Security through password-protected ZIP files?

In the internet age, where information travels around the globe within seconds and passes many routers and servers on its way, there should be an understanding of the need to secure one’s communication. However, the generation of leaders and decision makers in Japanese corporations did not grow up with the internet and in many cases lacks an understanding of how data flows and is processed on the way from the sender to the receiver.

Apparently a common way of trying to protect sensitive information such as cost calculations, project plans or meeting minutes is to compress the documents into a password-protected ZIP file and send it via email. The password is often given in the same email or in another email sent directly afterwards. Therefore a “man in the middle” who is able to read all email traffic would also be able to open the ZIP file. The revelations by Ed Snowden show the extent of global surveillance and make a case for industrial espionage using sophisticated and highly automated data acquisition and data mining techniques. Therefore it is more than naive to believe that protecting sensitive information using ZIP files would be sufficient.

Actually, it might even be dangerous to send password-protected ZIP files, because they can do major damage to the business partner. Let me explain why. The email protocol was designed more than 40 years ago, at a time when the internet was still small and the users were responsible persons who trusted each other. It is very easy to use a fake email address (so-called email spoofing) when sending mails, because the core protocol does not support authentication. This means somebody on the internet could just pretend to be someone else and send you an email containing some kind of malware. Nowadays most mail servers use anti-spam heuristics and virus filters, but if an email contains a password-protected ZIP file, the virus filter cannot check it. The receiver would have to trust that the sender of the email was actually the person who he or she claims to be. In many cases it is sufficient to open just a single compromised email attachment to let intruders take command of the victim’s computer and copy, manipulate or delete precious data.
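A mail gateway can at least recognise the attachments its virus filter is unable to inspect and hold them for review. The following sketch is an added example, not part of the original article; the function names, addresses and sample message are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

ENCRYPTED = 0x1  # ZIP general-purpose flag bit 0: entry is encrypted


def unscannable_attachments(raw_message: bytes) -> list[tuple[str, str]]:
    """Return (filename, reason) for ZIP attachments a content filter cannot inspect."""
    findings = []
    msg = message_from_bytes(raw_message, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if not data.startswith(b"PK"):  # judge by content, not by file extension
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                locked = [i.filename for i in zf.infolist() if i.flag_bits & ENCRYPTED]
        except zipfile.BadZipFile:
            findings.append((name, "malformed ZIP"))
            continue
        if locked:
            findings.append((name, f"encrypted entries: {len(locked)}"))
    return findings


def _sample_message(encrypted: bool) -> bytes:
    """Constructed sample mail with one ZIP attachment (addresses are placeholders)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("minutes.txt", "constructed sample content")
    blob = bytearray(buf.getvalue())
    if encrypted:
        # Set the encryption flag in the central directory record, which is
        # what readers consult when listing entries. The payload is not really
        # encrypted; this only imitates the header of a protected archive.
        cd = blob.find(b"PK\x01\x02")
        blob[cd + 8] |= ENCRYPTED
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.com", "receiver@example.com"
    msg["Subject"] = "Meeting minutes"
    msg.set_content("Please see the attachment.")
    msg.add_attachment(bytes(blob), maintype="application", subtype="zip",
                       filename="minutes.zip")
    return msg.as_bytes()
```

A gateway would quarantine or tag any message for which `unscannable_attachments` returns a non-empty list, since its contents reach the receiver unchecked.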

There are various solutions for securing email communication to a certain degree, such as PGP or S/MIME, to name just two of the more popular methods. Electronic eavesdropping is a multi-billion dollar business and probably a very profitable one as well. To many companies the dangers might not seem very concrete, and the damage done to corporations might seem hard to prove or to measure at this stage. Especially in times of cost cuts it’s hard to justify investments in some kind of “virtual security infrastructure”. However, in the end the game will be decided by the players who understand the rules and implement countermeasures effectively.