back to article Yes, the BBC still uses FTP. And yes, a Russian crook hacked the server

A BBC FTP server ftp.bbc.co.uk was compromised by a Russian hacker and access to it touted online, say computer security researchers. The miscreant behind the attack on the internet-facing file store tried to sell access to the infiltrated system to other crims on Christmas Day, we're told. Hold Security – which this year has …

COMMENTS

This topic is closed for new posts.
  1. M Gale

    If it's not broke...

    See title. Just because it's old, doesn't mean it doesn't work. And with very much less overhead than sending big files via HTTP.

    Though granted, a restricted-access FTP site should really be sFTP.

    1. Wzrd1 Silver badge

      Re: If it's not broke...

      True enough.

      Add in that an FTP server should be living on the DMZ and have minimal potential access to machines on the inside network, it's a dead non-issue.

      Jeez, next week, that "hacker" (read script kiddie) will announce he hacked into DOS 3.3.

      1. big_D Silver badge

        Re: If it's not broke...

        Have the Beed moved onto 3.3? I thought they were still on 2.1 :-D

        sFTP and DMZ should make this pretty much a non-story. Unless it wasn't in the DMZ...

        Hopefully they have their house in order now.

      2. Lusty

        Re: If it's not broke...

        "should be living on the DMZ"

        Should be on A DMZ, not THE DMZ. Why should my FTP server be anywhere near the web server or mail server? Modern firewall design allows individual dirty networks for services so why only have a single big dirty network playground for hackers? The fewer systems they can access from the compromised one the less likely it is they will spread to the internal networks.

        I also hate the term DMZ since the dirtiest network after internet is often the internal client one, and DMZ sits next to the internal networks rather than between them and internet these days so DMZ is very outdated.

        1. Anonymous Coward
          Anonymous Coward

          Re: If it's not broke...

          your autism is showing.

          1. M Gale

            Re: If it's not broke...

            Many top-notch computer scientists and hackers have some kind of autistic spectrum disorder. It's one of those weird conditions that in milder cases can actually be beneficial if your job involves systems analysis and design. Not so much if it involves a lot of customer-facing work.

            Though I do have to wonder exactly which one of the buttload of comments up there you were replying to?

      3. Richard Harker
        Mushroom

        Re: If it's not broke...

        "Add in that an FTP server should be living on the DMZ"

        you mean hosting it on the border of North and South Korea ?

    2. Anonymous Coward
      Anonymous Coward

      Re: If it's not broke...

      The BBC still uses Solaris?! Wow, they must have some dated tech.....

      1. Anonymous Coward
        Anonymous Coward

        Re: If it's not broke...

        Solaris? It's an FTP site, last I head you don't need 24 core, 8 processor systems with 8TB of RAM. I'm more surprised to find it's not an NT4 system, the one that no one knows exactly what it does, but dare not turn it off.

      2. Anonymous Coward
        Anonymous Coward

        Re: If it's not broke...

        Solaris was the OS of choice for the ex R&D lot. Doesn't surprise me that kit might still be around. There were people there who loved Solaris so much it might be considered unhealthy........

    3. ElReg!comments!Pierre

      Re: If it's not broke...

      Yup, nothing wrong with FTP if you ask me. It's simple, robust and can be made as secure as a remote connection can be. Certainly the method of choice for the Beeb's field reporters, safer and more robust than pretty much anything more "current", bar sFTP (which ain't that "current" itself, if a good 20 years younger).

      1. Lusty

        Re: If it's not broke...

        "safer and more robust than pretty much anything more "current""

        There is also FTPS which predates SFTP by a few years while using the actual FTP protocol and daemons. Of course, the protocol isn't what the problem was here, it was a software bug leading to rights escalation and so could just as easily affect SCP/SFTP. It's less likely that anyone would find the bugs in the FTP/S daemon these days when compared to SFTP due to lower usage but if someone wants your system there is usually a way.

        1. ElReg!comments!Pierre

          Re: If it's not broke...

          > There is also FTPS

          I don't usually consider FTPS a separate protocol; it's still FTP

          > a software bug leading to rights escalation and so could just as easily affect SCP/SFTP.

          Indeed. Especially SCP, which is known to be vulnerable (which is why most "scp" clients actually use SFTP under the hood).

    4. Anonymous Coward
      Anonymous Coward

      Re: If it's not broke...

      "FTP is a 1970s vintage protocol".

