FTP Sites Vulnerable to Data Breaches
By Peter Piazza / NewsFactor Network
What do the U.S. Army Corps of Engineers and video-game giant Sega have in common? The answer is that both exposed sensitive data via their File Transfer Protocol (FTP) sites. While the impact on Sega was only to force the company to release information on a new game earlier than it wanted to, in the former case it could have cost the lives of soldiers in Iraq.

FTP may be a dinosaur these days, but it's being used -- or, perhaps, misused -- regularly by employees who are simply trying to do their jobs but who lack adequate tools, according to John Thielens, vice president of technology for Tumbleweed, a vendor of content-security solutions.

Employees Must Fend for Themselves

"When, for whatever reason, employees can't use e-mail -- the typical problem we have today is multimedia attachments where e-mail's not going to work -- they're looking for another solution," Thielens told us. Finding a solution, however, is often left to the user. Thielens noted that one survey showed 42 percent of companies don't tell employees what to do when that situation occurs. What happens then? "People make things up," he said.

FTP is often the solution employees come up with. It's ubiquitous, built into Web browsers so that users don't always even realize they're working with it. But Thielens noted that FTP is often left unsecured, with anonymous access allowed. That's not only a problem that can result in leaking important information to a competitor (or, as in the case of the Army Corps of Engineers situation, to the press). It means there's no audit trail, which can be particularly serious if the company is subject to disclosure laws.

All that's known, Thielens said, is that somebody accessed the site and took the information -- but there's no way to tell who.

Freeware Analysis Tool

Tumbleweed is debuting a freeware program at the upcoming RSA Conference called FTP Analyzer. "What we're trying to do with FTP Analyzer is raise awareness of the use of FTP because it's so ubiquitous," Thielens said. "It's not impossible to use FTP securely, but typically it isn't used safely."

FTP Analyzer is a simple-to-use tool that watches network traffic, looking specifically for FTP traffic. When it sees that traffic, it performs some analysis and provides a brief PDF summary of what it's seen. The product will note user names and passwords that passed by in the clear, as well as filenames.
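
The kind of summary described above can be illustrated with a short script. This is an added example, not Tumbleweed's FTP Analyzer or any code from the vendor. It reads a constructed transcript of FTP control-channel lines (the `s1`/`C:`/`S:` layout and every value in it are made up for the illustration) and reports, per session, whether the login was anonymous, whether a password crossed the wire in the clear, and which files were named. It records that a password was seen, never the password itself.

```python
import re
from collections import defaultdict

# Constructed sample: client commands ("C:") and server replies ("S:") from
# FTP control connections, each line tagged with a made-up session id.
SAMPLE = """\
s1 C: USER anonymous
s1 S: 331 Please specify the password.
s1 C: PASS guest@example.com
s1 S: 230 Login successful.
s1 C: RETR plans/site-layout.pdf
s2 C: USER jdoe
s2 S: 331 Please specify the password.
s2 C: PASS hunter2-constructed
s2 S: 230 Login successful.
s2 C: STOR q3-forecast.xls
s3 C: AUTH TLS
s3 S: 234 Proceed with negotiation.
"""

LINE = re.compile(r"^(\S+) ([CS]): (\S+)(?: (.*))?$")
ANON_USERS = {"anonymous", "ftp"}  # conventional anonymous login names

def analyze(transcript):
    """Summarize cleartext exposure per session; passwords are never stored."""
    sessions = defaultdict(lambda: {"user": None, "anonymous": False,
                                    "cleartext_password": False,
                                    "logged_in": False, "tls": False, "files": []})
    for raw in transcript.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        sid, side, word, arg = m.groups()
        s = sessions[sid]
        if side == "C":
            cmd = word.upper()
            if cmd == "USER":
                s["user"] = arg
                s["anonymous"] = (arg or "").lower() in ANON_USERS
            elif cmd == "PASS":
                s["cleartext_password"] = True  # record the fact, not the value
            elif cmd in ("RETR", "STOR"):       # download / upload by file name
                s["files"].append((cmd, arg))
        elif word == "230":                     # server reply: user logged in
            s["logged_in"] = True
        elif word == "234":                     # server accepted AUTH (TLS follows)
            s["tls"] = True
    return dict(sessions)
```

A session that upgrades with `AUTH TLS` shows no user name, password or filename afterwards, which is the contrast with the two cleartext sessions in the sample.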

The tool doesn't go beyond highlighting the extent of FTP usage on a network, Thielens said, but later this year Tumbleweed will roll out more sophisticated tools that will allow users to engage in managed file transfers from within the e-mail environment, with all necessary controls and filters.

In the meantime, good practices and common sense can help prevent problems. "This would include making sure that you're not using anonymous access or some other kind of public access," as well as staying away from shared accounts where credentials can be swapped, Thielens said. He also recommends implementing "file-purging procedures on FTP and other file servers, so even if data is sitting there, it's there for a day or a week, but not forever."

Finally, Thielens advises, "Implement some sort of user ID scrubbing, so that accounts that are disused or eliminated no longer have access."

© Copyright 2017 NewsFactor Network. All rights reserved. Member of Accuserve Ad Network.