How to Verify File Integrity using Checksums

Verifying file integrity is an important step when downloading and installing applications, especially when these applications are relied upon to perform a security function.  An application that is not downloaded completely or correctly may be weakened and fail to provide the necessary security.  Worse, users may be the victims of a watering hole attack where the download site is infected with malware, or some targeted individuals are redirected to look-alike sites.  In this instance the software in question would be modified to suit the attacker’s aims and its security could be bypassed entirely.  The easiest way to have some assurance that your downloaded applications are intact and legitimate is to verify their integrity using checksums and a checksum calculator.

There are also some other reasons that a checksum calculator may be handy.  For example, if you wish to transmit an attachment to another person through email, a cloud storage account, or other digital medium, a checksum could be used to verify the file had not been tampered with in transit.  Checksums can also be used to ensure that two files are identical.  For example, if you back up a large folder to a USB flash drive you can compare the checksums of the two folders to ensure they are the same.

I constantly push this technique in my live classes and never cease to be amazed at the minuscule number of participants who ever take any steps at all to verify the integrity of applications before executing them.  It appears to me that this skill is applied only by the smallest handful of users.  The other major problem I run into when teaching (and when downloading software myself) is the lack of a single, independent checksum repository from which to pull known-good checksums for comparative purposes.  This is perhaps at least part of the problem inherent in verifying file integrity.

As a result I have slowed down on the blog in the past couple of weeks to expand and update the checksums page. Though many do not, some security applications post checksums on their download pages.  Even so I still believe it is important to verify checksums from an alternate source; if you are redirected to a forged download page and download a corrupted file, it would be a simple matter for the forger to post his or her own checksum.  If you acquired both a corrupt file and its corresponding checksum from a forged site, the result would be worse than not verifying the file at all: you would receive a false positive, causing you to misplace trust in the application.

This is the primary motivating factor in my recent expansion of my checksums page.  There seems to be no comprehensive, third-party repository of checksums for security software.  The checksums posted there are SHA-256 and SHA-512. MD5 is insecure and there are credible reports of vulnerabilities in SHA-1 dating back several years.

Methodology: Before calculating checksums I download the application in question.  If a GPG signature is available I will use the signature to verify the integrity of the application, and then use a checksum utility to calculate a hash.  If a signature file is not available for a given application, I will compare it against a checksum found on a third-party site.

Windows:  The CHK Checksum Utility is the simplest and most user-friendly checksum calculator I have found for Windows operating systems.  CHK runs in portable mode so there is no need to install it.  Simply download and open the executable.  Drag the file or files to be verified into the interface.  The checksums will automatically be calculated in SHA-1; to change this, open the Options menu and select the desired algorithm.


Next, right-click on the file to be verified and select Verify…

In the pop-up that appears, paste a known-good checksum and click Verify.


A green checkmark will appear next to the application if the checksums match; if not, a red “X” will appear beside the application name.

Checksums for the CHK Checksum Utility itself are available on my checksums page.

OS X:  Mac users have checksum verifying ability built into their operating systems, though it requires a trip to the Terminal.  Open Launchpad and select Terminal.  Enter the command “shasum” into the terminal.  Next, drag the file itself into the terminal window and press Enter; by default this will calculate SHA-1 hashes.  If you wish to verify the file using a SHA-256 or SHA-512 checksum, use one of the following commands (replacing the example file path with the path to your own file):

  • SHA-1:    shasum /user/macbook/desktop/filename.dmg
  • SHA-256:  shasum -a 256 /user/macbook/desktop/filename.dmg
  • SHA-512:  shasum -a 512 /user/macbook/desktop/filename.dmg

This method merely displays the calculated hash for the selected file.  To verify its authenticity requires a visual check.  This is tedious and can be mistake-prone but is not impossible.  I recommend copying both versions of the checksum (the output of the terminal calculation and the checksum collected from the internet) and pasting them into a word processing document, one on top of the other, in the same pitch and font.  This makes differences much more easily identified visually.


There are also several GUI-driven checksum calculators available for OS X but I confess I have not yet tried one.  There are very few that have been either recommended by a reputable source or well-reviewed.

Linux:  Given Linux’s proclivity for eschewing graphical user interfaces (GUIs) in favor of the terminal, it is somewhat surprising that an excellent GUI-driven checksum calculator exists for Linux.  It is called GtkHash, and will not be covered here.

Privacy Compromising Updates in Windows 7/8.1

Since the release of Windows 10 it has been no secret that Windows is collecting a great deal of data about its adopters by default.  Though some of this tracking cannot be opted out of, most of it can, and this blog will cover these techniques for Win10 next week.  What is more alarming (at least to me) is that Windows is quietly installing some of these privacy-invading “features” on Windows 7 and 8.1 machines in the form of updates.  These updates send a great deal of information about your usage back to Microsoft.  Fortunately for users of Windows 7 and 8.1 these updates can be quickly and easily uninstalled.

The updates are (each is hyperlinked to a full description at microsoft.com):

To uninstall these updates navigate to Control Panel>>System and Security>>Windows Update.  Click “View Update History”, and then click “View Installed Updates”.  This will open a list of the updates that have been installed on your machine.  Search for each of the four updates listed above.  If you find that any of them have been installed, right-click on the update and select Uninstall.  You will be asked to confirm your decision.

I am disappointed that Microsoft has chosen to hold user privacy in such disregard, though my disappointment does not rise to the level of surprise.  This is a great example of something I talked about in Your Ultimate Security Guide: Windows 7 Edition.  Allowing updates to download and install automatically can have some serious negative consequences.  I prefer to download updates automatically but choose when to install them.  This gives you the chance to avoid updates like these that are not in your best interest.