OR
Uploaded byOleksandr Reminnyi
658 views

Windows security

The document discusses code signing and user access control (UAC) compliance. It recommends signing installers, executables, and DLLs with certificates. It also recommends prompting users for shortcuts and writing data to standardized locations rather than the installation folder. The document then discusses how certificate authorities work and the process for obtaining certificates, including providing documentation. It notes a past security incident with a certificate authority and demonstrates obtaining a certificate.

Embed presentation

Security: A Code Signing Tale Oleksandr Reminnyi SoftServe Oleksandr.Reminnyi@gmail.com
New face of paranoia: is that really so annoying?
But I am administrator! • My Oleksandr Documents User • Registry Oleksandr • … • My Oleksandr Documents Administrator • Registry • …
UAC compliant application  Code Sign the installer AND the executable programs as well as any supporting DLLs.  Manifest the program & Installer  Prompt the user for creation of shortcuts  No option to run the program at the end of the install  Never write to any file (even an INI file) in installation folder - it is "read only“  Data should go into a UAC location based on CSIDL values such as APPDATA.
How do they trust you? Certificate authorities We provide verifications! Running platform (Win, Application IE, Firefox, Code etc.) Root trust SSL certificate signing certificate s certificate
Certificate authorities – who cells the air?  Diginotar story - July 10, 2011
Paper monsters - what was needed to apply for certificate  Passport  Driver license  Copy of a recent bank statement (you may blacken out the Account Number)  Copy of a recent Land line phone bill.  Copy of a recent major utility bill(i.e. power bill, water bill, etc.).
My paper monsters – how I applied for CoMoDo  Passport/ Driver license  Recent bank statement -2 times  Life :) contract plan  Personal email, bound to concrete domain  Translations!
Generating…  Windows XP  IE  Get the file! (not the CSP!)  Pay for 3 years…  ….  Don’t click back – next in browser while applying!  Creating a ticket on CoMoDo  Verifying the documents  Collecting the certificate on the SAME WinXP OS
Demo
What was not mentioned  We should not count on other applications, that is not UAC compliant. It’s now new times!  Crash dumps – they are possible, and some people even upload reports to MS! And even sometimes they are downloadable from MS servers.
Windows security

More Related Content

PPTX
Small Tips for android Users
byEric Moon
 
PPT
Windows Mobile Presentation
byamsedky
 
PDF
Apple's Latest Toys for Developers 2016
byEvan Stone
 
ODP
Firefox Mobile Talk @ CeBIT 2011
byCarsten Book
 
DOC
Microsoft Code Signing Certificate Best Practice - CodeSignCert.com
byKayra Obrain
 
PDF
Windows Systems & Code Signing Protection by Paul Rascagneres
byShakacon
 
PDF
La signature de code - Code signing
byAlice and Bob
 
PDF
Mobile Securty - An Oxymoron?
bymorisson
 
Small Tips for android Users
byEric Moon
 
Windows Mobile Presentation
byamsedky
 
Apple's Latest Toys for Developers 2016
byEvan Stone
 
Firefox Mobile Talk @ CeBIT 2011
byCarsten Book
 
Microsoft Code Signing Certificate Best Practice - CodeSignCert.com
byKayra Obrain
 
Windows Systems & Code Signing Protection by Paul Rascagneres
byShakacon
 
La signature de code - Code signing
byAlice and Bob
 
Mobile Securty - An Oxymoron?
bymorisson
 

Similar to Windows security

KEY
What is-flame-miniflame
byVenafi
 
PDF
Avoiding the Pandora Pitfall
byTyler Shields
 
PPTX
Windows Phone 8 Security and Testing WP8 Apps
byJorge Orchilles
 
PPT
Mobile code mining for discovery and exploits nullcongoa2013
byBlueinfy Solutions
 
PDF
The Best Practices of Symantec Code Signing - RapidSSLonline
byRapidSSLOnline.com
 
PPT
network security for mobile and others types
byAbdullahOmar704132
 
PDF
Smart Bombs: Mobile Vulnerability and Exploitation
bySecureState
 
PDF
Thick Application Penetration Testing: Crash Course
byScott Sutherland
 
PDF
The Principles of Secure Development
bySecurity Ninja
 
PPTX
Dousing the Flame: How This Tom Clancy-Esque Attack Worked and What Should ...
byLumension
 
