R.I.P. FTP 359
from the and-good-riddance-to-ye dept.
On July 1st I found that one of my less important websites, hosted on a low-cost shared Web hosting service, had been broken into. A friend emailed me to say that the site was showing up in Google's search results with the Google "This site may harm your computer" warning listed next to it. I found that on one of the pages, about 1,500 HTML script tags had been inserted, loading JavaScript files from pseudo-random Russian hostnames like "www.chk06.ru" and "www.errghr.ru", none of which are currently resolving. Usually, when such script tags are maliciously inserted into a page on a website, the script tags attempt to install spyware on the machines of people who visit the site.
I immediately replaced the infected file on the website with the backed-up clean copy from my machine, and changed the password on the website in case the attacker had gotten in by using the old one. (The original file with the script tags inserted is here if you want to examine it, but use with caution -- if the .ru hostnames in the script tags start resolving again, then opening the file could cause the JavaScript on the pages to be loaded, which might infect your machine.) Then I started investigating (a) how this probably happened; (b) whether future similar attacks could be prevented, by changing some defaults in the way that hosting accounts are set up; and (c) whether the incentives for hosting providers are such that these changes are likely to happen by themselves, or whether it will require some third-party advocacy to change what we think of as "best practices".
Denis Sinegubko, the webmaster of Unmask Parasites, a free service that scans websites on demand for signs of break-ins, says:
The majority of web site compromises happen because of:
- Stolen FTP credentials. Spyware on webmasters' computers: key-loggers, traffic sniffers (FTP protocol sends username/password as plain text), trojans that steal credentials from various programs' configuration files (FTP clients, DreamWeaver, etc).
- Security holes in popular web software: CMS (Joomla, Drupal, etc), Forums (phpBB, vBulletin, Simple Machines, etc), Blogs (WordPress). Once a vulnerability discovered, hackers configure their automated tools to search the web for websites running vulnerable versions of the software and exploit them. This can be done easily and at almost no cost when they have an army of zombie computers.
- Security hole in "in-house" web software. Many novice (and even many experienced) web developers don't properly sanitize user input making various attacks possible (SQL injections, XSS, etc)
- Poor security practices (Something that should be manually configured by site/server admins and cannot be fixed with automated security updates): Weak passwords, open ports, insufficiently strict permissions for limited accounts, files and directories with world write permissions, etc.
I didn't have any third-party web software or custom-made software installed on the PublicEditorMyAss.com site, the password was a seven-letter meaningless mix of letters and numbers, and I didn't have permission to change most of the things like open ports and file permissions. That left the possibility of stolen FTP credentials. This is in fact what Sinegubko says is the most common cause of such break-ins:
I guess 90% of attacks use stolen FTP credentials this year. Check this Google's graph that shows the top 10 malware sites as counted by the number of compromised web sites that referenced it:
http://googleonlinesecurity.blogspot.com/2009/06/top-10-malware-sites.html
I reviewed 4 most widespread of them (Gumblar, Martuz, Goooogleadsense, Googleanalytlcs). All four used stolen FTP credential to penetrate web sites and upload malicious content. The chances are the rest used this vector too.
When the PublicEditorMyAss.com site was set up, the default setting was for pages to be edited over FTP. Even though FTP sends and receives passwords without encrypting them (in contrast with alternatives like SFTP or "secure FTP", which encrypts passwords), for a long time I had assumed that this was not a major security problem, because in order for an attacker to intercept the passwords in transit, they would have to control a machine somewhere on the path between my home computer and the PublicEditorMyAss.com server. I figured this wasn't worth worrying about, because it was much more likely that an attacker would attempt to steal the password by installing spyware on my home computer. And if an attacker managed to do that, then I assumed that the risk of passwords being stolen by spyware was about the same whether I used FTP or SFTP -- because either way, the spyware could just steal my password by reading it out of a configuration file where the password was stored. (Even though FTP and SFTP programs both store passwords in an encrypted format, the programs have to be able to decrypt the passwords in order to use them whenever the user wants to open a connection. So the spyware could just mimic whatever steps the client programs use to decrypt the stored passwords, in order to steal one of my passwords stored in a file.) So, I assumed it made no difference whether I used FTP or SFTP.
