Hacker Steals Military Docs Because Someone Didn't Change a Default FTP Password (bleepingcomputer.com)

← Back to Stories (view on slashdot.org)

Hacker Steals Military Docs Because Someone Didn't Change a Default FTP Password (bleepingcomputer.com)

Posted by msmash on Wednesday July 11, 2018 @04:03AM from the how-about-that dept.

New submitter secwatcher shares a report: A hacker is selling sensitive military documents on online hacking forums, a security firm has discovered. Some of the sensitive documents put up for sale include maintenance course books for servicing MQ-9 Reaper drones, and various training manuals describing comment deployment tactics for improvised explosive device (IED), an M1 ABRAMS tank operation manual, a crewman training and survival manual, and a document detailing tank platoon tactics. US-based threat intelligence firm Recorded Future discovered the documents for sale online. They say the hacker was selling the data for a price between $150 and $200, a very low asking price for such data. Recorded Future says it engaged the hacker online and discovered that he used Shodan to hunt down specific types of Netgear routers that use a known default FTP password. The hacker used this FTP password to gain access to some of these routers, some of which were located in military facilities, he said.

81 of 128 comments (clear)

Min score:

Reason:

Sort:

Never attribute to malice by Anonymous Coward · 2018-07-11 04:10 · Score: 1

Which can easily be explained by stupidity.
This is one of those times.
1. Re:Never attribute to malice by bobbied · 2018-07-11 04:16 · Score: 2
  
  Lowest bidder perhaps?
  
  --
  "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
2. Re:Never attribute to malice by b0s0z0ku · 2018-07-11 04:17 · Score: 3, Insightful
  
  Netgear routers is one thing - using them as NAS servers for sensitive data is a whole other special kind of stupid.
3. Re:Never attribute to malice by MightyMartian · 2018-07-11 04:41 · Score: 5, Informative
  
  The fact that FTP is being used at all is a big red flag for me. Unless it's sitting inside a fully encrypted tunnel, an FTP password is so trivial to steal even if it isn't an obvious password. There may be a few cases where one has to use FTP, but where I have been forced to use it (old hardware), it's ringfenced like nuts, and I'm not going to have an FTP server open on the Internet, unless it's some sort of publicly available archive where I don't care who downloads off of it.
  
  --
  The world's burning. Moped Jesus spotted on I50. Details at 11.
4. Re:Never attribute to malice by bobbied · 2018-07-11 04:41 · Score: 2
  
  No offence to the military.. But they are not generally staffed with the cream of the crop down where things are getting fixed.
  The standard joke for Military Aircraft goes like this.. They are designed by PHD's, Flown by college graduates, and maintained by high school dropouts.
  I can tell you that the intelligence of your average flight line maintainer isn't going to be anything to write home about. Some of them can think, but most just blindly follow the diagnostic trees provided by the PHD's who built the system they are maintaining. And yes, I've dealt with this personally.
  
  --
  "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
5. Re:Never attribute to malice by Moryath · 2018-07-11 05:16 · Score: 1
  
  You just explained most military things. Even worse when it comes to anything that could have an off-the-shelf version. My grandpa used to explain it this way - in WW2, the ironic battle cry among the troops was "remember boys, your guns were made by the lowest bidder."
6. Re:Never attribute to malice by CaptainDork · 2018-07-11 05:49 · Score: 1, Interesting
  
  I'm insulted.
  Unlike you, I was a high school graduate who joined the Navy in 1965.
  I went to 10 months, 8 hour days of school at NAS Memphis studying electronics.
  After being in the field a year, I went back to NAS Memphis for another 10 months, 8 hour days of advanced training.
  From NAS Jax, I went to schools at NAS Key West on radars, altimeters, magnetometers, airborne anti-submarine computers, radios, sonobouys, sonar transponders, and a bunch of other shit.
  I did 9 years, serving alongside some very smart, dedicated individuals, both in the air groups and ship's company aboard air craft carriers; enlisted and officer.
  When discussing the military, your remarks would be better posed as a questions.
  
  --
  It little behooves the best of us to comment on the rest of us.
7. Re:Never attribute to malice by currently_awake · 2018-07-11 06:08 · Score: 1
  
  If the military hired PHD's to maintain their equipment the payroll budget would tripple. The less the military spends on stuff, the more combat missions they can accomplish.
8. Re:Never attribute to malice by Anonymous Coward · 2018-07-11 06:11 · Score: 3, Funny
  
  They didn't have NAS back in 1965. It was the early 1980s before any such concept was even developed. Don't be lying to us.
9. Re:Never attribute to malice by rally2xs · 2018-07-11 06:13 · Score: 1
  
  Because they don't want it to cost nearly 2 Trillion a year, which it might if they contracted for custom routers that were not available commercially.
10. Re:Never attribute to malice by bobbied · 2018-07-11 07:16 · Score: 2
  
  You obviously are one of the ones who can think... I've run into flight line personnel who when though all the same schools you claim and came out not knowing how to measure current coming from a DC power supply on the test bench. I'm talking about folks who did the schools and completed their enlistments fixing airplanes. I've also been responsible for producing automated test equipment for squadrons to test avionics with. I can attest with assurance that if something requires a bit of thought and understanding by the flight line, they are unlikely to figure it out.
  I've seen many cases where the fault trees clearly would have worked if followed and times where lacking understanding of what the callout was actually saying (say a short to ground fault) caused a pile of unnecessary stuff to get done when a bit of looking at the blackened traces and bent pins would have been in order. There truly are some idiots on the flight line who don't engage the brain and don't have enough experience to fix much of anything, though they've had all the necessary training to be qualified to throw black boxes at the aircraft until it happened to work.
  I've also seen the good folks who actually understood what they where working on who could just about diagnose the problem by just standing next to the aircraft and watching the BIT run. I've seen these types tell me exactly what two connectors to pull off and which pins to check when specific failures happened.... Loved working with and training these guys/gals who had a clue and engaged their brains, but they where the exceptions.
  Face it, military pay isn't all that competitive and the good technical folks out there are unlikely to accept the working conditions and risks that come with the job if industry is paying more for only 40 hours/week and little risk of not being home in your bed at night. It's not surprising that military maintenance people are not always top in their fields.
  
