Government agencies still send sensitive files via hackable .zips

We – as in, both the public and private sectors – are under the delusion that emailing content as password-protected .zip files is a secure way to share files, Senator Ron Wyden said in a letter sent to the National Institute of Standards and Technology (NIST) on Wednesday.

That’s just one of the non-secure ways that government agencies are sharing sensitive data, he said, because they don’t know how else to do it.

Government agencies routinely share and receive sensitive data through insecure methods – such as emailing .zip files – because employees are not provided the tools and training to do so safely.

That’s where you come in, Wyden said in the letter to NIST Director Walter G. Copan, asking that NIST come up with guidance on how to safely share sensitive documents with others over the internet. We need some help, Wyden said, given that it’s commonly thought that passwords protect .zip files…

…but often they don’t.

Wyden noted that off-the-shelf hacking tools can be used to break into many password-protected .zip files:

[M]any of the software programs used to create .zip files use a weak encryption algorithm by default

But it’s password protected!

Wyden’s absolutely right, concurred Matthew D. Green, a cryptography associate professor at Johns Hopkins University. As he said in a Twitter thread, on many old versions of Windows, when you password-protect a Zip file with the operating system’s default utility, it’s done with the crusty, old, broken legacy scheme.

In fact, we explained how to crack old-school zip files right here on Naked Security about two years ago, as a way of recovering for free from ransomware called Filecode, which relied on the original zipcrypt “cipher” scheme to scramble your files.

As Green said:

We cryptographers are arguing over PGP key sizes. Meanwhile government employees are emailing each other documents encrypted with a cipher that was handily broken in the 90s.

We’re at risk if we don’t do something

It’s bad enough that the government has to contend with hostile states cyber-stalking the government and cyber-targeting US infrastructure.

We shouldn’t also be using broken encryption schemes and leaving sensitive data vulnerable by insecure file-sharing workflows. It leaves us open to yet more data breaches and cyber attacks. From Wyden’s letter:

The government must ensure that federal workers have the tools and training they need to safely share sensitive data.

To address this problem, I ask that NIST create and publish an easy-to-understand guide describing the best way for individuals and organizations to securely share sensitive data over the internet.