HD Apple HD Apple SD Audio MP3 Android

In Security Decoded this week we cover the news and there is a lot of it:

Hacker announces the Zombie Apocalypse is here over the Emergency Broadcast System
* Facebook had a Zero Day
* Multiple US Government agencies we hacked
* Zeus is showing up in Japan
* Your heating and elevator controls could be easily hacked
* A new RAT called Frutas
* More Java, Flash, PDF and Microsoft vulnerabilities announced
* The PCI Special Intrest Group releases guidance around Cloud Computing
* And much more news. And we talk in details about security certifications.

Hacked Emergency broadcast announces Zombie Apocalypse is here
  • Viewers in Montana who were no doubt already on the edge of their seats waiting for the results of “teen cheaters take lie detectors” were suddenly confronted with a bigger calamity on Monday. The CW station of KRTV was interrupted by an emergency alert for a zombie apocalypse. Viewers were told that “the bodies of the dead are rising from their graves and attacking the living” in several Montana counties. KRTV confirmed someone had hacked into their emergency alert system and “there is no emergency.”

Fed says internal site breached by hackers, no critical functions affected – Anonymous attack on US Government

Summary: The U.S. Federal Reserve admitted members of Anonymous exploited a web application

vulnerability and accessed contact information belonging to over 4,000 U.S. bankers. Anonymous leaked the

stolen data by placing it on other compromised state and foreign government websites while the Federal

Reserve stressed no critical agency operations were affected. The attack is part of Anonymous’ campaign

against the U.S. government in remembrance of Aaron Swartz’s death. They made a second release Friday

afternoon. It’s a directory listing of an “F:” drive and it confirms speculation ColdFusion was running on the

compromised system. It is speculative the vulnerabilities patched by last Adobe ColdFusion security bulletin

(2013-01-15) were used to compromise the victim. The second link includes a map of the affected

institutions. None are in California or New York. These don’t conform to Fed Districts. There’s insufficient

intelligence to assess the probability the attackers have data on many more institutions. We are trying to

collect intelligence to address this. Targeted email is almost certainly the greatest risk.

Energy Department networks hit by Sophisticated Cyber Attack
  • Personal information on several hundred employees was compromised
  • There are indications the attackers had other motives, possibly including plans to gain future access to classified and other sensitive information.
  • No classified information was compromised in the cyber attack
  • The source or identity of the cyber attacker is not known, according to U.S. officials and outside security analysts. However, Chinese hackers are likely suspects because the department is known to be a major target of China for both secrets and technology.
  • The relative sophistication of the cyber attack is an indication of nation-state involvement.
  • A total of 14 computer servers and 20 workstations at the headquarters were penetrated during the attack.

‘Cyber-attack’ strikes govt again / Foreign Ministry says classified documents possibly stolen from computer
  • At least 20 internal documents, including confidential items, may have been stolen from the Foreign Ministry via an official computer in an apparent cyber-attack, it has been learned.
  • The ministry said Tuesday it had examined only one computer so far, and it would examine other computers to determine whether they were not infected with malware.
  • The cyber-attack followed the recent revelation at the Agriculture, Forestry and Fisheries Ministry that more than 3,000 pieces of information, including highly confidential documents, are suspected to have been stolen via unauthorized access to its computers.
  • According to the Foreign Ministry, it was notified by the National Information Security Center (NISC) on Jan. 28 that a computer at the ministry had possibly been the victim of unauthorized access. The ministry conducted an investigation and verified one of its computers had unauthorized communications with an external server.
  • The documents believed stolen include conference materials that could be considered class-2 information in terms of confidentiality according to the government’s standard classification.

Nokia Taiwan web sites defaced
  • Hackers of the Turkish Ajan group have breached Nokia Taiwan’s official website ( They defaced four subdomains andleaked files that, according to the hackers, contain around 100,000 records, including user details.
  • The affected subdomains are,,, and
  • It’s difficult to determine precisely how many users are affected by the breach. However, the Nokia610_Users file contains the names, email addresses,phone numbers, and IMEIs of 440 customers.
  • One of the larger files, NKA073_User, contains the details of close to 20,000 users. The names,mobile phone numbers and email addresses of over 25,000 customers are stored in another file named Event_N97_User.

