Poken Peek
OK, after getting side-tracked by /JBIG2Decode PDFs, let’s get back on the smartcard and RFID track. The Poken is a little USB stick you keep on your keychain. You link it to your online identities. To...
Quickpost: TrueCrypt’s Boot Loader Screen Options
Ready for some Security Through Obscurity fun? I’ve been playing with TrueCrypt’s Boot Loader Screen Options to display a custom message when I boot my laptop with full disk encryption. It’s probably...
The Ultimate Disaster Recovery Plan
The ultimate disaster recovery plan is not a corporate plan. This plan is for your family, to help them take over from you, when you’re not able to take up your role in the family. Hopefully, this will...
Yubikey, Trojans and Twitter
Stina, Yubico’s CEO, gave me a Yubikey at RSA London last year. It’s a small keyfob simulating a USB keyboard. Each time you press the button while it’s inserted in a USB port, it generates a...
Quickpost: Adding Certificates to the Certificate Store
A couple of people asked me how to get self-signed certificates recognized by Windows. For example, when you check the digital signature of one of my programs (like ariad.exe), you’ll see this: The...
Quickpost: Disassociating the Key From a TrueCrypt System Disk
TrueCrypt allows for full disk encryption of a system disk. I use it on my Windows machines. You probably know that the TrueCrypt password you type is not the key. But it is, simply put, used to...
Flame Authenticode Dumps (KB2718704)
There seems to be some interest in the Authenticode signature used in some components of Flame that chain up to Microsoft’s root CA. So I decided to post the full dump of this signature. I extracted...
New Authenticode Tools
I’ve worked on a couple of new tools to analyze the digital signature found in PE files. In this post, I’m sharing some invalid signatures I found on my machines. This signature is invalid because the...
Searching For That Adobe Cert
You probably know by now that Adobe will revoke a compromised code signing certificate in a couple of days. As we seem to have more code signing related security incidents recently, I started to...
Update: AnalyzePESig Version 0.0.0.2
I added several new fields to the output produced by my new tool AnalyzePESig: countCatalogs catalogFilename signatureTimestamp creationtime lastwritetime lastaccesstime dwFileAttributes...
Howto: Add a Digital Signature to a PDF File – Free Software
This is an update to my post Howto: Add a Digital Signature to a PDF File, but this time I found free software. Again we use our certificate which we install (open the .p12 file). Install the free...
Howto: Make Your Own Cert And Revocation List With OpenSSL
Here is a variant to my “Howto: Make Your Own Cert With OpenSSL” method. This time, I needed a signing cert with a Certificate Revocation List (CRL) extension and an (empty) CRL. I used instructions...
Adobe Reader and CRLs
There’s something that I wanted to test out for quite some time, but kept postponing until recently. Adobe Reader will ask confirmation before it retrieves a URL when a PDF document contains an action...
Quickpost: Signed PDF Stego
A signed PDF file is just like all signed files with embedded signatures: the signature itself is excluded from the hash calculation. Open a signed PDF document in a hex editor and search for string...
A Bit More Than A Signature
Soon I’ll release new versions of my Authenticode Tools. Detecting extra data in the signature field is one of the new features. For example, it will analyze the size specified in the optional header...
MS13-098: Fixing Authenticode
In 2009 I added a command to my Disitool to inject data “into” an Authenticode signature without invalidating it. This year I reported on some installer programs using this padding trick. With...
Video: Checking the Digital Signature of Windows Executables
I produced a new video: a simple howto for users who don’t know how to use Windows explorer’s properties dialog to check a digital signature. Later in the video, it gets a bit more technical by using...
Forensic Use of CAT Files
I found this executable A0000623.sys with 6 detections on VirusTotal. Are these false positives or true positives? The file was found in the _restore system folder. It looks like it is a Windows system...
Stoned Bitcoin
There are reports of anti-virus false positive detections of Bitcoin files. More precisely for the old Stoned computer virus. I found the smoking gun! These reports should not be dismissed as hoaxes....