Clement, Nathalie, and Alain the Portals administrators wishes you a warm welcome.
Great supplements to help you reach your certification goals
Get a FREE copy of the Hakin9 Magazine Posted by cdupuis on Thursday, 04 March 2010 @ 22:50:58 EST (185 reads) TopicHakin9
NOTE FROM CLEMENT:
Here is another issue of Haking 9 being given away for FREE. It is a bit less than a year old but still VERY relevant to todays threat. The magazine will give you an idea of the content you usually find in Hakin9. ENJOY!
The increase in sophistication of the Microsoft (MS) Windows family of operating systems (Windows 2000, XP, 2003, Vista, 2008, and Windows 7) as well as that of cybercrime has long required a corresponding increase or upgrade in incident response and computer forensic analysis techniques.
- Harlan Carvey
Analyzing Malware Introduction to Advanced Topics
In this final article in our three-part series on analyzing malware we will discuss more advanced topics. The topics we are going to include are: polymorphic code, metamorphic code, and alternative data stream.
- Jason Carpenter
Hacking ASLR & Stack Canaries on Modern Linux
This article will demonstrate methods used to hack stack canaries and Address Space Layout Randomization (ASLR) on modern Linux kernels running the PaX patch and newer versions of GCC.
- Stephen Sims
Mashup Security
Mashups will have a significant role in the future of Web 2.0, thanks to one of the most recent data interchange techniques: JSON. But what about security
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.
Damn Vulnerable Web App (DVWA) is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
Version v1.0.6
Fixed a bug where the logo would not show on first time use. 03/09/2009 (ethicalhack3r)
Database Setup To set up the database, simply click on the Setup button in the main menu, then click on the ’Create / Reset Database’ button. This will create / reset the database for you with some data in.
If you receive an error while trying to create your database, make sure your database credentials are correct within /config/config.inc.php
Xplico version 0.5.5: reconstruct attachment from a PCAP File Posted by cdupuis on Thursday, 04 March 2010 @ 11:43:55 EST (142 reads) TopicSniffers
About
The goal of Xplico is extract from an internet traffic capture the applications data contained.
For example, from a pcap file Xplico extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP), FTP, TFTP, and so on. Xplico isn’t a network protocol analyzer.
Xplico is an open source Network Forensic Analysis Tool (NFAT).
Xplico is released under the GNU General Public License (see License for more details).
Port Independent Protocol Identification (PIPI) for each application protocol;
Multithreading;
Output data and information in SQLite database or Mysql database and/or files;
At each data reassembled by Xplico is associated a XML file that uniquely identifies the flows and the pcap containing the data reassembled;
Realtime elaboration (depends on the number of flows, the types of protocols and by the performance of computer -RAM, CPU, HD access time, …-);
TCP reassembly with ACK verification for any packet or soft ACK verification;
Reverse DNS lookup from DNS packages contained in the inputs files (pcap), not from external DNS server;
No size limit on data entry or the number of files entrance (the only limit is HD size);
IPv4 and IPv6 support
Modularity. Each Xplico component is modular. The input interface, the protocol decoder (Dissector) and the output interface (dispatcer) are all modules
The ability to easily create any kind of dispatcer with which to organize the data extracted in the most appropriate and useful to you
Nsploit (Popping boxes with Nmap) SecTor 2009 Posted by cdupuis on Thursday, 04 March 2010 @ 11:13:45 EST (170 reads) TopicNMAP
AS SEEN ON THE SECURITYAEGIS BLOG AT: http://www.securityaegis.com/
Ryan Linn has started a project to bridge Nmap Scans all the way to exploitation using Metasploit.
Similar to the db_autopwn via fasttrack script (available in Backtrack 4), Nsploit does even more granular service level Nmap scanning to identify versions and exploits. Then passes of these to Metasploit and launches the pain at your target box.
