Insecure FileZilla FTP Program

I manage several web sites, among them WordPress-based. And other sites I manage/own are PHP-based. So I often need to transfer files from my laptop to the hosting site. To do that, I use an FTP client program called FileZilla.

At least, I used to.

And the reason for ‘used to’ could be helpful to you.

One of the sites I manage has an intermittent problem with some injected malware. Usually, it is a small bit of code that uses an ‘iframe’ (sort of inserted content on a web page) to hide content that does search click-jacking. That’s when the code displays a search results page, then ‘clicks’ links on the page to earn search-click revenue. The actual search page is not displayed, but the ‘clicking’ happens.

So that injected code gets displayed on every WordPress page on the site. Which means that somehow the WordPress code on the site host is being modified by malware.

It’s not clear how the code gets modified, but one way is by a compromised FTP account. The hacker somehow gets the FTP login and password for a site, then looks at that site for PHP files that can be modified with an insertion of the malware code.

And the only way to figure out that the site has been compromised is to take a look at the page code, which can be quite complex. Or you can look at file dates on the host, but that can take quite a while.
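
The two checks described above (reading the page code for a hidden iframe, and looking at file dates on the host) can both be automated. The script below is an added example, not something from the original post or from WordPress; it walks a theme directory, flags any iframe that is styled or sized to be invisible, and lists files modified within the last seven days. The sample files, their contents and the directory layout are constructed for the demonstration.

```python
"""Scan a WordPress/PHP tree for injected hidden iframes and recently changed
files. Added example, not from the original post; file names and sample
contents are constructed for the demonstration."""
import os
import re
import tempfile
import time

# A hidden iframe is one sized to zero or styled invisible: content that is
# served to every visitor but never displayed, as the post describes.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE | re.DOTALL)
HIDDEN_RE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|\b(?:width|height)\s*=\s*[\"']?0(?:px)?[\"']?",
    re.IGNORECASE,
)


def find_hidden_iframes(text):
    """Return the iframe tags in `text` that are styled or sized to be invisible."""
    return [tag for tag in IFRAME_RE.findall(text) if HIDDEN_RE.search(tag)]


def scan_tree(root, recent_days=7, now=None):
    """Walk `root` and return {relative_path: {'hidden_iframes': [...], 'recent': bool}}
    for every .php/.html file that carries a hidden iframe or was modified within
    `recent_days` days (the 'look at file dates' check from the post)."""
    now = time.time() if now is None else now
    cutoff = now - recent_days * 86400
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".html", ".htm")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                hits = find_hidden_iframes(fh.read())
            recent = os.path.getmtime(path) >= cutoff
            if hits or recent:
                findings[os.path.relpath(path, root)] = {
                    "hidden_iframes": hits,
                    "recent": recent,
                }
    return findings


# Constructed sample site: a clean file that is old, and a footer modified
# "today" that carries the kind of injected iframe the post describes.
CLEAN_PHP = "<?php get_header(); ?>\n<div class='content'>Hello</div>\n"
INJECTED_PHP = (
    "<?php get_footer(); ?>\n"
    "<iframe src=\"http://example.invalid/r.php\" width=\"0\" height=\"0\" "
    "style=\"display:none\"></iframe>\n"
)


def build_sample_site():
    """Create a temp directory holding one old clean file and one fresh injected file."""
    root = tempfile.mkdtemp(prefix="wp-scan-")
    theme = os.path.join(root, "wp-content", "themes", "demo")
    os.makedirs(theme)
    clean = os.path.join(theme, "header.php")
    injected = os.path.join(theme, "footer.php")
    with open(clean, "w") as fh:
        fh.write(CLEAN_PHP)
    with open(injected, "w") as fh:
        fh.write(INJECTED_PHP)
    old = time.time() - 90 * 86400
    os.utime(clean, (old, old))  # pretend header.php has been untouched for 90 days
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for path, info in sorted(scan_tree(site).items()):
        flags = []
        if info["hidden_iframes"]:
            flags.append("hidden iframe")
        if info["recent"]:
            flags.append("modified in last 7 days")
        print(f"{path}: {', '.join(flags)}")
```

On a real host, point `scan_tree` at the WordPress document root; a file that is both recently modified and carries a hidden iframe is the one to diff against a known-good copy of the theme or plugin.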

Now, I keep my computer systems current with patches. I do Windows patches as soon as they are released. I have Secunia’s PSI program, which automatically patches my non-MS programs. I’ve got a good anti-virus program. And I use strong passwords everywhere.

But even these good security practices can be bypassed with a ‘zero-day’ attack. And that’s what I think happened. Some malware got into my system somehow. And this particular bit of malware tries to compromise my FTP program.

And it turns out that FileZilla, the FTP client on my computer, stores FTP user names and passwords in a clear-text file in an easily accessed location.

What. The. ???!!!

Why would they do that?

Yes, the program is open-source, so someone can easily figure out where the FTP user/passwords are stored. But there is no reason not to encrypt the file that contains the passwords.

No reason at all.

It is a major vulnerability. One that the FileZilla developers continue to ignore.
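
The point above is that a saved-site file any process can read is a credential store any malware can harvest. The audit script below is an added example, not code from the post, from FileZilla or from WinSCP; it parses a site-manager style XML file and reports every saved server whose password is recoverable from the file. The XML layout (a `<Server>` entry with `<Host>`, `<User>` and `<Pass>`) is an assumption modelled on a FileZilla-style file, the sample entries are constructed, and the real file path to feed it is whatever your client writes to.

```python
"""Audit an FTP client's saved-site file for credentials stored in the clear.
Added example, not part of the original post. The XML layout is an assumption
modelled on a FileZilla-style site manager file; the sample is constructed."""
import base64
import binascii
import xml.etree.ElementTree as ET

# Constructed sample: a plaintext password, a base64-"encoded" password
# (reversible, so no better than plaintext), and an entry with none saved.
SAMPLE_SITEMANAGER = """<?xml version="1.0"?>
<FileZilla3>
  <Servers>
    <Server>
      <Host>ftp.example.invalid</Host>
      <Port>21</Port>
      <User>siteowner</User>
      <Pass>hunter2</Pass>
      <Name>Main site</Name>
    </Server>
    <Server>
      <Host>ftp2.example.invalid</Host>
      <Port>21</Port>
      <User>wpadmin</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
      <Name>Second site</Name>
    </Server>
    <Server>
      <Host>ftp3.example.invalid</Host>
      <Port>21</Port>
      <User>nopass</User>
      <Name>Prompt each time</Name>
    </Server>
  </Servers>
</FileZilla3>
"""


def classify_password(pass_el):
    """Describe how a <Pass> element stores its secret: 'plaintext', 'base64'
    (an encoding, not encryption), 'undecodable', or 'none' when nothing is saved."""
    if pass_el is None or not (pass_el.text or "").strip():
        return "none"
    if pass_el.get("encoding", "").lower() == "base64":
        try:
            base64.b64decode(pass_el.text.strip(), validate=True)
            return "base64"
        except (binascii.Error, ValueError):
            return "undecodable"
    return "plaintext"


def audit_sitemanager(xml_text):
    """Return (host, user, storage) for every saved server whose password can be
    read back by anything that can read the file."""
    root = ET.fromstring(xml_text)
    exposed = []
    for server in root.iter("Server"):
        host = server.findtext("Host", default="?")
        user = server.findtext("User", default="?")
        storage = classify_password(server.find("Pass"))
        if storage in ("plaintext", "base64"):
            exposed.append((host, user, storage))
    return exposed


def audit_file(path):
    """Convenience wrapper for a real file on disk (path is whatever your client uses)."""
    with open(path, "r", encoding="utf-8") as fh:
        return audit_sitemanager(fh.read())


if __name__ == "__main__":
    for host, user, storage in audit_sitemanager(SAMPLE_SITEMANAGER):
        print(f"{user}@{host}: password stored as {storage}; "
              "readable by any process running as this user")
```

A base64 entry is reported alongside plaintext deliberately: an encoding that any reader can reverse gives no protection against malware that has already reached the file, which is exactly the scenario the post describes. Only a store encrypted under a key the file does not contain (a master password, as with WinSCP) changes that.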

And FileZilla is very popular. Millions of downloads.

Each and every one is vulnerable to malware attack that will get your FTP user credentials.

What. The. ???!!!!

And that’s why FileZilla has been removed from my computer. And banned from any computer I own or manage.

But I still need an FTP client. Yeah, I could do it all manually, but an FTP GUI is just convenient. So I need an alternative.

And that alternative is WinSCP (available at http://winscp.net/eng/index.php).

It’s pretty easy to use. Has a nice GUI. Allows for multiple FTP site settings. Will save the FTP user credentials. Is open-source, and free (donations accepted).

And has an option to have a ‘master password’, that, if enabled, will encrypt the file that stores your FTP user credentials.

So far, it is working fine, and appears to be a good and secure FTP client.

Which is why WinSCP is on my computer.

And FileZilla isn’t.

I recommend the same conclusion for your computers.


(Added 25 May 2012) Note that if you do uninstall FileZilla, the password file is not removed (even after a restart). You will need to remove it manually.

Careful

Windows Update time. Do it.

Then install Secunia’s Personal Software Inspector. Run it. Update as needed.

And you Mac guys. You are not safe from viruses any more. Deal with it.

Saving Your Data

An important part of information security is making your data available, and keeping that data available. Loss of data can be a minor inconvenience, or it can kill your business. And it is not just businesses that need to worry about data loss.

Think of your personal data. All of those pictures on your camera, your phone, your laptop, or your computer. Or even the non-electronic data like printed pictures, slides, important papers, journals — the list is almost endless. Protecting that data from different kinds of loss is important to a business, and to individuals.

And there are lots of ways to back up that data, no matter what it is. On a personal level, you can copy files to CD/DVDs, or to an external hard drive (USB thumb drive, external hard disk). Those are valid solutions. But only if you remember to do them. And then there is the storage issue. Where do you keep these backup copies? Keeping them in the same physical location protects the data — until there is a flood, or a fire, or tornado, or a theft, or … well, the possibilities for data loss have not been fully mitigated.

One of the solutions I have used for a couple of years is an on-line backup service. The service I use is from Carbonite (www.carbonite.com), and costs $59/year for unlimited, automatic on-line backup. Three important words in that statement. Unlimited backup takes care of all of my files at the same basic cost. Automatic means that I don’t have to worry about doing it. And the third important part is “on-line” — the data is stored off-site in ‘the cloud’.

With Carbonite, everything is automatic. I install the software on one computer at home (they have a multiple-computer plan also). I designate the folders to back up. The Carbonite software automatically copies my files to their servers, over my Interwebs connection, and does it with a minimal impact on my other on-line activities. If I make a change to a file, that changed file is added to the backup list.

And it is all done automatically. It meets the requirements for keeping my backups current; the files are available if I need them; and I don’t have to remember to do anything.

But what about the multiple computers around your house? You may have a couple of laptops or desktops at your house. How do you keep all of your computers backed up?

With Carbonite, you have to pay for one yearly subscription ($59) for every computer you back up. If you have multiple computers at home, that can start getting expensive. A bit of adjustment on your end will fix that.

In my case, the desktop computer downstairs is Carbonited. That computer, plus our two laptops, are all networked together. So a process of copying data from laptops to desktop gets our laptop files as part of the Carbonite backup. That’s done with the free Microsoft SyncToy, which syncs the files from laptop to desktop. It’s pretty fast (much faster than a straight copy command), since it only works on files that have changed.

So my important personal data is backed up with Carbonite. There are other services that perform similar functions; some have better pricing for multiple computers. But my data is safe from a local (home) disaster, and it is mostly hands-free.

Poor Kenneth

Got this in my email today:

Hi,

Just writing to let you know our trip to Madrid, Spain has been a mess. We were having a great time until last night when we got mugged and lost all my cash,credit card cellphone It has been a scary experience, I was hit at the back of my neck with a club. Anyway, I’m still alive and that’s whats important. I’m financially strapped right now and need your help. I need you to loan me some $$, I’ll refund it to you as soon as i arrive home.Write me back so i can tell you how to get it to me.

Regards, Kenneth

This is quite sad. Poor Kenneth. Stuck in a foreign country, no cash, no credit cards, so he can’t get home. I should send him some money to help out.

Except I don’t know a Kenneth. Even if I did (and this scam sometimes comes from a name you recognize), it is not a good practice to send money to someone without verification. Unless you don’t care if you ever see that money again.

These types of messages might come to you from your “cousin” or “granddaughter”, and might include information that seems valid. But it is a scam.

Be careful out there!

On-Line Banking Attacks

Reports in a couple of places about some really sneaky attacks if you do on-line banking. The attacks will steal your credit card info (with your help), make unauthorized charges, then remove those charges from your on-line statements. Pretty clever, actually.

Here’s a couple of links about this: http://redtape.msnbc.msn.com/_news/2012/01/06/9986119-new-virus-raids-your-bank-account-but-you-wont-notice and http://nakedsecurity.sophos.com/2012/01/05/spyeye-bank-trojan-hides-its-fraud-footprint/.

Your defense? Those four things we mentioned here (http://cellarweb.com/securitydawg/?p=56): Windows updates, application updates, anti-virus updates, not browsing as an administrator. Those would be a great start.

…and we’re back …

Not that anyone has noticed, but this place has been like <sound of crickets>. Let’s see if we can rectify that situation.

Changes in store for this place. The ‘look’ will be tweaked, so expect those changes. Content will appear more regularly, with any luck.

We’ll post things about computer security that catch our eyes. It might just be a short sentence with a link to someone else’s site. But more content, more often. At least, that’s our plan.

In the meantime, four things to do:

1) Install all Windows updates. Set it up to install automatically.

2) Update your antivirus regularly. At the very least, use Microsoft Security Essentials (at www.microsoft.com/protect). Good program, catches most problems, low footprint/effect on your system.

3) Update your applications. I recommend Secunia’s PSI program. Go to www.secunia.com. It’s free, and will keep your applications current. That’s important, as more exploits are aiming for your programs, not the operating system.

4) When wandering around the Interwebs, log on with a limited (non-administrative) account. That will help protect against malware attacks.

Do these four things, and your computer will be protected from the most common problems.

More later … and, with any luck, more often.

Internet Still Working After Conficker "Threat"

Noticing that the Internet is still working after the big ‘Conficker attack’ on 4/1/09.

But there are lots of computers with the Conficker malware, as shown by this map (http://www.confickerworkinggroup.org/wiki/pmwiki.php/ANY/InfectionDistribution) from the Conficker Working Group.

That group also has a quick test for checking whether you are infected: the Conficker “Eye Chart” (http://www.confickerworkinggroup.org/infection_test/cfeyechart.html), which loads graphic images from web sites that Conficker blocks. If those images don’t display, that is a good quick sign that you are infected with Conficker.

Conficker is still a threat, since there is no limit to what a bot-controlled computer could be told to do. The map shows that it is still widespread.

But the attention of the anti-malware community will minimize its impact, I think. Or at least the details of the next attack will be known.

Is Your Data Safe?

So…where is your data? And what is your backup plan? Is it like Ma.gnolia’s (a free site to store your web browsing bookmarks)? They apparently didn’t have a backup plan, as the entire site was hosed by some unknown error (I suspect that their database got corrupted, and backups weren’t available). One place for the story is here: http://blog.wired.com/business/2009/01/magnolia-suffer.html.

Or, in these uncertain economic times, do you have a procedure that disables access when your network administrator is let go? Or are you like the folks at “Fannie Mae” (US govt housing mortgage agency), who told a contractor he was fired, but didn’t revoke his access? Seems that he was a bit miffed at the whole thing, so he put a logic bomb on their servers that would have deleted all their data on all servers. See here: http://www.theregister.co.uk/2009/01/29/fannie_mae_sabotage_averted/.

If your company may start downsizing, do you have proper access controls on your data? If you gave an employee two weeks’ notice, could they start deleting files? Or changing some spreadsheet formulas?

Something to think about for your personal data … and your company’s data. Could your company survive a disgruntled employee’s nefarious action on your data?

Looking at other "Free" File Transfer sites that aren’t really free

Some minor fine-tuning on the www.filehurl.com site (my absolutely free, unlimited file transfer web site).

There was a comment in a previous post about using another site. So I was curious about it, and looked at the site and compared it to FileHurl.

The other site requires registration (FileHurl doesn’t). It does have free file transfers (like FileHurl), but limits the size of the free transfers (FileHurl has no size limit). It also limits the number of times you can use the “free” transfer (FileHurl has no such limit). It has some paid services that allow unlimited use and size (FileHurl is fully free, although you can voluntarily donate).

The other site may be a bit ‘prettier’. FileHurl is pretty simple. Click one button, fill in one simple form (four or five fields, plus a ‘Browse’ button to select the file), and that’s it for sending the file notice.

The recipient gets a simple email with one link. One click for the link, one click to get the file, one click to save the file. That’s pretty simple.

And it is totally free and unlimited, unlike the other place. If you want to check it out, go ahead.

But I think that my FileHurl place is better. It certainly doesn’t have the limitations of other file transfer sites. I haven’t found any that are totally free like FileHurl (but will look at any alternatives that you mention).

Try it out. And let me know what you think. (And a mention on your web site or to places like “Digg” might be nice.)

How to Send Big Files via Email

Ever need to transfer a file to someone, but it was too big for sending via email? There are some sites that do that, but most have a one-time or monthly charge, especially if the files are large. Or they limit the size of the file.

That happens to me sometimes. So I decided to try to create my own file transfer web site. And I think that it is ready for my thousands of readers (well, maybe as many as five) to try out (and to recommend to others).

The concept is quite simple. You fill out a simple form with the email address of the person you want to receive a file. Type in a little message, use a browse button to find the file on your computer, then click one button to send it off. (We call it “Hurling a file”.)

The recipient gets an email message with a special and unique link, along with your message. Click on the link, then click one “Get the File” button to save the file to your computer.

And that’s it! You’ve sent your file to someone else, no size limits, no charges, and it’s simple enough for “Aunt Minnie” to use (at least, that’s our hope). We don’t save the email addresses, and the file is available for just seven days and then goes away.
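
The two design properties described above, a “special and unique link” that only the recipient holds and a file that is available for seven days and then goes away, come down to an unguessable token and an expiry that is enforced on every lookup. The class below is an added example, not FileHurl’s own code (the post does not show its implementation); the class name, the in-memory storage and the seven-day window are assumptions drawn from the post’s description, and the clock is injectable so the expiry can be exercised without waiting a week.

```python
"""Unguessable, self-expiring download links for a one-file transfer service.
Added example, not FileHurl's own code; names, storage layout and the
seven-day window are assumptions taken from the post's description."""
import secrets
import time

LINK_LIFETIME_SECONDS = 7 * 24 * 3600  # "available for just seven days"


class TransferRegistry:
    """Maps a download token to a stored file. Holds no sender or recipient
    address, matching the post's 'we don't save the email addresses'."""

    def __init__(self, now=time.time):
        self._now = now    # injectable clock so expiry can be tested deterministically
        self._items = {}   # token -> (stored_path, expires_at)

    def register(self, stored_path):
        """Issue a fresh token for an uploaded file and return it."""
        # 32 bytes (256 bits) from the OS CSPRNG: the link cannot be guessed or
        # enumerated, which is what lets the link alone act as the credential.
        token = secrets.token_urlsafe(32)
        self._items[token] = (stored_path, self._now() + LINK_LIFETIME_SECONDS)
        return token

    @staticmethod
    def download_url(base_url, token):
        """Build the link that goes into the recipient's email."""
        return f"{base_url.rstrip('/')}/get/{token}"

    def resolve(self, token):
        """Return the stored path for a live token, or None for an unknown or
        expired one. The two cases are deliberately indistinguishable to the caller."""
        entry = self._items.get(token)
        if entry is None:
            return None
        stored_path, expires_at = entry
        if self._now() >= expires_at:
            del self._items[token]   # "and then goes away"
            return None
        return stored_path

    def purge_expired(self):
        """Drop every expired entry and return how many were removed; run this on a
        schedule so the files themselves can be deleted once their links are dead."""
        now = self._now()
        dead = [t for t, (_, exp) in self._items.items() if now >= exp]
        for t in dead:
            del self._items[t]
        return len(dead)


if __name__ == "__main__":
    clock = [1_000_000.0]                      # constructed fake clock, in seconds
    registry = TransferRegistry(now=lambda: clock[0])
    token = registry.register("uploads/constructed-sample.zip")
    print("link:", registry.download_url("https://www.filehurl.com", token))
    print("day 1:", registry.resolve(token))
    clock[0] += LINK_LIFETIME_SECONDS + 1    # jump past the seven-day window
    print("day 8:", registry.resolve(token))   # None: the link no longer works
```

Because `resolve` answers the same way for a token that never existed and one that has expired, a visitor probing the `/get/` path learns nothing about what was ever uploaded, and the token length makes probing pointless in any case.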

It’s not a file sharing site, since you only get to send one file that you already own. And it can’t be a spam site, since you have to enter the email addresses manually. We’ve protected it against the evil guys as much as we can, and will monitor things to make sure that the site stays as safe as it can.

And, it’s all free. Although we do have a ‘donate’ button, and hope to get some simple advertising, to help defray expenses.

We (hmm…sounds like a ‘royal we’…) also put some social networking buttons at the bottom of the page to spread the word about the place. It’s a grand experiment, it will be interesting to see if anyone other than me actually goes there.

Oh. Where’s there? We call it “FileHurl”, and it’s at www.filehurl.com. You’re invited to try it out…and send along any suggestions for improvement.

And tell a friend. The place might even be ready for the “Digg Effect”.