Saturday, 24 June 2017

Facebook Live Oyster Pearl Party Scams

A little off-topic, but recently I've been asked so many times about the Pearl Party live broadcasts appearing all over Facebook status walls. If you haven't heard of Pearl Parties, they are sales broadcasts where the hosts entice viewers to buy sealed oysters which are opened live on the broadcast; any pearls found inside are sent to the buyer, and there always seem to be plenty of pearls found.

So after watching a few of these broadcasts, it becomes clear why they are appearing all over Facebook: the party hosts constantly offer the chance to win a free oyster opening to all viewers who share the broadcast. After further investigation, it becomes even clearer that these Pearl Party broadcasts aren't the harmless fun the presenters insinuate, but are scams.
Oysters Originate from the Far East & Individually Vacuum Packed

The oysters you see opened on the Facebook Live broadcast are real enough, they are bought in wholesale by the pearl party, but the copious pearls discovered inside them aren't quite as legit, rare and valuable as you might think. I have discovered two methods behind the high number of pearls found inside them. Either the freshwater oysters have been cultured, basically hacked and farmed into growing the pearls, or the oysters had the pearls inserted within them, after which they are dropped into a chemical bath to make them snap closed, killing and preserving the oyster. With either method, the oysters are individually vacuum packed before being shipped off from the Far East to the party hosts in bulk.
Cheap as Chips Oysters are bought in Bulk

On the Pearl Party broadcasts I observed, it cost £30 to £50 to open a batch of 5 oysters, which is a considerable markup on the direct online price of around £1 to £2 per oyster. Often the punters don't get the chance to buy a set number of oysters to be opened in the hope of receiving any pearls found inside, as there is a random-based game to be played to determine how many oysters are opened for their set payment. These games involve rolling a dice or spinning a wheel to decide the number of oysters opened, which in itself probably breaks gaming licensing laws in many countries. This game is part of the scam; it is used to make buyers think they have won something and to disguise the fact they are paying well over the odds for the low-grade, nearly worthless pearls they end up receiving.

Pearl Party Sales are similar to the Shopping Channels

As the party host opens each oyster on the broadcast, they blag about how wonderful the pearls look, using lighting and display techniques to make each pearl look as glamorous as possible, the same techniques employed by the professionals on jewellery shopping channels, but with fibs. The reality is these pearls are nothing like the quality of actual rare, high-value natural pearls. Some hosts will even measure, rate the colour and shape, and conclude a value for each pearl, which is always way more than the buyer has actually paid, again all part of the con. If the host really thought the pearls were worth as much as they are saying, why on earth would they bother with the broadcast rather than just sell them directly themselves!

The host will also offer to set your pearls in jewellery, like earrings and necklaces, all for an extra cost of course.

I also found some hosts operate on behalf of companies in a pyramid-like scheme, where they pay a set amount in, oysters are supplied to them, the more they sell the more they rise up the pyramid ranks and the more money they make.

So be warned, don't participate in promoting these scams to your friends by sharing Pearl Party Facebook Live broadcasts. You'd think Facebook would do something about these types of illicit practices on their Facebook Live service, but apparently not. Given the lawlessness of Facebook Live, I think we can expect further scams of this nature in the near future.

Thursday, 1 June 2017

Cyber Security Roundup for May 2017

The WannaCry ransomware outbreak within the NHS dominated the national media headlines earlier this month. Impacting 45 NHS sites in England and Scotland, the massive cyber attack led to cancelled operations and diversions of emergency medical services. The WannaCry outbreak was not just limited to the NHS, as thousands of computers were shut down at companies in almost 100 countries. After an initial infection via a phishing email and file encryption, the ransomware has the added ability to rapidly self-replicate, infecting other networked Windows computers without Microsoft's March 2017 critical update (MS17-010) installed; this drove the swift spread of the malware within large organisations and across the world.

Debenhams had 26,000 customer personal details stolen through its flowers service website, which was operated on Debenhams behalf by a third party company. The data breach has been reported to the ICO.

With a year to go until the General Data Protection Regulation (GDPR) becomes law, there were several news reports stating UK businesses need to do more to prepare, and highlighting the new data breach fines which could run into billions for FTSE 100 companies.

If you live in Manchester, your computer is 4 times more likely to be infected with malware than elsewhere in the world, according to statistics by Enigma Software Group.

Over in the United States, Brooks Brothers disclosed a major payment card breach, after an individual installed malicious software which captured credit card information within payment systems at locations across the USA and Puerto Rico for 11 months, a reminder of the importance of PCI DSS compliance where a business stores, processes and/or transmits credit/debit card data (cardholder data).

Hackers stole a copy of Disney's forthcoming Pirates of the Caribbean film, and tried to hold Disney ransom, Disney didn't pay.

Interesting blog post by MacKeeper Security, on how cyber criminals are linking various stolen credential datasets to leverage access to systems.

And finally, it was another busy month of security update releases by Microsoft and Adobe; the WannaCry impact on the NHS is a stark warning to ensure all newly issued critical security updates are quickly applied.




Friday, 19 May 2017

How to Stay Safe in the Cloud

No business or individual should ever assume 'Cloud Services' are sufficiently secure to protect their data and their cloud service provision. There are always elements of cloud service security responsibility which sit squarely with the service buyer (business) and users. Sage have put together a simple to understand InfoGraphic on Staying Safe in the Cloud, which neatly highlights the threats and the security pitfalls to be aware of when adopting cloud services.

Tuesday, 16 May 2017

WannaCry Ransomware Bite Sized Business Prevention Advice

The top three actions to reduce the risk and impact of a WannaCry type Cyber Attack at a business
  1. Perform regular Staff Awareness specifically on spotting Phishing Emails
  2. Have a robust Patch Management Process. Ensure all Microsoft Windows systems have Microsoft Critical Updates applied quickly - they are marked as critical for a reason!
  3. Have Anti-Virus running on all Microsoft Windows systems, with AV definitions kept up-to-date
Security in Depth
There are further security risk-reducing steps like filtering web traffic, ensuring data is regularly backed up, security monitoring, and network segmentation, but the above three are the most simple and most effective in terms of prevention against this type of attack, especially within the SMB space where security budgets are limited. Expect further versions of the WannaCry ransomware.

The Reasons Behind this Advice
(1) The WannaCry ransomware infects an initial system via a phishing email, where the user executes the malware within an attachment or through a weblink. The Microsoft security update will not stop that initial ransomware execution, (3) but an updated Anti-Virus system now blocks the current strain of the malware from executing. (2) The Microsoft MS17-010 security update stops WannaCry from rapidly propagating (i.e. worm malware) from the initially infected system to other vulnerable Windows systems (without the MS17-010 update) attached to the local network.

For full details about WannaCry see my other blog posting - 

Monday, 15 May 2017

The IT Security Expert Blog is 10 Years Old

Ten years ago today I published my first ever blog post about a BBC news story titled "Home Network Security Scrutinised". A decade ago it was rare to see an IT security or hacking story make the news media, and back then the term 'Cyber Security' would conjure images of Dr Who's metallically clad arch-villains in most people's minds in the UK.
The Face of Cyber Security in 2007

Fast forward ten years, IT security has long been rebadged as 'Cyber Security' and on Friday the top ten news stories on Sky News were all Cyber Security related, albeit about the same global attack, but how times have changed.

'I found the following article on the BBC news website, which happens to be exactly what I had been talking about in my presentations this week. None of the findings is surprising to me, but I find many people I talk with are in the dark about digital security. Anyway, I thought I'd write this post about it and start my own blog' - 15th May 2007
How times have changed since I started writing this blog: the use of computing devices has vastly increased, with IT systems and devices becoming ever more sophisticated, most of us possess powerful 'smartphone' computers in our hands and we have countless connected devices within our homes. It is clear our society has grown ever more dependent on information technology, as evidenced by the NHS cyber attack on Friday, where the loss of NHS workstations due to a fairly simple ransomware attack led to cancelled operations and A&E closures.

Some of the highlights from the last Ten Years
  • 2007 Web 2.0
  • 2007 The iPhone is launched
  • 2007 HMRC loses unencrypted CD holding millions of UK citizen's personal details
  • 2007 WikiLeaks is founded (later to be used by Snowden and Manning)
  • 2007 ISPs using WEP (broken) Wifi encryption
  • 2007 Estonia DDoS of government websites and businesses
  • 2007 PCI DSS compliance is pushed
  • 2007 TJX Max 45 million credit card breach is disclosed
  • 2007 Nationwide fined £1m by FSA due to data breach
  • 2008 The Rise of Hacktivism: Scientology attacked by Anonymous
  • 2009 Heartland 130 million credit card data breach
  • 2009 The Gary McKinnon Extradition
  • 2009 The Conficker Worm infiltrates millions of PCs worldwide
  • 2009 Zeus trojan/bot becomes more widespread
  • 2011 EU Cookie Law
  • 2011 PlayStation Network Hack and 102 million Record Data Breach 
  • 2011 Duqu industrial controls virus
  • 2011 Third Party Breach
  • 2011 Lush credit card data breach
  • 2011 Bank of America had 85 million credit cards taken by a Turkish hacker
  • 2012 Flame cyber espionage malware
  • 2012 LinkedIn data breach, 165 million accounts compromised
  • 2013 65.5 Million emails and password leaked from Tumblr
  • 2013 Evernote had 50 million records compromised
  • 2013 Target breached by HVAC third party, 40 million credit cards stolen
  • 2014 Sony Pictures DDoS over "The Interview" North Korea satire movie
  • 2014 General Data Protection Regulation (GDPR) agreed by the EU
  • 2014 The Heartbleed bug
  • 2014 Rambler 98 million accounts compromised
  • 2014 Yahoo 500 million accounts compromised
  • 2014 Home Depot 56 million credit cards stolen
  • 2015 TalkTalk Hacked
  • 2015 Rise of IoT insecurity
  • 2015 Jeep car hack
  • 2015 21.5 million personal records stolen from US Government
  • 2015 Superfish privacy invasion by Lenovo
  • 2016 Yahoo 1 Billion Personal Record Data Breach
  • 2016 $101m hack of the Bangladesh Bank
  • 2016 US election hacking
  • 2016 Friendfinder 412 million accounts compromised
  • 2016 360 Million Stolen MySpace accounts posted online
  • 2016 67 million Dropbox accounts compromised
  • 2016 Massive DDoS attack against DNS provider reg-123
  • 2017 APT10 Cloud Hopper Campaign Threatens
  • 2017 Global Ransomware outbreak which severely impacted the NHS
Of course, cyber security is not ten years old! In 1903 Nevil Maskelyne disrupted John Ambrose Fleming's public demonstration of Marconi's wireless telegraph technology by sending insulting morse code messages through the auditorium's projector. In essence, that was a successful hack of an information technology device.

The Cyber Security Game is afoot
The more devices there are and the more complicated they are, the more likely there are to be vulnerabilities which are exploited by criminals and nation-state actors hellbent on making money and causing mayhem. There is no winning scenario with cyber security; it is a continuous process and the challenge of staying ahead of the bad guys, knowing that if you stand still for just a minute, like the NHS not upgrading Windows XP systems and not applying Microsoft Critical Security Patches on time, you are going to lose the cyber game big time. So here's to another ten years...

Friday, 12 May 2017

WannaCry Global Cyber Attack Killing the NHS Explained & Help

A large-scale cyber-attack has impacted organisations around the world today, including badly affecting NHS services, with at least 25 NHS organisations hit by a mass ransomware outbreak. The ransomware responsible is known as WanaCrypt0r 2.0, WannaCry or WCry2; once it infects a system, not only does it encrypt data on the host system, but it attempts to infect other computers over the local network.

This aggressive malware uses an exploit method named EternalBlue, details of which were posted online in the Shadow Brokers dump of NSA hacking tools on April 14th, 2017. WannaCry exploits this Windows vulnerability (CVE-2017-0145) to spread quickly over the network (i.e. worm malware); the vulnerability was patched by Microsoft on 14th March 2017. More specifically, the vulnerability lies within the SMB protocol, which is used for network file sharing, and which the WannaCry malware exploits to replicate itself to other vulnerable Windows devices attached to the same network.

WCry2 Ransomware Demand

To avoid the WannaCry ransomware infection within a network environment, make sure Microsoft Critical Security Update MS17-010 is applied to all Microsoft Windows systems. The update was released by Microsoft on 14th March 2017, so if you have operated a good patch management process or allow Microsoft to automatically update your systems, and run anti-virus with AV definitions kept up-to-date, then you should be well protected from the WannaCry mass outbreak. Failing an ability to patch your systems, you can look into disabling the SMB service to prevent the malware from spreading.

The MS17-010 update stops the WannaCry ransomware from spreading (within a network); it does not stop WannaCry ransomware from running when clicked upon within a phishing email attachment or link.

To prevent execution, update your anti-virus and be vigilant with scam (phishing) emails enticing you to click on links or open attachments.

For the full Microsoft breakdown see - Note Microsoft has specifically released the patch for non-supported Windows platforms, such as Windows XP and Windows Vista.

Controlling an ongoing WannaCry Mass Infection
Where there are multiple malware infections detected, the priority is to contain the spread of the ransomware and the subsequent impact. This means powering off any potentially vulnerable systems and disconnecting them from the network immediately. Before re-connecting any potentially vulnerable system, apply all the security updates and then run a full anti-virus (AV) scan to check for the presence of the malware, and make sure your AV product is able to detect WannaCry, which most common AV products now are.

Live global map of WannaCry of the infection spread

Worried about a Mass Infection at your Business
If your organisation is yet to be infected by this malware and you are concerned, ensure the MS17-010 update is applied on all Windows devices, check Anti-Virus definitions are up-to-date and consider disconnecting from all third party networks until you are certain all systems are fully protected.

Infected: Should I Pay the Ransom to get my data back?
I do not recommend paying a ransomware ransom. At this point in time, there is no workaround to decrypt WCry (.wcry) encrypted files. Bitcoin intelligence shows people are paying the WannaCry ransom, and according to reports those that are paying are slowly receiving working keys to decrypt their WannaCry data.

If you don't plan to pay and there is data encrypted (not backed up) you want to keep, I suggest keeping a backup or drive image of the infected systems/encrypted files, as it might be possible to decrypt the data in the future. 

Beware of bogus ransomware removal tools, there are plenty of dodgy websites offering fake ransomware recovery software or instructions to install further malware. Such illicit tools often come with a price and can destroy any hope of file recovery, so avoid any tools from untrusted online vendors.

WannaCry Removal 
I recommend completely wiping any infected system's hard drive, and recovering data from a recent 'non-infected' clean backup, and obviously ensuring all those Microsoft security updates are applied and anti-virus is running and up-to-date. If you do want to remove the WannaCry ransomware infection without wiping, see - WCry Removal Instructions.

Why is NHS so badly Hit?
Going off tweeted screenshots of the NHS WCry infections, there still appear to be many instances of Windows XP in use within the NHS. Windows XP is a long outdated operating system and has been unsupported for security updates by Microsoft for a number of years. This means Windows XP is completely open to infection by WCry and other forms of malware; although Windows XP's security can be beefed up using application whitelisting, I personally wouldn't recommend using it as an operating system due to its insecurity.

To compound problems, staff working within the NHS have been describing a flat network via social media, so instead of a network of firewalled, ring-fenced small network segments, it suggests the NHS has a large open network, which allows network self-propagating malware like WCry to spread far and wide rapidly throughout the organisation.
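The two points made above, in the "Reasons Behind this Advice" of the prevention post (patching stops propagation but not the initial execution; up-to-date AV stops the initial execution) and the flat-network observation here, can be seen in a small model. The following is an added example, not part of the original post and not based on the actual NHS estate: the inventory of hosts, segments and patch states is constructed for illustration, and a self-propagating worm is modelled simply as "reaches any unpatched host it can see over the network".

```python
"""Toy outbreak model (added example, not from the post): how far a
self-propagating worm such as WannaCry gets from one phished host depends
on whether MS17-010 is applied and whether the network is segmented.

The hosts, segments and patch states below are constructed for illustration.
"""
from collections import deque

# Constructed inventory: a small estate with three network segments.
# patched == True means MS17-010 is applied, so the SMB exploit fails there.
HOSTS = {
    "ward-pc-01": {"segment": "ward-a", "patched": False},
    "ward-pc-02": {"segment": "ward-a", "patched": False},
    "ward-pc-03": {"segment": "ward-a", "patched": True},
    "lab-pc-01": {"segment": "lab", "patched": False},
    "lab-pc-02": {"segment": "lab", "patched": False},
    "admin-pc-01": {"segment": "admin", "patched": True},
}


def simulate_outbreak(hosts, initial, segmented, av_blocks_initial=False):
    """Return the set of hosts infected starting from `initial`.

    - The initial host is infected by the user running the phishing payload,
      so its patch state is irrelevant: the patch only stops propagation.
    - Up-to-date AV that recognises the strain stops it at the initial host.
    - Propagation reaches a host only if it is unpatched and, on a segmented
      network, sits in the same segment as an already-infected host.
    """
    if av_blocks_initial:
        return set()
    infected = {initial}
    queue = deque([initial])
    while queue:
        src = queue.popleft()
        for name, host in hosts.items():
            if name in infected or host["patched"]:
                continue
            if segmented and host["segment"] != hosts[src]["segment"]:
                continue
            infected.add(name)
            queue.append(name)
    return infected


def outbreak_report(hosts, initial):
    """Run the same inventory under each control the post recommends."""
    fully_patched = {n: {**h, "patched": True} for n, h in hosts.items()}
    return {
        "flat_unpatched": simulate_outbreak(hosts, initial, segmented=False),
        "segmented": simulate_outbreak(hosts, initial, segmented=True),
        "all_patched": simulate_outbreak(fully_patched, initial, segmented=False),
        "av_blocked": simulate_outbreak(hosts, initial, segmented=False,
                                        av_blocks_initial=True),
    }


if __name__ == "__main__":
    for scenario, hit in outbreak_report(HOSTS, "ward-pc-01").items():
        print(f"{scenario:15s} {len(hit):2d} infected: {sorted(hit)}")
```

On the flat, unpatched estate the single phished machine takes every unpatched host with it; segmentation confines it to its own segment; patching everywhere leaves only the phished machine encrypted; and AV that blocks the payload leaves nothing infected, which is the order of the three controls in the prevention post.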

The initial advice is to upgrade away from Windows XP to a supported operating system ASAP; that's a bit tricky for a cash-strapped organisation like the NHS, I know. However, IT systems are critical components of the overall health service provision, and as such they should not be neglected when it comes to prioritising budgets. Given it is the NHS, I believe the political ramifications of this cyber attack are going to go on for some time; make no mistake, what happened with the NHS today is a world-class landmark cyber attack, and we'll be talking about it for years within the cyber security industry.

Could it be Cyber Terrorism or a Nation-State Cyber Attack?
As reports of this global cyber attack initially flooded in, the first thought was that it could be Cyber Terrorism or Nation-State orchestrated, given the same ransomware type had been reported attacking organisations en masse. The fact 'national infrastructure' type organisations like Telefonica and utility gas firms like Iberdrola were hit could be seen as a smoking gun for a more sinister intent behind the attack than criminal money making. It certainly fits the objective of a cyber-terror attack, spreading fear by causing public mayhem, and placing lives at risk by closing down country-wide critical services, especially health services. However, I believe these attacks are unlikely to be terror or nation-state related; we'll have to wait for more details about how the ransomware initially infiltrated these organisations to be certain. Ransomware is predominately a cyber-criminal tool, so perhaps this is a case of the malware's 'network worm' propagating element being over-successful, as all cyber criminals want is to get paid the ransom, not to kill services, and in the case of WannaCry, we know the bad guys are getting paid ransoms.

Above all, today's cyber attack impact serves a harsh lesson to what can go wrong when organisations ignore years of warnings to upgrade unsupported operating systems, and the necessity to apply critical security patches soon after release.

Wednesday, 3 May 2017

Cyber Security Roundup for April 2017

In April the National Cyber Security Centre (NCSC) briefed major UK businesses about a significant Chinese Cyber-Espionage Threat called APT10, also known as Stone Panda, which I have featured in a separate blog post - Detecting & Preventing APT10 Operation Cloud Hopper.

The InterContinental Hotel Group, a hotel giant best known for the Crowne Park Plaza and Holiday Inn in the UK, reported data breaches within 12 of its hotels; however, Brian Krebs, the investigative journalist who first broke the story, reckons that there could be more than 1000 locations affected. A statement released on the hotel's website says that the malware, which infected the hotels' card payment systems, was identified between 29 September and 29 December 2016.

Payday loan firm Wonga reported a data breach which may affect up to 245,000 of its UK customers. The information stolen includes names, addresses, phone numbers, bank account numbers and sort codes.

A BBC Click investigation has thrown doubt on claims that the small, personal email server Nomx can provide "absolute security". The BBC investigation started by taking the device apart to find that it was built around a £30 Raspberry Pi computer. As the operating system for the Pi sits on a removable memory card, Mr Helme was able to download the device's core code so he could examine it closely, and found they were able to crack the device's simple passwords.

There was the usual raft of security updates which fixed security vulnerabilities in April, with Microsoft patches causing the most stir with security researchers, some of whom suggested the firm had held back patching some of its products.

Awareness, Education and Threat Intelligence
  • The 2017 Verizon Breach Investigations Report (DBIR) Released
    • 75% of data breaches are down to outsiders and 25% to insiders
    • 73% are conducted for financial reasons, with half involving organised crime.
    • 62% of breaches feature hacking; it still disappoints to see that 81% of hacking-related breaches leveraged either stolen and/or weak passwords. Half of breaches included malware, but physical loss of devices is now down to just 8%, and errors were a factor in 14% of breaches.
    • Ransomware rose 50% compared to last year and accounted for 72% of all malware incidents in the healthcare sector. 
    • Financial services are the most targeted sector at 24%, while healthcare accounts for 15%, the public sector close behind on 12% and the combined total of retail and accommodation accounting for 15% of breaches.

Wednesday, 12 April 2017

Detecting & Preventing APT10 Operation Cloud Hopper

There has been much concern over a state-sponsored threat known as APT10 Operation Cloud Hopper, also known as Stone Panda, after the UK National Cyber Security Centre (NCSC) recently spooked UK businesses and their suppliers about a Chinese threat actor posing a serious threat to IT Managed Service Providers (MSPs) and their UK clients.

Overview of the Threat
APT10, a China-based hacking group also known as Stone Panda, MenuPass, CVNX, and Potassium, is operating a hacking campaign known as Operation Cloud Hopper, which is believed to have been underway since 2014. There are intelligence reports which indicate the APT10 threat actor significantly upscaled their capabilities and attack sophistication in early 2016. The APT10 Cloud Hopper campaign focuses on sending malware-infected emails to staff working at IT Managed Service Providers (MSPs); once executed, the malware creates a backdoor which allows the attacker remote access to the MSP's backend systems. From there the attackers are able to navigate the MSP network and identify external connections with the MSP's clients, which are their actual targets. These network channels are then used to steal data from those clients, data which is packaged and exfiltrated through the MSP remote connection. These backdoors are known to remain undetected for months, due to the use of tailored malware which is undetectable by anti-virus and security monitoring systems.

So how do you know if your business has been infiltrated or is being attacked by APT10, aside from the NCSC informing you are a victim?
PwC and BAE Systems, who have been assisting NCSC with APT10, have produced a list of known source IP addresses of the attackers, which can be imported into security monitoring solutions such as firewalls, IDS/IPS, proxy servers, content filtering and SIEM \ log management solutions. Any hits against these IP addresses would be highly concerning; in such scenarios I would recommend unplugging the network cable from (and not powering off) all suspect systems, and then seeking help from an external, qualified and experienced digital forensic investigator if you don't have one to hand in your business. There are other known APT10 IP addresses to be found within the NCSC CiSP forum, but you will have to sign up to get those here.

PwC and BAE Systems have also provided an extract list of known APT10 malicious MD5 file hashes (unique identifiers for the known malicious APT10-related files). These MD5 hash lists can be used to scan for the presence of known malicious APT10 files on servers and workstations. I recommend importing those file MD5 hash lists into a scanner, such as the Nessus Vulnerability Scanner, and scanning the entire IT estate on a regular basis if your business is an IT MSP.
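The two checks described above, hits against an IP watchlist in proxy or firewall logs and hits against an MD5 watchlist on disk, are what a SIEM rule or a Nessus file-hash audit does under the hood. The script below is an added example, not the PwC, BAE Systems or NCSC tooling and not a substitute for it. Every indicator in it is a placeholder (IANA documentation address ranges and the MD5 of made-up content), as are the log lines and file paths, so that it runs offline; the published APT10 lists would be loaded in their place.

```python
"""Added example (not the PwC/BAE Systems/NCSC tooling): match log lines
against an IP watchlist and file hashes against an MD5 watchlist.

All indicator values here are PLACEHOLDERS, not real APT10 indicators.
"""
import hashlib
import ipaddress
import re

# Placeholder IP watchlist (documentation ranges); exact IPs and CIDRs allowed.
WATCH_IPS_RAW = ["203.0.113.77", "198.51.100.0/24"]

# Placeholder MD5 watchlist, derived from constructed content so the example
# can demonstrate a hit without shipping any real malicious hash.
SAMPLE_MALICIOUS_CONTENT = b"constructed sample standing in for a watchlisted file"
WATCH_MD5 = {hashlib.md5(SAMPLE_MALICIOUS_CONTENT).hexdigest()}

# Constructed proxy/firewall log lines (timestamp, src, dst, port, action).
SAMPLE_LOG = """\
2017-04-12T09:14:03Z src=10.0.5.21 dst=192.0.2.10 dport=443 action=allow
2017-04-12T09:14:09Z src=10.0.5.21 dst=203.0.113.77 dport=443 action=allow
2017-04-12T09:15:41Z src=10.0.7.3 dst=198.51.100.200 dport=80 action=allow
2017-04-12T09:16:02Z src=10.0.7.3 dst=10.0.0.1 dport=53 action=allow
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def build_watchlist(entries):
    """Normalise exact addresses and CIDR blocks into ip_network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def match_log_lines(log_text, networks):
    """Return (line_number, ip) for every watchlisted address seen in the log."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for token in IPV4_RE.findall(line):
            try:
                addr = ipaddress.ip_address(token)
            except ValueError:  # e.g. "999.1.1.1" matched the loose regex
                continue
            if any(addr in net for net in networks):
                hits.append((line_no, token))
    return hits


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def hash_file(path, chunk=1 << 20):
    """Stream a file through MD5 so large files need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_known_hashes(file_hashes, watch):
    """file_hashes: {path: md5}. Return only the entries on the watchlist."""
    return {p: h for p, h in file_hashes.items() if h.lower() in watch}


if __name__ == "__main__":
    nets = build_watchlist(WATCH_IPS_RAW)
    for line_no, ip in match_log_lines(SAMPLE_LOG, nets):
        print(f"log line {line_no}: contact with watchlisted address {ip}")
    # Constructed inventory in place of walking the disk with hash_file().
    inventory = {
        "C:/Windows/Temp/example.tmp": md5_hex(SAMPLE_MALICIOUS_CONTENT),
        "C:/Users/alice/notes.txt": md5_hex(b"harmless"),
    }
    for path, h in find_known_hashes(inventory, WATCH_MD5).items():
        print(f"watchlisted hash {h} found at {path}")
```

A real deployment would feed `hash_file()` every file on the estate on a schedule and re-read both watchlists each run, since, as the post says, the published lists are expected to grow as further incidents are investigated.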

APT10 is Active and Here to Stay
Keep an eye on the NCSC, PwC and BAE Systems for updates about the APT10 threat, as they are likely to provide updated lists of known associated IP addresses and further MD5 file hashes as more incidents are investigated and intelligence comes to their attention. Given this threat actor is said to be still active and is known to be operational for several years, don't expect APT10 to be going away anytime soon, after all APT actually stands for Advanced 'Persistent' Threat. So if you are an IT MSP, it will be prudent to routinely check and update your lists of APT10 suspected IP addresses and MD5 file hashes to be monitored and regularly scanned.

Most anti-virus and web filtering vendors worth their salt should now be aware of this threat and should be keeping up-to-date with the latest APT10 related malware and associated IP addresses and file hashes as well, but it is well worth asking them about their position. It goes without saying that it is paramount to keep all security prevention and monitoring systems bang up-to-date, as is performing regular external and internal network vulnerability scans, and monitoring and acting upon any signs of compromise.

Tuesday, 11 April 2017

WinZip Encryption Password Security (2017)

9 years ago I wrote a post on WinZip Encryption Security, that post has received tens of thousands of visits over the years and continues to be pretty popular, but it is high time for that advice to be refreshed. The advice below also applies to 7-Zip, which also supports the same type of encryption as WinZip.

Do not use WinZip ‘Standard Zip 2.0 Encryption’
WinZip pre-version 9 only offered WinZip's own proprietary encryption algorithm called Zip 2.0 encryption, which is broken, so never use WinZip pre-version 9 or the "WinZip's Zip 2.0 Encryption" option, as passwords of any strength can very easily be recovered with third-party cracking tools. WinZip versions 9 to 21 default to using the National Institute of Standards and Technology (NIST) scrutinised and US government agency approved encryption algorithm called the Advanced Encryption Standard (AES) - . This is great; however, WinZip still includes the option to change the encryption to use the flawed Zip 2.0 encryption.

Use AES-256, but there’s nothing wrong with AES-128
The latest version of WinZip (Version 21) defaults to using AES-256 encryption and also supports AES-128. There is hardly any noticeable speed advantage in encrypting and decrypting with AES-128 rather than AES-256, given the brilliant efficiency of the AES cryptographic algorithm, so given the lack of overhead, it makes sense to stick with the default and much stronger flavour of AES-256.
However, both AES-128 and AES-256 are considered strong enough for commercial industry best practice and both are NIST approved to use until at least the year 2031. To put the strength of AES-128 into perspective, the '128' bit number equates to 3,400,000,000,000,000,000,000,000,000,000,000,000,000 possible keys, so guessing or cracking a key of that length is far from feasible at the moment. We also know the AES algorithm doesn't have any sufficiently serious flaws to get around the encryption process; the Achilles heel is the password you choose to generate that encryption key.

Use a Complex Password (Super Important)
I recommend the following password rules if you are serious about protecting your data with WinZip AES encryption, or any other AES encryption which uses a password for that matter. Use a password that:
  • is at least 12 characters in length
  • is random, i.e. does not contain any dictionary words, common words or names
  • is not a commonly known or guessable password, e.g. P@$$w0rD1
  • has at least one upper case character, e.g. A to Z
  • has at least one lower case character, e.g. a to z
  • has at least one number, e.g. 0 to 9
  • has at least one special character, e.g. !,",£,$,%,@,#
Recommended Vs WinZip Default Password Policy

Why you need a Complex Password
WinZip's AES encryption uses "symmetric" encryption; as such the password is used to generate the AES encryption key, and if you know or can guess the password, you beat the encryption. So the complexity and strength of the password is by far the weakest point. An attacker in possession of a WinZip encrypted file has unlimited attempts at guessing that password to decrypt the WinZip archive; the defence is time, by using a password complex and long enough to thwart those unlimited attempts from being successful. Hackers mainly use two attack types to crack WinZip encrypted file passwords, Dictionary Attacks and Brute Force Attacks. We'll save Rainbow table cracking for another post.

A Dictionary Attack is as it sounds: the attacker tries passwords commonly known to be used and words found in a dictionary. Hackers build their own password dictionary databases by harvesting passwords uncovered in past data breaches, which are freely available online and on the dark web, such as the recent account password dump following the Yahoo Data Breach. The attacker then uses a tool to script attempts, allowing thousands of passwords from their dictionary databases to be tried in minutes.

Dictionary Attack Tool

Top Ten Account Password in Breached Yahoo Accounts
  1. 123456
  2. password
  3. welcome
  4. ninja
  5. abc123
  6. 123456789
  7. 12345678
  8. sunshine
  9. princess
  10. qwerty
The other common password cracking technique is a Brute Force Attack, in which every single combination of characters possible, e.g. aaaa to zzzz, is attempted, which is why I recommend using different character cases and special characters within lengthy passwords, as it seriously extends the time for this type of attack to be successful.
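The password rules listed above, the Yahoo top-ten list, and the brute-force argument can be turned into a check you can run before you pick an archive password. The script below is an added example, not WinZip's code and not a cracking tool: it reports which of the post's rules a candidate password fails, and compares the size of the search space a brute-force attacker faces for a given password shape with the 2^128 keys of AES-128 itself. The dictionary word list is a tiny constructed stand-in for a real one, the "commonly known" list is the Yahoo top ten from the post plus its own P@$$w0rD1 example, and the guesses-per-second rate is an assumption for illustration only (real rates depend on the attacker's hardware and on WinZip's key derivation cost).

```python
"""Added example (not WinZip's code): check a password against the rules in
this post, and size the brute-force search space those rules buy you.

COMMON_PASSWORDS and DICTIONARY_WORDS are small constructed lists; the
guess rate used in __main__ is an assumption, not a measured figure.
"""
import math
import string

# The Yahoo top ten quoted in the post, plus the post's example of a
# guessable pattern; a real check would load a full breach-derived list.
COMMON_PASSWORDS = {
    "123456", "password", "welcome", "ninja", "abc123", "123456789",
    "12345678", "sunshine", "princess", "qwerty", "p@$$w0rd1",
}
# Tiny constructed dictionary standing in for a real word/name list.
DICTIONARY_WORDS = {"summer", "london", "dragon", "monkey", "football", "alice"}

SPECIALS = set(string.punctuation + "£")


def check_policy(password):
    """Return the list of rules from the post that the password fails."""
    failures = []
    lowered = password.lower()
    if len(password) < 12:
        failures.append("shorter than 12 characters")
    if lowered in COMMON_PASSWORDS:
        failures.append("commonly known / guessable password")
    if any(word in lowered for word in DICTIONARY_WORDS):
        failures.append("contains a dictionary word or name")
    if not any(c.isupper() for c in password):
        failures.append("no upper case character")
    if not any(c.islower() for c in password):
        failures.append("no lower case character")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in SPECIALS for c in password):
        failures.append("no special character")
    return failures


def keyspace(alphabet_size, length):
    """Candidates a brute-force attack must cover for passwords of this shape."""
    return alphabet_size ** length


def strength_bits(space):
    """Search space expressed as an equivalent key length in bits."""
    return math.log2(space)


def years_to_exhaust(space, guesses_per_second):
    """Worst-case time to try the whole space at a given guess rate."""
    return space / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    rate = 1e9  # ASSUMED guess rate for illustration only
    for pw in ["P@$$w0rD1", "Summer2017!!", "xK9#mQ2&vL7!"]:
        print(f"{pw!r}: {check_policy(pw) or 'passes all rules'}")
    shapes = [("lower case only, 8 chars", 26, 8),
              ("lower case only, 12 chars", 26, 12),
              ("mixed case + digits + specials, 12 chars", 94, 12)]
    for label, size, length in shapes:
        space = keyspace(size, length)
        print(f"{label}: 2^{strength_bits(space):.1f} candidates, "
              f"{years_to_exhaust(space, rate):.3g} years at {rate:.0e}/s")
    print(f"AES-128 key itself: 2^{strength_bits(2 ** 128):.0f} keys")
```

The output makes the post's point concrete: even a 12-character password drawn from all 94 printable ASCII characters gives an attacker a space of roughly 2^79, well short of the 2^128 AES key it protects, so the password, not the cipher, is what bounds the attacker's effort.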

Brute Force Attack 

Document names can be read within Encrypted Archives
There is one final issue to be aware of with WinZip encryption, an issue you don't have with other file encryption applications. Without knowing the password, it is still possible for anybody to browse and read the filenames within an encrypted archive, which obviously can give an attacker vital clues about the content and whether the encrypted zip file password is worth the effort to crack. One way around this is to double-zip the archive, giving the initial zip archive a random name, or to use an alternative encryption tool after creating the zip file.
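The reason the names leak is structural: a ZIP file stores each entry's name twice, in its local header and again in the central directory at the end of the archive, and neither copy is covered by the encryption, which applies only to the entry's data. The script below is an added example, not WinZip's code. It hand-builds a two-entry archive in the public WinZip AES (AE-2) layout (compression method 99, encryption flag bit set, extra field 0x9901) with dummy bytes in place of real ciphertext, then shows that Python's standard `zipfile` lists the names with no password while refusing to hand over the data, and that a few lines of `struct` parsing recover the same names straight from the central directory. The file names and contents are constructed.

```python
"""Added example (not WinZip's code): entry names in a ZIP are plaintext even
when the entry data is AES-encrypted.

The archive is built by hand in the WinZip AES (AE-2) layout; the
"ciphertext" is dummy bytes and the file names are made up.
"""
import io
import struct
import zipfile

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
FLAG_ENCRYPTED = 0x0001      # general-purpose bit 0: entry data is encrypted
METHOD_WINZIP_AES = 99
DOS_TIME, DOS_DATE = 0, ((2017 - 1980) << 9) | (4 << 5) | 11  # 11 April 2017

# Constructed entries: (name, dummy ciphertext, claimed plaintext size).
SAMPLE_ENTRIES = [
    ("Q3_payroll.xlsx", bytes(range(48)), 20),
    ("board_minutes_May2017.docx", bytes(range(40, 80)), 12),
]


def build_aes_like_archive(entries):
    """Return ZIP bytes whose entries are flagged as WinZip-AES encrypted."""
    locals_blob, centrals = b"", b""
    # WinZip AES extra field: id 0x9901, 7 data bytes: version 2 (AE-2),
    # vendor 'AE', strength 3 (AES-256), underlying method 0 (stored).
    extra = struct.pack("<HHH2sBH", 0x9901, 7, 2, b"AE", 3, 0)
    for filename, ciphertext, plain_size in entries:
        name = filename.encode("cp437")
        offset = len(locals_blob)
        # Local file header: the name sits here in the clear, before the data.
        locals_blob += struct.pack(
            "<4sHHHHHIIIHH", LOCAL_SIG, 51, FLAG_ENCRYPTED, METHOD_WINZIP_AES,
            DOS_TIME, DOS_DATE, 0, len(ciphertext), plain_size,
            len(name), len(extra)) + name + extra + ciphertext
        # Central directory record: the name again, also in the clear.
        centrals += struct.pack(
            "<4s6H3I5H2I", CENTRAL_SIG, 20, 51, FLAG_ENCRYPTED, METHOD_WINZIP_AES,
            DOS_TIME, DOS_DATE, 0, len(ciphertext), plain_size,
            len(name), len(extra), 0, 0, 0, 0, offset) + name + extra
    eocd = struct.pack("<4sHHHHIIH", EOCD_SIG, 0, 0, len(entries), len(entries),
                       len(centrals), len(locals_blob), 0)
    return locals_blob + centrals + eocd


def names_without_password(archive):
    """The standard library lists entries without being given any password."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return zf.namelist()


def data_readable_without_password(archive, name):
    """Only the entry data is protected: reading it without a password fails."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        try:
            zf.read(name)
            return True
        except (RuntimeError, NotImplementedError):
            return False


def walk_central_directory(archive):
    """Independently of zipfile: pull (name, encrypted?) out of the directory."""
    eocd = struct.unpack("<4sHHHHIIH", archive[-22:])
    pos, count = eocd[6], eocd[4]
    entries = []
    for _ in range(count):
        hdr = struct.unpack("<4s6H3I5H2I", archive[pos:pos + 46])
        flags, fn_len, ex_len, cm_len = hdr[3], hdr[10], hdr[11], hdr[12]
        name = archive[pos + 46:pos + 46 + fn_len].decode("cp437")
        entries.append((name, bool(flags & FLAG_ENCRYPTED)))
        pos += 46 + fn_len + ex_len + cm_len
    return entries


if __name__ == "__main__":
    archive = build_aes_like_archive(SAMPLE_ENTRIES)
    print("zipfile.namelist() with no password:", names_without_password(archive))
    print("central directory:", walk_central_directory(archive))
    print("data readable without password:",
          data_readable_without_password(archive, "Q3_payroll.xlsx"))
```

The double-zip workaround in the post works because the inner archive's name is then the only thing visible in the outer archive's directory, and that name carries no information if it is random.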

Anyone can read the Encrypted Zip Archived file names without the password

File Encryption Applications to Consider
There are plenty of other encryption tools you can use for file encryption as an alternative to using WinZip. 
  • TrueCrypt is free, multi-platform and has been my personal recommendation for many years. However, after its development was discontinued in May 2014 following an audit, it caused controversy in the cyber security industry. Despite that, I think the latest version of TrueCrypt is still safe to use.
  • VeraCrypt spawned out of TrueCrypt; an excellent and supported encryption tool which also works with Windows, Mac and Linux.
  • AxCrypt is another free Windows-based encryption tool I recommend.
  • GNU Privacy Guard is an open-source version of the legendary Pretty Good Privacy (PGP).