Posts Tagged Secure FTP

Message Queues and Network Shares Added to Managed File Transfer Solution

Posted by on Monday, 28 February, 2011

The new 3.5 release of GoAnywhere Director is now available with more features to help organizations automate, secure and manage file transfers.

In this new release, GoAnywhere Director provides simpler access to files and folders on Network Shares. It can also connect to enterprise Message Queues (e.g. WebSphere MQ) for better integration with customer applications. The new version also includes “File Monitors” which can be used to easily scan for new, modified and/or deleted files in targeted folders. Additionally, this release includes the ability to auto-resume file transfers if FTP and secure FTP connections are broken.

In addition, better High Availability (HA) capabilities allow GoAnywhere Director to store configurations in customer database systems including SQL Server, MySQL and DB2 for IBM I (iSeries). This allows customers to manage and replicate this data using in-house database and HA tools.

I’ll say it again, that of all the tools I have purchased over 28 years in I.T. GoAnywhere Director is my favorite! ~ Don McIntyre, Kansas City, Missouri School District

Read the press release  > >

Bob Luebbe

Bob Luebbe has worked in the IT field since 1985. During his career, he has worked in a wide variety of roles including software development, project management, consulting and architecting large-scale applications. Bob has been with Linoma Software since 1994 and is currently serving its Chief Architect. His main focus for the last several years has been developing technologies to help organizations to automate and secure their file transfers, as well as to protect data at rest through encryption and key management.

More Posts - Website

Are You Confident Your FTP Credentials Are Secure?

Posted by on Monday, 6 December, 2010

Nesting Dolls to Wormholes

Do You Know Where Your FTP Credentials Are?

FTP Security WormholeA security researcher named Chris Larson happened onto a curious website last September that had been serving some malicious-looking exe files. While poking around, he wrote in his blog, “I came across an ‘unlocked door’ on the malicious Web site and took a look inside.” Treading like an adventurer in Alice’s Wonderland, Larson discovered that this little doorway opened into a world of potential hurt for companies around the world.

There was a strange, oddly-sized GIF file that, with further poking, revealed a hidden payload. The GIF, when poked, revealed four text files. Little by little, their contents spilled out, until, finally it revealed a dark criminal archive. The files contained the login credentials of more than 100,000 FTP sites.

It was an unbelievable discovery, like a Russian nesting doll, that – when unpacked – opened a veritable wormhole to FTP sites around the world: Domain names, User IDs, and Passwords.

Nearly two thousand of these FTP credentials were the domain credentials from one particular site that claimed to Web-host nearly two hundred thousand separate FTP sites. Another file contained a hundred thousand credentials from a variety of unrelated individual sites. Using this archive of FTP credentials, the thief (or thieves) could penetrate, inspect, and selectively harvest the information contained within stored files that users had transferred between their workstations and their corporate computers.

How this archive was assembled and hidden demonstrates how the network of thieves profits and expands. Larson noticed a duplication of a small percentage of the FTP credentials. This seems to indicate that the archive was probably robotically created by a virus or Trojan.

Larson had discovered an actual retail operation that gathers FTP credentials, and then sells those credentials – like a retail mailing list — throughout the underworld to anyone who can pay the price. The archive, in its hidden GIF packaging, appears to be the actual product. Such an archive would be valuable to identity thieves with its hidden payload. In this state, it was ready to be transmitted to other thieves, running beneath the radar of security network packet sniffers.

This begs the question: “Do you know where your company’s FTP credentials are stored?” If your company is using a managed file transfer (MFT) suite like Linoma’s GoAnywhere, you already know the answer.

The best MFT suites manage the access to FTP, centralize the file transfer process, and secure the credentials that are communicated between hosts. By using a MFT suite, IT can institute rules by which file transfer credentials are organized, encrypt the transfers themselves, and log every transfer activity. User credentials to other servers are also centralized and secured, and the connection rules that your business partners use can be managed to ensure that user ids and passwords regularly updated.

Chris Larsen uncovered a secret world in which the doors to our systems – and our business partner’s systems – are sold as simple commodities, available to anyone who can pay the price. It’s like a toyshop where your company’s FTP credentials are displayed like exotic dolls, nested within a GIF wrapping: a GIF that promises to keep on giving.

