News broke yesterday afternoon that a group of hackers had compromised file transfer servers at several leading organizations after obtaining credentials for thousands of FTP sites. According to the report, the hackers were able to upload several malware files to an FTP server run by the NYT and picked up a list of unencrypted credentials from an internal computer. A big concern there, particularly for an organization with a large email database like the NYT's, is that those uploaded files could be incorporated into malicious links used in spam messages.
My initial reaction: how is FTP security still making headlines in 2014? And secondly: hacks like this are exactly why people are more carefully evaluating their use of file transfer and in some cases, moving away from FTP to other versions of file transfer that more clearly suit their needs.
FTP servers are online repositories where users upload and download files, and they are designed to be reachable remotely with a username and password. Plain FTP sends both the credentials and the file contents across the network in cleartext, and in many set-ups the files also sit on the server unencrypted, so they are exposed to foul play as soon as the bad guys obtain credentials, which is what happened here.
Reading deeper into the story, we can glean a few things about the compromised data in the FTP servers:
1) It was unencrypted, so an immediate leak would not require much additional work by the hackers. Any organization transferring sensitive data should encrypt it both in motion (SFTP or FTPS rather than plain FTP) and at rest.
2) Once one server gets hacked, others follow. The initial compromise was most likely an application that housed the credentials insecurely, or perhaps a programmer working on that application clicked a link that scraped his machine for stored passwords. Either way, the hackers could then use those passwords to access new sites, and so on.
3) It's unclear whether the data was used for destructive purposes, e.g. the spamming example I mentioned above. Because most FTP servers offer poor reporting and auditing features, it can be difficult to piece together what the attackers did once inside.
Additionally, the FTP passwords must have been stored in clear text or encrypted with a sloppy algorithm or lazy key management. This is inexcusable in today's digital age. Salting and hashing the passwords would have greatly improved these organizations' security, with one caveat: a hash only protects the server's credential store. Credentials cached on a client machine (the "internal computer" in the report) or sent across the wire by plain FTP are still recoverable, so client-side storage and the transport need protecting too.
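What "salt and hash" looks like in practice, as an added example that is not code from the original post or from any of the organizations involved. It stores a per-user random salt alongside a PBKDF2-HMAC-SHA256 digest, verifies in constant time, and includes a small audit helper that tells a proper record apart from the cleartext or bare unsalted digests the post complains about. The iteration count and the record format are assumptions for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# PBKDF2-HMAC-SHA256 work factor. The count is an assumption for this example;
# tune it so one hash costs tens of milliseconds on your hardware.
ITERATIONS = 200_000
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scheme$iterations$salt_hex$digest_hex.

    A fresh random salt per credential means two users with the same password
    get different records, and a precomputed (rainbow) table is useless.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{SCHEME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count, then
    compare in constant time so timing does not leak how many bytes matched."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    if scheme != SCHEME:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(digest.hex(), digest_hex)


def classify_record(record: str) -> str:
    """Audit helper for an existing credential store: 'salted' for our record
    format, 'unsalted_digest' for a bare MD5/SHA-1/SHA-256 hex digest, else
    'cleartext'. Anything that is not 'salted' should be migrated at next login."""
    if record.startswith(SCHEME + "$"):
        return "salted"
    if len(record) in (32, 40, 64) and all(c in "0123456789abcdef" for c in record.lower()):
        return "unsalted_digest"
    return "cleartext"


if __name__ == "__main__":
    # Constructed sample store: one cleartext entry, one bare MD5, one proper record.
    store = {
        "alice": "hunter2",
        "bob": hashlib.md5(b"hunter2").hexdigest(),
        "carol": hash_password("hunter2"),
    }
    for user, rec in store.items():
        print(user, classify_record(rec))
    print(verify_password("hunter2", store["carol"]))  # True
```

The record carries its own scheme and work factor, so the iteration count can be raised later and old records re-hashed transparently the next time each user logs in.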
In summary, there are a few critical steps your business can take to decrease file transfer risk:
1) Store credential information securely: hash passwords on the server, and where a secret must be recoverable (e.g. a key for a downstream system), encrypt it with distinct, strong keys under proper key management.
- Only use secure protocols for transfer (SFTP or FTPS, never plain FTP)
- Salt and hash passwords; never store the actual password
- Disable anonymous access (if it is allowed at all)
- Require multi-factor authentication (certificates or smart cards), and additionally restrict logins by source IP address where practical
2) Check the file's payload.
- Scan files for viruses and malware on upload
- Limit the file types that can be uploaded (no .htm, .php, .vbs, .exe, etc.), and check the content as well as the extension, since the uploader controls the filename
3) Make sure to have good reporting and auditing of suspicious logins. At a minimum, alert on bursts of failed logins and on successful logins that follow them.
- Managed file transfer brings comprehensive reporting and auditing capabilities, well beyond simple FTP
4) Protect your file transfer server
- Frequent penetration tests
- Frequent vulnerability scans
- Static code analysis
- Store files encrypted at rest, and keep the upload directory outside any web root and on a no-exec mount, so uploaded content cannot simply be executed on the server's host OS
5) Ensure all your teams are aware of security and know not to click on things from dubious sources. All it takes is one click on one bad link to create a breach.
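The payload checks in item 2 of the list above, as an added example (not the post's own code or any particular product's). It combines an extension allow-list with a block-list for the extensions the post names, rejects path components and nested extensions such as invoice.pdf.exe, and sniffs the leading bytes so that a file named .png but starting with a Windows executable header is refused. The allow-list and the magic-byte tables are assumptions to adjust for your own traffic.

```python
from typing import Tuple

# Policy for this example (assumption: adjust the allow-list to what your
# business actually exchanges). Allow-listing beats block-listing, but the
# block-list still catches the extensions named in the checklist wherever
# they appear in a multi-extension name such as invoice.pdf.exe.
ALLOWED_EXTENSIONS = {".txt", ".csv", ".pdf", ".png", ".jpg", ".jpeg", ".zip"}
BLOCKED_EXTENSIONS = {".htm", ".html", ".php", ".phtml", ".vbs", ".exe", ".js",
                      ".bat", ".cmd", ".sh", ".dll", ".scr"}

# Leading bytes ("magic") that mark executable or script content regardless of name.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF", b"#!", b"<?php", b"<script", b"<html")

# For binary formats, the bytes the content must begin with to match its extension.
EXPECTED_MAGIC = {
    ".pdf": (b"%PDF",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".zip": (b"PK\x03\x04",),
}


def check_upload(filename: str, head: bytes) -> Tuple[bool, str]:
    """Decide whether an upload is acceptable from its client-supplied name and
    the first bytes of its content. Returns (accepted, reason)."""
    # The client chose the name: refuse path separators and empty/dot names outright.
    if not filename or "/" in filename or "\\" in filename or filename in (".", ".."):
        return False, "bad filename"
    parts = filename.lower().split(".")
    exts = ["." + p for p in parts[1:] if p]
    if not exts:
        return False, "no extension"
    # Any blocked extension anywhere in the name is rejected (catches report.pdf.exe).
    if any(e in BLOCKED_EXTENSIONS for e in exts):
        return False, "blocked extension"
    final = exts[-1]
    if final not in ALLOWED_EXTENSIONS:
        return False, "extension not on allow-list"
    # Content checks: the name is untrusted, the bytes are what will be served or run.
    sniff = head.lstrip()
    if any(sniff.startswith(m) for m in EXECUTABLE_MAGIC):
        return False, "executable or script content"
    expected = EXPECTED_MAGIC.get(final)
    if expected and not any(head.startswith(m) for m in expected):
        return False, f"content does not look like {final}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed samples, not files from the incident.
    for name, head in [("report.pdf", b"%PDF-1.4"), ("photo.png", b"MZ\x90\x00"),
                       ("invoice.pdf.exe", b"%PDF-1.4"), ("../etc/passwd.txt", b"root:x")]:
        print(name, check_upload(name, head))
```

Pair this with the antivirus scan from the same checklist item; the magic-byte check is cheap and catches mislabelled executables, but it is not a substitute for scanning the whole file.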
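The kind of login auditing item 3 of the list asks for, run over a constructed log sample, as an added example rather than code from the post or from any file transfer product. The log lines are made up for this example in the format vsftpd writes (assumption: other servers log differently, so adjust the regular expression, not the logic). It raises two findings: a burst of failed logins from one address, and a successful login from an address that had just been failing, which is the pattern that stolen or guessed credentials produce.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Matches vsftpd-style login lines (assumption: your server's format may differ).
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"'
)

# Constructed sample log (not real data): a burst of failures from one address,
# followed by a success for a real account, plus ordinary traffic.
SAMPLE_LOG = """\
Tue Feb 11 09:00:01 2014 [pid 4101] [alice] OK LOGIN: Client "10.0.0.5"
Tue Feb 11 09:00:07 2014 [pid 4102] [bob] FAIL LOGIN: Client "198.51.100.7"
Tue Feb 11 09:00:09 2014 [pid 4103] [bob] FAIL LOGIN: Client "198.51.100.7"
Tue Feb 11 09:00:12 2014 [pid 4104] [admin] FAIL LOGIN: Client "198.51.100.7"
Tue Feb 11 09:00:15 2014 [pid 4105] [bob] FAIL LOGIN: Client "198.51.100.7"
Tue Feb 11 09:00:40 2014 [pid 4106] [bob] OK LOGIN: Client "198.51.100.7"
Tue Feb 11 09:05:00 2014 [pid 4107] [bob] OK LOGIN: Client "10.0.0.9"
Tue Feb 11 09:06:00 2014 [pid 4108] [alice] FAIL LOGIN: Client "10.0.0.5"
"""


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Return (timestamp, user, result, ip) or None for lines that are not logins."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # vsftpd pads single-digit days with a space; collapse it before parsing.
    ts = datetime.strptime(re.sub(r" +", " ", m["ts"]), "%a %b %d %H:%M:%S %Y")
    return ts, m["user"], m["result"], m["ip"]


def audit_logins(log_text: str, fail_threshold: int = 3,
                 window: timedelta = timedelta(minutes=1)) -> List[Tuple[str, str, str]]:
    """Return findings as (kind, ip, detail).

    brute_force: at least fail_threshold failures from one IP inside window.
    success_after_failures: a successful login from an IP with failures still
    inside the window, i.e. the guess (or the stolen password) worked.
    """
    findings = []
    recent_fails = defaultdict(deque)  # ip -> timestamps of failures inside window
    flagged = set()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, result, ip = parsed
        fails = recent_fails[ip]
        while fails and ts - fails[0] > window:  # slide the window forward
            fails.popleft()
        if result == "FAIL":
            fails.append(ts)
            if len(fails) >= fail_threshold and ip not in flagged:
                flagged.add(ip)
                findings.append(("brute_force", ip, f"{len(fails)} failures within {window}"))
        elif fails:
            findings.append(("success_after_failures", ip, f"user {user} at {ts.isoformat()}"))
    return findings


if __name__ == "__main__":
    for finding in audit_logins(SAMPLE_LOG):
        print(*finding)
```

The second finding is the one worth paging on: a brute-force burst that never succeeds is noise, but a success right after it means a credential is now in an attacker's hands and the account should be locked and re-issued.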
FTP has been around for more than 40 years, and we continue to see breaches like these on a regular basis. Simply put, companies need to carefully evaluate their systems to make sure their usage of technology maps to their needs. I guess I shouldn’t be surprised that data breaches via FTP still occur today, but more organizations should understand the risks involved, and seek solutions that improve all aspects of file transfer.