

SANS – Super Huge News – SEC504 – Acting as a Mentor for the SANS SEC504 class


Source: SANS Mentor SEC504 Session, SANS Mentor Page and SANS 504 Flyer

I am pleased to announce that I will be acting as a Mentor for the SANS SEC504 class (Hacker Tools, Techniques, Exploits and Incident Handling), coming up in February 2016.

What has me most excited is the format of the class and the whole Mentor program. The Mentor program is great for students who prefer, or are forced, to study on their own, as opposed to sitting in a 5-day class. The class format works like this: students are responsible for studying the material, and the class meets once a week for a group study session or to answer questions. I am available to students for over 10 weeks to assist with studying and answering questions. I see this as a huge positive, as many of us in the industry are self-learners who have taught ourselves to learn on our own. The SANS Mentor program is a perfect example of learning on your own and moving at a decently rapid pace.

I am extremely excited to get the opportunity to work with SANS on this fun and exciting course. It has been my favorite of the SANS courses I’ve attended, and it will be exciting to get to mentor future students in the class and help them on their way to becoming a SANS GIAC Certified Incident Handler (GCIH).

From the GCIH information page:

Incident handlers manage security incidents by understanding common attack techniques, vectors and tools as well as defending against and/or responding to such attacks when they occur. The GCIH certification focuses on detecting, responding, and resolving computer security incidents and covers the following security techniques:

  • The steps of the incident handling process
  • Detecting malicious applications and network activity
  • Common attack techniques that compromise hosts
  • Detecting and analyzing system and network vulnerabilities
  • Continuous process improvement by discovering the root causes of incidents


From the SANS SEC504 page:

The Internet is full of powerful hacking tools and bad guys using them extensively. If your organization has an Internet connection or one or two disgruntled employees (and whose doesn’t!), your computer systems will get attacked. From the five, ten, or even one hundred daily probes against your Internet infrastructure to the malicious insider slowly creeping through your most vital information assets, attackers are targeting your systems with increasing viciousness and stealth. As defenders, it is essential we understand these hacking tools and techniques.

By helping you understand attackers’ tactics and strategies in detail, giving you hands-on experience in finding vulnerabilities and discovering intrusions, and equipping you with a comprehensive incident handling plan, this course helps you turn the tables on computer attackers. It addresses the latest cutting-edge insidious attack vectors, the “oldie-but-goodie” attacks that are still prevalent, and everything in between. Instead of merely teaching a few hack attack tricks, this course provides a time-tested, step-by-step process for responding to computer incidents, and a detailed description of how attackers undermine systems so you can prepare, detect, and respond to them. In addition, the course explores the legal issues associated with responding to computer attacks, including employee monitoring, working with law enforcement, and handling evidence. Finally, students will participate in a hands-on workshop that focuses on scanning for, exploiting, and defending systems. It will enable you to discover the holes in your system before the bad guys do!

The course is particularly well-suited to individuals who lead or are a part of an incident handling team. General security practitioners, system administrators, and security architects will benefit by understanding how to design, build, and operate their systems to prevent, detect, and respond to attacks.


The myth of the cybersecurity skills shortage


Source: ComputerWorld by Ira Winkler

Interesting article up for a read at ComputerWorld, which, all in all, is a good thing. In “The myth of the cybersecurity skills shortage,” Winkler calls out companies that are claiming there is a cybersecurity skills shortage, which I don’t necessarily believe there is.

From the article at ComputerWorld:

The approach that seems to prevail these days — seeking a new hire who already has the right skills and experience or hiring them away from another organization — just doesn’t work. But it is why so many people believe there is a shortage of security professionals.

Mr. Winkler hit the nail on the head with this statement. I have a significant amount of security experience; I’ve worked for the government, large companies, medium companies, and small companies. I will generally do reasonably well at any interview question posed to me. The problem I’m seeing is that there are companies out there that have beaten it into the heads of their employees that they are looking for someone who is an absolute master of skillset X, and disregard everything else. I, like many other security practitioners, have my weaknesses; if I am slightly weaker in skillset X, then I am immediately assumed not to be a good fit for the job.

