Do you wonder how vulnerable password-protected word-processing, spreadsheet, and Zip files are when users send them into the wild blue yonder? Wonder no more. Some great utilities can show how easily passwords are cracked. But there are some countermeasures you can take as well. Read on to learn more about both.
How to crack files
Most password-protected files can be cracked in seconds or minutes. You can demonstrate this “wow factor” security vulnerability to users and management. Here’s a hypothetical scenario that could occur in the real world:
- Your CFO wants to send some confidential financial information in an Excel spreadsheet to a company board member.
- She protects the spreadsheet by assigning it a password during the file-save process in Excel.
- For good measure, she uses WinZip to compress the file and adds another password to make it really secure.
- The CFO sends the spreadsheet as an e-mail attachment, assuming that the e-mail will reach its destination.
- The financial advisor’s network has content filtering, which monitors incoming e-mails for keywords and file attachments. Unfortunately, the financial advisory firm’s network administrator is looking in the content-filtering system to see what’s coming in.
- This rogue network administrator finds the e-mail with the confidential attachment, saves the attachment, and realizes that it’s password protected.
- The network administrator remembers a great password-cracking tool available from Elcomsoft called Advanced Archive Password Recovery that can help him out, so he uses it to crack the password.
If you carefully select the right options in Advanced Archive Password Recovery, you can drastically shorten your testing time. For example, if you know that a password is not over five characters long or is lowercase letters only, you can cut the cracking time in half.
You should perform these file-password-cracking tests on files that you capture with a content filtering or network analysis tool. This is a good way to determine whether your users are adhering to policy and using adequate passwords to protect sensitive information they’re sending.
Countermeasures
The best defense against weak file password protection is to require your users to use a stronger form of file protection, such as PGP, or the AES encryption that’s built in to WinZip, when necessary.
Ideally, you don’t want to rely on users to make decisions about what they should use to secure sensitive information, but it’s better than nothing. Stress that a file encryption mechanism, such as a password-protected Zip file, is secure only if users keep their passwords confidential and never transmit or store them in unsecure cleartext (such as in a separate e-mail).
If you’re concerned about unsecure transmissions through e-mail, consider using a content-filtering system or a data leak–prevention system to block all outbound e-mail attachments that aren’t protected on your e-mail server.
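A filter that blocks unprotected outbound attachments needs a way to tell a plain or ZipCrypto-protected Zip file from one that uses the AES encryption built in to WinZip. The script below is an added example, not code from the book or from any of the products it names: it reads the central directory of a Zip archive and classifies each member as unprotected, legacy ZipCrypto (general-purpose flag bit 0 set with an ordinary compression method), or WinZip AE-x AES (compression method 99 plus an 0x9901 extra field that carries the key size), then applies a simple allow/block policy. The sample archives are constructed in memory with a small hand-rolled builder, so their contents are not really encrypted; only the headers are marked the way real tools mark them. The function names (weakest_protection, allowed_outbound) and the policy itself are this example's own.

```python
import io
import struct
import zipfile
import zlib

# General-purpose flag bit 0: the entry is encrypted (legacy ZipCrypto or AES).
FLAG_ENCRYPTED = 0x0001
# WinZip AE-x stores AES entries with compression method 99 and an 0x9901 extra field.
METHOD_AES = 99
EXTRA_AES = 0x9901
AES_STRENGTH = {1: "AES-128", 2: "AES-192", 3: "AES-256"}
# Ranking used by the policy: one unprotected member exposes its contents no matter
# how the other members are protected, so the archive is scored by its weakest entry.
RANK = {"none": 0, "unknown": 1, "zipcrypto": 1, "AES-128": 2, "AES-192": 2, "AES-256": 2}

# Constructed AE-2 extra field: vendor version 2, vendor "AE", strength 3 (256-bit),
# actual compression method 8 (deflate). The member body is NOT actually encrypted here.
AES256_EXTRA = struct.pack("<HHH", EXTRA_AES, 7, 2) + b"AE" + struct.pack("<BH", 3, 8)


def build_zip(entries):
    """Build a minimal ZIP archive by hand from (name, flags, method, extra) tuples.
    Constructed sample data: only the headers matter for the classification below."""
    payload = b"constructed placeholder contents"
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    local_part = b""
    central_dir = b""
    for name, flags, method, extra in entries:
        name_b = name.encode("ascii")
        offset = len(local_part)
        # Local file header: signature, version, flags, method, time, date, crc, sizes, lengths.
        local_part += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, 0, 0,
                                  crc, len(payload), len(payload), len(name_b), len(extra))
        local_part += name_b + extra + payload
        # Central directory header: same fields plus comment length, disk, attributes, offset.
        central_dir += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method,
                                   0, 0, crc, len(payload), len(payload), len(name_b),
                                   len(extra), 0, 0, 0, 0, offset)
        central_dir += name_b + extra
    # End-of-central-directory record: entry counts, directory size and offset, no comment.
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries),
                       len(central_dir), len(local_part), 0)
    return local_part + central_dir + eocd


def iter_extra_fields(extra):
    """Yield (header_id, data) pairs from a ZIP extra-field blob."""
    pos = 0
    while pos + 4 <= len(extra):
        header_id, size = struct.unpack_from("<HH", extra, pos)
        yield header_id, extra[pos + 4:pos + 4 + size]
        pos += 4 + size


def classify_entry(info):
    """Return 'none', 'zipcrypto', 'unknown' or 'AES-128/192/256' for one ZipInfo."""
    if not info.flag_bits & FLAG_ENCRYPTED:
        return "none"
    if info.compress_type == METHOD_AES:
        for header_id, data in iter_extra_fields(info.extra):
            if header_id == EXTRA_AES and len(data) >= 7 and data[2:4] == b"AE":
                return AES_STRENGTH.get(data[4], "unknown")
        return "unknown"  # method 99 without a valid AE extra field: do not trust it
    return "zipcrypto"


def weakest_protection(zip_bytes):
    """Classify every member and return the weakest protection level found."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        levels = [classify_entry(info) for info in zf.infolist()]
    if not levels:
        return "none"  # an empty archive protects nothing
    return min(levels, key=RANK.__getitem__)


def allowed_outbound(zip_bytes):
    """Example policy: every member must use AES; plain or ZipCrypto archives are blocked."""
    return RANK[weakest_protection(zip_bytes)] >= 2


# Constructed sample archives exercising each case the policy must distinguish.
SAMPLES = {
    "plain.zip": build_zip([("budget.xlsx", 0, 0, b"")]),
    "zipcrypto.zip": build_zip([("budget.xlsx", FLAG_ENCRYPTED, 0, b"")]),
    "aes256.zip": build_zip([("budget.xlsx", FLAG_ENCRYPTED, METHOD_AES, AES256_EXTRA)]),
    # One AES member plus one unprotected member: scored by the unprotected one.
    "mixed.zip": build_zip([("budget.xlsx", FLAG_ENCRYPTED, METHOD_AES, AES256_EXTRA),
                            ("notes.txt", 0, 0, b"")]),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        verdict = "allow" if allowed_outbound(data) else "block"
        print(f"{name:14} weakest={weakest_protection(data):9} -> {verdict}")
```

Two caveats apply when wiring something like this into a mail gateway. First, the check only looks at the Zip container; the password the CFO set inside Excel is a separate protection that this script says nothing about. Second, AES in WinZip raises the floor but does not remove the dependence on the passphrase: a short or lowercase-only passphrase is still exposed to the kind of guessing the chapter describes, so the encryption check belongs alongside, not instead of, the policy on password quality and confidentiality.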