By blog Jan 14 2022
In our 2021 blog series, we discussed PPAP, a file sharing method that is commonly used in Japanese companies and organizations, and its disadvantages. Approximately a year later, as PPAP is more and more viewed as an inadequate security measure, cloud storage is becoming the popular choice to replace it.
In our first blog of the year, we will revisit PPAP, examine recent developments and problems, and explain why cloud storage can be the best alternative.
While problems with PPAP have been known for a long time, there have been further significant developments in the past year. One of the most important has been the change in policy by Japanese government agencies.
On December 1st, 2021, the Ministry of Education, Culture, Sports, Science, and Technology (MEXT) announced the introduction of a system that will automatically save and download attached files in a cloud storage system instead of attaching them to emails after January 4th, 2022. One reason given for this change is “that in light of recent cases where malware, such as Emotet, has been able to bypass security checks through attached ZIP files with password protection, which raises concerns from a security perspective, [MEXT] is introducing this measure to strengthen security.”
While the Japanese Cabinet Office and Cabinet Secretariat had already abolished PPAP in November 2020, this government security policy change is expected to impact the private sector as well.
When MEXT announced the discontinuation of PPAP, malware attacks were cited as one of the reasons. In particular, the ministry named “Emotet,” malware first detected in 2014 and the cause of a series of infections since 2019.
According to a JPCERT Coordination Center report released in February 2020, at least 3,200 organizations in Japan have been infected by Emotet. They include Tokyo Metropolitan University (18,843 email addresses leaked), NTT West (1,343 email addresses, including customer email addresses, leaked), Kansai Electric Power (3,418 email addresses, including external parties, leaked), and other large corporations that should have implemented more careful security measures.
While Emotet’s activities seemed to have subsided after February 2020, there was new activity in July 2020, and in November 2021, the Japanese Information-technology Promotion Agency (IPA) announced that there were indications that Emotet attacks had resumed.
Emotet, which even forced MEXT to change its policy, is characterized by its high infectivity and spread. Difficult to detect, it cleverly disguises itself in Word or Excel files with macros that download the malware. When the victim opens the file and clicks on the “Enable Editing” or “Enable Content” button, the macro is triggered, and the email address and contents are stolen. The danger can be hard to spot because infected files often carry names that are common in the business world, such as “Meeting information.” Once in the system, the infection can quickly spread to other computers in the company or to business partners, causing the damage to spread even further.
MEXT’s main concern was that the PPAP method of sending a password-protected ZIP file attachment was not enough to detect and stop malware infection. In the following section, let’s review potential problems with PPAP.
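Why a password-protected ZIP attachment slips past security checks, shown as an added example (not code from the original post or from MEXT): a mail gateway can read each entry's file name and encryption flag, but not its content, so it can only flag the attachment rather than scan it. The sample archive, the function names, and the quarantine verdict are constructed for illustration.

```python
import io
import struct
import zipfile

ENCRYPTED = 0x1  # ZIP general-purpose flag bit 0: entry content is encrypted


def build_sample(encrypted: bool) -> bytes:
    """Constructed sample attachment. Python's zipfile cannot write encrypted
    archives, so encryption is simulated by setting flag bit 0 in the local and
    central headers, which is all a scanner sees without the password."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("Meeting information.doc", b"constructed sample body")
    data = bytearray(buf.getvalue())
    if encrypted:
        # (header signature, offset of the 2-byte flag field inside that header)
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.rfind(sig)
            (flags,) = struct.unpack_from("<H", data, pos + off)
            struct.pack_into("<H", data, pos + off, flags | ENCRYPTED)
    return bytes(data)


def triage_attachment(data: bytes) -> dict:
    """Report what a gateway can learn from a ZIP attachment with no password."""
    result = {"encrypted": [], "scannable": [], "verdict": "scan"}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & ENCRYPTED:
                # With standard ZIP encryption the name is readable, the body is not.
                result["encrypted"].append(info.filename)
            else:
                zf.read(info)  # content is available to pass to a malware scanner
                result["scannable"].append(info.filename)
    if result["encrypted"]:
        result["verdict"] = "quarantine"  # policy choice assumed for this example
    return result


if __name__ == "__main__":
    print(triage_attachment(build_sample(encrypted=True)))
    print(triage_attachment(build_sample(encrypted=False)))
```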
As pointed out in a previous blog post, one problem is that even if a protected ZIP file and password are sent in separate emails, if a third party can gain access to one of them, it is highly likely that they will be able to obtain both. Research has verified that it can be quite easy for an attacker to compromise PPAP security in this way.
In addition, PPAP rests on the assumption that a protected ZIP file is still safe if a third party obtains the file but not the password. However, is that really the case? Passwords can be vulnerable to someone with the right skills and a powerful, high-speed computer.
Digital Arts Ltd., an information security company, conducted a password security analysis using publicly available computers and an open-source password recovery tool. Searching at about one billion attempts per second, they found that, surprisingly, a 6-character combination of upper and lowercase letters could be cracked in less than one second. An increase to eight characters only took 20 seconds. Adding numbers to the letters resulted in a password that took a little longer to crack: a maximum of about two days.
Of even greater concern is that a group of specialized hackers can increase the computation speed and processing by hundreds or thousands of times by using multiple computers and high-performance GPUs simultaneously.
This means that there is not only a risk of malware infection with PPAP, but also a high possibility that ZIP file contents can be easily stolen.
Other identified problems with PPAP include the fact that a separate application is required to view ZIP files on mobile devices, which is an obstacle to the introduction of remote work, and that many companies automatically zip files and send passwords, which is a poor security measure. Obviously, there are some serious concerns regarding the use of PPAP, and companies would be wise to find more secure options.
To prevent malware infection, we all need to improve our digital literacy, avoid opening unverified attachments, and keep our security software and systems up-to-date. However, in the case of PPAP, considering the risk of passwords being compromised, a fundamental change is needed, and PPAP needs to be abolished immediately.
One of the easiest and most effective measures that companies can implement is a shift to cloud storage, something MEXT has already done as an alternative to PPAP.
With our cloud storage service, Tsukaeru FileBako, you can generate a link to the file you want to share, and then communicate the link and its password to another party through different media (e.g., email for the link and chat tool for the password), which solves one of the security risks of PPAP. Tsukaeru FileBako uses AES 256-bit encryption, which is one of the strongest encryption technologies currently available. Two-factor authentication is also available.
One benefit is that this very high level of security does not require installing a dedicated interface. FileBako can be used immediately in a familiar and comfortable format with shared folders that can be handled in Explorer for Windows and Finder for Mac.
With Tsukaeru FileBako, you don’t need a dedicated application for exchanging files as you do with PPAP. You can immediately synchronize and share files for remote work and on-site communication.
The low monthly unit price of 10,780 JPY, with a default capacity of 1TB, is the same whether you have 100 or 1,000 users, and there is no additional fee for adding more accounts.
To experience the functionality and peace of mind of using cloud storage for sharing files, please contact us below for a free trial of our Tsukaeru FileBako service.
Call toll-free: 0120-961-166
Office hours: 10:00-17:00