FTP security hole

Particularly in the early days of marketing construction collaboration technology solutions, we used to get occasional suggestions that online solutions were unnecessary as “our IT department has set up an FTP site for us to manage all that file-sharing”. Hopefully, those days are long gone, but for any construction businesses that may still be contemplating reliance on File Transfer Protocol, there is a sobering warning in several IT publications this week.

Computer Weekly, for example, reports “Hackers resell web server security credentials of thousands of companies” (the same story is also covered in ComputerWorld). US web security firm Finjan discovered an illegal database containing more than 8,700 stolen FTP server credentials, including usernames, passwords and server addresses, belonging to companies from around the world, some of whose websites are among the world’s top 100 domains. It seems anyone can purchase those credentials and use them to launch malicious attacks against the compromised systems.

Interestingly, the stolen details were being marketed at an online auction site for stolen data, using an eBay-like trading interface to value the stolen accounts in terms of the country where the server is located and the Google page ranking of the compromised server. Finjan’s Yuval Ben-Itzhak described it as an evolution in the application of Software-as-a-Service, with cybercriminals using the SaaS business model to market malware to other underworld figures. (See “Malware writers exploring Software as a Service model” and “Hackers Use SaaS To Auction FTP Passwords, Inject Code”.)

Permanent link to this article: http://extranetevolution.com/2008/02/ftp-security-ho/

1 comment

    • Dina Walters on 29 February 2008 at 3:55 pm

    In a meeting earlier this week a frustrated Livelink Workflows user suggested that perhaps we’d be better off with an FTP site. He wasn’t joking. Too bad it’s not safe!