It Uses Nmap’s NSE’s to trigger Metasploit commands via XMLRPC. Anything we can identify with an Nmap Script we can launch and get a shell… hopefully a meterpreter shell
Fraudsters hone their attacks with spear phishing Posted by cdupuis on Thursday, 04 March 2010 @ 11:11:11 EST (182 reads) TopicPhishing
By Roger A. Grimes Created 2010-03-02 03:00AM
In my previous column, I said that the No. 1 way to reduce IT security risks [1] in your organization is to "simply" prevent end-users from installing stuff they shouldn't. This, of course, is much easier said than done.
Although infected innocent Web sites results in a large percentage of security breaches, fraudulent emails still abound. Unfortunately, long gone are the days when it was easy to identify malicious phishing [2] email by their strange subject lines and horrible grammar.
[ InfoWorld's Roger Grimes explains how to stop data leaks in an enlightening 30-minute webcast, Data Loss Prevention [3], which covers the tools and techniques used by experienced security pros. | Learn how to secure your systems with InfoWorld's free security newsletter [4].]
Today's phishers, at the very least, are grammatically correct. The ones without enough education or experience to use language correctly naturally made less money and fell out of the criminal business early on; either that, or they hired smarter people.
The next generation of phishing messages, which is still prevalent today, strongly resembles legitimate messages from our banks, cable companies, online electronic payment services, and credit card companies. Everything in the emails looks legitimate, including the graphics that originate from the real company's Website. (The ones that included a notice to watch out for fake phishing messages always made me giggle.) The only thing that's fake in the entire message is the link that victims are required to click to complete the requested action.
This form of phishing is pretty effective, but the messages at least contain a small clue (the bogus URL link) to users that they should evaluate the legitimacy of the request. Today's browsers, with antiphishing features, might even warn an end-user against loading the bogus site.
But now end-users are being targeted by a new form of phishing, called "spear phishing," which specifically targets a user or company. Spear-phishing emails look more authentic than the aforementioned breed, often including the user's complete name or referring to a real project that the user is working on. Spear phishers often gather this information by doing tactical research or even breaking into a database, and it's effective enough to fool even the savviest end-users.
Often these forms of phishing attempt to entice the end-user into running a Trojan horse program, which then compromises the computer and the company's network. Most of the companies I work with these days have been exploited by one of these spear phishing e-mails. If the end-user is running antimalware [5] scanning software, the product may block the Trojan install.
To get around that previous mentioned potential blocks, phishing writers are now creating emails that do not contain any obvious malicious links. They don't ask users to visit bogus Websites or to install unexpected software. Rather, they attempt to fool a user or system admin into opening up holes in the company's network defenses.
Here's an example of one of these messages, sent to me by my friend and CISSP, Bob McCoy. It was addressed to him directly and appeared to come from his company's email service provider. (For brevity and safety, I've removed the vendor names, authentic-looking graphics, and links from the message.)
Dear Valued Customer,
We are pleased to announce the go-live date for a new Data Center, scheduled to go live on April 19, 2010. Please update your firewall rules to allow SMTP traffic on port 25 from the following IP address ranges:xxx.xxx.xxx.xxx/xx (xxx.xxx.xxx.xxx - xxx.xxx.xxx.xxx)xx.xxx.xxx.xx/xx (xx.xxx.xxx.xx - xx.xxx.xxx.xxx)
If you have settings on your e-mail server which control the IPs which are allowed to connect for e-mail relay please confirm that those settings are updated as well.
We will be able to test and verify connections one week prior to April 19, 2010. Additionally, we will be proactively running connection tests prior to the launch on behalf of all customers, and contacting you directly if we are unable to connect to any of your domains from ALL specified IP addresses for that domain.
Prior to the launch of the new IP addresses, we recommend that you set up and configure the Deferral Notification alerting feature for your domains using the Deferral Notification option on the Domain properties page in the Admin Center. The Deferral Notification alert feature sends a message to you when a customized threshold has been met or exceeded for deferred e-mail in your domain. After the new IP addresses are launched, this feature will help to ensure that e-mail sent to your domains is not deferred because of unsuccessful connection attempts to your network, and that you alerted in the event that e-mail is being deferred beyond your acceptable limits. For more information on how to set up the Deferral Notification alert feature, see the Admin Center Guide in the Resource Center.
