Information Assurance

Khaled Baqer




Bugtraq Analysis: Steganos Exploit

Security-Focus Article


Steganos Security Suite 2007

I could not believe how easy it was to use this exploit when I read it on bugtraq the first time. The exploit enables an attacker to access encrypted and hidden files created with software from Steganos, an encryption software company... using a pirated copy of that same software.

Introduction:
Steganos is big. It owns “96% of the consumer encryption software market,” and it dominates the European markets. (The company is based in Germany.) It uses one of the most secure encryption algorithms in the world, the Advanced Encryption Standard [AES] with a 256-bit key, to encrypt and decrypt data for more than two million customers.

The Software:
The file encryption software, Steganos Security Suite 2007, creates a “.SLE” file after encryption and places it in your “Documents and Settings” folder. Obviously, you are unable to view the encrypted files unless you have the user password, also known as the pass-phrase.

The Vulnerability:
The way to get around the (almost) unbreakable encryption is by:
  • Obtaining the target's ".SLE" file (This might actually be the trickiest part. Try sending emails... Mitch did it. 6 out of 10.)
  • Disconnecting your internet connection.
  • Installing the old “Steganos Safe 8” and not the new “Steganos Security 2007,” using a fake serial code you get off the net. (You must use a pirated copy; it is necessary for this exploit.)
  • Disabling the automatic update feature.
  • After installation, turn the update feature back on. Force the program to update: simply right-click the Steganos system tray icon or restart the program.
  • (Believe it or not) That is all you have to do. It is done.

The Fun Part:
The program does the job for you now; sit back and relax. After the update, the software's anti-piracy mechanism will detect that you have installed a pirated copy and it will certainly punish you... It will reset the passwords of all of your encrypted drives, all of them, to “123” until you buy a registered copy.

It stores the password, “123”, in plain text and puts that text file right next to your .SLE file, just in case you ever think of Steganos again.

Now that is the problem. There is no proper way to get around this other than making sure your .SLE file doesn’t fall into the wrong hands.

The Analysis:
The way to have prevented this exploit would have been to disable the program completely when a pirated copy was detected, instead of resetting the password and storing it in plain text. I checked Steganos' website and other exploit websites (Digg's tech); none mention anything about a new update or a patch. The exploit is still out there.
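To make the design point concrete, here is an added model (written for this page, not Steganos code) that contrasts the two anti-piracy policies: the one the article describes, which downgrades the user's pass-phrase to a known default and writes it to disk, and a fail-closed one that refuses service without touching key material. The `Safe` class, PBKDF2 verifier and the `password.txt` file name are all assumptions of the model, not details from the page.

```python
import hashlib
import secrets

# Hypothetical model (not Steganos code) of a safe unlocked by a pass-phrase.
# PBKDF2 stands in for the product's pass-phrase handling; the files dict
# stands in for the contents of the .SLE container.
class Safe:
    def __init__(self, passphrase: str, files: dict):
        self.salt = secrets.token_bytes(16)
        self.verifier = self._derive(passphrase)
        self.files = files
        self.disabled = False

    def _derive(self, passphrase: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), self.salt, 50_000)

    def open(self, passphrase: str):
        """Return the files on a correct pass-phrase, otherwise None."""
        if self.disabled:
            return None  # fail closed: no access until the license issue is fixed
        if not secrets.compare_digest(self.verifier, self._derive(passphrase)):
            return None
        return self.files

def enforce_license_vulnerable(safe: Safe, folder: dict) -> None:
    """The behaviour the article describes: the anti-piracy path replaces the
    user's pass-phrase with a known default and writes it in clear text into
    the folder holding the .SLE file. Whoever holds that folder holds the key."""
    safe.verifier = safe._derive("123")
    folder["password.txt"] = "123"  # constructed file name; the page gives none

def enforce_license_hardened(safe: Safe, folder: dict) -> None:
    """Fail closed instead: refuse service, leave key material untouched and
    write nothing to disk. A stolen .SLE file is no easier to open than before."""
    safe.disabled = True

def demo(enforce) -> dict:
    """Apply one enforcement policy to a fresh safe and report what someone
    holding only a copy of the folder can now do with it."""
    safe = Safe("correct horse battery staple", {"notes.txt": b"secret"})
    folder = {}  # models the directory next to the .SLE file
    enforce(safe, folder)
    return {
        "opens_with_123": safe.open("123") is not None,
        "plaintext_on_disk": "password.txt" in folder,
    }
```

Run `demo(enforce_license_vulnerable)` and `demo(enforce_license_hardened)` side by side: only the first policy turns a stolen container into readable data.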

Security Suite 2007 is sold at $69.95 online.
You can download a 30-day trial online. I recommend it to see how amazing the software is for yourself... well, except for the little "123" thing.

The Features:
One amazing thing the software can do is scare you to death; causing suspicion and paranoia is a great way to sell. For example, when you disable automatic time synchronization, prevent the media player from sending data, and/or stop error logs, the software notes that it is “still unknown what other information is sent along with the selected data to be disabled.”

Another feature, which I thought was actually pretty cool, was the random password generator. When you type in a password of your own, it rates it on a scale from "this does not provide any significant protection," through "this cannot be broken even by using large network computers," to "this cannot be identified by the secret services."

The best feature was the random password generator. You can select the length of the password, ranging from 0 (it's there, I swear; the program will just laugh at you though) to 100 characters. Characters are generated randomly by prompting the user to move his or her mouse cursor over a small window until the generator has enough information to generate a password / super pass-phrase.

The shredder and deep cleaning tools are pretty good too. You can choose from three methods to delete and/or deep clean your memory. The methods are:
  • Complete overwrite (fast)
  • Multiple overwriting (time consuming) -- US Department of Defense standard (DoD 5220.22-M, NISPOM 8-306)
  • Gutmann method (extremely time consuming). Gutmann is not a big fan of Vista by the way.
It takes about 3000 minutes (52 hours) to "Gutmann" 15 GB of free space. Time consuming indeed.