Look what the guys at Heise managed to do…
I’m in the trade, so I am biased, but this is too big not to comment on. Researchers at Heise (publishers of the German IT magazine c’t) have cracked the security of several online backup platforms, including Ahsay OBM, wide open using MITM (Man-In-The-Middle) attacks. You’ve probably never heard of Ahsay, but if you’re in the market for online backup you’ve probably tried it. They sell it as a “white label” product, so the service provider just puts their logo on the splash screen and the end user is none the wiser. They’ve got over 30 resellers in Ireland alone, including local brand names such as Blacknight, Datahaven, Hosting 365, PFH, ServeCentric and Strencom.
There are two elements to online security: data encryption and identity verification. If your data encryption is good enough it doesn’t matter who gets hold of your data. Being sure you’re sending the data to the right server adds to the security. Online backup typically deploys two layers of encryption: the data is encrypted using a key, and then the data is transmitted through an SSL tunnel that encrypts everything again. The SSL tunnel uses a digital certificate to verify that the server is who it says it is. These certificates are issued by a trusted source (Thawte, Verisign, Geotrust etc.) and provide the sender with a key to encrypt the traffic (the public key). Data encrypted with a public key can only be decrypted with the matching private key, and vice versa. Only the owner of the certificate has the private key.
Software on the user’s end should throw up a big fat warning if the certificate isn’t issued by one of these trusted sources. Unlike Carbonite and Mozy, Ahsay doesn’t throw up a warning and just sends the data anyway. A determined individual can create their own certificate and keys and trick your PC into mis-routing your backup to their server (DNS cache poisoning is easier than you think). This gets them through the first layer: the SSL tunnel. They then have access to the username and password (which are transmitted unencrypted inside the tunnel, because the SSL tunnel is supposed to be secure enough). This in itself isn’t a huge deal except for one thing: to make things simple, Ahsay’s default behaviour is to use the password as the data encryption key! They can then log in to your account, download all your data and decrypt it with your key. Carbonite and Mozy also use the same password/key shortcut, but at least Mozy throws up a warning and Carbonite refuses to go any further if the certificate isn’t genuine.
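To make the difference concrete, here is an added example (my own illustration, not code from Ahsay, Carbonite, Mozy or the Heise researchers) of how a backup client sets up its SSL tunnel in Python: the weak configuration the post describes beside the corrected one, plus a small audit check; the host name and port are constructed placeholders.

```python
from __future__ import annotations
import socket
import ssl


def weak_client_context() -> ssl.SSLContext:
    """The behaviour the post attributes to Ahsay: the tunnel is encrypted, but
    any certificate is accepted, so whoever answers the (mis-routed) connection
    terminates the tunnel and sees the username and password."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # no chain validation at all
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """What the post credits Carbonite with: refuse to go further unless the
    certificate chains to a trusted CA and matches the server's name."""
    ctx = ssl.create_default_context()  # system CA store, CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Problems a reviewer would flag in a client's context (empty list = OK)."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("server certificate is not verified")
    if not ctx.check_hostname:
        problems.append("certificate is not matched against the server name")
    return problems


def open_backup_tunnel(host: str, port: int, ctx: ssl.SSLContext) -> ssl.SSLSocket:
    """Open the tunnel. With the hardened context a forged or self-signed
    certificate raises ssl.SSLCertVerificationError here, before any
    credentials are written to the socket."""
    raw = socket.create_connection((host, port), timeout=10)
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    # Constructed placeholder endpoint; no network access is made by the audit.
    BACKUP_HOST, BACKUP_PORT = "backup.example.invalid", 443
    print("weak:    ", audit_context(weak_client_context()))
    print("hardened:", audit_context(hardened_client_context()))
```

The audit alone does not prove a client is safe (the same mistake can hide in a custom verify callback), but it catches the two settings that turn the tunnel into a formality.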
By gary | 11. Aug 2008 | Internet, Software, Storage, Technology | 3 Comments
Gary,
I think you have your story all wrong. I wrote a blog commenting on this attempted Man-In-The-Middle attack back in May and I was happy to report that Carbonite WAS NOT one of the companies that was vulnerable to the attack. Only Carbonite and Mozy were unable to be compromised. Carbonite did not send any data, but instead displayed an error message that did not let the hackers at Heise into our system. Since your inaccurate blog posting threatens the reputation of our business, would you please correct the factual errors in your story?
I’d be happy to answer any questions you have on this topic. Please feel free to contact me at david.friend(at)carbonite.com.
Sincerely,
David Friend
CEO, Carbonite, Inc.
Hi David,
Mea culpa. I misread the Heise article. The blog post has been amended. Note to self: stop posting blog articles just before I hit the sack!
Gary,
Much appreciated. Thank you!
David