
Analysis of the critical error in the operation of the CIB SEARCHINFORM encryption algorithm

Control of all information circulating within an organization is one of the main tasks in the practical implementation of its organizational and administrative documents (the information security policy and the lower-level internal documents beneath it).
Data Leak Prevention (DLP) systems, which prevent the leakage of confidential information from an information system, are designed to solve this task.

There are plenty of such systems on today's market, for example SearchInform DLP, Infowatch Traffic Monitor DLP, Zecurion DLP, Symantec DLP and others. This article, however, is about the product of SearchInform LLC.

The SearchInform Information Security Circuit (CIB SearchInform) is a serious, flexibly configurable software package whose functionality and extensive analytical tools make it a strong competitor to other companies in this field. But like every product, CIB SearchInform has its drawbacks, one of which is discussed here.

Figure 1 - CIB SearchInform logo

In CIB SearchInform, one of the sources of information collection is the agent (Windows / Linux). The agent for Windows, like the one for Linux, has a modular system for collecting information; the modules are enabled or disabled as needed. We will consider the Device module (control of external devices, network devices, processes, etc.). A demo version of this product with full functionality can be obtained officially through the developer's website. The following actions are carried out with the obtained license key: EndPointController version 5.51.0.9 (agent version 5.51.0.9).

The main problem in the operation of this module is the algorithm for encrypting information on external removable devices. Let us consider how the encryption algorithm in CIB SearchInform works.

We install the agent on the workstation and enable control of external devices (the Device module) in the “Network environment” section of EndPointController 5.51.0.9.

Figure 2 - Installation and activation of the module

We configure encryption in the “Encryption” tab of the Device module settings: we generate the key and enable encryption for all media (encryption can also be enabled only for specific media).

Figure 3 - Setting up the white list

Figure 4 - Encryption configuration

Now we proceed to analyse the file encryption algorithm of this product. We copy the files “Install.exe” and “The Basics of Rights.rtf” from the controlled workstation WINOC to the external removable media “Removable Disk ( :)”. As seen in Figure 5, objects named “Install.exe” and “The Basics of Rights.rtf” were created in the hidden folder “System Volume Information”. Thus we can conclude that the “System Volume Information” folder holds the list of encrypted objects on the removable media.

Figure 5 - The “System Volume Information” folder

Figure 6 - Root folder of the removable media

As is well known, information security rests on three properties: integrity, availability and confidentiality. This encryption approach violates them, since the service information about whether an object is encrypted should be stored in the object's own header.

With the algorithm built this way, the objects in the “System Volume Information” folder on the removable media can be accidentally modified or deleted, with the resulting loss of the original encrypted objects. The objects themselves can also be modified on uncontrolled stations. For example, renaming the object “Install.exe” at the path “E:\Install.exe” on a computer without an agent leaves the CIB SearchInform information file “E:\System Volume Information\Install.exe” unchanged, since no agent is present to update the service information, and the file can no longer be opened.
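To illustrate the point above, here is an added example that is not code from the article or from SearchInform. It simulates the two layouts with a toy keystream and an HMAC record standing in for whatever the product actually uses: a per-file record kept in a separate folder keyed by file name, versus a record carried in the object's own header. The key, the MAGIC marker and the sample file contents are constructed.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"   # constructed stand-in for the product's encryption key
MAGIC = b"ENC1"                 # constructed marker for the self-describing header layout

def keystream_xor(data: bytes) -> bytes:
    # Toy reversible transform, not a real cipher: the point is where the metadata lives.
    ks = hashlib.sha256(KEY).digest()
    return bytes(b ^ ks[i % len(ks)] for i, b in enumerate(data))

def tag(name: str, body: bytes) -> bytes:
    # "This object is encrypted" record; binding it to `name` models a per-file sidecar entry.
    return hmac.new(KEY, name.encode() + body, "sha256").digest()

# Layout 1: record in a separate "System Volume Information" folder, keyed by file name.
def sidecar_write(root: dict, svi: dict, name: str, data: bytes) -> None:
    root[name] = keystream_xor(data)
    svi[name] = tag(name, root[name])

def sidecar_read(root: dict, svi: dict, name: str):
    body = root[name]
    if name not in svi or not hmac.compare_digest(svi[name], tag(name, body)):
        return None            # record missing or stale: the object cannot be opened
    return keystream_xor(body)

# Layout 2: record embedded in the object's own header, so it travels with the object.
def header_write(root: dict, name: str, data: bytes) -> None:
    body = keystream_xor(data)
    root[name] = MAGIC + tag("", body) + body

def header_read(root: dict, name: str):
    obj = root[name]
    if not obj.startswith(MAGIC):
        return obj             # plain, unencrypted object
    rec, body = obj[4:36], obj[36:]
    if not hmac.compare_digest(rec, tag("", body)):
        return None            # header damaged
    return keystream_xor(body)

def rename_without_agent():
    """Rename on a station without the agent: sidecar layout breaks, header layout survives."""
    root, svi = {}, {}
    sidecar_write(root, svi, "Install.exe", b"MZ sample")
    root["Setup.exe"] = root.pop("Install.exe")   # only the object is renamed; svi untouched
    root2 = {}
    header_write(root2, "Install.exe", b"MZ sample")
    root2["Setup.exe"] = root2.pop("Install.exe")
    return sidecar_read(root, svi, "Setup.exe"), header_read(root2, "Setup.exe")
```

Deleting the sidecar folder has the same effect as the rename: `sidecar_read` returns `None` for every object, while the header layout is unaffected.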

Hopefully the developer will take note of this shortcoming in the removable-media encryption function of the CIB SearchInform product and change its algorithm.

Source: https://habr.com/ru/post/444980/
