Security Basics
Operative System Updates Jun 14 2012 05:45PM
haZard0us (m0shg0sh gmail com) (4 replies)
RE: Operative System Updates Jun 15 2012 02:10PM
Morey, Adam (adam morey nist gov)
Fwd: Operative System Updates Jun 14 2012 07:57PM
Michael Rawson (michael rawson cc)
RE: Operative System Updates Jun 14 2012 06:41PM
Dave Kleiman (dave davekleiman com) (2 replies)
Re: Operative System Updates Jun 14 2012 09:55PM
Jeffrey Walton (noloader gmail com) (1 replies)
RE: Operative System Updates Jun 15 2012 11:01AM
Ken Schaefer (Ken adOpenStatic com)
If OP is concerned about updates/service packs (the latter makes me think Windows) from a vendor, then worrying about MD5 collisions is probably moot.

Also, if this is Windows, then any of the application packaging applications (Wise etc.) will do this. They snapshot before/after you make changes, and package everything up for you.

Cheers

Ken

-----Original Message-----
From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com] On Behalf Of Jeffrey Walton
Sent: Friday, 15 June 2012 7:55 AM
To: Dave Kleiman
Cc: security-basics (at) securityfocus (dot) com
Subject: Re: Operative System Updates

On Thu, Jun 14, 2012 at 2:41 PM, Dave Kleiman <dave (at) davekleiman (dot) com> wrote:

> haZ,
>
> For the files changed portion of your question, you could use something like Log Parser to gather lists of MD5s of files and compare them after.
> Like if you wanted EXEs in the sys32.
>
> logparser "SELECT Path, HASHMD5_FILE(Path) INTO EXE_MD5s.csv FROM C:\Windows\System32\*.exe" -i:FS -recurse:0 -o:csv

No, not MD5.

In 2008, researchers set up a rogue CA. They were able to engineer collisions. "MD5 considered harmful today," http://www.win.tue.nl/hashclash/rogue-ca/. CAs responded with, "Past certificates are OK, it's only future certificates we need to worry about."

So a bunch of certs signed with MD5 continued to live. Mozilla told us (in 2008) they were working with CAs about those certificates: "MD5 Weaknesses Could Lead to Certificate Forgery," http://blog.mozilla.org/security/2008/12/30/md5-weaknesses-could-lead-to-certificate-forgery/.

But the damn things are still around in 2012: "By default, stop accepting MD5 as a hash algorithm in certificate signatures," https://bugzilla.mozilla.org/show_bug.cgi?id=590364.

In 2012, bad guys were able to engineer collisions, too. But in a way that no researcher (that I am aware of) took to proof of concept. The chosen prefix collision attacks are one of the reasons why Flame malware stayed under the radar for so long. "Microsoft Sub-CA used in malware signing," http://lists.randombit.net/pipermail/cryptography/2012-June/002961.html.

Now that MD5 is more broken (???) - as if just "broken" was not enough - such that an attacker could potentially create a second binary file with an expected hash due to chosen prefix collisions and empty space in binaries, do you really think it's suitable as a tripwire?

Jeff

> -----Original Message-----
> From: listbounce (at) securityfocus (dot) com
> [mailto:listbounce (at) securityfocus (dot) com] On Behalf Of haZard0us
> Sent: Thursday, June 14, 2012 13:45
> To: security-basics (at) securityfocus (dot) com
> Subject: Operative System Updates
>
> Hi all,
>
> I need to create a script that gathers information of the OS before and after the updates in order to detect changes and which updates/service packs were used.
>
> To be honest, I really don't know where to start. So, my question is which information should I gather in order to detect correctly which files were changed and which updates were used.
>
> Thanks in advance.
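The before/after snapshot that Dave and Ken describe, written with SHA-256 rather than MD5 for the reason Jeff gives: a collision-resistant hash is what makes a "same digest, therefore unchanged" conclusion trustworthy. This is an added example, not code from anyone in the thread. It assumes only the Python standard library, and the `demo()` function builds its own throwaway directory with constructed file names in place of System32 so it runs on any platform.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, algorithm="sha256", chunk_size=1 << 16):
    """Hex digest of a file, read in chunks so large binaries need not fit in memory.
    SHA-256 is used instead of MD5: MD5 collisions are practical, so an MD5 match
    no longer proves a file is the one you hashed earlier."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root, patterns=("*.exe", "*.dll", "*.sys"), recurse=True):
    """Map each matching file (path relative to root, POSIX separators) to its digest.
    Defaults mirror the thread's interest in binaries; pass other patterns as needed."""
    root = Path(root)
    result = {}
    for pattern in patterns:
        matches = root.rglob(pattern) if recurse else root.glob(pattern)
        for p in matches:
            if p.is_file():
                result[p.relative_to(root).as_posix()] = hash_file(p)
    return result


def compare(before, after):
    """Classify files as added, removed, or changed between two snapshots."""
    before_keys, after_keys = set(before), set(after)
    return {
        "added": sorted(after_keys - before_keys),
        "removed": sorted(before_keys - after_keys),
        "changed": sorted(k for k in before_keys & after_keys if before[k] != after[k]),
    }


def demo():
    """Constructed example: a temp directory stands in for System32, and an
    'update' is simulated by patching one file, removing one, and adding one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "drivers").mkdir()
        (root / "kernel32.dll").write_bytes(b"constructed: old build")
        (root / "notepad.exe").write_bytes(b"constructed: v1")
        (root / "drivers" / "disk.sys").write_bytes(b"constructed: disk driver")
        (root / "readme.txt").write_bytes(b"constructed: not matched by patterns")
        before = snapshot(root)

        (root / "kernel32.dll").write_bytes(b"constructed: new build")  # patched
        (root / "notepad.exe").unlink()                                  # removed
        (root / "drivers" / "usb.sys").write_bytes(b"constructed: usb")  # added
        after = snapshot(root)

        return compare(before, after)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Run once before the update and once after, persisting each snapshot (JSON is enough) and feeding both to `compare()`. For the second half of the original question, which updates were applied, the installed hotfix list on Windows (`Get-HotFix` in PowerShell, or `wmic qfe list`) can be captured before and after in the same way and diffed as plain text.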

Re: Operative System Updates Jun 14 2012 07:36PM
Andrew Cummings (acummings dfw gmail com)
Re: Operative System Updates Jun 14 2012 06:40PM
Littlefield, Tyler (tyler tysdomain com)