Wednesday, 23 January 2008

WinZip Encryption Password Security

Recently I have received several emails asking about WinZip encryption, and specifically whether it is good enough for business use, especially in the current climate of data breaches in the UK, where serious breaches involving public data are announced almost weekly. So can WinZip do the job of encrypting sensitive data held on disks posted through the public postal system? Well, the answer is yes, but only if it is used properly…

With WinZip encryption it is important to understand that versions of WinZip before version 9 use the traditional PKZIP stream cipher (often called ZipCrypto) for "WinZip Encryption", and that cipher is simply broken: a well-known known-plaintext attack published in the 1990s recovers its internal key state, so data archived with WinZip version 8 or below can be recovered easily, however strong the password. WinZip version 9 and above adds the option of an industry-strength, NIST-approved algorithm, AES (the Advanced Encryption Standard). The application offers three key lengths, AES-128, AES-192 and AES-256 (the longer the key, the stronger); you may as well pick AES-256, although AES-128 is currently strong enough to meet industry best practice and standards.

The weak point of WinZip AES encryption is that it is "symmetric" encryption: a single secret, the password, both encrypts and decrypts the archive, so the complexity and strength of that password is "the" protection. Worse, the attack is offline: whoever has a copy of the archive has unlimited attempts at guessing the password, with no lockout and nothing to alert you. WinZip derives the AES key from the password with PBKDF2 (1,000 iterations), which makes each guess cost the attacker a little more work, but only a little. One password-breaking attack the bad guys use is a dictionary attack, which, as it sounds, tries regular words found in the dictionary as well as commonly used passwords; usually the cracker has their own database of commonly used and previously leaked passwords, plus rules for the usual substitutions, so passwords like "Pa55word" are extremely weak and just don't cut it.

Another attack on WinZip passwords is a "brute force" attack, which tries every possible combination of characters, e.g. aaaa to zzzz. I carried out some testing for this post on my home PC: I was able to crack a 6 character password of completely random upper case, lower case and numeric values in 1 hour 15 minutes (see image below). Every extra character multiplies the time a brute force takes, so when I tried to brute force a 7 character password it took several days, and I think it would take a couple of months to crack an 8 character password on my not so powerful home computer. So I would say 8 character passwords just aren't strong enough for WinZip AES password encryption.

The main factor in a brute force attack is the processing power (the speed) of the computer trying the combinations. The bad guys can increase their processing power by networking several computers and splitting the keyspace between them, which cuts the time to find the password roughly in proportion. I previously posted about using a PS3 to brute force passwords, as the PS3's multi-core Cell processor (multi-core chips are now appearing in new PCs too) can try several combinations at the same time and is therefore very efficient for brute force attacks.

There is another class of attack which targets the AES algorithm itself; however AES at these key lengths is so strong that such attacks aren't a viable option against business data at the moment. There are no known practical attacks on AES, which is used and approved by leading banks and the military, so I'm not going to go into further detail within this post.

So with WinZip AES encryption the password strength is the key to the security of the encryption, therefore my own suggestion is that the following password rules provide a business level of strong encryption (Are you reading this HMRC?)

The WinZip password should be…

1. Be at least 12 characters in length
2. Be random and not contain any dictionary word, common word or name
3. Have at least one upper case character
4. Have at least one lower case character
5. Have at least one numeric character
6. Have at least one special character e.g. $,£,*,%,&,!

There is nothing black and white or written down about this; it is my own suggestion and recommendation (in the year 2008). If you are struggling to create these sorts of complex passwords, I suggest you check out password generation applications, or look at online sites like GRC.com, which has a free online random password generator that does an excellent job of generating strong random passwords.

Most significant within the password is the inclusion of at least one "special character", which makes the password much harder to brute force; the bad guys often leave special characters out of the character set they try, because including them makes exhausting all the combinations take impossibly long. Each position of the password can then hold one of 94 characters instead of 62, so adding special characters to my 6 character password multiplies the brute force time roughly 12 fold (94 to the power 6 divided by 62 to the power 6), and the longer the password, the greater the factor of increase.

To give an idea of the numbers we are talking about, using the rules I listed as a minimum and a 94 character alphabet (26 upper case, 26 lower case, 10 digits and 32 special characters), we are talking roughly 475,920,314,814,253,000,000,000 possible combinations to brute force, which equates to around 13,851,104,153,269 hours of processing time on a regular PC. Don't forget that the attacker can use multiple PCs and more powerful machines, so divide the processing time by the number (or power) of their machines, and remember these are worst-case figures for trying every combination; on average the password falls about half way through. Even so, with these sorts of numbers I think it's more than strong enough protection. You might be thinking I'm going a little too far with a 12 character minimum, and as I do tend to lean on the side of caution perhaps you are right; like I said, it's your call. So here are the numbers for a random 10 character alphanumeric password with special characters for comparison: 53,861,511,409,490,000,000 combinations, which equates to 17,179,869,184 hours of processing time. 10 characters without special characters is 839,299,365,868,340,000 combinations, taking 24,426,825 hours, so you can see the multiplying effect of using special characters in the password.
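The keyspace arithmetic behind those figures, as an added example that is not part of the original post. It assumes the 94 character alphabet above (26 lower, 26 upper, 10 digits, 32 symbols), which reproduces the post's combination counts, and it also shows something the raw counts hide: when a policy requires at least one character from every class, an attacker who knows the policy can skip every candidate that lacks a class, so the space they actually search is a little smaller than 94 to the power of the length. The guess rates are illustrative inputs, not measurements.

```python
"""Keyspace and exhaustive-search time for the WinZip password rules above.

Added example (not code from the original post). The 94-symbol alphabet
(26 lower, 26 upper, 10 digits, 32 symbols) is an assumption that reproduces
the post's own combination counts; the guess rates are illustrative inputs,
not measurements.
"""
from itertools import combinations

# Character classes: label -> size. 32 symbols = printable ASCII minus
# letters, digits and space.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "special": 32}


def keyspace(length, class_sizes):
    """All strings of `length` over the union of the given classes."""
    return sum(class_sizes) ** length


def policy_keyspace(length, class_sizes):
    """Strings of `length` containing at least one character from EVERY class.

    Inclusion-exclusion: start from all strings, subtract those missing one
    class, add back those missing two, and so on. This is the set an
    attacker who knows the policy actually has to search.
    """
    sizes = list(class_sizes)
    total = 0
    for k in range(len(sizes) + 1):
        for omitted in combinations(range(len(sizes)), k):
            alphabet = sum(s for i, s in enumerate(sizes) if i not in omitted)
            total += (-1) ** k * alphabet ** length
    return total


def hours_to_exhaust(space, guesses_per_second):
    """Worst-case hours to try every candidate at a fixed rate; on average
    a password falls in half that time."""
    return space / guesses_per_second / 3600.0


def compare_policies(guesses_per_second):
    """Return {policy name: (keyspace, hours)} for the policies discussed."""
    all_four = list(CLASSES.values())
    no_special = [CLASSES["lower"], CLASSES["upper"], CLASSES["digit"]]
    policies = {
        "12 chars, all four classes required": policy_keyspace(12, all_four),
        "12 chars, 94-symbol alphabet, no class rule": keyspace(12, all_four),
        "10 chars, 94-symbol alphabet": keyspace(10, all_four),
        "10 chars, alphanumeric only": keyspace(10, no_special),
        "6 chars, alphanumeric only": keyspace(6, no_special),
    }
    return {name: (space, hours_to_exhaust(space, guesses_per_second))
            for name, space in policies.items()}


if __name__ == "__main__":
    # Illustrative rate only (assumption). Real throughput depends on the
    # cracking hardware and on WinZip's PBKDF2 key derivation, which makes
    # every guess cost many hash operations.
    rate = 10_000_000
    for name, (space, hours) in compare_policies(rate).items():
        print(f"{name:45s} {space:28,d} {hours:18,.0f} h")
```

Plug your own measured guesses-per-second into compare_policies to see where your hardware sits; the ratio between the "94-symbol" and "alphanumeric only" rows is the 12-fold (and higher) factor the post describes.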

Of course these sorts of long, complex passwords require good password management and decent business processes in place; it's no good using a decent length complex password and then writing it down on the disk you send! The password has to travel separately from the disk.

Finally there is one more issue to consider with WinZip: even without knowing the password, anyone can open an AES-encrypted WinZip archive and read the file names, sizes and dates, because the archive's central directory is not encrypted, only the file contents are. So it may be a good idea to zip the files into a single unencrypted zip file first, to hide the file names, and then zip that again with AES encryption.
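To see where that leak lives in the file format, here is an added example (not the post's own code, and not WinZip's) that parses a ZIP central directory by hand, without any password, and applies the double-zip mitigation. It builds unencrypted archives with Python's standard library, because zipfile cannot write WinZip AES entries; the directory layout it reads is the same for encrypted archives, and it also reports the two header fields that mark an encrypted entry (general-purpose bit 0, and WinZip's compression method 99 for AES). The sample file names and contents are constructed for the demonstration.

```python
"""Why an AES-encrypted ZIP still leaks its file names, and the double-zip fix.

Added example (not the post's own code). Archives are built unencrypted with
the standard library because zipfile cannot write WinZip AES entries; the
central-directory layout parsed here is identical for encrypted archives,
which is the point: names, sizes and timestamps live in a directory that
WinZip AES does not encrypt.
"""
import io
import struct
import zipfile

EOCD_SIG = 0x06054B50   # end of central directory record
CDH_SIG = 0x02014B50    # central directory file header
WINZIP_AES_METHOD = 99  # compression method WinZip uses for AE-1/AE-2 entries


def build_archive(files):
    """Zip a {name: bytes} mapping in memory and return the archive bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def wrap_archive(inner_bytes, inner_name="payload.zip"):
    """The post's mitigation: store the archive inside a second archive, so an
    outer AES-encrypted zip only reveals one opaque file name."""
    return build_archive({inner_name: inner_bytes})


def central_directory(zip_bytes):
    """Parse the central directory with no password and return, per entry,
    the clear-text name plus the header fields that mark encryption."""
    eocd_at = zip_bytes.rfind(struct.pack("<I", EOCD_SIG))
    if eocd_at < 0:
        raise ValueError("not a zip file: no end-of-central-directory record")
    (_sig, _disk, _cd_disk, _n_disk, n_entries, _cd_size, cd_offset,
     _comment_len) = struct.unpack_from("<IHHHHIIH", zip_bytes, eocd_at)

    entries = []
    pos = cd_offset
    for _ in range(n_entries):
        (sig, _made_by, _needed, flags, method, _mtime, _mdate, _crc,
         csize, usize, name_len, extra_len, comment_len,
         _disk_no, _int_attr, _ext_attr, _local_off) = struct.unpack_from(
            "<IHHHHHHIIIHHHHHII", zip_bytes, pos)   # 46-byte fixed header
        if sig != CDH_SIG:
            raise ValueError("corrupt central directory")
        name = zip_bytes[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        entries.append({
            "name": name,                            # stored in clear text
            "encrypted": bool(flags & 0x1),          # general-purpose bit 0
            "winzip_aes": method == WINZIP_AES_METHOD,
            "compressed_size": csize,
            "uncompressed_size": usize,
        })
        pos += 46 + name_len + extra_len + comment_len
    return entries


def visible_names(zip_bytes):
    """Everything an attacker learns about the archive's contents for free."""
    return [e["name"] for e in central_directory(zip_bytes)]


if __name__ == "__main__":
    # Constructed sample data, not a real disk image.
    inner = build_archive({
        "payroll_2007.csv": b"name,ni_number,bank\n...",
        "board_minutes.doc": b"..." * 100,
    })
    outer = wrap_archive(inner)
    print("inner archive exposes:", visible_names(inner))
    print("outer archive exposes:", visible_names(outer))
```

Run against a real WinZip AES archive, central_directory reports every entry with encrypted set and winzip_aes set, and still prints every name: only the outer wrapper hides them.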

So WinZip encryption can be used to protect sensitive information in transit, but given a choice, my personal preference would be to use a product like PGP (or GnuPG, a free OpenPGP implementation), which uses asymmetric encryption: the sender encrypts to the recipient's public key, so there is no shared password to manage or to send separately, and the recipient's private key never leaves their machine. I can post specifically about PGP and asymmetric encryption if asked (please post in the comments). Oh, and if you found this post useful, please post a positive comment, as it will encourage me to post further "how-to" posts.

Tuesday, 22 January 2008

MOD Don’t Encrypt All Laptops

Perhaps I am being a little naive, but I would have thought all MOD laptops would be deployed with hard disk encryption. Apparently not, as the MOD laptop stolen last week from a parked car in Birmingham didn't have any hard disk or file level encryption, despite holding masses of private data. This MOD laptop held 600,000 records of military personnel: personal data including passport numbers, national insurance numbers, driving licence details, family details, doctors' addresses and bank details, which is probably why we know about this breach; I'm sure the MOD would rather this incident had been kept out of the public eye.

Organisations which use thousands of laptops in the field should accept and understand that a certain percentage of laptops will be stolen. Sure, you can try to reduce the numbers stolen, and the risk, by educating users, but it is inevitable that a small proportion of laptops will be stolen; it's the way of the world. This is nothing new either: the theft of laptops has been commonplace since their introduction 20 years ago. Most large organisations in the private sector understand this and the risk of a data breach associated with such thefts, and as a matter of course enforce encryption of all of their laptop hard disks across the board. And the cost of buying the software to properly encrypt laptop hard disks and secure the information held on them? Well, it is around £20 to £50 per laptop, which is around 5% of the cost of the laptop, so there really is no excuse for these types of breaches today.

The other question I have with this particular breach is why so much sensitive data was being held on a laptop in the first place. It's probably laziness or incompetence, but nevertheless no one should need to be walking around with that amount of information on a laptop, hard disk encrypted or not.

On the back of the MOD breach news story, I noticed yet another government agency, namely the Department for Work and Pensions (DWP), disclosed another data breach: hundreds of documents containing sensitive personal data of citizens were found on a public roundabout in Devon. It appears this is not the first time this has happened either. And on the same day Stockport Primary Care Trust announced that it had lost 4,000 patient records.

It appears to be a growing trend to announce data breaches on the back of bigger breaches; I'm sure there are press officers just sitting there reading news reports: "oh, there goes a seriously big breach, quickly release our breach, they won't notice"…

Tuesday, 8 January 2008

HMRC Breach a Fuss about Nothing? Not Really

BBC TV Top Gear presenter Jeremy Clarkson, who writes for the Sun newspaper, was so convinced the HMRC data breach was, in his own words, "a fuss about nothing" that he published his own bank account number and sort code in the newspaper, and I quote: "All you'll be able to do with them is put money into my account. Not take it out. Honestly, I've never known such a palaver about nothing," he told Sun readers.

However, when he next checked his bank statement he saw that someone had set up a direct debit which automatically removed £500 from his account, apparently transferring the money to a charity. Now that's what I call ethical hacking!

To quote Clarkson further after discovering this, "The bank cannot find out who did this because of the Data Protection Act and they cannot stop it from happening again. I was wrong and I have been punished for my mistake."

I think it just goes to show that many people just don't care that their personal information and banking details are being lost and could be in the hands of fraudsters. I'm planning a post on encryption next, but after that I'll try to explain exactly what the bad guys can do with your personal information and banking details, and hopefully show that this sort of information has real value attached to it and therefore must be protected by those organisations entrusted with holding it.

Finally to quote Clarkson further "Contrary to what I said at the time, we must go after the idiots who lost the discs and stick cocktail sticks in their eyes until they beg for mercy." - I'm with him on that!

Monday, 7 January 2008

HMRC: Update with my Grievance

I said I would blog about my own progress in obtaining answers and information on improvements following the initial HMRC incident, when they lost the Standard Life CD with my data on it on 8th November, two weeks before the 25 million record breach. I wrote several letters at the time to the powers that be and have received several replies so far.

I had a reply from my local Member of Parliament, David Borrow, who said "I am looking into the points you have raised and I will contact you again as soon as I have more information."

I had a letter receipt acknowledgement from Michael Wills MP, the government minister for Data Protection.

I've also had an interesting response from The Information Commissioner’s Office (ICO)...

"Thank you for your correspondence dated 8th November 2007 regarding the security breach by HM Revenue and Customs which involved the loss of a computer disc containing Standard Life customer details.

The Information Commissioner’s Office (ICO) is responsible for administering the Data Protection Act 1998 (the Act), which is concerned with the processing of personal data. The Act requires, amongst other things, that organisations which process personal data employ appropriate safeguards in order to ensure the security of that data. If an organisation fails to take appropriate steps to ensure the security of the data they hold then it is likely that that organisation will have breached the requirements of the Act.

HM Revenue and Customs has reported this serious breach to the ICO, and as you may be aware, as a result of a further security breach the Chancellor has announced an independent review of HM Revenue and Customs. The Chancellor has agreed that the full report will be made available to the ICO and we will then decide what further action is appropriate. The ICO will release a statement as soon as he has considered the findings of the independent review.

As we have already been made aware of the breach, and as we will be provided with the full report following the independent review of HM Revenue and Customs, we do not require details of individual complaints. However we will keep a copy of the information you have provided on file as evidence should it be required in the future.

The Information Commissioner's Office is aware that you may have concerns about the security of the lost data; If you would like some practical guidance about avoiding identity theft you may wish to view pages 30 - 33 of our Personal information toolkit.

I hope this information is useful. If we can be of any further assistance please contact our Helpline on 08456 30 60 60, or 01625 545745 if you would prefer to call a national rate number, quoting your case reference number. You may also find some useful information on our website at www.ico.gov.uk

Yours sincerely

Sharon Boot
Senior Customer Service Officer"