Mike Linksvayer wrote:
> Michael Lorrey wrote:
> > I figured out the other day how WS_FTP encrypts its passwords in its INI
> > file, which is rather weak and a major weakness for anyone using this FTP
> > client to transfer files. Essentially, the encryption works like this: each
> > letter of the password is converted to its hexadecimal value. Then one hex
> > digit is added to the letters hex value based on its position in the
> > password, starting with 0 for the letter in the first position.
> >
> > So, while you may only FTP encrypted files to an FTP site, by using a weak
> > password encryption like this a hacker could easily sniff out your password
> > and then use the FTP site with impunity in YOUR name.
>
> ftp passwords are sent as cleartext between the client and server,
> so ws_ftp's .ini settings obfuscation does nothing to help or hinder
> someone who wants your password, unless that someone has access to
> your ws_ftp .ini file.
Which is also rather easy for users on internet connected LANs or WANs. A common practice to break into a system is to spoof yourself as an authorized device by assuming its IP address when it is offline. Once you are in you then have a login to get by, which is no big deal, as most desk drivers at companies which have no centrally controlled password system typically just use their name with no password, or their name as the user and their name as the password, or first and last, etc. Once you are in, you can copy the ws_ftp.ini file you can find on every drive the user you are spoofing has access to.
Right now I have implemented a patch to prevent this sort of thing from happening on the network here, but I doubt that many small businesses know or care about it at this point.
Mike Lorrey