Use 7-zip .7z with AES256
Programmed by Igor Pavlov. A man USA trusts.
Influential US Senator Ron Wyden (D-OR) is not happy about Uncle Sam's employees using insecure .zip files and other archive formats to electronically transfer information. The Oregon Democrat today sent a letter [PDF] to Walter Copan, director of America's National Institute of Standards and Technology (NIST), asking that the …
Obligatory xkcd https://xkcd.com/538/
WinZip has supported AES-256 encryption since around 2003. The real issue is that it continues to support PKZIP 2.0 which is probably what the average user uses if they encrypt anything at all, and WinZip defaults to no encryption. The WinZip folks simply setting the default on versions going forward to AES-256, and making it take a bunch of mouse clicks to turn it off (thus making it beyond most govt workers' abilities or work ethic), would fix most of the problem.
Maybe one of the open source projects like Veracrypt can make a free "zipper" that only supports strong encryption. Maybe give the files a new extension while they're at it.
Not sure where that would lead to. Sure though that some won't be happy with really "strong zips". Ever tried to send a password protected .zip in another .zip to a gmail address/ person? Nope, you can't. Hmmm, would that be because Google only wants stuff that it can "look into"?
And before you go out on a rant... Yes, sure, it's a safety thing. So is:
tar -czf - foo | openssl aes-256-cbc -salt -pbkdf2 -out bar.aes
Only over the phone, but I so wish public keys were more commonly in use, particularly among support teams that start a conversation with send me a feedback file--including those of vendors for whom the government is a customer--which are too often just un-encrypted zip files. However, it seems that 7-zip doesn't support public key encryption. I suppose this is among the many reasons public key cryptography was more ubiquitous.
> "I write to ask that NIST create and publish guidance describing how individuals and organizations can safely share sensitive documents with others over the internet"
Hey, don't forget the backdoor: "how individuals and organizations can safely, with a backdoor, share...".
Government only wants us citizens (Wyden doesn't but certain agencies do) to have backdoors. In this case, he's saying the government itself has the problem. Though the reason might be that government uses bad encryption because maybe an agency such as the CIA etc. wants to know what the government is doing.
Was going to joke about forcing them to use tar, but dammit the suggestion above about 7-zip made too much sense: which is exactly why the PHBs in Government IT will never do it, and Congress will let them get away with it. Best part for them is that the Media is even more clueless and inattentive to detail, so the public will never know.
This is a problem that's personally impacting me at work. I see people exchanging encrypted ZIP files around, because major banks are not interested in using PGP as we do.
And the password, you ask? Why, it's in the body of the email, of course. Or, best case, in a second email sent right after the first.
So, really looking forward to a NIST best-practice paper.
UK government departments do this all the time. We receive details of housing payments for vulnerable people from several local authorities every month. Highly sensitive data that includes a lot of PII and they send it in a password protected zip with the password either in the preceding or following email. If the recipient at our end has any problems extracting the data their first solution is to resend the password. *facepalm*
At least that's better than the council who decided to use Office 365 secure messages. Now we can't get records of their payments at all because it only works if you're an Office 365 customer (we're not) and the users at both ends don't understand why.
Old habits die hard. Windows XP had built-in functionality to add a password to a zip file; and the recipient was automatically prompted to enter the password to unzip. Teams who regularly exchange data built workflows around this functionality, so unsurprisingly it hasn't gone away.
The only workable solution is to demand that Microsoft add native AES zip encryption and decryption in Windows 10. If it's not available out-of-the-box, people simply won't use it.
First let's say nice things about Ron Wyden -- a lawmaker who actually understands a complex issue and tries to actually fix things related to it. Boy, could all nations, not just the US, use more like him.
Second, the problem addressed here is MUCH more difficult than most folks seem to think. The US government is **HUGE**. If we exclude the military and postal service, it has around 2,000,000 employees. And that doesn't count hundreds of thousands of contractors hired to do one time jobs or ten million state and municipal government employees the feds may have to interface with. Or the incredibly awful "free market" healthcare "system" that manages to consume 20% of the country's GDP. There are many millions of computers involved -- many of them second or third generation hand me downs from long defunct projects. Probably there are some AT bus 8086s running WFWG still alive here and there and doing useful work. Did I mention that budgets in that world are always tight?
And don't forget that in much of rural America, the "Information superhighway" is a rutted muddy track, barely capable of supporting a 32K modem on good days. There are government employees with computers at the ends of some of those information footpaths.
If you're going to exchange sensitive information in that world, the folks on both ends have to have compatible tools. And they have to know how to use them. BTW, the laws of mathematics pretty much guarantee that the average government computer user has an IQ around 100, and that some have lower IQs.
All Wyden is suggesting is that the National Institute of Standards and Technology try to come up with standards for government information handling that are a bit better than .ZIP. It's far from clear that can even be done. Or what the time frame for implementing such standards would be.
"...barely capable of supporting a 32K modem on good days."
Sounds like they need some good old fibre technology Huawei cabinets like we've had in the UK for the past several years.
;)
Whilst I agree it isn't easy, I think you are being a bit hard there. What the available network speed is should be irrelevant - if zip files can transfer it then some other properly encrypted archive can also be transferred (possibly with either better compression).
