How secure is that .zip file? One senator is urging NIST to weigh in (2024)

Federal workers and the public in general might be mistaken about the security of .zip files, Sen. Ron Wyden says, and he’s asking the National Institute of Standards and Technology to issue guidance on the best way to send sensitive files over the internet.

“Many people incorrectly believe password-protected .zip files can protect sensitive data. Indeed, many password-protected .zip files can be easily broken with off-the-shelf hacking tools,” the Oregon Democrat writes in a letter obtained by CyberScoop. “This is because many of the software programs that create .zip files use weak encryption algorithms by default.”

Part of Wyden’s concern stems from the fact that although there are two common types of encryption options available for .zip files, people may be using the weaker option without realizing it. Those files are more vulnerable to password crackers, Wyden says, such as Advanced Archive Password Recovery.

“Given the ongoing threat of cyber attacks by foreign state actors and high-profile data breaches, this is a potentially catastrophic national security problem that needs to be fixed,” Wyden writes to NIST Director Walter G. Copan. NIST cybersecurity guidance — whether issued specifically for federal networks or the public in general — is highly influential, so any action by the agency would potentially have an effect on security practices nationwide.

“The government must ensure that federal workers have the tools and training they need to safely share sensitive data,” Wyden writes.

Of the two common forms of .zip encryption — Zip 2.0 legacy encryption and Advanced Encryption Standard — the AES is generally understood to be stronger. But there are numerous pieces of software available for creating .zip files, and users might not be aware of which encryption standard their app uses. Even if users are taking advantage of AES, there are varying levels of it, depending on the size of the keys used to encrypt data. The 256-bit AES version is generally understood to be stronger than the 128-bit AES version, for example.
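Which scheme an archive uses can be checked without the password, because each entry's central-directory record declares how it is protected. The Python sketch below is an added example, not code from the article or from any tool it names: the function names and the sample archive are constructed here, and it relies on the encryption flag (bit 0), compression method 99 and the 0x9901 extra field that WinZip-style AES archives carry.

```python
import io
import struct
import zipfile

AES_BITS = {1: 128, 2: 192, 3: 256}  # strength byte in the WinZip AE-x extra field

def aes_strength(extra):
    """Return the AES key size from extra field 0x9901, or None if absent."""
    while len(extra) >= 4:
        tag, size = struct.unpack_from("<HH", extra)
        if tag == 0x9901 and size >= 7:
            return AES_BITS.get(extra[8])  # after tag, size, version, vendor "AE"
        extra = extra[4 + size:]
    return None

def audit(data):
    """Map each entry name to the protection its central-directory record declares."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():  # names and sizes are readable without a password
            if not info.flag_bits & 0x1:
                report[info.filename] = "none"
            elif info.compress_type == 99:  # method 99 marks WinZip AES
                bits = aes_strength(info.extra)
                report[info.filename] = f"AES-{bits}" if bits else "AES (unknown)"
            elif info.flag_bits & 0x40:  # PKWARE "strong encryption" flag
                report[info.filename] = "PKWARE strong encryption"
            else:
                report[info.filename] = "ZipCrypto (legacy)"
    return report

def build_sample():
    """Constructed sample: headers are patched to declare encryption; no real ciphertext."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", b"plain")
        zf.writestr("legacy.txt", b"x")
        aes = zipfile.ZipInfo("payroll.xlsx")
        aes.extra = struct.pack("<HHH2sBH", 0x9901, 7, 2, b"AE", 3, 8)
        zf.writestr(aes, b"y")
    raw = bytearray(buf.getvalue())
    pos = struct.unpack_from("<I", raw, len(raw) - 6)[0] - 1  # central directory start
    for flag, method in [(0, 0), (1, 0), (1, 99)]:
        pos = raw.index(b"PK\x01\x02", pos + 1)
        raw[pos + 8] |= flag  # general-purpose flag, bit 0 = encrypted
        struct.pack_into("<H", raw, pos + 10, method)
    return bytes(raw)

if __name__ == "__main__":
    print(audit(build_sample()))
```

Running `audit` over outbound or received archives flags entries that still use the legacy scheme; the report reflects what the headers declare, so it is a triage aid rather than proof of how the data was actually encrypted.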

Also, in most cases, the only protection for a .zip file is the password itself, notes Dave Kennedy, founder of cybersecurity company TrustedSec. A second layer of user verification isn’t really available.

“Unlike other password technologies, zip files in general do not support two-factor authentication and are subject to the same types of attacks as other password systems,” Kennedy says.

Kennedy, a former analyst at the National Security Agency, told CyberScoop that in security tests for customers, his company has an 87 percent success rate in cracking zip files within a few hours and a 97 percent success rate within a week.

NIST has engaged in .zip file security standards before. The AES came to be as a result of a 1997 NIST competition, which was kicked off in part because the Data Encryption Standard, then two decades old, “was growing vulnerable in the face of advances in cryptanalysis and the exponential growth in computing power.” AES has since been adopted as a Federal Information Processing Standard.

A NIST spokesperson said the agency is reviewing the letter and will respond to Wyden directly.

Sean Lyngaas contributed to this story.

[documentcloud url=”http://www.documentcloud.org/documents/6161420-Wyden-Letter-to-NIST-on-Zip-Guidance.html” responsive=true]

FAQs

How secure is an encrypted Zip file?

Zip files encrypted with passwords are at high risk of compromise. Password-encrypted zip files are considered in the industry to be relatively simple to crack. Unlike website logins, encrypted zip files are easy for cybercriminals to access because unlimited password attempts are allowed.

Are zip files safe?

Zip files are not dangerous. However, it is essential to take caution when opening files you have imported from unknown sources or the files you have downloaded from the internet. Some may contain a virus, zip bombs, Trojans, or other malware.

Do hackers use zip files?

Left undetected, these unsafe archives can remain dormant in file storage for extended periods of time before trusted users unwittingly open and activate their contents. Further, even without using malicious code, threat actors can weaponize .ZIP files by filling them with immense quantities of data.

Is emailing a Zip file secure?

One thing to keep in mind though is that if you're sharing confidential information, you'll need to encrypt the zip file before sending it via email. Email on its own does not protect your information whatsoever.

What is the most secure zip encryption?

256-bit AES is stronger than 128-bit AES, but both of them can provide significantly greater security than the standard Zip 2.0 method described below. An advantage of 128-bit AES is that it is slightly faster than 256-bit AES, that is, it takes less time to encrypt or decrypt a file.

Can malware be hidden in zip files?

That's because scanning a zip file might not show that infected or suspicious files exist within it because of the threats hidden within layers of the archive. Detecting viruses and other malware hidden in a zip file requires first unpacking the archived file.

What is the disadvantage of Zip file?

One of many disadvantages associated with ZIP archive files is compression limits. Some files cannot be compressed much more than they already are. This is especially true for MP3 files and JPG files. So, if you frequently work with video and image files, the ZIP format won't help you save very much storage space.

Can a virus escape a Zip file?

As zip file viruses are popular vectors for malware authors, zip files can indeed potentially contain a virus or other malware. Cyber criminals can use zip files to distribute their malicious software because they can pack multiple files together into a single file and make it easier to distribute.

What files do hackers want?

Hackers love data. They want to get their hands on the email addresses, phone numbers, financial details, Social Security Numbers (SSNs), and other sensitive information stored in your system. This information may belong to your employees, customers, or business associates. Whatever you've got, hackers want it.

Does anyone still use zip files?

The most popular method is called ZIP, which was first introduced back in 1989 and is still being used (although there are others just as, or more, efficient, such as RAR and TAR). Once upon a time, you would have had to use a third-party app in order to zip or unzip files.

What is a zip file bomb?

In computing, a zip bomb, also known as a decompression bomb or zip of death (ZOD), is a malicious archive file designed to crash or render useless the program or system reading it. It is often employed to disable antivirus software, in order to create an opening for more traditional malware.

Is a zip file encrypted?

Although the file is password protected, it's the compressed file content that is encrypted, but the file name, the file size, the file date, ..., all that metadata is not encrypted. That can be read without knowing the password.

Why block zip files in email?

To protect your account from potential viruses and harmful software, Gmail doesn't allow you to attach: Certain types of files, including their compressed form (like .

Is it safe to send a zip file?

The simple answer is that zip files are very safe and can be used to protect your private information. In fact, many businesses use zip files to send invoices and employee's confidential personal information. There are a few ways to make your zip file even more secure.

How safe are encrypted files?

Can hackers see encrypted data? No, hackers cannot see encrypted data, as it is scrambled and unreadable until the encryption key (or passphrase) is used to decrypt it. However, if a hacker manages to obtain the encryption key or crack the encryption algorithm, then they can gain access to the data.

Can password-protected zip files be scanned?

It can depend on how the file has been protected. If the zip was also encrypted, then the virus scan isn't able to read the files until they are unzipped.

Is 7-Zip good encryption?

7-Zip is good for encrypting containers, so if you have more than one file to encrypt it's particularly useful. From any Windows Explorer window (e.g. My Documents), right-click on the file or folder you want to encrypt. Select 7-Zip and then Add to archive.

How secure is a password-protected 7-Zip file?

7-Zip is secure since it uses AES-256 in CBC mode, which can provide CPA security, and there is no problem there. Keep in mind that CBC provides no integrity or authentication.

Article information

Author: Edmund Hettinger DC
