Hackers Sweep Up FTP Credentials For the New York Times, UNICEF and 7,000 Others

← Back to Stories (view on slashdot.org)

Hackers Sweep Up FTP Credentials For the New York Times, UNICEF and 7,000 Others

Posted by Soulskill on Friday February 14, 2014 @01:47AM from the out-of-sight-out-of-mind dept.

SpacemanukBEJY.53u writes "Alex Holden of Hold Security has come forward with a significant find: a 7,000-strong list of FTP sites run by a variety of companies, complete with login credentials. The affected companies include The New York Times and UNICEF. The hackers have uploaded malicious PHP scripts in some cases, perhaps as a launch pad for further attacks. The passwords for the FTP applications are complex and not default ones, indicating the hackers may have other malware installed on people's systems in those organizations."

51 comments

Min score:

Reason:

Sort:

A standard multi-layer attack by Opportunist · 2014-02-14 01:50 · Score: 4, Interesting

Pretty common today, I am kinda surprised this is news.
Basically what happens is that you get a few passwords, fire them against some servers that you know or assume the person it belongs to has some kind of access to (people routinely reuse passwords), if you get access to some webpage, slip in some code that loads malware to infect everyone visiting the webpage, rinse and repeat.
It would be interesting to model the "spread" of this way of password gathering. I wouldn't be surprised if it would show similar patterns to the spread of a (RL) infection.

--
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
1. Re:A standard multi-layer attack by xxxJonBoyxxx · 2014-02-14 03:13 · Score: 3, Informative
  
  As a "pen tester"... Since FTP servers aren't often monitored as closely as higher-profile web applications, but are still often tied into a company's AD or other common credential store, they're often a great resource to use if you want to harvest some high-value credentials before you go on site. (I like to use this:
  http://www.filetransferconsult... for that.)
2. Re:A standard multi-layer attack by Opportunist · 2014-02-14 03:31 · Score: 3, Interesting
  
  Too true. Actually it's scary how neglected a lot of "secondary resources" like FTP servers are in terms of security. You'll often find some outside pointing FTP or other "odd protocol" servers at some companies that have not been updated for ages.
  The story behind those servers is usually that they were required for some project ages ago when a business partner insisted in using some "odd" protocol, they haphazardly set it up (usually done by an admin who went down a "how-to for dummies", not because he is stupid but usually because he lacks the time he'd have to invest into learning the ins and outs of the server to set it up properly), fiddled with it until it kinda-sorta worked and let them transfer whatever data they had to move. Then the server gets forgotten and is left running because "they don't cost anything","we might need it again one day and it took so long to get it running" and "they don't contain any valuable data".
  Well, no valuable data besides the credentials of its users.
  This works well for a line of services aside of FTP servers. The more obscure and the less widely used, the higher your chance to find some exploit for it (if you need an exploit at all because, as stated above, the admin more likely than not left out a critical security step).
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
3. Re:A standard multi-layer attack by Anonymous Coward · 2014-02-14 03:52 · Score: 0
  
  As a "pen tester" you sir use crappy SK tools.
4. Re:A standard multi-layer attack by Anonymous Coward · 2014-02-14 04:45 · Score: 0
  
  I know this scenario all too well.
  Came on board to a company and found some past admin had a plain-text FTP server running on the same server that was hosting client's e-commerce sites / credit card orders. Thought, well that shouldn't be there. So I turned it off. Upper management came out of the wood work to complain that they could no longer upload files to the web server through Internet Explorer...
  It took about a year of tracking people down and getting them switched over to using drop box. Turned out everyone was just sharing the same account, so we had no idea who had access or how many people were actually using the server. Every time we thought we had caught all the FTP users and turned it off we would discover yet another. And trying to convince management of the security issues was like talking to the wind.
5. Re:A standard multi-layer attack by mlts · 2014-02-14 05:03 · Score: 1
  