      Yes, like TCP and IP and many others in everyday use. What's your point?

    5. Cheshire Cat

      Re: If it's not broke...

      The problem with the "If its not broke, don't fit it" attitude is that, when it infects management, it is used as an excuse to deny or delay all preventative maintenance, patching, and so on. Resulting in, eventually, system failures and security breaches due to outdated, bugged, and vulnerable versions of software or sub-optimal configuration. Management would often prefer to have failures they can blame on software bugs or attackers to having a failed modification or patch being blamed on their own department.

      Yes, FTP is a relatively lightweight and efficient protocol, but you still need to keep up with the patching and improve security (such as switching to sFTP or FTPS as you mentioned).

      1. M Gale

        Re: If it's not broke...

        The problem with the "If its not broke, don't fit it" attitude

        And when the Damagement have the desire to fix everything regardless of whether it's broke, we end up with the Windows 8 UI. The problem is in how to educate the bosses enough that they understand what "maintenance" is without going batshit crazy on "new". Or worse, "better because it's newer".

  2. Vimes

    I wonder if they'll be getting advice from Spencer Kelly on this? After all somebody working on his program was quite willing to pay for botnet access when it suited them.

    http://news.bbc.co.uk/1/hi/programmes/click_online/7938201.stm

    Incidentally just because you hadn't stolen anything when breaking into a house doesn't mean you didn't commit a crime.

    IMO the BBC staff involved ought to have been paid far more attention by the police in regards to unauthorised access to systems (computer misuse act 1990). That they didn't then use such potentially illegal access for even more illegal purposes is irrelevant in my opinion.

    1. Anonymous Coward
      Anonymous Coward

      For op

      http://www.urbandictionary.com/define.php?term=squinny

    2. Anonymous Coward
      Anonymous Coward

      It's this thing called investigative journalism, a bit like where you buy drugs off drug dealer then pretend to want bigger, to find out who supplied him.

      It's murky, but sometimes lines have to be crossed for the better good.

      still if you prefer you news to consist of this weeks talentless bimbo spouting her opinions on twitter, feel free.

      1. Vimes

        @Lost all faith

        Except that paying criminals in this case didn't serve any investigative purpose whatsoever. Botnets and how they function were already well known. What they were trying to explain could have easily been put into words without handing over cash to crooks.

        This is no different to a reporter paying somebody to break into a house to show how easy it is but not steal anything. I'm sure that they would argue that no harm was done but the home owner would still feel violated and the reporter would still be in trouble with the police.

        Why should it be any different with the online world?

        1. Matt 21

          Re: @Lost all faith

          I thought the server where they post their stories had been broken into a long time ago. How else can we explain the BBC pushing Twitter use so hard? It must be someone from Twitter modifying nearly every story to get some positive mention for the company. The peak came around the Olympics so I'd suggest looking at the logs from around that time.

          The only other explanation is bribery but that can't possibly be true.

          1. Professor Clifton Shallot

            Re: @Lost all faith

            "The only other explanation is bribery but that can't possibly be true."

            While I reckon your suggestion is a good one I am sure there might be some other possibilities for the paranoid - has the Beeb been under instruction to promote social media firms that oblige snoopy government perhaps?

            (I suspect it is probably nothing more than rampant over-enthusiasm for communicating with viewers / listeners coupled with an institutional deep lack of understanding of technical and business issues but that is much less fun).

    3. This Side Up

      "Incidentally just because you hadn't stolen anything when breaking into a house doesn't mean you didn't commit a crime."

      On the other hand if you fall into an elephant trap it's not your fault it was there.

  3. Stevie

    Bah!

    Dear God, tell me there was no damage to the 12 episodes of Top Gear BBC America "owns".

  4. pete 22
    Coat

    It is not clear how deep the hacker managed to penetrate Auntie

    You have just made my day. It's almost as bad as a threesome with Margaret Thatcher and Janet Reno.

    1. Anonymous Coward
      Anonymous Coward

      Re: It is not clear how deep the hacker managed to penetrate Auntie

      Then they should assume the worst, that every single corner of the bbc was hacked and copied. That's what any responsible com poo any has to do. Ironically BBC raped Sony for their worst case reporting of their hack. Karma at work. BBC had lost all your logos and passwords, nothing was encrypted, I'm just filling in the blanks with my own made up bullshit, the same as they did then....

  5. Anonymous Coward
    Anonymous Coward

    Siemens

    Why blame the BBC? This stuff was outsourced to Siemens in 2004. I should know, I was one of the poor sods who was sold!