Please refer to the Configuration subtab of the Administration Center for a complete list of IPs which should be allowed to connect to your environment at any time.
Simply analyzing the phishing message's contents would not reveal anything out of the ordinary. Unlike regular phishing e-mails, all links and e-mail addresses were legitimate. There were no bogus Web sites and no Trojan horse executables to install. Rather, the attackers are essentially instructing the victims to open up their e-mail server for spam relaying.
Upon opening this message, Bob suspected the scam immediately. His suspicions were confirmed 10 minutes later when he received an identical message from another vendor. Others users have not been as lucky.
I'm already aware of several clients who've fallen for this scam. In each case, the victim remembered getting a similar sort of email message when they first signed on with a service and, thus, thought the bogus message was legitimate -- especially because their cloud/hosting providers keep bragging about all the new data centers they're continuing to bring online.
Other phishing messages have instructed users to disable their host-based firewalls [6] and to open up unprotected network shares and enable overly permissive peer-to-peer file sharing. It makes the old days of hoax messages that caused users to delete legitimate operating system files seem relatively harmless.
As with any suspected phish email, recipients should contact the purported senders using another out-of-band method to confirm the legitimacy. Moreover, you should update your end-user education materials to include these sorts of phishing e-mails.
2010 CWE/SANS Top 25 Most Dangerous Programming Errors Posted by cdupuis on Thursday, 04 March 2010 @ 11:02:15 EST (129 reads) TopicWeb Applications Security
The 2010 CWE/SANS Top 25 Most Dangerous Programming Errors is a list of the most widespread and critical programming errors that can lead to serious software vulnerabilities. They are often easy to find, and easy to exploit.
They are dangerous because they will frequently allow attackers to completely take over the software, steal data, or prevent the software from working at all. The Top 25 list is a tool for education and awareness to help programmers to prevent the kinds of vulnerabilities that plague the software industry, by identifying and avoiding all-too-common mistakes that occur before software is even shipped.
Software customers can use the same list to help them to ask for more secure software. Researchers in software security can use the Top 25 to focus on a narrow but important subset of all known security weaknesses.
Finally, software managers and CIOs can use the Top 25 list as a measuring stick of progress in their efforts to secure their software.
The list is the result of collaboration between the SANS Institute, MITRE, and many top software security experts in the US and Europe. It leverages experiences in the development of the SANS Top 20 attack vectors http://www.sans.org/top20/) and MITRE's Common Weakness Enumeration (CWE) (http://cwe.mitre.org/).
MITRE maintains the CWE web site, with the support of the US Department of Homeland Security's National Cyber Security Division, presenting detailed descriptions of the top 25 programming errors along with authoritative guidance for mitigating and avoiding them. The CWE site contains data on more than 800 programming errors, design errors, and architecture errors that can lead to exploitable vulnerabilities.
The 2010 Top 25 makes substantial improvements to the 2009 list, but the spirit and goals remain the same. The structure of the list has been modified to distinguish mitigations and general secure programming principles from more concrete weaknesses. This year's Top 25 entries are prioritized using inputs from over 20 different organizations, who evaluated each weakness based on prevalence and importance. The new version introduces focus profiles that allow developers and other users to select the parts of the Top 25 that are most relevant to their concerns. The new list also adds a small set of the most effective "Monster Mitigations," which help developers to reduce or eliminate entire groups of the Top 25 weaknesses, as well as many of the other 800 weaknesses that are documented by CWE.
Finally, many high-level weaknesses from the 2009 list have been replaced with lower-level variants that are more actionable.
Get your own copy at: http://cwe.mitre.org/top25/archive/2010/2010_cwe_sans_top25.pdf
Web Security DOJO V1.0 has been released Posted by cdupuis on Thursday, 04 March 2010 @ 07:31:36 EST (296 reads) TopicWeb Applications Security
Web Security Dojo
A free open-source self-contained training environment for Web Application Security penetration testing. Tools + Targets = Dojo
What?