The way I like to pursue jobs is that I aim for something I want to do, with a company I wouldn’t mind doing it for. Whether I have 100% strength in skillset X, or whether I’m slightly weaker at X but extremely strong at skillsets Y and Z, I will still apply; but a decent amount of the time I’ll get shot down, due to the assumption that because my skillset at X isn’t the greatest, I’ll never be able to catch up. This is where the fallacy in the argument lies. Company X needs to look at candidate skills and base its decision on the ability of the candidate to learn skillset X (if skillset X is truly the reason for hiring). So again, there are areas where I’m slightly weaker, such as DLP. That doesn’t mean I don’t know what DLP is or how it functions, but I’ve never sat in front of a host that does DLP and used it on a day-to-day basis. Does that mean I’m not right for any position at your organization due to the fact that I’ve not been a DLP administrator?

Just something to think about. I always judge interview candidates not just on what they know, but on what I think they will learn and how strong of learners they are.

Vulnerability Discussion/Videos


As noted before, like in this post, I am a huge fan of RSS feeds, but I also love instructional videos, demo videos, and other similar stuff.

I’ve been toying with the idea of doing video tutorials of attacking vulnerable distributions, like those found on VulnHub, and documenting the process that I go through. Maybe some other things, like various CTF challenges, as well. I’m trying to get an idea of how people would react to seeing such videos posted here or on YouTube.

If you have any opinions on this, please shoot me an email and let me know if you think I should do some videos on vulnerability discussion topics and vulnerability videos.

How broken is Malware Investigator?


I have been steadily using Malware Investigator since its public debut in early March of 2015.

I have grown more and more upset with the service over this time period, and in the end, I’ve realized it’s not providing me any more of a service than what is being provided via Cuckoo, VirusTotal, or malwr. Furthermore, even with some of the early problems faced by malwr, I still believe that malwr is more available than the Malware Investigator tool is.

Problems experienced using Malware Investigator:

1) Downtime – Their servers are often down outside normal business hours, and even down sometimes during business hours. Oftentimes, the SAML authentication that occurs between the InfraGard website and Malware Investigator fails, or I get redirected to various error pages at Malware Investigator.

2) Processing Time – It often takes an insane amount of time to analyze my traffic. For the majority of the malware that I have submitted to their website, I would guess that the mean time to analyze is approaching a week and a half. I feel that they should have enough resources at their disposal to process malware faster than 1.5 weeks.

3) Correlations – This is the part that really got me excited to use Malware Investigator. However, it seems as if it is a little bit of a misnomer. I had thought that it would allow me to compare the malware I find to other malware used in higher-profile breaches/incidents, and that it would alert me to that (with a certain level of discretion of course, understanding the different classification levels of information provided by the FBI). Unfortunately, correlations generally just gives you the ability to see other usernames of people that have uploaded that same piece of malware.

4) General Brokenness –

a) My profile has become littered with malware that I never submitted. There are a number of .dll files littering my screen that have (supposedly) had analysis performed against them, which I never submitted.

b) I can’t get the proper listing of malware that I submitted to the site, unless I happen to remember the name of the malware that I submitted. The general overview, where you should be able to browse all the malware you submitted, is completely broken for me; the only way to find the malware I submitted is if I happen to remember its name. So it seems the search process still works, but the listing of malware doesn’t.

I will point out the single feature I like at Malware Investigator, and the only reason I still use it: I use it to analyze all the Linux, Unix, MIPS, and other non-Windows malware that I am able to collect. That is the single weakness of both malwr and VirusTotal: they will not, or more properly said, do not have the ability to, analyze the various Linux/Unix/MIPS/whatever malware variants that I upload.

So, with all these problems I have experienced, I ask the question, “How broken is Malware Investigator?” And, “Is Malware Investigator broken beyond belief?”

Do you think that malwr and VT should start accepting, and being able to process, Linux malware, or does it represent such a low number of infections that it would be going too far? Let me know by posting a comment down below.

Please leave a comment and let me know if you use Malware Investigator, or if you don’t, and why; I want to hear other people’s reactions to Malware Investigator.

Class: Penetrations and Remediations – Update 2

OK, final update to the Penetrations and Remediations class from July 18.

I had a bunch of people asking me for the slides to the class, so, without further ado:

Here they are.

If you have any questions regarding our first take on this class, please feel free to contact me at:

40 year impact from OPM breach


Source: FedScoop

Interesting article that states the OPM breach could have an impact for the next 40 years.

I’m just going to say, after some conversations I’ve had with some people over this past weekend, I think the breach could last a whole lot longer than 40 years. In fact, I would go so far as to say that the damage caused by the breach will never be repaired. Think of the long-lasting impact this will have on family members of those affected by the breach. If someone was able to pull up all the information on, say, your grandpa, and was able to give you any and all information you could ever want to know about him, wouldn’t that affect your trust with that person, and wouldn’t you be slightly more likely to release other information to him, as you see they already have a bunch of information? From the perspective of an intelligence gathering operation, the amount of information contained in the SF-86 form is crazy; there is so much information in the SF-86 that it literally took me 3 days to fill out that form.