  --
  "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
11. Re:Never attribute to malice by ole_timer · 2018-07-11 07:17 · Score: 1
  
  you mean trippple...
  
  --
  nothing to see here - move along
12. Re:Never attribute to malice by dgatwood · 2018-07-11 07:41 · Score: 1
  The fact that FTP is being used at all is a big red flag for me. Unless it's sitting inside a fully encrypted tunnel, an FTP password is so trivial to steal even if it isn't an obvious password. There may be a few cases where one has to use FTP, but where I have been forced to use it (old hardware), it's ringfenced like nuts, and I'm not going to have an FTP server open on the Internet, unless it's some sort of publicly available archive where I don't care who downloads off of it.
  The fact that a NAS supports FTP at all is a *giant* red flag, and I'm not just talking about security. It should be somewhere between difficult and impossible to get an FTP server running on a NAS. A web server is superior in every way:
  
  Web servers can be secured with TLS.
  Web servers provide encrypted password transport even if the connection isn't encrypted (digest auth).
  Web servers support continuing a download where you left off, rather than fetching the entire resource.
  Other than for backwards compatibility with legacy systems that can only fetch data via FTP, there is absolutely no reason why anyone should set up an FTP server in this day and age, period. And this has been true for the better part of two decades. We're at the point where the vendors shouldn't even offer it as an option, and you should have to jailbreak the thing first. It should be hard enough that anyone attempting it will immediately recognize that he or she is doing something that he or she shouldn't be doing long before reaching the step where he or she turns on FTP — like three hours before.
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
13. Re: Never attribute to malice by c6gunner · 2018-07-11 08:07 · Score: 1
  
  Some of them can think, but most just blindly follow the diagnostic trees provided by the PHD's who built the system they are maintaining.
  That's got nothing to do with the military; it's the aerospace industry in general. Maintenance has to be done as per approved manufacturer defined procedures, otherwise you're in violation of all sorts of airworthiness policies. The days when you could slap together a temporary fix with duct tape and bubblegum are long gone.
  There's still some thought involved in actually knowing the systems and being able to figure out which parts of the "diagnostics trees" are worth following in any given circumstance (or what to do when there aren't any to follow), but that's about it.
14. Re:Never attribute to malice by Anonymous Coward · 2018-07-11 08:45 · Score: 1
  
  It should be somewhere between difficult and impossible to get an FTP server running on a NAS. A web server is superior in every way:
  Web servers can be secured with TLS.
  Web servers provide encrypted password transport even if the connection isn't encrypted (digest auth).
  Web servers support continuing a download where you left off, rather than fetching the entire resource.
  That doesn't quite add up. An FTP server can do all of the things you have listed too.
  FTPS is to FTP what HTTPS is to HTTP, and mostly works the same.
  FTPS protects the command channel and your password using TLS, just as a webserver does.
  FTPS can protect the data channel with SSL as well.
  Both can use the same signed certificates to defer trust of domain name ownership or use self-signed ones if that's good enough.
  The FTP protocol in whole has supported the REST command to restart transfers since the mid 80s, a good 8 years before HTTP existed and another few years until HTTP supported it in the protocol.
  I think you are mistakenly linking "web server" to "https" and "ftp server" to plain old "ftp" without the "S"
  While I agree any NAS maker provided FTP packages should include FTPS out of the box, I would also argue that requirement for a web server as well, requiring HTTPS out of the box.
  Just using a "web server" as you defined it can just as easily mean http only and no https, which not only isn't superior, but is equally as bad of a thing to do in this context.
15. Re: Never attribute to malice by bobbied · 2018-07-11 08:56 · Score: 1
  
  I said "blindly" following the diagnostic tree. Such trees MUST assume single faults or they would be impossible to write. Multiple faults can send the fault isolation down the wrong path and lead to ineffective repairs. In such cases I've seen multiple attempts to "fix" the issue multiple times using exactly the same repair as if doing the same thing twice in a row will fix it the second time. Forget looking at that connector you just removed, twice now...
  Sometimes, the source of the issue is blatantly obvious if you step back and consider how the system works and what the problem report is saying and I've seen techs plodding down the diagnostic trees which obviously didn't matter. Oh hey, what's that black place on this connector mean? Or why did the breaker blow when that got plugged in? A bent pin maybe? No, I've got to walk down the whole diagnostic tree and only do that inspection when instructed.
  In the military's case, at least for the aircraft I worked on, the goal was to get the aircraft to pass the BIT and address all the gripes that remain unchecked by the BIT... Or get that black box to pass the "GO" tests so we can throw it on the aircraft that's down waiting for that box...
  I don't know much about commercial aircraft maintenance, but I imagine that the issue is following the procedures outlined by the manufacturer for determining if a part is serviceable and following the recommended replacement procedures. I don't see how fault isolation needs a "you have to diagnose the issue this way" process that's required by regulations (i.e. fault trees are not required to be followed). Fault trees are by nature error prone and full of holes in real life because they can only isolate faults assuming single failures. If failures only happened alone, that would be great, problem is faults often happen in groups, even unrelated faults.
  
