If it's not broke...
See title. Just because it's old, doesn't mean it doesn't work. And with very much less overhead than sending big files via HTTP.
Though granted, a restricted-access FTP site should really be sFTP.
A BBC FTP server ftp.bbc.co.uk was compromised by a Russian hacker and access to it touted online, say computer security researchers. The miscreant behind the attack on the internet-facing file store tried to sell access to the infiltrated system to other crims on Christmas Day, we're told. Hold Security – which this year has …
"should be living on the DMZ"
Should be on A DMZ, not THE DMZ. Why should my FTP server be anywhere near the web server or mail server? Modern firewall design allows individual dirty networks for services so why only have a single big dirty network playground for hackers? The fewer systems they can access from the compromised one the less likely it is they will spread to the internal networks.
I also hate the term DMZ since the dirtiest network after the internet is often the internal client one, and the DMZ sits next to the internal networks rather than between them and the internet these days, so the term DMZ is very outdated.
Many top-notch computer scientists and hackers have some kind of autistic spectrum disorder. It's one of those weird conditions that in milder cases can actually be beneficial if your job involves systems analysis and design. Not so much if it involves a lot of customer-facing work.
Though I do have to wonder exactly which one of the buttload of comments up there you were replying to?
Yup, nothing wrong with FTP if you ask me. It's simple, robust and can be made as secure as a remote connection can be. Certainly the method of choice for the Beeb's field reporters, safer and more robust than pretty much anything more "current", bar sFTP (which ain't that "current" itself, if a good 20 years younger).
"safer and more robust than pretty much anything more "current""
There is also FTPS which predates SFTP by a few years while using the actual FTP protocol and daemons. Of course, the protocol isn't what the problem was here, it was a software bug leading to rights escalation and so could just as easily affect SCP/SFTP. It's less likely that anyone would find the bugs in the FTP/S daemon these days when compared to SFTP due to lower usage but if someone wants your system there is usually a way.
> There is also FTPS
I don't usually consider FTPS a separate protocol; it's still FTP
> a software bug leading to rights escalation and so could just as easily affect SCP/SFTP.
Indeed. Especially SCP, which is known to be vulnerable (which is why most "scp" clients actually use SFTP under the hood).
The problem with the "If it's not broke, don't fix it" attitude is that, when it infects management, it is used as an excuse to deny or delay all preventative maintenance, patching, and so on, eventually resulting in system failures and security breaches due to outdated, bugged, and vulnerable versions of software or sub-optimal configuration. Management would often prefer to have failures they can blame on software bugs or attackers to having a failed modification or patch being blamed on their own department.
Yes, FTP is a relatively lightweight and efficient protocol, but you still need to keep up with the patching and improve security (such as switching to sFTP or FTPS as you mentioned).
The problem with the "If it's not broke, don't fix it" attitude
And when the Damagement have the desire to fix everything regardless of whether it's broke, we end up with the Windows 8 UI. The problem is in how to educate the bosses enough that they understand what "maintenance" is without going batshit crazy on "new". Or worse, "better because it's newer".
I wonder if they'll be getting advice from Spencer Kelly on this? After all somebody working on his program was quite willing to pay for botnet access when it suited them.
http://news.bbc.co.uk/1/hi/programmes/click_online/7938201.stm
Incidentally just because you hadn't stolen anything when breaking into a house doesn't mean you didn't commit a crime.
IMO the BBC staff involved ought to have been paid far more attention by the police in regards to unauthorised access to systems (Computer Misuse Act 1990). That they didn't then use such potentially illegal access for even more illegal purposes is irrelevant in my opinion.
It's this thing called investigative journalism, a bit like where you buy drugs off a drug dealer then pretend to want bigger, to find out who supplied him.
It's murky, but sometimes lines have to be crossed for the better good.
Still, if you prefer your news to consist of this week's talentless bimbo spouting her opinions on Twitter, feel free.
Except that paying criminals in this case didn't serve any investigative purpose whatsoever. Botnets and how they function were already well known. What they were trying to explain could have easily been put into words without handing over cash to crooks.
This is no different to a reporter paying somebody to break into a house to show how easy it is but not steal anything. I'm sure that they would argue that no harm was done but the home owner would still feel violated and the reporter would still be in trouble with the police.
Why should it be any different with the online world?
I thought the server where they post their stories had been broken into a long time ago. How else can we explain the BBC pushing Twitter use so hard? It must be someone from Twitter modifying nearly every story to get some positive mention for the company. The peak came around the Olympics so I'd suggest looking at the logs from around that time.
The only other explanation is bribery but that can't possibly be true.
"The only other explanation is bribery but that can't possibly be true."
While I reckon your suggestion is a good one I am sure there might be some other possibilities for the paranoid - has the Beeb been under instruction to promote social media firms that oblige snoopy government perhaps?
(I suspect it is probably nothing more than rampant over-enthusiasm for communicating with viewers / listeners coupled with an institutional deep lack of understanding of technical and business issues but that is much less fun).
Then they should assume the worst, that every single corner of the BBC was hacked and copied. That's what any responsible company has to do. Ironically the BBC raped Sony for their worst case reporting of their hack. Karma at work. BBC had lost all your logins and passwords, nothing was encrypted, I'm just filling in the blanks with my own made up bullshit, the same as they did then....
The service part of Siemens was bought out by Atos.
There are many parts of BBC IT outsourced to Atos (BBC Desktop for example) but much is run in house as well by BBC Technology / Tech Ops (most of the web based services and as noted above, BBC Worldwide).
There will probably be much finger pointing as there often is with these things. That's if there was any serious threat. A "stepping stone" it may have been, but into what exactly? And let's face it, the Beeb is just a media organisation, not a bank or a holder of huge amounts of important personal data.
Maybe someone could have done us a favour and taken Radio 1 off the air.
It's pretty safe to say that the BBC have enormous amounts of personal data.
Given the prevalence of password reuse, they hold plenty of concern even if you only think in terms of email/password pairs. That said, I do see your point. Anybody with best practices in mind when watching "World's Craziest Fools" is fine.
*nips off to change some passwords*
The 1337day site has an exploit for sale which claims to be for ProFTPD 3.3.3g and quotes the BBC FTP site. Some of their exploits for sale have been a bit dubious in the past so rather than it being a new ProFTPD vulnerability it may just be instructions on a misconfiguration of that particular server.
Always have loved the simplicity and stability of FTP personally and added secure SSL functionality has been available for years on many clients/servers. FxP'ing between servers still happens!
Is this A/C actually Eadon?
It's a clever plan: pretend to be such a rabid Windows fanboy that it makes all Windows users look like dickheads, therefore making Linux users, by default, look cool and rebellious.
In reality, most of us that have finished puberty realised a long time ago that you use what you are happy with and accept that all OSes / kernels / software have flaws.
99/100 it is users that are the biggest issue, not the software.
Eadon? Haven’t seen his posts in a while... Is he real? Or just a puppet account the Reg uses to get the Reg some more posts/traffic?
And you have a wonderful philosophy. Use the best tool for the job and remember that nothing is perfect! I wish some of my colleagues could grasp this concept.
Have a pint, and celebrate the New Year!
I still prefer to use FTP to my own server that I pay for the 100Gb space on and not have to rely on a 3rd party to look after my files. When the files are downloaded I can delete them. It is only me with the access.
For seven years I was uploading photo galleries via FTP, it was a lot more straight forward except for when I had to take stuff down.
Many of our clients still use FTP to send data to us every few minutes throughout the day (gas industry). This is all over Europe and beyond, not just in the UK, so FTP is very far from dead. As for the attack itself, shocker, an FTP account where the username and password are sent in plain text was compromised (although it seems the attacker here had it even easier). That is why an FTP box just does FTP and sits out on its own in the DMZ and only has the required ports open to the outside (in other words, was SSH available to the outside?). I do also wonder if they restrict user accounts; I only allow 3rd parties FTP and FTPS access (and that FTPS access is not run by my SSH daemon either), they have no shell so would have to find a vulnerability in order to elevate themselves somehow. Even if they did compromise the box, it wouldn't help them much here as it has no access to anything else. I live under the assumption I have been hacked or will be; it makes it much easier to manage risk. I hope the BBC do the same.
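The setup the post above describes (an isolated box that speaks only FTP/FTPS, accounts with no shell, TLS handled by the FTP daemon rather than SSH) as an added ProFTPD configuration example; this is not the poster's or the BBC's configuration, and the certificate paths, passive port range and the group name ftpusers are assumptions.

```apacheconf
# Added example: ProFTPD config for an FTP/FTPS-only box in its own DMZ.
# Not the poster's or the BBC's config. Paths, port range and the group
# name "ftpusers" are assumptions.

ServerName      "file exchange"
# Default is "on", which advertises the daemon name and version in the banner.
ServerIdent     off
UseReverseDNS   off
IdentLookups    off

# Only the control port and a fixed passive range need to be reachable from
# outside; the firewall opens 21/tcp and 50000-50100/tcp, nothing else.
Port            21
PassivePorts    50000 50100

# Accounts are OS users whose shell is /usr/sbin/nologin, so a stolen
# password yields FTP access only. RequireValidShell (default "on") would
# reject them because nologin is not listed in /etc/shells.
RequireValidShell off
# Never accept root, even with the correct password.
RootLogin         off
# Chroot every user into their own home directory.
DefaultRoot       ~
MaxLoginAttempts  3

# Only members of the third-party exchange group may log in at all.
<Limit LOGIN>
  AllowGroup ftpusers
  DenyAll
</Limit>

# FTPS (FTP over TLS) served by ProFTPD itself, independent of any SSH daemon.
# Without TLSRequired, a client can still send its credentials in the clear.
<IfModule mod_tls.c>
  TLSEngine                on
  TLSProtocol              TLSv1.2
  TLSRequired              on
  TLSRSACertificateFile    /etc/proftpd/ssl/server.crt
  TLSRSACertificateKeyFile /etc/proftpd/ssl/server.key
</IfModule>
```

SSH for administering the box stays reachable from the management network only, never from the internet-facing interface.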
They use a pretty convoluted aspera based ingest system for almost everything important, content wise anyway.
That said, the bbc is a loose collection of individuals who basically hate each other and are allowed to operate as virtually separate companies.
There are hundreds of FTP servers operating internally and externally for various purposes: getting files on and off the system for engineering purposes, providing logs to suppliers for support, just the usual mash up.
They use a broad range of operating systems ranging from Windows 3.11 all the way up to Win8 and a whole host of x like systems. Nothing gets patched, in case the patch upsets some of the unsupported 15 year old mission critical software that Dave from FM&T wrote in 1999.
I swear, only a few years ago, I looked after Ceefax, which has only just been switched off. When asked to find out why it kept falling over, I found the servers in a cupboard and they were a rag-tag assortment of 386s, the occasional Pentium 1 and, well, you can imagine the rest.
They do take perimeter network security reasonably seriously though so I very much doubt that this FTP server will have made an easy stepping stone into the rest of the network.
Many years ago (about 1999/2000) I was called in to deal with a hack via FTP which defaced ITN's web site. That was a Solaris box too - a Sun E450.
It wasn't a technically difficult hack though. FTP was world available, the username was ITN and the password ITN. This account had root privilege. Doh!
Had an account exec a few years ago that bragged about being able to FTP from his desktop. He used the built-in support in his browser as the FTP tool and regularly posted to the server. Tried to get the FTP access shut down, but since he was higher in the food chain, my concerns were overlooked. He's now a VP of Digital at an advertising agency. I'd be willing to guess he's still using FTP through his browser.
I love it when Hackers try to get access to my FTP server.
They always try 'root' or 'admin'. As if I'd be so stupid.
I also change the welcome message so they think it's an ancient Server running ancient code.
BBC IT staff in charge of their server need to be flogged, or the user who left their login at a cybercafe needs to be strung up? :)