3-2-1 Backup

Backup is the most basic information security measure.  Whatever else happens, your worst-case, baseline fallback is: restore from a backup and get back to work.  So you always want to make sure your backups are rock-solid.  A rule of thumb for ensuring that is easily remembered as 3-2-1.

3-2-1 backup means that you should:

  • Have 3 copies of your data (minimum)
  • Keep backups on at least 2 different media
  • Store at least 1 backup offsite

So you can see that this is not as hard or as involved as it might seem, I can give you an example from real life — from my own desk, my own PC.  I had been using CrashPlan Home for all backups here, but they just announced that the entire Home edition of the product is shutting down over the next year.  The deadline they have given me to get off is mid-January of 2018.

It’s true, I have two things that some home users do not: a second hard disk in my PC and a file server.  But the same effect can be had for anyone with, say, a large USB drive and a network disk like a Seagate Central.  The other thing I need, and that you’ll need, is a cloud storage service.

Backup #1: goes to my second hard disk.  There are many hazards backups protect against.  Probably the most commonly realized one is what we call PEBKAC.  That means, Problem Exists Between Keyboard And Chair.  In other words, this one is for when I am an idiot.  It will not protect me against hardware failure (unless that miraculously spares the one disk drive).  So, in that case, I move on to…

Backup #2: my file server.  This one will be OK even if my entire PC fails.  It’s also the one that I encrypt, because it’s also the source for a file-sync routine that goes to…

Backup #3: my cloud storage provider.  This is the one I will have to count on if the house burns down.  To do this, I chose a storage service that, like DropBox, does a continuous synchronization as its contents are updated.  Once primed, it will update every time the source backup updates.  I selected pCloud for this, because the yearly price for 2TB of storage was the most competitive, while still supporting the essential sync function.

Because I don’t trust the encryption at the file storage service alone, I am using backup software that provides local encryption.  For the software, I chose Duplicati.  It’s simple, it’s free (but make a donation, if you can!) and it’s open-source.  It also supports a vast array of cloud storage providers, so if I want to switch in the future, I will probably be covered.

3-2-1: make sure you can get a working copy of your data if you need to.  Somewhere!
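As an added example (not the author's setup and not Duplicati's code), here is a small Python check that tests a set of backup copies against the three rules and then confirms each copy actually holds current data, since a backup you have never verified is not a backup.  The copy names, media labels and files are constructed in a temporary directory so it runs offline.

```python
import hashlib
import shutil
import tempfile
from dataclasses import dataclass
from pathlib import Path

@dataclass
class Copy:
    name: str
    root: Path
    media: str      # constructed labels such as "internal-disk", "nas", "cloud"
    offsite: bool

def sha256_tree(root: Path) -> dict:
    """Map each file under root (by relative path) to its SHA-256 digest."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def check_321(source: Path, copies: list) -> list:
    """Return the problems found; empty means 3-2-1 holds and every copy is current."""
    problems = []
    if 1 + len(copies) < 3:                   # the live data itself counts as one copy
        problems.append(f"only {1 + len(copies)} copies, need 3")
    if len({c.media for c in copies}) < 2:
        problems.append("backups all on one kind of media, need 2")
    if not any(c.offsite for c in copies):
        problems.append("no offsite copy")
    expected = sha256_tree(source)
    for c in copies:
        actual = sha256_tree(c.root)          # a backup is only as good as its restore
        for f, digest in expected.items():
            status = "missing" if f not in actual else "stale" if actual[f] != digest else None
            if status:
                problems.append(f"{c.name}: {status} {f}")
    return problems

def demo() -> list:
    """Constructed layout mirroring the post: second disk, file server, cloud sync."""
    source = Path(tempfile.mkdtemp()) / "documents"
    source.mkdir()
    (source / "notes.txt").write_text("v2")
    (source / "pic.jpg").write_bytes(b"\xff\xd8\xff")
    copies = []
    for name, media, offsite in [("disk2", "internal-disk", False),
                                 ("fileserver", "nas", False), ("pcloud", "cloud", True)]:
        root = shutil.copytree(source, source.parent / name)   # returns the destination
        copies.append(Copy(name, Path(root), media, offsite))
    (copies[2].root / "notes.txt").write_text("v1")   # cloud sync has not caught up yet
    return check_321(source, copies)
```

Run `demo()` and the only finding is the stale cloud copy of notes.txt; point `check_321` at your real source and copy roots to use it for the weekly check.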

WannaCry Defense

As with all ransomware, the defense is simple:  Backup, backup, backup.  The fresher your backups are, the less work it will be to reconstruct your data and the less temptation you will feel to pay the criminals.

Backup, backup, backup.

Microsoft is blaming the NSA, and the NSA is blaming Microsoft.  A pox on both their houses.

Backup, backup, backup.

Anti-virus can’t help you until they catch up, and can’t help you again once it starts to mutate.

Backup, backup, backup.

Someone found a “kill switch”. By accident.  Uh-huh.
Trust that, do you?

Backup, backup, backup.

Another B Sides

Rochester B Sides is always fun and enlightening.  The keynote was by @dualcore about techniques that malware writers will use to defeat memory forensics so that their hard work developing payloads is not trashed.

His talk was punctuated with those infamous clips of goats emitting disturbingly human-like screams.  I have no idea why, and I am not even that curious about it.  His talk was still good…

But then he had a slightly longer break while a data harvesting process ran.  And he played this.

Gotta love BSides.

Here Goes Nothing

I just got notified that Office 365 is being installed on my work laptop.  I don’t know if I should be looking forward to this, or dreading it.

All things Microsoft have been such a shitshow lately, that I am leaning strongly to the latter.

More on the coming adjustments as they develop.

VPN Time

Between LastPass pooping the bed (again!?) and Congress telling your ISP to spy all they want on you, my recommendations from back in November are now looking mighty thin without including a VPN service, to try to stick one more finger into the dike.

I will plan to do a roundup of decent and non-evil (as far as we can know) VPN services by this weekend.  But you should also start looking for your own.

One thing you can do right away that’s easy and free, is start using OpenDNS for your address lookups.  ISP spying on users always begins with DNS, so the first thing I always do is get the heck off the ISP’s DNS and on to OpenDNS or Google’s.

More on this topic later, I promise.

Passwords Again

In the wake of this week’s issues with LastPass, I see today’s brilliant Saturday Morning Breakfast Cereal takes up the topic.

The hovertext for this cartoon is, “The trick to passwords is to just reset them every time you need to log in”.  Which is kind of an interesting idea, and one that I would like to consider from a security point of view, because I hear it proposed in less jocular contexts than this one.

The standard model of a password is that it’s the “something you know” among the three factors considered for authentication: something you know, something you have and something you are (i.e., biometrics).  Using a second factor greatly improves the overall security, and I recommend it regardless of what else you decide about this.

If instead of recording or remembering your password to every site, you simply use the password reset function, have you improved the safety of your authentication to that site?  Before you adopted this strategy, your main points of weakness were the manager providing storage of your very-complex password, or the too-simple password you chose so you would not need a manager.  Now, at least, you have a really complex password (right?  RIGHT?), and you’re not storing it anywhere.

But now your main point of weakness is your email account.  Which is probably also vulnerable to the manager providing storage of your very-complex password, or the too-simple password you chose so you would not need a manager.  Not only have you simply shifted the same exact issue, you have concentrated it into the single resource that affords access to all your other resources.  It takes an already vulnerable situation and makes it a single point of failure for your entire online life.

Until we can get rid of passwords completely, somehow, I’m afraid there are not many shortcuts available.  So: make a strong password you can remember.  Use it to secure your password manager.  And, enable a second factor for every site that offers the option.

LastPass Ouch

Woke this morning to the news that my password manager of choice, LastPass, had a bug that (for the first time I can recall), put the passwords in the vault at risk.

In the linked article, Tavis Ormandy suggests dumping LastPass and going to another password manager.   But to me that’s like when it starts to rain (no lightning) and you run under a tree.  Eventually the rain works through the leaves, so now you go run for a different tree.  Well, duh!  The rain has worked through all the leaves on all the trees.

There’s no reason to think my passwords are more or less safe elsewhere.

And oh by the way as of this writing, LastPass has pushed a fix.

Vault 7

Everyone has been asking me about the new CIA hacks revealed this week by Wikileaks.

Will your cellphone be spying on you for the government?  How about your Samsung smart TV?

My bit of advice for you is this:  Get into a password manager.  Stop using social media for all your communication with everyone.  Change the default passwords on your gadgets.  Run a goddam backup.

When all that’s done, then you’re allowed to worry about the CIA.

#infosec
#toughlove

Real Security is Boring

Anyone who thinks that they want to go into Information Security for the excitement has been watching way too many of those dramatic TV shows where they throw around the prefix “cyber-” too much.  Then the slick-dressed hero, the pudgy bearded guy and the gothy teen prodigy huddle around a laptop while the giant red LED Countdown Clock of Doom makes its way toward this week’s digital Armageddon, brought to you by Travelocity.

This is how I look at work.  Exactly… never.

What a big ol’ bucket of Nope!  I could never take the stress.  Real security work looks boring.  Tracking threats, applying mitigation, then watching with satisfaction as… nothing happens.

If I have trained my user community right, every backup is running.  Nobody is clicking on dodgy email links or attachments.  Every password is unique and strong.  It’s stored in a password manager, and fortified by two-factor authentication.

It only looks boring, and it’s much easier on my blood pressure.

Cyberwar

I’m really enjoying Cyberwar on the Viceland network.  It’s rare to see this level of reporting on information security issues.  Usually, in media, it’s “HACKERS! BAAAD!  BE AFRAID!  BUY WINDOZE!”

But this is being done by a crew who recognize that there’s more to it than that.

Here, check out a recent episode:

https://youtu.be/UPXctbdBth0