But according to what Sinegubko told me, this reasoning was probably wrong. The problem is that even though spyware installed on your machine could read passwords that are stored in configuration files, it would be a lot of work to write a spyware program that could do this, because every FTP program and SFTP program stores passwords according to a different algorithm. It's much simpler for spyware to simply watch the traffic sent and received from your machine, so that any unencrypted passwords will be spotted:
[Passwords can be stolen by] sniffers that read all TCP traffic on local computers. Like personal firewalls but malicious. They can easily intercept FTP credentials since they are sent as a plain text.
Sinegubko describes how one of his contacts obtained evidence that a common spyware program was doing exactly this:
One of them even infected a spare WinXP computer (with Gumblar) to test the consequences. On the infected computer he created a new account in a popular FTP client and saved it. The server address was correct (his server) and the username/password pair was not valid. A few hours later in FTP logs, he discovered login attempts that used that invalid username/password pair from a Singapore IP, then from a Florida IP, the some other country's IP. Apparently the FTP credentials were somehow stolen from that infected computer.
I know of only two instances where I've ever definitely been infected with spyware. I don't do stupid things like downloading and running strange programs from third-party sites, so I think both infections were probably caused by a site exploiting a security hole in Internet Explorer, or in a plug-in like Adobe Acrobat or the Flash player. Both times, once I noticed I was infected, I got rid of the infection with Malwarebytes, but I don't know how much damage the spyware did in the meantime.
So this was a case where a little knowledge can be a dangerous thing. If I had known nothing about Internet architecture, and someone told me "FTP is less secure than SFTP," I would have found a way to switch to administering the site via SFTP. But because I knew that the main reason FTP was considered "insecure" was because it transmitted passwords unencrypted, but I also knew that most of of the machines relaying those passwords in transit were secure and trustworthy, I thought it didn't matter. Now it seems that is probably how my password got compromised after all.
In that case, why don't more people switch to administering their sites via SFTP instead of FTP? Here are the steps it took me to enable SFTP on my GoDaddy hosting account. Feel free to use this as a reference, but the obvious point is that as long as this many steps are required, it's safe to say that most users won't be switching:
- Go to the "Hosting" menu and pick "My Hosting Account."
- Next to the name of your website, pick "Manage Account." This will open the Hosting Control Center.
- In Hosting Control Center, click to expand the "Settings" options.
- In the "Settings" control panel, click the "SSH" icon.
- You will see a page saying "SSH is not set up", and prompting you to enter a phone number so that their automated service can call you with a PIN number. After you enter your phone number, the phone rings a second later, and you enter the PIN in a form on the GoDaddy website.
-
You will then see a page which says:
Current Hosting Account Status: Pending Account Change
Your request to enable SSH is being processed. This upgrade may take up to 24 hours.
In fact, even if only one step were required to switch, most users probably wouldn't change from the default setting to use FTP, due to the eternal, unchangeable fact that most people do not change their default settings, ever. (What percent of users ever change the default set of toolbars that are displayed at the top of their Web browser window?)
If more Web hosting companies made SFTP the default, then the number of websites that were compromised by stolen login credentials, would probably go down. Spyware authors might start to make their programs smarter at that point, enabling them to read the passwords stored by popular FTP and SFTP programs, so that it would make no difference whether the passwords were transmitted in the clear or not. However, this would be harder for spyware authors to do correctly, so it would at least raise the bar for a successful malware attack, and the number of compromised websites would be reduced.
Unfortunately, Web hosting companies don't have much incentive to make users switch to the more secure SFTP protocol. This isn't necessarily true of all security risks; sometimes the hosting company has a strong incentive to pass on the right wisdom (and select the right default settings) for their customers. From the hosting company's point of view, you could divide risks into three categories:
-
Risks where the hosting company pays a large part of the price for a customer's machine being compromised. For example, if a cyber-criminal takes over a customer's machine and uses it to launch a denial-of-service attack by sending it a flood of traffic, the hosting company will see that traffic spike on their network. The hosting company has the most incentive to help prevent these types of attacks.
