In security, when you have to restrict access to “resources” (websites, files, IP addresses, ports, etc), you can deploy while or black lists. The term “white list” refers to a list of resources which are allowed or granted. At the opposite, a black list refers to resources which are denied or unrecognized.
Both methods have pro and cons. While implementing a white list, the default action will be to deny access to all unknown resources. This imposes a strong management of your white list(s). Otherwise, your users could have their access to required or valid information denied or applications prohibited to access some valid resources.
In case of a black list, everything is allowed by default and access is restricted on a case by case. Your users or applications will always have access to their resources but also to potential dangerous ones. Management of a black list will be easier but you will always be “behind the times” to block malicious resources. Which one if the best between the two access methods? A best practice is use the “least privilege” principle to restrict access to resources. Quoted from Wikipedia, least privilege is defined as:
“In information security, computer science, and other fields, the principle of least privilege, also known as the principle of minimal privilege or just least privilege, requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user or a program on the basis of the layer we are considering) must be able to access only such information and resources that are necessary to its legitimate purpose.“.
That’s why maintaining white lists is a pain and a recurrent process. To not reinvent the wheel, why not use online white lists? If you plan to restrict access to files and applications using a while list, consider the following new tool.
The ISC (“Internet Storm Center“) provides a direct access to the NIST National Software Reference Library database. This database is a collection of digital signatures of well-known software applications (The current database contains nerlay 40 millions of records). Provide a MD5, SHA1 or a file name and you will receive useful information. Check out the search interface here.
Note that the database is also available via DNS request! Very convenient to check your files directly from a script. Perform DNS queries on md5.dshield.org. Here is an example:
$ dig +short 84C0C5914FF0B825141BA2C6A9E3D6F4.md5.dshield.org TXT "cmd.exe | NIST"
Note: If you need to test a complete system, NIST has a very convenient bootable CD ISO for collecting metadata, hashing and storing in NIST NSRL format. There are also images of CD with the hashes databases available.
How to use this database? Via the following script, you can search for files created on a file system and query the online database:
$ find /data -type f -ctime 1 -exec dig -short /bin/md5sum {} \; | while read L
do
set $L
dig +short $L.md5.dshield.org TXT
done
The database must be considered as a while list. It contains only signatures of “good” applications and no malwares or other suspicious tools. But some tools can be detected as dangerous in some environments (Nmap is a good example). This could be interesting to implement this security check in parallel to a host based IDS like OSSEC.
I remember old times when there was TBAV/DOS antivirus which has functionality to calculate/keep whole system’s checksums and then one could compare it later and find out any modifications. I think similar sulution exist in today’s AV products… F.e. Avast ? The problem is how effective/friendly is this solution…
Hi Xavier,
Thanks for your answer.
I will try to use it. Really good idea.
Regards
Hello Renaud,
It seems that the DNS gateway is very unstable! 🙁 After the article being posted, I had the same problem. Now it’s ok (tested a few seconds ago):
$ cd /mnt/My\ Documents/Temp
$ md5sum cmd.exe
6d778e0f95447e6546553eeea709d03c cmd.exe
$ dig +short 6d778e0f95447e6546553eeea709d03c.md5.dshield.org TXT
“cmd.exe | ISC”
Note that no valid DNS answer will be returned if the lookup failed (unknown file as example)
Regards,
Xavier
Hi,
Really interesting concept, i plan to automatize this on machines, for a first test.
Really good thing for the dns requests.. (udp, rapidity..Etc)
Anyway my first test aren’t really OK, let explain:
On a Debian OS, with a mounted windows partition (XP):
1)
$ find /mnt/win/Program\ Files/Nmap/nmap.exe -type f -exec /usr/bin/md5sum {} \;
ae4323c5dd77b1df988a34cbb124d32c /mnt/win/Program Files/Nmap/nmap.exe
2) $ dig +short ae4323c5dd77b1df988a34cbb124d32c.md5.dshield.org
==> nothing.
In capture i see a servfail..
I tried with other binaries, same results.. except for your example :
$ dig +short 84C0C5914FF0B825141BA2C6A9E3D6F4.md5.dshield.org TXT
“cmd.exe | NIST”
Any clue ?
Thanks!