Is My Managed File Transfer Software Secure?

In a recent LinkedIn thread, Steve Thompson of Humana suggested that managed file transfer (MFT) vendors whose applications were cracked and used in a cyber attack would need to have “serious talks with their insurance carrier(s).”  Unfortunately, it may be easier to hack a managed file transfer application than you might think. Let’s pick on […]

Could Managed File Transfer Have Prevented the Target Credit Card Breach?

December’s Target credit card breach attracted my attention because it used FTP to send files from an “exfiltration” server at Target to criminals. Could managed file transfer (MFT) have prevented the attackers from sending (via “exfiltration”) Target’s sensitive data? The Target Hack Depended on File Transfer The Target attack was complex and required both skill […]

Managing SFTP Keys for Automated Access

Is the New IETF Draft a Best Practice or Shameless Plug? When does an IETF draft read like a vendor’s white paper? When it’s the new “Managing SSH Keys for Automated Access” document by SSH Communications’ Tatu Ylonen. The Case for “Shameless Plug” SSH Communications’ venerable Tectia SSH solution is mentioned by name 6 times […]

Secure Coding: How to Avoid Accellion’s Password Reset Vulnerability

In a previous article I looked at a bug in Accellion’s code that allowed users to hijack other users’ accounts by resetting each other’s passwords. (The bug was found and fixed in March 2012.) This article digs into the design flaw that led to the bug and how you can avoid the same error […]

Low and Slow Brute Force FTP Scanner

LowAndSlow is a free utility that attempts “low and slow” brute force sign-ons against a selected FTP server, FTPS server, or SFTP server. LowAndSlow works off a list of usernames and a list of passwords, and waits a configurable number of seconds between each attempt.  If the delay is set to 0 or 1, LowAndSlow […]

What does the SSL/TLS BEAST exploit mean for my web-based file transfer application?

Researchers have discovered a serious vulnerability in TLS v1.0 and SSL v3.0 that allows attackers to silently decrypt data that’s passing between a webserver and an end-user browser. This vulnerability can be exploited using a new cookie-based technique called “BEAST” (“Browser Exploit Against SSL/TLS”) that takes advantage of block-oriented cipher implementations such as AES and […]

Dealing with your annual Sterling Commerce renewal

So, it’s September* and you’re dealing with yet another six-figure Sterling Commerce maintenance renewal. This is the time of year many of you will call, hoping to swap out your Connect:Direct (C:D) or Gentran Integration Suite (GIS) systems as fast as humanly possible. First, the good news: management loves projects with high ROIs, and replacing […]

How do Managed File Transfer and eDiscovery relate?

With eDiscovery costs of $30,000 or more per trial, smart companies are now taking a closer look at the files that pass through their managed file transfer systems. As the name implies, “managed” file transfer adds a layer of monitoring and non-repudiation that “unmanaged” file transfers using email, plain old FTP or web-based file send […]

Where does managed file transfer automation help the most?

Ipswitch’s MOVEit Central, Linoma Software’s GoAnywhere Director and Flux all provide strong and unique approaches to managed file transfer automation, but we often field a question of a different kind: “OK, I’m convinced that you have the technology to cover my needs, but what should I tackle first?” For once we turn to outside assistance […]

How does WS_FTP Server store passwords?

Like many server applications, Ipswitch WS_FTP Server doesn’t store actual passwords or even encrypted passwords.  Instead, it stores cryptographic hashes that represent the original passwords. To figure out which cryptographic hash a particular server uses, an easy way is to take the original password, say “a1sd2d3”, and use an online hash calculator to figure out […]