  --
  "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
16. Re:Never attribute to malice by The-Ixian · 2018-07-11 09:27 · Score: 1
  
  +1 informative
  
  --
  My eyes reflect the stars and a smile lights up my face.
17. Re:Never attribute to malice by CaptainDork · 2018-07-11 10:05 · Score: 1
  
  Thanks.
  
  --
  It little behooves the best of us to comment on the rest of us.
18. Re:Never attribute to malice by dgatwood · 2018-07-11 10:06 · Score: 2
  
  FTPS is to FTP what HTTPS is to HTTP, and mostly works the same.
  FTPS is not nearly as broadly supported as FTP or HTTP, last I checked. In particular, unless things have changed in the last couple of years, Internet Explorer et al do not support FTPS, which makes the protocol basically DOA in a real-world environment.
  You are technically correct that FTP has a resume command. Unfortunately, last I checked, Apple's URL handling infrastructure didn't support it, which AFAIK means neither does Safari. So basically, between that and the lack of FTPS in Internet Explorer, FTP is an absolute train wreck of half-supported functionality. By contrast, both TLS and download continuation work out-of-the-box with HTTP/HTTPS in all major browsers.
  
  FTPS protects the command channel and your password using TLS, just as a webserver does.
  Web servers also support digest authentication, which keeps the password secure against all but an exact replay of the request, even over unencrypted channels. AFAIK, there's nothing equivalent in FTP, unless you count Kerberos (shudder), which is even less broadly supported than FTPS.
  
  While I agree any NAS maker provided FTP packages should include FTPS out of the box, I would also argue that requirement for a web server as well, requiring HTTPS out of the box.
  Another big difference is that people naturally assume that anything you put on a web server can be seen by anybody. The password authentication inherent in FTP creates a false sense of security, which makes the non-TLS version even more problematic than it otherwise might be.
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
19. Re:Never attribute to malice by CaptainDork · 2018-07-11 10:11 · Score: 1
  
  I will sing you the Navy Hymn: "Him, him, fuck him."
  NAS Jax (for instance):
  
  On October 15, 1940, Naval Air Station Jacksonville was officially commissioned, and became the first part of the Jacksonville Navy complex that would eventually include NAS Cecil Field and Naval Station Mayport, as well as numerous naval auxiliary air stations and outlying fields in northeast Florida.
  
  --
  It little behooves the best of us to comment on the rest of us.
20. Re:Never attribute to malice by CaptainDork · 2018-07-11 10:41 · Score: 1
  
  I can only speak of the world I lived in.
  Incompetent people washed out of school. Only 10% of us made it all the way through, both times.
  Those were the only personnel on the flight deck or on the tarmac.
  I never met anyone of any skill who was not fully qualified, whether they were loading ordinance, fixing engines or avionics, electrical systems, or dragging aircraft around or fighting fires or serving chow or keeping the fucking ship clean.
  The only goofballs I ever met were rookie ensigns and they were green and well out of harm's (and our) way.
  
  --
  It little behooves the best of us to comment on the rest of us.
21. Re:Never attribute to malice by drinkypoo · 2018-07-11 11:42 · Score: 1
  
  You are technically correct that FTP has a resume command. Unfortunately, last I checked, Apple's URL handling infrastructure didn't support it, which AFAIK means neither does Safari.
  So just another case where Apple does the wrong thing, so what? Those crop up all the time, they aren't an indictment against the protocol.
  The one and only reason not to use FTP (in the form of FTPS) is that users will have to download a client. You could use an actual FTP server locked down to prevent no transfers to transmit a URL to prospective users where they could get such a client, but it's probably easier overall to just not bother, and use a solution that lets them use their browser — even if it is badly broken.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
22. Re:Never attribute to malice by AHuxley · 2018-07-11 14:07 · Score: 1
  
  Its not a problem. The US mil likes its contractors so most work is done in plain text. So every contractor gets a fair and equal bid on any US work offered.
  So the entire US gov is wide open internally so all the contractors can bid for and keep working.
  Start adding encryption to every part of the US gov and mil and then contractors feel locked out.
  The contractors contact political leaders and demand access for their products and services.
  So any good encryption within the US gov is removed and contractors can then understand what is ready to accept their bids.
  
  Security in the US gov/mil is just as interesting when it comes to encryption.
  The US gov likes to watch data moving along networks. Who is doing what, when and how much. What data is getting searched for, moved, requested, saved. Thats easy when its all plain text and using simple computer commands.
  No spy is going to use US encryption to hide for such long term gov/mil tracking.
  The final part is the level of computer education of US gov workers in 2018.
  Having to find encryption keys, require the new key, get approved for a key for a set time is a lot of new work for people with other work to do.
  A lot of new people get hired on demographics only not their merit and for having advanced computer skills.
  So moving a lot of plain text data around is a better way of getting work done with that gov/mil work force.
  More encryption just adds to more problems trying to get support to allow access to a network/system for a set time.
  
  The final part is the way the US gov responds to security problems. The US likes to study what another nation, person is doing deep in secure US networks in real time.
  What the spy is searching for and what project names they know of. What bait networks full of fictional projects they avoid and what they know to look for.
  A very open and simple computer system allows spies deep in the US gov/mil to be tracked in real time by very advanced US security systems.
  Too much encryption would slow such tracking of all workers in the US gov/mil down. Their away from work computer use too.
  When a spy knows their computer system is locked down, cant be used, is tracked and encrypted they will ask people for information.
  The CIA and FBI cant fill the US gov with their over educated undercover staff waiting for a spy conversation to start.
  The new smart people placed as counter surveillance would get noticed for their level of education and ability to work.
  Better to have the spy search a computer network so their deep spying can be detected in real time.
  
  Thats US method of bait that caught so many spies looking up projects they had no access to deep in US networks.
  