  • Developers pulled from distribution last year
  • Now they are using it for espionage
  • Mcaffe reports it was used to infiltrate the governments of Japan and Poland as well as some private companies in Sweden and Denmark
  • Group behind it has been dubbed the “Poetry Group” because of the shakespearian verses that are in it’s code
  • Appears to be a “for hire” job

Python and Debian wiki’s hacked
  • An analysis of the incident revealed that an exploit had been planted on our servers possibly as early as July 25 2012, which allowed arbitrary execution of code under the user running theMoinMoin wiki.
  • It is likely that the password information was downloaded from the server in the course of the security breach, so we recommend changing your passwords immediately, if you have used the same password for other services as well.

We’re going to blow up your boiler: Critical bug threatens hospital systems
  • 21,000 vulnerable systems found on the internet
  • used by bank, hospitals and others
  • Sold by Honeywell
  • Controls heating systems, Elevators and other industrial equipment
  • Niagra AX-Branded
  • Demonstrated at Kaspersky’s security analyst summit in San Juan
  • Takes about 25 seconds to take control

Facebook Zero Day

  • got an email from FBI with a link
  • file that was there was done out of process and without verification
  • “red team” stood up
  • Backdoor removed
  • Exploit was used on Engineer’s laptop (the undisclosed software was then made aware of the zero-day used by Facebook in their test)
  • Did not sound the test alarm until the team was underway
  • everything was a test to see how they handled a security situation
  • Use this quote, it is a good reference to Episode 1 in our predictions where we state CyberSecurity is falling behind and needs to close the gap, “Internet security is so flawed,” Facebook Chief Security Officer Joe Sullivan told Ars. “I hate to say it, but it seems everyone is in this constant losing battle if you read the headlines. We don’t want to be part of those bad headlines.

Whitehole Exploit Kit
  • Recently Analyst at Trend Micro completed their analysis of a new Exploit Kit, Whitehole
  • Whitehole is just a randomly selected name to help differentiate it from the Blackhole Exploit Kit
  • While similar the Whitehole Kit doesn’t use JavaScript to hide it’s usage of “plugindetect.js”  It simply uses the .js with out trying to obfuscate it.
  • The new kit leverages existing JAVA vulnerabilites: 1-2011, 3-2012, and 1-2013
    • CVE-2012-5076
    • CVE-2011-3544
    • CVE-2012-4681
    • CVE-2012-1723
    • CVE-2013-0422
  • The new kit is currently being used in the following malware:
    • BKDR_Zaccess – known as a bootkit malware other this has the ability to download other malware or push fake applications like FakeAV
    • TROJ_Ransom – Known as Ransomeware, typically locks systems until users are force to pay a sum of money .  This malware is rapidy active in the wld and evolving at a fast pace  We have seen this in the form of “FBI” notifications of illegal web activity.
  • Whitehole is still in a Beta Testing mode but developers are currently seeling the kit  ranging from 200-1800 USD

Adobe Flash
  • Drops Multiple Files
  • Signed by LadyBoyle
  • Payload is 64 bit
  • One of the dropped executable files is digitally signed with an invalid certificate from MGAME Corporation, a Korean gaming company.
  • The same executable renames itself to try to pass itself off as the Google update process.
  • It creates startup registry entries for persistence after reboot.
  • The malware checks for presence of the AV processes listed below:
    • avp.exe
    • ctray.exe
    • tray.exe
    • 360tray.exe
  • It has a unique callback with the keyword “9002” and beacons to the CnC server at
  • Sites Associated:

Another new PDF vulnerability
  • PDF zero-day is being exploited in the wild, and we observed successful exploitation on the latest Adobe PDF Reader 9.5.3, 10.1.5, and 11.0.1.
  • Upon successful exploitation, it will drop two DLLs. The first DLL shows a fake error message and opens a decoy PDF document, which is usually common in targeted attacks.
  • The second DLL in turn drops the callback component, which talks to a remote domain.

