What's the easiest way to manage/maintain a whitelist?

Discussion in 'other software & services' started by Hungry Man, Nov 11, 2011.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Re: Who can we trust?

Exactly. And it's been proven multiple times that
1) CAs aren't doing background checks; they're simply taking money and handing out certs.
2) They aren't protecting those certs, and they're easily hacked, etc.

So how can there be reform? Can we ever trust CAs? How can we make sure CAs are doing their jobs? How can we have a manageable whitelisting certificate system if we can't trust the distributors?

    Do we need the government to standardize vetting procedures and enforce them? Can we rely on the companies to do it as a form of competition? Community? Or is it impossible?
     
  2. wat0114

    wat0114 Guest

    Re: Who can we trust?

    That I don't know. AppLocker scans the files looking for digital signature (when you choose Publisher) and reports what it finds. It can't verify if the signature can be trusted or not.

    There are ways to mitigate the risks using Group Policy where you can set to check for certificate revocation, certificate errors and certificate address mismatch. There's also, of course, IE9's Smartscreen filter :)

Good question, which is why in my previous example one still should take whatever steps necessary before installing a signed application, and then test it for a bit to make sure it doesn't exhibit odd and suspicious behaviour before they "lock it down" by whitelisting it.

The main point of my example was to show that not all files contain a digital signature, even when the installer is digitally signed.

    All it boils down to is:
    • you want a certain program
    • you find it at the most trustworthy source you can locate
    • you download it, maybe scan it with one or more av programs or better yet try it sandboxed or in a vm.
    • you have to keep in mind it may not be a signed program, including the installer. If you insist on a signed installer and it isn't, then you either dump it or you accept it for what it is because it's a program you really want badly and there's nothing else like it around.
    • after you've done your best to verify it's safe, you install it.
    • Create publisher rules for it for all signed files.
    • If not signed, you can create Hash or Path rules for it.

    It's now locked down and ready to use.
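The procedure above, written out as a script. This is an added example and not code from the post or from Microsoft; the install directory, rule name prefix, output path and the pinned thumbprint are placeholders, and the thumbprint pin goes one step past the post by tying the publisher rule to a specific signing certificate verified out of band rather than to any certificate a trusted CA issues with that subject. It verifies every Authenticode signature in the install folder with an online revocation check, refuses to continue if a signed file fails validation, then builds AppLocker Publisher rules for signed files and Hash rules for the rest, and dry-runs the policy before it is merged.

```powershell
# Added example (not from the thread): verify an installed program's Authenticode
# signatures with an online revocation check, then build the AppLocker rules the
# post describes: Publisher rules for signed files, Hash rules for unsigned ones.
# $AppDir, $PolicyXml and $PinnedThumb are assumed placeholders.
#Requires -RunAsAdministrator
Import-Module AppLocker

$AppDir      = 'C:\Program Files\ExampleApp'                # assumed install directory
$PolicyXml   = Join-Path $env:TEMP 'ExampleApp-AppLocker.xml'
# Thumbprint of the vendor's signing certificate, checked out of band (assumed value).
# A Publisher rule trusts any cert a trusted CA issues with the same subject;
# comparing the thumbprint keeps the CA out of that decision for this vendor.
$PinnedThumb = '0000000000000000000000000000000000000000'

function Test-SignerChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'        # fetch CRL/OCSP, not cache only
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $ok = $chain.Build($Cert)
    [pscustomobject]@{
        Ok     = $ok
        Status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    }
}

$files  = Get-ChildItem -Path $AppDir -Recurse -Include *.exe,*.dll,*.msi,*.ps1
$report = foreach ($f in $files) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    $chainOk = $false; $chainStatus = ''; $pinned = $false; $signer = ''
    if ($sig.Status -eq 'Valid') {
        $c = Test-SignerChain -Cert $sig.SignerCertificate
        $chainOk = $c.Ok; $chainStatus = $c.Status
        $signer  = $sig.SignerCertificate.Subject
        $pinned  = $sig.SignerCertificate.Thumbprint -eq $PinnedThumb
    }
    [pscustomobject]@{
        File = $f.FullName; SigStatus = $sig.Status; Signer = $signer
        ChainOk = $chainOk; ChainStatus = $chainStatus; Pinned = $pinned
    }
}
$report | Format-Table File, SigStatus, ChainOk, Pinned -AutoSize

# Anything signed but not valid (tampered, revoked, untrusted chain) stops the process.
$bad = $report | Where-Object {
    ($_.SigStatus -notin 'Valid', 'NotSigned') -or ($_.SigStatus -eq 'Valid' -and -not $_.ChainOk)
}
if ($bad) {
    $bad | Format-List
    throw 'Signature problems found; do not whitelist this install.'
}

# Build the rules. New-AppLockerPolicy walks -RuleType in order and falls back to the
# next type when the earlier one cannot apply, so unsigned files end up with Hash rules.
$info = Get-AppLockerFileInformation -Directory $AppDir -Recurse -FileType Exe, Dll, WindowsInstaller, Script
New-AppLockerPolicy -FileInformation $info -RuleType Publisher, Hash -User Everyone `
    -RuleNamePrefix ExampleApp -Optimize -Xml | Out-File -Encoding utf8 $PolicyXml

# Dry run: every file should come back Allowed before the policy is merged.
$files | ForEach-Object { Test-AppLockerPolicy -XmlPolicy $PolicyXml -Path $_.FullName -User Everyone }
# Set-AppLockerPolicy -XmlPolicy $PolicyXml -Merge    # apply once the dry run is clean
```

Two caveats worth knowing before relying on this: the Hash rules for unsigned files break on the next update of that program, so they have to be regenerated every time, and the `Pinned` column is informational only, since AppLocker Publisher rules match on subject and product fields rather than on a certificate thumbprint; the pin tells you whether the vendor's signing certificate changed, which is the moment to look again at who issued it.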
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Re: Who can we trust?

    Yeah but it's not "Can I run an insecure program without being infected?" it's "Can we trust certs?"

    Yeah, you can take steps to run blatantly hacked programs right on your computer and you'll be fine. But the idea behind a cert is that you can trust the program or website.

    The problem is that certs are being handed out for money or being straight out hacked - so can you ever really trust them? Because, as I said, the idea is that you're supposed to be able to trust them.

    Further, are certs really a good system? Can there be a good whitelisting system (and I'm not talking about some local thing set up by the user, I'm talking about a cert-type system where someone else is whitelisting.)
     
  4. wat0114

    wat0114 Guest

    Re: Who can we trust?

Since the only way I know of to verify certs is by what I listed above, you either have to accept things the way they are or you don't. If you worry that much about signed programs, then maybe avoid them altogether. Unfortunately, it's probably not going to be the most productive approach to take. You are skilled and knowledgeable enough, I'm sure, to make a really accurate determination on a signed program's trustworthiness by analyzing its behaviour when it's running, and there are numerous search engines at your fingertips where you can seek opinions from so many others, especially if it's an application that's been in circulation with a decent popularity level for a long time.

    It's good to be cautious but if you let paranoia consume you by drumming up every conceivable "what if" scenario you can think of, you'll never get any real work done.

    BTW, I can tell you with 100% certainty, that whenever I've downloaded an app from a source I felt I can trust, it has always come up clean. This is in the last 8 years at least of downloading dozens upon dozens of apps from the Internet. Where you download from plays a huge part in finding a safe application.
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Re: Who can we trust?

    The problem is that this isn't some "What if?" situation... it's been happening quite a lot for a while now. And it's either the companies not protecting themselves properly or not properly vetting applications.

    And that the cert system is used on basically every mainstream OS.

    At this point certs are going to be virtually useless in terms of verifying an application as legitimate or not. Trusted source isn't super reliable either. Combined? Sure, it's a good start. But the idea of a whitelist is not to make guesses based on generic things like "Manufacturers site" or "Certificate" the cert is supposed to take care of that on its own.
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Re: Who can we trust?

    Basically... how can anyone trust certs when the system is so broken? It's easy to simply buy a cert if you've got the money and the vetting process is often just not there.

    No one is making sure that the CAs are doing their jobs so how can we possibly trust anyones certs?
     
  7. wat0114

    wat0114 Guest

    Re: Who can we trust?

Well, that's the way things are, I guess. All I know is I've downloaded numerous apps over the years, both signed and unsigned, and never found one that was malicious. You can call this flukey if you want, but I think it's a pretty good barometer that indicates things aren't as bad as they may seem, especially when prudent steps such as downloading from trusted sources and a virus scan or two are part of one's approach.
     
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Re: Who can we trust?

    =p You haven't but millions have. And the cert system is cross-platform, hence why it's more serious than say some Windows exploit.

    Certs are used in enterprise situations, home situations, all over different platforms.
     
  9. wat0114

    wat0114 Guest

    Re: Who can we trust?

Which begs two questions:

    1. Am I just luckier than those millions?
    or
    2. What am I doing differently than those millions?
     
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Re: Who can we trust?

    I'd say it's about usage differences.

I know in one case someone was looking to watch the latest episode of a TV show, so they Googled "Dexter watch online season 4 ep 4" or something and simply clicked a few links. That was enough for an infection.

    Some people just use the internet differently, and there shouldn't be a one-way-to-do-things kinda internet. The problem is that malware creators target these people.

    And then there's luck components with pure coincidence. I went to some hacked website but my friend went an hour later and it wasn't hacked anymore. It's just about being one of those unlucky few who got to it while it was compromised.
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Re: Who can we trust?

    But that's not really cert related.

    The idea of a cert is to remove suspicion from a program/ website. "Oh, someone looked into it and it's all good. Cool, I'll enter my bank info/ let it install."
     
  12. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Hungry Man,

If you're looking to program something, maybe have a look at the paper "Tracer: Enforcing Mandatory Access Control in Commodity OS with the Support of Light-Weight Intrusion Detection and Tracing" (hxxp://www.ee.sunysb.edu/~xwang/public/paper/asiaccs17-shan.pdf).
    Unfortunately Tracer apparently hasn't been publicly released.
     
    Last edited: Nov 27, 2011
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
Thanks, I'll look into that.
    edit: This paper is very helpful.
     
    Last edited: Nov 29, 2011