  Until smarter nations just had a really simple idea. Copy out entire US database structures. All of it. Dont search, don't stay, don't look. Copy it all.
  The US networks are not big on encryption as every user is approved and in a secure location so the network is trusted... for a text search
  US computer security is designed for approved workers at desks in the 1970's with computer systems secure on site/base/fort.
  The rather good idea was that US intelligence officials need total access to all data in real time to look for a hint of the next Tet Offensive https://en.wikipedia.org/wiki/...
  So the US army gets the intelligence support it needs faster as all gathered information can be seen by experts. Wide open database access to approved people up and down many secret US networks. So contractors can search collected intelligence without requesting 100 of keys.
  
  It all worked so well until everything just gets copied out. Encryption would have been a good idea, not fast new networks and all the plain text.
  Now all US security experts are sure of is that data gets copied to a device in a secure US building.
  No what was searched, not who searched. Only that it was all copied out.
  
  --
  Domestic spying is now "Benign Information Gathering"
23. Re:Never attribute to malice by dgatwood · 2018-07-11 15:10 · Score: 1
  
  So just another case where Apple does the wrong thing, so what? Those crop up all the time, they aren't an indictment against the protocol.
  Apple AND Microsoft, in different ways. This is a strong hint that the industry as a whole abandoned the protocol a long time ago.
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
24. Re:Never attribute to malice by CaptainDork · 2018-07-12 02:40 · Score: 1
  
  I appreciate your civility.
  My use of jargon without explanation contributed.
  
  --
  It little behooves the best of us to comment on the rest of us.
25. Re:Never attribute to malice by stoatwblr · 2018-07-12 10:34 · Score: 1
  
  "Incompetent people washed out of school. Only 10% of us made it all the way through, both times."
  That was then, this is now.
wow - just wow by ole_timer · 2018-07-11 04:13 · Score: 2

who has netgear equipment anymore? who allows default passwords anymore? wow

--
nothing to see here - move along
1. Re: wow - just wow by Anonymous Coward · 2018-07-11 04:25 · Score: 1
  
  As bad as both of those things mentioned are, the REAL offence is that they are using the horrific unencrypted plain FTP protocol.
  It's a terrible protocol, not just as regard security but even at a functional level it's a completely fucked up protocol that just needs to die.
  I also call bullshit on anyone who claims "major" performance issues using say SSH, which can be highly tuned with the HPN-SSH patches to get wire speed.
2. Re:wow - just wow by BlueStrat · 2018-07-11 04:36 · Score: 3, Interesting
  
  who has netgear equipment anymore? who allows default passwords anymore? wow
  Yes, but let's make this all about the "hacker" and ignore anything to do with holding any US military or politicians responsible for making the breach possible. After all, cases like that of Lauri Love show that the go-to response by the US government for these sorts of situations is "kill the messenger!" whenever government incompetence and corruption are exposed, and this behavior is not limited to Left or Right. It's natural human behavior that's amplified and given power by having a too-powerful central government
  Strat
  
  --
  Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
3. Re:wow - just wow by cyberchondriac · 2018-07-11 05:41 · Score: 1
  
  Strat
  -ocaster?
  
  --
  
  Look back up at my post, now look back down, you're on the Internet. Now look back up. I'm a signature.
4. Re:wow - just wow by BlueStrat · 2018-07-11 06:22 · Score: 1
  
  Strat
  
  -ocaster?
  Yes, although I don't own and play *only* Stratocasters they are my usual "go-to" instrument. Also, the "Blue" in "BlueStrat" is not referring to a color, as any guitar I pick up is automatically "blue". ;-)
  You'll also notice, looking at my posting history, that my posts happen at wildly random times, often at oh-dark-thirty local time. The life of a working musician. It doesn't get any easier with age, either!
  Strat
  
  --
  Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
5. Re:wow - just wow by cyberchondriac · 2018-07-11 06:37 · Score: 1
  
  I remember those days ..play 'til 3am, get up for work at 7:30am, Wed and Thurs.. by Saturday night, I was a zombie. Fortunately that gig was only once every 4 to 6 weeks. That was years ago, I couldn't do that now, I'm definitely too old. Strats are great, mine is aztec gold, but I have a collection of all types.
  
  --
  
  Look back up at my post, now look back down, you're on the Internet. Now look back up. I'm a signature.
6. Re:wow - just wow by Obfuscant · 2018-07-11 06:46 · Score: 1
  
  ... ignore anything to do with holding any US military or politicians responsible for making the breach possible.
  Do the attempts at making everything Trump's fault never end? How is it a politician's fault, ANY politician's fault, if some military IT person forgot to change a password on an unused protocol before attaching a router to the network? How is not not the fault of the person attaching the router to the net, AND the Captain whose computer was broken into using that access?
  There is a later comment about "comment deployment". It's not /. fault for that one, although an editor should have caught that. The entire article is poorly written. For example, we learn therein that "MQ-9 Reaper drones are some of the most drones around ..." Perhaps the original author thinks the word "common" is too common to use in common writing and it needs to be changed or removed?
  Yes, FTP is an old protocol. It is insecure. BUT, simple tools are often the correct tools. Do you have data you need to share with a lot of people? Anonymous FTP is a good way to do that. Who cares if you can scan packets to get the password "ftp" from an anonymous session, or that you can packet scan to get the data? You can get the data from the source!
  FTP is not a blanket "shut it off" protocol. It is a "manage it properly or you'll have problems" protocol. Are there any protocols that aren't?
7. Re:wow - just wow by drinkypoo · 2018-07-11 11:10 · Score: 2
  
  Anonymous FTP doesn't provide support for partial retransmission
  What? Since when? You have to be a schmuck to support resuming anonymous uploads, but you can even do that!
  
