IT Blogwatch

A Daily Digest of IT Blogs from Richi Jennings

Pssst! Want some hot FTP logins? (and not just a good idea)

GET IT Blogwatch: in which Russian bad guys might be selling the password to your FTP server. Not to mention a USB typing speedometer...

USER Jaikumar Vijayan broke the story:

A fresh discovery by security vendor Finjan Inc. provides yet another example of how easy it is becoming for almost anyone to find the tools needed to break into, infect or steal data from corporate Web sites ... It has uncovered an illegal database containing more than 8,700 stolen File Transfer Protocol server credentials including usernames, passwords and server addresses ... A trading interface on the server hosting the illegal database allows purchasers to buy FTP server credentials ... The database is being hosted on a server in Hong Kong, though all of its contents are in Russian.

APPE Joel Hruska adds:

The business of writing, buying, and selling malware has become increasingly commercial over the past few years, but [this] sheds light on just how mainstream the crimeware business has gone ... The concept of Software-as-a-Service (SaaS) is nothing new, but this is the first time anyone has organized the purchase of FTP login credentials, with additional tools available to help a buyer confirm he's making a smart purchase ... Potential buyers were able to log into the malicious server hosting the data-gathering service and evaluate any given web site's size and Google Page Rank to decide whether or not the site's FTP information was worth purchasing or not.

PASS Richard Stiennon advises: [That's enough FTP jokes -Ed.]

According to ComputerWorld coverage Finjan is publicizing a source in Hong Kong they have discovered that offers to sell access to hacked ftp servers. The idea is that a malware purveyor or phisher would want ftp access with admin credentials so they can quickly and easily upload their wares to the web sites served by the ftp service ... There have been sites in the past that allowed you to execute a “ping of death” against any site, or a ping storm or whatever, just type in the IP or URL and watch what happens. So nothing new there. The “new” is the financial model. Selling access piecemeal. Kind of Hacking 2.0. The simple warning to administrators: Use ftp over secure shell (SSH) to update your servers.

Jonathan Gatrell has another idea:

Secure File Transfer, often referred to as Managed File Transfer (MFT), is deploying encryption at the session level to ensure usernames and passwords are visible in “clear-text” over the internet. Many scripts and basic FTP clients may not support certificate based encryption and without a VPN these credentials could be at risk for whoever would like to “sniff” packets. Other MFT options would be one of the ASx variants (AS1=SMTP, AS2 = HTTPS, AS3 = FTP over SSL), these capabilities are essentially not just session level encryption, but also payload encryption with non-repudiation capabilities.

The very wonderful Kelly Jackson Higgins has this angle:

One interesting twist to this operation: The bad guys behind the scam inadvertently tipped their hand to Finjan while trying to make their code undetectable. Finjan researchers about a month ago noticed someone submitting the same URL over and over to its URL analysis page that checks for malicious code.

Ed Dickson thinks of the consequences:

Is the Corporate World under attack by hackers? ... Government domains have been allegedly compromised, also ... this continues the scary trend of crimeware for sale, which enables not very technical criminals to commit fairly technical crimes at will ... Besides the fact that (in theory at least) sensitive information can be stolen from some of these sites, a visitor can be compromised when visiting a “trusted site.” ... compromised sites, once publicized might face ... a loss of trust in their brand, and as seen recently, potential litigation.

QUIT And finally...


Richi Jennings is an independent analyst/adviser/consultant, specializing in blogging, email, and spam. A 20 year, cross-functional IT veteran, he is also an analyst at Ferris Research. You too can pretend to be Richi's friend on Facebook, or just use boring old email: blogwatch@richi.co.uk.
