Three Reasons Why NYT Can’t Afford to Use FTP


News broke yesterday afternoon that a group of hackers had compromised file transfer servers at several leading organizations after obtaining credentials for thousands of FTP sites. According to the report, hackers were even able to upload several malware program files to an FTP server run by the NYT and picked up a list of unencrypted credentials from an internal computer. A big concern there – and in particular for an organization with a large email database like NYT’s – is that those files could be incorporated into malicious links that could be used in spam messages.

My initial reaction: how is FTP security still making headlines in 2014? And secondly: hacks like this are exactly why people are more carefully evaluating their use of file transfer and in some cases, moving away from FTP to other versions of file transfer that more clearly suit their needs.

FTP servers are online repositories where users can upload and download files, and they’re designed to be accessible remotely via login and password. In some FTP set-ups, files remain there unencrypted and susceptible to foul play should credentials be obtained by the bad guys, which is the case here.

Reading deeper into the story, we can glean a few things about the compromised data in the FTP servers:

1) It was unencrypted, and therefore an immediate leak would not require much additional work by hackers. Any organization transferring sensitive data should use encryption while data is in motion and at rest.

2) Once one server gets hacked, others follow. What was hacked was most likely an application that housed the credentials insecurely, or maybe a programmer who was working on that application clicked a link that scraped his machine for the passwords. The hackers could then access new sites using those passwords, and so on.

3) It’s unclear if the data was used for destructive purposes, i.e. the spamming example I mentioned above. Because most FTP servers offer poor reporting and auditing features, it can be difficult to piece back together what the attackers did once inside the FTP.

Additionally, the FTP passwords must have been stored in clear text or encrypted with a sloppy algorithm or lazy key management. This is inexcusable in today’s digital age. These organizations could have salted and hashed their passwords, greatly improving their security.

In summary, there are a few critical steps your business can take to decrease file transfer risk:

1) Make sure to store credential information securely and encrypted with diverse, complex, and numerous keys.

  • Only use secure protocols for transfer
  • Salt and hash passwords, never store the actual password
  • Disable anonymous access (if allowed at all)
  • Require multi-factor authentication (with certificates, smart cards or IP address limits)

2) Check the file’s payload.

  • Scan files for viruses and malware on upload
  • Limit the file types that can be uploaded (no .htm, .php, .vbs, .exe, etc.)

3) Make sure to have good reporting and auditing of suspicious logins.

4) Protect your file transfer server

  • Frequent penetration tests
  • Frequent vulnerability scans
  • Static code analysis
  • Store files encrypted so they cannot be easily executed in the server’s host OS

5) Ensure your teams, all of them, are aware of security and know not to click on things from dubious sources. All it takes is one click on one bad link to create a breach.

FTP has been around for more than 40 years, and we continue to see breaches like these on a regular basis. Simply put, companies need to carefully evaluate their systems to make sure their usage of technology maps to their needs. I guess I shouldn’t be surprised that data breaches via FTP still occur today, but more organizations should understand the risks involved, and seek solutions that improve all aspects of file transfer.
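Steps 2 and 3 of the list above, sketched as an added example that is not part of the original post: an audit pass that flags successful logins from addresses an account has not used before and uploads of the file types the post says to block. The vsftpd-style log lines are constructed, and the `known_ips` baseline is a hypothetical input you would build from trusted history.

```python
import os
import re

# Constructed vsftpd-style log lines; addresses are documentation ranges.
SAMPLE_LOG = '''\
Mon Jan  6 09:00:01 2014 [pid 101] [alice] OK LOGIN: Client "192.0.2.10"
Mon Jan  6 09:00:09 2014 [pid 101] [alice] OK UPLOAD: Client "192.0.2.10", "/srv/ftp/alice/q4-report.pdf", 48211 bytes
Tue Jan  7 02:13:40 2014 [pid 207] [bob] FAIL LOGIN: Client "198.51.100.7"
Tue Jan  7 02:14:02 2014 [pid 209] [alice] OK LOGIN: Client "198.51.100.7"
Tue Jan  7 02:14:30 2014 [pid 209] [alice] OK UPLOAD: Client "198.51.100.7", "/srv/ftp/alice/invoice.pdf.exe", 90112 bytes
Tue Jan  7 02:14:41 2014 [pid 209] [alice] OK UPLOAD: Client "198.51.100.7", "/srv/ftp/alice/index.PHP", 2048 bytes
'''

LINE = re.compile(
    r'^(?P<ts>.{24}) \[pid \d+\] \[(?P<user>[^\]]+)\] '
    r'(?P<status>OK|FAIL) (?P<event>LOGIN|UPLOAD): '
    r'Client "(?P<ip>[^"]+)"(?:, "(?P<path>[^"]+)")?'
)
BLOCKED_EXT = {".htm", ".php", ".vbs", ".exe"}  # the types the post names


def audit(log_text, known_ips):
    """Return (timestamp, user, ip, reason) tuples that need review.

    known_ips maps each account to the addresses it normally connects from.
    """
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m is None or m["status"] != "OK":
            continue
        user, ip = m["user"], m["ip"]
        if m["event"] == "LOGIN":
            # Valid credentials from an unfamiliar address: possible stolen login.
            if ip not in known_ips.get(user, set()):
                findings.append((m["ts"], user, ip, "login from new address"))
        elif m["path"]:
            # Compare only the final extension, case-insensitively.
            ext = os.path.splitext(m["path"])[1].lower()
            if ext in BLOCKED_EXT:
                findings.append((m["ts"], user, ip, f"blocked type {ext}"))
    return findings
```

A deny-list like `BLOCKED_EXT` only catches the extensions it names; an allow-list of the file types the business actually exchanges is the stricter form of the same check.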


  • Ken Allen

    Ken is currently the Director of Product Marketing for Ipswitch File Transfer and is responsible for all product messaging, positioning and marketing content around the product portfolio. Prior to joining Ipswitch, Ken was the Director of Product Marketing at Metalogix, one of the largest Microsoft SharePoint ISVs. Ken was responsible for all marketing activity around the Metalogix Replicator product line, including go-to-market research, positioning, content generation, and program strategy. Before Metalogix, Ken was the Director of Marketing at Axceler, where he led the company’s global strategy and marketing efforts including marketing strategy, lead generation, market awareness, competitive positioning and branding. Prior to Axceler, Ken led the product marketing team for the managed hosting business at Computer Sciences Corporation. Ken’s past experience also includes IBM, ATG, and Lotus Development Corporation. Ken holds a BA in mathematics / computer science from Hamilton College and an MBA in strategic marketing from the University of Southern California, Marshall School of Business.