-
Risks where the hosting company doesn't directly pay a price for the customer's machine being compromised, but they may have to deal with complaints sent in by third parties. For example, a customer's website could get broken into, and script tags could be inserted into the pages that cause visitors' machines to be infected with spyware. Those visitors might complain to the webmaster of the infected site, or they might complain to the hosting company, which then forwards the complaint to the webmaster. The hosting company may have to provide a few minutes of tech support to the customer, advising them to change their password and scan their own machine for spyware, but they probably won't incur any other material costs.
-
Risks where neither the hosting company nor the customer pays a price for the machine being infected, but the price is paid by "Internet users as a whole." The only attack that I can think of in this category, is an attack where a cyber-criminal inserts key words into your web page and links them to his site, in order to increase his Google ranking for searches for those key words. Neither the website owner, nor any visitors to the website, are victimized directly; the harm being done is that the quality of Google search results is reduced for everybody. The only reports of the attack would probably come from "good Samaritan" Web surfers, who tell the hosting company or the webmaster that one of their pages has been vandalized.
When a customer's FTP credentials are stolen, the price paid by the hosting company lies somewhere in the middle. An attacker who stole my current PublicEditorMyAss.com credentials would only be able to deface the content on the site, but they wouldn't be able to launch an attack against a third-party network (my PublicEditorMyAss.com hosting account doesn't have the ability to initiate an outgoing connection to a third-party site).
Weighing in the other direction are the costs of switching to SFTP. If existing customers are forcibly switched over, phone lines will be clogged by customers wanting to know why their old method of logging in to their site has suddenly stopped working. A better choice would be to allow existing customers to stay with FTP while making SFTP the default for new customers. But there is a time and money cost of changing anything, even a default setting.
So GoDaddy doesn't have much incentive to make SFTP their new default. Indeed, I've used many different shared hosting companies before I started running proxies exclusively on dedicated servers, and none of the shared hosting companies ever used anything but FTP as the default method for customers to administer their websites. So who can blame them? They're not making the choice that makes the most sense for their customers or for Internet security as a whole, they're making the choice that makes the most sense in terms of costs and benefits for themselves, and I'm not being judgmental about that. We shouldn't expect most companies to ever behave in any other way.
That's why I think that glib "solutions" to security problems, like "Everybody install anti-virus software", or "Everybody stop using Windows", aren't helpful, because regardless of whether these ideas would work if everybody actually followed them, the fact is that most people won't. The problems have to be addressed in terms of changing incentives for the choices people make.
What's an idea for reducing the risks of FTP credentials stolen by malware, that addresses the incentives problem? Maybe give tax breaks to Web hosting companies that set up customer accounts to use SFTP instead of FTP by default? Or ask more computer vendors to include a desktop link to pre-installed SFTP software, so that when Web hosting companies present options to their customers, it's easier for users to choose the SFTP option since they have a client already installed? (I was tempted to recommend that Microsoft include a universal SFTP client pre-installed in Windows with a prominent desktop link, but the problem with that is that if almost everybody used the same SFTP client, malware authors would have greater incentive to reverse-engineer the algorithm that the client used to store saved passwords -- and then passwords would be just as easily accessible to spyware, as if the user were using FTP all along. So a good mix of SFTP clients is safer for this purpose.)
Since the difference between SFTP and FTP usually only matters in cases where a customer's machine has been infected with malware, obviously the best solution is to avoid malware altogether, but that's much harder problem to solve, as long as malware authors can keep finding security holes in Internet Explorer and other popular programs. Making SFTP the new standard for Web hosting accounts is something that we know how to do, right now. The incentives aren't currently right for Web hosting companies to make it happen. But there may be ways to change that, and I'll bet some people can think of better ideas than the ones I've suggested. I'm just saying that the incentives problem is where attention should be focused.
WebDav (Score:5, Informative)
How to secure WebDav
http://www.howtoforge.com/webdav_with_ssl_and_two_factor_authentication [howtoforge.com]
FTPS (Score:5, Informative)
It's unfortunate that FTPS still seems to be widely unknown. FTPS is an extension of the FTP protocol which secures the control & data channels with TLS. It's standardized in RFC 4217.
