TVL VS signed malware

If I’m not wrong (and please correct me if I am as I haven’t actually researched this :o) the problem today isn’t that the digital certificates are being cracked, but that some companies/individuals are willing to sign malware.

Is this right? If not then please direct me to a link so I can be correct in the future. 88)

Yes, you’re right.

Digital signatures are very difficult to fake with our current technology, but they’re not “mathematically” uncrackable. My comment was a response to the quote from Melih.

Of course they can be cracked, but is it doable in a reasonable time period? Like SHA1 can be cracked, but it would take about 10 years using very powerful servers.

Also, stealing a certificate will render it useless because it will not be valid anymore.

I read about a year ago that enthusiasts gathered “home made” supercomputers using PS3 (CELL processor)…

Alex

That’s the way I’ve chosen to go and I have no complaints.

~Maxx~


Quoted Melih with making impact on ‘there is no way practically’. But appears there is – which is proven by the fact malware writers managed to use a valid digital signature to sign malware (info from the 1st message).


I heard Microsoft and Verisign revoked the stolen Realtek certificate, does it mean I’m safe now?

Due to the way certificates work, a revoked certificate doesn’t mean the malware will not run anymore. You will still get infected by Stuxnet and the driver will still load without any warning. The only effect of the revoke process is that the bad guys will not be able to sign any further malware with it.

There was a lot of fanfare on Saturday when Microsoft and Verisign announced that they had worked together with Realtek to revoke the certificate in question, implying that this somehow improved the safety and security of users. One of our researchers, Mike Wood, who will be presenting a paper this year at Virus Bulletin on the use of certificates by cybercriminals, helped me out by looking into the specifics of how Windows treats signed drivers and DLLs.

Mike came to two conclusions. One was that a driver signed with a certificate during its validity period will never expire. That the signing certificate is now expired is irrelevant because the rootkit was signed when the certificate was valid.

Second, Mike determined that the conclusion I had drawn in this week’s Sophos Security Chet Chat was incorrect. I thought that when the certificate was revoked this would prevent drivers that had been signed by it from loading into Windows. This is only partially true; it will only prevent drivers from loading that were signed after the certificate was revoked. This means all existing copies of Stuxnet that are in the wild will still happily load.

Why revoke the certificate at all? I have no clue. It accomplishes absolutely nothing as far as I can tell, except giving the appearance that the powers-that-be are taking actions to protect us.
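The two conclusions in the quoted Sophos post (a signature timestamped while the certificate was valid does not expire with the certificate, and revocation only stops signatures made after the revocation date) can be modelled in a few lines. The following is an added example, not code from the thread, from Windows or from Comodo; the certificate, dates and file names are constructed, and the "strict" policy is an assumption about what a product that "validates the revocation status of the certificates in signed binaries" might do, not a description of how CIS 5.3 actually behaves.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple


def _utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


@dataclass
class Certificate:
    subject: str
    not_before: datetime
    not_after: datetime
    revoked_at: Optional[datetime] = None  # revocationDate from the CA's CRL; None = not revoked


@dataclass
class SignedBinary:
    name: str
    signer: Certificate
    signed_at: datetime  # trusted timestamp embedded with the signature (countersignature)


def timestamp_policy(binary: SignedBinary, now: datetime) -> Tuple[bool, str]:
    """The rule the Sophos post describes for driver loading: the signature is judged
    as of the time it was made, so the current time (`now`) plays no part."""
    cert = binary.signer
    t = binary.signed_at
    if not (cert.not_before <= t <= cert.not_after):
        return (False, "signed outside the certificate's validity period")
    if cert.revoked_at is not None and t >= cert.revoked_at:
        return (False, "signed after the certificate was revoked")
    # Expiry after signing and revocation after signing both leave the signature valid.
    return (True, "timestamped while the certificate was valid and unrevoked")


def strict_revocation_policy(binary: SignedBinary, now: datetime) -> Tuple[bool, str]:
    """Assumed stricter rule: a binary whose signing certificate is revoked at check time
    is untrusted regardless of when it was signed. Expiry alone is still not a reason
    to distrust it, so the timestamp rule is applied after the revocation check."""
    cert = binary.signer
    if cert.revoked_at is not None and cert.revoked_at <= now:
        return (False, "signing certificate is revoked")
    return timestamp_policy(binary, now)


# Constructed sample data (not the real Realtek certificate, dates or file names).
REVOKED_CERT = Certificate("Example Vendor Ltd (constructed)", _utc(2009, 1, 1), _utc(2011, 1, 1),
                           revoked_at=_utc(2010, 8, 15))
EXPIRED_CERT = Certificate("Example Other Vendor (constructed)", _utc(2009, 1, 1), _utc(2011, 1, 1))

SAMPLE_BINARIES = [
    SignedBinary("rootkit_signed_before_revoke.sys", REVOKED_CERT, _utc(2010, 6, 1)),
    SignedBinary("rootkit_signed_after_revoke.sys", REVOKED_CERT, _utc(2010, 9, 1)),
    SignedBinary("legit_driver_cert_now_expired.sys", EXPIRED_CERT, _utc(2009, 6, 1)),
]


def audit(binaries, now: datetime) -> dict:
    """Return {name: (trusted under timestamp policy, trusted under strict policy)}."""
    return {b.name: (timestamp_policy(b, now)[0], strict_revocation_policy(b, now)[0])
            for b in binaries}


if __name__ == "__main__":
    check_time = _utc(2012, 1, 1)  # well after both expiry and revocation
    for b in SAMPLE_BINARIES:
        ts_ok, ts_why = timestamp_policy(b, check_time)
        st_ok, st_why = strict_revocation_policy(b, check_time)
        print(f"{b.name}: timestamp policy -> {ts_ok} ({ts_why}); strict policy -> {st_ok} ({st_why})")
```

Run it and the first sample shows the point of the post: a driver signed before the revocation date is still trusted under the timestamp rule even though the certificate is both expired and revoked, and only the stricter policy rejects it. The second sample is the only one the revocation actually stops.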

Why revoke the certificate at all? I have no clue. It accomplishes absolutely nothing as far as I can tell, except giving the appearance that the powers-that-be are taking actions to protect us.

It prevents future infections by this specific certificate. That's still good enough in my book.

Unfortunately, revoking a certificate does not help to expose already infected systems, nor the spread of Stuxnet, for example.

Things could be tightened up by not allowing any driver without a valid signature. That would mean that vendors will have to maintain driver’s signatures until years after release. That’s a change.

Correct me if I’m wrong, but with CIS V5.3 a file signed with a revoked certificate would not be trusted. Thus revoking a certificate is very important.

Freeware and open source developers are already being ■■■■■■■ over by Microsoft’s driver signing ■■■■. Now you want time stamp certificates gone, so developers have to pay money to the CAs every year just to keep their existing software working?

That would be the solution when following the above line of thinking. I was thinking out loud when connecting their dots.

I am aware that this would greatly hurt the open source community.

Well I use Comodo because it alerts me and asks me for every single thing.

I want to know exactly what is going on and I want the option to disallow it if I feel the need for that.

I do NOT want anything trusted without my personal approval.

I would like an easy way to disable the TVL, better management of the TVL and the option to Opt-out of updates to the TVL, only allowing program updates to show notifications.

Please add support in the wish board for a topic like:
Add ability to deselect vendors from the trusted list.
Or create one or more wishes yourself. That way your ideas will be seen for sure.

Good if it is so, but that is only your supposition, right :-X

This improvement was listed in the release notes (“FIXED! AV does not validate the revocation status of the certificates in signed binaries”).

AV :-\ That’s not funny: how about Firewall/Defense+ components

It was fixed; thus it does validate the revocation status of the cert in signed binaries.

hope this helps

Jake

You didn’t tell something new if you were referring to the release notes displayed above. If you were not, then what was fixed?

Secondly, release notes tell “FIXED! AV does not validate the revocation status of the certificates in signed binaries”. So now AV does validate the revocation status. But AV is irrelevant, because Fw/D+ components of CIS are of special interest (whether they can recognise revoked cert and not trust it), not AV.

It is relevant because of how an unknown file gets assessed:

When an executable is first run it passes through the following CIS security inspections:

Antivirus scan
Defense+ Heuristic check
Buffer Overflow check

These are the first things CIS checks.

And if AV is not installed (by the way, officially supported CIS setup), is it relevant?

Why not give the option to allow a person to not use the trusted vendor list and help prevent the spread of malware? Every time I have had a problem it was beyond repair and could not submit any files, so you better start surfing the web and find these viruses and malware if you want to find the problems I have had. My computer has been wiped out multiple times simply because of the ads many “trusted” vendors put on their page. They should be required to pay a $5000 fee to the people they infected with the ads for not checking their own page. I have had my computer wiped out twice on the Microsoft page alone. The bad part: if my computer didn’t allow the trusted vendor to just automatically connect to the internet, the malware would not have been able to wipe out my computer. I blame all firewall companies that use trusted vendor lists to bypass what a customer wants. Why not allow the customer to set it to ask if they want to use the trusted vendor list or not, and display a warning that when the vendor list is disabled you will be prompted any time a new program wants to connect to the internet? Not hard, but it does prove one thing: the only thing any of these software companies that force the use of a trusted vendor list are after is money, and they are telling their customers to go to h… I don’t use foul language, but all of you companies that are ignoring your customers are getting on my nerves. >:-D >:-D >:-D