Bits from Bill

Technology thoughts leaking from the brain of "Bill Pytlovany"

Tuesday, June 05, 2012

Software Code Signing Certificates. Do you care?

I always considered it important to have our program clearly defined as an authentic application. There is a value in proving a file you’re about to install on your computer comes from a reputable company like BillP Studios.  This is currently accomplished through the use of a code signing certificate created specifically for BillP Studios and used during the creation of WinPatrol.  Before the release of any new version I run a code signing program from Microsoft that uses two encrypted files with uniquely assigned keys to validate and identify our WinPatrol files.

The use of a code signing certificate provides anyone who downloads our program proof that their download comes from BillP Studios and isn’t malware created to fool people into thinking they’re downloading WinPatrol. It also prevents any changes to our files.

[Image: verifieduac]

When someone installs WinPatrol they currently may see this dialog providing proof that the file has been “signed” using a certificate created for BillP Studios.  To obtain a code signing certificate BillP Studios must prove it’s a legitimate company. Our name, address, phone, bank account and other assets are validated by a company that is authorized to assign certificates. In our case, the “certificate authority” is VeriSign which is owned by Symantec. For a one year certificate we also have to pay a fee of $499 USD for the validation process. Since our information has remained the same over the years we’re pretty easy.

[Image: BillPCert]

If you click on the details arrow located on the dialog above you can learn more about who created the file and read information included in their certificate.

As you can see, this particular certificate expires on June 9th, 2012. I only have a few days to decide if I will continue relying on the code certificate technology to validate WinPatrol and other programs I create.
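The publisher, issuer and expiry details shown in the dialog can also be read from PowerShell before a downloaded setup program is run. This is an added example, not part of the original post; the download path and the exact publisher string in the certificate are assumptions.

```powershell
# Added example: inspect a downloaded installer's Authenticode signature.
# $Path and $ExpectedPublisher are assumed values supplied by the person checking.
function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedPublisher
    )

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    $result = [ordered]@{
        File        = $sig.Path
        # Valid        = file hash matches the signature and the chain is trusted
        # NotSigned    = no signature present
        # HashMismatch = file was changed after it was signed
        # NotTrusted   = signed, but the certificate is not trusted on this machine
        Status      = $sig.Status
        Publisher   = $null
        Issuer      = $null
        CertExpires = $null
        # A timestamp countersignature lets a signature made while the
        # certificate was valid keep verifying after the certificate expires.
        Timestamped = [bool]$sig.TimeStamperCertificate
        PublisherOk = $false
    }

    if ($cert) {
        # Simple name of the certificate subject (publisher) and of its issuer (the CA).
        $result.Publisher   = $cert.GetNameInfo('SimpleName', $false)
        $result.Issuer      = $cert.GetNameInfo('SimpleName', $true)
        $result.CertExpires = $cert.NotAfter
        $result.PublisherOk = ($result.Publisher -eq $ExpectedPublisher)
    }

    # Only trust the file when the signature verifies AND it names the publisher you expected.
    $result.Trusted = ($sig.Status -eq 'Valid') -and $result.PublisherOk
    [pscustomobject]$result
}

# Assumed path and publisher name, for illustration only.
Test-InstallerSignature -Path "$env:USERPROFILE\Downloads\setup.exe" `
                        -ExpectedPublisher 'BillP Studios'
```

A `Valid` status alone only says that some trusted certificate signed the file, which is why the function also compares the publisher name.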

 


Most people don’t really pay attention to the information provided in the first dialog and in the older dialogs below most people really didn’t notice much difference.  It has been a common practice to download programs which weren’t signed. 

Last weekend the value of a signed file was even more diminished. It was publicly exposed how certificates could be faked and the virus known as “Flame” was shown to be using a certificate that appeared to come from Microsoft. This forced Microsoft to release a dangerous emergency update this weekend to revoke some security certificates.

So, the question facing me this week is, should I pay $500 to Symantec so I could continue to have WinPatrol an officially signed and certified application?

On older versions of Windows and IE the difference between a signed application and one not signed wasn’t significant. Neither dialog gives you confidence about downloading from the internet.

[Image: signedold]
This is what users would see if they downloaded the setup program for WinPatrol. How dare they suggest my file could harm someone’s computer?

[Image: notsignedold]
If I didn’t sign our setup program the text here is actually more precise in its explanation. Most people knew what they were getting and I don’t think anyone would have been deterred by this message.

Now however, Microsoft Windows has increased their warning and made it harder to install unsigned programs.

[Image: iesigned]
A signed application downloaded by Internet Explorer 9 will still include a yellow warning but it’s nothing compared to the red warning that shows up if the download is not signed. 
[Image: iewarning1]
There is no option to Run a non-signed program.  To continue you must click on Actions which generates more fear from IE’s SmartScreen dialog. Instead of code signing, Internet Explorer can also base its advice on a known “Reputation”. I’m told as a small developer the best way to maintain a good reputation is to sign your code.

[Image: iewarning2]
The SmartScreen filter doesn’t give you any option to continue running a non-signed program unless you click on “More Options”.

Luckily, other browsers don’t scare users as much and your warning will come from the Windows User Account Control dialog.
[Image: chromeunsigned]
Shown above is when the WinPatrol setup is un-signed.

[Image: verifieduac]
Here’s the friendly dialog you’ll see if WinPatrol has been signed. I doubt many users actually click on Show Details to find out more about the Verified publisher. It might be useful if a program appears out of nowhere but since most users make a choice to download WinPatrol having it signed doesn’t really seem to be necessary. Would you see the difference and cancel a setup based on the difference in these two dialogs?

Again, I’m faced with the question of paying $500 to Symantec so I can distribute WinPatrol as a program signed using a valid certificate. Is $500 worth it for those of you who understand digital code signing? I don’t believe the concept of code signing is something users know about or understand.

As someone with an interest in cyber security my first response is to applaud Microsoft for forcing more developers to sign their code.  As a developer I’m hesitant to trust code signing.  I’d really rather use the $500 fee towards a new copy of Adobe Photoshop than a security certificate nobody will pay attention to.

I’ll make a decision within a couple days so I welcome your feedback. Leave your comments here or on Twitter to @BillP.


Update June 8, 2012: Thank you all for providing great feedback. Comments were even more detailed than I expected. Based on well thought out advice I will continue to sign WinPatrol, its components and setup program. Most folks say they ignore code signing information but they also agree it’s respectful to WinPatrol users for BillP Studios to provide a validated WinPatrol file before they download it. 

It was actually a friend working for Microsoft who pointed me to a “certificate authority” that provided a code signing certificate for $95 USD instead of the $500 I’ve been paying every year.  It’s always good to shop around but in this case the difference in price for virtually the same product is amazing.

 

Resources:

PC Magazine: Microsoft revokes Certificates Used by Flame Malware, June 4th, 2012

arstechnica: Flame malware hijacks Windows Update to spread from PC to PC, June 4th, 2012

arstechnica: “Flame” malware was signed by rogue Microsoft certificate, June 4th, 2012

Wikipedia: Code Signing

Symantec: VeriSign Code Signing Certificates

MSDN Blogs: Everything you need to know about Authenticode Code Signing, March 22, 2011, EricLaw’s IE Internals

Microsoft Security Response Center: Security Advisory 2718704: Update to Phased Mitigation Strategy, June 4, 2012



Saturday, June 02, 2012

Targeted Cyber Threats Aren’t Just Attacking Iran

This week the news has been focusing on the computer threats called Stuxnet and Flame. Both have actually been around a few years but were not a problem to most Windows or Mac users. These threats have gotten attention lately because of a trend towards “targeted” computer infiltrations.

Stuxnet was designed to “worm” its way on to Windows computers specifically in Iran and then target specific computer devices which may be used to process the nuclear fuel, Uranium. International observers indicate that Stuxnet was likely responsible for the eventual destruction of 10% of the centrifuge machines at Iran’s Natanz nuclear facility. Flame is a newer, larger version but may be more detectable because it seems overly ambiguous.

Many cyber researchers, myself included, feel that Stuxnet and other worms targeting Iran were developed in Israel and supported by the U.S. Department of Homeland Security. By reverse engineering Stuxnet, subtle clues backing this theory can be found encrypted in the code. If the developers wanted to blame our government these clues would have been more obvious.

On June 1st, the New York Times reported they had additional proof of our involvement. They claim a cyber sabotage program had been started under the George W Bush administration. During his first months as president Barack Obama ordered the expansion of the program, code-named “Olympic Games”.  Instead of writing more about Stuxnet and Flame like everyone else, I think it’s more important to focus on targeted attacks in general.

Targeted attacks aren’t just being used against countries who are part of the axis of evil.  Businesses are being targeted by competitors, candidates running for office are targeted by their opposition, celebrities targeted by reporters and now we’re seeing an increase in targeted attacks on individuals who are tricked into installing Rogueware, also called Extortionware or Ransomware.

We’ve had reports of individuals targeted on the phone with callers claiming to be from Microsoft. Typically, the caller reports that a virus has been detected on your computer. They offer a solution which requires giving them access to your computer so they can fix the problem for free. While you might think people wouldn’t fall for this trick, obviously enough users are convinced by their story to make it worth the time and effort. The virus always turns out to be worse than expected.  You’ll need to pay around $400 if you want your computer back. Even then you can expect your computer to include a quiet infection so that it still provides remote access.

Individual Targets
The extremely scary part is you’re no longer a name and number on a list. The bad guys have been doing their homework and they know about you before you hear their voice on the phone. Even if you don’t fall for their story, the feeling of a stranger knowing personal details calling your home will give most people an uneasy feeling of being violated.

A recent phone call to our home was designed specifically for me. The caller knew my name, address, my IP address, what kind of machine I had and even my professional background. My caller identified himself as Walt, and claimed to be a support tech for the Microsoft MVP program.  He knew I was an MVP and explained this was a new way of reaching out to MVPs. He claimed Microsoft was testing a new security solution but due to NDA restrictions I couldn’t download it. The only way to get this top secret program was to allow Walt access to my computer so he could install it.

This isn’t the first time I’ve been a target. In what you might call the glory days of AOL being a former employee with the screen name “BillP” made me a frequent target. Some assumed my account had special privileges or access to internal areas. Of course, back then all someone had to do was call AOL customer service and convince them they were Bill Pytlovany. Customer service would reset my passwords and they’d have access to my account. Eventually, AOL locked down my accounts and for a while I had the benefit of an RSA key to get online.

I suspect this recent attacker may have been hoping I had something under a Microsoft NDA because of my MVP status. It’s also possible Walt was someone looking to access my WinPatrol source code. I have shared my experience with other MVPs in case they receive similar phone calls.  I admit, I make a lot of my personal information available. I do this so WinPatrol customers feel confident knowing they’re dealing with a real person. It’s a choice I’ve made but also means I have to spend some time looking over my shoulder and keeping my eyes open to imaginative attacks.

 

Included Links:

Gizmodo: Hack Politician and Son Arrested for Political Hack 5/24/2012

NY Times: Obama Order Sped Up Wave of Cyberattacks Against Iran 6/1/2012

Microsoft: About “Most Valuable Professional”
