Dec 01 2005

Away from Prying Eyes

FTP, a tool that came of age during the disco era, is still in heavy rotation in offices worldwide. So how can it be paired with encryption to meet the protection demands of today's users?

Companies still using File Transfer Protocol to send files among offices, clients and business partners, beware. Anyone snooping on a network connection can clearly see everything in an FTP file—including its contents, user names, passwords and the directory into which it's going.


FTP is a notoriously insecure technology. It was built in the 1970s when the Internet was a far more open and trusting environment, and hacking was more of an academic pursuit than an illegal business.


So how can a company protect its files if the underlying technology was never intended to ensure privacy or security?


Either encrypt the files or use a safer alternative, say experts such as Stefan Dietrich, software architech and former chief operating officer of e-Vantage Solutions, an electronic-transactions service provider in New York.



There are a number of third-party tools that can embed encryption algorithms into files. The difference between the algorithms is the length of the cipher key. For instance, the Secure Sockets Layer encryption used by standard electronic-commerce sites, such as Amazon and eBay, uses a 128-bit key. Free and unpatented algorithms such as Blowfish use keys that vary in length from 32 to 448 bits. Twofish, another license-free algorithm, uses variable key lengths up to 256 bits. The RSA algorithm, the nearly de facto standard from RSA Security of Bedford, Mass., that's included in a number of popular Web browsers and commercial software products, uses a maximum of 512 bits.


If a company's data are extremely sensitive and confidential, it might opt for an algorithm like PGP, which stands for pretty good privacy and lets users create key lengths up to 4,096 bits. There are freeware versions of the algorithmic code available, and a product as well from PGP of Palo Alto, Calif.


In the Extreme


"If you're really paranoid, you can even use two algorithms together" suggests Gary Morse, professional white-hat hacker and president of Razorpoint Security Technologies in New York.


Morse cautions, however, that there are tradeoffs. The longer the cipher used to encrypt a file, the more CPU cycles are required to encrypt—and decrypt— the file. That may be insignificant when transferring only one or two files at a time. But it could strain the server during a larger task such as a bulk FTP.


Small businesses often find that their large partners dictate the level of encryption. For instance, Tawil Associates, a New York children's clothing manufacturer with 100 employees, works with Disney to produce a branded line of apparel. "When you deal with a company like Disney, they want to keep their copyrighted designs secure," says Jonathan Gleich, Tawil's management information systems director. "So they set up a private network of transferring data using their own encryption."


Disney gave Tawil a plug-in for its Web browser so authorized employees can log on to Disney's private network and pass encrypted files back and forth, securely cloaked from prying eyes.


Experts also recommend using file-transfer technologies that are more secure than FTP. One alternative is the Secure File Transfer Protocol. SFTP is a standard feature of Unix and Mac OS programs and available for free on Microsoft Windows. Other options include the Secure Shell Interface and Protocol (SSH) and the use of a secure copy utility (SCP).


Be a Smart User


If FTP is the tool that makes the most sense for a company's needs, then it just needs to take some necessary precautions and to stay away from anonymous FTP servers that require no passwords or user identity verification, security experts say. Instead, a company should configure its FTP server to compartmentalize users and prevent them from straying into files they have no authority to access.


Morse, whose clients hire him to hack into their systems and disclose vulnerabilities, finds that companies often leave themselves open to FTP directory transversal attacks, where hackers moving freely from one directory to another can download, steal and tamper with files. Most FTP servers have what Morse calls a "jail-mode option" that systems administrators can adjust to control FTP access levels. "When the user logs in, he's put into his own compartmentalized directory," Morse explains. "He can download and upload files but only within his own little world."



CEO takeaway
Choose the level of encryption that matches the sensitivity of the data you're transmitting. If regulatory compliance is a concern, let your level of liability dictate the security level.
Consider your business partners' data as well as your own. If you're safeguarding the exchange of intellectual property—such as patents, strategic business plans and the like—you should apply stringent security measures.
Be smart about the ciphers you use. Your cipher needs to be strong, but also be aware that the use of an extremely complex one might draw the attention of hackers looking for a challenge.
Always monitor your FTP server for suspicious activity, such as known users logging on at odd hours.