Credits: The Register
Influential US Senator Ron Wyden (D-OR) is not happy about Uncle Sam’s employees using insecure .zip files and other archive formats to electronically transfer information.
The Oregon Democrat today sent a letter [PDF] to Walter Copan, director of America’s National Institute of Standards and Technology (NIST), asking that the standards body put together a guidance document for government workers on alternatives to .zip archiving tools.
“I write to ask that NIST create and publish guidance describing how individuals and organizations can safely share sensitive documents with others over the internet,” Silicon Ron urged. “Government agencies routinely share and receive sensitive data through insecure methods – such as emailing .zip files – because employees are not provided the tools and training to do so safely.”
As Wyden points out, data security experts have long considered the encryption algorithms used by stock .zip archiving tools, including those built into some editions of Microsoft Windows and Apple macOS, to be next to useless: they are usually too weak and can be easily cracked. Thus, creating password-protected .zip files to send government and other sensitive documents over the ‘net is considered unwise because the underlying algorithms used are probably insufficient, unless the sender goes out of their way to use software that employs stronger encryption.
For instance, back in 2005, eggheads devised a simple method to crack encrypted password-protected .zip archives created by Windows XP. The weak cipher used, and other since-cracked encryption methods, are still employed by many .zip archiving tools today.
And this is assuming the archives are password protected at all.
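The weak cipher the article refers to is the legacy "ZipCrypto" scheme, signalled by bit 0 of an entry's general-purpose flags with an ordinary compression method; AES-protected entries (the WinZip AE-x scheme) instead use compression method 99 and carry an extra field with header ID 0x9901. Because the central directory records these fields per entry, an auditor can tell from the headers alone whether an archive relies on the broken cipher, or on no encryption at all. The script below is an added example, not code from the article or from NIST: it builds a constructed three-entry archive (the payloads are dummy bytes, not real ciphertext, since only the headers matter here), walks the central directory, and reports which entries are unencrypted or ZipCrypto-protected. The entry names and the `audit_zip`/`weak_entries` helpers are this example's own.

```python
import struct
import zlib

# Constructed sample entries: (name, payload, general-purpose flags, method, extra field).
# Flag bit 0 marks encryption; method 99 plus a 0x9901 extra field marks WinZip AES.
SAMPLE_ENTRIES = [
    (b"readme.txt", b"public notes\n", 0x0000, 0, b""),
    (b"budget.xlsx", b"dummy payload", 0x0001, 8, b""),            # legacy ZipCrypto
    (b"budget-aes.xlsx", b"dummy payload", 0x0001, 99,
     struct.pack("<HHH2sBH", 0x9901, 7, 2, b"AE", 3, 8)),          # AE-2, AES-256, deflate
]

AES_STRENGTH = {1: "aes-128", 2: "aes-192", 3: "aes-256"}


def build_zip(entries) -> bytes:
    """Assemble a minimal zip container: local headers, central directory, EOCD.
    Payloads are stored verbatim; the 'encrypted' ones are not really encrypted
    because this builder only exists to exercise the header fields an auditor reads."""
    body, central = bytearray(), bytearray()
    for name, data, flags, method, extra in entries:
        offset = len(body)
        crc = zlib.crc32(data) & 0xFFFFFFFF
        # Local file header (30 bytes) followed by name, extra field and payload.
        body += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, 0, 0,
                            crc, len(data), len(data), len(name), len(extra))
        body += name + extra + data
        # Central directory header (46 bytes) followed by name and extra field.
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method,
                               0, 0, crc, len(data), len(data), len(name), len(extra),
                               0, 0, 0, 0, offset)
        central += name + extra
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries),
                       len(central), len(body), 0)
    return bytes(body + central + eocd)


def _extra_field(extra: bytes, wanted_id: int):
    """Return the data of the extra-field record with the given header ID, or None."""
    i = 0
    while i + 4 <= len(extra):
        hid, size = struct.unpack_from("<HH", extra, i)
        if hid == wanted_id:
            return extra[i + 4:i + 4 + size]
        i += 4 + size
    return None


def classify(flags: int, method: int, extra: bytes) -> str:
    """Map an entry's header fields to 'none', 'zipcrypto' or an 'aes-*' label."""
    if not flags & 0x0001:
        return "none"
    aes = _extra_field(extra, 0x9901)
    if method == 99 and aes is not None and len(aes) >= 7:
        return AES_STRENGTH.get(aes[4], "aes-unknown")   # byte 4 is the key strength
    if method == 99 or aes is not None:
        return "aes-unknown"                              # AES marker present but malformed
    return "zipcrypto"                                    # encrypted, but with the legacy cipher


def audit_zip(blob: bytes) -> list:
    """Walk the central directory and classify every entry's protection."""
    eocd = blob.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, count, _, cd_offset, _ = struct.unpack("<IHHHHIIH", blob[eocd:eocd + 22])
    results, pos = [], cd_offset
    for _ in range(count):
        fields = struct.unpack("<IHHHHHHIIIHHHHHII", blob[pos:pos + 46])
        sig, flags, method = fields[0], fields[3], fields[4]
        name_len, extra_len, comment_len = fields[10], fields[11], fields[12]
        if sig != 0x02014B50:
            raise ValueError("corrupt central directory")
        name = blob[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        extra = blob[pos + 46 + name_len:pos + 46 + name_len + extra_len]
        results.append({"name": name, "encryption": classify(flags, method, extra)})
        pos += 46 + name_len + extra_len + comment_len
    return results


def weak_entries(blob: bytes) -> list:
    """Names of entries that are either unencrypted or use legacy ZipCrypto."""
    return [e["name"] for e in audit_zip(blob) if not e["encryption"].startswith("aes")]


if __name__ == "__main__":
    archive = build_zip(SAMPLE_ENTRIES)
    for entry in audit_zip(archive):
        print(f"{entry['name']:<18} {entry['encryption']}")
    print("needs attention:", weak_entries(archive))
```

Run against a real archive, `audit_zip(open(path, "rb").read())` gives the same per-entry report; anything not labelled `aes-*` is a file that should not travel over email in that form. The check is deliberately header-only: it never needs the password and never touches the payload, so it is safe to run in a mail gateway or a pre-send hook, though note that a central directory can be edited by whoever holds the archive, so the labels describe what the container claims, not a proof of what was done to the contents.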
When government employees use these insecure tools to create .zip archives, Wyden argues, they are potentially putting sensitive information at risk of decryption and theft, and possibly creating a national security hazard should the messages be intercepted or the scrambled compressed archives be stolen.
The senator is not alone, either. Security experts agree that agency workers should not be using .zip archive tools for moving government documents.
“We cryptographers are arguing over PGP key sizes,” noted Associate Professor Matthew Green, a cryptography expert at Johns Hopkins University in Baltimore. “Meanwhile government employees are emailing each other documents encrypted with a cipher that was handily broken in the 1990s. This is one of those areas (like legacy SMS) where we’ve somehow gotten stuck with the least common denominator.
“There’s a huge opportunity for smart people in this field to come up with something much better.”
It appears Wyden wants NIST to do just that.
“The government must ensure that federal workers have the tools and training they need to safely share sensitive data,” he wrote. “To address this problem, I ask that NIST create and publish an easy-to-understand guide describing the best way for individuals and organizations to securely share sensitive data over the internet.”