Friday, March 31, 2017

Cyber-Criminals targeting Anonymous FTP Servers

Last week the FBI issued a warning that cyber-criminals are actively targeting FTP servers used by medical and dental organizations. Their goal is to steal publicly-identifiable information. The purpose, according to the FBI site, is to ‘intimidate, harass, and blackmail business owners.’

So what is FTP?  It is one of the original protocols of ARPAnet and the early Internet. Its purpose was file transfer. It was developed to allow researchers to transfer data from local, insecure (likely University) computers to secure military computers for computation.  FTP would likely also be used to return results to the local computer for final formatting and publication. This was in the 1970’s and 80’s.

Seriously, there is little reason to run an FTP server today. The Word Wide Web can often serve files better.  In the few cases where it is necessary, administrators should ensure that ‘anonymous’ access is not enabled. FTP comes standard with any version of Linux/Unix – but in the vast majority of uses it is not needed.  Admins of networks and systems for health-care providers are advised to check their networks to ensure that anonymous FTP is not enabled.

The typical home user is not likely to use FTP for file sharing when there are better alternatives.  There are, however, home FTP servers – I have used them.  I find BOX, or some cloud-based variant, to be more convenient and safer. If you wanted to, for example, share documents or pictures with family members. Don't forget to encrypt important files just in case.

Still, users may want to ask their doctor or dentist if they have heard about this. Never hurts to ask, and it is their diligence, or lack of it, that we need to worry about.

No comments:

Post a Comment