  I've not understood why the FTP servers at least had some sanity checks on them, if unencrypted FTP has to be used:
  1: If the server is used by business "A" to feed business "B" data to their server, then business "B"'s FTP server should have TCP wrappers installed/configured, and business "A"' should consider using a static IP address for outgoing stuff. This won't help much with authentication, but passwords cannot be brute forced if the server doesn't allow connections in the first place.
  2: Even better, both business "A" and business "B" should have their routers do tunneling so the FTP server can sit on a DMZ and not be exposed to the raw Internet.
6. Re:A standard multi-layer attack by Opportunist · 2014-02-14 05:13 · Score: 1
  
  Write a little memo, tell them of the (criminal) implications and that it's now their problem to make a decision.
  Trust me. You'll have one VERY quickly.
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
7. Re:A standard multi-layer attack by Anonymous Coward · 2014-02-14 07:43 · Score: 1
  
  Yep, you'll get your decision from them. Their decision will be that they no longer need you.
8. Re:A standard multi-layer attack by Anonymous Coward · 2014-02-14 10:06 · Score: 0
  
  These people are idiots. So are UNICEF admins and NYT admins and a few other major news papers' admins. Listen, the Unicef site has had the same db injection bug for YEARS now, same goes for NYT ..shit i alerted the world bank about their idiotic access injection...in 2008.. it's still there. Nothing to see here. Circulating password lists lord knows how many has used and abused is not particularly hacker. Can we PLEASE start calling these folks for what they are? Criminals, spies, etc. There are many names, hacker is not one of them. Please stop giving us a bad name by comparing us to ...that. Let me make it clear: Especially government systems are poorly maintained, however the only ones dumb enough to fuck with them are the people who don't know better.
  PS. The easiest way to steals someone l/p and will and has been for ages, ASN/1 prefix poisoning in BGP. NSA adopted this. Mudge warned congress in '98 about it.
9. Re:A standard multi-layer attack by Opportunist · 2014-02-16 01:35 · Score: 1
  
  In this case I have another addressee for the memo...
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Useless Article by Anonymous Coward · 2014-02-14 01:53 · Score: 1

How does one check to see if they are on this list?
1. Re:Useless Article by alen · 2014-02-14 01:58 · Score: 1
  
  you pay this guy money
2. Re:Useless Article by X0563511 · 2014-02-14 02:02 · Score: 1
  
  "Hey! We found this thing! It's pretty dangerous, so we can't tell you any more."
  
  --
  For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
3. Re:Useless Article by Virtucon · 2014-02-14 02:28 · Score: 1
  
  "Uh you're doing it wrong." FTFY
  
  --
  Harrison's Postulate - "For every action there is an equal and opposite criticism"
Beta! by ArsenneLupin · 2014-02-14 01:58 · Score: 0, Troll

(n/t)
Related to malicious filezilla? by chalkyj · 2014-02-14 01:58 · Score: 5, Insightful

http://it.slashdot.org/story/1... May be related to something like this.
vsftpd, anyone ? by vikingpower · 2014-02-14 02:07 · Score: 1

I mean hey, design for security *does* exist, after all.

--
Religous speak to God. Insane are spoken to by God. When all shut up, one can finally hear Shostakovich in peace
1. Re:vsftpd, anyone ? by Gerald · 2014-02-14 03:27 · Score: 1
  
  vsftpd is great but it can't fix a terrible protocol.
Leaked passwords in FTP? by gmuslera · 2014-02-14 02:13 · Score: 1

Who will know that that kind of things would be possible in a protocol where login credentials are transfered in plain text.
1. Re:Leaked passwords in FTP? by Viol8 · 2014-02-14 02:20 · Score: 1
  
  "ftp" is usually synonymous with sftp these days, though of course if you use 12345 or similar as your password you might as well just tie a print out of all your important data to a dogs tail and let it run through a town centre for all the good public-private key encryption will do you.
2. Re:Leaked passwords in FTP? by gmuslera · 2014-02-14 02:42 · Score: 1
  
