Lucky You, Microsoft has Sent You an Email! (Think Again).

While you are working, your email program notifies you that you have a new email. Of course, as a true computer maniac you check the email you have just received. Surprised, you see that the email is from Microsoft and contains a newly released patch for Windows as an attachment. “Ah! They have great customer support,” you think. They even sent you the patch so that you don’t have to waste any time looking for it to install it. Wrong…THINK AGAIN!!

May 02, 2005

Introduction

As you might have suspected, in this article I will discuss the malicious attempts to trick people with faked emails claiming to originate from Microsoft, along with ways to identify these attempts and avoid them. I feel that in order for this article to be helpful it is best if I break the article into two parts to include all the necessary information on the subject.

The first part is mainly informational. I believe that many of us have received hundreds of these emails trying to mislead us in an attempt to cause problems for our systems. Thus, it's a good idea to keep in mind some practices for identifying malicious emails, as well as to learn Microsoft's approach to the issue. In addition, I will give a brief introduction to digital signatures that should help with verifying the legitimacy of any message.

In the second part of this article I will provide you with technical details on how to digitally sign and verify a digital signature using Outlook Express.

First I will talk about digital signatures, as it is a concept that we will need later on to cover Microsoft’s approach and to be able to identify faked emails. Then I will discuss the phenomenon of receiving bogus emails claiming to originate from Microsoft and best practices on how to recognize and avoid them. Finally, I will present three features provided by Windows in order to verify the integrity of system and driver files based on digital signatures.

Digital signatures

What is a digital signature?

A digital signature has the same purpose as a handwritten signature. When you digitally sign an electronic document (email, spreadsheet, text file, and so on), you provide a means for the recipient to authenticate you as the writer of the document. In addition, by receiving a digitally signed document, you can verify that it has not been altered in any way since the writer created it.

Using digital signatures is crucial to all B2B, B2C or C2C transactions because it provides non-repudiation; this means that the transacting parties cannot later deny that they performed a specific action, for example a customer sending an order to a company.

How does digital signature technology work?

Digital signatures are created and verified by public key cryptography. Public key cryptography uses a pair of keys, the private and the public key. The first one, as its name indicates, is kept private by its owner, whereas the second one is available to anyone who needs it and is associated with a digital certificate. When you want to send encrypted data to our well-known person Bob, you use his public key to encrypt the message. Bob will then use his private key to decrypt the message.

However, digitally signing a document does not mean that you encrypt it. In order to send a digitally signed message to Bob:

  1. First you use your signing software on the message to compute a message digest. This process is called hashing. Keep in mind that the process is irreversible, meaning that it is impossible to change the message digest back into the original data from which it was created.

  2. Then you use the signing software to encrypt the message digest with your private key. Doing so, you create your digital signature.

  3. The signing software appends the digital signature to the document. You send the message to your dear friend Bob, who can’t wait to get it.

  4. Now that Bob has received your message, he will try to verify that it is sent by you and that the message has not been altered by Trudy the intruder who pokes her nose into everything. So, Bob uses his software to decrypt the digital signature by using your public key, and gets the message digest.

    • If the decryption is successful, Bob knows that you signed the document. After all, you are the only one who has the corresponding private key to the public key he used (or not?).

  5. Then, Bob uses his software to compute the message digest (also known as hash value) of the received message.

  6. The software checks that the computed message digest is the same as the message digest created when the digital signature was decrypted.

    • If the verification is successful, Bob knows that Trudy the intruder has not altered the signed message.

Figure: Process of applying and verifying a digital signature

Fake Microsoft security notification emails

Microsoft gives its users the ability to subscribe to security email notifications regarding security software updates or security incidents. Unfortunately, many of us receive faked emails claiming to be from Microsoft. What do you do in this situation? Surely you don’t panic!

There are several indications that will help you identify a bogus email.

  1. Legitimate emails from Microsoft contain no attachments. Microsoft’s approach is to never send software updates or provide a link to the update. Instead, the email references Microsoft’s website for obtaining further information.

  2. Web site posting precedes email notification. Keep in mind that Microsoft never sends information about updates or incidents before posting it on the website. So, if you are not sure about the content of the email, you'd better check the website to find new announcements.

  3. Legitimate emails include valid URLs. If you suspect that you received a bogus email, don’t use any of the Web links included in the message, as they may be spoofed. It’s better to go directly to Microsoft’s website and navigate to the information you want.

    In addition, to be sure that the website you visit is actually Microsoft's, it's best to reference the website over https:// instead of http://. When accessing Microsoft's website over https:// you can verify that it's the legitimate website by checking its certificate. Look for the 'Issued to' field and verify that the name on the certificate is the same as the host name of the URL you visited. You can access the certificate by double-clicking the lock icon located on the status bar at the bottom right of the browser.

    Figure: Microsoft's website digital certificate

  4. Legitimate emails are digitally signed using the Microsoft Security Response Center's digital signature. The Microsoft Security Response Center uses its digital signature to sign all the email notifications sent to subscribers. You can verify the legitimacy of the signature using the key published at http://www.microsoft.com/technet/security/bulletin/pgp.mspx.

    In addition, Microsoft digitally signs software updates; so it’s wise to verify the signature of any executable before installing it on your system. Released software updates can be obtained from Microsoft Windows Update, Microsoft Office Update, or Microsoft Download Center. Bear in mind that when using, for example, Windows Update, the verification of the digital signature is made internally by Windows.

    This task will be analyzed in detail in part II of this article, as I believe that digitally signing documents, code, and so on helps to prevent security incidents only when we actually know HOW to use and verify digital signatures. Otherwise, it's a weapon we have but don't know how to use, and it will probably explode in our own hands!

  5. You are not signed up for notifications by Microsoft. You have not subscribed to any security notifications and yet you receive emails from Microsoft? Lucky you… Or not? Probably it’s a fake email and you should be extremely careful with what you do with this message. The best approach is to delete it and then consult Microsoft’s website for possible software releases or security incident notifications.          
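Indicators 1, 3 and 4 above applied to a raw message by a small triage script; this is an added example, not code from the article or from Microsoft. The sample message and the `TRUSTED_HOST` value are constructed assumptions, and finding a PGP block is only the first step: the signature itself still has to be checked against the published MSRC key.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

TRUSTED_HOST = "microsoft.com"  # assumption: links in a genuine notice stay on this domain
PGP_MARKER = "-----BEGIN PGP SIGNED MESSAGE-----"

def triage(raw: bytes) -> list:
    """Return the red flags found in a raw message (empty list = none found)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flags, body = [], []
    signed = msg.get_content_type() == "multipart/signed"  # S/MIME or PGP/MIME
    for part in msg.walk():
        # Indicator 1: Microsoft never sends updates as attachments.
        if part.get_content_disposition() == "attachment":
            flags.append("attachment: " + (part.get_filename() or "<unnamed>"))
        elif part.get_content_type() == "text/plain":
            body.append(part.get_content())
    text = "\n".join(body)
    signed = signed or PGP_MARKER in text  # inline (clear-signed) PGP
    # Indicator 3: links must point at the genuine site, ideally over https.
    for url in re.findall(r"https?://[^\s<>\"']+", text):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if host != TRUSTED_HOST and not host.endswith("." + TRUSTED_HOST):
            flags.append("link to untrusted host: " + host)
        elif parsed.scheme != "https":
            flags.append("plain-http link: " + url)
    # Indicator 4: genuine notifications are signed. A signature block present
    # here is only a hint; verification against the MSRC key is still required.
    if not signed:
        flags.append("no PGP/S-MIME signature")
    return flags

# Constructed sample: unsigned, executable attachment, look-alike domain in the link.
SAMPLE = b"""From: "Microsoft Security" <security@example.invalid>
Subject: Critical patch
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Install the attached patch now. Details: http://www.microsoft.com.example.invalid/patch
--b1
Content-Type: application/octet-stream; name="patch.exe"
Content-Disposition: attachment; filename="patch.exe"

AAAA
--b1--
"""
```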

Verifying the integrity of system and driver files

While there are a great number of security threats we should have in mind and try to avoid, it is reassuring to know that Microsoft has implemented appropriate mechanisms to ensure the integrity of system and driver files that we install on our computers.

Microsoft's approach to the subject is to digitally sign Windows device drivers and operating system files. By doing so, Microsoft assures its customers of the quality of the newly released files, meaning that the files have been tested exhaustively and have not been altered since their creation.

Windows includes the following features to ensure that the device drivers and system files you install remain in their original, digitally signed state:

  • Windows File Protection
  • System File Checker
  • File Signature Verification

Windows File Protection

There is always the danger when installing new applications that you will replace important system files, causing failure to the operating system.

The Windows File Protection feature prevents other programs from replacing protected system files. It runs in the background and protects all the files installed by the Windows Setup program.

Windows File Protection relies on the file's digital signature: it uses the signature to verify that the file is the original, correct Microsoft version. If the verification fails, Windows File Protection replaces the file either from the backup stored in the dllcache folder or from the Windows CD. If Windows File Protection cannot locate the required file, it prompts you for its location. Each file replacement attempt is written to the event log, so it is good practice to check the event log frequently.

Microsoft distributes signed files through:

  • Windows Service Packs
  • Hotfix distributions
  • Operating system upgrades
  • Windows Update
  • Windows Device Manager/Class Installer

In order to set the file signature verification options, you have to complete the following steps:

  1. Click Start -> Control Panel ->System.

  2. On the Hardware tab select Driver signing.

  3. Under File signature verification click:

    1. Ignore to allow all device drivers to be installed on the computer, regardless of whether they have a digital signature.

    2. Warn to display a warning message whenever an installation program attempts to install a device driver without a digital signature; this is the default behavior for Windows.

    3. Block to prevent an installation program from installing device drivers without a digital signature.

System File Checker

The System File Checker feature scans all protected system files and verifies their versioning; if the version is incorrect, the File Checker replaces it with a correct Microsoft version file.

Bear in mind that only a member of the Administrators group can execute the sfc (System File Checker) command.

Syntax: The syntax to call the System File Checker is the following:

sfc [/scannow] [/scanonce] [/scanboot] [/revert] [/purgecache] [/cachesize=x]

Parameters: The sfc command can be called using the following parameters:

  • /scannow: Scans all protected system files immediately.
  • /scanonce: Scans all protected system files once at the next boot.
  • /scanboot: Scans all protected system files every time the computer is restarted.
  • /revert: Returns the scan to its default operation.
  • /purgecache: Purges the Windows File Protection file cache and scans all protected system files immediately.
  • /cachesize=x: Sets the size, in MB, of the Windows File Protection file cache.
  • /?: Displays help at the command prompt.

Results: When using the System File Checker, if it finds that a protected file is incorrect, it uses the %systemroot%\system32\dllcache folder or the Windows CD to retrieve the correct version of the file and replace the incorrect one.

File signature verification tool

Another feature of Windows that can be used to verify the authenticity and integrity of system files and device driver files is the File Signature Verification tool. Using the tool, you can identify files that are not digitally signed and view the following information about them:

  • The file’s name
  • The file’s location
  • The file’s modification date
  • The file’s type
  • The file’s version number

In order to use the File Signature Verification tool you must complete the following steps:

  1. Click Start -> Run, type sigverif, and then click OK.

  2. Click Advanced.

  3. On the Search tab, click one of the following:

    1. Notify me if any system files are not signed. This option checks only the Windows system files and all device driver files to verify that they have a digital signature.

    2. Look for other files that are not digitally signed. This option checks specified file types and the location of non-system files for a digital signature.

  4. On the Logging tab, select the Save the file signature verification results to a log file check box.

  5. Click one of the following:

    1. Append to existing log file. This option adds new search results to the end of an existing log file.

    2. Overwrite existing log file. This option replaces the existing log file with a new log file.

  6. In Log file name, you can specify a name for the log file that will be used by the tool to write the search results.

  7. Click OK, and then click Start.

Conclusion

Sometimes things are not what they seem to be. We need to be cautious and investigate things beyond their obvious purpose.

In this article I talked about digital signatures, what they are and how they work. It’s important to remember that by digitally signing a document we achieve two things, authentication of the origin and integrity of the message at all times.

In the case of the bogus emails that seem to originate from Microsoft, we need to consider the practices I analyzed. It is important not to install something on our system when we are not sure of its origin or its actual function. When in doubt, it’s better to adopt a cautious approach than to act thoughtlessly.

Also, it is a good strategy to configure your system accordingly and verify that all system and driver files are properly signed by Microsoft using the System File Checker feature or File Signature Verification tool.

Securing your system requires a lot of effort; it’s neither a simple task nor something you can take lightly. Nevertheless, if something happens after all, formatting is still an option!
