Unsecured FTPs

Cubswin · #1 08-29-2007, 11:20 PM

Quick questions. Does an unsecured FTP pose any sort of security risk besides the content of the file that's being FTPed?

Thanks in advance!

kerowo · #2 08-29-2007, 11:26 PM

Probably depends on the security of the FTP server software you are using. It's a way into your system so it isn't going to be as secure as not having that port open on your machine. You are probably better off finding a file serving place on the web and letting them host it.

nuclear500 · #3 08-29-2007, 11:29 PM

By unsecured I assume you mean plain FTP and not FTP secured behind SSH?

All traffic, including login information (passwords etc) travel across the wire in plain text....

Cubswin · #4 08-29-2007, 11:35 PM

Thanks for the response.

Let me clarify the situation a little more. I am pulling a file down from one vendor's FTP server and putting it on another vendors FTP server. The computer I am operating is on network that should be very secure as I work for a large association with tons of IT people. The content of the document I am moving does not contain any personal information and is unusable to anyone other than me and the receiving vendor. Basically, someone I work with is being a nit about the unsecured FTP (he is a not about many things) and saying this file should be sent FTPS. Assuming our IT department does their due diligence to secure our network, does this unsecured FTP pose any risk?

Cubswin · #5 08-29-2007, 11:38 PM

I am pulling the file down FTP with SSH and uploading it with FTP.

nuclear500 · #6 08-29-2007, 11:48 PM

Technically yes. Realistically? Not so much.

If you aren't under the requirements of HIPPA or SOX then you wouldn't need to worry about it. They are more worried that the FTP transaction is plain text, so it can be captured on the wire at any point between vendor A and vendor B.

Cubswin · #7 08-29-2007, 11:55 PM

So in layman's terms, the only compromise is to the content of the data and not to the network? Sorry if this seems very basic... this is all new to me. Thanks again for the help!

nuclear500 · #8 08-30-2007, 12:03 AM

Correct, the network is not in any kind of 'danger' You are opening an outgoing socket, not opening an incoming socket to the Internet.

It would take some really crazy [censored] to reverse an outgoing socket into accepting incoming.

kerowo · #9 08-30-2007, 08:00 AM

Tell the nit to write a business justification for requiring your customer to do a project to upgrade their FTP servers. Then ask him to document any known cases where the client of an FTP server was hacked into while uploading to the server. Then tell him his kung fu is weak sauce and steal his red stapler.