Yahoo using old Java
  • At a time when JAVA has come under the microscope for it’s multiple vulnerabilities and companies like Apple and Mozilla urges users to update to the most current version of JAVA, YAHOO is still offering an application based on a 2008 version of JAVA
  • Sitebuilder – is a free tool that is designed to make building a website as simple as point and click.  Sitebuild requires JAVA to function.
  • Yahoo bunbles this application with Java 6 Update 7.  It has not been cleared if this is an oversite or if SiteBuilder can function with recent versions of JAVA
  • Latest Java 6 is release 39
  • One final note about SiteBuilder: Building your site with this tool may not only be hazardous to the security of your PC, it may also make it harder for your site to get the recognition it deserves. A bit of searching on this tool turned up some less than flattering resultssuggesting that sites built with SiteBuilder do not support an important type of Web site search optimization called “canonicalization.”

Cross-Platform Frutas RAT Builder and Back Door
  • back door remote access tool (RAT) written entirely in Java
  • The Frutas RAT allows attackers to create a connect-back client JAR file to run on a compromised computer.
  • Upon receiving a back door connection, the RAT server alerts the attacker and allows them to perform various back door functions on the compromised computer, including:
  • Query or kill system processes
  • Browse file systems
  • Download and execute arbitrary files
  • Send popup messages
  • Open a specified website in a browser
  • Perform denial of service attacks against a specified IP address
  • urity Firm “Bit9” compromise

  • 5 month old malware campaign
  • uses DDNS – Dynamic Domain Hosting to help hide its source
  • delivered through advertisements on web pages
  • good link on how it works in show notes

NetSeer suffers hack, triggers Google malware warnings­suffers­hack­triggers­google­malware­warnings­7000010776/

Cyber Threats Increase Around Valentines Day
  • This year, various Valentine’s Day spam messages have started flowing through Symantec’s Probe Network. The top word combinations used in spam messages include the following:
  • Find-Your-Valentine
  • eCards-for-Valentine
  • Valentine’s-Day-Flowers
  • backdoor trojan

Money Transfer Spam Campaign with HTML Attachment
  • Phishers love to arouse curiosity and/or fear in the user’s mind and this stimulus can compel people to set aside all caution as well as  any safety measures they might have in place
  • users are advised to confirm a pending transaction with their bank and also told that there is a copy of a bank slip attached
  • If the HTML attachment is opened, users are shown an image of a payment order. It is interesting to note that this image is very faint and very difficult to read. Using the HTML tag HTTP-EQUIV “REFRESH”, this image disappears after four seconds. This display of the receipt for a small time period is an attempt to arouse enough interest in the user so that they will venture further into the trap.
  • The page refreshes after four seconds and a popup appears that states that the user has been signed out of their email account and needs to sign in again to view the bank slip.
  • On clicking the only optional button, users are shown a website that resembles a well-known bank login page. If users input their bank credentials or their email address on this page, their information is sent to the scammers and may be used for nefarious purposes.

Phishing: The Easy Way to Compromise Twitter Accounts
  • Did you see this pic of you?
  • If the link is clicked, the browser is directed to a page that informs the user that they need to sign-in to their account to proceed. The page looks like it belongs to Twitter but it is actually a phishing page hosted on a server prepared by the attacker.
  • No matter what is entered into the login fields, correct or incorrect credentials, the user will appear back in their session.
  • Looks just like twitter
  • However, another fake page informs the user that the page they were attempting to visit does not exist.  The page then redirects back to the legitimate Twitter page and the user is unaware of anything malicious having taken place.

Microsoft, Symantec Hijack ‘Bamital’ Botnet
  • in the last two years, more than eight million computers have been attacked by Bamital
  • Affects Search
  • Microsoft and Symantec teaming up
  • Microsoft convinced a judge at the U.S. District Court for the Eastern District of Virginia to give it control over the infrastructure that Bamital used to coordinate the search hijacking activities of host PCs
  • A webpage will be displayed to users are infected with Bamital

NetSeer suffers hack, triggers Google malware warnings

Operation Beebus
  • The malicious email attachment exploits some common vulnerabilities in PDF and DOC files.
  • The malware uses a well-documented vulnerability in the Windows OS known as DLL search order hijacking
  • By dropping the ntshrui.DLL in the directory C:\Windows, the malware achieves persistence.
  • RSA breach March 2011

PCI Security Standards Council releases the PCI DSS Cloud Computing Guidelines
  • Public cloud environments are usually designed to allow access from anywhere on the Internet.
  • Perimeter boundaries between client environments can be fluid.
  • Clients may have limited or no oversight or control over cardholder data storage. Organizations might not know where cardholder data is physically stored, or the location(s) can regularly change. For redundancy or high availability reasons, data could be stored in multiple locations at any given time.
  • It can be challenging to verify who has access to cardholder data processed, transmitted, or stored in the cloud environment.

