Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror

Slashdot videos: Now with more Slashdot!

  • View

  • Discuss

  • Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

×
Security Technology

Hackers Sweep Up FTP Credentials For the New York Times, UNICEF and 7,000 Others 51

Posted by Soulskill
from the out-of-sight-out-of-mind dept.
SpacemanukBEJY.53u writes "Alex Holden of Hold Security has come forward with a significant find: a 7,000-strong list of FTP sites run by a variety of companies, complete with login credentials. The affected companies include The New York Times and UNICEF. The hackers have uploaded malicious PHP scripts in some cases, perhaps as a launch pad for further attacks. The passwords for the FTP applications are complex and not default ones, indicating the hackers may have other malware installed on people's systems in those organizations."
This discussion has been archived. No new comments can be posted.

Hackers Sweep Up FTP Credentials For the New York Times, UNICEF and 7,000 Others

Comments Filter:
  • Incomplete summary (Score:5, Informative)

    by sootman (158191) on Friday February 14, 2014 @09:24AM (#46245127) Homepage Journal

    The summary was missing a couple important words. I've added them below:

    The passwords for the FTP applications, which are transmitted unencrypted because that's just how FTP is and it doesnt matter if your password is "kjasdfkljlYSU87fyue847thIP&SH&&CDFO$Wfhi7qe4h5fo78aegh4fai7oshc7o8vae4hf84" or "correct horse battery staple" because a third-grader could sniff the traffic with decade-old tools, are complex and not default ones

  • by xxxJonBoyxxx (565205) on Friday February 14, 2014 @10:13AM (#46245751)

    As a "pen tester"... Since FTP servers aren't often monitored as closely as higher-profile web applications, but are still often tied into a company's AD or other common credential store, they're often a great resource to use if you want to harvest some high-value credentials before you go on site. (I like to use this:
    http://www.filetransferconsult... [filetransf...ulting.com] for that.)

Real Users never know what they want, but they always know when your program doesn't deliver it.

Working...