Suggestion: CryptoSuite Rootkit Edition

Discussion in 'Other Ghost Security Software' started by ano6, Jan 2, 2004.

Thread Status:
Not open for further replies.
  1. ano6

    ano6 Guest

    1.
    "Some people for instance don't want to let others who use the computer like wives, siblings, daughters, sons, etc that they are encrypting documents. Hiding the fact you encrypt things is a common requirement for a lot of people." -- by Jason

    I fully agree with Jason that it is an advantage of container solutions that encryption can be hidden.

    In the meantime, I have tried CS. I have not noticed a steganographic encryption feature. It seems to me that the trial version can only produce .cse files (i.e., the fact that data is encrypted will not be hidden). Please correct me if I'm wrong. In any case, steganographic encryption will not really help if you want to hide a lot of files or even entire directories.

    2.
    Sample scenario: Husband has installed a separate, stand-alone email client (like The Bat!) which is used for private e-mail correspondence. Moreover, husband uses mIRC for delicate IRC chat sessions. He also enjoys downloading pics and vids. His wife does exactly the same. Neither spouse is expected to know about the other's activities.

    3.
    Goal: The directories where The Bat!, the email database, mIRC and the IRC log files are located must be encrypted and hidden. The same applies to the pics and the vids.

    4.
    Solution: CryptoSuite Rootkit Edition

    a)
    Pre-condition is that CS will support "on-the-fly" en-/decryption. I know that this feature is difficult to implement. On the other hand, I understand that CS is an ambitious project.

    b)
    CS can be optionally installed in "stealth mode". This includes file & process cloaking plus registry key cloaking. In other words, there will be no visible CS process in the Windows Task Manager, no CS installation directory, no visible CS registry entries, no CS shell integration and no CS entries in the startmenu. The cloaking functions can be realized using rootkit technology (like Hacker Defender does). See also "Folder Guard Pro" for a less sophisticated approach.

    c)
    If CS is installed in "stealth mode" it can be activated via a hotkey combination. If the hotkey combination is pressed an inexpressive window will pop up. If you enter the right password, CS will be activated and shell integration will become visible. While CS is activated you can minimize it to the system tray.

    d)
    CS has an additional feature called "Cloak List". You can drag & drop (almost) any files or folders into the Cloak List. Alternatively, you can use the CS shell extension to add files or folders to the list. You will not be allowed to add files from the Windows directory and certain other important directories (including those directories which are referred to by autostart entries) to the Cloak List.

    e)
    Any files contained in the Cloak List will be automatically encrypted/decrypted "on-the-fly" (i.e., they will remain encrypted unless they are in use). The files will not be decrypted while CS is in stealth mode, which is important if file cloaking (see below) ever fails. In such a case the files will become visible but cannot be read due to encryption.

    f)
    If CS is activated there will be a big red button called "Cloaking Disabled". If you press the button it will turn into a green "Cloaking Enabled". If cloaking is enabled, CS's rootkit functionality will be extended to any files and folders contained in the Cloak List (i.e., these files will instantly become invisible and cannot be used anymore).

    5.
    Summary: The above feature would allow a person, who needs to share a computer with other people, to set up a "private area" in a convenient manner.

    There are already applications with similar features like Folder Guard Pro (which is relatively comfortable but which neither supports encryption nor has the comfy Cloak List described above), Encrypted Magic Folders (which is not convenient at all), Hide Folders XP (not comfy, no encryption) and formerly (?) StealthDisk Pro (I don't know what happened to Invisicom's website). However, I believe that none of the above applications is a perfect solution for the above scenario. In addition, they do not support full rootkit functionality.

    6.
    Finally, it would be most interesting to see the DCS guys coding something like a stable rootkit :cool:
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    Geesh. If these two talk in their sleep, they might need to encrypt that. Cryptosuite isn't the solution here, sounds more like divorce material. :D
     
  3. ano6

    ano6 Guest

    Hi Peter,

    There are also more legit (but less funny) scenarios:

    For example, let's imagine you want to run a Dungeon Siege game server on your machine for an extended time. Or you want to use Earthstation 5 ...

    In such cases you may be afraid that your computer gets haxx0red for some unexpected reasons and confidential data gets stolen.

    CS Rootkit Edition would generally prevent such data theft if you add any confidential data to the Cloak List and enable file cloaking when you are online.
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    CS as it stands does just fine for that. I do have some sensitive data, and I've encrypted it in a file with a 40 random character password. Let them steal it. Good luck trying to use it. Also I must confess I wouldn't have much sympathy for anyone who would leave a machine on line acting as a server for purposes of playing a game, and who also left sensitive information on that machine. That strikes me as a failure of the main security device between the ears.
     
  5. ano6

    ano6 Guest

    "CS as it stands does just fine for that. I do have some sensitive data, and I've encrypted it in a file with a 40 random character password. Let them steal it. Good luck trying to use it. "

    Correct. This will work if you have to protect some sensitive data. And it will work even better after keylogger protection has been added to CS.

    By contrast, if you want to protect many files (e.g., all your Word documents, various databases etc.) and you cannot put such files in a permanent archive (since you still need to use them frequently), a more comfortable solution may be the preferred one. This requires on-the-fly de-/encryption, which will be implemented anyway if I have correctly understood Jason ("I do have a certain liking for containers where you can mount them as a partition, usually because these are used to store only documents which need to be protected. CryptoSuite will expand in the future to add support for this, and will probably support existing archives.").

    "Also I must confess I wouldn't have much sympathy for anyone who would leave a machine on line acting as a server for purposes of playing a game, and who also left sensitive information on that machine. That strikes me as a failure of the main security device between the ears."

    Once again, you are not wrong. In a perfect world you would not share your computer with anybody and you would use a separate computer for internet gaming etc. However, some people may be unable to afford several computers. Moreover, it depends on how you define the term "sensitive information". I completely agree that, for instance, you should not store important business secrets on a game server.

    In summary, there are already many encryption and protection utils on the market. Consequently, you can choose a util which exactly meets your needs. I could imagine that there is also some need for a CS Rootkit Edition.
     
  6. ano6

    ano6 Guest

    Btw.: Hacker Defender 1.00 Source Code has been released ...
     
  7. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    Well, depending on which route I take to implement containers I could add some operating system hiding functions. I already know how to do this since Process Guard contains some functionality like this, so it is quite a good possibility.

    Your post did make for a laugh though Ano6. :)

    -Jason-
     