Computerworld

FBI warns of attacks on anonymous FTP servers

Breaches of servers in medical offices can yield personal and medical records for criminal use

The FBI warns that attackers are targeting vulnerable FTP servers used by small medical and dental offices as a way to obtain medical records and other sensitive personal information.

While the dangers of placing sensitive data on these servers is well known, smaller businesses may not have the expertise or motivation to upgrade.

The attackers can use the stolen data to harass, intimidate and blackmail these businesses, the FBI says, and may also include using the stolen information to commit fraud.

The attackers could also write to the servers in order to store malware and launch attacks, the FBI says.

The remedy is to remove any personally identifiable information or protected health information from these servers and replace FTP with something more secure.

Anonymous FTP is called that because it requires no authentication in order to access files on the server. It’s recommended that these servers host only public files. “The anonymous extension of FTP allows a user to authenticate to the FTP server with a common username such as “anonymous” or “ftp” without submitting a password or by submitting a generic password or e-mail address,” the FBI says.

HIPAA protects PHI and subjects violators to fines. PII is also protected under privacy laws and regulations, and violations can result in fines as well.

The cost of a data breach that compromises PII and PHI would likely be much more than the cost of replacing it with something more secure, such as SFTP or FTPS, says Peter Merkulov, vice president of technology and alliances for Globalscape, which offers file transfer services and support.

“It’s a really old protocol,” he says. “Even using it in not-anonymous mode is dangerous.” He says it’s not seen that much anymore, but when he runs across it it is usually an implementation deployed years ago and has never been upgraded. In larger organizations old deployments may still be in place but forgotten and never taken down.

Despite this, the FBI cites 2015 research that says 1 million FTP servers were configured to allow anonymous access. Merkulov speculates the FBI warning stems from discovery of FTP exploitation in a case it is working on.

Getting rid of anonymous FTP is pretty straightforward, he says, requiring just minutes of setting changes on the server. Depending on the types of client software used to access the servers, the process could be more complicated, requiring set-up of credentials and accounts.