
FTP Hacking on the Rise

CmdrTaco posted more than 6 years ago | from the how-long-before-a-protocol-becomes-retro dept.

Security 212

yahoi writes "The disco-era File Transfer Protocol (FTP) is making a comeback, but not in a good way — spammers are now using the old-school file transfer technology to serve up bot malware, and even as a backdoor into some enterprises that neglect to lock down their oft-forgotten FTP servers. Researchers at F-Secure have spotted a new wave of exploits that use FTP — rather than a malicious URL, or an email attachment — to deliver their malware payloads because few gateways scan for FTP attachments these days."


212 comments


What's next? (5, Funny)

Anonymous Coward | more than 6 years ago | (#22728210)

Gopher?

Re:What's next? (5, Funny)

gnick (1211984) | more than 6 years ago | (#22728468)

Gophers are actually not that hard to hack, although most of my experience is with prairie dogs. About 250 yards out with a decent scope and 'opening a port' is not that hard. Known exploit.

Re:What's next? (2, Funny)

PitaBred (632671) | more than 6 years ago | (#22728800)

Ever try opening a port with a .30-06? You don't have much left to hack...

Re:What's next? (2, Funny)

3p1ph4ny (835701) | more than 6 years ago | (#22728828)

It depends on the architecture.

Re:What's next? (1, Funny)

Anonymous Coward | more than 6 years ago | (#22728826)

I know many /.ers are sexually frustrated, but we really don't need to hear about how you're experienced "scoping" prairie dogs' ports.

Re:What's next? (4, Funny)

ObsessiveMathsFreak (773371) | more than 6 years ago | (#22729166)

WARNING: Attempting to hack Groundhogs may result in an infinite loop.

Re:What's next? (1)

Em Adespoton (792954) | more than 6 years ago | (#22729124)

Nah; why use Gopher? It requires too much infrastructure and nobody has a client that can handle it anymore.... sort of like Archie.

I'd place my bets on something like WAIS or LDAP myself ;)

most servers have delete blocked... (0)

Anonymous Coward | more than 6 years ago | (#22728214)

a good number of servers block incoming ftp delete messages, but most don't totally block incoming files... which is where the issue is. Way back in the day (1990s), hackers could delete stuff in ftp left and right like crazy. Security has improved to stop that, but not this.

Uh oh (4, Insightful)

B3ryllium (571199) | more than 6 years ago | (#22728228)

Further proof that FTP is for chumps. :) scp to the rescue!

Re:Uh oh (3, Informative)

Brian Gordon (987471) | more than 6 years ago | (#22728270)

SCP? Still disco-era. Try sftp, might as well since we tunnel every other service under the sun through ssh.

Re:Uh oh (5, Insightful)

B3ryllium (571199) | more than 6 years ago | (#22728438)

Disco-era? It was first implemented in 1995. That's the New Kids era, not the Disco era.

Re:Uh oh (5, Funny)

winkydink (650484) | more than 6 years ago | (#22728686)

Agree. The disco era ended sometime in the late 70's / early 80's. Of course, that's before half of the /. posters were born, so it's understandable that they wouldn't know this.

Hey! You! Get off my lawn!

Xmodem! (0, Redundant)

wsanders (114993) | more than 6 years ago | (#22728940)

Dagnabbit you kids get the hell off my lawn, you're messing up my 2400 baud modem reception!

Re:Uh oh (5, Funny)

Anonymous Coward | more than 6 years ago | (#22728998)

The disco era ended sometime in the late 70's / early 80's.
It didn't end, it just got too cool for you.

-- Disco Stu

Re:Uh oh (4, Informative)

Anonymous Coward | more than 6 years ago | (#22728872)

Disco-era? It was first implemented in 1995.

Then why were people writing about it in 1971?
http://tools.ietf.org/html/rfc114 [ietf.org]

Moderation borked? (0)

Anonymous Coward | more than 6 years ago | (#22729086)

Starting score: -1, Informative moderation: 0?

Re:Uh oh (4, Informative)

fizzup (788545) | more than 6 years ago | (#22729088)

I think you may have misunderstood. RFC 114 refers to FTP, which is from the 70s. The poster was talking about scp, which is certainly from the mid-90s.

Now, whether 1971 counts as disco-era is another question. I would say that it is pre-disco, since every school child knows that the disco era started with Soul Makossa [wikipedia.org] in 1973.

Re:Uh oh (1)

leamanc (961376) | more than 6 years ago | (#22729082)

The history lesson continues. 1995 was hardly the New Kids era. Their era ended in '90 or '91. The New Kids put out a ridiculous pseudo-gangsta album in 1994 as NKOTB [wikipedia.org] and broke up shortly thereafter.

If anything, 1995 was the post-grunge hangover era. Bands like Bush, Seven Mary Three and POTUSA ruled the airwaves. And Alanis. Unfortunately, I associate 1995 with hearing "You Oughta Know" 18 times a day on the radio.

Re:Uh oh (0, Redundant)

driddle (963264) | more than 6 years ago | (#22729148)

I think you mean the current generation of FTP was created in 1985 not 1995.

See http://tools.ietf.org/html/rfc959 [ietf.org]

But that was not the first RFC published on FTP; the first was in 1971:

http://tools.ietf.org/html/rfc114 [ietf.org]

Here is a history of FTP:

The first FTP standard was RFC 114, published in April 1971, before TCP and IP even existed. This standard defined the basic commands of the protocol and the formal means by which devices communicate using it. At this time the predecessor of TCP (called simply the Network Control Protocol or NCP) was used for conveying network traffic. There was no Internet back then. Its precursor, the ARPAnet, was tiny, consisting of only a small group of development computers.

A number of subsequent RFCs refined the operation of this early version of FTP, with revisions published as RFC 172 in June 1971 and RFC 265 in November 1971. The first major revision was RFC 354, July 1972, which for the first time contained a description of the overall communication model used by modern TCP, and details on many of the current features of the protocol. In subsequent months many additional RFCs were published, defining features for FTP or raising issues with it. In RFC 542, August 1973, the FTP specification looks remarkably similar to the one we use today, over three decades later, except that it was still defined to run over NCP.

After a number of subsequent RFCs to define and discuss changes, the formal standard for modern FTP was published in RFC 765, File Transfer Protocol Specification, June 1980. This was the first standard to define FTP operation over modern TCP/IP, and was created at around the same time as the other primary defining standards for TCP/IP.

RFC 959, File Transfer Protocol (FTP), was published in October 1985 and made some revisions to RFC 765, including the addition of several new commands, and is now the base specification for FTP. Since that time a number of other standards have been published that define extensions to FTP, better security measures and other features. (Some of these are discussed in the general operation section in the appropriate places.)

http://www.primusweb.com/fitnesspartner/library/activity/gf_guide1.htm [primusweb.com]

Re:Uh oh (1)

klx (458077) | more than 6 years ago | (#22729224)

New Kids era? They were implemented in 1986. Try Hanson era.

Re:Uh oh (1)

B3ryllium (571199) | more than 6 years ago | (#22729312)

Fair enough. :)

Re:Uh oh (0)

Anonymous Coward | more than 6 years ago | (#22729334)

I think you'll find FTP is a little older than that.

"The first FTP standard was RFC 114, published in April 1971"
(http://www.tcpipguide.com/free/t_FTPOverviewHistoryandStandards.htm)

Re:Uh oh (1)

revlee (105742) | more than 6 years ago | (#22729360)

1995? That may have been when you first used it, but the RFC's (http://www.wu-ftpd.org/rfc/ [wu-ftpd.org] ) date back to 1971.

Re:Uh oh (2, Interesting)

Critical Facilities (850111) | more than 6 years ago | (#22728446)

Yeah, cause no one [networkworld.com] uses [gatech.edu] FTP [leo.org] anymore [redhat.com] , right [slackware.com] ?

Re:Uh oh (1)

B3ryllium (571199) | more than 6 years ago | (#22728518)

I dunno about you, but I downloaded my last two distro ISOs (Knoppix and Ubuntu) using BitTorrent ... :)

Re:Uh oh (1)

Critical Facilities (850111) | more than 6 years ago | (#22728590)

Absolutely I did, but I'm just saying it's not like FTP is obscure.

Re:Uh oh (1)

Critical Facilities (850111) | more than 6 years ago | (#22728540)

Whoops, that first "no one" [yggdrasil.com] was supposed to have that link.

Re:Uh oh (5, Insightful)

ivan256 (17499) | more than 6 years ago | (#22728624)

Some of us don't care to waste cycles encrypting data that doesn't need to be encrypted.

Re:Uh oh (-1, Flamebait)

Oliver Defacszio (550941) | more than 6 years ago | (#22728704)

Dude, don't you know that it's Slashdot-hip to be ultra-paranoid about absolutely everything? Picking and choosing your encryption needs based upon, gasp, practicality and with an eye toward efficient use of your technological resources isn't going to win you any points around this place.

Just a heads-up before you get scorched and jabbed for taking a level-headed approach to something.

Re:Uh oh (3, Funny)

B3ryllium (571199) | more than 6 years ago | (#22728712)

... you probably recycle your waste electrons, too, don't you?

Re:Uh oh (1)

gnick (1211984) | more than 6 years ago | (#22728788)

What do you suggest I do when my bit-bucket fills up?

Re:Uh oh (1)

Anonymous Coward | more than 6 years ago | (#22729152)

In the era of unwarranted wiretaps that funnel information to large corporate interests, who are building concentration camps on US soil and who have piloted the "let's see who we can imprison indefinitely while making end-runs around the legal system" programme, you have data that /doesn't need to be encrypted/?

You must be new here.

Re:Uh oh (1)

cHiphead (17854) | more than 6 years ago | (#22729160)

More than that, this is not news at ALL. All of the malware has been using FTP for years, it's the 'other' distribution methods that seem to be showing up a little more often, but FTP traffic is a lot less suspicious on a very large LAN.

Cheers.

Re:Uh oh (1)

ajs (35943) | more than 6 years ago | (#22728900)

Disco-era? FTP?! Hmmm... last I checked, FTP was one of the world's most widely used file transfer protocols.

... and so on.

Re:Uh oh (2, Insightful)

B3ryllium (571199) | more than 6 years ago | (#22728986)

"Disco-era" is meant literally in the case of the original post, since its advent coincides with that of disco music.

And being one of the most widely used protocols doesn't mean it's not for chumps. It just means there are a lot of chumps.

Re:Uh oh (1)

Otto (17870) | more than 6 years ago | (#22729028)

All the FTP usage is probably under a couple of percent. Torrents surpassed 50% of the total internet traffic some time ago.

Nothing wrong with ftp (4, Insightful)

koffie (174720) | more than 6 years ago | (#22729396)

except perhaps for the sloppy authentication in the clear and the awkward use of random ports initiated in the wrong direction (from server to client).

What is wrong is that there are ftp servers allowing anonymous write access. That is how those miscreants work: they put a malicious file up on an anonymous ftp server (that allows write access) and then craft ftp URLs to spam people with.

I remember we warned all ftp server administrators about the issue 10 or more years ago, back when I was a rookie.

Of course scp/sftp is way better, everyone knows that. Or not?
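Added example, not part of the original thread: one way a server administrator can spot the pattern described in the comment above (a file dropped by an anonymous user, then fetched by other hosts) in an FTP transfer log. It assumes the log is in the wu-ftpd-style xferlog format, which vsftpd and ProFTPD can also write; the extension list, host addresses and log lines are constructed for illustration.

```python
"""Find files uploaded by anonymous FTP users and who fetched them afterwards."""
from dataclasses import dataclass

# Extensions treated as executable content (an assumption; adjust per site).
RISKY_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs")


@dataclass
class Transfer:
    timestamp: str
    remote_host: str
    size: int
    filename: str
    direction: str    # "i" = upload to server, "o" = download, "d" = delete
    access_mode: str  # "a" = anonymous, "g" = guest, "r" = real account
    complete: bool


def parse_xferlog_line(line):
    """Parse one xferlog line; return None when it is malformed.

    Eight fields are taken from the left (five date tokens, transfer time,
    remote host, size) and nine from the right, so the filename in the
    middle survives even if it contains whitespace.
    """
    tokens = line.split()
    if len(tokens) < 18:
        return None
    head, tail = tokens[:8], tokens[-9:]
    direction, access_mode, status = tail[2], tail[3], tail[8]
    if direction not in ("i", "o", "d") or access_mode not in ("a", "g", "r"):
        return None
    try:
        size = int(head[7])
    except ValueError:
        return None
    return Transfer(
        timestamp=" ".join(head[:5]),
        remote_host=head[6],
        size=size,
        filename=" ".join(tokens[8:-9]),
        direction=direction,
        access_mode=access_mode,
        complete=(status == "c"),
    )


def audit(lines):
    """Return {filename: finding} for every file an anonymous user uploaded.

    Each finding also collects the other hosts that later downloaded the
    file anonymously, which shows whether the server is being used to
    hand the file out.
    """
    findings = {}
    for line in lines:
        t = parse_xferlog_line(line)
        if t is None or t.access_mode != "a":
            continue
        if t.direction == "i":
            findings[t.filename] = {
                "uploaded_by": t.remote_host,
                "uploaded_at": t.timestamp,
                "risky_type": t.filename.lower().endswith(RISKY_EXTENSIONS),
                "downloaders": set(),
            }
        elif t.direction == "o" and t.filename in findings:
            if t.remote_host != findings[t.filename]["uploaded_by"]:
                findings[t.filename]["downloaders"].add(t.remote_host)
    return findings


# Constructed sample log (documentation address ranges, made-up files).
SAMPLE_LOG = """\
Thu Mar 13 02:14:07 2008 3 203.0.113.7 184320 /incoming/invoice_viewer.exe b _ i a mozilla@example.com ftp 0 * c
Thu Mar 13 02:20:41 2008 1 198.51.100.23 184320 /incoming/invoice_viewer.exe b _ o a guest@example.net ftp 0 * c
Thu Mar 13 02:21:02 2008 1 198.51.100.88 184320 /incoming/invoice_viewer.exe b _ o a guest@example.org ftp 0 * c
Thu Mar 13 09:00:12 2008 2 192.0.2.15 20480 /pub/README.txt a _ o a user@example.com ftp 0 * c
Thu Mar 13 09:05:30 2008 4 192.0.2.40 51200 /home/alice/report.pdf b _ i r alice ftp 0 * c
this line is truncated
"""

if __name__ == "__main__":
    for name, f in audit(SAMPLE_LOG.splitlines()).items():
        level = "HIGH" if f["risky_type"] else "review"
        print(f"[{level}] {name} uploaded anonymously by {f['uploaded_by']} "
              f"at {f['uploaded_at']}; fetched by {len(f['downloaders'])} other host(s)")
```

Any hit means anonymous write access is enabled somewhere on the server, which is the setting the comment says should be off.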

Big deal.. (5, Insightful)

Junta (36770) | more than 6 years ago | (#22728238)

First off, since when is a 'URL' considered a transport mechanism rather than syntax for specifying a transport mechanism and location? Is ftp://whatever.example.com/badcode/ [example.com] not a URL because it's ftp now? That's a goofy statement.

And then, this isn't about ftp being hacked, just that bad software is being hosted using ftp as well as http (which I presume is what is meant by 'URL') or being emailed.

And, ftp is not merely an ancient, deprecated protocol. It's still widely used because it does what it is intended for well and works under high load readily.

Re:Big deal.. (1)

Ed Avis (5917) | more than 6 years ago | (#22728404)

It's true that ftp works reliably under high load. Then again, so does http. If you just want to serve some files to an anonymous public, I can't see much reason to not just put them in a directory and let Apache serve them - or some faster web server if you really have such a fast network link that Apache can't saturate it.

For authenticated file transfers, is there any reason to use ftp instead of the ssh file transfer protocol (sftp)?

Re:Big deal.. (1)

Firehed (942385) | more than 6 years ago | (#22728516)

Depends on the sensitivity of what's being transported. With both protocols, all you need (from a user perspective anyways) is a good login and password. But if someone is eavesdropping on the connection, you really don't want your DB connection credentials or latest internal builds going over a plaintext line.

Re:Big deal.. (2, Insightful)

PlusFiveTroll (754249) | more than 6 years ago | (#22728528)

Yes because http is the best way to download a directory of uncompressed files all at once

Stuffing everything in a big compressed file sucks for dial up users, ftp has its purpose.

Re:Big deal.. (3, Informative)

garett_spencley (193892) | more than 6 years ago | (#22728572)

"For authenticated file transfers, is there any reason to use ftp instead of the ssh file transfer protocol (sftp)?"

Unfortunately there's a lot of software that simply does not support ssh/scp/sftp and will only work with FTP. Joomla is an example of a CMS that uses FTP to update template files and such that the web server can not write to. In this case you create an FTP server that listens on 127.0.0.1:21 and the PHP script, run under the web server user, FTPs to the host and logs in under a different user to upload the changes.

I've also got some business software that I run on my local machine that FTPs to my web server to upload new files. I really wish it would support ssh but it doesn't.

Maybe ssh tunnels are the way to go for such situations ? Either way FTP is still used for such circumstances. These programmers really need to get with the times.

Re:Big deal.. (1)

cromar (1103585) | more than 6 years ago | (#22728848)

Couldn't you use SSH tunneling [oreillynet.com] ?

Re:Big deal.. (4, Insightful)

Mr. Sketch (111112) | more than 6 years ago | (#22728658)

is there any reason to use ftp instead of the ssh file transfer protocol (sftp)?
Well, since no version of Windows I know of comes with SSH/SCP/SFTP support out of the box, I think you have your reason right there. People don't want to have to download third party programs to do what they consider basic tasks, so providers fall back to protocols that have wide support (HTTP/FTP). Bittorrent seems to be an anomaly in this argument, but probably because it has more uses.

Re:Big deal.. (1, Troll)

daveime (1253762) | more than 6 years ago | (#22728746)

Yes, because if it did, they'd just be accused of anti-competitive practices ONCE AGAIN, bad old Microsoft, stealing the food from the mouths of poor SSH client developers, naughty naughty. Damned if they do, damned if they don't :-(

Re:Big deal.. (1)

Ferzerp (83619) | more than 6 years ago | (#22729308)

I don't really think this a troll. It is pretty true.

Re:Big deal.. (2, Informative)

Hatta (162192) | more than 6 years ago | (#22728922)

I trust the security of vsftpd more than I do apache.

Re:Big deal.. (1)

faxafloi (228519) | more than 6 years ago | (#22729382)

For authenticated file transfers, is there any reason to use ftp instead of the ssh file transfer protocol (sftp)?

Depends on how they're authenticated. If your customer has a shell account on your machine, you're right. But some ftp servers authenticate against, say, ldap or a database. Keeps your customers out of /etc/passwd.

You could certainly do this for a few files with http. But when there are ~2000 files totaling ~100 GB, and the customer is of the old school who probably doesn't know (or care) what torrent is, ftp is the way to go.

Re:Big deal.. (0)

Anonymous Coward | more than 6 years ago | (#22728418)

First off, since when is a 'URL' considered a transport mechanism rather than syntax for specifying a transport mechanism and location?
<reply type="snakry">Since August 1998 [ietf.org] </reply>

Re:Big deal.. (1)

Sebastian Reichelt (1241416) | more than 6 years ago | (#22728512)

You are correct about the mistakes in the summary. However, this is also about FTP servers being hacked, to make them distribute the malware in the first place. Getting upload access to an abandoned FTP server is probably much easier than using SSH or some Windows folder sharing stuff, especially since you automatically have a URL where everyone can download the malware.

And the newest exploit... (4, Funny)

downix (84795) | more than 6 years ago | (#22728244)

They have conquered WWW and Email, now FTP, next on their list... NTP! Yes, hacking through your clock, I can see it now! Malware which will make you either cronically early, or late!

Re:And the newest exploit... (3, Informative)

Frozen Void (831218) | more than 6 years ago | (#22728318)

google "NTP exploit"

Re:And the newest exploit... (2, Funny)

Idiomatick (976696) | more than 6 years ago | (#22728756)

Oddly enough this post showed up as 4th on google right after your post. Time loop?

Re:And the newest exploit... (0)

Anonymous Coward | more than 6 years ago | (#22728406)

While I'd love to have a piece of malware as an excuse for why I show up to work late (;>), the idea itself is actually a pretty serious one -- _plenty_ of OS platforms are now using NTP to keep their clocks in sync, particularly on servers. A buffer overflow or some other vulnerability in a common NTP implementation combined with a compromised NTP server could theoretically spell disaster -- hundreds of thousands of machines could be compromised on the very next sync.

This is one funny idea that I hope never gets implemented.

Re:And the newest exploit... (1)

sm62704 (957197) | more than 6 years ago | (#22728484)

They have conquered WWW and Email, now FTP, next on their list... NTP! Yes, hacking through your clock, I can see it now! Malware which will make you either cronically early, or late!

They already did! [slashdot.org]

Re:And the newest exploit... (1)

Otter (3800) | more than 6 years ago | (#22728548)

NTP! Yes, hacking through your clock, I can see it now! Malware which will make you either cronically early, or late!

I'm not sure if that's a typo or a pun...

Incidentally, while TFA is interesting, the summary here is a mix of inaccurate and incoherent.

Re:And the newest exploit... (1, Funny)

Anonymous Coward | more than 6 years ago | (#22728708)

Malware which will make you either cronically early, or late!
I believe that is referred to as Daylight Saving Time.

Re:And the newest exploit... (3, Informative)

skeeto (1138903) | more than 6 years ago | (#22729242)

Actually, the OpenBSD guys believed the original NTP implementation to be a security risk and thus created their own: see Using OpenNTPD [openbsd.org] and this post [advogato.org] by the OpenNTPD maintainer.

Don't forget (0)

bperkins (12056) | more than 6 years ago | (#22728258)

to type "bin."

Re:Don't forget (1)

jo42 (227475) | more than 6 years ago | (#22729054)

You mean "pasv" then "bin".

Different protocol, but same stupidity (5, Informative)

DigitalSorceress (156609) | more than 6 years ago | (#22728262)

Well, for my money, anyone who blindly clicks on a link.... FTP or HTTP and runs an executable that comes from it is going to get infected regardless of what protocol was used for it.

The fact that a lot of gateways prevent certain actions based on the protocol just makes the "any key" users blindly click on stuff without worry - after all, they've "got protection"

When it comes to any infection vector that involves social engineering, your brain (should you choose to use it) is your best virus protection.

Re:Different protocol, but same stupidity (0)

Anonymous Coward | more than 6 years ago | (#22729340)

Hang on a second... Let me code up a hidden iframe and put it in an advertisement (or some other such) and put it on a public web site, let's say: Wired.com.

Voila, you typed wired.com into your address bar and you got exploited.

When again did you click on a link????

FTP attachments? (5, Insightful)

Anonymous Coward | more than 6 years ago | (#22728264)

because few gateways scan for FTP attachments these days.

Er, that's because there's no such thing as an FTP attachment? If you are referring to links, then I'm not aware of any virus checkers that automatically download and check HTTP links either.

Can anybody translate this into something that makes sense?

Re:FTP attachments? (3, Informative)

phaunt (1079975) | more than 6 years ago | (#22728320)

because few gateways scan for FTP attachments these days.


Er, that's because there's no such thing as an FTP attachment? If you are referring to links, then I'm not aware of any virus checkers that automatically download and check HTTP links either.

Can anybody translate this into something that makes sense?

I believe the writer of the summary has mixed up two things:
  • Gateways don't bother with FTP traffic
  • Instead of malicious attachments, e-mails include links to ftp servers.
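Added example, not part of the original thread: a sketch of how a mail gateway could treat the ftp links described above the way it treats attachments, by decoding every text part of a message and listing the ftp:// URLs it carries. The extension list, function name and sample message are constructed for illustration.

```python
"""List ftp:// links carried in an e-mail so a gateway can inspect them."""
import re
from email import message_from_string
from email.policy import default
from urllib.parse import unquote, urlsplit

# Extensions treated as executable content (an assumption; adjust per site).
RISKY_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs")

# An ftp URL runs until whitespace, a quote, an angle bracket or ")".
FTP_URL_RE = re.compile(r"""ftp://[^\s"'<>)]+""", re.IGNORECASE)


def ftp_links(raw_message):
    """Return one record per distinct ftp:// URL found in any text part.

    get_content() undoes the transfer encoding (quoted-printable, base64)
    first, so a link that is split or escaped on the wire is still found.
    """
    msg = message_from_string(raw_message, policy=default)
    seen, results = set(), []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        for match in FTP_URL_RE.finditer(part.get_content()):
            url = match.group(0).rstrip(".,;")  # drop sentence punctuation
            if url in seen:
                continue
            seen.add(url)
            pieces = urlsplit(url)
            path = unquote(pieces.path)
            results.append({
                "url": url,
                "host": pieces.hostname,
                "path": path,
                "embedded_credentials": pieces.username is not None,
                "risky_type": path.lower().endswith(RISKY_EXTENSIONS),
            })
    return results


# Constructed sample: the HTML part is quoted-printable and the link is
# broken across two lines by a soft line break ("=" at end of line).
SAMPLE_MESSAGE = """\
From: billing@example.com
To: user@example.org
Subject: Your invoice
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="BOUND"

--BOUND
Content-Type: text/plain; charset="us-ascii"

Your invoice is ready: ftp://files.example.net/pub/incoming/invoice%20viewer.exe.

--BOUND
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<a href=3D"ftp://files.example.net/pub/incoming/invoice%20vie=
wer.exe">View invoice</a>
--BOUND--
"""

if __name__ == "__main__":
    for link in ftp_links(SAMPLE_MESSAGE):
        flag = "executable" if link["risky_type"] else "other"
        print(f"{link['host']} {link['path']!r} ({flag})")
```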

Re:FTP attachments? (1)

DigitalSorceress (156609) | more than 6 years ago | (#22729030)

Yeah, I think they're probably talking about firewalls / anti-spam appliances. I used the term "gateways" myself in another reply, but I was thinking of firewalls...

I blame it on a severe caffeine deficiency which I shall now remedy.

Re:FTP attachments? (1)

plague3106 (71849) | more than 6 years ago | (#22728410)

Er, that's because there's no such thing as an FTP attachment? If you are referring to links, then I'm not aware of any virus checkers that automatically download and check HTTP links either.

Can anybody translate this into something that makes sense?


Yes, virus checkers can check the HTTP stream and abort the download if they find something. I think Norton was doing this in early 2001, I don't know if they still are.

Re:FTP attachments? (0)

Anonymous Coward | more than 6 years ago | (#22728930)

Yes, virus checkers can check the HTTP stream and abort the download if they find something.

I don't think any virus checkers do that. They hook into the filesystem and check newly created files, don't they? In which case, it doesn't matter whether the file was downloaded via HTTP, FTP, or any other protocol.

Re:FTP attachments? (2, Interesting)

WK2 (1072560) | more than 6 years ago | (#22728608)

Can anybody translate this into something that makes sense?

OK. Via spam, F-Secure found a malware web page with an ftp link. They think this is going to be a trend. Some businesses proxy http connections, and scan downloads for viruses. They believe that malware authors will shift away from http to ftp because there is a less likely chance that downloads will be scanned.

I don't see this happening. It is speculation, and I think malware authors will just use whatever servers they have access to, or whatever they know how to set up. Few organizations scan http or ftp files that go through their gateways.

To be fair to F-Secure, though, they used tech terms correctly. They properly distinguished between email attachments, http, and ftp. They didn't use the word URL in the entire article. The reporter (or possibly CmdrTaco) likely didn't fully understand what the article says, and thought, "ZOMG!! NEW HAX ATTACKS!! MUST ALERT SLASHDOT!!!"

Re:FTP attachments? (1)

Sylver Dragon (445237) | more than 6 years ago | (#22728798)

I think one of the other important points the article makes is that the hacked FTP servers aren't just random FTP servers nor are they just small shops running Windows SBS with the Next-Next-Next install and no one monitoring them. The FTP servers were from large companies whom users might trust.

As has been said by someone above, blindly trusting links you get in emails, and then running the linked executable, either requires an amazing amount of ignorance these days, or a special kind of stupid. Yet, somehow, trojans are alive and well in the intertubes.

Re:FTP attachments? (1)

hackstraw (262471) | more than 6 years ago | (#22728882)

becoose-a foo getooeys scun fur FTP ettechments zeese-a deys.

Um gesh dee bork, bork! Ir, thet's becoose-a zeere's nu sooch theeng es un FTP ettechment? Iff yuoo ere-a refferreeng tu leenks, zeen I'm nut evere-a ooff uny furoos checkers thet ootumeteecelly doonlued und check HTTP leenks ieezeer. Hurty flurty schnipp schnipp!

Cun unybudy trunslete-a thees intu sumetheeng thet mekes sense-a?

Re:FTP attachments? (1)

Crudely_Indecent (739699) | more than 6 years ago | (#22729420)

something that makes sense
This is a phenomenon I like to call "talking out of the side of your neck" which is a method of communication where the words that one speaks do not pass the brain prior to arriving at the vocal cords. Essentially, the words take a detour at the neck to avoid the mean and logical brain.

Most likely, this was penned by a copy writer who assumed that email has attachments, why not FTP? Who really cares what l33t haxxors call files through FTP. I call it so 70's....SFTP anyone? Chroot jail anyone?

FTP Attachment? (3, Insightful)

flajann (658201) | more than 6 years ago | (#22728302)

What the hell is a "FTP attachment"?
Doesn't make sense.

Re:FTP Attachment? (1)

Ferzerp (83619) | more than 6 years ago | (#22728376)

Ever get the feeling that the summary was written by someone who doesn't quite grasp all the relevant details of the topic?

After that atrocious summary, I couldn't be bothered with RTFA

Dear Internets (2, Funny)

phoxix (161744) | more than 6 years ago | (#22728340)

Lets kill FTP once and for all! It doesn't serve a purpose anymoar! Its been replaced with HTTP, Rsync, and BT!

k thx bye!

Re:Dear Internets (1)

Anne Thwacks (531696) | more than 6 years ago | (#22728492)

Not to mention NYC!

F-Secure are FUDmeisters (3, Informative)

Werrismys (764601) | more than 6 years ago | (#22728358)

Just ignore them. It's good business for them to constantly cry "wolf".

Re:F-Secure are FUDmeisters (3, Insightful)

IBBoard (1128019) | more than 6 years ago | (#22728448)

And it's all in the final line of TFA:

Better make sure your gateway scanner is configured to scan FTP traffic as well. Our F-Secure Internet Gatekeeper does this by default.

"This wasn't done as a sales pitch, but buy our Gatekeeper software!"

So what's the major difference between an FTP hosted file and a HTTP hosted file for most people? Either way it downloads a file from a site that they can be convinced to run. Sounds all about the same to me.

Re:F-Secure are FUDmeisters (1)

PlusFiveTroll (754249) | more than 6 years ago | (#22728678)

>Sounds all about the same to me.

Yes, and this is where people fail and security problems come from. FTP is not HTTP. It is a different protocol. Your web browser uses a different mechanism to transfer files with it, and it goes over different ports on the internet. Your anti-virus/anti-spyware/firewall doesn't auto-magically block this stuff, it must be programmed to do so. If the programmer didn't think of a mechanism that files could get by the firewall for example, then a virus could get on the network.

Let me create an analogy (and probably get it wrong). You have a jewelry factory that you want to keep secure. You check all incoming and out going employees that arrive in a car for stolen merchandise. A number of semis come and go per day, but you do not perform a security check on them. Where do you think the thief is going to attack?

Re:F-Secure are FUDmeisters (1)

IBBoard (1128019) | more than 6 years ago | (#22729188)

That's a corporate vs home situation, though, where you're blocking at the boundaries rather than relying on standard AV where the source of the file should make no difference - it's a browser download so it should get checked.

FTP is a file download from a remote machine via an Internet connection. HTTP is a file download from a remote machine via an Internet connection. Both of them leave a file on your machine that you can then execute. I'd expect any normal firewall to check any files that a browser downloads - there's no obvious difference in where it comes from that means it is guaranteed safe just because it's a different protocol.

If AV writers have been overlooking that yet have the sense to check HTTP and SMTP/IMAP incoming files then it just makes me feel even safer that I now only run Linux.

As for FTP downloads at work, I've never been able to do them because the two places I've worked at have blocked them from most of their network. One let you access FTP if you dug out the necessary proxy settings, but in a corporate environment it solves the problem without needing some Gatekeeper product.

NEXT! (3, Insightful)

Frosty Piss (770223) | more than 6 years ago | (#22728360)

I'm sorry, but if when setting up server services the admin "forgets" to lock down FTP, they need to be canned. That is all. NEXT.

FTP through email (4, Interesting)

whitehatlurker (867714) | more than 6 years ago | (#22728378)

This has come full circle - back before internet connectivity was so widespread, there were a few ftp via email gateways. (Yes, there were other networks alongside the internet.) You'd send your ftp commands and get email back (a few days later or the next week) with the uuencoded result.

Now you have email viruses delivered via FTP. Cool.

Yeah I'm old - get off my lawn!

Re:FTP through email (0)

Anonymous Coward | more than 6 years ago | (#22728600)

As others have pointed out, this is largely fear-mongering on F-Secure's part (they're notorious for it). The article itself actually suggests one of their own products as a solution to this supposed problem "on the rise," so I don't know how seriously I would take it.

Re:FTP through email (1)

pak9rabid (1011935) | more than 6 years ago | (#22728622)

Yeah I'm old - get off my lawn!
Hmm, it is true old people are often concerned that there are children on their lawns.

Re:FTP through email (1)

Thornburg (264444) | more than 6 years ago | (#22729234)

You'd send your ftp commands and get email back (a few days later or the next week) with the uuencoded result.
I actually remember doing that. I was a freshman in high school at the time. Does that mean I'm old too?

My first computer access that required a password was a VAX...

WUSTL pwns FTP (0)

Anonymous Coward | more than 6 years ago | (#22728384)

wu-ftpd FTW! shouts out to my wustl crew! Wustl CS 4-evah!

3rd Party Services (2, Interesting)

boris111 (837756) | more than 6 years ago | (#22728616)

Speaking of FTP I was appalled the other day when my girlfriend told me their small company is paying $100 a month for a service [ftptoday.com] to use FTP for their clients. This service has a space limit of 300 MB!!! With GMAIL and Yahoo email offering unlimited storage this seems unbelievably small.

Re:3rd Party Services (0)

Anonymous Coward | more than 6 years ago | (#22728846)

Speaking of FTP I was appalled the other day when my girlfriend told me their small company is paying $100 a month for a service [ftptoday.com] to use FTP for their clients. This service has a space limit of 300 MB!!! With GMAIL and Yahoo email offering unlimited storage this seems unbelievably small.
Uhh, what are they using it for? That doesn't seem to make any sense.

Even if they did need it, you could get something like a Rosehosting virtual server for $30/mo, stick OpenVPN+samba or apache (WebDAV+ssl) and get something much more secure. 5gb storage, 300gb transfer. For $60/mo you get the same thing but they admin and support it.

For OpenVPN+samba, just firewall off all ports except for udp 1194. Have each client computer OpenVPN into it and then access the samba shares. Everything will be nice and encrypted unlike with ftp.

For WebDAV you can map it as a drive in windows/OS X/Gnome/KDE (iirc, xp has issues with webdav+ssl, though, not sure about 2k or vista). Or leave it unencrypted and close it off and just access it via OpenVPN. Or just do the same with ftp through OpenVPN.

Re:3rd Party Services (1)

boris111 (837756) | more than 6 years ago | (#22729020)

They're an advertising firm. Occasionally they need to send large files to their customers. We're talking 10-20 users at most. I should offer my services (for a small fee of course). They have an IT guy, but apparently he's stubborn and doesn't listen to the needs of the employees/customers.

Re:3rd Party Services (0)

Anonymous Coward | more than 6 years ago | (#22728858)

you don't understand.

When you are dealing with a company the secretaries tape your phone number on all their phones. They call and call and call.

Women are especially difficult customers, they have a tendency to be abusive on the telephone and blame their lack of basic skills on the tech support's inability to teach them quickly enough.

Oh no, if you are dealing with a corporate customer of any kind you must jack up your price.

I sell hosting for $100/year prepaid with email support, $300/year with voice support (and then I limit them to one person in the office for voice support, during business hours).

Small hosting companies that have a sysadmin located in the US or Canada are worth far more than large impersonal orgs that have an 800 number answered by some guy in India.

FTP is BAD! About DAMN time THAT makes press (4, Informative)

spitek (942062) | more than 6 years ago | (#22728646)

Clear TXT PASSWD = BAD Might as well bend over. I've made my hosting customers use SFTP/SCP for YEARS. Been very happy I have. Just like POP3 one day.. IF we are lucky people will stop using it. It's like sending your tax return to the IRS in a clear envelope with your name birth date and SS # showing. Just plain STUPID!
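
What "clear text password" means on the wire, as an added example that is not part of the original thread: plain FTP sends `USER` and `PASS` verbatim on the control channel unless the client first negotiates TLS with `AUTH TLS` (RFC 4217) and the server answers 234. The sketch audits control-channel transcripts, written the way a client debug log would show them, and flags logins sent without that negotiation; the sample sessions, host name and function name are constructed for illustration.

```python
import re

# Constructed control-channel transcripts ("C:" client, "S:" server), not real captures.
PLAIN_SESSION = """\
S: 220 ftp.example.test ready
C: USER alice
S: 331 Password required
C: PASS hunter2
S: 230 Login successful
"""
# Same login, but the client requests TLS first (RFC 4217); 234 means the server agreed.
TLS_SESSION = PLAIN_SESSION.replace(
    "C: USER", "C: AUTH TLS\nS: 234 Proceed with negotiation\nC: USER")
# The server refuses AUTH TLS and the client logs in over clear text anyway.
REJECTED_TLS_SESSION = PLAIN_SESSION.replace(
    "C: USER", "C: AUTH TLS\nS: 502 Command not implemented\nC: USER")

LINE = re.compile(r"^([CS]):\s*(.*)$")


def audit_ftp_login(transcript):
    """Return one finding per PASS command sent before TLS was negotiated."""
    tls_active = auth_pending = False
    user = None
    findings = []
    for raw in transcript.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        side, text = m.groups()
        if side == "S":
            if auth_pending:  # this reply answers the client's AUTH request
                tls_active = text.startswith("234")
                auth_pending = False
            continue
        verb, _, arg = text.partition(" ")
        verb = verb.upper()
        if verb == "AUTH":
            auth_pending = True
        elif verb == "USER":
            user = arg.strip()
        elif verb == "PASS" and not tls_active:
            # Record who was exposed, never the password itself.
            findings.append({"user": user, "password_exposed": True})
    return findings


if __name__ == "__main__":
    for name in ("PLAIN_SESSION", "TLS_SESSION", "REJECTED_TLS_SESSION"):
        print(name, audit_ftp_login(globals()[name]))
```

The third session is the case worth alerting on: a client that silently falls back to clear text after the server rejects `AUTH TLS` exposes the password exactly as the plain session does.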

Re:FTP is BAD! About DAMN time THAT makes press (0)

Anonymous Coward | more than 6 years ago | (#22729064)

Just plain STUPID!
That's not FTP's fault, that's the fault of most IT managers

Re:FTP is BAD! About DAMN time THAT makes press (1)

omnipresentbob (858376) | more than 6 years ago | (#22729186)

It's like sending your tax return to the IRS in a clear envelope with your name birth date and SS # showing.
Ah, shit. My mother's maiden name and bank account number are showing too. I'm boned, aren't I? :(

Just plain STUPID!
Well I already knew that.

Re:FTP is BAD! About DAMN time THAT makes press (0)

Anonymous Coward | more than 6 years ago | (#22729296)

Clear TXT PASSWD = BAD Might as well bend over

If only more users would accept that. While you're busy educating the users, could you do us a favor and remind them that is the same reason why they need to stop using telnet?

I manage a Unix network for a department full of PhDs. And yet they insist on using telnet to communicate across the network, even after I set up all the ssh daemons for them.

Re:FTP is BAD! About DAMN time THAT makes press (0)

Anonymous Coward | more than 6 years ago | (#22729300)

If we were lucky your father would have used a condom and we wouldn't have to listen to your bullshit.

What the article infers... (2, Interesting)

johnlcallaway (165670) | more than 6 years ago | (#22728670)

It sounds like 'trusted' sites have been hacked, and that nefarious forces may place files on those trusted sites, then send emails that look authentic. That is, the email looks like it is from a responsible site and has an FTP URL for that site, but the file on the trusted site contains malware of some type.

I have gotten fake Hallmark cards in the past, and only because the URLs were obviously not Hallmark did I check the headers. Transform this into a malware that installs a back door, grabs your address book, then sends the address book full of trusted names back to the originator. Now you have an email from a trusted source that has URLs to a trusted site to help spread it.

Maybe I shouldn't have typed all that out.....

Re:What the article infers... (1)

tychovi (1221054) | more than 6 years ago | (#22729174)

...is nothing. It says "takes you to an owned computer that has a(n) FTP site setup on it" and if you look at the URL at the bottom of the client window you can see that it's obscured, so unless you know that ip address you shouldn't be clicking anything (I have to agree with Digital Sorceress). I hardly think that Hallmark is going to be serving up cards out of Romania, so anyone who clicks on a link from an email similar to the one listed should promptly be taken out to the parking lot and stoned with 1.44MB 3.5 inch floppies.

FTP (tunneled, chrooted, whatever) is still a useful tool: it's stable, resilient and does its job. Blaming FTP for this is like blaming the hammer when your three year old uses it to smash your china...

 

IPS are on target (1)

bbasgen (165297) | more than 6 years ago | (#22728706)

In mid-February Tipping Point (maker of an IPS) released new filters on FTP Put and Get commands due to this rise in exploits. Always nice to see the IPS on the leading edge, and it again provides a point of emphasis that the IPS is absolutely essential for an enterprise.

Anecdote (1)

BigJClark (1226554) | more than 6 years ago | (#22729184)


Funny (to me) anecdote: My first day on my first job in the IT biz (network admin at the university I grad'd from) the old network admin was showing me the ropes, and actually telneted across the network and logged in with his root account. Needless to say my first order of business was to change the root password :)

ahhh...

Snort...Disco era... (0)

Anonymous Coward | more than 6 years ago | (#22729258)

You can tell that was written by someone very young that doesn't remember the 80s or early 90s.

"Now"? (1)

rrohbeck (944847) | more than 6 years ago | (#22729444)

Rooted ftp sites have been used for warez and malware since the beginning of time, and the F-Secure folks discover this *now*?
Pretty lame.