Various web application security testing tools and vulnerable web applications were added to a clean install of Ubuntu v9.10.
Why?
The Web Security Dojo is for learning and practicing web app security testing techniques. It is ideal for training classes and conferences since it does not need a network connection. The Dojo contains everything needed to get started - tools, targets, and documentation.
To install Dojo you can install and run VirtualBox, then "Import Appliance" using the Dojo's OVF file. Go here for Virtual Box instructions. As of version 1.0 a VMware version is also provided.
Who?
Sponsored by Maven Security Consulting Inc (performing web app security testing & training since 1996
Pangolin 3.2.1.1020 Released Posted by cdupuis on Thursday, 04 March 2010 @ 07:20:07 EST (193 reads) TopicWeb Applications Security
Pangolin is an automatic SQL injection penetration testing tool developed by NOSEC. Its goal is to detect and take advantage of SQL injection
vulnerabilities on web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user"s specific DBMS tables/columns, run his own SQL statement, read specific files on the file system and more.
Release Notes 1.Support Microsoft SQL Server 2008; 2.Improved SQL Injection for MySQL. Support detecting function Unhex(). 3.New option added Scan->Extend scan mode. Optimize ability to Inject. 4.Improved Cookie detection. Multiple URL redirection will be Inject correctly.
SQL Injection and Parameter Manipulation Video Clips Posted by cdupuis on Wednesday, 03 March 2010 @ 11:13:58 EST (181 reads) TopicSQL Security
NOTE FROM CLEMENT: These two videos are very nice videos that demonstrate in simple terms what SQL Injections are and also what is Parameter Tampering. It is not for the purpose to learn everything there is to know about the subject, that would take weeks, the goal is to educate people and developers on the issue. They are great because of their short length and I like the animations as well. One picture is worth a thousand words they say. In this case on minute of video clip is worth 10 minutes of talks. I will most certainly use them in some of my classes. Job well done. Clement
One of the biggest challenges of the security community is to build true SDLC (Secure development Life Cycle).
The biggest obstacle is that application developers at large lack the know-how and motivation to address application risk.
At Checkmarx labs we thought that a new approach to application developers might help them cross the barrier. We have developed as a pilot including two short animated clips that should help developers understand security flaws, how they can be detected and consequently prevented.
We built one clip for SQL Injection and another for Parameter Tampering - limited up to 5 minutes each.
We would appreciate feedback from the OWASP community whether the effort is meaningful and should it be extended.
HPING3 Cheatsheet Posted by cdupuis on Wednesday, 03 March 2010 @ 10:57:45 EST (240 reads) TopicIn the News
HI,
After the NMAP cheatsheet version 5, we released one for hping (www.hping.org).
We believe that having a quick reference tool is necessary because of its complexity, also including a description of the ICMP codes and the structure of TCP, IP, UDP and ICMP will be useful when combining this information with the appropriate hping flags to craft packets.
Also, some examples are enclosed in order to approach special requests with this awesome tool.
As weel as with the NMAP one, we released a translated version to spanish.
pwntooth (pown-tooth) is designed to automate Bluetooth Pen-Testing. It scans for devices, then runs the tools specified in the pwntooth.conf; included blueper, bluesnarfer, Bluetooth Stack Smasher (BSS), carwhisperer, psm_scan, rfcomm_scan, and vcardblaster.
Blueper is a tool designed to abuse Bluetooth file transferring. It uses ussp-push to transfer files from one device to another. The design of this tool provides several possible end results. One is an annoyance of continual popups of file transfer requests on the remote device. Another, is to write data to a remote device disk without user interaction. It can even lock up or crash some devices.
vCardBlaster is a tool designed to abuse the sending of vCards over Bluetooth. It allows the user to send a continual stream of vCards to attempt a Bluetooth DoS or abuse other device recourses. A user can send a specific vCard or allow vCardBalster to send a new generated vCard for each iteration. It also allows for an attack on one or all Bluetooth enabled devices in the area.