PPTX
News bytes Sept-2011
byAshwin Patil, GCIH, GCIA, GCFE
 
PDF
What Every Software Engineer Should Know About Security and Encryption
byAll Things Open
 
PDF
Social and Mobile and Cloud OH MY!
byInnoTech
 
PDF
Re-Thinking BYOD Policy.pptx
bytmbainjr131
 
PDF
php blunders
bydecatv
 
PPT
Security Testing for Mobile and Web Apps
byDrKaramHatim
 
PDF
Crash Course In Brain Surgery
bymorisson
 
PPTX
Pentesting iOS Applications
byjasonhaddix
 
PPT
Securely Deploying Android Device - ISSA (Ireland)
byAngelill0
 
PDF
Brief Tour about Android Security
byNational Cheng Kung University
 
What is-flame-miniflame
byVenafi
 
Avoiding the Pandora Pitfall
byTyler Shields
 
Windows Phone 8 Security and Testing WP8 Apps
byJorge Orchilles
 
Mobile code mining for discovery and exploits nullcongoa2013
byBlueinfy Solutions
 
The Best Practices of Symantec Code Signing - RapidSSLonline
byRapidSSLOnline.com
 
network security for mobile and others types
byAbdullahOmar704132
 
Smart Bombs: Mobile Vulnerability and Exploitation
bySecureState
 
Thick Application Penetration Testing: Crash Course
byScott Sutherland
 
The Principles of Secure Development
bySecurity Ninja
 
Dousing the Flame: How This Tom Clancy-Esque Attack Worked and What Should ...
byLumension
 
News bytes Sept-2011
byAshwin Patil, GCIH, GCIA, GCFE
 
What Every Software Engineer Should Know About Security and Encryption
byAll Things Open
 
Social and Mobile and Cloud OH MY!
byInnoTech
 
Re-Thinking BYOD Policy.pptx
bytmbainjr131
 
php blunders
bydecatv
 
Security Testing for Mobile and Web Apps
byDrKaramHatim
 
Crash Course In Brain Surgery
bymorisson
 
Pentesting iOS Applications
byjasonhaddix
 
Securely Deploying Android Device - ISSA (Ireland)
byAngelill0
 
Brief Tour about Android Security
byNational Cheng Kung University
 

Recently uploaded

PDF
Computer Science Conferences 2026 | Research by SAI Conference
byHealth Conference 2026
 
PPTX
Robot Vacuums are Cleaning Up. The global robot vacuum segment has high marke...
byRobert March
 
PDF
5G Explained! A High Level Overview [Introduction]
byLuciano Motta
 
PDF
Introduction to Linux and Basic Commands
byiDev Semarang
 
PPTX
AI in Marine Insurance Future of Smarter Risk, Faster Claims & Safer Shipping...
byAutomationEdge Technologies
 
PDF
Lightweight, Travel-Ready Freedom for Adults and Seniors
byTopmate
 
PDF
What ONIX can do: Leveraging metadata to support the discoverability of First...
byBookNet Canada
 
PDF
Azure DevOps Managed Services: Driving Speed, Security, and Business Growth
byjohncarterjn
 
PPT
connectives-linking words in English.ppt
byAmrMohammed82
 
PDF
Ethical AI applied to publishing: Presenting wâsikan kisewâtisiwin, an AI too...
byBookNet Canada
 
PDF
Transcript: What ONIX can do: Leveraging metadata to support the discoverabil...
byBookNet Canada
 
PDF
Teaching Robots how to Read 1/2: AI Center & Classic Document Understanding (...
byanabulhac
 
PPTX
Webinar: EVerest for Production: Accelerating EV Charger Development w/ Indus...
byDanBrown980551
 
PPTX
Coded Agents – with UiPath SDK + LlamaIndex.pptx
bysuhanisingh58689
 
PDF
How the EU Ecolabel's Record Growth Creates ESG Opportunities for CRE
byWastify AI
 
PDF
Talaria: A Sound-Driven Music Search Engine for Discovery Beyond Metadata
byShuen-Huei Guan
 
PDF
One String, Many Prompts: AI Code Generation
byGeoffrey Goetz
 
PDF
TopMate ES11 3-Wheel Electric Scooter: Comfortable, Stable Mobility for Every...
byTopmate
 