Isn’t it time to do something about it?

Thomas Stockwell

Thomas M. Stockwell is one of Linoma Software's subject matter experts and a top blogger in the industry. He is Principle Analyst at IT Incendiary, with more than 20 years of experience in IT as a Systems Analyst, Engineer, and IS Director.

More Posts - Website

Transferring Large Files over the Internet? A Few Managed File Transfer Recommendations

Posted by on Monday, 29 November, 2010

Internet File TransfersRecent posts on this blog have outlined reasons to consider installing a file transfer system that will help streamline productivity and secure the transfer of sensitive documents. We understand that selecting a product can be time consuming. To help you make the most educated decision here are a few more helpful suggestions to consider when selecting a managed file transfer solution.

  • Easy to learn and easy to use – The managed file transfer (MFT) system you choose should have an intuitive interface that can be learned quickly. No programming skills should be required. If it isn’t easy to use, end-users and non-IT personnel will shy away from using it.
  • Audit trails – The secure file transfer solution should produce comprehensive audit trails of all file transfer activity and support SYSLOG feeds to a central logging server.
  • Produces alerts – An automated file transfer solution should be able to send you email alerts or texts instantly when problems occur.
  • Password security – The managed file service you choose should not show password values on any screens or logs. Encrypts all passwords that are stored.
  • Remote access – The file transfer product allows for remote administration and monitoring of file transfers, preferably through the browser.
  • Web site transfers – The file transfer solution needs the ability to support HTTP and HTTPS protocols for transferring data.

A managed file transfer solution can not only save your department time, but it can also save you money. A comprehensive solution will enable you to complete menial tasks and allow your department to concentrate on the larger picture.

Did I mention we have a managed file transfer product…GoAnywhere? GoAnywhere allows organizations to secure and automate the exchange of data with their trading partners, customers, employees and internal systems. Still not sure what you are looking for? We offer a free product trial and we would be happy to schedule a demo to go over how GoAnywhere can help your company.

Related Blog Post: Top 10 Managed File Transfer Considerations

Bob Luebbe

Bob Luebbe has worked in the IT field since 1985. During his career, he has worked in a wide variety of roles including software development, project management, consulting and architecting large-scale applications. Bob has been with Linoma Software since 1994 and is currently serving its Chief Architect. His main focus for the last several years has been developing technologies to help organizations to automate and secure their file transfers, as well as to protect data at rest through encryption and key management.

More Posts - Website

FTP Server Security Flaw Discovered

Posted by on Monday, 1 November, 2010

We know that FTP has security issues that are based upon its aging design. But a new flaw, discovered by Maksymilian Arciemowicz, is creating new concerns. This new flaw is calling into question the underlying code-base implemented by literally thousands of FTP server applications.

The flaw resides in several C code libraries that call the glob() function. “Globbing” is a pervasive function that permits the use of wildcard patterns to identify file names. It’s one of the most commonly used processes in transferring large numbers of files with FTP: Instead of individually selecting files, a user may select a folder or a group of files based upon a common string. The common use of *.doc or *.* are examples.

The flaw discovered by Arciemowicz relates to a feature added to C libraries in 2001.  That feature – called GLOB_LIMIT – was designed to limit the amount of memory used during transfer. Because GLOB_LIMIT is not effective, it potentially allows a system’s main memory to be flooded when processing certain patterns and this may, depending on the hardware used, cause the system to become very slow, cease to respond or even crash as a result.

Of course, crashing an FTP server can then permit other security violations to take place – not only on the server side. For instance, a hung FTP server that is in the midst of a conversation with a client can leave the client’s data in the open. This represents a serious potential security hole for the client software itself.

In most servers, the function is implemented via libc, but some vendors have integrated the globbing feature directly into their products, with an option in the configuration settings for it to be disabled. Arciemowicz said that OpenBSD 4.7, NetBSD 5.0.2, FreeBSD 7.3 / 8.1, Oracle Sun Solaris 10 and GNU Libc (glibc) are affected. FTP and SFTP servers all tend to support globbing, so it’s important to either disable globbing in the configuration of the server side, and/or to contact the software vendor about the use of this underlying function to discuss how to the function.

