Message-ID: <ILEPILDHBOLAHHEIMALBKENAGFAA.jasonc@science.org>
From: jasonc at science.org (Jason Coombs)
Subject: Call for discussion

A closed source database application offering known good hashes and forensic
details of files published by vendors... These people are headed in a positive
direction, but the closed source part bothers me for some reason.

Have a look at one alternative:
http://www.knowngoods.org/

I'd like to know what people here think the ideal solution is to the challenge
of keeping track of all binary (and source) files ever published so that we
can determine conclusively (or as close to it as possible) what's on our hard
drives in the real world.

Are all potential solutions flawed in the same way by being dependent on
people's intentional contributions?

What about an RPC DCOM worm that crawls around hashing everything it finds and
reports back to an open source central repository? Seriously, applications
that profile your hard drives would be tricky to write without doing away with
privacy, but without some automated mechanism to catalog everything that
exists, the cost to build and maintain such things may keep the really
valuable ones closed source indefinitely.

Jason Coombs
jasonc@...ence.org

--

Vendor coalition touts file validation plan as security measure

The goal is to help companies identify and fix any accidental or malicious
changes to their software

By JAIKUMAR VIJAYAN
AUGUST 05, 2003

Source: Computerworld

A coalition of vendors led by Portland, Ore.-based Tripwire Inc. today
announced an initiative to build a File Signature Database (FSDB) that would
allow users to validate the authenticity of files that make up their software
systems and applications.

The effort, which is meant to allow companies to better monitor and correct
any accidental or malicious file changes that could compromise security,
includes several well-known charter members: Hewlett-Packard Co., IBM,
InstallShield Software Corp., Sun Microsystems Inc. and RSA Security Inc.

The file signature repository will include individual file information, such
as a "born-on" date, file name, digital hash value and other unique attributes
published by each of the vendors. Companies can then verify the identity and
integrity of the software running on their own systems by comparing it against
a heterogeneous collection of "good file information" contained in the FSDB,
said Wyatt Starnes, founder and CEO of Tripwire.

"Almost 95% to 97% of the downtime in larger enterprises is caused by
uncontrolled change" in the IT environment, Starnes said.

While software from vendors such as Sun, IBM and Microsoft Corp. comes with
functionality that allows users to verify the integrity of files, there's no
common way for users to do that today, Starnes said. The FSDB will give users
one place to go for verifying heterogeneous file sets.

The FSDB's approach is different from tracking "known bad" files, such as
viruses and other signature-based malicious code, said Chris Christiansen, an
analyst at Framingham, Mass.-based IDC, in a statement accompanying the
announcement.

"By knowing what the good state is, improper and corrupted files can be
eliminated by exception before they execute their poisonous instructions,"
Christiansen said.
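As an added illustration of the "known good" check the article describes (file name, hash value and born-on date per vendor entry, with anything not in the set flagged by exception), here is a small audit script. It is not Tripwire's or the FSDB's code; the manifest entries, vendor name and file contents are constructed for the example, and SHA-256 is assumed as the hash.

```python
import hashlib

def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed "good file information" in the shape the article describes:
# name, digital hash and a born-on date, as a vendor would publish it.
# Two entries share a name: the same product shipped twice (two builds).
KNOWN_GOOD = [
    {"name": "netlib.dll", "sha256": _sha256(b"netlib build 1.0"), "born_on": "2003-05-01", "vendor": "ExampleCo"},
    {"name": "netlib.dll", "sha256": _sha256(b"netlib build 1.1"), "born_on": "2003-07-15", "vendor": "ExampleCo"},
    {"name": "setup.exe",  "sha256": _sha256(b"installer bits"),   "born_on": "2003-06-20", "vendor": "ExampleCo"},
]

# Index by hash (the authoritative check) and by name (so a file carrying a
# published name but no published hash is reported as altered, not merely unknown).
BY_HASH = {e["sha256"]: e for e in KNOWN_GOOD}
NAMES = {e["name"] for e in KNOWN_GOOD}

def classify(name: str, content: bytes) -> str:
    """Verdict for one observed file against the known-good set.
    'known-good': hash matches a published entry under the same name
    'renamed'   : hash matches a published entry under another name
    'altered'   : name is published, but no published hash matches
    'unknown'   : neither name nor hash is published (the exception case)
    """
    entry = BY_HASH.get(_sha256(content))
    if entry is not None:
        return "known-good" if entry["name"] == name else "renamed"
    return "altered" if name in NAMES else "unknown"

def audit(observed: dict) -> dict:
    """Check a {name: bytes} snapshot of a host; returns a verdict per file."""
    return {name: classify(name, data) for name, data in observed.items()}

if __name__ == "__main__":
    # Constructed host snapshot: one good build, one tampered file,
    # one renamed copy of a good build, and one file nobody published.
    snapshot = {
        "netlib.dll": b"netlib build 1.1",
        "setup.exe": b"installer bits (tampered)",
        "copy_of_netlib.dll": b"netlib build 1.0",
        "stranger.exe": b"never published",
    }
    for name, verdict in audit(snapshot).items():
        print(f"{verdict:10s} {name}")
```

Only files classed "known-good" match both a published hash and name; everything else is the exception list a reviewer would examine.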

The FSDB is currently populated with more than 11 million known-good file
signatures from each of the participating members. Each charter member will
populate the database with new file information as new software is published.

Licensed users will have multiple ways of accessing the file information
contained in the FSDB, according to Starnes. One is a Web service that will be
launched sometime during the first half of 2004 that will give users access
over the Internet. Sometime next year, hardware appliances will also become
available that will allow users to self-populate and host only the file
information that is relevant to their networks.

The FSDB will also be made available separately to government and law
enforcement agencies.

"I think it's a great initiative," said Ken Tyminski, chief information
security officer at Prudential Financial in Newark, N.J. "It will give people
the ability to ensure the code they have is really the right code. It will
also help from a problem-determination perspective. If you think something is
not at the right level or has been altered, you can look it up."

Doing so now involves going to multiple sources for the correct file
information, Tyminski said. The FSDB, in contrast, will give users a single
place to go for the information.

Tyminski said he hopes more companies join the initiative. "I would like to
see other players involved in this as well. To me, it looks like a win-win for
everybody," he added.
