Re: [saag] Fwd: [widgets] New WD of Widgets 1.0: Digital Signatures spec published on March 31
Peter Gutmann <pgut001@cs.auckland.ac.nz> Mon, 06 April 2009 15:08 UTC
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: benl@google.com, pgut001@cs.auckland.ac.nz
In-Reply-To: <1b587cab0904060714h4deb48b2of69d0252988be2f5@mail.gmail.com>
Message-Id: <E1LqqPy-0004YB-AP@wintermute01.cs.auckland.ac.nz>
Sender: pgut001 <pgut001@cs.auckland.ac.nz>
Date: Tue, 07 Apr 2009 03:07:22 +1200
Cc: art.barstow@nokia.com, Frederick.Hirsch@nokia.com, saag@ietf.org
Subject: Re: [saag] Fwd: [widgets] New WD of Widgets 1.0: Digital Signatures spec published on March 31
Ben Laurie <benl@google.com> writes:

>On Mon, Apr 6, 2009 at 2:47 PM, Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:
>> Ben Laurie <benl@google.com> writes:
>>>I find it pretty annoying that signing widgets is described as a "trust and
>>>quality assurance mechanism".
>>
>> It's a valid comment though.  A large-scale study (from Microsoft's malware
>> research group) has shown that the majority of CA-certified signed malware is
>> in the "severe" or "high-risk" category.  So seeing a signature on malware
>> provides a high level of trust that this is the high-quality stuff you're
>> seeing and not some cheap knockoff.
>
>Awesome! Link?

http://blogs.technet.com/mmpc/archive/2008/11/06/malware-and-signed-code.aspx

(this was what motivated my "Asking the drunk whether he's drunk" post on the
cryptography list a few months back).

As a general comment, signed malware has been out there for some years now,
but this is the first large-scale (I mean seriously large-scale) study of it.
1.78M signed non-malicious files, 173K signed malware files, so one in ten
signed files on a PC is genuine CA-certified signed malware (and that's a
lower bound based on what's detectable by the MMPC scan, any decently-infected
machine will have scanning disabled or subverted so it won't register).

From the report:

  Of signed detected files, severity of the threats tended to be high or
  severe, with low and moderate threats comprising a much smaller number of
  files:

    Severe    50819
    High      73677
    Moderate  42308
    Low        1099

So there you go, signing definitely does provide a "trust and quality
assurance mechanism".  If it's a CA-certified signed rootkit or worm, you
know you've been infected by the good stuff.

Peter.