GoAnywhere does not have this issue as it does not use C or the GLOB_LIMIT. GoAnywhere Services is a secure file server that allows trading partners (both internal and external) to securely connect to your system and exchange files within a fully managed and audited solution. Popular file transfer and encryption standards are supported without the need for proprietary client software.

Thomas Stockwell

Thomas M. Stockwell is one of Linoma Software's subject matter experts and a top blogger in the industry. He is Principle Analyst at IT Incendiary, with more than 20 years of experience in IT as a Systems Analyst, Engineer, and IS Director.

More Posts - Website

Who Insures the Insurer?

Posted by on Monday, 2 August, 2010

Do insurance companies maintain Data Security Breach Insurance?

On June 23, 2010 more than 200,000 Anthem Blue Cross customers received letters informing them that their personal information might have been accessed during a security breach of the company’s website. Customers who had pending insurance applications in the system are currently being contacted because information was viewed through an on-line tool that allows users to track the status of their application. Social Security and credit card numbers were potentially viewed.  It’s one more tumble in a cascade of security breaches that can have terrible consequences for the customers and clients of such a large insurance company.

And of course, this raises an ironic question: Do insurance companies maintain their own liability insurance in the event that their information systems are compromised?  As absurd as it may seem at first glance, it’s really not a laughing matter. According to the Ponemon Institute, the average cost of a security breach is now exceeding $200 per client record.  This would mean that Anthem Blue Cross’s breach last month created a liability as great as $40M.

Moreover, there’s a ripple effect to organizations that do business with insurance companies that suffer such an information security breach.  Each Personnel Department that delivers private employee information to an outside service supplier has an inherent responsibility and liability to its employees.

We all know that the privacy information transferred between companies should use a secure and confidential method of transmission.  Yet too many small and medium-sized companies are still using simple FTP (File Transfer Protocol) software that has been proven to be susceptible to the threats of network hackers.  And by the time these organizations realize their vulnerability, it’s often too late.  These companies are often performing these FTP transfers below the radar of their IT departments.  How does it happen?

Often personnel data is off-loaded to PCs from the main information systems where it is left “in the open” on the hard drives of desktops or laptops. After the data is transferred this residual data is often unprotected, where it’s subject to theft or secondary security flaws. Insurance agents – whose jobs are to facilitate the processing of the data with their insurance providers – can also suffer from such breaches. The loss of an agent’s laptop – through theft, accident, or routine use of USB thumb-drives – poses additional liability.

There are two readily available strategies to help prevent these kinds of security abuses. The first strategy is to use data encryption technologies that not only encrypt the data, but also record into a secure log detailing when, where, and by whom the sensitive data has moved from the main information database.  Linoma’s CryptoComplete offers precisely this kind of encryption capability, and it should be examined by IT professionals as a viable, highly configurable resource for the protection of the company’s information assets.

The second strategy is to use a secure method of transfer for the data itself, ensuring that the information is never left in a vulnerable state on an individual’s personal computer.  By removing FTP access to the data by any employee’s PC and channeling the transfer through the secure corporate server, IT can prevent the problem of network hacking from occurring.  Linoma’s GoAnywhere Director solution is precisely the means of achieving the goal of a secure FTP transfer between companies.

The tragedy of the Anthem Blue Cross breach was the result of a faulty security scheme in the design of its customer service solution.  But it is not the only potential failure of data security that can impact its customers and business partners. And, unfortunately, this information security breach is just one of the 356 million reported breaches that have occurred in the US over the last five years.

So who insures the insurer when a data security breach occurs?  The real answer is IT itself.  And helping IT achieve a better result will be the subject of this blog over the next few months.

Thomas Stockwell

Thomas M. Stockwell is one of Linoma Software's subject matter experts and a top blogger in the industry. He is Principle Analyst at IT Incendiary, with more than 20 years of experience in IT as a Systems Analyst, Engineer, and IS Director.

More Posts - Website