Think Like A Hacker, Train Like A Hacker

Joe McCray has been hacking into the Department of Defense, Federal Agencies, Financial Institutions, and other big companies for years – all legally of course.  He’s a Penetration Tester, a consultant that hacks into companies in order to test, measure and demonstrate security weaknesses.  He helps identify and fix vulnerabilities that could lead to security breaches.  

He is frequently sought out as a trainer, people want to know how he consistently bypasses common IT Security mechanisms.  Joe has recently developed a course to teach IT and IT Security professionals how hackers break into systems and bypass these common security mechanisms.  Although there are many courses on that claim to do this, Joe says, “I developed the Advanced Penetration Testing course because there were too many security courses out there that are written and taught by people that haven’t actually been pentesters.  These teachers are reading word for word from old computer security books and teaching the students hacks that are ten years old.  That kind of teaching is fine if you just want to introduce someone to our field and raise awareness, but it does nothing to help people working in the DoD, Federal Agencies, Financial Institutions, and other large companies secure critical systems from attack. ”

Advanced Penetration Testing (APT): Pentesting High Security Environments – is a course that focuses on attacking and defending highly secured environments.  This course can be taken as either a five-day course, or a two-day workshop at security conferences.  This is not a “death by powerpoint” course, and you won’t be attacking unpatched Windows 2000 Servers, or learning a bunch of outdated tools.  In APT, you learn how to attack new operating systems such as Windows Vista, Windows 7, Windows Server 2008, and the latest Linux servers.  All of these servers will be patched, and hardened, both Network and Host-based IDS/IPS will be in place as well.

The course starts with attacking heavily protected environments from the outside and dealing with things like Load Balancing, Deep Packet Inspection, and Network-Based IDS/IPS. Next attack web applications and deal with common application security measures in PHP/ASP.NET, then Web Application Firewalls.  The course moves on to attacking from the LAN, dealing with NAC, locked down workstations/GPOs, and Host-Based IDS/IPS.  Finally, the course covers gaining control of Active Directory.

This course can be taken at the following locations/events:

Large Hosting Providers Targeted by Malware

It appears that large hosting companies such as Aruba and GoDaddy have been under direct and targeted attack by malicious software distributors for the past few weeks.  The attacks that have succeeded so far involve script injection, obfuscation, string manipulation, and targets index files. 

A file named ferdy_simonette.php was reportedly found in one provider’s hosting and sub-directories.  This file was being analyzed at the time of this writing.  This file could be named randomly or differently in each case.  If you are a customer of one of the above providers, it’s enough to remove the malware script, if your website was infected. is being used to support the malicious scripts’ execution.

The end result or intended outcome of the malware is not clear at the moment, and the damage may be well contained, but the avenue of attack that was successful and WHY it was succesful need to be addressed.


What Makes A Good Manager?

I saw a discussion entitled “ You are a good manager if you are doing these five things”, and thought I had too much to add to the discussion to post on the original author’s thread without offending, coming across as a wise-acre, and/or detracting from the already developing conversations.  Instead, I post an expansion of the ideas, and add my own ideas here…

All kinds of people managers could benefit from some basic, common-sense project management advice to get more from their limited project and departmental resources.  The following is what I try to do during any engagement, whether project, departmental, or contractual.

Continue reading