The venerable File Transfer Protocol (or FTP) is going away. Kind of. Not really.
In April, the Debian Project announced that it was killing its support of FTP services on November 1. Despite the Debian Project’s announcement, FTP won’t likely be faced with extinction just yet. Created in 1971, FTP has been around more than four decades. During that time, it has become ubiquitous, even if largely overlooked in recent years.
FTP was once considered a cutting-edge solution to a major logistical issue in the early days of computing: the movement of digital files from one location to another. Today we take most file transfers for granted, but sending data from Point A to Point B was much harder 40 years ago. Even relatively small files were routinely stymied by bandwidth constraints that required special tools if you hoped to achieve any measure of reliability. FTP was the solution to that problem. Any business that had gone digital had an FTP server tackling the delivery of mission-critical data.
While there is no telling how many active FTP servers are in existence, there are a lot of servers still in service—and that’s a security problem. The persistence of FTP can probably be attributed to the old saying, “if it ain’t broke, don’t fix it”; but FTP was never designed to be a secure protocol. It is extremely vulnerable to hackers. So businesses should really be asking, “Is FTP the right tool for the job? Is it possible that we might have an FTP server running on our network that we’re unaware of?”
That is why the Debian Project made its decision. The protocol from 1971 doesn’t meet the security needs of 2017. FTP is also inefficient, difficult to configure, and doesn’t support caching or acceleration. It isn’t even close to being as user friendly as tools like cloud-based file sharing, managed file transfer, and other technologies that have long since rendered FTP, as The Register aptly put it, the Forgotten Transfer Protocol.
And yet, FTP persists.
Earlier this year, the FBI issued a warning that FTP servers in use at smaller medical and dental offices were being targeted by hackers. The risk profile made sense: vulnerable legacy technology in use at organizations dealing with sensitive, high-value information. These are small organizations without the technical resources to provide state-of-the-art safeguards. They are also the kinds of organizations you’d expect to find either stubbornly clinging to their trusty FTP server—or completely unaware that they were using one.
FTP (and its vulnerabilities) are also turning up in some other interesting places.
About the same time that Debian Project announced it was ending support of FTP, security researchers from Carnegie Mellon University demonstrated that they were able to hack into and disable a quadcopter drone in part because of the presence of FTP in the design.
More recently, premium cable television network HBO was hacked. This resulted in the embarrassing leak of unaired Game of Thrones episodes, among many other shows. The security issues were tied to the likely use of FTP by third-party contractors involved in the popular show’s production.
In an interview with the gaming and entertainment news site Polygon, security expert Alex Heid described the current state of FTP:
“Using an FTP goes back to the beginning of the internet,” Heid said. “It’s not a very secure method; it’s old, but it’s also simple, which makes the process of transferring something very easy. There might not be any password in place! Once an attacker has that, they can essentially log in to the entire network. If a hacker gets into your network with an authenticated credentials that they have now stolen and they’re routing the traffic through an IP address, then it doesn’t really flag to security firms as an attack since it’s an authorized login.”
Whether you are involved with the handling of intellectual property for a blockbuster entertainment franchise, managing the transfer of sensitive and highly regulated medical or financial data, or simply want to share photos of your latest vacation with friends, there are more secure options designed to meet those specific needs.
The Debian Project’s decision to end support of FTP is the right move. Even though that deadline will soon be past, it does not mean FTP is dead. To the contrary, FTP will be with us for years to come. With that in mind, and in consideration of the risks, take the time to inventory the tools your organization is using to transfer and manage your valuable data. Rather than leaving unused tools to be forgotten, why not update those transfer protocols instead to something more secure?
This is a Security Bloggers Network syndicated blog post authored by Greg Hoffer. Read the original post at: RSA Conference Blog