Beware Online Backup Software Running ANY Web Server

Online Backup Software should be the most secure software on your computer, the LEAST of your worries. Your online backup software is responsible for securing your most important files, sending them offsite to a secure server, where NOBODY can view them.

Rob Cosgrove

Rob Cosgrove, CEO Remote Backup Systems

Your online backup software should NEVER, for any reason, answer inbound connection requests from the Internet. That’s what spyware does. That’s what Trojans do. That’s how computer networks become compromised, and that’s how private data is made public.

This is why I am deeply concerned about an online backup software product in my market space. I won’t mention their name, at least not yet. I want to give them an opportunity to fix this gigantic security hole first. If they fix it, I will report it here. Here’s a hint: It’s not my software, RBackup or Mercury. I guess you figured that out, though.

The offending software almost silently installs the Apache Web Server on all end users’ computers. The end users don’t usually know it is there, and even many Service Providers don’t know it is there.

Note: 21 June, 2013: The offending company has replaced the Apache web server with another web server of dubious origin. Apache was out of date and unsupported, but at least it had a respected pedigree. Nobody knows what’s in there now, but we know it is less well supported than Apache, and it still has all the pitfalls of any web server. It will answer inbound connections – a huge problem for security.

Apache is the most common web server on the planet (because it is free) and it is also the most commonly ATTACKED (by hackers) web server on the planet. In my opinion, and that of other experts, this is a serious security concern.

Apache exploits and hacks are posted all over the Internet. Do a Google search for “apache exploits” to see what I mean. There are thousands, and more are discovered almost weekly and posted on the Internet. A team of developers constantly evaluates threats and writes patches for Apache, trying to stay one step ahead of the hackers.

To make it even easier for the hackers, Apache is Open Source software. The hackers always have full access to its source code, so they have a huge head start. Anyone can download it here. No web server will ever be safe for use in Online Backup client software.

As an Online Backup Service Provider, I do not want to constantly monitor Apache patches and have responsibility for upgrading all my clients whenever the Apache team fixes something. That sounds like a tech support nightmare to me.

Following are a few links you can click to test your computer to see if you have this software installed. If you click any of these links and get a response in your browser, your computer is vulnerable, and you should uninstall the software immediately.

http://localhost:6060/
http://127.0.0.1:6060/
http://localhost
http://127.0.0.1

A Web Server is a SERVER. Its mission in life is to answer incoming requests from the Internet and do what it is asked. It should NEVER be installed on an Online Backup customer’s computer under any circumstances.

As an Online Backup Provider, the last thing you need is a security breach – or even the remote prospect of one. Software on your customers’ computers should NEVER be able to answer an inbound request from the Internet.

If you are an Online Backup Service Provider and you install a Web Server on your customers’ networks without notifying them of the potential security risks, you might be held legally liable for any damages. If you don’t know if the software you are using installs a Web Server, ask your vendor. While you’re talking to him, ask him WHY! I cannot dream up ANY good reason for it that is worth the massive risk.

The Apache Web Server is a nice piece of work, when used as it was intended to be used, as an Internet Web Server. If you are reading my blog at http://blog.remote-backup.com you are using my Apache Web Server. I love this thing. BUT I would NEVER expose one of my clients to the Internet the way Apache allows you to scroll through my blog. Imagine someone being able to look through your personal files, downloading and viewing what they want, like you can with my blog.

The last time I reported something like this I was accused of  “FUD Tactics.” (FUD is an acronym for Fear Uncertainty and Doubt. Yes, I had to look it up.) But this isn’t a “tactic” at all. I simply do not want to see my industry hurt by a massive and public data breach caused by any Online Backup software.

Note: Just after I finished this blog entry, I found a ZDNet Australia article, Apache bug prompts update advice discovered by IT security company Sense of Security. They discovered a serious bug in Apache’s HTTP web server, which could allow a remote attacker to gain complete control of a database. This article was published ten days ago.

“The vulnerability means that you can take complete control of the web server remotely with system privileges” which is the highest privilege on Windows,” Sense of Security spokesperson Jason Edelstein told ZDNet.com.au. “An attacker could gain access to, modify and take away data.”

Now I ask you – Did your Online Backup vendor notify you about this major bug in their software? Did they issue an emergency patch to fix it, as they should? I have just downloaded their Client software to see if they have updated to the latest Apache release, 2.2.15, which contains a fix for this vulnerability.

WOW! It’s even worse than I thought. This software installed a two year old version of Apache, v 2.0.63.200. This version of Apache was released on 19 January 2008. Since version 2.0.63, the Apache team has issued more than five hundred (500) patches, thirty-seven (37) of them critical Security Patches, NOT ONE of which are included in this software package.

(Change Log 1) (Chage Log 2)

So, since this offending Online Backup software has not been updated in 2 years, it has more than 500 bugs, and at least 37 critical security issues. Why haven’t they notified their Partners of these serious security problems and offered patches to fix them?

I am now going to do as everyone should – uninstall this dangerous crap ASAP!

Rob Cosgrove is the President of Remote Backup Systems, founder of the Online Backup Industry, and a vocal advocate for maintaining the highest standards in Online Backup software. His latest book, the Online Backup Guide for Service Providers: How to Start and Operate an Online Backup Service, is available online now, and on Amazon.com and bookstores after April 30, 2010.

About The Author

Avatar
Steve Roberts / http://remote-backup.com

Steve Roberts is VP of Engineering at Remote Backup Systems (http://remote-backup.com), developers of the RBackup Online Backup software platform, providing software powering more than 9,500 Service Providers in 65 countries since 1987.