Missing password feature now poses a serious security threat

antwerp
500 Command not understood
Posts: 5
Joined: 2013-12-03 23:23

Missing password feature now poses a serious security threat

#1 Post by antwerp » 2013-12-03 23:49

A recent security analysis from Kaspersky Lab names FileZilla as one of the vehicles used to propagate the latest Neverquest banking Trojan predicted to become one of the most widely distributed Trojans in the coming months. This could have been prevented with the master password feature.

http://www.securelist.com/en/analysis/2 ... new_threat

I've enjoyed using FileZilla as a preferred FTP client for maintaining web sites over the years.

One of its best features is storing passwords to make efficient use of my time but now storing unprotected passwords poses a serious threat to the security of the Internet as cyber criminals launch new offensives that exploit this feature weakness in FTP clients in order to spread new powerful Trojans via web sites.

I think it's now URGENT to add a master password feature in order to protect not only our own computers but the millions of people who visit the websites we maintain via tools like FileZilla. FileZilla users should also be encouraged to use the new master password feature.

This feature has been requested in the past:

Feature Requests:
* http://trac.filezilla-project.org/ticket/2935
* http://trac.filezilla-project.org/ticket/5251

Implementation Patch offered:
* http://trac.filezilla-project.org/ticket/8173

antwerp
500 Command not understood
Posts: 5
Joined: 2013-12-03 23:23

Re: Missing password feature now poses a serious security th

#2 Post by antwerp » 2013-12-04 00:12

What else can we do?

I don't have the time this week to visit the forums of all the other FTP app developers ... but maybe you do. I think they all require a "feature request" or some form of "nudge" to ask them to secure their password database in some way.

Here's the list ...
  • Far, Far2
  • CuteFTP
  • Ipswitch
  • FlashFXP
  • BulletProof FTP
  • SmartFTP
  • TurboFTP
  • FTP Explorer
  • Frigate3
  • SecureFX
  • FTPRush
  • BitKinex
  • NetDrive
  • LeechFTP
  • FTPGetter
  • ALFTP
  • GlobalDownloader
  • Notepad++
  • FTPInfo
  • NovaFTP
  • FTPVoyager
  • WinFTP
  • DeluxeFTP
  • Staff-FTP
  • FreshFTP
  • BlazeFtp
  • GoFTP
  • 3D-FTP
  • EasyFTP
  • FTPNow
  • FTP Now
  • FTPShell
  • NexusFile
  • FastStoneBrowser
  • FTP Navigator
  • FTP Commander
  • FFFTP
  • COREFTP
  • WebSitePublisher
  • ClassicFTP
  • Fling
  • FTPClient
  • WebDrive
  • LinasFTP
  • PuTTY
  • LeapFTP
  • WindowsCommander
  • TotalCommander
  • FileZilla
  • ExpanDrive
  • AceBIT
  • Robo-FTP
  • WinZip
  • Firefox
  • Thunderbird
  • InternetExplorer

botg
Site Admin
Posts: 35504
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Missing password feature now poses a serious security th

#3 Post by botg » 2013-12-04 06:53

You can disable saving of passwords in the settings dialog of FileZilla.

antwerp
500 Command not understood
Posts: 5
Joined: 2013-12-03 23:23

Re: Missing password feature now poses a serious security th

#4 Post by antwerp » 2013-12-06 00:22

Yes you can but that's not the point. The fact remains that most users of FileZilla store passwords because then the tool is efficient to use. If you're updating web sites all day the last thing you need to slow up the day is keying in or copy/pasting login details every time you make an update. That would drive me nuts and I think most FileZilla users would agree. Storing passwords is essential for efficient use of this app. Great feature :) . Even if *I* did what you're suggesting by not storing passwords that does not change the fact that most FileZilla users don't and that's all that's needed for your app to assist cyber crime to flourish.

Without encryption of these stored passwords you're opening a very wide door for cyber criminals to spread serious trojans that can affect millions of Internet users who don't even use FileZilla but were just innocent victims of its poor security. Previous trojans have demonstrated the devastating impact of this "security hole". Just imagine getting your bank balance or share portfolio wiped out in a day. Your life savings obliterated. This event could destroy your retirement, you could get evicted out of your home, it could even break up your family or marriage. These are real people experiencing serious pain on the other end of this. Please read the posted article to understand how this occurs.

Ignoring this serious security issue is simply unethical and irresponsible. I personally think it's on par with Oracle not patching security holes in Java as it has the same effect. Please fix! Internet security depends on your action on this matter. I'm happy to code review the security patch if that would assist you. I've completed some post grad studies in security and cryptography and been employed as an application security consultant at various times.

