Computer-Knowledge

Saturday, April 23, 2011

Online Backup Knowledge Base

Your online backup software should NEVER, for any reason, answer inbound connection requests from the Internet. A backup client only needs to open outbound connections to its backup server; it has no business listening for connections from anyone. Listening for inbound connections is what spyware does. That’s what Trojans do. That’s how computer networks become compromised, and that’s how private data is made public.
This is why I am deeply concerned about an online backup software product in my market space. I won’t mention their name, at least not yet. I want to give them an opportunity to fix this gigantic security hole first. If they fix it, I will report it here. Here’s a hint: It’s not my software, RBackup or Mercury. I guess you figured that out, though.
The offending software almost silently installs the Apache Web Server on every end user’s computer. End users usually don’t know it is there, and many of the Service Providers reselling the product don’t know it is there either.
Apache is the most common web server on the planet (it is free and runs almost everywhere), and for the same reason it is the most widely ATTACKED web server on the planet. In my opinion, and that of other experts, that makes bundling it into client software a serious security concern.
Apache exploits and hacks are posted all over the Internet. Do a Google search for “apache exploits” to see what I mean: there are thousands, and new vulnerabilities are disclosed regularly. The Apache project’s security team evaluates reports and ships patches, trying to stay one step ahead of the attackers, but a patch only protects a machine after somebody installs it there.
To make it even easier for the attackers, Apache is Open Source software. They always have full access to its source code and can study it for weaknesses at their leisure. Anyone can download it from httpd.apache.org. A general-purpose web server has no place inside Online Backup client software.
As an Online Backup Service Provider, I do not want to constantly monitor Apache patches and have responsibility for upgrading all my clients whenever the Apache team fixes something. That sounds like a tech support nightmare to me.
Following are a few links you can click to test your computer for this software. If any of them returns a page in your browser, a web server is running on your computer and you should uninstall the offending software immediately. A reply on localhost proves the listener exists; whether it can also be reached from outside depends on the address it is bound to and on your firewall and router, so also check with netstat -an which address the port is bound to: 127.0.0.1 means local processes only, 0.0.0.0 means every network interface on the machine.
http://localhost:6060/
http://127.0.0.1:6060/
http://localhost
http://127.0.0.1
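The links above only tell you that something answers on the loopback address. The following Python script is an added example, not part of the original post and not code from any backup product: it parses the output of netstat -an (Windows and Linux layouts) to report which address each listener on ports 80 and 6060 is bound to, and reads the Server header of an HTTP reply to tell whether the listener is Apache. The netstat lines and the HTTP response embedded in it are constructed samples; port 6060 is taken from the post, and the helper names (probe, find_listeners) are my own.

```python
"""Detect a local web server and report how exposed it is.

Added example (not from the original post). Parses `netstat -an` output in
both Windows and Linux layouts, flags listeners on the ports the post names,
and inspects an HTTP response's Server header for Apache.
"""
import http.client
import re
import sys

WATCH_PORTS = {80, 6060}            # ports the post tells readers to test
LOOPBACK = {"127.0.0.1", "::1"}     # reachable from this machine only
WILDCARD = {"0.0.0.0", "::", "*"}   # bound to every interface

# host:port as netstat prints it; IPv6 may be bracketed ([::]:6060) or bare (:::6060)
ADDR_RE = re.compile(r"^\[?([0-9a-fA-F.:*]+?)\]?:(\d+)$")

# Constructed sample: three Windows-style lines, then two Linux-style lines.
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:6060           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:80           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:49152     93.184.216.34:443      ESTABLISHED
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::6060                 :::*                    LISTEN
"""

# Constructed sample of what an Apache instance on port 6060 might answer.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.17 (Win32)\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>It works!</body></html>"
)


def split_addr(token):
    """Split a 'host:port' token; None for tokens like '0.0.0.0:*'."""
    m = ADDR_RE.match(token)
    if not m:
        return None
    return m.group(1), int(m.group(2))


def exposure(host):
    """Classify a bind address by who can reach it."""
    if host in LOOPBACK:
        return "loopback-only"
    if host in WILDCARD:
        return "all-interfaces"
    return "specific-interface"


def find_listeners(netstat_text, ports=WATCH_PORTS):
    """Return (port, host, exposure) for each listening socket on `ports`."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Windows prints LISTENING, Linux prints LISTEN; skip everything else.
        if not any(f.startswith("LISTEN") for f in fields):
            continue
        # The first host:port token on the line is the local address.
        parsed = [p for p in map(split_addr, fields) if p]
        if not parsed:
            continue
        host, port = parsed[0]
        if port in ports:
            found.append((port, host, exposure(host)))
    return found


def server_header(raw_response):
    """Return the Server header value from a raw HTTP response, or None."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for hdr in head.split("\r\n")[1:]:          # [0] is the status line
        name, _, value = hdr.partition(":")
        if name.strip().lower() == "server":
            return value.strip()
    return None


def is_apache(raw_response):
    """True if the Server header identifies Apache httpd."""
    srv = server_header(raw_response)
    return bool(srv) and srv.lower().startswith("apache")


def probe(host="127.0.0.1", port=6060, timeout=2.0):
    """Fetch '/' from a local port and rebuild the response head for
    server_header(); None if nothing answers. Not used by the sample run."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", "/")
        resp = conn.getresponse()
        lines = ["HTTP/1.1 %d %s" % (resp.status, resp.reason)]
        lines += ["%s: %s" % kv for kv in resp.getheaders()]
        return "\r\n".join(lines) + "\r\n\r\n"
    except (OSError, http.client.HTTPException):
        return None


if __name__ == "__main__":
    # Real use: netstat -an | python check_listener.py --stdin  (hypothetical file name)
    text = sys.stdin.read() if "--stdin" in sys.argv else SAMPLE_NETSTAT
    for port, host, how in find_listeners(text):
        print("port %d bound to %s: %s" % (port, host, how))
    print("sample response is Apache:", is_apache(SAMPLE_RESPONSE))
```

On the constructed sample the script reports port 6060 bound to 0.0.0.0 and to :: (every interface, reachable by anything that can route a packet to the machine) and port 80 bound to 127.0.0.1 (local processes only). A loopback-only bind, which an administrator can force in httpd.conf with a Listen directive of the form Listen 127.0.0.1:6060, is a stopgap rather than a fix: other programs on the machine, including a web browser loading a malicious page, can still talk to it, and the unpatched server is still there. The post’s advice stands: remove it.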
The Apache Web Server is a SERVER. Its mission in life is to accept incoming requests from the network and do what it is asked. It should NEVER be installed on an Online Backup customer’s computer under any circumstances.
As an Online Backup Provider, the last thing you need is a security breach – or even the remote prospect of one. Software on your customers’ computers should NEVER be able to answer an inbound request from the Internet.
If you are an Online Backup Service Provider and you install an Apache Web Server on your customers’ networks without notifying them of the potential security risks, you might be held legally liable for any damages. If you don’t know whether the software you are using installs the Apache Web Server, ask your vendor. While you’re talking to them, ask WHY! I cannot dream up ANY good reason for it that is worth the massive risk.
The Apache Web Server is a nice piece of work, when used as it was intended to be used, as an Internet Web Server. If you are reading my blog at http://blog.remote-backup.com you are using my Apache Web Server. I love this thing. BUT I would NEVER expose one of my clients to the Internet the way Apache allows you to scroll through my blog. Imagine someone being able to look through your personal files, downloading and viewing what they want, like you can with my blog.
The last time I reported something like this I was accused of “FUD Tactics.” (FUD is an acronym for Fear, Uncertainty and Doubt. Yes, I had to look it up.) But this isn’t a “tactic” at all. I simply do not want to see my industry hurt by a massive and public data breach caused by any Online Backup software.