  You get the same overall behavior as FTP, but you gain the ability to pause downloads, the ability to secure those downloads if you want to (with TLS), the ability to have passwords that are not sent in the clear, etc.
  You can do all of that with FTP, too. FTP already permits resuming downloads, FTPS is already FTP with TLS, and already protects your password.
  It's probably still smarter to use a web interface, but not because FTP can't be secured. It's only because users will have to download a secure FTP client, and they already have a web browser.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
8. Re:wow - just wow by Obfuscant · 2018-07-11 12:35 · Score: 1
  
  unless the data is very small (in which case you should probably just paste it into an email).
  You see, you assume you know the problem that FTP is solving, and you really don't. I have no intention of forcing people to send me an email asking for some data, nor do I intend on wasting my time sending them emails with all the data they want. You can come to my FTP site at any time, night or day, and get the data you want immediately, and you don't have to wait for me to see your email and have time to respond. Isn't that a Good Thing?
  I don't really care whether or not FTP supports "partial retransmission". If your connection is so bad that it stops half-way through something, well, that's your problem, and you can just re-ask for the data. Neither my server nor I care if you ask for the same thing twice.
  
  It is far better to turn on directory listings in a web server and drop the files on a web server.
  
  You don' t know the problem being solved, so you don't get to define "better". No, turning on directory listings is a security hole, so the web server I run does not have that enabled. It does have a custom view of any directories I offer, which means I can create a much more user friendly way of seeing what is there. I find the standard index display to be really awful at showing data. It's been so long since I had it turned on that I don't recall for sure, but I seem to remember one thing it does is truncate file names -- which makes it hard to figure out what is what.
  
  It really is.
  The fact you don't know how to control it, or what it can be used for, doesn't make your statement a fact. If you know how to run an FTP server you can do so quite safely.
  
  So basically, if you still need to install twenty-year-old versions of Red Hat Linux
  I've found no need to do that. I have no idea why you think this is relevant to a discussion about the use of FTP. I can't remember ever using FTP to install an OS.
  
  In fact, I would say it is worse than a "blanket 'shut it off' protocol". It's more like a "kill it with fire" protocol at this point.
  Well, you are free to have your own opinion, but making sound like it is a fact isn't convincing me. If you don't want to use it, that's fine. Denying that it has any use is simply arrogant.
9. Re:wow - just wow by AHuxley · 2018-07-11 13:31 · Score: 1
  
  The US mil and its contractors.
  
  --
  Domestic spying is now "Benign Information Gathering"
10. Re:wow - just wow by dgatwood · 2018-07-11 16:50 · Score: 1
  
  To be pedantic, FTPS is not really FTP. If you really want to support an FTPS-only solution, go for it, but since it isn't broadly supported, there's no reason to bother. And the unencrypted protocol is generally a bad idea by its very nature (authentication in the clear).
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
11. Re:wow - just wow by dgatwood · 2018-07-11 17:03 · Score: 1
  
  You see, you assume you know the problem that FTP is solving, and you really don't. I have no intention of forcing people to send me an email asking for some data, nor do I intend on wasting my time sending them emails with all the data they want. You can come to my FTP site at any time, night or day, and get the data you want immediately, and you don't have to wait for me to see your email and have time to respond. Isn't that a Good Thing?
  You can come to my website and get the same thing, and it is secured by TLS. The problem that FTP solves is better solved by other protocols. Even better, you can get nice, neat pages that organize the data in interesting ways, charts and graphs that support the data, and links to other websites that provide corroborating info. Heck, you might even be able to get a table that can sort itself when you click on the table columns....
  
  You don' t know the problem being solved, so you don't get to define "better". No, turning on directory listings is a security hole, so the web server I run does not have that enabled.
  WAT?
  If showing the directory listing via HTTP is insecure, then it is just as insecure to show it over FTP. Given that you can turn on directory listings on a per-directory-subtree basis, that logic just doesn't hold up, barring some bizarre bug in which you can somehow get the option behavior of one directory to apply to another (which would be a *colossal* security bug, and the directory listing aspect would be the least of your worries at that point).
  Turning off directory listings for security is roughly the computer security equivalent of painting over the name on your mailbox to keep people from breaking into your house.... :-)
  
  I've found no need to do that. I have no idea why you think this is relevant to a discussion about the use of FTP. I can't remember ever using FTP to install an OS.
  That's because your user ID is about 40,000 too high to remember it.
  
  In fact, I would say it is worse than a "blanket 'shut it off' protocol". It's more like a "kill it with fire" protocol at this point.
  Well, you are free to have your own opinion, but making sound like it is a fact isn't convincing me. If you don't want to use it, that's fine. Denying that it has any use is simply arrogant.
  And continuing to argue that it has some meaningful use when more modern solutions do the exact same job better is simply silly.
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
12. Re:wow - just wow by BlueStrat · 2018-07-11 19:29 · Score: 1
  
  Well met, fellow string-slinger! I'm older now, too. I play mostly festivals, fairs, casinos, and similar types of gigs where the bookings can be spread out and planned to minimize stress, which helps tremendously. It does often mean medium-long trips and odd times for my comings and goings. It's still a hell of a lot of work and energy expenditure for someone north of 60 and not in the greatest of health. But after all, "players play".
  Play on!
  Strat
  
  --
  Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
13. Re:wow - just wow by ole_timer · 2018-07-12 03:37 · Score: 1
  
  are you guessing or do you know? someone is "not so smart"
  
  --
  nothing to see here - move along
14. Re:wow - just wow by AHuxley · 2018-07-12 03:53 · Score: 1
  
  Large amounts of data has walked before. No encryption, plain text, internet connected. The people interested don't even try to search for projects when they get deep into "secure" US networks. They have the internal network freedom to copy it all out.
  US investigators seem fixated on watching what "bad" people want to do when in US mil/gov/contractor networks.
  Like a search term used could be total bait, real, a fake project, a term a spy had seen.
  So US investigators wait and see what happens as networks get accessed. They then watch as data just gets copied out in real time.
  The idea that its not 1978, 1982. The data is on a big tape that will be found in a bag, car search at the gate. So all network use has to be on the network as it cant be copied.
  