Restricting users to their home directory is much easier with FTPS than with SSH. The latter requires you to setup a chroot jail for each user. At least OpenSSH has built-in chroot support that allows you to specify a chroot environment for each user via /etc/passwd.
Many FTP clients and servers support the FTPS protocol, for example:
* FileZilla
* curl (and curlftpfs)
* lftp
Servers:
* vsftpd (can enforce encrypted FTP)
SFTP support is still spotty .... (Score:3, Informative)
Switching from FTP to SFTP on the server side is great, in theory, but it's really only a trivial task for people running Unix type operating systems.
SSH isn't an integral part of most Windows operating systems, and nearly all of the well-regarded, commercial FTP servers for Windows have no SFTP support in them.
(I understand the Serv-U FTPD for Windows does support it, but it's an exception to the rule.)
I recently ran into this at my workplace. We've run the commercial WFTPD product (from Texas Imperial software) for years, but I had to get rid of it when our bank started requiring SFTP connections to send us electronic scans of daily check deposits.
FTP isn't going anywhere (Score:5, Informative)
Its an amazingly simple protocol, lightweight, and easy to setup and administrate. Concerned about security? Tunnel it with SSH. I think there is a packaged app out there somewhere (sftp?), but really, I tunnel all insecure protocols with SSH, using an incredibly simple, yet powerful app (putty).
Not just unknown, incompatible (Score:5, Informative)
I have tried to set up an FTPS site.
Even with vsftpd, I was unable to configure it with settings that allowed it to connect with more than 1 different type of client at a time. So far as I can tell, there are a half-dozen different implementation of FTPS out there, none of which are able to interoperate properly.
SFTP is much more standard and well-supported, and more or less just works, and there are various tutorials out there for setting it up.
Dan Aris
Re:Authentication goes both ways. (Score:3, Informative)
Most SSH clients will verify that you are connecting to the _same_ server as last time. However they can not verify the actual identity of that server.
(Well, server with the same key as last time you connected to that domain name or IP, but close enough)
Re:Users can't tell the difference (Score:5, Informative)
Re:FTP isn't going anywhere (Score:1, Informative)
SFTP is not FTP tunneled over SSH, it's a protocol for file transfer which is not based on FTP in any way. In fact, due to its dual connection nature, FTP is not trivial to tunnel over SSH. And since SFTP exists and is built in SSH servers, its a waste of time to try to tunnel FTP over SSH.
Re:FTPS (Score:3, Informative)
I have to disagree. I have no problem connecting from behind NAT to a my FTP daemon on the public internet. I run vsftpd with forced TLS encryption for both control and data channels.
Re:It doesn't matter (Score:2, Informative)
And it looks like the article also missed your point, since it says how intercepting packets in public internet is not the problem, but infecting your machine to sniff them from the source.
Re:Amusingly.. (Score:5, Informative)
Rsync.
Re:FTPS (Score:5, Informative)
How does one break out of chroot [linuxsecurity.com]?
Chroot can clearly add to security if used correctly.
Re:Amusingly.. (Score:5, Informative)
Given the fact that most websites will be hosted on a Linux box ...
That makes it easier. Most Linux systems I have installed in past years don't have ftpd preinstalled.
On security note, default configs of ftpds found in Fedora, SUSE and Debian are [censored] insecure: they allow anonymous to access anything on hard drive while rejecting (even over SSL) valid users.
Unfortunately, raw FTP still rules when you need a high bandwidth. With SCP/SFTP I get consistently 4-5 times lower transfer speeds compared to FTP. It doesn't matter much if one transfers megabytes. But SCP/SFTP becomes a pain when one needs to upload dozens/hundreds megabyte. 'tar cf - . | ssh tar xf -' trick speed things up, but not always available.
As for how you would get around this if using a Windows/IIS server I wouldn't have the first clue and my advice would probably be along the lines of "get a man's operating system and stop using asp"!
IIRC, M$ stack uses WebDAV over HTTPS for such stuff. Abomination had spared me, thus do not have any performance numbers.