Dark Side of Home Automation
  • X10. Because X10 devices use 4-bit ID numbers, it is vulnerable to brute-force attacks. Furthermore, because it can be turned off with just one command, a thief can turn-off an X10-based alarm and infiltrate a victim’s house.
  • Z-Wave. By using tools readily available on the Internet, an attacker can sniff all traffic that flows in WPAN. With this information, an attacker can monitor a user’s day-to-day activities and gain information on the kind of devices used at home and how these are controlled. More tech-savvy thieves can even execute random commands via WPAN.
  • ZigBee. Though ZigBee-based devices have a more secured communication, problems still exist in the gateway between WPAN and an IP network. An attacker can bypass ZigBee authentication due to user’s weak password or misconfiguration, allowing him to access devices like security cameras. With this, an attacker can monitor user’s daily activities and change gateway configuration to connect to a fake Domain Name System (DNS) or proxy server, that may lead to data theft.

Patch Tuesday
  • Five ofthe 12 patches Microsoft released today earned its most dire “critical” label
  • Thirteen of the 57 bugs squashed in Microsoft’s patch batch address issues with Internet Explorer
  • other critical patches fixproblems in the Windows implementation of Vector Markup Language (VML), Microsoft Exchange, andflaws in the way Windows handles certain media files.
  • The remaining critical patch fixesa flaw that is present only on Windows XP systems.

Strategy Analytics: Android and Apple iOS Capture a Record 92 Percent Share of Global Smartphone Shipments in Q4 2012

Security Firms Stolen Crypto Key Used To Sign Malware
  • digitally signed malware using bit9 keys
  • infected 3 of their customers (bit9)
  • By stealing the keys the malware was able to take advantage of their “Application Whitelisting”
  • Virtually allowing all digitally signed applications to run on a customer’s network
  • “Due to an operational oversight within Bit9, we failed to install our own product on a handful of computers within our network,”
  • Keys not stored in a secure location
  • Certs have been revoked
  • There is no indication that the company’s Whitelisting products have been compromised
  • This parallels the 2011 RSA breach where customers were compromised through a theft of confidential data.

Security Certifications

  • Original question came from Christian Fellows of Eugene AR
  • Basically 2 tracks: Management and Technical,  Some cross over but not strong in both
  • Product Specific Certifications


Certified Information Systems Security Professional(CISSP)

