ZDNet UK

Tom Espiner


Security Bullet In

Communiques from the security front, sir

Thursday 29 May 2008, 5:25 PM

Online backup insecure, says Heise

Posted by Tom Espiner

Some online backup services are easily fooled, according to the folks over at Heise Security.

An unnamed Heise employee broke into several online backup services by interposing between the client and the backup server, so that the encryption on the connection protected nothing: a basic man-in-the-middle attack.

"Attackers can read and even change the data being backed up or restored when it's transmitted over the internet," said the Heise article.

Heise pretended to be the backup server to the client, and the client to the backup server, using fake certificates. In the vulnerable products, neither client nor server checked the certificates for authenticity, said a source at Heise.

There was no need to hijack the connection, as the client was on a network that Heise controlled, said the source. They added that in the real world an attacker would either use a Trojan, or attack the router and change the DNS entry for the server so that it pointed at their own IP address.

Nor was there any need to forge the real certificates, by reverse engineering or otherwise, since the services did not check them: Heise simply generated its own with standard utilities, and even the signatures on them were "obviously fake", the source said.
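The check Heise found missing, shown as an added example that is neither Heise's test code nor any backup vendor's software. It mints a genuine root and an "obviously fake" attacker root in memory (Go is used because its standard library can issue certificates and run a TLS handshake without touching the network), then has a client that verifies against the provider's root and a client that skips verification each talk to a server presenting the attacker's certificate. The hostname backup.example.test and the CA names are made up for the example; it covers only the client checking the server, not the server checking the client.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// template describes a self-signed root (isCA) or a server leaf for name.
func template(name string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
	} else {
		t.DNSNames = []string{name} // Go's verifier matches SANs, not the CN
	}
	return t
}

// authority generates, in memory, a root named name and a server certificate for
// host signed by it; anyone can do this, so a certificate proves nothing on its own.
func authority(name, host string) (root *x509.Certificate, leaf tls.Certificate, err error) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	tmpl := template(name, true)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return
	}
	if root, err = x509.ParseCertificate(der); err != nil {
		return
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	der, err = x509.CreateCertificate(rand.Reader, template(host, false), root, &leafKey.PublicKey, rootKey)
	leaf = tls.Certificate{Certificate: [][]byte{der}, PrivateKey: leafKey}
	return root, leaf, err
}

// handshake runs a TLS handshake over an in-memory pipe (no sockets needed)
// and returns the client's verdict on the certificate the server presented.
func handshake(presented tls.Certificate, clientCfg *tls.Config) error {
	cp, sp := net.Pipe()
	defer func() { cp.Close(); sp.Close() }()
	cp.SetDeadline(time.Now().Add(5 * time.Second))
	go tls.Server(sp, &tls.Config{Certificates: []tls.Certificate{presented}}).Handshake()
	return tls.Client(cp, clientCfg).Handshake()
}

// clientConfig builds the client side. verify=false reproduces the flaw Heise
// found: the client accepts whatever certificate it is shown.
func clientConfig(root *x509.Certificate, host string, verify bool) *tls.Config {
	cfg := &tls.Config{ServerName: host, MinVersion: tls.VersionTLS12}
	if !verify {
		cfg.InsecureSkipVerify = true // the vulnerable setting
		return cfg
	}
	pool := x509.NewCertPool()
	pool.AddCert(root)
	cfg.RootCAs = pool // trust only the backup provider's own root
	return cfg
}

// demo issues a genuine and an attacker certificate for the same host and
// returns each client's handshake error, keyed by scenario (nil = accepted).
func demo() (map[string]error, error) {
	const host = "backup.example.test" // assumed name, not from the article
	genuine, realCert, err := authority("Backup Provider Root", host)
	if err != nil {
		return nil, err
	}
	_, fakeCert, err := authority("Obviously Fake Root", host) // what the MITM presents
	if err != nil {
		return nil, err
	}
	return map[string]error{
		"verifying client, genuine cert":  handshake(realCert, clientConfig(genuine, host, true)),
		"verifying client, attacker cert": handshake(fakeCert, clientConfig(genuine, host, true)),
		"lax client, attacker cert":       handshake(fakeCert, clientConfig(genuine, host, false)),
	}, nil
}

func main() { fmt.Println(demo()) }
```

Running it shows the verifying client accepting the provider's certificate and refusing the attacker's with an unknown-authority error, while the client with InsecureSkipVerify set accepts the fake one without complaint, which is exactly the position the Heise tester was in. Pinning RootCAs to the provider's own root (rather than the system store) also means a DNS change on the router, as the source describes, gains the attacker nothing unless they can also plant a root on the client, for instance with the Trojan the source mentions.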


Comments on this post

Aliredsox

I think it's important to point out that not ALL online backups were vulnerable to these attacks. The article found that both Carbonite and Mozy were secure and neither allowed the attacks to penetrate the system. You can find Carbonite's CEO blogging about the issue here

Posted by Aliredsox on May 30, 2008 9:49 PM

online backup

Most affected companies have resolved these issues since. This however still highlights the issue of supplier commitment to encryption technology improvements.
Anything below a manual sign off on confidentiality of data is clearly not acceptable. A supplier who expects you to commit by ticking web boxes but who offers no supplier side commitments manually signed as part of a contract clearly has difficulty with doing this for undisclosed reasons.
We at backupanytime were not affected by this breach and we do manually sign off on client confidentiality.
John
http://www.backupanytime.com/whitepaper.htm

Updated by online backup on Sep 15, 2008 10:26 AM