
How to verify program authenticity?


#1 smak451

Posted 22 October 2010 - 10:18 PM

Hey guys -- Wow, nice looking new interface! How does one verify a program download is intact and hasn't been tampered with? Is it safe to rely on the certs (I know there's a tutorial on certificates), but for example when downloading NMAP they state "It often pays to be paranoid about the integrity of files downloaded from the Internet. Popular packages...[and] software distribution sites at the Free Software Foundation, Debian and Sourceforge have been successfully compromised..."

From what I've gathered here you can compare hashes (SHA2,SHA1, MD5, etc) but how? They go on to say that even these downloads can be tampered with in real time (albeit with a lot of experience), and one should use the PGP signatures (s/he recommends a link to GNU Privacy Guard to do this but it was broken). Can anyone explain or refer me to reference materials to learn how to do this? Especially when the NMAP page shows up "IP Unverified" by Prevx. I found a program called MD5Summer which I think is geared to this, but not sure how it works (or any of these programs for the record). Thanks!


#2 Didier Stevens

Posted 23 October 2010 - 09:44 AM

From your mention of MD5Summer, I gather you're looking for Windows advice.

When you download a Windows program, you can always check if the program is digitally signed (AuthentiCode signature) and if this signature is valid. To do this, right-click on the file in Windows Explorer and select Properties. If the program is digitally signed, you will have a Digital Signature tab. Select this tab, select the signature and click on details. A new dialog will open, telling you if the signature is OK or not. When the signature is not OK, this doesn't necessarily mean that the program has been tampered with after it was signed. It could also be that you don't have the root CA from which it was signed.
FireFox is an example of a digitally signed install program.

If the program has no digital signature, you can check the cryptographic hash (like MD5, SHA1) if one is provided by the author.
I use Hashtab to calculate and compare cryptographic hashes. When you install Hashtab, it will add a tab to the Properties dialog box, allowing you to calculate and check hashes (CRC32, MD5, SHA1, SHA2, ...) directly from Windows Explorer.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"
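An added example, not part of Didier's post and not code from any of the tools named in this thread: the same two checks he describes (Authenticode signature, then a publisher-supplied hash) done from PowerShell instead of the Explorer Properties dialog. `Get-AuthenticodeSignature` and `Get-FileHash` are standard cmdlets (the latter from PowerShell 4.0 on); the file path and the published SHA-256 are assumed placeholders. The `Status` field separates the two cases in the post: `HashMismatch` means the bytes no longer match the signature, while a signature whose root CA is simply not in your store comes back with a different status and an explanatory `StatusMessage`.

```powershell
# Added example: verify a downloaded Windows program by (1) its Authenticode signature
# and (2) a SHA-256 published by the author. Both parameters are assumed placeholders.
param(
    [string]$FilePath        = "$env:USERPROFILE\Downloads\setup.exe",  # assumed download path
    [string]$PublishedSha256 = ''                                       # assumed: paste the vendor's value
)

function Test-DownloadedFile {
    param([string]$Path, [string]$ExpectedSha256)

    # --- 1. Authenticode -------------------------------------------------------
    $sig = Get-AuthenticodeSignature -FilePath $Path
    switch ($sig.Status) {
        'Valid'        { Write-Output "Signature OK, signed by: $($sig.SignerCertificate.Subject)" }
        'NotSigned'    { Write-Output "No Authenticode signature; rely on the author's hash instead" }
        'HashMismatch' { Write-Output "Signed, but the file bytes no longer match: tampered or corrupted" }
        default        {
            # Usually an untrusted chain (root CA not in your store), not tampering.
            Write-Output "Signature present but not trusted here: $($sig.Status)"
            Write-Output "  $($sig.StatusMessage)"
        }
    }

    # A Valid status only proves that whoever held the private key signed this file.
    # Check that the signer is the publisher you expected; a valid signature from the
    # wrong company is still a red flag.
    if ($sig.SignerCertificate) {
        Write-Output ("Signer subject : " + $sig.SignerCertificate.Subject)
        Write-Output ("Issuer         : " + $sig.SignerCertificate.Issuer)
        Write-Output ("Thumbprint     : " + $sig.SignerCertificate.Thumbprint)
        Write-Output ("Timestamped    : " + [bool]$sig.TimeStamperCertificate)
    }

    # --- 2. Published hash -----------------------------------------------------
    if ($ExpectedSha256) {
        $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        # Get-FileHash returns upper-case hex; -eq is case-insensitive in PowerShell.
        if ($actual -eq ($ExpectedSha256 -replace '\s', '')) {
            Write-Output "SHA-256 matches the published value"
        } else {
            Write-Output "SHA-256 MISMATCH"
            Write-Output "  expected: $ExpectedSha256"
            Write-Output "  actual  : $actual"
        }
    }
}

Test-DownloadedFile -Path $FilePath -ExpectedSha256 $PublishedSha256
```

Run it as `.\Test-Download.ps1 -FilePath C:\path\to\file.exe -PublishedSha256 <hex>`. The hash comparison is only as strong as where the expected value came from: a hash copied from the same page the file was downloaded from detects corruption in transit but not a compromised mirror, which is exactly the case the Nmap warning quoted in the first post is about. Get the hash from a second channel (the project's signed release notes, a PGP-signed checksum file) where one is offered.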


#3 chromebuster

Posted 23 October 2010 - 04:47 PM

That's good advice. I rely very heavily on hash checking since I've had to do it when downloading games that have been flagged by certain antivirus programs as malicious. Of course they were proven fine by more sources than they were proven malicious, so I have loved them. Good programs for hash checking are:
Chaos MD5
makeMSI, mainly for creating Windows installers (but it does provide that functionality through a Windows Explorer context-menu extension)
Nir Sofer's HashMyFiles

Those are the ones with which I have familiarity. And related to what was previously said about certificates, if a sig is not recognized, it could also mean that the person created their own cert. If a mod or member with more experience in this sees this, please correct me if I am wrong.

Chromebuster

The AccessCop Network is just me and my crew. 

Some call me The Queen of Cambridge


#4 Romeo29

Posted 24 October 2010 - 06:48 AM

Here are my few cents about digitally signed files:
- Earlier this year we saw Stuxnet, which was signed using stolen Realtek certificates. An exe being digitally signed with a good certificate does not always mean everything is OK. I think we should also look at the origin of the file.
- Not all programs are digitally signed. Only commercial software is digitally signed.

ChromeBuster, if a digital certificate is not verified, then either the file was modified after it was signed, or, as you said, someone used their own certificate not obtained from an authorized company like VeriSign. You can always look at the details of the certificate in the file properties.

#5 Didier Stevens

Posted 24 October 2010 - 02:17 PM

Only commercial software is digitally signed.

No, Mozilla applications, like FireFox, have an AuthentiCode signature.
Sysinternals' tools are signed too, they were already signed even before Microsoft acquired them.
And I also sign my free software.



#6 Romeo29

Posted 24 October 2010 - 08:35 PM

Thanks Didier for clearing it up. I should have typed 'mostly' before commercial.

Sorry, I did not notice earlier it was Didier Stevens. Thanks for joining the BleepingComputer community. I am a follower of your blog and I am looking forward to some great advice from a security expert like you.


#7 Didier Stevens

Posted 25 October 2010 - 08:10 AM

Thanks for the warm welcome Romeo29!

And it is true that most non-commercial Windows software is not signed.



#8 chromebuster

Posted 25 October 2010 - 09:36 PM

While we're on the topic then, how is it that we can make our own certificates recognized by Windows, Firefox, and others? I have always been curious about that since not all of us can afford to pay the large price for certs, yet we still want to make our users feel comfortable. Any input on this would be great. Thanks.



#9 smak451

Posted 26 October 2010 - 12:28 AM

Thanks guys, that feedback is very helpful. Sorry for not clarifying that yes, it was Windows I was asking about. Cheers.

#10 Didier Stevens

Posted 30 October 2010 - 06:49 AM

While we're on the topic then, how is it that we can make our own certificates recognized by Windows, firefox, and others?


I wrote up some lesser known facts about AuthentiCode here.

To make your own certificate, including a self-signed root CA and a chain from this cert to the root cert, follow my instructions here.

To sign executables with this cert, follow my instructions here.

When you write "make our own certificates recognized by Windows", I assume you want Windows to tell you that the signature is OK when you look at the details of the Digital Signatures tab?
You can do this by installing the root CA in your trusted root CA certificate store.

Take the root CA certificate you created (see my OpenSSL procedure): ca.crt
  • Double-click it
  • Click Install certificate
  • Click Next
  • Select Place all certificates in the following store
  • Select Trusted Root Certification Authorities
  • Click Next
  • Click Finish
You'll get a security warning: click yes.

From now on, all code signed with this root CA cert (or intermediate certs created with this root CA cert) is trusted.
IE also uses this certificate store.
There is no integration with Firefox, it has its own certificate stores. To import in Firefox, go to Tools/Options/Advanced/Encryption
Click View Certificates, Import and select the root ca file ca.crt.
Then select the purposes for which you want to trust this cert.

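An added example, not Didier's procedure: his linked instructions build the certificate with OpenSSL as a self-signed root plus a chained signing certificate, while this walk-through uses a single self-signed code-signing certificate made with the PowerShell PKI module (`New-SelfSignedCertificate`, `Set-AuthenticodeSignature`, `Export-Certificate`, `Import-Certificate`, available on Windows 10 / Server 2016 and later). It tells the same trust story as the post: the signature is present but not trusted, it becomes trusted once the certificate is imported into the Trusted Root store, and it breaks again the moment the signed bytes change. The subject name, file paths and timestamp server are assumptions.

```powershell
# Added example: self-signed code-signing cert -> sign a file -> trust the root
# -> re-verify -> tamper. All names and paths are assumptions for the demo.

$subject = 'CN=Example Code Signing (test only)'     # assumed subject name

# 1. Create the certificate in the user's personal store.
#    -Type CodeSigningCert sets EKU 1.3.6.1.5.5.7.3.3 (Code Signing), which Windows
#    requires on an Authenticode signer; -KeyUsage DigitalSignature is what signing needs.
$cert = New-SelfSignedCertificate -Subject $subject -Type CodeSigningCert `
    -KeyUsage DigitalSignature -KeyAlgorithm RSA -KeyLength 3072 `
    -CertStoreLocation 'Cert:\CurrentUser\My' -NotAfter (Get-Date).AddYears(1)

# 2. Something to sign. A script is used here; an .exe or .msi is signed the same way.
$target = Join-Path $env:TEMP 'signed-demo.ps1'
Set-Content -Path $target -Value 'Write-Output "hello"'

# 3. Sign with SHA-256 and a timestamp, so the signature stays valid after the cert expires.
#    The TSA URL is an assumption; drop -TimestampServer when offline.
$signed = Set-AuthenticodeSignature -FilePath $target -Certificate $cert `
    -HashAlgorithm SHA256 -TimestampServer 'http://timestamp.digicert.com'
Write-Output "After signing      : $($signed.Status) - $($signed.StatusMessage)"

# 4. Trust it. Export the public certificate and import it into the current user's
#    Trusted Root store (the store the Explorer wizard in the post writes to; expect the
#    same security warning). Use Cert:\LocalMachine\Root from an elevated shell for
#    machine-wide trust.
$cerPath = Join-Path $env:TEMP 'example-codesign.cer'
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\CurrentUser\Root' | Out-Null
Write-Output "After trusting root: $((Get-AuthenticodeSignature -FilePath $target).Status)"

# 5. Change the signed content; the embedded signature no longer matches the bytes.
(Get-Content -Path $target) -replace 'hello', 'tampered' | Set-Content -Path $target
Write-Output "After tampering    : $((Get-AuthenticodeSignature -FilePath $target).Status)"

# 6. Clean up so a throwaway root does not stay trusted on this machine.
Remove-Item -Path "Cert:\CurrentUser\Root\$($cert.Thumbprint)"
Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey
```

Step 3 should report a status other than Valid with a message about the chain ending in an untrusted root; step 4 should report Valid; step 5 should report HashMismatch, the "tampered after signing" case from earlier in the thread. Two caveats: the import only proves anything to you, since every other machine has to import the same .cer before it reports the signature as OK (the point of Didier's last paragraph), and once that certificate sits in a Trusted Root store, anything signed with its private key is trusted by that account, so keep the key where it cannot leak and remove the test root when you are done.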


#11 Romeo29

Posted 30 October 2010 - 02:11 PM

Can a free certificate from StartCom be used to digitally sign files?

#12 Didier Stevens

Posted 31 October 2010 - 03:17 AM

Can a free certificate from StartCom be used to digitall sign files?


Most likely not. CAs limit the usage of the certificates they issue. An SSL certificate can't be used for code signing.

If you've a StartCom certificate, open it and view the details tab.
Look at field Extended Key Usage: this should list Code Signing if you can use the certificate for code signing.

And take a look at StartCom's FAQ: Q 60 & 27. From what I read here, they don't issue free certificates for code signing.

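An added example, not from the post: the Extended Key Usage check Didier describes, done on a certificate file instead of through the Details tab, so it can be scripted over a batch of certificates. The path is an assumed placeholder; the OIDs are the standard values from RFC 5280 (1.3.6.1.5.5.7.3.3 is id-kp-codeSigning, 1.3.6.1.5.5.7.3.1 is id-kp-serverAuth, the usage an SSL certificate carries).

```powershell
# Added example: report whether a certificate file is marked for code signing.
# The path is an assumed placeholder; any DER or Base64 .cer/.crt file works.
param([string]$CertPath = "$env:USERPROFILE\Downloads\mycert.crt")   # assumed

$oidCodeSigning = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning
$oidServerAuth  = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth (SSL/TLS server certificate)

function Get-CodeSigningVerdict {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }

    if (-not $eku) {
        # No EKU extension at all: not restricted by EKU. Certificates issued by a public CA
        # practically always carry one, which is what limits an SSL cert to SSL.
        return 'No Extended Key Usage extension present'
    }

    $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    $list = ($eku.EnhancedKeyUsages | ForEach-Object { "$($_.FriendlyName) [$($_.Value)]" }) -join ', '

    if ($oids -contains $oidCodeSigning) { return "Usable for code signing. EKU: $list" }
    if ($oids -contains $oidServerAuth)  { return "SSL/TLS server certificate only; Authenticode will reject it. EKU: $list" }
    return "Not marked for code signing. EKU: $list"
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
Write-Output "Subject : $($cert.Subject)"
Write-Output "Issuer  : $($cert.Issuer)"
Write-Output "Expires : $($cert.NotAfter)"
Write-Output (Get-CodeSigningVerdict -Cert $cert)

# Also worth a look: Key Usage must allow digital signatures for the key to sign anything.
$ku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
if ($ku) { Write-Output "Key Usage: $($ku.KeyUsages)" }
```

This reads the same extension the Details tab shows under "Enhanced Key Usage". The EKU is enforced at verification time, not just at issuance: a file signed with a certificate that lacks the code-signing usage is reported as not valid for that purpose even when the hash and chain are otherwise fine.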


#13 Romeo29

Posted 31 October 2010 - 05:43 AM

I have a Class 1 certificate from StartCom so I am not allowed to do code signing. Thanks Didier Stevens

#14 Didier Stevens

Posted 31 October 2010 - 08:40 AM

I have Class 1 certificate from StartCom so I am not allowed to do code signing.


You can always create your own cert, like I explain here.

And here is explained how to use this cert.

Finally, to have your cert trusted by other users or on others machines, follow these instructions.



#15 chromebuster

Posted 02 November 2010 - 08:25 PM

I like those instructions you provided for us. Thanks. And OpenSSL does work on Windows, doesn't it? And another thing similarly related to this. Can the procedure you showed us in creating a self-signed cert also help us to make sure that viewers of our web sites do not get security warnings about untrusted certs? That drives me crazy, and my friend said that creating your own certificate is being lazy. Thanks.
