Monday, April 17, 2006

WANA BAG’a CERTIFICATE – Let’s see how ?? & which one ??

There are hundreds of programs in today’s certification landscape. How can you tell the good from the bad, the winners from the losers, or what’s up-and-coming from programs on their way down? While careful analysis of the market is always warranted, and reality checks against current classified employment ads and job postings are highly recommended, I present lists of leading certifications in this story, across various categories we believe to be of definite interest to our readers.

Program/Certification Selection and List Order

In analyzing certification offerings according to specific criteria—like those used in this story—it’s important to understand how individual certifications and programs stack up against them. Wherever possible, we used the relative size of certified populations and such consensus as was available about the appeal, popularity, employability and pay for certification holders to break ties among otherwise equally ranked programs. In many cases, item order is arbitrary.

Best Hands-On Programs

Certifications in this category involve exams that not only test real-world skills and knowledge, but also demand that the test-takers demonstrate such skills and knowledge as a part of an exam or hands-on training. Such exams or programs are sometimes called “performance-based,” “practicum” or “laboratory” (lab) exams. Whatever name is used to identify these certifications, they all involve on-the-spot analysis and problem-solving and do their best to stage (or simulate) real-world system and hardware situations. Roll up your sleeves, and get your hands dirty while getting as close to a reality check as any certifications deliver today.

  1. Cisco Certified Internetwork Expert (CCIE): With more than 10,000 CCIEs certified worldwide, this nonpareil credential includes a challenging, one-day lab exam that’s still widely regarded as the toughest certification exam around. Most CCIE candidates take the $1,250 lab exam—which also requires travel expenses for those who don’t live within driving distance of one of the 10 lab test centers around the globe—more than once to get certified. While neither cheap nor easy, the CCIE remains a valued prize as certifications go, which explains why it appears at or near the top of lists of the most desired or most valuable IT certifications. See www.cisco.com/go/ccie.
  2. Red Hat Certified Engineer (RHCE): The RHCE exams take an entire day and include about six hours worth of what the company calls performance-based exams—where candidates must install, configure or troubleshoot Red Hat servers and related network protocols and services. Highly regarded as representative of real-world situations and circumstances, these challenging exams also get high marks from certified professionals and their employers alike. The Red Hat Certified Technician (RHCT) exam is also performance-based and gets many of the same accolades. (It originally ranked as No. 4 in this list, but was dropped as a separate entry for brevity’s sake). See www.redhat.com/training/rhce/courses/.
  3. Novell Certified Directory Engineer (CDE): Novell calls the CDE exam a practicum, which requires logging into a carefully contrived and constructed set of networking components—servers, services and directories fully populated with users, groups, accounts, access controls and so forth—to analyze, design, configure, troubleshoot and repair the directories that make them work. Successful exam takers label the exam as demanding and intense, but also as an honest test of real-world knowledge and skills. See www.novell.com/training/certinfo/cde/.
  4. Oracle9i DBA Certified Professional (OCP): With the introduction of the Oracle9i DBA program, Oracle also now requires all candidates to complete an instructor-led hands-on course that involves significant real-world interaction and problem-solving, in addition to standard multiple-choice exams. This injects the kind of hands-on component needed to qualify for this list. See www.oracle.com/education/certification/index.html?dba9i_ocp.html.
  5. Oracle9i Database Administrator Certified Master (OCM): This credential requires a grueling two-day practicum exam administered at Oracle University locations. The exam’s still too new for a lot of intelligence to be available, but word is that it’s demanding, comprehensive and difficult. See www.oracle.com/education/certification/index.html?dba9i_ocm.html.
  6. Field Certified Systems Engineer (FCSE): Sponsored by the Field Certified Professional Association (FCPA), whose mission is to provide certifications based on the principles and practices of performance-based testing, the FCSE is available for Windows NT 4.0 and Windows 2000/XP environments, with numerous additional environments slated for coverage. Initial reports describe the credential as living up to its promise to identify individuals with real-world skills and knowledge appropriate for senior system engineering positions. See www.fieldcertification.org/Exams/FCSE_Exams/FCSE_Exams.htm.
  7. Field Certified Systems Administrator (FCSA): A more junior-level version of the FCSE, available for Windows NT 4.0, Windows 2000/XP and Cisco-based networking environments. See www.fieldcertification.org/Exams/FCSA_Exams/FCSA_Exams.htm.
  8. Field Certified PC Technician (FCPT): One of the Field Certified Help Desk Technician group of exams from the FCPA, this credential aims to identify individuals with real-world PC skills suitable for a bench technician, installer or help-desk professional. Numerous additional credentials in this general area are planned and should be worth watching. See www.fieldcertification.org/Exams/FCHDT_Exams/FCPT_Exam/FCPT_Exam.htm.
  9. Certified Professional Information Technology Consultant (CPITC): A certification from the Professional Standards Institute, an organization devoted to establishing performance-based credentials for all kinds of professionals, this credential covers a broad range of IT subject matter and must be supported with documentation and testing designed to measure real-world knowledge and expertise. The credential also carries hefty annual recertification requirements. To learn more, see www.professionalstandardsinstitute.com/cpitc.htm.
  10. Cisco Career Certifications (Associate, Professional and Specialist): Although the various Cisco certifications beneath the CCIE do not include lab exams or practicums, they do make extensive use of simulation technology to include real-world problem-solving and to measure real-world skills as part (but not all) of the current exams relevant to these credentials. This makes them worthy of mention as the last item in this list. See www.cisco.com/go/certification.

Best Vendor-Neutral Credentials
Programs that not only preach vendor-neutrality, but also deal frankly, freely and fairly with both weaknesses and strengths in specific solutions, while covering a realistic range of offerings, are more prevalent in certification program descriptions than in actual practice. The following programs do a good job of maintaining vendor-neutrality as well as claiming that perspective. Because such neutrality is a hallmark of academia, many leading contenders also have strong academic roots and relationships. It’s no accident that with only a single exception, all the organizations listed here are industry or professional organizations or consortia with strong roots in academia as well as in industry.

  1. National Association of Communication Systems Engineers (NACSE): With 12 certifications at multiple levels of competency in the areas of data networking, Web design and development and telecommunications currently available, and 12 more on programming topics under development, NACSE offers a large slate of vendor-neutral certifications developed in concert with academic institutions and industry players. See www.nacse.com/pages/orgcharts/certinfo.asp.
  2. National Association of Radio & Telecommunications Engineers (NARTE): With numerous certifications in the areas of telecommunications, electromagnetic compatibility/interference, electrostatic discharge control and wireless systems installation, NARTE also administers FCC commercial operator license exams. See www.narte.org.
  3. Project Management Institute (PMI): PMI is best known for its Project Management Professional (PMP) credential. The PMP embodies the kinds of strong credentials and broad acceptance that powerful alliance between academia and industry can create. Numerous undergraduate and graduate programs in computer science, engineering, MIS, IT and similar disciplines routinely offer curriculum elements that can lead to PMI certifications. See www.pmi.org/info/PDC_CertificationsOverview.asp.
  4. Field Certified Professional Association (FCPA): See the listing in the “Hands-On Programs” section for more information on the association’s certifications. See www.fieldcertification.org.
  5. Information Systems Audit and Control Association (ISACA): Parent to the large and popular Certified Information Systems Auditor (CISA) program and to the recently released Certified Information Security Manager (CISM) program, ISACA has already certified more than 30,000 CISAs worldwide. Its credentials are highly regarded for their even and open-handed approach to tools, technologies, policies, principles and practices. See www.isaca.org.
  6. BICSI: This group acts as a credentialing organization for the telecommunications industry and offers various certifications that include the Registered Communications Distribution Designer (RCDD) and other installer and technician credentials. The organization and its credentials are highly regarded for their general applicability and vendor-neutrality, as well as for preparing professionals to be effective in the workplace. See www.bicsi.org/Training/Index.aspx.
  7. Service & Support Professionals Association (SSPA): This trade association sponsors four help-desk/support-related certifications ranging from certs for support professionals and specialists who work in the trenches to credentials for managers and executives who must oversee service and support operations. With an emphasis on skills and knowledge throughout, as well as best practices, the SSPA maintains a strictly neutral stance on vendor products and platforms. See www.sspa.org.
  8. Linux Professional Institute (LPI): This nonprofit organization works to advocate and assist users worldwide who wish to work with Linux, open-source and free software. Best known for its Linux skills certifications for end-users and administrators, the organization works in multiple languages and locations around the world to reach the broadest possible community. Its stance on the technologies it covers is deliberately vendor-neutral, though it does include implementation-specific details in some of its exams. See www.lpi.org.
  9. The Computing Technology Industry Association (CompTIA): A leading proponent of and source for vendor-neutral certifications, CompTIA is a consortium that involves individuals, businesses and government players at all levels and also includes significant academic and research institutions. Its certifications seek to meet broad industry knowledge and skills needs and are vendor-neutral to serve the biggest possible audience. See www.comptia.org.
  10. Brainbench: A skills assessment and training organization, Brainbench does a great deal of business evaluating and assessing skills and knowledge to help employers gauge current and prospective employee qualifications for specific job roles and duties. In its mix of hundreds of exams and assessments, Brainbench does a great job of presenting vendor-neutral concepts and basics across a broad range of topics. See www.brainbench.com.

Most Technically Advanced Programs
Some certifications in this list require mastering an enormous amount of material in and of themselves; others require ingesting somewhat less information by volume but come with seriously hefty prerequisites. All of them, without exception, require deep skills and knowledge so that nearly all individuals who qualify for these certifications have eight to 10 years of relevant work experience, if not more.

  1. CCIE: A leader in many aspects of certification, the CCIE tops our list of technically advanced programs because of its broad and deep content coverage and the extreme demands it makes of candidates’ knowledge, analytical and troubleshooting skills.
  2. ASIS International: Formerly known as the American Society for Industrial Security, ASIS International now serves a global audience. This organization’s Physical Security Professional (PSP), Certified Protection Professional (CPP) and Professional Certified Investigator (PCI) credentials impose strict experience requirements on candidates, as well as involving large amounts of complex, detailed subject matter. These are capstone certifications for those seeking to specialize in physical security, general security strategy and implementation or security-related investigations. See www.asisonline.org.
  3. NACSE: This organization offers multiple certification ladders of three or more levels across numerous topics of interest to communications engineers and telecommunications professionals. For more information, see the discussion in the preceding vendor-neutral certifications section. Here, it suffices to say that programs are both broad and deep, and the highest-level credentials are quite technically advanced.
  4. NARTE: This organization offers several deeply technical certifications of interest to radio and telecommunications professionals and engineers. For more information, see the discussion in the preceding vendor-neutral certifications section. The credentials require broad and deep knowledge, and the highest-level certifications are quite technically advanced.
  5. HP Master Accredited Systems Engineer (Master ASE): The former highest-level Compaq certification, this HP credential requires multiple HP/Compaq and third-party certifications as prerequisites, along with a dizzying array of deeply technical certification options that range from enterprise management to various database platforms. To learn more, see www.hp.com/certification/levels/mase.html.
  6. (ISC)2 Certified Information Systems Security Professional (CISSP): By itself, the CISSP imposes a pretty serious technical burden on certification candidates. The CISSP concentrations—including the Information Systems Security Architecture Professional (ISSAP), Management Professional (ISSMP) and Engineering Professional (ISSEP)—permit CISSP-certified professionals to further concentrate in the areas of security architecture and design, security management and national-security-oriented engineering. As such, they raise the technical bar higher and present formidable technical challenges to candidates. See www.isc2.org.
  7. SANS GIAC Security Expert (GSE): A daunting set of five intermediate-level GIAC certifications—each of which must also be kept current to remain certified as a GSE—are the prerequisites that GSE candidates must first complete. They must qualify for honors in at least one of these areas, then sit for the GSE exam and complete a research project. The effort is intense, the amount of material enormous and the cost fairly high. As of this writing, only two people have qualified for this credential worldwide! See www.giac.org/track_cert.php.
  8. Sun Certified Enterprise Architect for the Java 2 Platform, Enterprise Edition: Another capstone credential, this one sits atop Sun’s highly regarded Java certification program. Candidates must not only accumulate at least two prerequisite certifications, they must also complete a multiple-choice exam, submit a completed design assignment and write an essay about that work. The time investment is significant, the learning curve steep, and the amount of related material quite large. See suned.sun.com/US/certification/java/java_archj2ee.html.
  9. Senior Protocol Analysis Certifications: These include Sniffer Technologies’ Sniffer Certification Program (www.networkassociates.com/us/services/education/sniffer/certification.htm), the Pine Mountain Group’s Certified NetAnalyst program (www.pmg.com/cna_chart.htm) and Wildpackets’ Network Analysis Expert program (www.wildpackets.com/services/certification). Protocol analysis requires deep and thorough knowledge of networking, protocols, messaging, services, security and more. All of these credentials require years of experience, cover a huge amount of territory and require intense study and effort.
  10. Master Certified Novell Engineer (Master CNE): With a serious prerequisite (CNE), plus four further required and elective exams (with CompTIA’s IT Project+ among the core exams), the Novell Master CNE was an original capstone, advanced IT certification. It has stood the test of time and remains both a challenging and highly regarded professional credential. See www.novell.com/training/certinfo/mcne.

Best Supporting Materials
Many of these certifications enjoy absolutely universal third-party support from practice test vendors, study guide and exam cram publishers, plus a plethora of Web sites, reports and exam intelligence, and analyses in magazines like this one. Others benefit from the very best official training and study materials around. Some—like those from Cisco—qualify on both counts! Coverage of these areas does not include pointers (they are far too numerous to do them justice):

  1. Cisco: Great in-house training materials, a strong official press, great coverage in the aftermarket and more choices for popular topics than you might believe. It doesn’t get any better than this anywhere! See www.cisco.com/go/certification.
  2. Microsoft: While the Microsoft Official Curriculum (MOC), MS Press books and other internal publications and information sources sometimes come in for their share of knocks (depending on the topic), no one can argue that Microsoft enjoys the best support in the aftermarket. Be it third-party training, study guides, exam crams, practice tests, flash cards—you name it—Microsoft still benefits from broad and comprehensive coverage. See www.microsoft.com/traincert.
  3. Novell: Strong in-house training materials, another strong official press and reasonable coverage in the aftermarket keep Big Red near the top of this list. Though neither NetWare’s market share nor aftermarket coverage of Novell cert exams are as big as they were 10 years ago, this program still enjoys strong support. See www.novell.com/training/certinfo.
  4. CompTIA: Especially for its biggest and most popular exams (A+ and Network+), CompTIA certifications enjoy extraordinary aftermarket support. Though the company itself offers no official training, the CompTIA Authorized Quality Curriculum (CAQC) program provides an official imprimatur for aftermarket materials that meet the company’s requirements for coverage, comprehensiveness and quality. See www.comptia.org/certification.
  5. Oracle: The biggest of the database vendors offers a formidable array of official training, supports a decent official press and benefits from aftermarket support across the board. Though frequent releases of Oracle versions mean equally frequent updates to training and certification materials—with occasional lags between release and availability nearly inevitable—there’s no shortage of good training and study material on Oracle certification topics. To learn more, see www.oracle.com/education/certification.
  6. Macromedia: With numerous certifications on ColdFusion, DreamWeaver and Flash available, an active official training program, a strong official Macromedia Press, lots of additional aftermarket support and a keen eye for compelling design and interesting content, Macromedia’s materials are hard to beat. See www.macromedia.com/support/training/certified_professional_program/.
  7. Sun Microsystems: With numerous publishers supporting Solaris and Java certifications, a strong official training channel and equally strong aftermarket support for training, practice tests and so forth, Sun’s certifications benefit from a broad array of supporting materials, some of which are as good as anything available to IT professionals anywhere. See suned.sun.com/US/certification.
  8. Apple Computer: Long a pioneer of technology innovation and information sharing, Apple’s various certification programs get strong internal support in the form of training, publications and online information. Aftermarket support for its offerings varies by topic, but its Apple Certified Technician for Pro Products program is targeted for strong support. See www.apple.com/training.
  9. (ISC)2 CISSP: The best-known of the intermediate-to-advanced information security certifications (and the new follow-on concentrations) are well supported through officially sanctioned training and study materials, but also with great aftermarket support. See www.isc2.org.
  10. Certified Wireless Network Professional (CWNP): With wireless technologies popping up in organizations and companies worldwide, the CWNP credentials from Planet3 Wireless are enjoying great interest and support. A strong official curriculum (developed by the same people who crafted the exams), a nice official press and strong aftermarket support give this area coverage to match its current cachet. See www.cwne.com.

Best New Programs or Certs
Though not all of the items in the following list are less than a year old, most are still relatively new to the IT certification scene. These new offerings represent innovative topics or subject focus, certify interesting and useful skills and knowledge or represent ways to involve IT professionals early in programs that require years of documented work experience. In the interest of brevity, these certifications are listed in no particular order and without additional supporting detail:

  1. EC-Council Certified Ethical Hacker (CEH): See www.eccouncil.org/CEH.htm.
  2. Apple Certified Technician for Pro Products: See www.apple.com/software/pro/training/cert_programs.html.
  3. Dell Certified Enterprise Engineer (DCEE): See www.dell.com/training/lookingtoyou.
  4. (ISC)2 Associate Program: This program lets individuals who don’t yet meet experience requirements pass the CISSP exam, then qualify when experience criteria are satisfied. See www.isc2.org/cgi/content.cgi?category=84#cat07.
  5. Sun Business Component Developer: See training.sun.com/US/certification/java/java_busj23e.html.
  6. ISACA’s CISM: See www.isaca.org/Template.cfm?Section=CISM_Certification.
  7. CWNP Program: See www.cwne.com.
  8. Novell Certified Linux Engineer (CLE): See www.novell.com/training/certinfo/clefaqfinal.pdf.
  9. CompTIA Security+: See www.comptia.org/certification/security/.
  10. HP’s Revamped Certification Program: This program does a great job of rationalizing former HP and Compaq credentials, while keeping the best of both programs going. See www.hp.com/go/certification.

Best Entry-Level Certifications
Those who wish to walk the certification trail, or climb one or more certification ladders as they tackle increasingly more difficult or demanding subjects, have to start somewhere. All the certifications in this list represent popular places for IT professionals to start. Most are highly regarded and remain widely sought-after. In the interest of brevity, these are listed in no particular order and without much additional supporting detail:

  1. Cisco Certified Network Associate (CCNA): See www.cisco.com/go/ccna.
  2. Certified Wireless Network Administrator (CWNA): See www.cwne.com/cwna/.
  3. Sun Certified Programmer for the Java 2 Platform (SCJP): See suned.sun.com/US/certification/java/java_progj2se.html.
  4. Red Hat Certified Technician (RHCT): See www.redhat.com/about/presscenter/2002/press_rhct.html.
  5. LPI Level 1 (LPIC1): See www.lpi.org/en/certification.html.
  6. SANS GIAC Security Essentials Certification (GSEC): See www.giac.org/subject_certs.php#GSEC.
  7. CompTIA A+: See www.comptia.org/certification/a/.
  8. CompTIA Security+: See www.comptia.org/certification/security/.
  9. CompTIA Network+: See www.comptia.org/certification/network/.
  10. Microsoft Certified Professional (MCP): See www.microsoft.com.

Best Specialty Certifications
Specialty certifications exist to permit intermediate- to senior-level IT professionals to focus in tightly on relatively narrow (but often very deep) subject areas. Most apply to specific vendor offerings or technologies; many leverage one or more prerequisite certifications; all require serious study and effort to obtain.

  1. Cisco Specialist Certifications: Topics include broadcast media, telephony, firewalls, virtual private networks (VPNs), wireless technologies and more. See www.cisco.com/en/US/learning/le3/le2/le41/learning_certification_level_home.html.
  2. Project Management Professional (PMP): An increasingly important adjunct certification for IT professionals from all parts of the industry, from services to development jobs. See www.pmi.org/prod/groups/public/documents/info/pdc_pmp.asp.
  3. ISACA’s CISA: One of the most popular and respected credentials in the increasingly important system audit area. See www.isaca.org/Template.cfm?Section=CISA_Certification.
  4. CISSP Concentrations: Add-ons to the popular and respected CISSP certification in the areas of security engineering, architecture and management. See www.isc2.org/cgi-bin/content.cgi?page=240.
  5. Nortel Networks Certified Architect (NNCA): A highly respected, senior-level credential for those who specialize in Nortel switches, systems and networks. For more information, see www.nortelnetworks.com/certification.
  6. IBM Tivoli Software Program: A range of specialties related to the Tivoli Management Environment (TME) and its capabilities for software distribution, management and security. See www-1.ibm.com/certify/certs/tv_index.shtml.
  7. HP Accredited Systems Engineer (ASE) and Master ASE: These offer numerous areas of specialization on server topics from systems management to high availability and clustering to DBMS platforms. See www.hp.com/go/certification.
  8. IBM DB2 Universal Database Certifications: A top IBM platform gets a top-notch specialist certification program to match. See www-1.ibm.com/certify/certs/dm_index.shtml.
  9. SAP Certified Technical Consultant: The leading ERP software vendor offers a rich, interesting and often highly lucrative certification program. See www.sap.com/usa/education/certification/techconsultant.asp.
  10. Microsoft MCSA/MCSE Specializations: Specializations in security and messaging are now available for Windows 2000 and Windows Server 2003. These are definitely worth investigating for those interested in Windows messaging or security work. To learn more, see www.microsoft.com/traincert/mcp/mcsa or www.microsoft.com/traincert/mcp/mcse.

Toughest Recertification Requirements
These days, the majority of credentials come with some kind of expiration date or are tied to specific software or platform releases (which themselves tend to vanish from the workplace after a while, rendering related certifications more or less obsolete). The credentials in this list are ranked as tough because they require one or more of the following:

  1. Novell CDE: Probably the toughest around, with yearly recertification required. Because this means CDEs must retake the practicum exam annually, it’s a toughie!
  2. Red Hat Certifications (RHCE, RHCT): Within one year of new major product releases, certificants must recertify when the release upon which their credential is based goes two revisions back (in other words, as soon as the second major release becomes available).
  3. Cisco Certifications: All Cisco certifications are time-stamped and must be renewed within two or three years. More senior credentials last two years, more junior certifications last three. When a specific recertification exam is not available, certificants must requalify on current exams for that certification.
  4. CISSP: Certification holders must meet continuing professional education (CPE) requirements or retest every three years and pay annual dues to (ISC)2. The exam is fairly expensive, and meeting CPE requirements can cost even more.
  5. GIAC Security Certifications: Candidates must recertify every two years, which means reviewing current online training materials and taking a “refresh exam.”
  6. TruSecure ICSA Computer Security Associate (TICSA): Holders must recertify every two years, which means meeting continuing education requirements at a minimum and which may also mean retesting depending on recertification policies in effect at the time of renewal.
  7. IBM Platform- and Software-Specific Programs
  8. Oracle Programs
  9. Macromedia Programs
  10. Microsoft Programs

Items 7 to 10 are tied to specific software or platform versions, in that recertification is required no later than 12 to 18 months from the date of new software, OS or platform releases (and applies most stringently to partners who must maintain a minimum complement of certified professionals on staff to remain actively enrolled in such programs).

-DaNNy

Wednesday, April 12, 2006

PKI - "Infrastructure; OF the people, BY the people, FOR the IT-Security Companies"

PKI for the “Lame - Scan – People” –

Dudes’

I’m addressing PKI as mentioned (promised) before. I am attempting to start off, without any previous knowledge. I know just as much most people do – Nothing!

PKI goes beyond what most think … Beyond signatures and authentication … Beyond Guarantee of authenticity … This is where my knowledge stopped about PKI …

Damn it … I’ve run out of “Royal Challenge”.

Consider this business case with the two actors:

DaNNy (DaNNy@IBlog.4NoReason)

Middun (Middun.Mohun@IThinkIRock.Not)

Say, Middun received a mail on his mailing address, Middun.Mohun@IThinkIRock.Not from DaNNy@IBlog.4NoReason stating:

Dear Middun,

Kindly give a complete handover to “DKTheNewDumbGuy”, you are hereby transferred to your old department as per your request.

Thanking you and good riddance,

You hard-ass boss,

-DaNNy

Middun complies by moving to his old department.

However, this is where the trouble starts …

1) DaNNy claims that no such mail was sent.

2) Middun has proof that the mail exists in his inbox.

3) DaNNy can prove that NO such mail exists in his “sent items”

4) Eventually DaNNy fucks Middun’s happiness … and DKTheNewDumbGuy loses his job … Because DaNNy had not hired him in the first place.

Now … All this could have been prevented, if only there was PKI

PKI is there to ensure …

Evidence:

A signature authenticates a writing by identifying the signer with the signed document. When the signer makes a mark in a distinctive manner, the writing becomes attributable to the signer.

If DaNNy’s mail to Middun had carried a signature that Middun’s mail client could verify, the spoofed mail could have been identified.

Ceremony:

The act of signing a document calls to the signer's attention the legal significance of the signer's act, and thereby helps prevent "inconsiderate engagements."

DaNNy should have signed his mail … Hence Middun could have told the difference between the fake and the real mail.

Approval:

In certain contexts defined by law or custom, a signature expresses the signer's approval or authorization of the writing, or the signer's intention that it have legal effect.

Middun could have sued DaNNy for his actions … IF THE MAIL WAS DIGITALLY SIGNED …

Efficiency and logistics:

A signature on a written document often imparts a sense of clarity and finality to the transaction and may lessen the subsequent need to inquire beyond the face of a document. Negotiable instruments, for example, rely upon formal requirements, including a signature, for their ability to change hands with ease, rapidity, and minimal interruption.

Middun and DaNNy could have saved the trouble of hustling at each other and the organization would be a secure workplace.

OK … Lots of jargon there … Let’s simplify it …

Authentication:

Authentication is generally the process used to confirm the identity of a person or to prove the integrity of specific information. More specifically, in the case of a message, authentication involves determining its source and providing assurance that the message has not been modified or replaced in transit.

(Effectively means that DaNNy & Middun have to log on to a secure environment to communicate)

Signer authentication:

A signature should indicate who signed a document, message or record, and should be difficult for another person to produce without authorization.

(Which means a signature should be hard for anyone else to forge)

Document authentication:

A signature should identify what is signed, making it impracticable to falsify or alter either the signed matter or the signature without detection.

(Middun should have demanded an authenticated document from DaNNy)

According to PKI Law (http://www.pkilaw.com):

Legally speaking, these requirements should have been satisfied in this case:

Affirmative act:

The affixing of the signature should be an affirmative act which serves the ceremonial and approval functions of a signature and establishes the sense of having legally consummated a transaction.

Efficiency:

Optimally, a signature and its creation and verification processes should provide the greatest possible assurance of both signer authenticity and document authenticity, with the least possible expenditure of resources.

COOL STUFF DUDE … BUT … HOW DOES THIS WORK??

Let us now understand how Digital Signature Technology actually Works …

Digital signatures are created and verified by cryptography, the branch of applied mathematics that concerns itself with transforming messages into seemingly unintelligible forms and back again. (This is really interesting)

Digital signatures use what is known as "public key cryptography", which employs an algorithm using two different but mathematically related "keys"; one for creating a digital signature or transforming data into a seemingly unintelligible form, and another key for verifying a digital signature or returning the message to its original form.

Computer equipment and software utilizing two such keys are often collectively termed an "asymmetric cryptosystem".

The complementary keys of an asymmetric cryptosystem for digital signatures are arbitrarily termed the private key, which is known only to the signer and used to create the digital signature, and the public key, which is ordinarily more widely known and is used by a relying party to verify the digital signature.

If many people need to verify the signer's digital signatures, the public key must be available or distributed to all of them, perhaps by publication in an on-line repository or directory where it is easily accessible. Although the keys of the pair are mathematically related, if the asymmetric cryptosystem has been designed and implemented securely it is "computationally infeasible to derive the private key from knowledge of the public key. Thus, although many people may know the public key of a given signer and use it to verify that signer's signatures, they cannot discover that signer's private key and use it to forge digital signatures."

This is sometimes referred to as the principle of "irreversibility."

Another fundamental process, termed a "hash function", is used in both creating and verifying a digital signature. A hash function is an algorithm which creates a digital representation or "fingerprint" in the form of a "hash value" or "hash result" of a standard length which is usually much smaller than the message but nevertheless substantially unique to it.

Any change to the message invariably produces a different hash result when the same hash function is used. In the case of a secure hash function, sometimes termed a "one-way hash function," it is computationally infeasible to derive the original message from knowledge of its hash value.

Hash functions therefore enable the software for creating digital signatures to operate on smaller and predictable amounts of data, while still providing robust evidentiary correlation to the original message content, thereby efficiently providing assurance that there has been no modification of the message since it was digitally signed.

Thus, use of digital signatures usually involves two processes, one performed by the signer and the other by the receiver of the digital signature:

Digital signature creation … uses a hash result derived from and unique to both the signed message and a given private key. For the hash result to be secure, there must be only a negligible possibility that the same digital signature could be created by the combination of any other message or private key.

Digital signature verification … is the process of checking the digital signature by reference to the original message and a given public key, thereby determining whether the digital signature was created for that same message using the private key that corresponds to the referenced public key.

Verification of a digital signature is accomplished by computing a new hash result of the original message by means of the same hash function used to create the digital signature.

Then … using the public key and the new hash result … the verifier checks …

(1) Whether the digital signature was created using the corresponding private key; and

(2) Whether the newly computed hash result matches the original hash result which was transformed into the digital signature during the signing process.

The verification software will confirm the digital signature as "verified" if …

(1) The signer's private key was used to digitally sign the message, … which is known to be the case if the signer's public key was used to verify the signature because the signer's public key will verify only a digital signature created with the signer's private key; and

(2) The message was unaltered, … which is known to be the case if the hash result computed by the verifier is identical to the hash result extracted from the digital signature during the verification process.

Various asymmetric cryptosystems create and verify digital signatures using different algorithms and procedures, but share this overall operational pattern.

As discussed above, the immediate legal effect of these processes is …

The processes of creating a digital signature and verifying it accomplish the essential effects desired of a signature for many legal purposes:

Signer authentication:

If a public and private key pair is associated with an identified signer, the digital signature attributes the message to the signer. The digital signature cannot be forged, unless the signer loses control of the private key (a "compromise" of the private key), such as by divulging it or losing the media or device in which it is contained.

Message authentication:

The digital signature also identifies the signed message, typically with far greater certainty and precision than paper signatures. Verification reveals any tampering, since the comparison of the hash results (one made at signing and the other made at verifying) shows whether the message is the same as when signed.

Affirmative act:

Creating a digital signature requires the signer to use the signer's private key. This act can perform the "ceremonial" function of alerting the signer to the fact that the signer is consummating a transaction with legal consequences.

Efficiency:

The processes of creating and verifying a digital signature provide a high level of assurance that the digital signature is genuinely the signer's. As with the case of modern electronic data interchange ("EDI") the creation and verification processes are capable of complete automation (sometimes referred to as "machinable"), with human interaction required on an exception basis only.

Compared to paper methods such as checking specimen signature cards -- methods so tedious and labor-intensive that they are rarely actually used in practice -- digital signatures yield a high degree of assurance without adding greatly to the resources required for processing.

The processes used for digital signatures have undergone thorough technological peer review for over a decade. Digital signatures have been accepted in several national and international standards developed in cooperation with and accepted by many corporations, banks, and government agencies. The likelihood of malfunction or a security problem in a digital signature cryptosystem designed and implemented as prescribed in the industry standards is extremely remote, and is far less than the risk of undetected forgery or alteration on paper or of using other less secure electronic signature techniques.

-DaNNy

Sources:

The Open-source PKI Book ( THIS IS A MUST READ & DOWNLOAD)

PKI Law (http://www.pkilaw.com)

American BAR ;) Association (http://www.abanet.org/scitech/ec/isc/footnotes.html)

The PKI-Page (www.pki-page.org/)

NIST PKI Program (www.csrc.nist.gov/pki/)

Wikipedia (www.en.wikipedia.org/wiki/PKI)


Tuesday, April 11, 2006

Internet "Ass"plorer Vulnerabilities - SANS Top 20

To all the readers,

Folks ... I really have to apologize for all the spelling mistakes and language that will be in today’s write-up.

Have you people heard of "Royal Challenge"? It’s a really nice (Indian) whisky.

Before we start I would like you to read the fine print up on the main blog page. That will tell you how much of a fan I am of this product.

BTW ... I'm doing something called "Patch Management" ... Really bad job ... I know a few guys who did this for almost a year and think they are the dudes... “The Security dudes”.

You don't have to know the MS KB numbers by heart. You must have an understanding of the security hole instead. According to one of my seniors, "This will be a good learning experience for you".

OK ... Back to work (and Royal Challenge)

According to the assholes at SANS "Microsoft Internet Explorer is the most popular browser used for web surfing".

Don't believe me? Check this out (http://www.sans.org/top20/#w2)

As some people would say "Yeah! Right!!! 'Dusht'"

Let us start with a quote from SANS:

Microsoft Internet Explorer is the most popular browser used for web surfing and is installed by default on each Windows system. Internet Explorer contains multiple vulnerabilities that can lead to memory corruption, spoofing and execution of arbitrary scripts. The most critical issues are the ones that lead to remote code execution without any user interaction when a user visits a malicious webpage or reads an email. Exploit code for many of the critical Internet Explorer flaws is publicly available.

These flaws have been widely exploited to install spyware, adware and other malware on users' systems. The spoofing flaws have been leveraged to conduct phishing attacks. In many cases, the vulnerabilities were 0-days i.e. no patch was available at the time the vulnerabilities were publicly disclosed.

During the past year Microsoft has released multiple updates for Internet Explorer.

1. Cumulative Security Update for Internet Explorer (MS05-052)

2. Cumulative Security Update for Internet Explorer (MS05-038)

3. JView Profile Remote Code Execution (MS05-037)

4. Cumulative Security Update for Internet Explorer (MS05-025)

5. Cumulative Security Update for Internet Explorer (MS05-020)

6. Cumulative Security Update for Internet Explorer (MS05-014)

7. Windows Shell Remote Code Execution (MS05-008)

8. Cumulative Security Update for Internet Explorer (MS04-040)

9. Cumulative Security Update for Internet Explorer (MS04-038)

10. Cumulative Security Update for Internet Explorer (MS04-025)

Note that the latest cumulative update for Internet Explorer includes all the previous cumulative updates.

Source: SANS Top 20

Here are some patches I feel are important … However understand the vulnerability … Don't just patch because it’s a Tuesday and Microsoft said so … … …

Some vulnerabilities have been discovered in Internet Explorer, which can be exploited by malicious people to compromise a user's system, conduct cross-site/zone scripting and bypass a security feature in Microsoft Windows XP SP2.


1) Insufficient validation of drag and drop events from the "Internet" zone to local resources for valid images or media files with embedded HTML code. This can be exploited by e.g. a malicious web site to plant arbitrary HTML documents on a user's system, which may allow execution of arbitrary script code in the "Local Computer" zone.

This vulnerability is a variant of SA12321

NOTE: Microsoft Windows XP SP2 does not allow Active Scripting in the "Local Computer" zone.

2) A security site / zone restriction error, where an embedded HTML Help control on e.g. a malicious web site references a specially crafted index (.hhk) file, can execute local HTML documents or inject arbitrary script code in the context of a previously loaded document using a malicious javascript URI handler.

Successful exploitation may allow execution of arbitrary HTML and script code in a user's browser session in the context of arbitrary sites, or execution of local programs with parameters from the "Local Computer" zone using an HTML Help shortcut.

NOTE: This will bypass the "Local Computer" zone lockdown security feature in SP2.

3) A security site / zone restriction error in the handling of the "Related Topics" command in an embedded HTML Help control can be exploited by e.g. a malicious website to execute arbitrary script code in the context of arbitrary sites or zones.

MS05-052

This update resolves a newly-discovered public vulnerability and other privately-reported variations of the same vulnerability. The Microsoft DDS Library Shape Control (Msdds.dll) and other COM objects could, when instantiated in Internet Explorer, allow an attacker to take complete control of an affected system. Because these COM objects were not designed to be instantiated in Internet Explorer, this update sets the kill bit for the affected Class Identifiers (CLSID) in these COM objects. The vulnerability is documented in the “Vulnerability Details” section of this bulletin.

If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

What causes the vulnerability?

When Internet Explorer tries to instantiate certain COM objects as ActiveX controls, the COM objects may corrupt system memory in such a way that an attacker could execute arbitrary code.

What might an attacker use the vulnerability to do?

An attacker who successfully exploited this vulnerability could take complete control of the affected system. In a Web-based attack scenario, an attacker would host a Web site that exploits this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site. It could also be possible to display malicious Web content by using banner advertisements or by using other methods to deliver Web content to affected systems.

How could an attacker exploit the vulnerability?

An attacker could host a malicious Web site that is designed to exploit this vulnerability through Internet Explorer and then persuade a user to view the Web site.

MS05-038

Packages for this security update that were located on the Microsoft Download Center have been updated as the initial packages were corrupt, causing some Systems Management Server (SMS) and Internet Explorer installation failures. New packages are now available and Microsoft encourages users to re-download the packages from the links below and re-apply. Updates downloaded from Automatic Update, Windows Update, Microsoft Update and Windows Server Update Services (WSUS), were not affected by this issue.

This update resolves several newly-discovered, publicly and privately reported vulnerabilities. Each vulnerability is documented in this bulletin in its own “Vulnerability Details” section of this bulletin.

If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Does this update contain any security-related changes to functionality?
Yes. Besides the changes that are listed in the “Vulnerability Details” section of this bulletin and in addition to changes introduced in previous Internet Explorer security bulletins, this update introduces a change to disable the use of arbitrary system monikers in OBJECT tags in Internet Explorer as a defense in depth improvement. For more information about monikers, see the product documentation. This update also changes the behavior of the Favorites control in Internet Explorer as a defense in depth improvement. After you apply this security update, the Favorites control can only be used as intended and only be called from certain Internet Explorer dialog boxes.

To help protect customers who have these objects installed, this update prevents older versions of these objects from running in Internet Explorer. It does this by setting the kill bit for the older versions of these objects that are no longer supported. For more information about kill bits, see Microsoft Knowledge Base Article 240797.

This update also sets the kill bit for the COM objects listed under 'What does the update do?' in the Vulnerability Details section. For more information, see the ‘COM Object Instantiation Memory Corruption Vulnerability - CAN-2005-1990’ in the vulnerability details section in this bulletin.

Does this update contain any other changes to functionality?

Yes. This update also includes non-security-related changes that were introduced in previous Internet Explorer security bulletins.

MS05-037

This update resolves a newly-discovered, public vulnerability. A COM object, the JView Profiler (Javaprxy.dll), when instantiated in Internet Explorer, contains a remote code execution vulnerability that could allow an attacker to take complete control of an affected system. Since the JView Profiler COM object was not designed to be accessed through Internet Explorer, this update sets the kill bit for the JView Profiler (Javaprxy.dll) COM object. The vulnerability is documented in the “Vulnerability Details” section of this bulletin.

If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

How does the extended support for Windows 98, Windows 98 Second Edition, and Windows Millennium Edition affect the release of security updates for these operating systems?
Microsoft will only release security updates for critical security issues. Non-critical security issues are not offered during this support period.

MS05-025

This update resolves two newly-discovered, publicly and privately reported vulnerabilities. Each vulnerability is documented in this bulletin in its own “Vulnerability Details” section of this bulletin.

If a user is logged on with administrative user rights, an attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Why does this update address several reported security vulnerabilities?
This update contains support for several vulnerabilities because the modifications that are required to address these issues are located in related files. Instead of having to install several updates that are almost the same, customers can install only this update.


ActiveX Controls are the "Main cause of sorrow ..." This is how to stop an ActiveX control from running in Internet Explorer:

1. Determine the CLSID for the ActiveX control that you want to disable. If you are not sure of the CLSID for the control, contact the manufacturer. If the control is installed, you may be able to determine its CLSID if you know its friendly name. To do this, examine the Default string value for the ProgID key for each of the CLSID keys in HKEY_CLASSES_ROOT\CLSID. You may have to remove as many ActiveX controls as possible, except for the one that you want to disable, to make it easier to identify the appropriate CLSID. For more information about how to remove ActiveX controls, click the following article number to view the article in the Microsoft Knowledge Base: 154850

2. Use Registry Editor to view the data value of the Compatibility Flags DWORD value of the ActiveX object CLSID in the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\<CLSID of the ActiveX control>

where <CLSID of the ActiveX control> is the class identifier of the appropriate ActiveX control.

3. Change the value of the Compatibility Flags DWORD value to 0x00000400.

Microsoft Internet Explorer Drag and Drop Vulnerability

http-equiv has discovered a vulnerability in Microsoft Internet Explorer, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to insufficient validation of drag and drop events issued from the "Internet" zone to local resources. This can be exploited by a malicious website to e.g. plant an arbitrary executable file in a user's startup folder, which will get executed the next time Windows starts up.

http-equiv has posted a PoC (Proof of Concept), which plants a program in the startup directory when a user drags a program masqueraded as an image.

This vulnerability is a variant of an issue discovered by Liu Die Yu. SA9711

The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP1/SP2.

NOTE: The vulnerability is actively being exploited in the wild.

Source: Secunia

“Sweet Heart some ice please … Hyderabad is crazy hot”


OK!! Let’s exploit the fucker

OK … Enough of those dumb patches …

So, 8 pegs high on MSIE … & I feel like hacking …

This is my attempt to replicate an exploit for MSIE:

If you don’t understand XML and HTML … I really cannot help you here. Talking about RPCs in the last post: “Do you know that there is an XML-RPC too?”

All "createPopup" does is create a (featureless) window containing an empty HTML document. This does not pose a threat by itself, but later on that document has HTML injected into it (using innerHTML), which is the actual problem.

For example, the following code will work just the same:




(Note: innerHTML is not the only property used to dynamically insert HTML into an element; it is also possible to use outerHTML, insertAdjacentHTML and more to gain the same results.)

Discussion:

So now that we identified the origin of the problem we can search for ways to dynamically insert HTML without using any Active Scripting at all. It will then become possible to use this vulnerability in more "protected" environments, such as Microsoft Outlook or Internet Explorer with Active Scripting and ActiveX disabled.

One of the exciting features that came along in IE4 was Data Binding; it enables developers to completely separate any application data from the presentation layer. The data sources (DSO) for Data Binding can be almost anything, CSV files (with TDC), HTML, XML and many more. Data Binding binds HTML elements (data consumers) such as div or span to the DSO without need for a single line of script code.

We found out that when the "dataFormatAs" attribute is set to "HTML" on the consumer, Data Binding internally uses innerHTML in order to insert the data into the element (otherwise innerText is used).

So all we need to do now is supply a DSO that contains the offending element, the rest will be done for us by the Data Binding engine, no scripting needed.

Exploit:

In the following example we're using an XML data-island as our DSO and a span element as the data consumer. Using XML is especially comfortable because it can be embedded within the document, without need for external requests that may be stopped by the host application.




Solution:

There is no configuration-tweaking workaround for this vulnerability, it will work as long as the browser parses HTML. The only possible solution must come in the form of a patch from Microsoft.

Update - 3 Mar 2002

Since the injected HTML runs in the "My Computer" Zone, changing the Internet Zone's settings couldn't affect it, but changing the affected zone's settings will prevent this exploit from running.

Here is the registry information:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
Change the value of "1004" (DWORD) to 3.
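Both of the registry hardening settings on this page, the ActiveX kill bit from the "how to stop an ActiveX control" steps above and the Zones\0 value "1004" = 3 just described, can be checked from an exported .reg file rather than by eyeballing Registry Editor. The following audit script is an added example, not from the post, Microsoft or GreyMagic; it parses a constructed .reg fragment and reports whether the kill bit (Compatibility Flags bit 0x00000400) is set for a list of CLSIDs and whether the zone value is 3. The CLSIDs in the sample are placeholders, not identifiers of real controls, and the function names are mine.

```python
# Added example (not from the post or Microsoft): audit a registry export in
# .reg format for the two settings the post describes, the ActiveX kill bit
# (Compatibility Flags bit 0x400 under "ActiveX Compatibility\{CLSID}") and
# value "1004" = 3 in the Local Computer zone (Zones\0). The CLSIDs and the
# export below are constructed placeholders, not identifiers of real controls.
import re

KILL_BIT = 0x00000400   # the Compatibility Flags bit the post says to set

ACTIVEX_COMPAT_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
                      r"\ActiveX Compatibility")
LOCAL_ZONE_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
                  r"\Internet Settings\Zones\0")

KEY_LINE = re.compile(r"^\[(.+)\]$")
DWORD_LINE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9A-Fa-f]{8})$')


def parse_reg(text):
    """Parse a .reg export into {key path: {value name: int}}. Only DWORD
    values are kept; other value types are irrelevant to this audit."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_LINE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = DWORD_LINE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = int(m.group("hex"), 16)
    return keys


def kill_bit_status(keys, clsids):
    """For each CLSID, report whether its kill bit is set. This is a bit test,
    not an equality test, so other flags in the same DWORD cannot hide it;
    a CLSID with no entry at all counts as not killed."""
    status = {}
    for clsid in clsids:
        values = keys.get(ACTIVEX_COMPAT_KEY + "\\" + clsid, {})
        status[clsid] = bool(values.get("Compatibility Flags", 0) & KILL_BIT)
    return status


def local_zone_1004_is_3(keys):
    """True when value "1004" in zone 0 (the "My Computer" zone) is 3."""
    return keys.get(LOCAL_ZONE_KEY, {}).get("1004") == 3


# Constructed sample export: one control killed, one not, one with no entry.
CLSID_KILLED = "{00000000-0000-0000-0000-000000000001}"
CLSID_OPEN = "{00000000-0000-0000-0000-000000000002}"
CLSID_MISSING = "{00000000-0000-0000-0000-000000000003}"

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000002}]
"Compatibility Flags"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1004"=dword:00000003
"""


def audit(text=SAMPLE_REG):
    """Run both checks over an export and return the findings."""
    keys = parse_reg(text)
    return {
        "kill_bits": kill_bit_status(keys, [CLSID_KILLED, CLSID_OPEN, CLSID_MISSING]),
        "local_zone_1004_is_3": local_zone_1004_is_3(keys),
    }


if __name__ == "__main__":
    findings = audit()
    for clsid, killed in findings["kill_bits"].items():
        print(f"{clsid}: kill bit {'set' if killed else 'NOT set'}")
    print("Zones\\0 value 1004 == 3:", findings["local_zone_1004_is_3"])
```

On a real machine you would feed `audit()` the output of `reg export` for those two keys instead of the constructed sample; the bit test matters because a control whose Compatibility Flags DWORD carries other bits alongside 0x400 is still killed, and a plain equality check against 0x400 would report it as not.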

This should work on:

(I really cannot guarantee this … Ensure that patches are not installed)

IE5.5 Win98.

IE5.5 NT4.

IE6 Win2000.

IE6 WinXP.

An online demo of calc.exe can be found here and an advanced demonstration here.

Will someone please listen to me?

I sincerely feel that MSIE should not be used in IT companies. IT companies would be primary targets for hackers. Why use MSIE when we have awesome browsers like Firefox?

Almost a bottle down … I love you Firefox

This is my evaluation: MSIE v/s Mozilla Firefox

Let me investigate on Google:

Domain Names

Firefox - firefox.com

Some kind soul donated the domain to the Mozilla Foundation.

At least they own their own domain name.

Internet Explorer

internetexplorer.com Microsoft doesn't even own this one.

It's one of those generic search portals masquerading as an IE site.

Advantage - Firefox

Google Fights

Why does Internet Explorer crash all the time? - 2.57 million results

Vs.

Why does Firefox crash all the time? - 218,000 results

Next...

Internet Explorer - 22.8 million results

Vs.

Firefox - 23 million results

That one is definitely a surprise.

Next...

Internet Explorer will help me get laid - 1.34 million results

Vs.

Firefox will help me get laid - 75,700 results

A much better chance of getting lucky with IE.

Next...

Internet Explorer came with my computer - 6.9 million results

Vs.

Firefox came with my computer - 659,000 results

Tie breaker...

Internet Explorer is the best browser ever - 2,110,000 results

Vs.

Firefox is the best browser ever - 474,000 results

Advantage: Internet Explorer

Coin Flip - Best of 7

The coin flip was conducted using a 2000 Sacajawea dollar.

Internet Explorer - Heads

Firefox - Tails

Results: H-T-T-T-T-H-T

Advantage - Firefox

Stereotypical User

Internet Explorer - Brain dead newbie. Loves pop-ups, viruses, and spyware. Just wants to "surf the Internet and check my email." Oblivious to alternative lifestyles. Seeks help from "computer smart" nephew.

Firefox - Proselytizing ubergeek. Loves freedom, choice, and tabbed browsing. Just wants to "improve mankind with Open Source Software." Oblivious to market forces and the power of money. Seeks other geeks to join in on the evangelism.

Both are equally annoying.

Advantage - Even

Conclusions

It was a close battle, but Firefox edges out a victory against Internet Explorer by a score of 3-2 with 1 tie and wins our Technical Award of Excellence.

Some really cool links that helped all night:


“Least Vulnerability (6th April '06) … London Free Press”

http://lfpress.ca/newsstand/Business/2006/04/06/1522144-sun.html


What are other people saying about Internet Explorer?

http://browsehappy.com/why/



Some magazine called "Forbes"; they had something to say about MSIE v/s Mozilla Firefox.

http://www.forbes.com/home/ebusiness/2004/10/04/cx_pp_1004mondaymatchup.html



Serious Internet Vulnerabilities and EXPLOITS:

This site is like never before...

http://www.hnc3k.com/ievulnerabil.htm


What does the almighty US govt say?

http://www.us-cert.gov/cas/techalerts/TA05-221A.html



Shocking revelation ... Almost dropped my glass here.

http://secunia.com/advisories/12889/?show_all_related=1#related

A small search query at secunia.com gave me 99 vulnerabilities. Dude ... We'll investigate these later, sometime ... However I must warn you ... Some of them are really critical.



Also see …

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2127

0-Day Exploits of MSIE

http://www.eweek.com/article2/0,1759,1891749,00.asp?kc=EWRSS03119TX1K0000594

Mozilla Vulnerabilities … No one is perfect …

http://secunia.com/product/4227/



Good Night folks … You should be sleeping now … I have a night-shift … Not you !!!

I’m seriously looking for feedback … Kindly help me there …

Cheers and greets fly out to my pals DK & Mithun Mohan.

Love and God bless!!!

-DaNNy