  --
  Domestic spying is now "Benign Information Gathering"
15. Re:wow - just wow by drinkypoo · 2018-07-12 04:00 · Score: 1
  
  To be pedantic, FTPS is not really FTP.
  To be pedantic, FTPS is exactly FTP with TLS and SSL. It is so much that, that you can actually connect with just FTP and then elevate to FTPS.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
16. Re:wow - just wow by pnutjam · 2018-07-12 04:46 · Score: 1
  
  Your responding to someone who thinks a network installation of an OS is esoteric. I just installed OpenSUSE 15.0 via a pxe boot and http server, could have used an ftp site, but ugh... I install Windows similarly all the time also.
  
  but good job pointing out how stupid his post is to anyone who doesn't catch that red flag.
  
  --
  Cheap storage VM.
17. Re:wow - just wow by ole_timer · 2018-07-12 05:22 · Score: 1
  
  information can be gained from seeing what they are looking for. there used to be a joke that the Chinese are so persistent looking for our five year plan and the Russians are trying to disrupt it.
  
  --
  nothing to see here - move along
18. Re:wow - just wow by Obfuscant · 2018-07-12 07:27 · Score: 1
  
  Your responding to someone who thinks a network installation of an OS is esoteric.
  
  What yanked your chain to make this idiotic statement? I install over the network ALL THE TIME, unless I've got a DVD. I just have never used FTP to do it. Not once.
  
  I just installed OpenSUSE 15.0 via a pxe boot and http server, could have used an ftp site,
  PXE and HTTP is not FTP, and I'm glad what you can do.
  
  but good job pointing out how stupid his post is to anyone who doesn't catch that red flag.
  You created a convenient red flag out of your straw man misinterpretation of what I said, and decided to make this personal. Thanks for the gumball, Popeye.
19. Re:wow - just wow by pnutjam · 2018-07-12 11:04 · Score: 1
  
  As evinced above, http and ftp serve the same purpose. Although, http is a clearly better choice.
  
  Note, this page has mirrors using both http and ftp.
  
  --
  Cheap storage VM.
20. Re:wow - just wow by Obfuscant · 2018-07-12 11:50 · Score: 1
  
  As evinced above, http and ftp serve the same purpose. Although, http is a clearly better choice.
  As evinced above, they often serve different purposes, and when that happens FTP can be the better choice. Is it really so far beyond comprehension that different protocols might have different uses that you cannot begin to imagine it even when differences are pointed out?
  
  Note, this page has mirrors using both http and ftp.
  This corrects your ridiculous claim that I find network installs to be "esoteric" exactly how? It proves that FTP has no use at all exactly how?
21. Re:wow - just wow by AHuxley · 2018-07-12 13:15 · Score: 1
  
  Re "information can be gained from seeing what they are looking for."
  The US networks are so fast, so open, not encrypted.
  The only way to get caught is to stop and type in a set of terms, questions, project names.
  The massive movement of data from and to a contractor is not see as something thats not "normal" as the entire network is thought to be secure by design.
  That only cleared people and projects could ever be on an internet connected mil/gov network with no encryption.
  Entering strange names and terms to search with is quickly detected. Thats the human side of security the USA spend big on.
  The US networks are set to find spies looking into projects they have no clearances for not stopping approved contractors moving any data for projects.
  Anyone in the network is an approved contractor by default.
  
  --
  Domestic spying is now "Benign Information Gathering"
22. Re:wow - just wow by pnutjam · 2018-07-12 23:49 · Score: 1
  
  Well, if your FTP site has been around for 20 or 30 years, like most of these, I can understand why you keep it around. Otherwise, it's a protocol that should be discouraged.
  
  --
  Cheap storage VM.
Netgear router as FTP server? by b0s0z0ku · 2018-07-11 04:15 · Score: 1

They were using Netgear routers with USB-attached drives as FTP servers instead of ... real server hardware? Something seems missing here.
1. Re:Netgear router as FTP server? by bobbied · 2018-07-11 04:20 · Score: 1
  
  Yea, they went with the lowest bidder..
  Actually, this is likely just ignorance coupled with "get the mission done" motives that had some PFC showing up with his home router and a USB drive to put the documents in a conveniently available place so they are easy to find so they could get the work done.
  
  --
  "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
2. Re:Netgear router as FTP server? by MightyMartian · 2018-07-11 04:43 · Score: 2
  
  I sure hope they didn't pay much, because that's so far below the lowest common denominator of modern IT services that the only thing I can think of is that some amateur BBS operator from the mid-90s accidentally fell into an icy lake, his frozen body was found a few years ago, was resuscitated and went into the business of responding to Federal government procurements, with all the knowledge and ability an amateur BBS operator from the mid-90s could bring to 21st century IT.
  
