Managed File Transfer and Heartbleed (Also FTP Servers)

The Heartbleed vulnerability in OpenSSL affects many managed file transfer, secure file transfer, FTP server and FTP client technologies.  File Transfer Consulting has compiled a list of vendor and project statements about Heartbleed remediation here. (Long story short, the “Heartbleed” vulnerability allows people to request chunks of memory from target servers.  This memory often contains […]

Is My Managed File Transfer Software Secure?

In a recent LinkedIn thread, Steve Thompson of Humana suggested that managed file transfer (MFT) vendors whose applications were cracked and used in a cyber attack would need to have “serious talks with their insurance carrier(s).”  Unfortunately, it may be easier to hack a managed file transfer application than you might think. Let’s pick on […]

Managing SFTP Keys for Automated Access

Is the New IETF Draft a Best Practice or Shameless Plug? When does an IETF draft read like a vendor’s white paper? When it’s the new “Managing SSH Keys for Automated Access” document by SSH Communications’ Tatu Ylonen. The Case for “Shameless Plug”: SSH Communications’ venerable Tectia SSH solution is mentioned by name 6 times […]

Syslog Test Message Utility

The Syslog Test Message Utility will send UDP-based syslog messages to any Syslog server you choose. It is free software and runs on any Windows operating system that supports .NET 4.0. After specifying the Syslog server hostname and UDP port (port 514 is the default Syslog port), you specify the level (e.g., “Information (6)”), facility […]

Secure Coding: How to Avoid Accellion’s Password Reset Vulnerability

In a previous article I looked at a bug in Accellion’s code that allowed users to hijack other users’ accounts by resetting their passwords. (The bug was found and fixed in March 2012.) This article digs into the design flaw that led to the bug and how you can avoid the same error […]

Low and Slow Brute Force FTP Scanner

LowAndSlow is a free utility that attempts “low and slow” brute force sign-ons against a selected FTP server, FTPS server, or SFTP server. LowAndSlow works off a list of usernames and a list of passwords, and waits a configurable number of seconds between each attempt.  If the delay is set to 0 or 1, LowAndSlow […]

How to Detect and Prevent “Low and Slow” Brute Force Attacks

Low and slow brute force attacks against FTP servers, SSH servers and WebDAV servers are already happening, so it’s important to learn how to detect and mitigate this increasing threat. “Rapid Fire” vs. “Low and Slow” We’ve all seen script kiddies fire up an SSH session and try 500 root passwords against a server in […]