From the Article at FedScoop:

The theft of background investigation data on millions of federal employees and contractors has created a massive threat to U.S. national security that will last for decades and cost billions of dollars to monitor, current and former intelligence officials said.

The Office of Personnel Management announced last week that personal data on 21.5 million individuals was compromised by the hack of the agency’s background investigation database. That includes 19.7 million individuals that applied for a security clearance, and 1.8 million non-applicants, predominantly spouses or co-habitants of applicants.

But while the focus continues to be on OPM’s efforts to fix vulnerabilities in the system used to manage background investigation data, known as Electronic Questionnaires for Investigations Processing (e-QIP), as well as the 30 day cybersecurity sprint ordered by the Office of Management and Budget, intelligence experts say there is little the agency can do to reverse the damage that has already been done.

Too Big to Care – Advance Fee Fraud


Warning: this post might sound politically motivated to some; I assure you, I’m looking beyond the politics of the American way of life and talking about people in general.

My wife went on a trip this past week to visit her mother and other family up in Montana. When she got to her mom’s house, she found out that her mom had shut off her phone due to an “advance fee fraud” scam that she had fallen victim to. It made me take a step back and examine things from a new aspect.

My mother-in-law, who is not “well off,” lost well over $20,000.00 to scammers located in Jamaica. She was continuing to send them money and brand new phones, all so she could get the $1.25 million that they had promised her.

It all makes me think about the ethics of everyone involved in this scam. Obviously, I’m going to say terrible things about the scammer, but what about everyone else involved?

I notified both MoneyGram and Western Union. I notified the state’s attorney general, I notified the FTC, I notified the IC3, and I notified my mother-in-law’s bank. I also notified APS, as I think this is also a case of elder abuse. I’m reaching the end of my abilities as far as notification procedures and who I can contact.

I also registered an account on scamwarners and read through others’ posts about similar types of scams, just to see what other people have to say about these scams.

Going through all this stuff, I thought about the ethics of everything involved, and in the end, it really makes my blood boil.

With the understanding that this is fraud related, there is very little the government is going to do to help via IC3/FTC/FBI/SS/NW3C. The companies involved, MoneyGram and Western Union, don’t care, as they’ve collected their money already, and the bank can’t legally keep my M-I-L away from her money.

It all makes me wonder, what can be done to prevent this kind of fraud?

After going through all this with my M-I-L, I immediately called my dad, told him of this scam and how not to fall for it, and asked him to contact me if there is absolutely anything he ever questions. But beyond that, what can I do?

Class: Penetrations and Remediations – Update 1

Just a quick update, about the class I taught on Saturday.

It was completely nerve-wracking; one of my biggest fears is public speaking. Not to mention the stress of everything else going on in my life at this very second.

We had a great turnout at Denhac for the class.

I do think the class ran a little longer than it should have; people started dropping after about 3 to 4 hours into the class. We did have a few hiccups that I honestly should have been prepared for, and I think if I had bothered to dig up all the information and prepare the class beforehand, there would have been fewer delays while teaching the class.

So, the awesome part is, though there were a few hiccups, things did, overall, go very well; I am planning on teaching the class again. Also, with these known issues, it will better help me prepare for the next time I teach the class. I also got some pointers from the very kind people who helped me put on the class, The Software Freedom School.

All in all, it was a great learning experience for not only the students, but me as well.

I will post one more update related to the class, which will include details and the presentation.

Potential Downtime – Known Issues

Hello all – Just wanted to post a quick note about some potential downtime 556 Forensics may be seeing in the next week or two.

We are transitioning a bunch of our domain names, as well as our hosting server, and a bunch of other stuff. Due to my crazy work schedule, there is the possibility that our website may have some downtime and I won’t be around to fix it. So, for the next 3 weeks, you might want to consider this website in flux until everything gets all straightened out.

Again, I just wanted to post this so it is known that we are going to run into some bumpy roads for the next couple of weeks, and that all issues are known.

UPDATE: Penetrations and Remediations Class

Just wanted to post a quick update. The class has been moved back a week, to July 18.

About the Class:
Location: Denhac 700 Kalamath Street
Date: 7/18
Time: 11am – 4pm