SpoofTooph is designed to automate spoofing or cloning Bluetooth device Name, Class, and Address. Cloning this information effectively allows Bluetooth device to hide in plain site. Bluetooth scanning software will only list one of the devices if more than one device in range shares the same device information when the devices are in Discoverable Mode (specificaly the same Address).
Katana V1.5 has been released -- A Linux multiboot DVD Posted by cdupuis on Wednesday, 03 March 2010 @ 08:51:03 EST (305 reads) TopicLinux Distro for testers
Katana v1.5 (Z@toichi) has been released! (Click here for Katana project page) After several months of work and some reconsiderations of the pre-packaged tools, this award winning project has a new release. This release has a couple of major changes to the disto list and the introduction of the Katana Tool Kit. The new version should be much more friendly for all the Windows users out there. The addition of the Katana Tool Kit should make using all the portable Windows apps much easier. Another key addition to Katana is a USB write blocker to prevent that pesky anti-virus from deleting some of the tools. Katana can be Downloaded directly or through it's Torrent.
What is Katana? For those who are not familiar with the project, Katana combines hundreds of security tools to run off a single USB thumb drive. Katana brings together many of the best security distributions (Backtrack, Ophcrack, UBCD, Trinity Rescue Kit, Derik's Boot and Nuke, etc.) along side hundreds of portable Windows applications (Wireshark, HiJackThis, OllyDBG, The Sleuth Kit, ClamAV, FindSSN, AngryIP , etc.) to form a Portable Multi-Boot Security Suite. Katana includes distributions and Windows applications which focus on Pen-Testing, Auditing, Forensics, System Recovery, Network Analysis, Malware Removal and more.
Katana is also highly customizable. One of the major goals in the project was to develop an environment where users could tailor Katana to their needs. Users can customize Katana by adding and removing Distros and Portable Applications with relative ease. The best resource for these sorts of modifications is the Hack From A Cave Forum.
There has been a major overhaul in the distros which come pre-loaded with Katana. A lot of this overhaul was due to interests on the forum. Thank you to all the requests and posts we've had. Fear not, instructions on installing all the distros from v1.0 can still be found on the Forum
Removed
Got Root? Slax
Slax is not being included by default, but Katana users are encouraged to add a Slax based distro and modules to fill in some of the gaps in functionality in the included distrso.
OSWA Assistant
Due to the overlap in functionality between this distro and other distros this project has been removed.
Damn Small Linux
This project does not appear to be supported anymore.
Damn Vulnerable Linux
While this distro is great for learning purposes, it is not as useful for field use.
Added
Kaspersky Live
Added some anti-virues capabilities to the distro list.
Trinity Rescue Kit
Some additional tools for recovery and repair operations on Windows machines
Clonezilla
Clone and backup any system.
Puppy
Puppy was added to replace DSL. Puppy seems to be better supported.
Derik's Boot and Nuke
Quickly erase a disk.
Updated
Backtrack
Moved from "Backtrack 4 pre" to "Backtrack 4".
- Katana Tool Kit -
The Katana Tool Kit (KTK) is a suite of Windows applications which can be run of a USB Flash Drive. Without the need for installation on the base system, users can bring a suite of uncompromised tools with them anywhere. Tools like Wireshark, HiJackThis, Firefox, PuTTY, Unstoppable Copier, OllyDBG, ProcessActivityView, SniffPass Password Sniffer, ClamAV, Undelete Plus, IECookiesView, MozillaCacheView, FreeOTFE, The PC Decrapifier, FindSSN, The Sleuth Kit, and OpenOffice. There are over 100 unique projects included in the KTK.
The KTK facilitates fast access to all the Katana Windows applications. The applications are broken down into the following categories: Anti-Virus, Backup, Encryption, File System, Forensics, Media, Networking, Office, Recovery, Registry, System, Utilities. Each project provides unique functionality to the various categories listed above.
The KTK also facilitates the easy addition of other portable applications. By simply installing applications to a sub-folder of the "PortableApps" directory, your favorite applications will appear in the KTK the next time it is launched.