  • 10 domains of security
    • Access Control – a collection of mechanisms that work together to create security architecture to protect the assets of the information system.
      • Concepts/methodologies/techniques
      • Effectiveness
      • Attacks
  • Telecommunications and Network Security – discusses network structures, transmission methods, transport formats and security measures used to provide availability, integrity and confidentiality.
    • Network architecture and design
    • Communication channels
    • Network components
    • Network attacks
  • Information Security Governance and Risk Management – the identification of an organization’s information assets and the development, documentation and implementation of policies, standards, procedures and guidelines.
    • Security governance and policy
    • Information classification/ownership
    • Contractual agreements and procurement processes
    • Risk management concepts
    • Personnel security
    • Security education, training and awareness
    • Certification and accreditation
  • Software Development Security – refers to the controls that are included within systems and applications software and the steps used in their development.
    • Systems development life cycle (SDLC)
    • Application environment and security controls
    • Effectiveness of application security
  • Cryptography – the principles, means and methods of disguising information to ensure its integrity, confidentiality and authenticity.
    • Encryption concepts
    • Digital signatures
    • Cryptanalytic attacks
    • Public Key Infrastructure (PKI)
    • Information hiding alternatives
  • Security Architecture and Design – contains the concepts, principles, structures and standards used to design, implement, monitor, and secure, operating systems, equipment, networks, applications, and those controls used to enforce various levels of confidentiality, integrity and availability.
    • Fundamental concepts of security models
    • Capabilities of information systems (e.g. memory protection, virtualization)
    • Countermeasure principles
    • Vulnerabilities and threats (e.g. cloud computing, aggregation, data flow control)
  • Operations Security – used to identify the controls over hardware, media and the operators with access privileges to any of these resources.
    • Resource protection
    • Incident response
    • Attack prevention and response
    • Patch and vulnerability management
  • Business Continuity and Disaster Recovery Planning – addresses the preservation of the business in the face of major disruptions to normal business operations.
    • Business impact analysis
    • Recovery strategy
    • Disaster recovery process
    • Provide training
  • Legal, Regulations, Investigations and Compliance – addresses computer crime laws and regulations; the investigative measures and techniques which can be used to determine if a crime has been committed and methods to gather evidence.
    • Legal issues
    • Investigations
    • Forensic procedures
    • Compliance requirements/procedures
  • Physical (Environmental) Security – addresses the threats, vulnerabilities and countermeasures that can be utilized to physically protect an enterprise’s resources and sensitive information.
    • Site/facility design considerations
    • Perimeter security
    • Internal security
    • Facilities security

Security+ – CompTIA

  • Network Security (21% of exam)
  • Compliance and Operational Security (18%)
  • Threats and Vulnerabilities (21%)
  • Application, Data and Host Security (16%)
  • Access Control and Identity Management (13%)
  • Cryptography (11%)

Certified Information Security Manager (CISM) – ISACA

  • Information Security Governance
  • Information Security Steering Group
  • Legal and regulatory issues
  • Information Security Process Improvement
  • Recovery Time Objectives
  • Security Metrics
  • Due Diligence
  • Security Baselines
  • Disaster recovery
  • Collecting and presenting evidence
  • Cost Benefit Analysis
  • Privacy and Tax laws

Certified Information Security Auditor (CISA) – ISACA

  • SACA IS Auditing Standards, Guidelines and Procedures and Code of Professional Ethics
  • Control objectives and controls related to IS
  • CoBit controls
  • Procedures used to store, retrieve, transport, and dispose of confidential information assets
  • Control Self-Assessment (CSA)
  • IS auditing practices and techniques
  • IT governance frameworks
  • Quality management strategies and policies
  • Risk management methodologies and tools
  • Use of control frameworks (e.g., CobiT, COSO, ISO 17799)
  • Practices for monitoring and reporting of IT performance
  • Benefits management practices for CISA Certification
  • Processes for managing emergency changes to the production systems

Certified in Risk and Information Control (CRISC – “see-risk”) – ISACA

  • Risk Identification Assessment and Evaluation (RI)
  • Risk Response (RR)
  • Risk Monitoring (RM)
  • IS Control Design and Implementation (CD)
  • IS Control Monitoring and Maintenance (MM)

Certified in the Governance of Enterprise IT (CGEIT) – ISACA

  • For experienced IT governance personnel.
  • Covers:
  • IT Governance
  • Strategic Alignment
  • Value Delivery
  • Risk Management
  • Resource Management
  • Performance Measurement


Certified Ethical Hacker (CEH) – EC-Council

  • Required for admin at US Govt
  • Penetration testing methodologies
  • Stealthy network recon
  • Passive traffic identification
  • Remote root vulnerability exploitation
  • Privilege escalation hacking
  • IPv6 Vulnerabilities
  • Remote access trojan hacking
  • Running shellcode in RAM vs. on disk
  • Wireless insecurity
  • Breaking IP-based ACLs via spoofing
  • Abusing Windows Named Pipes for Domain Impersonation
  • Evidence removal and anti-forensics
  • Attacking network infrastructure devices
  • Hacking by brute forcing remotely
  • Hiding exploit payloads in jpeg and gif image files
  • Hacking Web Applications
  • Breaking into databases with SQL Injection
  • Cross Site Scripting hacking
  • Hacking into Cisco routers
  • Justifying a penetration test to management & customers
  • CEH review
  • Defensive techniques

