FTP sites and security

November 11, 2008

Once in a while I encounter a situation that really needs attention. Years ago, when I signed up for Internet service with a local supplier, I discovered that they had not restricted my access to other people’s accounts. I typed .. (two periods in a row) one day in the directory, and was suddenly at the root of their server. I had access, seemingly, to everyone’s accounts. I sent a note to the account administrator, who fired back a note saying that what I had done was impossible. So, I sent a note to the owner of the business, who also responded that it was impossible. Knowing that doing this was illegal and unethical (but concerned that if I could access all of the accounts, someone else on their server could access mine), I went into the accounts again, opened the owner’s e-mail folder, opened one e-mail, copied its contents, and sent the message to him as proof that it was not only possible, but that I had compromised their server by typing two periods on my keyboard.

What followed was a fit of rage followed by a fix. Within hours, the owner of the Internet service had the problem solved. The breach was closed, and my access was cut off. Which meant that others couldn’t access my server or e-mails. Which meant that I was more secure. Which was what I wanted in the first place.

It was a small-scale response similar to that invoked by Cliff Stoll when he wrote The Cuckoo’s Egg in 1989. That story is a must-read for anyone who believes that computer systems can’t be hacked. The Defense Dept., whose computers had been compromised by East German (perhaps Russian) spies, denied that it was even possible, and brushed off Mr. Stoll’s efforts to warn them about his discovery of the cybercrime. It’s a great read.

This past week, while submitting a full-page advertisement for her bank client, my wife (a graphic designer) posted her ad on the local newspaper’s ad server, an FTP site with absolutely no security. She noticed, while in there, that there were ads for other banks, and one for a department store, in the same folder. She commented to the ad representative that this was dangerous and unprofessional. And she was rebuffed. She downloaded one of the other bank ads, and was able to open it in InDesign. She could have changed the interest rate they promised on Certificates of Deposit. She could have changed the copy to say that they were giving away free turkeys (or free buffalo); she could have changed anything and everything, and then put the ad back on the server. No one would have been the wiser. But she didn’t. She instead called the newspaper publisher to advise him that the paper has an insecure FTP site which exposes them to tremendous risk. He didn’t respond. The site is still insecure, and I guess in a small town that’s OK. But it really isn’t OK, because big crimes can start in small towns, and that one is an open invitation to the nefarious (no, I won’t give you the FTP address!).

How should the newspaper respond to this? They should set up private folders for each client, which is easy. Or, they can make the FTP receiving folder into a hot folder which moves all incoming files immediately to another – secure – directory on their servers. This is also easy.
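As an added example, not code from the original post or anything the newspaper actually runs, this Python script shows both fixes proposed above: a `confine` check that keeps each client inside its own folder (refusing the `..` escape from the first story) and a `sweep_hot_folder` routine that moves uploads out of the shared receiving folder into an owner-only directory. The directory layout, file names and function names are my assumptions, and the sample ads are constructed.

```python
import os
import shutil
import tempfile
from pathlib import Path
from typing import List, Tuple


def confine(client_root, requested: str) -> Path:
    """Resolve a client-supplied path inside that client's own folder; anything
    that escapes it (the '..' trick) is refused. Assumed helper, not the ISP's code."""
    root = Path(client_root).resolve()
    target = (root / requested.lstrip("/")).resolve()
    if target != root and root not in target.parents:
        raise PermissionError(f"path escapes client folder: {requested!r}")
    return target


def sweep_hot_folder(incoming: Path, secure: Path) -> List[Path]:
    """Move every file dropped in the public incoming folder into a directory
    readable only by the server's own account, so no client can fetch or replace another's ad."""
    secure.mkdir(parents=True, exist_ok=True)
    os.chmod(secure, 0o700)
    moved = []
    for entry in sorted(incoming.iterdir()):
        if not entry.is_file():
            continue
        dest = secure / entry.name
        if dest.exists():  # never overwrite an earlier upload of the same name
            dest = secure / f"{entry.stem}.{entry.stat().st_mtime_ns}{entry.suffix}"
        shutil.move(str(entry), str(dest))
        os.chmod(dest, 0o600)
        moved.append(dest)
    return moved


def demo() -> Tuple[int, int, bool]:
    """Constructed scenario: two banks' ads land in one shared incoming folder."""
    base = Path(tempfile.mkdtemp())
    incoming, secure = base / "incoming", base / "secure" / "ads"
    incoming.mkdir()
    (incoming / "bank_a_ad.indd").write_bytes(b"constructed ad for bank A")
    (incoming / "bank_b_ad.indd").write_bytes(b"constructed ad for bank B")
    moved = sweep_hot_folder(incoming, secure)
    left_behind = len(list(incoming.iterdir()))  # public folder is now empty
    try:  # a client in its own folder trying to reach a neighbour's ad
        confine(base / "clients" / "bank_a", "../bank_b/bank_b_ad.indd")
        refused = False
    except PermissionError:
        refused = True
    return len(moved), left_behind, refused
```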
Another approach is to use a commercial site like YouSendIt, with the for-pay personalized services they offer. As I have written in the past, YouSendIt is a spectacularly simple, foolproof and secure system for sending large files. When you pay for the commercial version, YouSendIt will put your name on the site, and will provide secure transmission, logs of all transmissions and downloads, and receipt-of-delivery confirmations for all files.
There are, I am sure, other services like YouSendIt, but it’s the one I use often, and I think it’s brilliantly engineered. And, it solves the problems created by insecure FTP sites.

Posted by Brian Lawler on November 11, 2008
November 13, 2008
In response to: FTP sites and security, Tom Hallinan commented:
> There are, I am sure, other services like YouSendIt