  --
  The world's burning. Moped Jesus spotted on I50. Details at 11.
3. Re:Netgear router as FTP server? by dissy · 2018-07-11 06:59 · Score: 1
  
  I sure hope they didn't pay much, because that's so far below the lowest common denominator of modern IT services that the only thing I can think of is that some amateur BBS operator from the mid-90s accidentally fell into an icy lake, his frozen body was found a few years ago, was resuscitated and went into the business of responding to Federal government procurements, with all the knowledge and ability an amateur BBS operator from the mid-90s could bring to 21st century IT.
  Please begin your xmodem transfer now. CCC...C...C...
  On an unrelated side note, is it cold in here for anyone else? and where did all the Blind Melon CDs go?
The data itself... by b0s0z0ku · 2018-07-11 04:19 · Score: 1

It was stupid to host it with a default FTP password, but the data itself doesn't actually appear all that sensitive. Survival, repair, and operation manuals are officially classified, but a lot of the info is in the public domain as well.
Just because something is officially classified doesn't mean it isn't also an open secret.
1. Re:The data itself... by b0s0z0ku · 2018-07-11 04:30 · Score: 2
  
  Exactly.
  My point is that "classified" makes for good headlines, but there was likely little to no real damage done.
2. Re:The data itself... by freeze128 · 2018-07-11 04:50 · Score: 4, Funny
  
  They have a manual that describes tactics for the deployment of COMMENTS? Slashdot could really use that...
A few issues... by chipperdog · 2018-07-11 04:20 · Score: 4, Insightful

A Netgear consumer router is being used as a firewall for networks containing military secrets? Not what I would have expected, I usually use more robust firewalls on network I maintain. A default password was left in place for a router on a secure network....FTP configuration from outside was left enabled on router...Against most acceptable security practices for any network The USAF didn't do regular nmap scans and pentests of their networks from various points around the world that would have found this opening...They didn't regularly check sites like Shodan to see what shows for their networks... I do these regularly for networks I maintain...
1. Re:A few issues... by dinfinity · 2018-07-11 06:13 · Score: 1
  
  I'm going to guess that calling them 'military secrets' or 'sensitive military documents' is simply wrong. These are probably really old, outdated or just not that interesting.
FTP? Not SFTP? by whitroth · 2018-07-11 04:23 · Score: 1

Someone(s) need to be fired. ftp has been on the TURN IT OFF LAST YEAR list for something like 10 years. (And I'm speaking as a sr. Linux sysadmin).
The low cost is because ... by CaptainDork · 2018-07-11 04:24 · Score: 1

... the information is so WWII.
Tanks?
The predator thing is intriguing, though.
More importantly, the military dropped the ball by being negligent.

--
It little behooves the best of us to comment on the rest of us.
1. Re:The low cost is because ... by CaptainDork · 2018-07-11 04:48 · Score: 1
  
  This breach has nothing to do with the crappiness or non-crappiness of the router.
  It's about enabling a protocol without changing the default password.
  
  --
  It little behooves the best of us to comment on the rest of us.
This NEVER happens in industry.... by bobbied · 2018-07-11 04:32 · Score: 1

NOT!
I worked at a company where the CFO insisted on having his own wireless access point in his office and refused to allow any kind of network encryption. He didn't even change the default SSID, just plugged the router into the wall, no keys, no passwords, nothing. His office was on the 5th floor and we where less than a block away from a MAJOR technical college's dorms so you can bet the students where more than able to connect any time.
The router was found by the network security folks and the port turned off at the switch, but the CFO pitched a fit when it stopped working and moving it to another drop didn't fix it. Had the network guys in his office being called on the carpet. Even after the risks where explained, he didn't care and demanded it be turned back on. So he got it back and the rest of us enjoyed free WiFi on our smart devices as it worked great from the coffee machine.
Stupid stuff happens everywhere.

--
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
comment deployment tactics by gnunick · 2018-07-11 04:34 · Score: 1

...describing comment deployment tactics for improvised explosive device (IED)...
Dang. I sure hope no one figures out how to implement such comment deployments here at slashdot!

--
I have no special gift, I am only passionately curious. --Albert Einstein
compulsion by bugs2squash · 2018-07-11 04:48 · Score: 4, Insightful

Hacker Steals Military Docs Because Someone Didn't Change a Default FTP Password
Should read Hacker Steals military docs because she's a sleazeball
The lack of a proper password helped her commit the crime, it didn't compel it, she could of instead just told the authorities about the screwup

--
Nullius in verba
Into the Breach by PopeRatzo · 2018-07-11 04:49 · Score: 1, Insightful

Well, Trump said he'd run the government like a business. He just didn't mention that the business was Equifax.

--
You are welcome on my lawn.
read the story before commenting by ole_timer · 2018-07-11 04:56 · Score: 1

they used a default ftp password to pivot to a workstation that they then used to get the manuals...

--
nothing to see here - move along
Just the fact it was FTP says it all by pgmrdlm · 2018-07-11 05:19 · Score: 1

Seriously, who use's FTP still?

--
Anonymous comments are as pathetic as the anonymous "sources" that contaminate gutless journalism from the New York Time
1. Re:Just the fact it was FTP says it all by will_die · 2018-07-11 06:46 · Score: 1
  
  HP corporation still uses it for downloading patches, drivers, documentation, etc
  
  ftp://ftp.hp.com
2. Re:Just the fact it was FTP says it all by Obfuscant · 2018-07-11 06:52 · Score: 1
  
  Seriously, who use's FTP still?
  Anyone who realizes that a simple protocol to do a simple task that doesn't require much security at all is the right protocol. I've had an FTP server for such use in place for more than two decades. Yes, for some things there are better ways, but for this job FTP is perfect.
dale gribble aka Rusty Shackleford did it by Joe_Dragon · 2018-07-11 05:23 · Score: 1

dale gribble aka Rusty Shackleford did it
1. Re:dale gribble aka Rusty Shackleford did it by ooshna · 2018-07-11 09:13 · Score: 1
  
  Who is this Dale Gribble you speak of?
pyle! why did you just get what the guy at best bu by Joe_Dragon · 2018-07-11 05:25 · Score: 1

pyle! why did you just get what the guy at best buy said was the best?
I'm disappointed ... by angel'o'sphere · 2018-07-11 05:39 · Score: 1

... I was hoping to find the password here, so I can fix my Abraham tank myself :(

--
Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
Why even have a default password? by Bryansix · 2018-07-11 07:24 · Score: 1

Why would this service even have a default password? Just disable the service until a password is set via the admin page.
They did not learn from Gary McKinnon by Alain+Williams · 2018-07-11 07:55 · Score: 1

who some 17 years ago cracked USA military computers. He wrote a Perl script and looked for blank and default passwords. Not resetting passwords once is stupid; twice is criminal and the penalty should be a dishonourable discharge and loss of pension -- for those at the top of the military; but I expect that, as usual, they will blame a few lowly techies.
"Steals" by diamondmagic · 2018-07-11 10:58 · Score: 1

steals
Copying isn't stealing.

