Re: Filezilla a security risk

To: debian-user@lists.debian.org
Subject: Re: Filezilla a security risk
From: Camaleón <noelamac@gmail.com>
Date: Fri, 29 Jun 2012 15:13:13 +0000 (UTC)
Message-id: <[🔎] jskgm9$68h$11@dough.gmane.org>
References: <[🔎] CA+AKB6E1FfRCNbV6PimAvdvUfoBKuo7rgLsbaCR_7tgtuZdw5A@mail.gmail.com> <[🔎] jshqlo$no$5@dough.gmane.org> <[🔎] 4FECA6FB.7090606@eisenbits.com> <[🔎] jsie79$no$18@dough.gmane.org> <[🔎] 4FECE810.4030101@concepts-and-training.de> <[🔎] jskc6a$68h$4@dough.gmane.org> <[🔎] 4FEDBF4D.6040905@concepts-and-training.de>

On Fri, 29 Jun 2012 16:44:29 +0200, Denis Witt wrote:

> On 29.06.2012 15:56, Camaleón wrote:
> 
>>> The ONLY reason why Linux based systems hasn't got such a problem with
>>> malware is that there are not enough Desktop machines to make this a
>>> good target. Often enough there are security holes which allow you to
>>> take control over the entire machine. And that's fine as it is complex
>>> software.
> 
>> True, but what's your point here?
> 
> The point is that software can't be 100% secure. So when possible it is
> a good idea to have more than one security layer. 

Even if that extra layer is of no help because you leave your computer 
open and accessible to anyone? Then you're wasting your time and your 
computer resources, security has to sit between useful and effectiveness, 
otherwise you're losing the battle.

> A bug in Apache my cause someone to get access to you FileZilla
> -Settings. 

I wonder how that can happen... 

> At the moment this would be a big problem, if the file is encrypted the
> problem is still there but you have some additional time to change your
> passwords. Good thing.

Good thing for a corner case. But the bad thing here is that someone can 
access your Filezilla settings from you Apache, though.

>> Should my Debian system becomes cracked or infected by any kind of
>> treat I would worry more about my usual files and not the settings for
>> Filezilla. I mean, nothing new here, security is a "multi-edged" sword.
> 
> Really? I would more worry about the remote servers listed in my
> FileZilla-Config (if there are any), because they might belong to
> customers, friends, etc. I might get worried about my Backups as I want
> to restore my compromised system.

You change the password for your FTP user accounts and that's all. Gee, I 
wonder in what way users are using their linux systems that don't store 
any important data on them, only for multimedia playing? :-P

>>> But if you can easily add some more security layers without loosing
>>> too much performance and/or usability you should always do that.
> 
>> Maybe... but you'll get a false impression of protection that can be
>> even more nocive as you'll relax your security notion.
> 
> Humans are making mistakes, a false impression of protection may lend
> you to such mistakes, this is true. That's one reason why we don't run
> background Virus-Checks on our machines (mails are being scanned and you
> can do on demand checks for USB media, etc.).

I do check the files I donwload from the web, regardless they are going 
to be opened from windows or linux, e-mails are also scanned by means of 
ClamAV and USB keys are not anutomatically mounted thus can be also 
easily analyzed first.

And I do all of the above because I came from Windows first, I have the 
steps burned in fire in my brain :-)

> But it is easy to tell users that all files from those medias may be
> evil. It's much harder to tell them that their programs might store
> sensible data in a way that isn't secure. At least this is much harder
> than for the FileZilla guys to store passwords encrypted.

Curiously enough is not only Filezilla who takes the path for not 
encrypting the user credentials so there has to be a reason in behind for 
that to happen so often...

Anyway, aren't most of us still using plain pop3 and smtp connections 
with no message encryption at all? Who are we blaming? >;-)

>>> Storing unhashed and unsalted or unencrypted passwords is simply
>>> stupid. Ask the guys at last.fm. ;)
> 
>> Again, there are files in my servers (e.g., ssl keys) and also my Mutt
> 
> SSL/SSH Keys should have a password or should be stored in some kind of
> encrypted container.

IIRC you have to remove the password so Apache can make use of it so 
finally the security relies on the file perms (only root can read it).

>> configuration file (that holds my e-mail account password) which are
>> stored in cleartext. So...?
> 
> Pretty stupid isn't it? ;) 

You tell me :-)

> An encrypted container wouldn't help a lot here, because I assume your
> MUA is running most of the day, right? So the container has to be open 
all the time and any malware could read
> the file.

In my case it is launched on demand. My main MUA is Thunderbird.

>> Do you want us to remove the ethernet cord? ;-)
> 
> Would be a nice thing from a security point of view, that's why I
> mentioned comfort and performance. :)

There's still dangerous USB flash drives and the always evil CD/DVD and 
floppy disks... you never know.

Greetings,

-- 
Camaleón

Reply to:

Follow-Ups:
- Re: Filezilla a security risk
  - From: Denis Witt <denis.witt@concepts-and-training.de>

References:
- Filezilla a security risk
  - From: francis picabia <fpicabia@gmail.com>
- Re: Filezilla a security risk
  - From: Camaleón <noelamac@gmail.com>
- Re: Filezilla a security risk
  - From: Stanisław Findeisen <stf.list.debian.user@eisenbits.com>
- Re: Filezilla a security risk
  - From: Camaleón <noelamac@gmail.com>
- Re: Filezilla a security risk
  - From: Denis Witt <denis.witt@concepts-and-training.de>
- Re: Filezilla a security risk
  - From: Camaleón <noelamac@gmail.com>
- Re: Filezilla a security risk
  - From: Denis Witt <denis.witt@concepts-and-training.de>

Prev by Date: Re: Bridging eth0/br0 & NetworkManager - can they coexist?
Next by Date: Re: Filezilla a security risk
Previous by thread: Re: Filezilla a security risk
Next by thread: Re: Filezilla a security risk
Index(es):
- Date
- Thread