EC-Council Certified Security Analyst (ECSA) – EC-Council (ADVANCED ETHICAL HACKING)

  • Leverage 0day (private unreleased exploits) attacks as part of the “Advanced Persistent Threat”
  • Run sophisticated attacks against client side applications
  • Use fuzzers and dynamic analysis to attack custom and COTS apps
  • Reverse engineer binaries to find new vulnerabilities never discovered before
  • Exploit secured web applications
  • Run chained exploits to pivot from multiple exploitable systems
  • Attack and defeat VPNs, IDS/IPS and other security technologies

Certified Computer Hack Forensic Investigator (CHFI) – EC-Council

  • Computer Forensics Training with open source tools
  • Overview of Computer Crime
  • Preparing sterile examination media
  • Acquisition, collection and seizure of magnetic media.
  • Documenting a “Chain of Custody”
  • Understanding Microsoft Windows from a forensics point of view
  • Working with NTFS
  • Combing Partition table and boot record
  • Investigating The Master File Table (MFT)
  • Recovering Internet Usage Data
  • Recovering: Swap Files/Temporary Files/Cache Files
  • Digital Camera Computer Forensics
  • PDA and Mobile Computer Forensics
  • Linux/Unix computer forensics
  • Investigating data streams
  • File storage dates and times
  • File deletion/recovery
  • Preservation and safe handling of original media
  • Making bitstream copies of original media
  • Common data hiding techniques
  • Examining CD-ROM media
  • Carving out files “hidden” in unallocated disk space
  • Issues when presenting data in court
  • The marking, storage and transmittal of evidence.
  • Word document forensics and password cracking
  • Use tools such as Encase Forensic Edition, X-Ways Forensic Addition, Paraben, Forensic ToolKit (FTK), Linux dd, etc.

Certified Penetration Tester (CPT) – IACRB

  • Writing buffer overflow exploits
  • dlmalloc Heap Overflow exploits
  • Win32 Heap Overflow exploits
  • Linux stack overflow exploits
  • Defeating non-exec stacks
  • Return-to-libc shellcode
  • Function pointer overwrites
  • Crafting Injectable Shellcode
  • Defeating non-executable stacks
  • Linux LKM Rootkits
  • Windows Kernel Rootkits
  • Reverse engineering training
  • Vulnerability development and discovery
  • Attacking and blinding IDSs
  • Hiding your attacks from IDSs
  • Encrypted covert channels
  • Global Offset Table Overwrites
  • Windows Shellcode
  • Integer Overflows
  • Linux shellcode
  • “no listening port” trojans
  • A whole day on breaking through enterprise DMZs
  • Reconstructing binaries from sniffed traffic
  • Circumventing antivirus
  • Bi-directional Spoofed Communication
  • Session fixation
  • Advanced SQL Injection
  • Justifying a penetration test to management and customers
  • Defensive techniques

Certified Expert Penetration Tester (CEPT) – IACRB

  • Attacking fully patched systems
  • Buffer Overflows against Windows 2008 Server, Windows 7 clients
  • 0day attacks
  • Attacking DMZs and other secured infrastructure
  • Port Redirection
  • Compromising secured infrastructure
  • Using egghunter and meterpreter shellcode
  • Metasploit scripting and automation
  • NMAP automation
  • Running exploits in RAM vs. on disk
  • Hiding from IDSs
  • Covert Channels
  • Privilege Escalation attacks on Windows 7
  • Advanced Man In The Middle Attacks
  • Traffic Interception
  • Hijacking SSL encrypted sessions
  • MiTM VoIP attacks
  • Intercepting VoIP traffic and attacking Ethernet enabled PBXs