  While people take them as synonymous will think that one is as safe as the other will keep using the "wrong" one. From the article can't tell if any, most or all were plain, old, legacy ftp instead of sftp.
3. Re:Leaked passwords in FTP? by mlts · 2014-02-14 03:16 · Score: 2
  
  I've seen some confusion about the term sftp:
  1: It can mean FTP over SSL/TLS.
  2: It can mean creating a SSH tunnel, then using "plain old" FTP [1].
  3: It can mean using ssh's file transport protocol which has nothing to do with the old FTP method.
  [1]: This is harder than it looks with even passive FTP, especially with Windows boxes.
  When I see "sftp", I think the ssh facility, but I always try to make sure it is clear what I'm meaning.
  Maybe I'm just naive, but if one is using SSH or FTP over the Internet, shouldn't it be par for the course to use public key authentication, perhaps with a two factor system as backup? That way, if a SSH server gets compromised, there are no passwords for an attacker to steal. This is just basic stuff, like configuring your Exchange server to not relay every message sent to it.
Guess they didnt do a Beta by Anonymous Coward · 2014-02-14 02:17 · Score: -1

Cause they would of have died before. BETA fuckeerss
"Credentials" by Anonymous Coward · 2014-02-14 02:20 · Score: -1

Is that what they are calling a user ID and password these days? "Credentials"?
lol
(I know, I know, in the computer "science" profession, that term has specific meaning. Still, there is a certain douchiness about this usage which I find nauseating).
1. Re:"Credentials" by Sockatume · 2014-02-14 02:29 · Score: 4, Funny
  
  Finds comp sci terminology nauseating, uses term "douchiness".
  
  --
  No kidding!!! What do you say at this point?
where is the leak? by Anonymous Coward · 2014-02-14 02:21 · Score: 1

Just because the passwords were leaked does _not necessarily_ mean that plaintext passwords enabled it. There are multiple attack scenarios that exist that would have just as easily compromised SSH passwords.
1. Re:where is the leak? by gmuslera · 2014-02-14 02:45 · Score: 3, Insightful
  
  But if is plaintext it don't need to be a very complex one. That the report is for ftp servers and no ssh/enterprise/etc servers points in that direction, Occam's razor sometimes is right.
Incomplete summary by sootman · 2014-02-14 02:24 · Score: 5, Informative

The summary was missing a couple important words. I've added them below:
The passwords for the FTP applications, which are transmitted unencrypted because that's just how FTP is and it doesnt matter if your password is "kjasdfkljlYSU87fyue847thIP&SH&&CDFO$Wfhi7qe4h5fo78aegh4fai7oshc7o8vae4hf84" or "correct horse battery staple" because a third-grader could sniff the traffic with decade-old tools, are complex and not default ones

--
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
1. Re:Incomplete summary by Anonymous Coward · 2014-02-14 02:35 · Score: 1
  
  So, your password is "correct horse battery staple"?
2. Re:Incomplete summary by Danathar · 2014-02-14 03:00 · Score: 1
  
  FTP is only plaintext if it's FTP without encryption.
  Technically you can still use FTP with SSL which is called FTPS. (although I like to use SFTP which also technically is a totally different monster)
3. Re:Incomplete summary by Anonymous Coward · 2014-02-14 05:54 · Score: 0
  
  FTP is only plaintext if it's FTP without encryption.
  Technically you can still use FTP with SSL which is called FTPS. (although I like to use SFTP which also technically is a totally different monster)
  Today, FTP with SSL is known as a web portal for 99.999% of companies out there. They wouldn't bother slapping lipstick on a pig.
4. Re:Incomplete summary by Anonymous Coward · 2014-02-14 06:38 · Score: 1
  
  FTP is only plaintext if it's FTP without encryption.
  Technically you can still use FTP with SSL which is called FTPS. (although I like to use SFTP which also technically is a totally different monster)
  Today, FTP with SSL is known as a web portal for 99.999% of companies out there. They wouldn't bother slapping lipstick on a pig.
  So they slapped makeup, eyeshadow, and blush on the pig, and called it a "web portal" instead?
FTP still? by Virtucon · 2014-02-14 02:27 · Score: 2, Insightful

Wow, I guess we are back in the 70s..