    That said from the sounds of it, the ftp access pre-dates even BBC Technology back to the days of the beardy wierdy geniuses at Kingswood Warren.

    1. Anonymous Coward
      Anonymous Coward

      Re: Siemens

      Cos it's BBC worldwide which is run in house....

    2. Anonymous Coward
      Anonymous Coward

      Re: Siemens

      The service part of Siemens was bought out by Atos.

      There are many parts of BBC IT outsourced to Atos (BBC Desktop for example) but much is run in house as well by BBC Technology / Tech Ops (most of the web based services and as noted above, BBC Worldwide).

      There will probably be much finger pointing as there often is with these things. That's if there was any serious threat. A "stepping stone" it may have been, but into what exactly? And let's face it, the Beeb is just a media organisation, not a bank or a holder of huge amounts of important personal data.

      Maybe someone could have done us a favour and taken Radio 1 off the air.

      1. Mr Fuzzy

        Re: Siemens: To be fair...

        It's pretty safe to say that the BBC have enormous amounts of personal data.

        Given the prevalence of password reuse, they hold plenty of concern even if you only think in terms of email/password pairs. That said, I do see your point. Anybody with best practices in mind when watching “World's Craziest Fools," is fine.

        *nips off to change some passwords*

  6. Anon5000

    The 1337day site has an exploit for sale which claims to be for ProFTPD 3.3.3g and quotes the BBC FTP site. Some of their exploits for sale have been a bit dubious in the past so rather than it being a new ProFTPD vulnerability it may just be instructions on a misconfiguration of that particular server.

    Always have loved the simplicity and stability of FTP personally and added secure SSL functionality has been available for years on many clients/servers. FxP'ing between servers still happens!

  7. Crazy Operations Guy

    "account running the ftp daemon"

    Since this was the bbc, what are the chances that ftp was running as root?

    1. Wzrd1 Silver badge

      Re: "account running the ftp daemon"

      Since the site is contracted out, what is the chance that FTP is running as root and the password is "1234"?

    2. Anonymous Coward
      Anonymous Coward

      Re: "account running the ftp daemon"

      "Since this was the bbc, what are the chances that ftp was running as root?"

      Since it was runing Solaris it probably doesnt make much difference - that OS has nearly as many holes as Linux....

      1. Anonymous Coward
        Anonymous Coward

        Re: "account running the ftp daemon"

        Is this A/C actually Eadon?

        It's a clever plan, pretend to be such a rabid Windows fanbouy, that it makes all windows users look like dickheads, therefore making Linux users, by default look cool and rebellious.

        In reality, most of us that have finished puberty, realised a long time ago, you use what you are happy with and accept all OS's / kernels / software has flaws.

        99/100 is users that are the biggest issue, not the software.

        1. chivo243 Silver badge
          Pint

          Re: "account running the ftp daemon"

          Eadon? Haven’t seen his posts in a while... Is he real? Or just a puppet account the Reg uses to get the Reg some more posts/traffic?

          And you have a wonderful philosophy. Use the best tool for the job and remember that nothing is perfect! I wish some of my colleagues could grasp this concept.

          Have a pint, and celebrate the New Year!

          1. kain preacher

            Re: "account running the ftp daemon"

            Edon got perm ban

            1. M Gale
              Coat

              Re: "account running the ftp daemon"

              Edon got perm ban

              Now I understand that some people have an irrational dislike of hairstyles, but isn't that a bit ridiculous? People with mullets up against the wall next?

  8. TimChuma

    Yes? And...?

    I still prefer to use FTP to my own server that I pay for the 100Gb space on and not have to rely on a 3rd party to look after my files. When the files are downloaded I can delete them. It is only me with the access.

    For seven years I was uploading photo galleries via FTP, it was a lot more straight forward except for when I had to take stuff down.

  9. Anonymous Coward
    Anonymous Coward

    Many of our clients still use ftp to send data to us every few minutes throughout the day (Gas Industry). This is all over Europe and beyond not just in the UK so FTP is very far from dead. As for the attack itself, shocker, an FTP account where the username and password are sent in plain text was compromised (although it seems the attacker here had it even easier). That is why an FTP box just does FTP and sits out on its own in the DMZ and only has the required ports open to the outside (in other words was SSH available to the Outside). I do also wonder if they restrict user accounts, I only allow 3rd parties FTP and FTPS access (and that FTPS access is not run by my SSH daemon either), they have no shell so would have to find a vulnerability in order to elevate themselves somehow. Even if they did compromise the box, it wouldn't help them much here as it has no access to anything else. I live under the assumption I have been hacked or will be, makes it much easier to manage risk. I hope the BBC do the same.

