7-Zip app is flawed; which compression files are least likely to be hacked?

We have been working with 7-zip for some time; as a matter of fact, it was recommended by EE. We use it for large compression and complex, long password-protected files.  Today in a meeting we were informed that 7-zip can be hacked.  We didn't believe it until the person ran an app and unzipped one of our supposedly secure 7-zip files.  So our question is: which compression app is least likely to be hacked (WinZip, WinRAR, etc.), and which one can we trust? Are the oldies WinZip and WinRAR also hacked?
rayluvsAsked:
 
btanExec ConsultantCommented:
what did u mean by "Go for multi-factor or container based tool mentioned earlier"?
What I meant is to have the files in a container created by VeraCrypt (for example).
0
 
btanExec ConsultantCommented:
Actually, it is more due to secure coding, which leads to vulnerabilities that can be exploited. It is free software after all. Being open source, it is also peer reviewed and frequently tested by researchers, and any vulnerabilities should (in theory) get ironed out faster than in, say, the proprietary RAR.

That said, the developer took a while before being persuaded to secure the code. See https://nakedsecurity.sophos.com/2018/05/09/critical-bug-in-7-zip-make-sure-youre-up-to-date/

But if the demo is on the latest version then I will say it is a real concern but if it is on a weak password protected zip being brute forced successfully or even taking control of the terminal doing some keylogging etc, then that can also happen to most software. Patching is a rat chase, we know that so diligently we just have to shorten the window of exposure.

But looking at other archiving software such as WinRAR and even 7-Zip, they frequently store temporary files in temp folders and memory. A hacker can easily monitor those locations and extract private data.

That is why ultimately we cannot just depend on one layer. If really frantic, I am even thinking just use VeraCrypt and have a container to store those files, and go for multi-factor authentication like 2FA instead.  Ultimately, if those files are really important, adopt file/folder type encryption.
0
 
McKnifeCommented:
Look Rayluvs, you need to define what you are talking about.
What happened? Was someone able to open a password-protected 7-zip file? How was it created, which algorithm was used, was the password strong, and foremost, which version of 7-Zip was used to create it...? Without knowing that, all this is just hot air and so will be the suggestions.
0
 
JohnBusiness Consultant (Owner)Commented:
The newest versions of 7-Zip and WinZip (according to a brief read through Google) appear to be roughly equally secure.

Everyone in the world can crack ANY password (read Google) UNTIL they actually have to do it.  /me yawns.
0
 
rayluvsAuthor Commented:
Yes, of course, we are clear that nothing is 100% safe and all can be cracked one way or another, but not this fast.  I have downloaded apps to crack WinZip and WinRAR files and some do get cracked, but it takes days.  But the apps for cracking 7-zip files, not even a second.

Read the nakedsecurity link and decided to test it as follows:

- Download the latest 7-Zip, version 18.05.
- Compressed it with AES-256 (only option in 7-zip)
- Password used:
skj@%d982h-(@#&y)(#!|8542po926drom.a/.ml;kas\=-9087_hj209jmj%$as0089671_%$#@%$#@

And still the crack was in seconds.

We are in awe here; never seen this so fast.
And still the apps extracted all files within.
0
 
McKnifeCommented:
So will you share the name of the wonder tool that does the cracking?
0
 
rayluvsAuthor Commented:
So you are in awe also?

It's 7zcracker.
0
 
McKnifeCommented:
Sure, since that would mean a tool that is widely used is totally flawed. That is not cracking, cracking takes time - that is simply reading out the password. Will have to try that.
0
 
rayluvsAuthor Commented:
To be exact:
https://sourceforge.net/projects/sevenzcracker/files/latest/download

When we were shown this, the link was given to us to see for ourselves.
0
 
rayluvsAuthor Commented:
Tomato, potato, whatever name you wanna give it, it's the same thing: the files' contents have been accessed.
0
 
rayluvsAuthor Commented:
and it was the latest version of 7zip.
0
 
JohnBusiness Consultant (Owner)Commented:
Perhaps a weak, alphanumeric password.  Try a password with special characters and a decent (10 character) length and try again.

See if it can speedily crack a password like $eR%22Abrq!$
0
 
rayluvsAuthor Commented:
How's this for a password:

Ûèч¯ìÇä¾ÜĐÿ´ÓÛþ·›°Ú͸øõ¸¡òóÀä³êÔɤ¥  ˆìÖÊ–ó¼È”˜ ª®ýŽ³ž·¸–ƒÉ¬ßÜÛÔÇà¯Â›üŹÀÀüê´›²¡ûøöÖ˜‰¢§Ì¢üñÆÂξËïÑû½¨Ÿ“öÁ®¾›êÕç¾Û¸ßÁ±’›¥®Ñ†ÿ¯¹ÿÞ£ÎõŒšûÜÿÊÏëðæË·

in 1 second it extracted the contents.
0
 
JohnBusiness Consultant (Owner)Commented:
Then I would try a different Zip Product.
0
 
btanExec ConsultantCommented:
If it is a brute-force tool, there are a couple, like Rarcrack or oclHashcat.
http://rarcrack.sourceforge.net/
https://hashcat.net/hashcat/#features-algos
Go for multi-factor or the container-based tool mentioned earlier. That said, ultimately such a tool may still exist, and it is a matter of a risk-based approach.
0
 
JohnBusiness Consultant (Owner)Commented:
7-Zip is open source and the password "cracker" may have found a way around the password. Try a commercial product.
0
 
McKnifeCommented:
Does not work here, your cracker produces 0 KB output files.
Did you ever care to open those?
1
 
rayluvsAuthor Commented:
McKnife, it's my cracker (I wish it was hahaha!) - as per the instructions in README.txt, you have to download the additional 7za.exe file; if you don't, it won't work.

btan & John, thanks for the info; yes, we have to change the compression tool and go back to WinZip and/or WinRAR (with those I have seen it's more difficult to crack the encrypted file).

btan, you said "Go for multi-factor or container based tool mentioned earlier", do you mean after zipping the files, save them in an encrypted (VeraCrypt) container as added security?
0
 
rayluvsAuthor Commented:
We found a workaround in order for the file not to be hacked: checkmark "encrypt file names".  We noticed that 7zcracker just kept running and running (hours) and no results yet.

FYI

btan, what did u mean by "Go for multi-factor or container based tool mentioned earlier"?
0
 
nociSoftware EngineerCommented:
If you want better security, don't use an archiver with security bolted on. Why not use a tool meant for security to encrypt files....
e.g.:
aespipe   http://loop-aes.sourceforge.net
aescrypt  https://www.aescrypt.com/
pgp       (couldn't find a quick link)
gpg       http://www.gnupg.org/
0
 
rayluvsAuthor Commented:
Thanks... the Loop seems Linux but know how it works... the other 3 I never heard of, I guess they are prone to the same security breach; but will take a look at them (if not too complicated to use).
0
 
JohnBusiness Consultant (Owner)Commented:
Also reconsider commercial zip tools. No add-ons, workarounds or other stuff needed. Just password the zip file.
0
 
nociSoftware EngineerCommented:
They do not have the SAME security breach.... as those are not archive tools.
aespipe is not a loop device, but it is written by the same people.

See:
https://linux.die.net/man/1/aespipe

It just encrypts a stream of data. There is no readable list of files..., there isn't even a key in them.
FYI. The "CABLE GATE" (US embassy messages) a few years back were published as a big AESCRYPT file
and published around the world as insurance against the assassination of one or two persons that were analysing them.
You would need the key to decrypt them; the key was distributed amongst a few newspaper redactions.

So if those tools could be cracked that would be world news.  Effectively you would have a crack against AES in general then.....
Like I said, that would be news.

Strange that you never heard of (PGP) Pretty Good Privacy (Phil Zimmerman published it as open source code), that was the tool that effectively liberated Strong Encryption from the US NSA in the 1990s.
It made encryption available to the public. Because there was some "non-free" code in it, GNU made a cleanroom equivalent...
called GPG (GNU Privacy Guard).
PGP has been incorporated into many mail programs.
1
 
rayluvsAuthor Commented:
Yes John, we are considering it.

noci, I didn't know they are not archive tools; understood, but our question was directed at these tools.
0
 
rayluvsAuthor Commented:
Just saw your entry btan... understood, you mean instead of using archive tools, just save them to an encrypted container.
0
 
nociSoftware EngineerCommented:
Or send the created .zip file through one of the stream encryption tools; then you have reliably encrypted archives.
0
 
btanExec ConsultantCommented:
"We found a workaround in order for the file not be hacked; checkmark "encrypt file names"."
Actually I think the encrypted filename makes it difficult, as by default, w/o that, an encrypted ZIP file can be opened without the password. The only time you'll need the password is to actually extract the files out of the ZIP/7z file to use them.
1
 
McKnifeCommented:
Rayluvs, of course I used that "cracker" as advised in the manual with the 9.20 7za component. It does not work, it immediately says "Password is 1" (it is not) and the result files are 0-byte files.

Your "workaround" again suggests that you don't understand the tool and that you think as soon as you see the file names, the "cracking" has worked, while you see them anyway, even without a cracker, without needing a password.

Please upload a small .7z archive that you are able to "crack" for us to verify.
0
 
btanExec ConsultantCommented:
Same as McKnife shared findings. Initially, I thought it is x64 libraries but tried and still the same  
The Password Was: '1'
Time Used: '1.00554' Average Performance: '0' Passwords/Minute
PW:1
I have tried also the latest  standalone is 7za.exe from "7z1805-extra.7z" and the cracker's states "7za910.zip", but still the same  '1'.
0
 
☠ MASQ ☠Commented:
The proposed tool doesn’t work here either, haven’t tried looking at what it actually does but with my whitehat on suggest you don’t try decrypting the file on the machine you encrypted it on and then looking at how it copes. Move it onto a USB and a separate PC.
0
 
nociSoftware EngineerCommented:
With encrypted ZIP files the directory (at the end of the file) may or may not have been encrypted.
If encrypted it requires a password also; if NOT encrypted the contents' filenames, sizes, CRCs & dates are available.
(Using a hexdumper and looking at the tail of the file will show the difference between encrypted & non-encrypted.
In the latter the filenames should be recognizable.)
1
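
The point about the ZIP central directory can be checked directly. The following Python is an added example, not part of any post in this thread: it reads the directory at the tail of a classic ZIP without any password, using a constructed in-memory sample whose entries are only flagged as encrypted (the function names are hypothetical).

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"  # end-of-central-directory record (tail of the file)
CDFH_SIG = b"PK\x01\x02"  # central directory file header


def list_central_directory(data: bytes):
    """Return (name, encrypted_flag, crc32, size) per entry; no password needed."""
    eocd = data.rfind(EOCD_SIG)  # search backwards from the tail
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    total, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
    entries = []
    for _ in range(total):
        if data[pos:pos + 4] != CDFH_SIG:
            raise ValueError("central directory is not stored in the clear")
        (flags,) = struct.unpack_from("<H", data, pos + 8)
        crc, _csize, usize, nlen, xlen, clen = struct.unpack_from(
            "<IIIHHH", data, pos + 16)
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        entries.append((name, bool(flags & 0x0001), crc, usize))
        pos += 46 + nlen + xlen + clen  # fixed part + name + extra + comment
    return entries


def build_sample() -> bytes:
    """Constructed sample: entries are flagged encrypted, data is NOT really encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payroll-2018.xlsx", b"constructed sample data")
        zf.writestr("contracts/nda.docx", b"more constructed data")
    raw = bytearray(buf.getvalue())
    pos = raw.find(CDFH_SIG)
    while pos >= 0:  # set general-purpose flag bit 0 ("encrypted") on each entry
        raw[pos + 8] |= 0x01
        pos = raw.find(CDFH_SIG, pos + 4)
    return bytes(raw)


if __name__ == "__main__":
    for name, enc, crc, size in list_central_directory(build_sample()):
        print(f"{name:22} encrypted={enc} crc32={crc:08x} size={size}")
```

Seeing names, sizes and CRCs in this listing says nothing about whether the file data was decrypted; it only shows that the directory itself was stored in the clear.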
 
rayluvsAuthor Commented:
Sorry for the delay.  Just re-read all entries, went over the cracker and yes, it gives 0 bytes.  Couldn't find the original zip file that was opened by the tool, so the testing did now result in what a lot of you have seen, "0 bytes".

Concluded that we most probably didn't notice the "0 bytes".  So very sorry for the misleading observations.

Will proceed to close the question.

Thank you all.
0
 
JohnBusiness Consultant (Owner)Commented:
You are very welcome and I was happy to help out.
0
Question has a verified solution.