--
Wonder what the public key field is for?
1. Re:"Steals" by DaveV1.0 · 2018-07-12 00:06 · Score: 1
  
  Then you wouldn't mind if I copied all your personal information and used it, yes? Copied your car keys and title and then sold them to the highest bidder?
  
  --
  There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
2. Re:"Steals" by diamondmagic · 2018-07-12 07:34 · Score: 1
  
  Copying car keys to steal the car would be theft.
  Copying the title to try to take ownership would be fraud.
  Copying a work of art to sell it as your own would is called infringement.
  These are already illegal without needing to criminalize copying per se.
  
  --
  Wonder what the public key field is for?
Noooo by DaveV1.0 · 2018-07-12 00:05 · Score: 1

The hacker was able to steal the documents because of the password.
The hacker stole the documents because the hacker is a piece of shit.

--
There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
Wow yourself by Obfuscant · 2018-07-12 08:45 · Score: 1

Even better, you can get nice, neat pages that organize the data in interesting ways, charts and graphs that support the data, and links to other websites that provide corroborating info.
I know what you can get through web pages. I have web pages that do that. I ALSO have FTP for users who don't need ANY of that, they just want the data. You're stuck on form over substance. "Look how pretty my web page is. Isn't my data organized in an interesting way? You can click on a table column and it will sort it for you. And look, I'll plot it for you the way I want to plot it." I'm talking about substance. "Here's a data file ... you can do with it what you want. You want to sort it, go ahead. You want to plot it? Be my guest."
I'm fighting this problem with an outfit that has gone whole hog into fancy THREDS servers for their data. I need to get their data for production use here. That means "automated", in case you don't understand what that is. You can't do that using wget, because the link for the data is hidden under three levels of other web links. I had to get the top level HTML, parse the links for the next level, get that HTML, parse the links, wash, rinse repeat. And THEN they changed the structure. Oh, the web pages were beautiful. Drop down menus to select the date range, a map to draw a bounding box to pick which sensor you wanted, plots of summary data. All great -- for interactive, transient users. I could spend ten minutes drilling down to finally reach the raw data I needed, but automating it was impossible.
This fancy server replaced a simple FTP server that allowed one call to ncftp in a cron script to download exactly what was wanted. I didn't need to log in, it was anonymous FTP. I didn't care if I couldn't restart a transfer mid-file. If it failed, I just did it again. No, I mean the script did it again for me. I didn't even care if someone could packet sniff and copy the data in transit. Yes, because it wasn't TLS or SSL protected, a MITM could try injecting bogus data or malware, but over the decades of doing this that never once happened. Injecting malware would be useless -- if the data wasn't in the format that my software expected it would whine about it to me, not try to execute it to see what it was.
For THIS USE, to solve THIS PROBLEM, FTP is the CLEAR winner for "better".
I guess you also missed the fact that I also run web servers to access the same, and different, data. I know all about the wonderful things you are lecturing me about, and I know when it is correct to do that and when it is correct to have just a simple interface for simple things.

That's because your user ID is about 40,000 too high to remember it.
Oh, now it's a personal attack based on /. UID. Here's a free clue for the moron: UID is based on when someone joins slashdot, not when someone started using computers.
You want a history? My first Linux was slackware 0.9 on 35 (I think it was) 3.5" floppies, and I was doing VMS/Ultrix/SunOS for a very long time before that. I used to install network nodes using vampire taps for the MAU, and thought it was great when 10base2 came out. My first web server was a CERN server, back when Mosaic was new. I also had gopher and WAIS servers in operation when they were new, and had to deal with the idiots running veronica before I had to deal with the ones doing unrestricted web crawling. In all that time, I have never used FTP to install an OS, because FTP isn't about installing an OS, it's a FILE TRANSFER PROTOCOL. When I needed to install an OS, it was from a tape, or more recently from a DVD. When it's a net install image on the DVD, it's from a web server, not FTP.
Tell me again how my UID is too high to know the past.

If showing the directory listing via HTTP is insecure, then it is just as insecure to show it over FTP.
You really don't understand the difference between how an FTP server wo
FFS, 20+ years of Insecure setups by stoatwblr · 2018-07-12 10:58 · Score: 1

I kept running into problematic non-secured systems in the 1990s which turned out to be on military or other sensitive sites
In one case script kiddies had taken up residence on a NASA computer which was being used for command/control of the original Mars pathfinder/soujurner rover.
Back then, DISA was pretty good about getting them fixed when notified, but they didn't scan for them.
NASA learned from the soujourner (and a couple of other) experiences and now has pretty good security practices, including preemptive scanning for vulnerabilities inside their networks.
Fast forward 20+ years and the same problems keep cropping up with minor variations in the US MIlitary network - and DISA _STILL_ isn't scanning for anything, on top of that, they stopped being approachable by 3rd parties about problems not long after 9/11 (which has made reporting detected infestations nearly impossible)