Re:Amusingly.. (Score:4, Informative)
rsync can freaking use ssh, rsh, or its own daemon connection. Using an rsync:// or an rsh connection is freaking insecure. But freaking-a, rsync over ssh freaking rocks.
Re:FTP isn't going anywhere (Score:1, Informative)
FTP is actually not that simple to administer, in some ways. FTP is constantly creating new TCP connections for each directory listing or file transfer, and the new connections have a different destination port than your original connection. This fact makes FTP difficult to proxy.
For example, this dialogue could occur in an FTP session:
Client: PASV (Request PASV mode)
Server: 227 OK (192,168,1,1,123,456) (I'm listening on a new port at 192.168.1.1:31944) (because 31944 == 1238 + 456)
So your proxy software would have to see and understand this exchange, and begin proxying port 31944 also. Your proxy has to be "FTP-aware." If you were using putty to proxy your FTP control connection, this new connection would not use the SSH tunnel, and you probably wouldn't even notice.
The alternative would be to use PORT mode, which requires a new connection from the *server to the client,* with the obvious security risks and firewall/NAT problems that implies.
Yes, FTP is a silly protocol, but it dates from simpler times when NAT didn't exist and security wasn't the huge problem it is today. Daniel J. Bernstein wrote a good mid-level description of FTP at http://cr.yp.to/ftp.html .
-D
Re:Misconception about crypto in article (Score:2, Informative)
Bzzzt! Fail.
That only works on the *server* side. TFA is talking about the *client* software which saves the password for you so you don't have to enter it every time. There is no possible way for the client software to provide the correct password to the server unless it can obtain it, either by decrypting its stored password or by querying the user. So, no, a one-way hash is not usable in that circumstance.
Re:It doesn't matter (Score:3, Informative)
T
Re:Amusingly.. (Score:3, Informative)
SCP is 4-5 times slower than FTP? What kind of CPU do you have?
I am easily able to saturate a 100Mbit link using a core2 system thats a couple of years old now... Even on a 1Gbit link i think the disk is the bottleneck moreso than the encryption these days.. Yes it uses a lot more cpu, but it isn't any slower.
Perhaps you are using an extremely poor implementation of SCP?
Re:Amusingly.. (Score:3, Informative)
A tar trick? At least add Z, z, or j to the commands: tar cjf - . | ssh tar xjf -. Or, simpler, try rsync -avz --delete -e "ssh -l webhostuser" . myhost.org:. The bz2 compression (j option for tar) probably has better compression, but rsync compresses some things that tar can't (see rsync's man page).
Re:All you need to know: (Score:3, Informative)
Exactly. A reinstall of your operating system is your best bet. While you will obviously have to copy the files back over you should be able to scan the files before/during copying. The files will only reinfect upon launching them generally not upon copying them (some old DOS systems excluded).
Re:It doesn't matter (Score:2, Informative)
In your universe, it's really 'far more trivial' to support dozens of different FTP and SCP programs, and/or to keystoke log and magically decide when someone's typing their username and password (And then somehow figure out what site they connected to?)...
Seriously, at this point so many people are missing the point, that I'm bemoaning the collective lack of intelligence on this site. Sniffing an FTP connection is MUCH easier than decoding obfuscated passwords and monitoring thousands of keystrokes.
Re:Amusingly.. (Score:3, Informative)
Actually, what I saw in the summary, for that which I read before I gave up, was that he suspected malware had intercepted his password. It's kinda silly having a packet sniffer listening to all passing traffic, when all they really needed to do was look in common places for stored passwords, and have a keystroke logger intercept interesting things. The later two I've seen quite a bit. The first, not so often.
In working in a few hosting environments, from the admin side, I will say brute force attacks are anything but uncommon. Unfortunately, some people don't believe in upgrading anything ever. Yes, they do exist. So, they'll have 10+ year old unpatched machines without firewalls up on the Internet because "oh, who would find us?" On the same machines, you can see the FTP and SSH logs where people are attempting to brute force their way in.