PPTX
Achieve enterprise automation with SAP BTP solutions and SAP Signavio
bydarrellkiwi
 
PPTX
Mastering SQL Server Replication: Types, Setup & Troubleshooting
byGeoPITS Global Pvt Ltd
 
Computer Science Conferences 2026 | Research by SAI Conference
byHealth Conference 2026
 
Robot Vacuums are Cleaning Up. The global robot vacuum segment has high marke...
byRobert March
 
5G Explained! A High Level Overview [Introduction]
byLuciano Motta
 
Introduction to Linux and Basic Commands
byiDev Semarang
 
AI in Marine Insurance Future of Smarter Risk, Faster Claims & Safer Shipping...
byAutomationEdge Technologies
 
Lightweight, Travel-Ready Freedom for Adults and Seniors
byTopmate
 
What ONIX can do: Leveraging metadata to support the discoverability of First...
byBookNet Canada
 
Azure DevOps Managed Services: Driving Speed, Security, and Business Growth
byjohncarterjn
 
connectives-linking words in English.ppt
byAmrMohammed82
 
Ethical AI applied to publishing: Presenting wâsikan kisewâtisiwin, an AI too...
byBookNet Canada
 
Transcript: What ONIX can do: Leveraging metadata to support the discoverabil...
byBookNet Canada
 
Teaching Robots how to Read 1/2: AI Center & Classic Document Understanding (...
byanabulhac
 
Webinar: EVerest for Production: Accelerating EV Charger Development w/ Indus...
byDanBrown980551
 
Coded Agents – with UiPath SDK + LlamaIndex.pptx
bysuhanisingh58689
 
How the EU Ecolabel's Record Growth Creates ESG Opportunities for CRE
byWastify AI
 
Talaria: A Sound-Driven Music Search Engine for Discovery Beyond Metadata
byShuen-Huei Guan
 
One String, Many Prompts: AI Code Generation
byGeoffrey Goetz
 
TopMate ES11 3-Wheel Electric Scooter: Comfortable, Stable Mobility for Every...
byTopmate
 
Achieve enterprise automation with SAP BTP solutions and SAP Signavio
bydarrellkiwi
 
Mastering SQL Server Replication: Types, Setup & Troubleshooting
byGeoPITS Global Pvt Ltd
 

Windows security

  • 1.
    Security: A Code SigningTale Oleksandr Reminnyi SoftServe Oleksandr.Reminnyi@gmail.com
  • 3.
    New face ofparanoia: is that really so annoying?
  • 4.
    But I amadministrator! • My Oleksandr Documents User • Registry Oleksandr • … • My Oleksandr Documents Administrator • Registry • …
  • 5.
    UAC compliant application Code Sign the installer AND the executable programs as well as any supporting DLLs.  Manifest the program & Installer  Prompt the user for creation of shortcuts  No option to run the program at the end of the install  Never write to any file (even an INI file) in installation folder - it is "read only“  Data should go into a UAC location based on CSIDL values such as APPDATA.
  • 6.
    How do theytrust you? Certificate authorities We provide verifications! Running platform (Win, Application IE, Firefox, Code etc.) Root trust SSL certificate signing certificate s certificate
  • 7.
    Certificate authorities –who cells the air?  Diginotar story - July 10, 2011
  • 8.
    Paper monsters -what was needed to apply for certificate  Passport  Driver license  Copy of a recent bank statement (you may blacken out the Account Number)  Copy of a recent Land line phone bill.  Copy of a recent major utility bill(i.e. power bill, water bill, etc.).
  • 9.
    My paper monsters– how I applied for CoMoDo  Passport/ Driver license  Recent bank statement -2 times  Life :) contract plan  Personal email, bound to concrete domain  Translations!
  • 10.
    Generating…  Windows XP IE  Get the file! (not the CSP!)  Pay for 3 years…  ….  Don’t click back – next in browser while applying!  Creating a ticket on CoMoDo  Verifying the documents  Collecting the certificate on the SAME WinXP OS
  • 11.
  • 12.
    What was notmentioned  We should not count on other applications, that is not UAC compliant. It’s now new times!  Crash dumps – they are possible, and some people even upload reports to MS! And even sometimes they are downloadable from MS servers.