In Katana v.1.5, several new utilities have also been added to the Katana Tool Kit:
The GnuWin32 project provides Win32-versions of GNU tools, or tools with a similar open source license. The ports are native ports, that is they rely only on libraries provided with any standard 32-bits MS-Windows operating system.
This is a collection of utilities and libraries By George M. Garner Jr. is intended for forensic or forensic-related investigative use in a modern Microsoft Windows environment. The components in this collection are intended to permit the investigator to sterilize media for forensic duplication, discover where logical volume information is located and to collect the evidence from a running computer system while at the same time ensuring data integrity (e.g. with a cryptographic checksums) and while minimizing distortive alterations to the subject system.
Angry IP Scanner (or simply ipscan) is an open-source and cross-platform network scanner designed to be fast and simple to use. It scans IP addresses and ports as well as has many other features
SpyDLLRemover is the standalone tool to effectively detect and delete spywares from the system. It comes with advanced spyware scanner which quickly discovers hidden Rootkit processes as well suspcious/injected DLLs within all running processes.
Eraser Portable is a secure data removal tool that runs directly from your iPod, USB thumbdrive, portable hard drive or any other portable media. You can plug it right into any Windows computer and use it just like you would on your own. It is a repackaged version of the popular Eraser utility designed with portability in mind, so it has all the same great features of Eraser, but there's nothing to install.
VLC Media Player Portable is the popular VLC media player packaged as a portable app, so you can take your audio and video files along with everything you need to play them on the go.
InfraRecorder Portable is the popular InfraRecorder CD/DVD burning program packaged as a portable app, so you can do your disk burning on the go. It has all the same great features of InfraRecorder including the creation of custom data, audio and mixed-mode projects and recording them to physical discs as well as disc images.
SiteShoter is a small utility that allows you to save a screenshot of any Web page into a file. It automatically creates hidden window of Internet Explorer, loads the desired Web page, and than save the entire content of the Web page into an image file (.png, .jpg, .tiff, .bmp or .gif). You can also use SiteShoter to convert .html file on your local drive into image file.
uTorrent is the world's most popular BitTorrent client. Most of the features present in other BitTorrent clients are present in uTorrent, including bandwidth prioritization, scheduling, RSS auto-downloading and Mainline DHT (compatible with BitComet).
gVim Portable is a feature-rich and not-too-hard-to-use text editor, and a very feature rich one at that. With gVim you can code, highlight syntax, and do everything else you would expect of a text editor worth its weight in megabytes.
Ophcrack is a free Windows password cracker based on rainbow tables. It is a very efficient implementation of rainbow tables done by the inventors of the method. It comes with a Graphical User Interface and runs on multiple platforms.
- USB Write Blocker -
A USB write blocker application has been added to help prevent malware installing on the USB Flash Drive and to prevent the anti-virus from deleting any of the totally awesome apps from the Katana Tool Kit. By running the MakeUSBReadOnly.bat on mount, unmounting and remounting the drive, going about you business, and running MakeUSBWritable.bat after you are done, you can prevent most interference by applications on the base OS.
- Misilanious Changes -
- Added drive logo. - Changed directory for user data from "home" to "Documents". - Modified boot menu to add scrolling.
The Honeynet Project Forensic Challenge 2010 Posted by cdupuis on Sunday, 28 February 2010 @ 10:42:45 EST (202 reads) TopicTraining
The Honeynet Project has revived an successful program from the past: The Honeynet Project Forensic Challenge 2010. The purpose of the Forensic Challenges is to take learning one step farther. Instead of having the Honeynet Project analyze attacks and share their findings, Forensic Challenges give the security community the opportunity to do so. In the end, individuals and organizations not only learn about threats, but also learn how to analyze them. Even better, individuals can access the write-ups from other individuals, and learn about new tools and techniques for analyzing attacks. Best of all, the attacks of the Forensic Challenge are attacks encountered in the wild, real hacks, provided by our members.
