Opinion
Secure FTP - Shadow Sites
The corporate website isn't the only online asset that needs securing. What are you storing on your FTP server?
By William Cook
July 01, 2004 — CSO — Like websites, FTP sites are accessible via the Internet. File transfer protocol servers provide information to the public, vendors and customers; and they serve as an online office for a company. But unlike websites, FTP sites are often used for storing and transmitting large company files that are too cumbersome for the website. And they frequently have poor security controls.
This problem has led to company claims that competitors have violated the Computer Fraud and Abuse Act (CFAA) and state trade secret laws by improperly accessing information from their FTP servers. Typically, the claim is that a competitor went to the FTP site and misappropriated "outgoing" files (such as customer mailing lists, an advertising campaign or Beta software) or "incoming" files (such as communications from customers). Much of this information is very sensitive.
Security experts note that securing an FTP site and limiting access to particular files is actually a fairly trivial matter. However, it must be done correctly to avoid giving public access to everybody on the Internet. The problem develops when poor security controls and oversights result in sensitive company information being placed on the site by the marketing department or IT staff members. Some companies have carelessly posted customer lists and even password files on the outgoing, "public" sections of the site. There are often outgoing folders on FTPs that are publicly accessible, enabling any anonymous user to log in with an anonymous account and download files from the FTP site.
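The oversight described above, sensitive files landing in the anonymous-readable part of the site, is easy to check for from the server side. The following audit script is an added example, not code from the article: it walks the directory tree an anonymous user can read and flags files whose names, contents or permissions should not be there. The name patterns, the e-mail heuristic and the sample tree are all constructed assumptions.

```python
import re
import stat
import tempfile
from pathlib import Path

# Hypothetical patterns (assumptions, not from the article): names of credential files,
# key material, and exports that look like customer or mailing lists.
SENSITIVE_NAME = re.compile(r"(passwd|shadow|htpasswd|\.pem$|\.key$|customer|mailing)", re.I)
EMAIL = re.compile(rb"[\w.+-]+@[\w-]+\.[\w.-]+")

def audit_anonymous_root(root):
    """Walk the tree an anonymous FTP user can read; return (relative_path, reason) pairs.

    'sensitive-name'  filename matches a credential/customer-data pattern
    'email-list'      contents hold a run of e-mail addresses (looks like a mailing list)
    'world-writable'  any user, including anonymous uploaders, could replace the file
    """
    findings = []
    root = Path(root)
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if SENSITIVE_NAME.search(path.name):
            findings.append((rel, "sensitive-name"))
        if path.stat().st_mode & stat.S_IWOTH:
            findings.append((rel, "world-writable"))
        # Cheap content check on the first 64 KiB: five or more addresses is a red flag.
        if len(EMAIL.findall(path.read_bytes()[:65536])) >= 5:
            findings.append((rel, "email-list"))
    return findings

def build_sample_tree():
    """Constructed sample 'pub' tree mimicking the careless postings the article describes."""
    root = Path(tempfile.mkdtemp(prefix="ftp-pub-"))
    (root / "outgoing").mkdir()
    (root / "outgoing" / "press-release.txt").write_text("Product launch, Q3 2004.\n")
    (root / "outgoing" / "customers.csv").write_bytes(
        b"".join(b"user%d@example.com,Acme %d\n" % (i, i) for i in range(10)))
    (root / "outgoing" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
    (root / "incoming").mkdir()
    loose = root / "incoming" / "upload.bin"
    loose.write_bytes(b"\x00" * 16)
    loose.chmod(0o666)  # simulate a drop box left world-writable
    return str(root)

if __name__ == "__main__":
    for rel, reason in audit_anonymous_root(build_sample_tree()):
        print(f"{reason:15} {rel}")
```

Run it against the real anonymous root (the directory your FTP daemon maps to the anonymous user) rather than the sample tree; any finding there is something to move behind authentication or delete.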
Take, for example, a mistakenly posted customer mailing list: Once it's posted, its value drops for purposes of both criminal and civil prosecution. It's difficult to see how a meaningful damage claim could be made in the absence of the customer mailing list. Moreover, customer mailing lists (even if adequately protected) have had a very short shelf life since the advent of the Internet. In DoubleClick v. Henderson, the court held that DoubleClick's prevalent claim of trade secret misappropriation by two former employees was sufficient to support an injunction precluding the defendants from forming their own such company or selling Web advertising for a period of six months. However, the court declined to grant the injunction for a full year, saying that within six months the defendants' knowledge of the plaintiff's activities will have "evaporated," given the constant flux of the Web advertising business.