The Associated Press is running a story on how they discovered an extensive number of sensitive but unclassified military documents kept on unsecured FTP servers. Both government and contractor systems were found to allow anonymous access to goodies like project schematics, facility security information, building plans, and geological survey data. Some of the responses by the guilty parties are both hilarious and frightening. My favorite quote from the article [emphasis added]:
A spokeswoman for contractor SRA International Inc., where the AP found a document the Defense Department said could let hackers access military computer networks, said the company wasn't concerned because the unclassified file was on an FTP site that's not indexed by Internet search engines. "The only way you could find it is by an awful lot of investigation."
Yeah, it's really no big deal, you never see port scanning or worms checking for anonymous FTP out on the Internet - it's far too much work. If the system isn't indexed on Google, no one will ever find it.
When I first started doing this kind of work, I couldn't believe how many high-profile clients had no grip on their Internet presence or systems therein. I eventually came to realize that it's a widespread problem, made even more problematic when companies have to track both in-house and outsourced systems and hosting. Every external penetration test we perform is preceded by a footprinting phase, where we identify the client's IP ranges and ensure we have approval to test them. Nine times out of ten, they end up shocked at what we discover. Clients often have no clue whether certain address ranges are actually theirs, never-mind what systems are on them or what services they run.
As much as I love tracking the bleeding edge in vulnerabilities and attack techniques, articles like this are a good reminder of how important it is to keep perspective, and recognize that many organizations are still struggling with the most fundamental aspects of IT security.
Oh, and one take-away question...why the hell were these FTP servers discovered by the Associated Press, and not agencies' own vulnerability scans or penetration tests? Either they're not being performed, or the people doing them are incompetent. Neither would surprise me.
