Yes, the BBC still uses FTP. And yes, a Russian crook hacked the server

A BBC FTP server ftp.bbc.co.uk was compromised by a Russian hacker and access to it touted online, say computer security researchers. The miscreant behind the attack on the internet-facing file store tried to sell access to the infiltrated system to other crims on Christmas Day, we're told. Hold Security – which this year has …

COMMENTS

This topic is closed for new posts.

Silver badge

If it's not broke...

See title. Just because it's old, doesn't mean it doesn't work. And with very much less overhead than sending big files via HTTP.

Though granted, a restricted-access FTP site should really be sFTP.

52
2
Bronze badge

Re: If it's not broke...

True enough.

Add in that an FTP server should be living on the DMZ and have minimal potential access to machines on the inside network, it's a dead non-issue.

Jeez, next week, that "hacker" (read script kiddie) will announce he hacked into DOS 3.3.

16
0
Silver badge

Re: If it's not broke...

Have the Beeb moved onto 3.3? I thought they were still on 2.1 :-D

sFTP and DMZ should make this pretty much a non-story. Unless it wasn't in the DMZ...

Hopefully they have their house in order now.

0
1
Anonymous Coward

Re: If it's not broke...

The BBC still uses Solaris?! Wow, they must have some dated tech.....

1
7
Silver badge

Re: If it's not broke...

Solaris? It's an FTP site, last I heard you don't need 24 core, 8 processor systems with 8TB of RAM. I'm more surprised to find it's not an NT4 system, the one that no one knows exactly what it does, but dare not turn it off.

21
0
Bronze badge

Re: If it's not broke...

"should be living on the DMZ"

Should be on A DMZ, not THE DMZ. Why should my FTP server be anywhere near the web server or mail server? Modern firewall design allows individual dirty networks for services so why only have a single big dirty network playground for hackers? The fewer systems they can access from the compromised one the less likely it is they will spread to the internal networks.

I also hate the term DMZ since the dirtiest network after internet is often the internal client one, and DMZ sits next to the internal networks rather than between them and internet these days so DMZ is very outdated.

4
3
Silver badge

Re: If it's not broke...

Solaris was the OS of choice for the ex R&D lot. Doesn't surprise me that kit might still be around. There were people there who loved Solaris so much it might be considered unhealthy........

2
0
Silver badge

Re: If it's not broke...

Yup, nothing wrong with FTP if you ask me. It's simple, robust and can be made as secure as a remote connection can be. Certainly the method of choice for the Beeb's field reporters, safer and more robust than pretty much anything more "current", bar sFTP (which ain't that "current" itself, if a good 20 years younger).

14
0

Re: If it's not broke...

"Add in that an FTP server should be living on the DMZ"

you mean hosting it on the border of North and South Korea ?

5
2
Bronze badge

Re: If it's not broke...

"safer and more robust than pretty much anything more "current""

There is also FTPS which predates SFTP by a few years while using the actual FTP protocol and daemons. Of course, the protocol isn't what the problem was here, it was a software bug leading to rights escalation and so could just as easily affect SCP/SFTP. It's less likely that anyone would find the bugs in the FTP/S daemon these days when compared to SFTP due to lower usage but if someone wants your system there is usually a way.

1
0
Silver badge

Re: If it's not broke...

"FTP is a 1970s vintage protocol".

Yes, like TCP and IP and many others in everyday use. What's your point?

28
0
Silver badge

Re: If it's not broke...

> There is also FTPS

I don't usually consider FTPS a separate protocol; it's still FTP

> a software bug leading to rights escalation and so could just as easily affect SCP/SFTP.

Indeed. Especially SCP, which is known to be vulnerable (which is why most "scp" clients actually use SFTP under the hood).

1
0

Re: If it's not broke...

The problem with the "If it's not broke, don't fix it" attitude is that, when it infects management, it is used as an excuse to deny or delay all preventative maintenance, patching, and so on. Resulting in, eventually, system failures and security breaches due to outdated, bugged, and vulnerable versions of software or sub-optimal configuration. Management would often prefer to have failures they can blame on software bugs or attackers to having a failed modification or patch being blamed on their own department.

Yes, FTP is a relatively lightweight and efficient protocol, but you still need to keep up with the patching and improve security (such as switching to sFTP or FTPS as you mentioned).

0
0
Silver badge

Re: If it's not broke...

The problem with the "If it's not broke, don't fix it" attitude

And when the Damagement have the desire to fix everything regardless of whether it's broke, we end up with the Windows 8 UI. The problem is in how to educate the bosses enough that they understand what "maintenance" is without going batshit crazy on "new". Or worse, "better because it's newer".

4
0
Anonymous Coward

Re: If it's not broke...

your autism is showing.

0
1
Silver badge

Re: If it's not broke...

Many top-notch computer scientists and hackers have some kind of autistic spectrum disorder. It's one of those weird conditions that in milder cases can actually be beneficial if your job involves systems analysis and design. Not so much if it involves a lot of customer-facing work.

Though I do have to wonder exactly which one of the buttload of comments up there you were replying to?

1
0
Bronze badge

I wonder if they'll be getting advice from Spencer Kelly on this? After all somebody working on his program was quite willing to pay for botnet access when it suited them.

http://news.bbc.co.uk/1/hi/programmes/click_online/7938201.stm

Incidentally just because you hadn't stolen anything when breaking into a house doesn't mean you didn't commit a crime.

IMO the BBC staff involved ought to have been paid far more attention by the police in regards to unauthorised access to systems (computer misuse act 1990). That they didn't then use such potentially illegal access for even more illegal purposes is irrelevant in my opinion.

7
4
Anonymous Coward

For op

http://www.urbandictionary.com/define.php?term=squinny

1
4
Silver badge

It's this thing called investigative journalism, a bit like where you buy drugs off a drug dealer then pretend to want bigger, to find out who supplied him.

It's murky, but sometimes lines have to be crossed for the better good.

Still, if you prefer your news to consist of this week's talentless bimbo spouting her opinions on Twitter, feel free.

5
10
Bronze badge

@Lost all faith

Except that paying criminals in this case didn't serve any investigative purpose whatsoever. Botnets and how they function were already well known. What they were trying to explain could have easily been put into words without handing over cash to crooks.

This is no different to a reporter paying somebody to break into a house to show how easy it is but not steal anything. I'm sure that they would argue that no harm was done but the home owner would still feel violated and the reporter would still be in trouble with the police.

Why should it be any different with the online world?

11
3
Bronze badge

Re: @Lost all faith

I thought the server where they post their stories had been broken into a long time ago. How else can we explain the BBC pushing Twitter use so hard? It must be someone from Twitter modifying nearly every story to get some positive mention for the company. The peak came around the Olympics so I'd suggest looking at the logs from around that time.

The only other explanation is bribery but that can't possibly be true.

4
0
Bronze badge

Re: @Lost all faith

"The only other explanation is bribery but that can't possibly be true."

While I reckon your suggestion is a good one I am sure there might be some other possibilities for the paranoid - has the Beeb been under instruction to promote social media firms that oblige snoopy government perhaps?

(I suspect it is probably nothing more than rampant over-enthusiasm for communicating with viewers / listeners coupled with an institutional deep lack of understanding of technical and business issues but that is much less fun).

3
0

"Incidentally just because you hadn't stolen anything when breaking into a house doesn't mean you didn't commit a crime."

On the other hand if you fall into an elephant trap it's not your fault it was there.

1
0
Silver badge

Bah!

Dear God, tell me there was no damage to the 12 episodes of Top Gear BBC America "owns".

2
2

It is not clear how deep the hacker managed to penetrate Auntie

You have just made my day. It's almost as bad as a threesome with Margaret Thatcher and Janet Reno.

5
1
Anonymous Coward

Re: It is not clear how deep the hacker managed to penetrate Auntie

Then they should assume the worst, that every single corner of the BBC was hacked and copied. That's what any responsible company has to do. Ironically the BBC raped Sony for their worst-case reporting of their hack. Karma at work. BBC has lost all your logins and passwords, nothing was encrypted; I'm just filling in the blanks with my own made-up bullshit, the same as they did then....

1
5
Silver badge

Siemens

Why blame the BBC? This stuff was outsourced to Siemens in 2004. I should know, I was one of the poor sods who was sold!

That said, from the sounds of it, the FTP access pre-dates even BBC Technology, back to the days of the beardy weirdy geniuses at Kingswood Warren.

5
0
Anonymous Coward

Re: Siemens

Cos it's BBC worldwide which is run in house....

1
0
Anonymous Coward

Re: Siemens

The service part of Siemens was bought out by Atos.

There are many parts of BBC IT outsourced to Atos (BBC Desktop for example) but much is run in house as well by BBC Technology / Tech Ops (most of the web based services and as noted above, BBC Worldwide).

There will probably be much finger pointing as there often is with these things. That's if there was any serious threat. A "stepping stone" it may have been, but into what exactly? And let's face it, the Beeb is just a media organisation, not a bank or a holder of huge amounts of important personal data.

Maybe someone could have done us a favour and taken Radio 1 off the air.

5
0

Re: Siemens: To be fair...

It's pretty safe to say that the BBC have enormous amounts of personal data.

Given the prevalence of password reuse, they hold plenty of concern even if you only think in terms of email/password pairs. That said, I do see your point. Anybody with best practices in mind when watching "World's Craziest Fools" is fine.

*nips off to change some passwords*

1
0

The 1337day site has an exploit for sale which claims to be for ProFTPD 3.3.3g and quotes the BBC FTP site. Some of their exploits for sale have been a bit dubious in the past so rather than it being a new ProFTPD vulnerability it may just be instructions on a misconfiguration of that particular server.

Always have loved the simplicity and stability of FTP personally and added secure SSL functionality has been available for years on many clients/servers. FxP'ing between servers still happens!

4
0
Bronze badge

"account running the ftp daemon"

Since this was the bbc, what are the chances that ftp was running as root?

0
3
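The question above, what account the daemon runs as, is the substantive one in this thread: a bug in the daemon only becomes "rights escalation" if the process still holds rights worth escalating to. The following is an added example, not code from the thread, from ProFTPD or from the BBC, showing how a daemon should drop root irreversibly before it serves anything, and how to verify the drop actually took. The target account (`nobody` when run as root) and the helper names are my own choices for demonstration; a real daemon uses a dedicated account.

```python
"""Drop root irreversibly before serving, as an FTP daemon should.

Added example; not code from the thread, ProFTPD or any other daemon. It
shows the order that matters on Linux/Unix: chroot (if wanted) while still
root, then clear supplementary groups, set gid, set uid, and finally verify
that root cannot be regained. Run unprivileged it drops to your own uid/gid,
which still exercises every check; run as root it drops to 'nobody' (chosen
here only for demonstration, a real daemon uses a dedicated account).
"""
import os
import pwd
from typing import Dict, Optional, Tuple


def choose_drop_target() -> Tuple[int, int]:
    """Demo target: 'nobody' when root, otherwise the caller's own ids."""
    if os.geteuid() == 0:
        entry = pwd.getpwnam("nobody")
        return entry.pw_uid, entry.pw_gid
    return os.getuid(), os.getgid()


def _all_uids() -> Tuple[int, int, int]:
    # real, effective, saved; getresuid() exists on Linux/BSD, fall back elsewhere
    if hasattr(os, "getresuid"):
        return os.getresuid()
    return (os.getuid(), os.geteuid(), os.geteuid())


def _all_gids() -> Tuple[int, int, int]:
    if hasattr(os, "getresgid"):
        return os.getresgid()
    return (os.getgid(), os.getegid(), os.getegid())


def verify_privileges_dropped(uid: int, gid: int) -> Dict[str, bool]:
    """Check real/effective/saved ids all match and that root cannot be regained."""
    state = {
        "uid_ok": _all_uids() == (uid, uid, uid),
        "gid_ok": _all_gids() == (gid, gid, gid),
        "regain_blocked": False,
    }
    if uid != 0:
        try:
            os.setuid(0)          # must fail: the saved uid is no longer 0
        except PermissionError:
            state["regain_blocked"] = True
    return state


def drop_privileges(uid: int, gid: int,
                    chroot_dir: Optional[str] = None) -> Dict[str, bool]:
    """Chroot (optional), then drop to uid/gid in the only order that works."""
    if chroot_dir is not None:
        if os.geteuid() != 0:
            raise PermissionError("chroot needs root; do it before dropping")
        os.chroot(chroot_dir)
        os.chdir("/")
    if os.geteuid() == 0:
        # Supplementary groups survive setgid(); clear them while we still can.
        os.setgroups([])
    os.setgid(gid)   # gid first: after setuid we could no longer change it
    os.setuid(uid)   # as root this sets real, effective and saved uid at once
    return verify_privileges_dropped(uid, gid)


if __name__ == "__main__":
    target_uid, target_gid = choose_drop_target()
    print("dropping to", target_uid, target_gid)
    print(drop_privileges(target_uid, target_gid))
```

The `regain_blocked` check is the one people forget: `setuid()` to a non-root uid while root also clears the saved uid, so a later `setuid(0)` must fail with EPERM. If it succeeds, the drop was cosmetic and the "account running the ftp daemon" is still root in every way that matters to an exploit.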
Bronze badge

Re: "account running the ftp daemon"

Since the site is contracted out, what is the chance that FTP is running as root and the password is "1234"?

3
0
Anonymous Coward

Re: "account running the ftp daemon"

"Since this was the bbc, what are the chances that ftp was running as root?"

Since it was running Solaris it probably doesn't make much difference - that OS has nearly as many holes as Linux....

1
13
Silver badge

Re: "account running the ftp daemon"

Is this A/C actually Eadon?

It's a clever plan: pretend to be such a rabid Windows fanboy that it makes all Windows users look like dickheads, therefore making Linux users, by default, look cool and rebellious.

In reality, most of us that have finished puberty realised a long time ago that you use what you are happy with and accept that all OSes / kernels / software have flaws.

99/100 it is users that are the biggest issue, not the software.

10
0
Bronze badge

Re: "account running the ftp daemon"

Eadon? Haven’t seen his posts in a while... Is he real? Or just a puppet account the Reg uses to get the Reg some more posts/traffic?

And you have a wonderful philosophy. Use the best tool for the job and remember that nothing is perfect! I wish some of my colleagues could grasp this concept.

Have a pint, and celebrate the New Year!

4
1
Bronze badge

Re: "account running the ftp daemon"

Eadon got perm ban

0
0
Silver badge

Re: "account running the ftp daemon"

Eadon got perm ban

Now I understand that some people have an irrational dislike of hairstyles, but isn't that a bit ridiculous? People with mullets up against the wall next?

1
0

Yes? And...?

I still prefer to use FTP to my own server that I pay for the 100Gb space on and not have to rely on a 3rd party to look after my files. When the files are downloaded I can delete them. It is only me with the access.

For seven years I was uploading photo galleries via FTP, it was a lot more straight forward except for when I had to take stuff down.

0
1
Anonymous Coward

Many of our clients still use FTP to send data to us every few minutes throughout the day (gas industry). This is all over Europe and beyond, not just in the UK, so FTP is very far from dead.

As for the attack itself, shocker: an FTP account where the username and password are sent in plain text was compromised (although it seems the attacker here had it even easier). That is why an FTP box just does FTP and sits out on its own in the DMZ and only has the required ports open to the outside (in other words, was SSH available to the outside?). I do also wonder if they restrict user accounts. I only allow 3rd parties FTP and FTPS access (and that FTPS access is not run by my SSH daemon either); they have no shell, so would have to find a vulnerability in order to elevate themselves somehow. Even if they did compromise the box, it wouldn't help them much here as it has no access to anything else.

I live under the assumption I have been hacked or will be; it makes it much easier to manage risk. I hope the BBC do the same.

2
2
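The point made above, that plain FTP puts the username and password on the wire readable, is also the difference between FTP, FTPS and SFTP that several posters argue over earlier in the thread (FTPS being FTP with TLS on the same control channel, SFTP a different protocol over SSH). The following is an added example, not code from the thread or from any FTP daemon or monitor: a small analyser for an FTP control-channel transcript of the kind a network monitor or IDS would reconstruct from port 21. The three transcripts are constructed by hand, not real captures, and the username and password in them are invented; they show plain FTP, explicit FTPS (`AUTH TLS`, RFC 4217) and the failure mode where a client whose `AUTH TLS` is refused falls back to cleartext anyway.

```python
"""Spot cleartext FTP logins on the control channel.

Added example, not code from the thread or from the BBC, ProFTPD or any
monitoring product. Transcripts are constructed by hand (not real captures)
in a simple "C: ..." / "S: ..." form. Plain FTP sends USER/PASS readable;
explicit FTPS (AUTH TLS, RFC 4217) switches the control channel to TLS
before the client logs in, so an eavesdropper sees only the AUTH exchange.
SFTP runs over SSH and never appears on port 21 at all.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class FtpLoginReport:
    user: Optional[str] = None
    password: Optional[str] = None
    tls_negotiated: bool = False
    cleartext_credentials: bool = False
    findings: List[str] = field(default_factory=list)


def analyse_control_channel(transcript: str) -> FtpLoginReport:
    """Walk the transcript in order and record what an eavesdropper learns."""
    report = FtpLoginReport()
    auth_tls_pending = False
    for raw in transcript.splitlines():
        side, sep, payload = raw.strip().partition(":")
        if not sep:
            continue  # annotation lines without a "C:"/"S:" prefix are ignored
        side, payload = side.strip().upper(), payload.strip()
        if side == "C":
            verb, _, arg = payload.partition(" ")
            verb = verb.upper()
            if verb == "AUTH" and arg.upper() in ("TLS", "SSL"):
                auth_tls_pending = True
            elif verb == "USER" and not report.tls_negotiated:
                report.user = arg
            elif verb == "PASS" and not report.tls_negotiated:
                report.password = arg
                report.cleartext_credentials = True
                report.findings.append(
                    f"PASS for user {report.user!r} observed in cleartext")
        elif side == "S" and auth_tls_pending:
            code = payload[:3]           # three-digit FTP reply code
            auth_tls_pending = False
            if code == "234":
                report.tls_negotiated = True
                report.findings.append(
                    "AUTH TLS accepted; control channel now encrypted")
            else:
                report.findings.append(
                    f"AUTH TLS refused ({code}); watch for a cleartext fallback")
    return report


# Constructed transcripts (invented account, not real traffic).
PLAIN_FTP = """\
S: 220 FTP server ready
C: USER reporter
S: 331 Password required for reporter
C: PASS correct-horse-battery
S: 230 User reporter logged in
C: PASV
"""

EXPLICIT_FTPS = """\
S: 220 FTP server ready
C: AUTH TLS
S: 234 AUTH TLS successful
[TLS handshake follows, remaining control traffic encrypted]
"""

TLS_REFUSED_FALLBACK = """\
S: 220 FTP server ready
C: AUTH TLS
S: 502 Command not implemented
C: USER reporter
S: 331 Password required for reporter
C: PASS correct-horse-battery
S: 230 User reporter logged in
"""

if __name__ == "__main__":
    for name, transcript in (("plain FTP", PLAIN_FTP),
                             ("explicit FTPS", EXPLICIT_FTPS),
                             ("TLS refused, fallback", TLS_REFUSED_FALLBACK)):
        r = analyse_control_channel(transcript)
        print(f"{name}: cleartext={r.cleartext_credentials} tls={r.tls_negotiated}")
        for f in r.findings:
            print("   ", f)
```

The third transcript is the case worth alerting on in practice: a server that does not offer `AUTH TLS`, or a client configured to "try TLS, fall back to plain", ends up exactly where the first transcript is, and the only evidence is the refused `AUTH` followed by a readable `PASS`.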
Anonymous Coward

Main news story for me is that a reg hack thinks that FTP is "legacy" and not used anymore. Good to know how out of touch with reality some reg reporters are.

24
0

Exactly, I was wondering what the El Reg Hack was thinking the BBC should use then..

0
0
Anonymous Coward

Software Clients - pass the blame

Maybe this is something to do with Microsoft having failed to support SFTP clients/servers as part of their supplied install packages, whilst maintaining support for FTP.

3
2
Anonymous Coward

Re: Software Clients - pass the blame

Erm, but Microsoft has supplied and supported an RFC based FTPS (FTP over SSL) server ever since IIS7....

0
2

Re: Software Clients - pass the blame

FTPS != SFTP (which is far more widely used IME)

1
0
Silver badge

This is the BBC..

In today's news we can report that President Putin is a really nice guy and has opened a home for stray puppies.

5
0

Brandon Butterworth

His fault.

1
0
Anonymous Coward

Re: Brandon Butterworth

I always told him that connecting the BBC to those intertubes would be bad!!

See! I was right! I was right!!

1
0
Anonymous Coward

aspera

They use a pretty convoluted aspera based ingest system for almost everything important, content wise anyway.

That said, the bbc is a loose collection of individuals who basically hate each other and are allowed to operate as virtually separate companies.

There are hundreds of FTP servers operating internally and externally for various purposes, getting files on and off the system for engineering purposes, providing logs to suppliers for support, just the usual mash up.

They use a broad range of operating systems ranging from Windows 3.11 all the way up to Win8 and a whole host of x like systems. Nothing gets patched, in case the patch upsets some of the unsupported 15 year old mission critical software that Dave from FM&T wrote in 1999.

I swear, only a few years ago, I looked after Ceefax, which has only just been switched off. When asked to find out why it kept falling over, I found the servers in a cupboard and they were a rag-tag assortment of 386s, the occasional Pentium 1 and, well, you can imagine the rest.

They do take perimeter network security reasonably seriously though so I very much doubt that this FTP server will have made an easy stepping stone into the rest of the network.

2
0

ITN hacked via FTP too

Many years ago (about 1999/2000) I was called in to deal with a hack via FTP which defaced ITN's web site. That was a Solaris box too - a Sun E450.

It wasn't a technically difficult hack though. FTP was world available, the username was ITN and the password ITN. This account had root privilege. Doh!

1
0