There are plenty of existing tools available that should solve this problem - many of them small, cross platform, low power and open source. So in theory there shouldn't be any real burden on existing even if old hardware as long as the right choices are made and take these requirements into consideration. Ok that's a big if.
I think where you do have it right is the fact you are dealing with such a large number of end users with ranging abilities, and likely refusals to put any effort into changing away from something that seems to work. The hard part is making it so the tools are so simple and easy to use that minimal training is needed, and getting it coordinated across such large estates.
So probably a multi billion government project which will end in failure then..
>"I write to ask that NIST create and publish guidance describing how individuals and organizations can safely share sensitive documents with others over the internet," Silicon Ron urged. "Government agencies routinely share and receive sensitive data through insecure methods – such as emailing .zip files – because employees are not provided the tools and training to do so safely."
...
"The government must ensure that federal workers have the tools and training they need to safely share sensitive data,"
From this I take it that the US doesn't have pre-existing guidelines for secure inter-department communications, specifically, they don't go over the public internet except via 256-bit PKI encrypted site-to-site VPNs (which in turn may be over 256-bit PKI encrypted VPN). Perhaps they need to visit the UK - with IR35 (and more debatably BREXIT) there are plenty of well-experienced experts who would be willing to advise and oversee the deployment...
The only issue I can see is where ad-hoc baseline security communications go outside of the government, to contractors/members of the public (if it were higher grade then see note about VPN). As here individual government employees would need to be aware of the need to encrypt the individual attachment, the use of suitable keys/password and then communicate the password/key to the recipient. But then this issue is largely solved by having the recipient create their own government account which they access via HTTPS etc etc.
I think we are beginning to understand why a (young) teenager in a UK bedroom can so easily gain access to US government systems; they're not secure by design.
Also why they are so scared (sh*tless) about Huawei...
They want a turnkey solution which Just Works.
And to be fair, the data will generally be flying between non-technical people on a standard (and quite possibly heavily locked down) Windows machine. So if you're asking for something which can't be handled out of the box, it ain't going to happen.
If something more secure is mandated, good luck getting it rolled out across the millions (if not hundreds of millions) of machines which are being used by Uncle Sam's civil servants, not least because I'm guessing it's not a homogenous estate, and you'll be dealing with tens of thousands of local IT support teams, many of which will struggle to do the work because they're under-resourced.
And then you'll have to train all the non-technical people to use the new process.
So while I appreciate the sentiment, I'm not convinced this is a scenario where you can just thunder "THIS IS BAD" and expect change...
The mistake this legislator is making is confusing the idea of a compressed tarball -- which is what a ZIP file is in real life -- with an encrypted channel. The built in encryption in these compression programs is OK for everyday use where it really doesn't matter that much if an adversary accesses those files but it's wholly inadequate for secure communications. Adding whatever the algorithm-du-jour to the tarball's encryption won't help that much either because people don't crack encrypted data, they go after the key generation and distribution mechanisms. (So your AES-2048 encrypted data isn't going to be very secure if the key's just a hash of "Pa$$w0rd" with it written on a PostIt stuck to your monitor!)
For now if I want to move ZIP about securely I'll just use PGP. I'm just an ordinary person, not a bank or intelligence agency, so my communications aren't very interesting and don't really need iron clad security -- in fact if anyone wants to crack them have at it.....
Passwords on zip files, winword docs, excel spreadsheets and such are all the computer equivalent of those combo locks that idiots use on their luggage. And about as easy to crack. Doesn't really matter the algorithm. Just feed it into jtr with a good wordlist like rockyou.txt and you are done.
https://github.com/magnumripper/JohnTheRipper/blob/bleeding-jumbo/src/zip2john.c
Anybody else wondering exactly what sensitive documents NIST would be handling? Knowledge of the accuracy level of a company's most accurate standards would be of limited use, and I'm not sure what else would be sent. Obviously there are other governmental bodies with very sensitive data, but NIST?
NIST stands for National Institute of Standards and Technology and they develop Federal Information Processing Standards that all federal agencies must follow. Among others, their Special Publication (SP) 800 series present information of interest to the computer security community. The series comprises guidelines, recommendations, technical specifications, and annual reports of NIST’s cybersecurity activities. SP 800 publications are developed to address and support the security and privacy needs of U.S. Federal Government information and information systems.
https://www.nist.gov/itl/nist-special-publication-800-series-general-information
My company recently installed a large amount of scanning devices for a major UK company; they would scan a document and send it as an email. Part way through the install someone decided we had to set the machines to use encrypted, secure email. This worked fine, except if they needed to send a document to an external user they had to include the password with the "encrypted" document, so making the whole process useless.
....the Government wants to ensure that Government documents are "properly secured" as these documents traverse the interweb.
....and the Government also wants to compromise "end-to-end" encryption so that the Government can read everyone else's documents as they traverse the interweb.
....and (in the past, and maybe in the future) people like Phil Zimmermann have been harassed by the Government for developing ciphers which the Government thinks are "too secure" for ordinary people to use.
.....and "ordinary people" are ending up with less privacy and less security.... and all the while they are paying for "the Government".
What am I missing here?