digital signatures and certificates, [split] from Hotfix for 8.0.0.357!
saso
post 16.05.2008 14:14
Post #1
Group: Gold beta testers

QUOTE (Julian @ 15.05.2008 20:11)
Hopefully we don't have whitelists for real malware (e.g. from big brother)


Another similar question... in several places we have the notice to automatically trust signed executables, but how are the certificates for the signing controlled? I don't think it would be impossible for a malware author/group to get a certificate to sign their files; will KIS/KAV automatically set it as trusted?!


Baz^^
post 16.05.2008 14:19
Post #2
Group: Gold beta testers

I was thinking about this too..... Recently I saw a blog post about malware posing as Flash Player, signed as "Jeanette K Murphy"... the digital signature seemed to be valid, so would this file be able to run without any hindrance whatsoever?


--------------------
Kind Regards,

Baz
Lucian Bara
post 16.05.2008 14:20
Post #3
Group: Gold beta testers

QUOTE
Another similar question... in several places we have the notice to automatically trust signed executables, but how are the certificates for the signing controlled? I don't think it would be impossible for a malware author/group to get a certificate to sign their files; will KIS/KAV automatically set it as trusted?!

- there's a blacklist of digital signatures;
- if the signature is not valid (fake) it's ignored;
- if the analysis finds malware inside (even heuristically) it's untrusted regardless of certificate.
saso
post 16.05.2008 14:36
Post #4
Group: Gold beta testers

QUOTE (Lucian Bara @ 16.05.2008 12:20)
- there's a blacklist of digital signatures;
- if the signature is not valid (fake) it's ignored;
- if the analysis finds malware inside (even heuristically) it's untrusted regardless of certificate.


- Of course all certificates can be revoked (blacklisted) or signatures can be added for the detection etc., but all this happens after the attack. Use of file signing checking, however, is here sort of used as a proactive defense (and when done correctly can also be a very good one).
- Fake/invalidly signed files or certificates are not really the issue here; it is about valid certificates that would be used to sign malware.
- Standard AV signature/heuristics detection, yes... however HIPS application control is used as another level of protection above these two, so again signatures and heuristics are not really the issue here, since "the test case" for the effectiveness of the system should be a malware sample that was modified to evade the basic signatures and heuristics. Also to note here is that several of the trusted signed executables have a high danger index by the HIPS internal heuristics.

I don't know how the signature checking mechanism is working (that is why I am questioning it here), but I am afraid that it is working wrong. IMO it should not trust all signed applications but only those signed by known trusted certificates (a whitelist of certificates from Microsoft, Kaspersky, Adobe,... should be used for this).

This post has been edited by saso: 16.05.2008 14:43


norwegian
post 16.05.2008 14:45
Post #5
Group: Members

Without committing to the "+1", we shouldn't be blacklisting certs without at least allowing or having specific whitelisted ones. Then this is a question, as I don't fully understand how you have set this up, but the implications of this have been a concern for most of my testing.

Speculative thinking here: what is to say the program can make these decisions? I realise you are aiming at that and using a third party to help with that line of approach, but there are still many holes, as it is still young, that you have not filled, and malware writers will find them. Saso's comments only highlight this for one section.

This post has been edited by norwegian: 16.05.2008 14:47


--------------------
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke
Bayard
post 16.05.2008 14:52
Post #6
Group: Members

QUOTE (saso @ 16.05.2008 12:36)
- Of course all certificates can be revoked (blacklisted) or signatures can be added for the detection etc., but all this happens after the attack. Use of file signing checking, however, is here sort of used as a proactive defense (and when done correctly can also be a very good one).
- Fake/invalidly signed files or certificates are not really the issue here; it is about valid certificates that would be used to sign malware.
- Standard AV signature/heuristics detection, yes... however HIPS application control is used as another level of protection above these two, so again signatures and heuristics are not really the issue here, since "the test case" for the effectiveness of the system should be a malware sample that was modified to evade the basic signatures and heuristics. Also to note here is that several of the trusted signed executables have a high danger index by the HIPS internal heuristics.

I don't know how the signature checking mechanism is working (that is why I am questioning it here), but I am afraid that it is working wrong. IMO it should not trust all signed applications but only those signed by known trusted certificates (a whitelist of certificates from Microsoft, Kaspersky, Adobe,... should be used for this).


Hello saso,

I agree with you 100 %.
I also wanted to show my point of view, but you do it better than me. I am not a specialist.
I am impatient to know KLab's arguments.


--------------------
KIS 12.0.0.374 (a.b.) + Windows 7 Ultimate-64 bits
Lucian Bara
post 16.05.2008 14:53
Post #7
Group: Gold beta testers

QUOTE
I don't know how the signature checking mechanism is working (that is why I am questioning it here), but I am afraid that it is working wrong. IMO it should not trust all signed applications but only those signed by known trusted certificates (a whitelist of certificates from Microsoft, Kaspersky, Adobe,... should be used for this).

I agree with that and asked... the answer was that most of the time the certificates will be good ones, so blacklisting will require less effort (and fewer headaches for users whose applications would be restricted...).

This post has been edited by Lucian Bara: 16.05.2008 14:54
norwegian
post 16.05.2008 14:59
Post #8
Group: Members

So how often does a certified program have an exploit? Quite a few times. So my question also is: once something that has been allowed is exploited, how will it then be noted that a change has happened that would cause compromise? Simply because malware follows trends? Which has been allowed for in heuristics/HIPS etc.? Just curious.


--------------------
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke
saso
post 16.05.2008 15:14
Post #9
Group: Gold beta testers

QUOTE (Lucian Bara @ 16.05.2008 12:53)
I agree with that and asked... the answer was that most of the time the certificates will be good ones, so blacklisting will require less effort (and fewer headaches for users whose applications would be restricted...).


On one side, I fully understand the decision made by KL and could even sort of support it... however, on the other side, I know that personally I would strongly prefer the whitelisting approach. Here are a few thoughts to think about:

- File signing is one of those systems that theoretically allow for 100% system protection.
- Whitelisting is also one of those systems that theoretically allow for 100% system protection, since it allows you to have full control over the situation (only known good friends are allowed to the party). In fact, file signing is one way of whitelisting.
- Blacklisting allows you to only block known unwanted items, so there is always a large number of "unknowns", similar to what we have with standard signature detection.

This system could (should?!) be a step above standard signature detection, but with the blacklisting approach I see it no differently, and so I question if it is really needed. OK, when I rethink again I see that it is used, but only to help users add their applications to the list more automatically. IMO, this system has a lot more power and unfortunately it is not used here.

This post has been edited by saso: 16.05.2008 15:18


Lucian Bara
post 16.05.2008 15:18
Post #10
Group: Gold beta testers

I agree with the whole whitelisting approach, or at least a popup when a signed application not known to the online database has a high threat level (75% for e.g.): "application is digitally signed but smells fishy, do you want to continue execution...."

Unfortunately at this time good apps with digital signatures >> bad apps with digital signatures, especially when you think that they come in variants (you can have 1000 Zlob installers with the same digital signature, for example). Who knows, maybe in time.
saso
post 16.05.2008 15:24
Post #11
Group: Gold beta testers

QUOTE (Lucian Bara @ 16.05.2008 13:18)
Unfortunately at this time good apps with digital signatures >> bad apps with digital signatures, especially when you think that they come in variants (you can have 1000 Zlob installers with the same digital signature, for example). Who knows, maybe in time.


Indeed the situation at the moment is not really hot about this; however, what do you think is simpler: to have whitelisting and a list of maybe just 100 known valid safe certificates (IMO as few as 100 known good certificates could cover a lot/most of user applications), or blocking (adding to the blacklist) potentially thousands of certificates used by something like Zlob once they find out that it works and that they are able to somehow get them?

This post has been edited by saso: 16.05.2008 15:26


Lucian Bara
post 16.05.2008 15:39
Post #12
Group: Gold beta testers

That's actually the thing: there are more than 100 good certificates; a lot of software developers are starting to sign their programs.
claudiu
post 16.05.2008 16:59
Post #13
Group: Gold beta testers

An interesting article about digital signatures (hacking): http://mindprod.com/jgloss/digitalsignatures.html
Lucian Bara
post 16.05.2008 17:12
Post #14
Group: Gold beta testers

And your point is....? That's not something you can do with your random exe file (or a way to use it to bypass KIS).
claudiu
post 16.05.2008 17:20
Post #15
Group: Gold beta testers

As appears in the article: "The big problem with a digital signature is someone can steal a copy of your private key, and you would never know it".
So someone can obtain the SC, put some malware in that file and sign it.
Lucian Bara
post 16.05.2008 17:23
Post #16
Group: Gold beta testers

A private key is something else; it refers to the PGP key, for example, or the key in a Java applet, not to the certificate of an application.

QUOTE
So someone can obtain the SC, put some malware in that file and sign it.

Yeah right, there are dozens of malware with the Microsoft signature running around, they are in the wild!
claudiu
post 16.05.2008 17:51
Post #17
Group: Gold beta testers

It's about Java applets, as appears in the article: "When an Applet is created, the vendor creates a secret key SV and a public key PV". What about it?
Lucian Bara
post 16.05.2008 17:53
Post #18
Group: Gold beta testers

What... does it have to do with KIS and certificates in EXE files? Java applets do not fall under Kaspersky's HIPS grouping etc.
saso
post 16.05.2008 19:15
Post #19
Group: Gold beta testers

File signing actually works on the same basic asymmetric cryptography principles as PGP. The certificate is actually more or less the same as a private and public key that enables you to sign your files (with the private key) and enables others to verify the signature (with the public key). File signing certificates, however, are normally produced and so also signed by an authorized party (for example someone like VeriSign).

I would wish that stealing certificates (private keys) would not be an issue, that companies, especially the big ones, would know how to protect them, but unfortunately it has happened before that bad applications were signed with a Microsoft certificate.

But yes, we have probably gone a bit too far off topic here... However IMO several good and important points have been made in this discussion that could be re-evaluated by developers for the future...

This post has been edited by saso: 16.05.2008 19:21


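A toy model of what saso describes in the post above (private key signs, public key verifies, a CA signs the certificate) and of the two policies argued over earlier in the thread (Lucian's blacklist versus saso's whitelist of trusted signers). This is an added example, not code from the forum or from Kaspersky; the RSA keys are built from fixed Mersenne primes for illustration only, and the signer name, CA and "file" are constructed.

```python
import hashlib

# Toy RSA on fixed Mersenne primes: illustration only, NOT a secure key setup.
def rsa_keypair(p, q, e=65537):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # modular inverse, needs Python 3.8+
    return (n, e), (n, d)               # (public key, private key)

def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(priv, data):
    n, d = priv
    return pow(digest(data), d, n)      # signer uses the private key

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == digest(data)   # anyone can check with the public key

def _tbs(subject, pub):                 # the "to be signed" part of a certificate
    return f"{subject}|{pub[0]}|{pub[1]}".encode()

def issue_cert(ca_priv, subject, pub):
    """A minimal certificate: subject name + public key, signed by the CA."""
    return {"subject": subject, "pub": pub, "ca_sig": sign(ca_priv, _tbs(subject, pub))}

def cert_valid(ca_pub, cert):
    return verify(ca_pub, _tbs(cert["subject"], cert["pub"]), cert["ca_sig"])

def classify(ca_pub, cert, file_bytes, sig, blacklist, whitelist=None):
    """Trust decision: blacklist policy when whitelist is None, whitelist policy otherwise."""
    if not cert_valid(ca_pub, cert) or not verify(cert["pub"], file_bytes, sig):
        return "unsigned"       # fake/invalid signature is ignored: treated as unsigned
    if cert["subject"] in blacklist:
        return "untrusted"      # signer is on the known-bad list
    if whitelist is None:
        return "trusted"        # blacklist policy: any other valid signature is trusted
    return "trusted" if cert["subject"] in whitelist else "unknown"

# Constructed demo data: a CA, one vendor certificate and one signed "file".
CA_PUB, CA_PRIV = rsa_keypair(2**89 - 1, 2**607 - 1)
VENDOR_PUB, VENDOR_PRIV = rsa_keypair(2**127 - 1, 2**521 - 1)
VENDOR_CERT = issue_cert(CA_PRIV, "Unknown Signer Ltd", VENDOR_PUB)   # constructed name
FILE = b"constructed sample executable bytes"
SIG = sign(VENDOR_PRIV, FILE)

if __name__ == "__main__":
    print(classify(CA_PUB, VENDOR_CERT, FILE, SIG, blacklist=set()))                      # trusted
    print(classify(CA_PUB, VENDOR_CERT, FILE, SIG, set(), {"Microsoft", "Kaspersky"}))    # unknown
```

The same validly signed file is "trusted" under the blacklist policy and only "unknown" under the whitelist policy, which is exactly the gap the thread is about; a certificate whose subject is edited to a whitelisted name fails the CA check and is treated as unsigned.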
claudiu
post 16.05.2008 19:49
Post #20
Group: Gold beta testers

Lucian, the file signing works in the same manner (from Comodo Code Signing CA):
http://www.instantssl.com/code-signing/

This post has been edited by Lucian Bara: 16.05.2008 20:27