[Tutor] application whitelisting

Albert-Jan Roskam fomcl at yahoo.com
Sat Sep 22 17:11:54 CEST 2012


<snip>
 

>On 21/09/12 20:51, Albert-Jan Roskam wrote:
>> Hi,
>>
>> My company just started application whitelisting. Now a new version of
>>a (benign!!) dll does not work as it (or rather, its file hash, if I
>>understood it correctly) is not whitelisted.
>
>Then get it whitelisted. If your company doesn't have the ability to
>update the whitelist when your software updates, it's even more stupid
>than it seems.


You are right, I should treat it like any other update. What I hate is the amount of paperwork and time involved.

<snip>


>It's worse than that. If the application whitelist is using md5 (and wanna
>bet that at least 50% of the commercial whitelist software out there is?),
>then it is already broken. An attacker can easily take an arbitrary
>application, and generate a new application with the same MD5 sum and the
>same length, differing by 128 bytes.
>
>http://www.mscs.dal.ca/~selinger/md5collision/
>


Very interesting indeed! I noticed that the link to the original article was broken. This one works:
http://www.infosec.sdu.edu.cn/uploadfile/papers/How%20to%20Break%20MD5%20and%20Other%20Hash%20Functions.pdf

"In this paper we described a powerful attack against hash functions, and in
particular showed that finding a collision of MD5 is easily feasible.
Our attack is also able to break efficiently other hash functions, such as
HAVAL-128, MD4, RIPEMD, and SHA-0."

<snip>
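
An added example, not part of the original messages: a minimal hash-based allowlist check that shows why a new DLL version is blocked until its digest is re-approved, and that refuses entries recorded with MD5, as discussed in the thread. The file name, the allowlist layout and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import tempfile

# Digests with practical collision attacks; the allowlist must not rely on them.
WEAK_ALGORITHMS = {"md4", "md5", "sha1"}

def file_digest(path, algorithm="sha256", chunk_size=65536):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def check_file(path, allowlist):
    """Return (allowed, reason). allowlist maps file name -> (algorithm, hex digest)."""
    entry = allowlist.get(os.path.basename(path))
    if entry is None:
        return False, "no allowlist entry"
    algorithm, expected = entry
    if algorithm.lower() in WEAK_ALGORITHMS:
        return False, f"entry uses collision-prone {algorithm}"
    actual = file_digest(path, algorithm)
    if not hmac.compare_digest(actual, expected.lower()):
        return False, "digest mismatch (file changed or was updated)"
    return True, "ok"

def demo():
    """Constructed scenario: a DLL is allowlisted, then replaced by a new version."""
    with tempfile.TemporaryDirectory() as d:
        dll = os.path.join(d, "example.dll")          # hypothetical file name
        with open(dll, "wb") as f:
            f.write(b"constructed DLL contents, version 1")
        allowlist = {"example.dll": ("sha256", file_digest(dll))}
        before = check_file(dll, allowlist)
        with open(dll, "wb") as f:
            f.write(b"constructed DLL contents, version 2")
        after_update = check_file(dll, allowlist)      # blocked until re-approved
        allowlist["example.dll"] = ("sha256", file_digest(dll))
        reapproved = check_file(dll, allowlist)
        allowlist["example.dll"] = ("md5", file_digest(dll, "md5"))
        md5_entry = check_file(dll, allowlist)         # rejected on policy
    return before, after_update, reapproved, md5_entry

if __name__ == "__main__":
    for result in demo():
        print(result)
```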