--
Harrison's Postulate - "For every action there is an equal and opposite criticism"
1. Re:FTP still? by Anonymous Coward · 2014-02-14 03:41 · Score: 1
  
  There are still gopher servers out there
  http://wt.gopherite.org/
2. Re:FTP still? by Bogtha · 2014-02-14 03:58 · Score: 2
  
  In case anybody thinks you are exaggerating: FTP was designed back in 1971. These companies are using a protocol with terrible security because it wasn't designed to be used on the public Internet - because the Internet wasn't even invented back then.
  Anybody who seriously suggests FTP in this day and age needs to be told in no uncertain terms that this is an obsolete, pain in the arse protocol that should have died a long time ago.
  
  --
  Bogtha Bogtha Bogtha
3. Re:FTP still? by dejanc · 2014-02-14 04:25 · Score: 1
  
  While I don't know what's NY Times' excuse, Cpanel, which powers a lot of servers on the internet still relies heavily on FTP. And Cpanel, while primarily designed to manage shared hosting, is not limited to shared hosts only, many people choose to have it installed on their VPS or dedicated server.
  
  For many web developers, process of deployment is still uploading via FTP, which is both insecure and inconvenient, but I see it very often.
4. Re:FTP still? by cyborg_monkey · 2014-02-14 05:41 · Score: -1
  
  You have no idea what you're talking about.
5. Re:FTP still? by WuphonsReach · 2014-02-17 05:44 · Score: 1
  
  FTP is fine for suitable purposes, which limits it to:
  
  Anonymous upload directory (where downloads are prohibited), and anonymous downloads (public dissemination of information). Being a lowest common denominator, your clients don't need special software to push files to the uploads directory or to download files.
  
  But beyond that, you should be using HTTPS pages or SCP or something else...
  
  --
  Wolde you bothe eate your cake, and have your cake?
filezilla by taikedz · 2014-02-14 02:29 · Score: 3, Interesting

Wonder if this could be related to the rogue filezilla....?

--
-- "Simplicity is prerequisite for reliability." --Dijkstra
Ads With Sound? by Anonymous Coward · 2014-02-14 02:31 · Score: -1

Holy crap - even classic /. is playing ads with auto-play sound? When will the insanity end? Did someone turn off the common sense filter over there?
1. Re:Ads With Sound? by Anonymous Coward · 2014-02-14 02:38 · Score: -1
  
  I don't see any ads.
  Apparently you are too stupid to use the Internets.
2. Re:Ads With Sound? by Anonymous Coward · 2014-02-14 02:56 · Score: 1
  
  It's not stupidity. There are advertisements in Slashdot.
  You are probably just logged in and have enabled the "Disable Advertising" checkbox.
3. Re:Ads With Sound? by Anonymous Coward · 2014-02-14 05:10 · Score: 1
  
  Yes, you're probably right. When I typed in www.slashdot.org, and subsequently heard an auto advertisement coming out of my speakers, and a video playing in the lower right hand corner of the browser window, that was clearly my fault. We all know that every visitor gets the exact some advertisements. I will stop using the "Internets" as you refer to them.
4. Re:Ads With Sound? by RobertLTux · 2014-02-14 07:19 · Score: 1
  
  Did you know that Adblock Plus is available for all of FireFox Chrome and MSIE?? With the proper settings you see like almost NO ADS.
  
