boco wrote: Kiosk mode 1 of Filezilla does exactly that. The only problem for me is that storing passwords is set as default. You could also use Site Manager with logon type 'Interactive'.
mmenzer wrote: No, it does not, as long as the worm uses your user's context.
Using kiosk mode does not solve the problem - I was talking about STORING passwords. There were numerous requests for implementing some encryption over the stored password (this applies both to proxy and FTP passwords), all of which are dismissed with the argument that "it is the operating system's responsibility". This is not true - the OS can (and will) protect the Filezilla settings file against another user, but it can hardly protect it against other SW executed under the same user. Which is exactly the case of malicious software.
When an application stores passwords, it should take all steps possible to prevent the passwords from getting away.
If it does not, it should at least provide a dialog where the passwords can be entered when needed by the application.
Filezilla FTP proxy stores Windows password in plain text
Moderator: Project members
Profile: Jana Vasseru (500 Command not understood; Posts: 4; Joined: 2009-05-06 12:20)
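As an added example (not code from this thread or from the FileZilla project), a small audit script that parses a constructed sitemanager.xml and reports which sites still have a password written to disk rather than using the 'Interactive' logon type mentioned above. The element names (Server, Host, User, Pass, Logontype, Name) and the logon type values are assumptions made for the example, and the report only states that a password is present, never its value.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of FileZilla's sitemanager.xml. Element
# names and logon type values are assumptions for this example, not taken
# from a real installation.
SAMPLE_SITEMANAGER = """<FileZilla3>
  <Servers>
    <Server>
      <Host>ftp.example.com</Host>
      <User>alice</User>
      <Pass>hunter2</Pass>
      <Logontype>1</Logontype>
      <Name>Public site (password stored)</Name>
    </Server>
    <Server>
      <Host>ftp.internal.example</Host>
      <User>bob</User>
      <Logontype>3</Logontype>
      <Name>Internal site (interactive logon)</Name>
    </Server>
  </Servers>
</FileZilla3>
"""

LOGONTYPE_NORMAL = "1"       # assumed: password saved in the file
LOGONTYPE_INTERACTIVE = "3"  # assumed: password asked for when connecting


def audit_sitemanager(xml_text):
    """Return one finding per site that has a password written to disk."""
    # The password value itself is never copied into the report: an audit
    # should say that a plaintext secret is present, not move it elsewhere.
    root = ET.fromstring(xml_text)
    findings = []
    for server in root.iter("Server"):
        password = server.findtext("Pass")
        if not password:
            continue  # nothing stored for this site
        findings.append({
            "site": server.findtext("Name", default="<unnamed>"),
            "host": server.findtext("Host", default=""),
            "user": server.findtext("User", default=""),
            "password_length": len(password),
            "logontype_normal": server.findtext("Logontype") == LOGONTYPE_NORMAL,
        })
    return findings


if __name__ == "__main__":
    for f in audit_sitemanager(SAMPLE_SITEMANAGER):
        print(f"{f['site']}: {f['user']}@{f['host']} stores a {f['password_length']}-char "
              f"plaintext password; switch it to logon type {LOGONTYPE_INTERACTIVE} (Interactive)")
```

To audit a real installation, pass the contents of %APPDATA%\FileZilla\sitemanager.xml to audit_sitemanager instead of the constructed sample.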
Re: Filezilla FTP proxy stores Windows password in plain text
Quote: Which is exactly the case of malicious software.
And that same malicious software can just sit and wait till you enter your password manually if you get prompted. So nothing gained.
Profile: Jana Vasseru (500 Command not understood; Posts: 4; Joined: 2009-05-06 12:20)
Re: Filezilla FTP proxy stores Windows password in plain text
botg wrote: And that same malicious software can just sit and wait till you enter your password manually if you get prompted. So nothing gained.
If someone were to write malicious SW to steal FTP passwords, I'm sure he would consider these:
- it is more difficult to write a keylogger than something which reads a text file
- to log a password the SW would need to sit on a machine for hours/days to receive them, reading the Filezilla config file leads to fast and easy access to all passwords
- a keylogger produces a huge amount of useless data, reading the FZ config file gives only the wanted data
- a keylogger is detectable using AV heuristics (thanks to suspicious OS calls), reading the FZ config is in no way suspicious, thus such malicious software can only be detected with up-to-date AV definition rules
- by reading the FZ config file dozens of FTP passwords can be received at once, compared to a keylogger which might never catch some (those stored before the keylogger was installed)
I see quite a lot of difference here.
Re: Filezilla FTP proxy stores Windows password in plain text
jana.vasseru wrote: - it is more difficult to write a keylogger than something which reads a text file
Actually no, keyloggers already exist, very simple code. To read a file you need to know its path in advance. Keylogger = generic, reading files = specific to the known files.
jana.vasseru wrote: - to log a password the SW would need to sit on a machine for hours/days to receive them, reading the Filezilla config file leads to fast and easy access to all passwords
Malware does not need to get fed. If it gets past your good network administrator it's already hand-crafted towards your network so it'll stay for a lot longer as snake oil scanners won't be able to find it.
jana.vasseru wrote: - a keylogger produces a huge amount of useless data, reading the FZ config file gives only the wanted data
Assuming you can type 10 letters every second and do that for 24 hours, uncompressed that's just 864KB, compressed it is a tiny fraction of that. And nobody can type that fast. And if it is generic malware, 800KB is far less than transferring every single file on your system. Useless or not is not of your concern, it can be evaluated after the act.
jana.vasseru wrote: - a keylogger is detectable using AV heuristics (thanks to suspicious OS calls), reading the FZ config is in no way suspicious, thus such malicious software can only be detected with up-to-date AV definition rules
Only the cheap ones. Hand-crafted malware disables your scanners. And for malware that is detected by virus scanners, you do not need scanners for, a network administrator can simply configure things so that your systems are not vulnerable to that malware in the first place.
jana.vasseru wrote: - by reading the FZ config file dozens of FTP passwords can be received at once, compared to a keylogger which might never catch some (those stored before the keylogger was installed)
I agree with you on that.
Profile: Christoph Messer (500 Command not understood; Posts: 2; Joined: 2009-05-20 08:06)
Re: Filezilla FTP proxy stores Windows password in plain text
Hi, I'm new to this forum, but I have followed this topic with great interest as a guest during the last few weeks.
But now I have to ask what the timetable is for implementing the feature "ask for proxy password when needed".
The background for that question is that I'm working in a company with 30000+ Internet users
and we are looking for a new FTP client for accessing internal FTP servers directly as well as external servers over a proxy.
Filezilla fits our needs very well, but storing the proxy password in clear text is a real K.O. criterion.
As in other companies, OS file encryption is prohibited and is no solution for us.
Greetings
Re: Filezilla FTP proxy stores Windows password in plain text
Quote: As in other companies, OS file encryption is prohibited and is no solution for us.
Why that? It would solve most of your problems.
Profile: Christoph Messer (500 Command not understood; Posts: 2; Joined: 2009-05-20 08:06)
Re: Filezilla FTP proxy stores Windows password in plain text
Because the data on business PCs always belongs to the company and not to the user.
This makes sense if you imagine what happens if the user is not available because of an accident,
but the data he encrypted is business critical. So encryption without storing a master key
is prohibited. The password is different. Not knowing it doesn't prevent an admin from reading the data.
But knowing it will allow someone to log on as someone else and do bad stuff under this identity.
That's it.
Regards
Profile: Jana Vasseru (500 Command not understood; Posts: 4; Joined: 2009-05-06 12:20)
Re: Filezilla FTP proxy stores Windows password in plain text
jana.vasseru wrote: - it is more difficult to write a keylogger than something which reads a text file
botg wrote: Actually no, keyloggers already exist, very simple code. To read a file you need to know its path in advance. Keylogger = generic, reading files = specific to the known files.
... snip ...
botg wrote: Only the cheap ones. Hand-crafted malware disables your scanners. And for malware that is detected by virus scanners, you do not need scanners for, a network administrator can simply configure things so that your systems are not vulnerable to that malware in the first place.
You are trying to prove that every security can be broken. Right. I know that.
I'm trying to say that storing plaintext passwords in a config file is like having a house with no doors to the back garden.
You tell me that I should use FS encryption - which I agree is a fine solution concerning the house front door. However it does not help at all to secure the back garden door.
Again - there is no such thing as unbreakable security, security is about creating obstacles to the intruder.
Regards,
Jana
Profile: (504 Command not implemented; Posts: 7; Joined: 2007-10-06 22:19)
Re: Filezilla FTP proxy stores Windows password in plain text
I love filezilla and filezilla server
use them both
There has been a recent significant uptick in web servers being exploited and javascript or iframes being inserted in every html file on the server. The culprit is believed to be malware that harvests FTP passwords and sends them to hackers that then run further scripts to infect servers. Filezilla may be a source of the passwords.
The discussion here is great but I'm not interested in Fort Knox security - you don't need Fort Knox to avoid being a target - just like the security on your house or your car - it doesn't have to be impenetrable - it simply has to be better than your neighbor. Yes, if you lock the door they can break the window BUT in many cases - most cases - they DON'T, they simply keep walking the parking lot looking for an open door.
In this case the bad guys are not going to spend a great deal of time banging on any particular file, client machine or server - they want the EASY scores. The open text passwords are EASY scores. http://blog.trendmicro.com/stolen-ftp-c ... ar-attack/
In this case some security of ANY kind would slow down the exploits that are occurring. Would it be 100%? No, but it would help. As was discussed, a key logger only gets the passwords I used between the time I was infected and the machine was detected and cleaned, not EVERY password ever entered.
The vast majority of computers are PCs. The VAST majority of them are Home editions. They can't do EFS.
being a dick to being helpful all in one post... and back ag
jana.vasseru wrote: Again - there is no such thing as unbreakable security, security is about creating obstacles to the intruder.
Even if he did put an "obstacle" in, it wouldn't be hard to find out how to reverse it.. he said it probably 1,000+ times already, FileZilla is open source.
The only way you will get any effective/semi-effective security is if you implement it yourself... because then you will have a unique way of protection...
If you respond, "Well, I don't know how to do any programming.." Answer: shit, even if you half-ass know DOS commands (look them up for a refresher course) simply write a batch file (.bat) to copy any files which can/do contain passwords in them to a random folder (or just take them all), then delete the original files from the filezilla folder.. to hell with it.
Here is exactly what I am talking about:
Code from 'blah.bat' I made..
Code:
rem Put the stashed FileZilla config files back into place before starting.
rem If the stash folder is missing, stop instead of deleting files from whatever the current directory is.
cd /d "%ProgramFiles%\Yellow Stars" || exit /b 1
xcopy *.* "%APPDATA%\FileZilla\" /Y
del *.* /Q
rem FileZilla runs here; the batch file waits until it is closed.
"%ProgramFiles%\FileZilla FTP Client\filezilla.exe"
rem Stash the config files away again and remove the originals.
cd /d "%APPDATA%\FileZilla" || exit /b 1
xcopy *.* "C:\Program Files\Yellow Stars\" /Y
del *.* /Q
1. Open notepad
2. Copy and paste all the code into notepad
3. File->Save As make_a_random_name.bat (SAVE IT IN A RANDOM LOCATION AND MAKE IT A RANDOM NAME WRITE BOTH DOWN OR REMEMBER THEM YOU WILL NEED THEM)
4. Change the line 'cd %ProgramFiles%\Yellow Stars' to a random directory of your choice (preferably an empty/new dir somewhere)
5. Change the line 'xcopy *.* "C:\Program Files\Yellow Stars\"' to the same directory as in step 4.
6. Right Click FileZilla icon on desktop -> properties
7. Change the 'target' to point at the batch file you created earlier (that's why I told you to remember it or write it down)
8. Change 'start in' to point at the folder that contains the batch file
9. Double Click FileZilla icon (or right click open)
Here is why/how this works:
- You are the one randomly hiding the files it is not a 'standard code' in an open source program
- Every time FileZilla is opened and closed the needed files are moved (ONLY IF YOU USE THE ICON YOU EDITED)
- E.T. PHONE HOME!
Additional Technique: The 'RENAME' command can also be used to add in more randomization/hiding.
Of course... there are downfalls to the above mentioned.. no Im not going to say them.
You want more protection? Create your own cipher functions and implement them... then the malware makers won't have easy access to your passwords because they won't have a fucking clue how to decipher them.
Re: Filezilla FTP proxy stores Windows password in plain text
Some recent malware inspects FTP traffic, it doesn't read config files.
Profile: c scalia (500 Command not understood; Posts: 1; Joined: 2009-07-14 16:16)
Re: Filezilla FTP proxy stores Windows password in plain text
So the bottom line is the password is going to stay clear text? I think this is what everyone wants to know. Then we can move on. Thanks.
Re: Filezilla FTP proxy stores Windows password in plain text
We recently had a security issue, passwords were easily retrieved from these clear text files with a virus and used to inject code on websites...I'm sure we are not alone. We have several layers of protection... but the pc was still infected. It happens... everywhere. We had to scan the pc with 6 different popular virus scanning products before the virus was found.
All this discussion/debate in the forum shouldn't be necessary; once someone pointed out the issue of cleartext passwords, it should have been taken seriously and corrected... defending this as "as designed" or "you've got bigger problems if someone got your passwords" is really disturbing for so many reasons.
I, too, want to know if/what Filezilla plans to do.
Profile: (504 Command not implemented; Posts: 7; Joined: 2007-10-06 22:19)
Re: Filezilla FTP proxy stores Windows password in plain text
The issue really isn't what the people here can or will do to secure or not store their passwords - this group is likely more technical than the average Joe and less likely to be exploited.
The issue is the popularity of Filezilla and the number of my customers on my server that are running it. Yes, I can turn on SFTP - but that doesn't help if the passwords are being stolen from the xml file. I can't force them all to run a Pro version of Windows and encrypt the appdata/filezilla folder. I can ask them to use another product though.
People bitch about the security of Windows but for years it's been better IF the updates are applied on time. Eventually Microsoft built in auto updates and then later turned auto updates on by default. None of which would have been needed if the users kept things secure on their own. The reality is that they don't, so MS made it MUCH easier by automating it.
Not a great analogy but .....
Profile: John Ratliff (226 Transfer OK; Posts: 392; Joined: 2008-12-30 10:30; Location: In a small white padded room.)
Re: Filezilla FTP proxy stores Windows password in plain text
I don't know why this thread is constantly revived. botg has made his position quite clear.
BTW: Anyone seen this? I thought it was interesting. http://it.slashdot.org/story/09/07/13/142210/RIP-FTP
http://jdrrant.blogspot.com/ - CODEpendent Blog