FTP and email standards
FTP passwords are always sent in the clear. It's in the standard. Most large ISPs use FTP by default and few have secure alternatives. Most consumers tend to use and rely on passwords being sent in the clear. There is nothing wrong with passwords being in the clear if you trust the networks between the two endpoints.
Fasthosts mentioned a network intrusion, so someone was probably sniffing packets and collecting passwords. You can see how easy this is by loading up something like Ethereal on your own computer and having a look at the packets going in and out of your computer. I am sure that around 95% of the readers here (if they look hard enough) will see their passwords coming and going in the clear.
At Keen Computers we don't allow our hosting customers to have FTP accounts. Customers have to use secure FTP instead. This involves the use of certificates and software like WinSCP. We have been using this technology for more than three years now. It adds to our support costs, but it increases security. We also force the use of HTTPS for the control panels - more certificates.
We have recently implemented secure email and are testing this with a small number of users. It has taken us hundreds of hours of testing to get to this point. This again requires yet more certificates and greater customer support and education which is expensive. So I am guessing that it will take a year or two for us to migrate all of our customers onto secure email.
Fasthosts is not necessarily the company to blame here. Some of the fault lies with Microsoft and the other developers of the software in use at Fasthosts. (With Windows Web Server 2003, for instance, only basic FTP is available and additional software has to be purchased and/or installed into the servers to add the security.)
The hosting market is very competitive and profits are almost non-existent so customers get what they want. End users want to use FTP because almost all the relevant end-user applications use or support FTP. This is why web companies are still using old-fashioned protocols like FTP. If the large ISPs stopped using FTP they would lose 50% of their customers overnight and would have to spend millions on support - they cannot afford either of these options.
Fasthosts are correct to say that unencrypted passwords are standard / normal etc. - they will be until everyone stops using FTP. Perhaps this incident will help move the industry towards secure FTP. (Microsoft have a good opportunity to change things because they have a new server operating system in beta.)
I am not naive enough to think we are totally secure at Keen Computers because at any time, I am aware of half a dozen or more weaknesses in the security of our systems (and hence the security of every other hosting company too). Finding an ideal solution to them is not yet possible, too expensive or just not practicable. The security experts around the world are constantly working on the problems and discussing new ideas though. Eventually, new solutions are formulated, new applications are developed, new procedures are laid out and new standards agreed upon - and so every now and again we have the ability to raise our security to a higher level.
The number and types of threats against all of us are increasing all the time. Every single computer in existence at the moment is insecure - it's just that we don't always know how they are insecure or we don't want to pay the additional costs. The safest form of hosting would be a managed dedicated server - but they cost around £50 per month. Most people though will take the risk, save the planet and go for shared hosting instead.
A lot of the security problems today are all about trust - hence the certificates with everything to define who and what we can trust. Things get very political very quickly and anyone too paranoid ends up trusting nobody. We have to trust the suppliers, the developers, Microsoft, the network engineers, the sysadmins and even the users - but at the same time we have to keep up the pressure and encourage them to do better. In the past, there was too much trust, malware didn't exist and we all thought every program could be trusted to play by the rules - those days are long gone.
Anthony Knee
CTO, Keen Computers
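
An added example, not part of the original letter: a small audit of an FTP control-channel transcript (as you might copy it from a capture of your own traffic) that flags `USER`/`PASS` commands sent before the channel was protected. It assumes a simple `C:`/`S:` line format and the standard `AUTH TLS` command with its `234` success reply; the host names, accounts and passwords are constructed sample data.

```python
# Constructed sample transcripts (C: = client, S: = server); not real captures.
PLAIN_SESSION = """\
S: 220 ftp.example.test ready
C: USER alice
S: 331 Password required
C: PASS constructed-pw
S: 230 Logged in
"""
# After a 234 reply the TLS handshake starts and an observer sees no more commands.
TLS_SESSION = """\
S: 220 ftp.example.test ready
C: AUTH TLS
S: 234 Proceed with negotiation
"""
# Edge case: the server rejects AUTH and the client silently falls back to cleartext.
FALLBACK_SESSION = """\
S: 220 ftp.example.test ready
C: AUTH TLS
S: 502 Command not implemented
C: USER bob
S: 331 Password required
C: PASS constructed-pw
"""

def audit_ftp_control(transcript):
    """Return (line_no, verb, shown_arg) for each credential sent unprotected."""
    findings = []
    auth_pending = False   # client sent AUTH, server has not answered yet
    protected = False      # server accepted AUTH with a 234 reply
    for line_no, line in enumerate(transcript.splitlines(), 1):
        side, _, text = line.partition(": ")
        if side == "C":
            verb, _, arg = text.partition(" ")
            verb = verb.upper()
            if verb == "AUTH":
                auth_pending = True
            elif verb in ("USER", "PASS") and not protected:
                # Never echo the password itself into an audit report.
                shown = arg if verb == "USER" else "<redacted>"
                findings.append((line_no, verb, shown))
        elif side == "S" and auth_pending and text[:3].isdigit():
            protected = text.startswith("234")
            auth_pending = False
    return findings

if __name__ == "__main__":
    for name in ("PLAIN_SESSION", "TLS_SESSION", "FALLBACK_SESSION"):
        print(name, audit_ftp_control(globals()[name]))
```

The fallback case is the one worth checking in client configuration: a client set to "use TLS if available" still exposes the password when the server refuses `AUTH`.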