  10. Anonymous Coward
    Anonymous Coward

    Main news story for me is that a reg hack thinks that FTP is "legacy" and not used anymore. Good to know how out of touch with reality some reg reporters are.

    1. pepper

      Exactly, I was wondering what the El Reg Hack was thinking the BBC should use then..

  11. Anonymous Coward
    Anonymous Coward

    Software Clients - pass the blame

    Maybe this is something to do with Microsoft, having failed to support sftp clients/servers as part as their supplied install packages, whilst maintaining support for ftp.

    1. Anonymous Coward
      Anonymous Coward

      Re: Software Clients - pass the blame

      Erm, but Microsoft has supplied and supported an RFC based FTPS (FTP over SSL) server ever since IIS7....

      1. AJ MacLeod

        Re: Software Clients - pass the blame

        FTPS != SFTP (which is far more widely used IME)

  12. Mystic Megabyte
    Happy

    This is the BBC..

    In today's news we can report that President Putin is a really nice guy and has opened a home for stray puppies.

  13. Bob Hoskins
    FAIL

    Brandon Butterworth

    His fault.

    1. Anonymous Coward
      Anonymous Coward

      Re: Brandon Butterworth

      I always told him that connecting the BBC to those intertubes would be bad!!

      See! I was right! I was right!!

  14. Anonymous Coward
    Anonymous Coward

    aspera

    They use a pretty convoluted aspera based ingest system for almost everything important, content wise anyway.

    That said, the bbc is a loose collection of individuals who basically hate each other and are allowed to operate as virtually separate companies.

    There are hundreds of FTP servers operating internally and externally for various puropses, getting files on and off the system for engineering purposes, providing logs to suppliers for support, just the usual mash up.

    They use a broad range of operating systems ranging from windows 3.11 all the way up to win8 and a whole host of x like systems. Nothing gets patched, in case the patch upsets some of the unsupported 15 year old mission critical software that Dave from FM&T wrote in 1999.

    I swear, only a few years ago, I looked after ceefax that has only just been switched off, when asked to find out why it kept falling over, I found the servers in a cupboard and they were a rag tag assortment of 386's the occasional Pentium 1 and, well, you can imagine the rest.

    They do take perimeter network security reasonably seriously though so I very much doubt that this FTP server will have made an easy stepping stone into the rest of the network.

  15. caffn8me

    ITN hacked via FTP too

    Many years ago (about 1999/2000) I was called in to deal with a hack via FTP which defaced ITN's web ste. That was a Solaris box to - a Sun E450.

    It wasn't a technically difficult hack though. FTP was world available, the username was ITN and the password ITN. This account had root privilege. Doh!

    1. Piro Silver badge

      Re: ITN hacked via FTP too

      I wouldn't say that was a hack, more just turning the handle on a door and walking in.

  16. pewpie

    Shame it was just an FTP server..

    Nothing would be more joyful than seeing auntie's network downed in epic fashion.. Maybe just replace it with a picture of a freshly laid turd, gently steaming in the cool evening air.

  17. J.G.Harston Silver badge

    Err.... how else do you upload data to a website?

    1. caffn8me

      "Err.... how else do you upload data to a website?"

      HTTP upload, SCP or SFTP perhaps. Even shared directories over VPN.

      Lots of options

    2. Stuart Halliday

      If you allow uploading. Make the account write only?

  18. Steven Holmquist

    Nothing new

    Had an account exec a few years ago that bragged about being able to FTP from his desktop. He used the built-in support in his browser as the FTP tool and regularly posted to the server. Tried to get the FTP access shut down, but since he was higher in the food chain, my concerns were overlooked. He's now a VP of Digital at an advertising agency. I'd be willing to guess he's still using FTP through his browser.

  19. Stuart Halliday

    I love it when Hackers try to get access to my FTP server.

    They always try 'root' or 'admin'. As if I'd be so stupid.

    I also change the welcome message so they think it's an ancient Server running ancient code.

    BBC IT staff in charge of their Server needs to be flogged or user who left their login at a cybercafe needs strung up? :)

This topic is closed for new posts.

Other stories you might like