Blue chip FTP logins found on cybercrime server Security researchers have found a treasure chest of FTP passwords, some from high profile sites, on an open cybercrime server. Jacques Erasmus, CTO at security tools firm Prevx, stumbled across a site where a Trojan is uploading FTP login credentials captured from compromised machines. So far, Erasmus has found logins for ftp. …
So what this guys is saying is that some users' PCs have been compromised and their details were harvested...? As far as I can see, there's nothing to suggest that the ftp sites themselves have been compromised. That's not really a big deal when you think about it, and is almost to be expected.
Sure someone could then use those credentials to upload the latest 0-day warez!!!111! or some dodgy pics, but the unusual activity on the server should be noticed when the bandwidth or disk space logs are analysed, and you'd hope that are already restrictions are in place to stop someone uploading several GBs of data, in any case.
Not sure I really see the point this guy is trying to make - unless it's to point out that he has accessed some 'cybercrime server'. Whoop-de-doo for him!
one thing well two things I don't really get is
1. why anybody uses FTP for any kind of sensitive data with read and write grants (keep it read only for FTP, read/write for SFTP or SCP)
2. i'm against any password enabled admin access to externally visible sites, these guys should use tokens (hardware if possible) only
Having a login to ftp.bbc.co.uk doesn't give you access to the website or the content production system, just to the FTP server. The BBC network has an entirely different and non-public facing route for content that is going into the website.
(..which I shan't describe here for abundantly obvious reasons)
Still, pretty decent conclusion jumping for a hot and sticky friday afternoon!
Why not outlaw any internet access from Windows? Just imagine how much bandwidth would be released from all that spambot traffic. Not to mention that internet would come back to be what it was when it started.
Also, expect to regain some office status as "the guy who has internet", like in the past. I sometimes wonder how productivity in the pre-internet era could be so similar to what is today. Nowadays with all the time lost in offices due to web browsing we could probably double the productivity without increasing office hours.
it would not be a good idea to make such a law - we don't need any more meddling that aims to replace common sense thank you.
Oh, and btw, what would you define as 'up to date', and how would you police it?
is a daily update to your AV s/w up-to-date? is hourly? is secondly? see where I am going with this? if not:
for example, in theory as soon as a new vuln (technical or social) is found, a new virus/malware could be out to exploit it within hours, and hence that person is ciminalised by your new law, even though they updated a day ago.... replace hours with minutes, and day ago to hour ago, and it's even worse....
there are many more hypothetical situations that would make a mockery of this sort of law - face it, you are at the top of the IT game (i'd hope so, given that sort of comment - or are you of a social class constantly looking for more ways to voluntarily attend 'her majasty's' pleasure centres in order to get a decent meal and free sky TV ;), and others will not match you IT ability. So virii will spread. If the heaving masses did have your ability in such areas, you and many readers would be out of a job, so get over youself, while I get over myself, and let's go have a fun weekend instead.
as for policing it..... i think the police have enough on their plate without having to deal with this too.
anyway, enough short (ish), sharp (ish) putting down... it's Friday, and a rather warm one to boot, so mentioned above, I'm going home RIGHT NOW
Regards
"Would it not be a good idea to make it illegal to have a computer connected to the Internet that does not have up-to-date AV software?"
"Would it not be a good idea to make it illegal to have a front door that does not have up-to-date Goldilocks(tm) security lock installed?"
No it does not. Yet more government legislation on things they don't understand, can't control and wouldn't know how to check.
Course, it would be great for the few AV vendors. They could rack up the prices in a jiffy, then call you at home at the end of the year for a "mandatory renewal" ... or else. Cops could also pay a visit, find a non-up-to-date AV, pack away your electronics, GSM, TV and Tivo at gunpoint, then check at leisure for compromising pictures of random children or official buildings that you took for possible "terrorist planning".
Shite, I'm giving the Met ideas here.
No, i think you've slightly missed the point...
It depends what's on the ftp sites that they have logins for. If it's access into the web server host to upload web pages then it would be pretty serious as the websites could be modified to download trojans onto people's machines. If it's upload access to any area where the public would be able to download files from then again it could be serious (downloading bogus patches from a compromised AV site for example).
ftp.bbc.co.uk has anonymous login.
You can access the /etc/passwd file. But of course not /etc/shadow
But using FTP. Jesus christ. Are these guys retarded?
If your going to use it. At least restrict it to intranet IP's
Even tho this isnt secure at all.
RE: Slightly Misleading Article
Why would home users have FTP access to these types of places?
@Rob - LInux isnt secure from being infected... It can run code. End of story.
Have you really researched your facts here, Reg ? All these organisations (well the ones I know about) publish FTP *download* credentials to customers. Sometimes for beta software, sometimes for subscription access. I used to have Sophos access in my former job and we have BBC FTP access where I am now for obtaining commercial subscription video content. FTP is still quite widely used for these purposes.
Obviously it shouldn't be - even https with basic auth is more secure than FTP - but it is, and not necessarily very insecure as long as you don' mind your beta software being copied.
My money would be on compromised machines in other organisations spilling the passworded beans for users' read-only passwords to these sites.
Incidentally we too have an FTP site (well sort of), but it can only be accessed by sftp, with public key login. Passworded access is disabled.
John you at least normally do some critical analysis and investigation of these vendor press releases, what has happened ?
Why do people even have FTP enabled anyway? I can understand a personal website, but a major corporation? Where I work, there is absolutely no write access to the Web Servers (FORMS and SQL input excepted), all website updates are done by logging into the the web server cluster and copying hte new content from a secured file server.
And to Rob Beard, Doesn't matter what OS you use, the issue is that the websites could be used to HOST malware, and last I checked Apache can still have FTP enabled on it.
FTP is still commonly used for low-security file downloads. It's possible that the FTP passwords for many of those high-security web sites just lets you download high resolution press materials and reseller tech support documents. It's not public but it's hardly a win to have it.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