  --
  Any person using FTFY or editing my postings agrees to a US$50.00 charge
I simply don't understand by Anonymous Coward · 2014-02-14 04:27 · Score: 1

why people are not using secure comms. No one should be using FTP for anything anymore except maybe internally. All Internet-facing servers and services should, by law, be forced to be encrypted. Enough of this cracking nonsense already. It's the same crap with MS and admin by default out of the box. As an IT guy, 95% of the malware out there could be stopped by not surfing the net with admin privileges. Are we all stupid? SSH, SSL, TLS, IKE, whatever you want to use, just use it already.
1. Re:I simply don't understand by tlhIngan · 2014-02-14 05:37 · Score: 2
  
  why people are not using secure comms. No one should be using FTP for anything anymore except maybe internally. All Internet-facing servers and services should, by law, be forced to be encrypted. Enough of this cracking nonsense already. It's the same crap with MS and admin by default out of the box. As an IT guy, 95% of the malware out there could be stopped by not surfing the net with admin privileges. Are we all stupid? SSH, SSL, TLS, IKE, whatever you want to use, just use it already.
  FTP is used by a lot of companies to send files. In fact, the #1 way to send files is email attachments. Followed by FTP. The first generally gets through, the second is also about the only protocol open by most corporate firewalls for outgoing connections. You can't count on ftps or sftp or ssh. Just ports 21, 80 and 443 being let out on the Internet.
  FTP is a horrible protocol - it's not firewall friendly (even in passive mode), so most firewalls have an application-layer gateway module to handle it.
  But it's also about the only way to get files reliabily sent and received by people in companies. Plus, people normally have to install zero software to do it. Everything else typically requires installation of software which requires going to corporate IT, etc. etc. etc.
2. Re:I simply don't understand by Anonymous Coward · 2014-02-14 06:30 · Score: 1
  
  It you've been infected by credential stealing malware then the protocol doesn't matter.
3. Re: I simply don't understand by Anonymous Coward · 2014-02-14 08:06 · Score: 0
  
  Port 20?
4. Re:I simply don't understand by Obfuscant · 2014-02-14 08:07 · Score: 2
  
  But it's also about the only way to get files reliabily sent and received by people in companies.
  People should use the tools that work. Emailing a 100Mb file to someone is horrible and breaks many mail clients. Emailing a 100Mb file to 100 someones is, well, ridiculous. Sourcing a 100Mb file to anyone who wants it is, well, a very good job for FTP.
  Why not HTTP? I trust my FTP server security more than I do my web server. Not that I don't trust my web server, but one is a relatively simple tool doing something relatively simple, the other is modules this and access that and URLs that do special things ... And I don't trust PUT at all for incoming material.
  Of course, I still use UUCP. It. Just. Works.
5. Re:I simply don't understand by Anonymous Coward · 2014-02-14 12:44 · Score: 0
  
  why people are not using secure comms. No one should be using FTP for anything anymore except maybe internally. All Internet-facing servers and services should, by law, be forced to be encrypted. Enough of this cracking nonsense already. It's the same crap with MS and admin by default out of the box. As an IT guy, 95% of the malware out there could be stopped by not surfing the net with admin privileges. Are we all stupid? SSH, SSL, TLS, IKE, whatever you want to use, just use it already.
  There are often very valid reasons.
  Similar but not the same for HTTP vs HTTPS. Try coding a web server that includes HTTPS or finding a componentised one that can be linked into a library. Coding a limited HTTP client request or server is trivial using standard socket stuff in vanilla C - it's just sockets. And there are good libraries available like curl. Try doing that with HTTPS - whole different story. You'd be crazy to do it from scratch as part of an application, and libraries are expensive if they're available. So if your custom software needs to interact with a web service for example, you end up dumbing it down to HTTP, especially if it's internal.
6. Re:I simply don't understand by mars-nl · 2014-02-14 14:31 · Score: 1
  
  Isn't a firewall supposed to make your network safer? If the firewall prevents you from using SSH/SCP and forces you to use plain text FTP, what is the point of this firewall? I see many people using all kinds of unsafe cloud solutions to avoid NAT and firewalls. It's the wrong solution.