How Neverquest spreads ...

Image

botg
Site Admin
Posts: 35504
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Missing password feature now poses a serious security th

#5 Post by botg » 2013-12-06 07:26

How is the computer becoming infected in the first place?

Let's assume there's a master password. What happens if your computer is infected? The malware waits until you connect to a server, intercepts your master passwords and then also has access to the passwords "protected" using the master password. The malware needs to be a bit more patient, but the end result is the same, your bank account is empty.

You need to prevent the infection from happening in the first place. (Just say NO to Java, Flash and Acrobat to avoid the vast majority of malware)

antwerp
500 Command not understood
Posts: 5
Joined: 2013-12-03 23:23

Re: Missing password feature now poses a serious security th

#6 Post by antwerp » 2013-12-06 14:11

> How is the computer becoming infected in the first place?

> You need to prevent the infection from happening in the first place.
> (Just say NO to Java, Flash and Acrobat to avoid the vast majority of malware)

Yes absolutely ... but we all know that a percentage won't heed this or may not even understand how/why to disable these.

> Let's assume there's a master password. What happens if your computer is infected?
> The malware waits until you connect to a server, intercepts your master passwords
> and then also has access to the passwords "protected" using the master password.
> The malware needs to be a bit more patient, but the end result is the same, your bank account is empty.

Actually not just *my* bank account - but also all my web site visitors.

However what having encrypted passwords does do is it significantly slows the rapid multiplication factor that having an unsecured FTP password database allows. For a FileZilla user, this delay may be long enough for me to notice other infection symptoms before I use my FTP client app. For example, I may notice that there are new processes running or that my bank account is empty (!) or that my anti-virus system has been disabled or maybe even long enough for the anti-virus product to get upgraded to detect the new threat before I use FileZilla.

In contrast, without the master password, the virus can *immediately and automatically* begin infecting all my web site visitors as well as me and then replicate this infection exponentially very rapidly. The key to this rapid replication is the ease of access to means to immediately spread once a system is compromised.

In theory, once your system is compromised your shields are all down - but in practice each defense although penetrable is worth having as it will stop a percentage of threats. For example, it now means that the virus writer has to prepare a much more complex key logger, FTP password extraction and custom decryption procedure and then repeat this for each FTP client app that uses secured passwords. Because the virus now must also wait for me to use the FTP app, we've significantly slowed the replication process and the probability of compromise ... so I say it's worth doing. We can't save everyone but we can save many and they are worth saving.

With each software developer in the replication cycle doing our bit (browser developers, email and FTP client apps, anti-virus products, computer educators) we protect a significant number of people to make it worthwhile. It's a team effort. In other words; disable Java, Flash and Acrobat in browsers is now just as important as encrypting FTP account passwords. Each plays a part in reducing the threat.

I'd also add that just adding the master password feature is not sufficient. You need to also educate your users.
If you wanted to, there are also alternative ways to enter a password that reduce the risk of key logger attacks.

botg
Site Admin
Posts: 35504
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Missing password feature now poses a serious security th

#7 Post by botg » 2013-12-07 14:19

> With each software developer in the replication cycle doing our bit (browser developers, email and FTP client apps, anti-virus products, computer educators) we protect a significant number of people to make it worthwhile. It's a team effort. In other words; disable Java, Flash and Acrobat in browsers is now just as important as encrypting FTP account passwords. Each plays a part in reducing the threat.

And this is why you're being prompted whether you want to store passwords in the first place, as encrypting passwords doesn't go far enough.

ftpper
504 Command not implemented
Posts: 9
Joined: 2013-11-26 03:41

Re: Missing password feature now poses a serious security th

#8 Post by ftpper » 2013-12-16 23:32

antwerp wrote:If you're updating web sites all day the last thing you need to slow up the day is keying in or copy/pasting login details every time you make an update.
Personally I take the approach of never allowing FileZilla (or any similar software) to save passwords. In other words, I prefer the inconvenience of entering passwords to the security risk of saving them permanently.

However is it really too much of a problem to enter the password once after starting FileZilla? It is not as if you have to enter the password every time an update is made. If you want to move the boundary further in the direction of convenience then use "Hibernation". Then you only enter the password once in whatever period you keep hibernating. The malicious party can fish the password out of the hibernation file (Windows) or swap file (Linux) but that is more complex than reading an XML file.

