tag:blogger.com,1999:blog-3798604115389836864.post7639178410264810798..comments2024-03-13T13:04:53.453+00:00Comments on IT Security Expert Blog: HMRC: Emails Confirms Poor CD Password ProtectionSecurityExperthttp://www.blogger.com/profile/02816379340772195492noreply@blogger.comBlogger8125tag:blogger.com,1999:blog-3798604115389836864.post-89293325594769237802007-12-14T11:06:00.000+00:002007-12-14T11:06:00.000+00:00Thanks. My working assumption is that there are 2 ...Thanks. My working assumption is that there are 2 csv files - each with 12.5 million lines of data. On each line will be a surname of every person in receipt of child benefit.Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-3798604115389836864.post-29010319417144430972007-12-14T09:46:00.000+00:002007-12-14T09:46:00.000+00:00Q388 Mr Dunne: Can we turn to the actual data itse...Q388 Mr Dunne: Can we turn to the actual data itself? Are you able to tell us, without giving away public information - either tell us now or privately - the version of software on which the data was sent on to the CD?<BR/><BR/>Mr Hartnett: I am not able to tell you that. Sarah?<BR/><BR/>Ms Walker: No.<BR/><BR/>Mr Hartnett: The only thing I can tell you - and we will write to you, Mr Dunne - is how the CD was protected, which was with Winzip 8.<BR/><BR/>Q389 Mr Dunne: Winzip 8?<BR/><BR/>Mr Hartnett: Eight not nine.<BR/><BR/>Q390 Mr Dunne: Does Winzip 8 allow for automatic encryption?<BR/><BR/>Mr Hartnett: No, I think that is nine. Winzip 8 allows for compression. I am sorry, I am not a technician, but it allows for compression and password protection is my understanding.<BR/><BR/>Q391 Mr Dunne: Are you able to tell us, again without making this easy for someone who may have these CDs, whether a dictionary password was used for password protection?<BR/><BR/>Mr Hartnett: I do not know the answer to that.<BR/><BR/>Q392 Mr Dunne: Would you be able to write to us privately - I do not know if we can keep that confidential - and, secondly, the number of symbols in the password? Would that be possible to provide confidentially or will that come out in the Kieran Review?<BR/><BR/>Mr Hartnett: It will come out in the Kieran Pointer Review."<BR/><BR/><BR/>There is a big difference between a password protected zip file created with WinZip version 8 and below, and WinZip version 9 and above, hence the question. <BR/><BR/>However even WinZip 9 passwords can be brute forced, namely every combination of letters, special characters tried until the password is found, in this scenario the longer the more complicated the password, the longer it take to crack, also the processing power of your PC effects speeds. i.e. 4 characters seconds, 6 characters an hour, 8 characters a almost a day etc<BR/><BR/>However WinZip 8 and below are vulnerable to a different password cracking method, which can be cracked in under an hour on a standard PC. The password "recovery" software I use relies on the number of files within the zip archive rather than file size or text within the zip archive, usually 5 files+ is enough to recovery any password within an hour.<BR/><BR/>I tell you what I'll do, I run some experiments with WinZip 8, find out for sure and post the results in a fresh post.<BR/><BR/>Thanks for the interesting commentsSecurityExperthttps://www.blogger.com/profile/02816379340772195492noreply@blogger.comtag:blogger.com,1999:blog-3798604115389836864.post-75135064576258234272007-12-14T01:12:00.000+00:002007-12-14T01:12:00.000+00:00It's q 389 on the link provided.http://www.publica...It's q 389 on the link provided.<BR/><BR/>http://www.publications.parliament.uk/pa/cm200708/cmselect/cmtreasy/uc57-iii/uc5702.htm<BR/><BR/>I've been told that with winzip 8, you need to have a good sample of the text inside the document to crack the encryption. DO you have any views on the truth of that?Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-3798604115389836864.post-21735085961138840282007-12-12T11:19:00.000+00:002007-12-12T11:19:00.000+00:00Thanks for the info on WinZip.If the WinZip 8 arch...Thanks for the info on WinZip.<BR/><BR/>If the WinZip 8 archive has over 5 files in it, the password can be easily recovered in less then an hour on a regular PC, regardless of the password complexity and length.SecurityExperthttps://www.blogger.com/profile/02816379340772195492noreply@blogger.comtag:blogger.com,1999:blog-3798604115389836864.post-16547688309279010972007-12-12T01:05:00.000+00:002007-12-12T01:05:00.000+00:00It was Winzip 8 if you're interested.It was Winzip 8 if you're interested.Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-3798604115389836864.post-60130317636163564122007-12-04T02:22:00.000+00:002007-12-04T02:22:00.000+00:00see my other post on bruteforcing a zip password h...see my other post on bruteforcing a zip password http://blog.itsecurityexpert.co.uk/2007/12/power-of-playstation.htmlSecurityExperthttps://www.blogger.com/profile/02816379340772195492noreply@blogger.comtag:blogger.com,1999:blog-3798604115389836864.post-44176548612762994962007-11-23T15:35:00.000+00:002007-11-23T15:35:00.000+00:00Sure I'm guessing which zip application was used, ...Sure I'm guessing which zip application was used, perhaps it's a free one either way you can still brute force / dictionary attack against a zip file password until the cows come home no matter what encryption is applied, sure it does take longer against a WinZip 9, but if you were determined enough could find ways to speed up the process.<BR/><BR/>One brute force Zip file cracker, "ZipCure" claims it can crack 90% of passwords within an hour with the right settings, including WinZip 9 files. Perhaps I should run some experiments with it and find out for sure.<BR/><BR/>It would be really interesting to find out the strength of the password HMRC used, but you know that will never come out. I really want to believe they used a non-trivial long password...<BR/><BR/>If only HMRC used PGP to zip the file, providing asymmetric encryption, guaranteeing only the recipient can decrypted/unzip and read the information. It's not as though PGP costs great deal more than WinZip either.SecurityExperthttps://www.blogger.com/profile/02816379340772195492noreply@blogger.comtag:blogger.com,1999:blog-3798604115389836864.post-59778845444035376592007-11-23T14:26:00.000+00:002007-11-23T14:26:00.000+00:00Not entirely true. If Winzip v9 or later was used,...Not entirely true. If Winzip v9 or later was used, there is a a mucch more secure password/encryption scheme used involving an RFC2898 password to key derviation function and AES encryption.<BR/><BR/>If they used this and a non-trivial short password then crack programs would struggle to reveal the password used.<BR/><BR/>See http://www.winzip.com/aes_info.htm<BR/>and<BR/>http://www.lastbit.com/zippsw/default.aspAnonymousnoreply@blogger.com