2008-12-04

The dangers of proliferation of shared FTP accounts

In a medium sized education organization which shall remain anonymous; FTP and windows file sharing is the file transport of choice for distributing small reports and data chunks. For a long time when a ftp account was needed the person would simply call up the first person who maintained a server that came to mind and had one created. The new ftp account was then fed into a script on the database server (mainframe or AS/400) which then once a day/month/year it spit out a report and uploaded it to the server where (someone/something/every one) picked it up and either loaded it into a different script, or dumped it into a spread sheet, did their business then deleted it and went to lunch.

This has gone on for decades with out some one pointing out that there is something wrong with this process.

Let me count the ways this is wrong:
1. It's not encrypted.
Packet sniffers are very easy to implement even on a switched LAN.
2. There is no way to prove that the remote host is what it says it is.
Server spoofing via DNS or Denial of Service.
3. Access control (in this case) isn't managed.
Static user names and passwords being passed in the clear.
4. Proliferation of potentially sensitive data
Just about every industry is required by law to protect certain kinds of data.
5. Use of old and un-maintainable server for warehousing information.
No warranty, use of old 3rd party software which is unmaintained, End-of-life OS.
It's potential for being 0wned is pretty high.
6. Total disregard of Intranet and Internet facing status of server.

Why? You ask has this issue been allowed to even occur?

Reason #1 Impending retirement. Why would some one who is retiring in 5 or so years would want to learn something new? Ftp and windows file sharing is well known. Ftp has been used on open systems since their inception so everybody supports it. (I mean the standard supports 7 bit file transfers, from the time when bits were expensive, really when is the last time you NEEDED to transfer something using 7 bits as opposed to 8bits?).

Reason #2 Bypassing the chain of command. Why follow protocol and make an official request when you can call the person maintaining the server and have them do it for you.

Reason #3 Maintainers versus dedicated IT staff. In most small and medium organizations, they cant afford dedicated IT staff so they give the position to some one who already does something else. The problem is that the person just puts out fires and performs maintenance. They don't keep up on industry issues and so long as the server limps along everything is fine.

Conclusion:
Because the chain of command is bypassed the Network Administrator isn't aware of it. And the only way he or she will find out about it is either an audit, if it fails or if the server is totally Pwned and now is now selling generic Viagra. Should the latter be the case, a pile of finger pointing ensues and you can guess the rest.

Alternatives:

The solution is finding a suitable replacement technology which is secure and possesses controls on access and availability yet is similar to an existing process so you take advantage of the users existing habits instead of putting them into an uncomfortable situation of learning some "NEW" computer process.

  1. Pre configuring the email client to use encryption. Email is one of those skills that every one knows or should know.
  2. Implement Ftp over SSL on a managed file server .(Windows, Linux, Novell ...etc) Most of them have some form of secure drive mapping or mounting which is done transparently to the user. This really is the best choice because most modern server platforms possess some form of auditing features which allow you to track access to resources and or files.
  3. Secure web application for reports and data. Automate the process and load it into a database then generate the reports on a web page or make it available as a download. A well designed web system can contain all of the controls to keep data safe. Surfing the web is a national pastime, provided you make a usable web interface.
Perhaps in conjunction with...
  1. Controlling movement of data. Prevention of use of external storage devices.
  2. Encrypting file contents using authentication. Smart cards, public/private keys, hardware keys...etc
Information security is not about being perfectly secure, it's about maintaining a good balance of security vs. usability.

blog comments powered by Disqus