It has been several years since we provided Forensic Challenges and with the Forensic Challenge 2010, we will provide desperately needed upgrades. Currently, we are running our second challenge provided by Nicolas Collery from the Singapore Chapter and Guillaume Arcas from the French Chapter. It deals with client-side attacks and is titled browsers under attack. (accessible at https://www.honeynet.org/challenges/2010_2_browsers_under_attack)
The deadline for submissions is Monday, Match 8th 2010 and results (including a sample solution) will be posted on Monday, March 22nd 2010. The top 3 submissions will be awarded with prizes.
Cheatsheet for NMAP Version 5 Posted by cdupuis on Friday, 19 February 2010 @ 09:00:32 EST (515 reads) TopicNMAP
Hi everyone,
Here i attached a quick reference (also known as cheatsheet) for NMAP, incorporating in addition to common parameters, some commands which are specific of the last branch released. I've also incorporated on the lower section some examples with typical scans which can be performed with this tool.
Security+ Tutorial for the CompTIA certification SY0-201 Posted by cdupuis on Saturday, 13 February 2010 @ 12:04:40 EST (6575 reads) TopicIn the News
Good day to all,
Today I am proud and excited to announce our new series of Flash Based Tutorial for the Security+ certification exam from CompTIA. Our intend is to produce one tutorial per domain, as well as MP3 files, quizzes, cram study guides, and to give you the ability to prepare and pass the exam the first time you try it after you have studied all of the domains. The tutorial can be used as a supplement to your live classroom training or as your main source of study.
Countless hours have been spent on creating unique content that is well researched and well presented. We did produce quite a few diagram using drawing tools such as Visio to help you understand key topics. The graphics and content is 100% from CCCure and whenever we use resources such as books or online content we have included a reference to the source.
We hope that you will enjoy this new series of tutorial and your feedback is most welcome. Feedback could include tips and tricks, reporting typos, suggesting new content, or anything else you think of that can help us improve the content and benefit to others. If you know of URL, Documents, Sites, or anything else related to the Security+ Certification please do let us know and we will add it to our download and links resources.
HOW MUCH WILL THIS COST ME?
This is always the big question. You probably heard me say in the past that NOTHING IS FREE, I still stand by this statement. However, I think I have an approach that is very appealing and you will most likely appreciate it.
I came out with this new DonationWare approach. The way it works is very simple, instead of buying the tutorials at $400 to $700 which is a lot of money, I will let you make use and learn from my tutorials and once you have made it through, you make a donation of an amount that you determine yourself if you can afford it. It is totally up to you whether or not you wish to donate.
This is the approach I am going to use for the first domain of the Security+ series of tutorials. This approach is based on the honor system which is a great value from my military days. Nobody will be running after you with an AK47 to get your money :-)
Based on the success or failure of this new approach, the future of the other domains will be decided, it is up to you to decide if you wish to support this approach or if you prefer that I do like other content prublishers and sell it instead for a large amount of money :-) I think the decision is a no brainer...
The second requirement is that you must create an account (see link below) on our portal to access the material. As stated very clearly in our Usage Agreement: I will send you advertising from our sponsors once in a while and this is the price to pay to be a CCCure portal member. I will never sell or give your email address to anyone else. I will pass messages from my sponsors but they do not get access to your email address. The messages you will receive are related to higher education or security products, I do not send emails on male enhancement products, lottery scheme, etc... Usually we send only a few messages per month, you will not be inundated with traffic. Please read our Usage Agreement before joining.
ARE YOUR AN INSTRUCTOR, A TRAINING COMPANY, A COLLEGE, A UNIVERSITY ??
Our resources are NOT to be used within any commercial offering, bundle, media compilation without you obtaining a license first.
If you are an instructor, a training company, or an higher education institution, and you are are interested in helping your student in their learning path, helping them achieve their certification goals, we will be please to license our resource for your own usage within your commercial offering.
We do have very attractive pricing for you and I am sure you will like it. Our license price is less than what you would pay for a few days of work from a skilled courseware developer. We have done the work and you can reap the rewards. Send me an email at clement(dot)dupuis[at]cccure(dot)com if you are interested.
Don't have an account yet? You can create one. As a registered user you have some advantages like theme manager, comments configuration and post comments with your name.