Some online backup services are easily fooled, according to the folks over at Heise security.
An undisclosed Heise employee hacked into some online backup services by intercepting the connection between the client and the backup server, bypassing the encryption used: a basic man-in-the-middle attack.
"Attackers can read and even change the data being backed up or restored when it's transmitted over the internet," said the Heise article.
Heise pretended to be the backup server to the client, and the client to the backup server, using fake certificates. For the vulnerable systems, neither client nor server checked the certificates for authenticity, said a source at Heise.
There was no need to hijack the connection, as the client was on a network that Heise controlled, said the source. They added that in the real world, an attacker would either use a Trojan, or attack the router to change the DNS entry for the server to their own IP address.
There was no need to actually forge the certificates by reverse engineering or the like, as the services did not check them, said the source. Heise just generated its own using standard utilities, while the signatures on them were "obviously fake", said the source.
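The failure Heise describes, as an added example that is not part of the original article or of Heise's test (the hostname `backup.example` and the loopback server are constructed for the demonstration): a Go program stands up a local TLS server with a self-signed, "home-made" certificate and connects to it twice, once as a client with certificate verification switched off, the way the vulnerable backup clients behaved, and once as a client that validates the chain against an explicit trust store. Go's standard library is used because it can generate the certificate and run both ends offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Outcome records how each client configuration fared against an impostor server.
type Outcome struct {
	VulnerableAccepted bool  // client with verification disabled completed the handshake
	VerifyErr          error // verifying client's handshake error (nil would mean it was fooled too)
}

// selfSignedCert builds a certificate signed by its own key rather than by any CA:
// the stand-in for the "obviously fake" certificate in the article.
func selfSignedCert(host string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// startImpostor listens on loopback with the fake certificate, playing the interposed
// "backup server": it completes the handshake and hangs up; whether the client lets it
// get that far is the whole question.
func startImpostor(cert tls.Certificate) (net.Listener, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func() { _ = c.(*tls.Conn).Handshake(); c.Close() }()
		}
	}()
	return ln, nil
}

// connect dials with the given client config; tls.Dial runs the handshake, so a nil
// error means the client accepted whatever certificate the server presented.
func connect(addr string, cfg *tls.Config) error {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return err
	}
	return conn.Close()
}

// Demo runs both client configurations against the impostor.
func Demo() (Outcome, error) {
	const host = "backup.example" // constructed hostname, not a real service
	cert, err := selfSignedCert(host)
	if err != nil {
		return Outcome{}, err
	}
	ln, err := startImpostor(cert)
	if err != nil {
		return Outcome{}, err
	}
	defer ln.Close()
	addr := ln.Addr().String()

	// The flaw the article describes: TLS is used, but the client trusts any
	// certificate, so an interposed party with a self-made one is accepted.
	vulnerable := &tls.Config{ServerName: host, InsecureSkipVerify: true}
	// The fix: validate the chain against an explicit trust store (in production,
	// the provider's CA). The pool is empty here, so nothing self-made can pass.
	hardened := &tls.Config{ServerName: host, RootCAs: x509.NewCertPool()}

	out := Outcome{VulnerableAccepted: connect(addr, vulnerable) == nil}
	out.VerifyErr = connect(addr, hardened)
	return out, nil
}

func main() {
	out, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("verification off: accepted=%v\nverification on: error=%v\n", out.VulnerableAccepted, out.VerifyErr)
}
```

`InsecureSkipVerify: true` is the Go spelling of the defect; other stacks express it as a trust-all certificate callback or a "verify none" mode. The check a defender wants is the second client: it refuses to proceed when the chain does not end at a CA it was configured to trust, and it also verifies that the certificate is for the expected hostname (the `ServerName` field), which is what stops a redirected DNS entry from being enough.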