RE: Winzip and Due Diligence

From: Password Crackers, Inc. (pwcrack@pwcrack.com)
Date: Fri Mar 09 2007 - 20:03:14 EST


There are tools that can run a brute-force attack on Winzip files even if
they are AES-256 encrypted. However, the attack is slower than with a
traditionally encrypted .zip file and therefore only effective (in a
reasonable length of time) on short, simple and/or easily guessable
passwords.

I would not describe this as a weakness of Winzip, since virtually all
encryption programs would be similarly vulnerable, including RAR and PGP disk
encryption. The bottom line is, if your password is weak, strong crypto isn't
going to help.

Bob Weiss
President
Password Crackers, Inc.

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On
Behalf Of Matthew Webster
Sent: Thursday, March 08, 2007 3:49 PM
To: pen-test
Subject: Winzip and Due Diligence

Folks,

   I was poking around on Google and noticed there are some tools for
cracking WinZip passwords. Does anyone know whether or not these tools also
work on AES-256 encryption? My question is academic from a due diligence
standpoint. Technically WinZip is FIPS compliant, but if it can be cracked
easily, is this something we should really be recommending?

Thanks,

Matt
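As an added illustration of the point made in the reply above (it is not part of either message): a small Python estimate of how long exhausting a password's keyspace takes at two assumed guess rates, one for traditionally encrypted .zip files and a far lower one for the AES mode. The rates, the one-year feasibility threshold and the sample passwords are constructed assumptions, not figures from the thread.

```python
import math
import string

# Constructed, assumed guess rates (guesses per second) for one cracking
# machine. They only illustrate the thread's claim that attacking an
# AES-encrypted archive is slower than attacking a traditionally encrypted
# .zip; they are not measurements from the thread or from any tool.
GUESS_RATES = {
    "zipcrypto": 1e9,   # traditional zip encryption: cheap check per guess
    "winzip_aes": 1e5,  # AES mode: each guess pays for a key derivation
}
SECONDS_PER_YEAR = 365 * 24 * 3600
FEASIBLE_YEARS = 1.0  # assumed threshold: under a year means "crackable"


def charset_size(password: str) -> int:
    """Size of the smallest pool of standard character classes that covers
    every character of the password (what a brute-force search would use)."""
    pools = (string.ascii_lowercase, string.ascii_uppercase,
             string.digits, string.punctuation)
    size = sum(len(p) for p in pools if any(c in p for c in password))
    # Characters outside the four pools (spaces, non-ASCII) each add one symbol.
    size += sum(1 for c in set(password) if not any(c in p for p in pools))
    return size


def entropy_bits(password: str) -> float:
    """Brute-force entropy in bits, assuming a random pick from the pool."""
    return len(password) * math.log2(charset_size(password))


def years_to_exhaust(password: str, mode: str) -> float:
    """Worst-case years to try every password of this length and pool."""
    keyspace = charset_size(password) ** len(password)
    return keyspace / GUESS_RATES[mode] / SECONDS_PER_YEAR


def assess(password: str) -> dict:
    """Report whether the password survives brute force in each mode."""
    result = {"bits": round(entropy_bits(password), 1)}
    for mode in GUESS_RATES:
        years = years_to_exhaust(password, mode)
        result[mode] = {"years": years, "feasible": years < FEASIBLE_YEARS}
    return result


if __name__ == "__main__":
    for pw in ("abc123", "correct horse battery staple"):  # constructed samples
        print(pw, assess(pw))
```

The slower AES mode buys only a constant factor (here four orders of magnitude): a six-character password falls in both modes, and a long passphrase survives in both.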

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:39 EDT