That said, overall I agree with you. If a product has the capability to save a password then it should save it in a secure way.

ftpper
504 Command not implemented
Posts: 9
Joined: 2013-11-26 03:41

Re: Missing password feature now poses a serious security th

#9 Post by ftpper » 2013-12-16 23:34

botg wrote:How is the computer becoming infected in the first place?
It doesn't have to be "infection" i.e. malware. Theft of device is also an issue.

ftpper
504 Command not implemented
Posts: 9
Joined: 2013-11-26 03:41

Re: Missing password feature now poses a serious security th

#10 Post by ftpper » 2013-12-17 00:01

There's another approach that might work here, with the cooperation of FileZilla.

What if the offending configuration is stored on an encrypted "drive"? Then strong encryption can be largely transparent to FileZilla. This approach has something to recommend it since a) every application avoids reinventing the wheel b) many applications are going to invent insecure wheels anyway (strong encryption is best left to the experts).

Exactly what changes might be needed in FileZilla to enable this behaviour I don't know.

The trick would be to ensure that unencrypted access is not available to the user generally.

botg
Site Admin
Posts: 35504
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Missing password feature now poses a serious security th

#11 Post by botg » 2013-12-17 07:09

> The trick would be to ensure that unencrypted access is not available to the user generally.

The user is not the problem. Malware is. If a normal piece of software has access to the unencrypted data, then malicious software running on the machine has access as well. You need to prevent malware infection in the first place. Against the related problem of unwanted users opening your files, there's full disk encryption.

ftanner
503 Bad sequence of commands
Posts: 20
Joined: 2013-08-07 16:17
First name: Frank
Last name: Tanner

Re: Missing password feature now poses a serious security th

#12 Post by ftanner » 2013-12-17 17:27

Give it up guys....

This has been explained to the author of Filezilla time and time again and he thinks that he is in the right and knows better than everyone else that this is not an issue or anything that he is going to address. People have been requesting this feature for years to no avail. No matter how it is explained to him, he refuses to acknowledge that this is a security failing of his application.

Just like the SourceForge installer mess, he believes that he is just plain smarter than everyone else and has no interest in making his product better or more secure.

All he is interested in doing is pushing the "blame" back on users if there is an issue because he is too lazy to fix it. I say too lazy because I am sure that he has the technical knowledge to fix it. He, however, refuses to.

botg
Site Admin
Posts: 35504
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Missing password feature now poses a serious security th

#13 Post by botg » 2013-12-17 19:11

If you don't like saving passwords in plain, you can disable saving of passwords in the settings dialog of FileZilla.

ftpper
504 Command not implemented
Posts: 9
Joined: 2013-11-26 03:41

Re: Missing password feature now poses a serious security th

#14 Post by ftpper » 2013-12-17 22:13

> botg wrote: The user is not the problem.

Clearly the user is a component of the problem. Assuming that we are even talking about malware, the malware may be introduced by some kind of Day 0 attack that the user could not reasonably have prevented - or the malware may be introduced by user behaviour that the user should reasonably have known as risky.

> Malware is.

Unless it's device theft or other physical device access.

> If a normal piece of software has access to the unencrypted data, then malicious software running on the machine has access as well.

Maybe. Maybe not.

{Edit: In support of this claim, the assumption seems to be that malware is running on the computer and either has the same access as the user or full access (root / Administrator). However some Day 0 exploit might involve a bug wherein the attacker cannot execute arbitrary code but can retrieve any file that the user has access to, or indeed any file. This is clearly a case where encrypted configuration with a master password would limit the damage to this one computer while an XML config file containing plaintext passwords can be retrieved and thereby spread the damage to other computers.}

But really "antwerp" already put the argument for why this argument is not in the real world sustainable. The real world is messy, not black and white. In the real world a software change that won't save you with probability 1 is still worthwhile.

> You need to prevent malware infection in the first place.

This attitude violates a fundamental principle of security viz. defence in depth. Of course you do your damnedest to prevent malware infection. But you never rely on a single line of defence.
Last edited by ftpper on 2013-12-17 22:43, edited 2 times in total.

ftpper
504 Command not implemented
Posts: 9
Joined: 2013-11-26 03:41

Re: Missing password feature now poses a serious security th

#15 Post by ftpper » 2013-12-17 22:20

ftanner wrote:Give it up guys....
Clearly I am not aware of any "history" on this issue but I am suggesting a compromise solution that would hopefully involve only small changes to FileZilla and would not involve FileZilla getting into the file or disk encryption business.
