Posted on November 28, 2007 at 11:37:33 AM
I am a big fan of computer-based training; I think the potential for this is enormous, especially for organizations that are looking to train large numbers of their staff. One obvious advantage is the ability to scale easily across many employees and many sites. But another important and perhaps overlooked advantage is the ability to help students really gain confidence with the material, understand their weak spots, consider areas they need to work on and finally prepare for any certification goals. Such tools can also be used to simulate the real exam and provide results that then feed back into a study plan.
Recently a close friend, Mano Paul, launched Express Certifications, a training and certification company focused on developing innovative testing and training solutions, one of which is the new training portal focused on the CISSP and the SSCP exams. This site is the Official (ISC)2 Practice Self Assessment provider and provides CISSP Practice Exams as well as SSCP Practice Exams. The main benefit this site provides is in helping you gauge your readiness for the certification exam. One of the things I like about it is that it targets not just the end result but also the preparation. The idea is that you first assess yourself, figure out what areas you need to focus on, continue to work on those areas of weakness until you have mastered the material, and then finally take the certification exam. And because the subscription to this site is not time limited, it allows you to prepare for and take the exam at your own pace rather than letting your preparatory material determine when you take the exam. One of the really cool things Mano has done with this site is to provide rich reporting which can act as your personal study planner. Finally, it also simulates the experience of taking the real exam before you actually take it. Of course, as you go through this entire process you can perform a SWOT analysis and check your own personal readiness while watching all the time how you are trending towards your final goals.
There are also benefits for larger organizations attempting to certify some or all of their employees. The main one perhaps is the ability to judge whether your employees are ready for the certification exam before investing in the cost of the exam itself. Further, even without certification goals, the ability to view the competence levels of your employees in the different domains of security is in itself a great benefit for security teams. Finally, it is very competitively priced, allowing both individuals and organizations to sign up at relatively low cost. In fact they offer corporate and affiliate programs that could provide advantages when signing up in volume.
In any case, I am pretty excited by this offering and apparently so is perhaps one of the most discerning clients around: the Department of Defense (DoD) uses this training portal to assess the readiness of its information assurance personnel as part of the 8570.1 directive. Good luck Mano :) and good luck to all of you preparing for the CISSP / SSCP examinations. Hopefully this site can help with that endeavor.
For more details visit the site or use the contact information in the sidebar.

Posted on October 17, 2007 at 12:20:03 AM
I was reading my buddy Alex Smolen's post the other day on Java Applet Security and figured I would see his post and raise it with a post on ActiveX control security. Actually, as you can probably see, I have been slacking on the posting front, so figured it is about time, and this specific issue, ActiveX control security, has been something I have been seeing a lot of in assessments, yet it doesn't seem to be covered enough in either the testing literature out there or in secure development guides.
As it turns out, ActiveX controls are at the end of the day C++ or C# or (pick your favorite language) code, so much of the guidance on secure application development continues to apply as you would expect. However, ActiveX controls add another interesting dimension: they are mobile code and execute not on the server, like typical web applications do, but on the client machine. That means any vulnerability in the control places each and every one of your customers at risk. With popular ActiveX controls, installed on hundreds of thousands if not millions of computers across the globe, the exposure is enormous. What exacerbates the risk even more is that these controls typically provide very powerful functionality by leveraging deep access into the client computer. This in turn can mean you are putting your users at risk even if you have no stereotypical vulnerabilities in your control code. Let me explain why merely having no buffer overflows and the like is not enough to protect your customers.
Well, it all really comes down to the trust model and the sandbox built for ActiveX controls in the browser, Internet Explorer for the most part. Enter the notion of a control being "safe for initialization" and/or "safe for scripting". The relevant MSDN documentation on this is quoted here:
Initialization Security
When a control is initialized, it can receive data from an arbitrary IPersist* interface (from either a local or a remote URL) for initializing its state. This is a potential security hazard because the data could come from an untrusted source. Controls that guarantee no security breach regardless of the data source are considered safe for initialization. There are two methods for indicating that your control is safe for initialization. The first method uses the Component Categories Manager to create the appropriate entries in the system registry. Internet Explorer examines the registry prior to loading your control to determine whether these entries appear. The second method implements an interface named IObjectSafety on your control. If Internet Explorer determines that your control supports IObjectSafety, it calls the IObjectSafety::SetInterfaceSafetyOptions method prior to loading your control in order to determine whether your control is safe for initialization.
Scripting Security
Code signing can guarantee a user that code is trusted. However, allowing ActiveX Controls to be accessed from scripts raises several new security issues. Even if a control is known to be safe in the hands of a user, it is not necessarily safe when automated by an untrusted script. For example, Microsoft Word is a trusted tool from a reputable source, but a malicious script can use its automation model to delete files on the user's computer, install macro viruses, and worse. There are two methods for indicating that your control is safe for scripting. The first method uses the Component Categories Manager to create the appropriate entries in the system registry (when your control is loaded). Internet Explorer examines the registry prior to loading your control to determine whether these entries appear. The second method implements the IObjectSafety interface on your control. If Internet Explorer determines that your control supports IObjectSafety, it calls the IObjectSafety::SetInterfaceSafetyOptions method prior to loading your control in order to determine whether your control is safe for scripting.
When it comes to ActiveX controls designed for the browser, it is more likely than not that these are marked as safe for scripting.
The problem is that this approach is binary: a control is either never safe for scripting or always safe for scripting, regardless of which page is hosting it. As we just said, most developers will mark the object safe for scripting and all seems well. This is where it begins to get really interesting from a security perspective. A control marked as safe for scripting can be loaded by any and every web page author, whether they work for your organization or are the teenage blackhat hackers down the street or in some dark basement halfway across the globe.
Consider now a familiar use case for an ActiveX control: a control that lets you browse your local file system and upload files to, or delete files from, the server. Developing this control just won your company the award for most usable site on the entire World Wide Web and, as they say, business is good. Joe Hacker down the street is an avid user of your site, and hence of your ActiveX control, and realizes he might have a way to build himself a nice little botnet through it. So here is what he does:
He creates a phishing site that looks perhaps just like yours, or indeed like anything else.
Within this site he loads your ActiveX control using the object tag he noticed in the HTML source of your website.
He calls the interfaces, methods and events exposed by your ActiveX control from script within his fake website.
You see where this is going: the more powerful your control, the more power Joe Hacker has in his evil, evil hands. Sigh :(
So what is the solution, you ask? As tempted as I am to leave that for another day and build on the suspense, I shall not :).
This is where the SiteLock template comes in. From the download page:
"The SiteLock ATL template enables an ActiveX developer to restrict access so that a control is only deemed safe when used in a predetermined list of domains. This limits the ability of Web page authors to reuse the control for malicious purposes."
Essentially, SiteLock lets the developer define a set of website domains (or Internet Explorer zones) that are allowed to host the control. This allow list is compiled into the control itself, and each time the browser asks whether the control is safe, the control looks up the URL of the page loading it and checks that the site is on the list; if it is not, the control reports itself unsafe and refuses to load. SiteLock can also "expire" a control after a certain period, so that the functionality present in the control is disabled after a given date, which limits how long an old, forgotten build remains useful to an attacker. Both measures mitigate repurposing of your control, whether malicious or merely careless, and also lower the risk if the control turns out to have an unpatched vulnerability such as a buffer overflow, since the vulnerable code can no longer be reached from arbitrary sites. It is thus an excellent example of defense in depth and risk mitigation, it is easy enough to code into the control, and so there is little reason not to do it. Two caveats a practitioner should keep in mind: SiteLock restricts who may script the control, it does not make the control's own code any safer, and the allow list is only as strong as the sites on it. A cross-site scripting flaw on an allowed domain lets an attacker script the control from that domain, and allowing plain http entries lets anyone who can tamper with the network serve a page that appears to come from an allowed site. Keep the list short, prefer https, and hold the allowed sites to the same standard as the control.
For the technically inclined, the SiteLock template works by providing its own implementation of the aforementioned IObjectSafety interface, IObjectSafetySiteLockImpl. This implementation performs the checking described in the previous paragraph and answers Internet Explorer's safety query accordingly.
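To make that checking concrete, here is an added example written for this post; it is not code from the SiteLock template or from Microsoft. It models the decision a SiteLock-style IObjectSafety implementation hands back to the browser: the control reports itself safe only if it has not expired and the hosting page's scheme and host match a compiled-in allow list. The real template obtains the hosting page's URL from the browser through the control's client site; here the URL is passed in as a string so the logic runs anywhere. The entry format, the "*." subdomain wildcard semantics, the Unix-timestamp expiry and the example.com allow list are this example's own assumptions.

```cpp
// Added example: a portable, simplified model of the check a SiteLock-style
// IObjectSafety implementation performs. The allow-list format, wildcard
// semantics and expiry handling are assumptions of this example, not the
// template's own. The hosting URL is passed in directly instead of being
// fetched from the browser's client site.
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// One allow-list entry: scheme plus host pattern. A pattern starting with
// "*." matches any subdomain of the suffix but not the bare apex domain.
struct SiteEntry {
    std::string scheme;
    std::string domain;
};

static std::string toLower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Extract scheme and host from a URL. Userinfo, port, path, query and
// fragment are discarded. Returns false (caller fails closed) on anything
// that is not of the form "scheme://host...".
static bool parseSchemeAndHost(const std::string& url, std::string& scheme, std::string& host) {
    const auto sep = url.find("://");
    if (sep == std::string::npos) return false;            // e.g. "javascript:..." or "about:blank"
    scheme = toLower(url.substr(0, sep));
    std::string authority = url.substr(sep + 3);
    authority = authority.substr(0, authority.find_first_of("/?#"));
    // "https://www.example.com@evil.net/" is hosted on evil.net: keep only what follows the last '@'.
    const auto at = authority.rfind('@');
    if (at != std::string::npos) authority = authority.substr(at + 1);
    // Drop the port (IPv6 literals keep their brackets).
    if (!authority.empty() && authority[0] == '[') {
        const auto close = authority.find(']');
        if (close == std::string::npos) return false;
        authority = authority.substr(0, close + 1);
    } else {
        authority = authority.substr(0, authority.find(':'));
    }
    while (!authority.empty() && authority.back() == '.') authority.pop_back();  // "example.com." is "example.com"
    if (authority.empty()) return false;
    host = toLower(authority);
    return true;
}

static bool domainMatches(const std::string& pattern, const std::string& host) {
    if (pattern.rfind("*.", 0) == 0) {
        const std::string suffix = pattern.substr(1);        // ".example.com"
        return host.size() > suffix.size() &&
               host.compare(host.size() - suffix.size(), suffix.size(), suffix) == 0;
    }
    return host == pattern;
}

// The answer handed back to the browser when it asks whether the control is
// safe: true only if the control has not expired AND the hosting page's
// scheme and host match an allow-list entry. Everything else fails closed.
bool siteLockAllows(const std::vector<SiteEntry>& allowList, long long expiryUnix,
                    const std::string& hostingUrl, long long nowUnix) {
    if (nowUnix >= expiryUnix) return false;
    std::string scheme, host;
    if (!parseSchemeAndHost(hostingUrl, scheme, host)) return false;
    for (const auto& e : allowList)
        if (e.scheme == scheme && domainMatches(e.domain, host)) return true;
    return false;
}

// Constructed allow list for the hypothetical file-management control:
// only the production site and its subdomains, over HTTPS only.
static const std::vector<SiteEntry> kTrustedSites = {
    {"https", "www.example.com"},
    {"https", "*.example.com"},
};
static const long long kExpiry = 2000000000LL;   // assumed build-time expiry (Unix seconds)

bool demoAllows(const std::string& hostingUrl, long long nowUnix = 1700000000LL) {
    return siteLockAllows(kTrustedSites, kExpiry, hostingUrl, nowUnix);
}

int main() {
    const std::vector<std::string> pages = {   // constructed sample hosting URLs
        "https://www.example.com/upload.aspx",
        "https://portal.example.com/",
        "https://example.com/",
        "http://www.example.com/",
        "https://www.example.com.evil.net/",
        "https://www.example.com@evil.net/",
        "https://evil.net/?next=https://www.example.com",
        "javascript:alert(1)",
    };
    for (const auto& p : pages)
        std::cout << (demoAllows(p) ? "ALLOW  " : "REFUSE ") << p << '\n';
    std::cout << (demoAllows(pages[0], kExpiry + 1) ? "ALLOW  " : "REFUSE ")
              << pages[0] << " (after expiry)\n";
    return 0;
}
```

Note what the check rejects: a lookalike domain that merely ends in the trusted name, a URL whose userinfo part is the trusted host name, a plain http page on the right domain, and anything that is not a scheme://host URL. Every failure path reports unsafe; a check like this must fail closed, because the browser acts on whatever answer it gets.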
References:
Designing Secure ActiveX Controls
Best Practices for ActiveX Control Updates
New Version of SiteLock Template
P.S. It is important to note that what has been discussed here bears no relation to whether the control is signed or unsigned, which is what Alex's post talked about. Instead it focuses on the properties of a legitimate ActiveX control. The browser will still show the regular warnings, whether the control is signed or unsigned, depending on how your browsing security policy is defined. It will however NOT tell you whether the site attempting to use an ActiveX control is legitimate or malicious; it has no way of knowing that. So as a developer your action item is to make sure all your controls that will be hosted in a browser are protected using SiteLock. If your controls are never intended to run in a browser, do not mark them as safe for scripting or initialization: with its default Internet zone settings, Internet Explorer will not initialize or script such controls, so problem solved!
If you are an end user, make sure the controls you use have this protection, or hound the developers until they provide it. In the meantime, refuse to load ActiveX controls, whether signed or unsigned, from untrusted websites!

Posted on September 20, 2007 at 12:31:06 PM
Again I know this is off topic but I had to share this. Thanks to my co-worker Jeremy Allen for sharing it with me. I did not have the opportunity to take any classes with this Professor while I was at CMU but I have heard of his work and what he has done at the Entertainment Technology Center. He rocks!

Posted on September 9, 2007 at 1:29:42 AM
At the beginning of the year I was flying to California and the movie playing on board was The Queen featuring Helen Mirren. A number of times during the movie the word "God" shows up; after all, the anthem of the UK is God Save The Queen, and the movie did deal with the royals and the passing away of Princess Diana. Anyway, a few weeks after that this news made its way around the Internet. The airlines came out saying it was the distributor's fault. While the distributor accepted responsibility, they blamed an overzealous rookie who was tasked with taking out profanities and blasphemy!
Well now it has happened again, I was on a plane today watching the Fantastic Four sequel and again there are a few more "Oh My God!" moments and all you hear is "Oh My"! I wonder how they will explain it away this time? I don't know if it's the same distributors or not but it will still be interesting to hear the explanation.
The interesting thing is I have a few friends who are atheists and agnostics and, having spoken to them, none of them said they would be offended if the word "God" was NOT censored. So I am not really sure where this political correctness is coming from. More importantly, none of the references I have seen are anything out of the ordinary; it isn't like worship of a particular God or following a particular religion was being advocated. It's nothing you would not hear in a regular day-to-day conversation. In fact, funnily enough, in the case of The Queen incident the movie was followed by a seemingly uncensored episode of The Office, which had a fair few more mature themes, as you would expect :).
Anyway, I know this is a bit off topic for me, but I still thought it was kind of strange!

Posted on September 4, 2007 at 2:35:11 AM
Much has been made about poor Miss Teen South Carolina messing up on Geography and everything else remotely academic. But honestly, if Google News (with all of its Ph.Ds and Mensa members), NBC and KTUU can think Iraq is in Africa, then who are we to criticize ;).
P.S. Yeah, I know, slip of the tongue (or keyboard perhaps in this case) and all, but still funny I think :). And yes, I did check that he didn't *also* visit Africa. At least the article being linked to doesn't say so now. My guess is it originally mentioned Africa in the title and that's when Google indexed it, but since then some editor at KTUU updated it and it's only a matter of time before Google picks up the new version. Hence this screenshot to save it for posterity ;).
P.P.S. Yeah, I know Google has nothing to do with this, but forgive my Google bashing for today :).