On machines that I personally have full admin control over, there are limitations to everything, even though it doesn't reflect back to the user. Sure, you can try to brute force your way in. It won't do you much good. But as far as you know, the failure notice from attempt #1 is just as legitimate as #10 and #100,000,000. Little does the aggressive hacker know, nothing beyond #5 was accepted, and his attempt on a live server was propagated to other machines under my control so they can protect themselves.
Back to the original story. It was likely some malware that found auth files, found where the auth information is stored in their Windows registry, or captured the keystrokes. It may have been described in more detail somewhere in that novel that they called a summary, but I failed to read it all before my eyes started to bleed.
Re:Amusingly.. (Score:3, Informative)
Nothing special: Linux to Linux over GB LAN or the internet. CPUs are C2D or AMD X2 or better.
Also note that SCP/SFTP transfer files one by one and the handshake times (especially if you have number of smaller files) dominates over actual file transfer times. That's why I have mentioned the tar trick. FTP for whatever reasons doesn't have the problem.
Been trying to switch users for years (Score:5, Informative)
I'm the founder and main admin of a web hosting company [suso.com] and we've been trying to switch people to SSH/SFTP/SCP for many years. We even put an ultimatum on FTP users back in 2006 that by the end of the year, we'd be turning off FTP. You know what happened? Users backlashed and complained that their old antiquated website software like old versions of Dreamweaver or whatever couldn't do SFTP or SCP even though versions that did had been available for a few years. Also, people who came from other hosting companies too us didn't know about more secure protocols and complained when they had to switch away from their old programs that they liked, even if WinSCP works great. So in the interest of keeping customers, we had to leave it on. We've been pushing SSH since the 90s. And I wrote the # 1 ranked SSH tutorial on the net. So how do you think I feel? Its a really annoying problem and it may take several more years before it completely goes away.
On the other hand, there is one thing that I haven't seen available with SSH and that's the ability to have virtual users and let them be created by the parent user. Maybe there is a trick to make it possible in SCP/SFTP, but there are customers out there who need the ability to have sub users who manage parts of their site and so on. Many FTP servers allow this, but SSH does not. So this is another FTP feature that keeps it going.
And while I'm griping about it, it REALLY doesn't help the situation that WinSCP started supporting FTP.
Re:Amusingly.. (Score:3, Informative)
FTP opens an entire new TCP connect for each file transfered, and is plenty chatty in the command channel while that happens. It's probably not the handshake times that are slowing you down.
More likely it's the relative inefficiency of SFTP on high-latency links -- SFTP has a relatively small transfer and pending request window, which means that with any significant latency you'll spend a lot of time waiting for confirmations instead of actually sending data.
For example, in OpenSSH prior to 4.7 the default limit for outstanding requests was only 16. Since 4.7 the default has been 64, and in both versions you can adjust the limit at runtime with `-R num_requests`. OpenSSH 4.7 also increased the default receive window size, which improves transfer speeds on links with non-trivial latency.
Re:All you need to know: (Score:3, Informative)
Some of the stuff that can be missed by a thorough examination can't be purged through a reinstall.
I'm talking about those nasty buggers that hide in the BIOS chips, and re-infect on OS reinstall.
My (current) computer has never been infected by a virus or any malware - but I'm so anal that I open any possibly dangerous links in Opera, with all plugins disabled, rather than my default browser. (Firefox)
I also type many sites into the address bar in a form that'll go through Google's servers(www.slashdot.org -> "slash dot"), rather than using bookmarks. That way it'll warn me if the site could infect me with something.
Re:FTPS (Score:3, Informative)
Here's something that actually answers my question rather than just repeating its antecedent, in case anyone else has it:
http://www.linux.edu/index.php?option=com_content&task=view&id=45&Itemid=9 [linux.edu]
Re:Been trying to switch users for years (Score:3, Informative)
Tunnelier [bitvise.com] is rather good, includes an FTP bridge. Connect to your ssh server, and it listens on localhost for ftp commands, translates and sends them to your server over ssh. Not only means encryption, but also compression (something I often care more about). Will sit in your system tray and auto reconnect if connection drops, and enable all old ftp-only software to talk to an ssh only server. I talk to everything over it, mysql, imap/smtp, even web traffic can be sped up.