FTP Versus SFTP

I just finished doing a major cleanup of several web sites I own and manage.  An intruder released what is known as a ‘black hole exploit kit’ into my account.  The kit proceeded to modify all the web pages with a little piece of code intended to wreak havoc on the computers of people surfing my web sites.  I was warned by a few users with good anti-virus programs in place, but the questions remained . . ‘How did this happen and how can I prevent it from happening in the future?’

I called my hosting provider and had the good fortune of speaking with a support technician named Nathan.  Nathan confirmed that I had been hacked and helped me with the file cleanup required.  He asked what programs I used to upload files to my web sites.  I listed for him the ones I had used before and he said those were all fine as long as I used SFTP as opposed to FTP.  FTP stands for File Transfer Protocol while SFTP stands for Secured File Transfer Protocol.  Immediately, I knew what the problem was.  I was positive that I was using FTP to transfer files.  Nathan explained that the user ID and password used to initiate an FTP session were not encrypted and could be stripped by network sniffers. Nathan helped me setup SFTP logins for my hosting account.  He assured me that if I used SFTP to upload files, the user ID and password would be encrypted during transfer.

Nathan had saved the day, but I still felt naïve about the whole process.  I had assumed that creating a user ID and password to protect my file transfers would be enough.  Nathan explained that there was a way to secure an FTP login, but that most people were not aware of it.  I asked why the hosting company still offered FTP if it was so unsafe and he said there were some users who still needed this simple method of file transfer.  Nathan was giving me the company line.  I felt the hosting company should have been more proactive in getting this message across.  Unfortunately, many other hosting companies still provide an unprotected FTP login for their users.  It seems like everyone is sticking their head in the sand on this one.  I also have to point the finger at myself.  Since the incident, I am finding more and more articles warning of this exact same problem and how it can be easily fixed.

Here is an instance where I protected myself with a user ID and password, but I wasn’t really protected at all.  I have now become a bit paranoid.  I still like my hosting company and want to give Nathan kudos for his customer service skills.  However, in the future, I will trust but verify any services provided by vendors I work with.

Bring Your Own Device

In this age of smartphones and tablets, mobile computing is becoming more and more prevalent.  If I can do both my personal and work related activities from one device, I can be more productive.  Many  companies recognize this as an advantage for them and encourage their employees to ‘Bring Your Own Device’ or BYOD.  You, the owner of the device, can work the way that is most convenient for you.  Everything you need is on one computing device and you can respond quickly to messages whether they are of a personal or business nature.  Your employer saves money by not having to buy a computer for you and by not having to acquire as much software for the company in general.  Most of the software needed by the average employee is already on the newer smartphones and tablets.  This appears to be a win-win situation.

Upon further review, there is a big problem with this approach and most companies haven’t even scratched the surface regarding an acceptable solution.  When you buy a device for your personal use, you will likely employ a password to protect your personal data from the prying eyes of others.  Most of us are more concerned that our device will be stolen rather than worry about the data that is on it.  Businesses, on the other hand, have legal and fiduciary responsibilities to protect the sensitive company data that is on computing devices.  They need to encrypt the data and in some cases, they need a method to wipe the data if they feel it has fallen into the wrong hands.  If they know the data is protected, they will make little or no effort to recover the computing device and will write it off as a business expense.  It seems to me that individuals and companies have divergent goals regarding the use of one single smartphone.

You may surmise that this issue can be easily taken care of by compartmentalizing personal data and business data.  If my employer wants to encrypt and wipe data belonging to the company, that is fine by me.  Just don’t touch any of my personal information!  In theory, this solution works.  In practice, the operating systems for the popular smartphones and tablets are not built to support such compartmentalization.  For example, I cannot currently install two copies of Evernote on my tablet and expect to use one for business and one for personal use.   Even if I could, there are no tools available to help my employer target only specific data sets for encryption and wipe.

If my employer insists on putting a solution on MY tablet that could result in the loss of MY personal information, I am less inclined to use it in the work environment.  That is a lose-lose situation.  Hence, many large companies are pressuring the smartphone and tablet makers to provide a better solution.  Initial attempts miss the mark.  One vendor segments the drive on your tablet into two areas, one for business and one for personal use.  You can toggle back and forth between the areas depending upon your need.  However, since you still cannot install more than one copy of an application on the device, you must use hybrid applications in the business area.  These applications are feature scarce and require a learning curve for most employees.  Another solution makes use of a virtual machine (VM) on the device.  This shows some promise, but is not easy for the end user to understand and use.  In all likelihood, a VM solution will eventually win out, but it will require that Android and iOS device makers make some concessions in the BYOD arena.

BYOD is here to stay.  Security is the chief issue with this concept and until it is properly addressed, there will be a business loophole.  Device makers must make an effort to understand the new culture they have created and make the necessary adjustments to let people and businesses work the way they want to.

Multi-Factor Authentication Alternatives

I’ve posted a few articles in this blog about the need for passwords, the problems with passwords, and the alternatives to passwords.  In the end, it looks like passwords are here to stay.  What can be done to make them stronger and more effective in protecting the end user?  One method that has been in place for years now is multi-factor authentication.  From our friends at Wikipedia:

Multi-factor authentication is as an approach to security authentication, which requires that the user of a system provide more than one form of verification in order to prove their identity and allow access to the system.  Multi-factor authentication takes advantage of a combination of several factors of authentication.  Three major factors include verification by something a user knows (such as a password), something the user has (such as a smart card or a security token), and something the user is (such as the use of biometrics). Due to their increased complexity, authentication systems using a multi-factor configuration are harder to compromise than ones using a single factor.”

Logically, multi-factor authentication is more secure since any potential thief will have to acquire two or more items instead of just your password.  Most of you have probably been exposed to various methods of multi-factor authentication in the past, but here are some examples I have run across:

  • One of my banks requires my user ID and password combination, but they also want me to verify that the picture they show me on the web site is one that I selected during my account setup.
  • I used to work at a large hi-tech company in the Silicon Valley as part of their Treasury department.  One of the banks we dealt with provided us with a smart card that generated a new four-digit number code every five minutes.  The number code served as our password into the bank’s system, but the code was dependent upon the time at which we attempted to login.
  • In my travels, I have run across companies who use fingerprint authentication to grant access to systems.  Small hardware devices plugged into your computer are taught to recognize your thumb print and use that as the method by which you login. When fingerprint authentication fails, a traditional password is the backup plan.
  • With tablet use becoming more prevalent, the use of fingers on the screen is in wider use.  Windows 8 allows for a ‘swipe’ method of authentication.  You choose a picture and a series of finger swipes from points on the picture to create your authentication. When the swipe pattern is forgotten by the user, a traditional password is the backup plan.
  • Physical device authentication has seen a surge in popularity lately.  I may set up my account on one computer, but several weeks later, I try to access my account from another computer.  Companies with a higher standard of security will recognize that this is a computer you do not normally use.  They make take the authentication beyond a simple user ID and password and ask some of the security questions you set up when you created your account.
  • Another security method gaining acceptance is to require the end user to respond to an email before gaining entry to the web site.  In the past, this was usually reserved for resetting passwords, but recently, some businesses are requiring that you respond to the email each time.  Their thought process is that it is unlikely the thief has compromised both your web site password and your email account.

Of course, there are more multi-factor authentication methods out there, but this should give you a good flavor.  Are they overkill?  My answer would be ‘yes’ and ‘no’.  A simple user ID and password is probably sufficient for buying a book from Barnes and Noble as long as I haven’t stored my credit card information online.  However, a multi-factor solution is better for banks and web sites containing my personal information.  Health care facilities and government entities should require multi-factor authentication.