Certified Reverse Engineering Analyst (CREA) – IACRB

  • Understanding hashing functions
  • Working with encrypted binaries
  • Reversing UPX and other compression types
  • Discovering stack overflows
  • Discovering heap overflows
  • Creating a sandbox to isolate malware
  • Unpacking malware
  • Monitoring registry changes
  • Identifying malware communication channels
  • Understanding Digital Rights Management (DRM) implementations
  • Thwarting anti-debugger code
  • Debugging multi-threaded programs
  • Recursive traversal dissasemblers
  • Reversing .NET bytecode
  • CREA Review
  • Legal issues and the DMCA
  • Understanding conditional branching statements
  • Virtual machines and bytecode
  • System vs. Code Level reversing
  • Identifying variables
  • Compilers and branch prediction
  • Memory management
  • Win32 executable formats and image sections
  • Fundamentals of IDA Pro
  • Advanced uses of IDA Pro with hostile code
  • Using Ollydbg for runtime analysis of malware
  • Kernel mode debugging with SoftICE
  • Dumping executables from memory with Dumpbin
  • Locating undocumented APIs
  • Reversing ntdll.dll
  • Obfuscation of file formats

Certified Data Recovery Professional (CDRP) – IACRB

  • Logical Recovery of disabled hard drives
  • Using file format recognition tools
  • Logical recovery via avoiding BIOS interrupts
  • Motions that unlock the actuator of a drive
  • Diagnosing the physical recovery of drives
  • Comparing pre-recorded sound samples to live drives
  • Logic board replacements
  • Single and Multi-Platter Swaps
  • Head Assembly replacement
  • P-List and G-List recovery
  • Addressing SMART values
  • Dealing with damaged sectors
  • Reverse scanning
  • Capturing SID protected folders
  • Resolving kernel or driver issues with a Linux bootable disk
  • Head Stack replacement
  • Working with the Service Area (SA) of a drive
  • Reviewing data structures with a Hex Editor
  • Diagnosing “clicking noises”
  • Mac OS X Data Recovery
  • Linux Data Recovery
  • RAID 0 Recovery & RAID 5 Recovery
  • Vista and Recovery of Shadow Copies
  • Clearing passwords on a password protected drive
  • Solid state drive recovery
  • Firmware issues

Certified Computer Forensics Examiner (CCFE) – IACRB

  • Computer Forensics Training with open source tools
  • Overview of Computer Crime
  • Preparing sterile examination media
  • Acquisition, collection and seizure of magnetic media.
  • Documenting a “Chain of Custody”
  • Understanding Microsoft Windows from a forensics point of view
  • Working with NTFS
  • Combing Partition table and boot record
  • Investigating The Master File Table (MFT)
  • Recovering Internet Usage Data
  • Recovering: Swap Files/Temporary Files/Cache Files
  • Digital Camera Computer Forensics
  • PDA and Mobile Computer Forensics
  • Linux/Unix computer forensics
  • Investigating data streams
  • File storage dates and times
  • File deletion/recovery
  • Preservation and safe handling of original media
  • Making bitstream copies of original media
  • Common data hiding techniques
  • Examining CD-ROM media
  • Carving out files “hidden” in unallocated disk space
  • Issues when presenting data in court
  • The marking, storage and transmittal of evidence.
  • Word document forensics and password cracking
  • Use tools such as Encase Forensic Edition, X-Ways Forensic Addition, Paraben, Forensic ToolKit (FTK), Linux dd, etc.

Certified Application Security Specialist (CASS) – IACRB

  • Web Application (In)security
  • Core Defense Mechanisms – OWASP Top 10
  • Cross-Site Scripting (XSS)
  • Broken Authentication and Session Management
  • Insecure Direct Object References
  • Cross-Site Request Forgery (CSRF)
  • Insufficient Transport Layer Protection
  • Unvalidated Redirects and Forwards
  • Encoding Schemes, URL Encoding, Unicode Encoding
  • Bypassing Client-Side Controls
  • Transmitting Data via the Client
  • Hacking ASP.NET ViewState
  • Decompiling Java Bytecode
  • Coping with Bytecode Obfuscation
  • Reverse Engineering ActiveX
  • Manipulating Exported Functions
  • Attacking Authentication
  • Exploiting Verbose Failure Messages
  • Exploiting Vulnerable Transmission of Credentials
  • Attacking Password Change Functionality & Forgotten Password Functionality
  • Predictable Usernames & Initial Passwords
  • Prevent Misuse of the Account Recovery Function
  • Attacking Session Management
  • Attacking Access Controls
  • Common Vulnerabilities
  • Targeting Identifier-Based Functions
  • Securing Access Controls
  • Injecting into Interpreted Languages