April 4, 2021

Almost free cloud backup

If you're sold on having a full cloud backup of all your data -- and you should be -- but you find the cloud backup services I suggested a bit pricey, there might be an "almost free" option you could use.  It depends, though, on your having access to a lot of space on a cloud storage service like Google Drive, OneDrive, Dropbox, iCloud Drive, etc.  You might have this already, say, if you subscribe to Microsoft 365.

This solution will give you as much retention as you want of old file versions and deleted files, and will let you do point-in-time restores.

Here are the pieces of the solution:

  1. A Sync.com Free plan account, which gives you 5 GB for free (and more if you refer other people to the service).
  2. A cloud storage service (as noted above) with enough space for your entire backup. (You'll actually need somewhat more space given the versioning.)
  3. The SyncBackSE backup software, about CAD $62 one-time

Here is what you do:

  1. Divide your files logically -- in your head -- into two piles: Sensitive and Non-Sensitive.
    • Sensitive files are ones that you think need end-to-end encryption (E2EE).
    • Non-Sensitive files are ones that don't need E2EE.
  2. Then separate your files physically -- on your drive -- so that each high-level folder (say, the top level folders under your Documents folder or your Photos folder) contains either Sensitive files or Non-Sensitive files but not both.
    • Sensitive files are limited to the 5 GB or 6 GB or whatever in your Sync.com plan.
    • Non-Sensitive files are limited to whatever you have in your cloud storage plan.
  3. Buy SyncBackSE software (see above).
  4. Configure SyncBackSE to automatically and daily do this:
    • Back up all Sensitive folders to the Sync.com folder, using Versioning
    • Back up all Non-Sensitive folders to the OneDrive folder, using Versioning
If you want to get a bit fancier, you could use SyncBackSE's AES encryption abilities to encrypt files before writing them to the Non-Sensitive cloud storage. Then you don't really need Sync.com.

If you use this referral link to sign up for Sync.com, you'll get an extra 1 GB of storage.  (I will too, but I have no need for any more space.)



March 31, 2021

World Backup Day, and suggestions

Today is World Backup Day.  A CBC story.

Data backup is really important so here are a few suggestions:

  1. Ensure that all your important data is backed up to at least one and ideally to two different "places", at least one of which is in the cloud.
  2. For files that live on your computer or an external drive, your first backup should be to a cloud provider.  Your second backup can be cloud or local.
  3. If you have files that live in the cloud, you need at least one backup too, which could be on your computer or an external drive.
  4. Manual backup can work if you're diligent, but automated regular backup is much better.
  5. Cloud sync (often free, e.g., Google Drive) is not the same as cloud backup (usually paid, e.g., Backblaze).  True backup will keep deleted files and old versions of your files for at least, say, a year, supports point-in-time restore, and lets you choose which folders to back up.  Cloud sync providers usually keep these for no more than 30 days, don't support PIT restore, and only back up files you place in the single fixed folder.
  6. For sensitive data consider using a cloud provider with end-to-end encryption (E2EE), also called Zero Knowledge.
  7. For local backups (e.g., to external drives) you probably want to ensure that the data is encrypted.  (But then also ensure that your computer's drive is encrypted.  Windows 10 Home doesn't do that and Windows 10 Pro doesn't do it by default; if someone steals your computer they'll get all your data.)
  8. For mobile devices you can reduce data backup concerns by ensuring that all important data on your device actually comes from (is synced from) the cloud, or, say in the case of new photos, is automatically backed up to the cloud.

March 30, 2021

Browser extensions for privacy and security

This New York Times article lists my favorite three browser extensions for security and privacy:

Tools to Protect Your Digital Privacy

They are:

  1. uBlock Origin
  2. Privacy Badger, and
  3. HTTPS Everywhere.

There is one additional benefit of uBlock Origin not mentioned in the article, namely that advertising can contain or lead you to malware, aka, malvertising. 

March 9, 2021

How to follow blogs

Chances are that you've run across at least a few blogs or news websites that you find interesting -- maybe even this blog!  You'd love to read their new posts but you know you'll never remember to check the websites regularly.  What to do?

It's pretty easy, actually.  Use either of these services to subscribe to your favorite sites:

NewsBlur, my favorite, has a very nice free tier.

Using them is straightforward: you subscribe to the feeds you want to follow, then you only have to remember to go to the NewsBlur or Feedly website every few days or so.  They will show you in one place any new content from the sites you follow.

Subscribing to a website/blog's feed is usually simple.  For NewsBlur, click the "+" icon in the bottom left and paste in the website URL.  For example, for this blog, you would paste this:

https://www.gsharratt.com

Alternatively, you can paste the URL of the feed into NewsBlur (and you'll have to do this if the website URL doesn't work).  You can often find the feed URL by viewing the page source of the website's main page and searching for "rss" or "atom".  For this blog, for instance, the feed URL is:

https://www.gsharratt.com/feeds/posts/default?alt=rss

For websites that have multiple feeds, it's best to use the feed URL.  Websites with more than one feed will usually provide a page listing all the feeds.  Find the one you want, copy its URL, and paste it into NewsBlur.

How does this newsreader magic work?  It makes use of the RSS or Atom feeds that most (but not all) blogs and many other websites publish in parallel with their regular web (html) content.

Once you have subscribed to your favorite blogs and other sites and get in the habit of regularly checking your newsreader, you won't ever want to give it up.

Upcoming talk to Kelowna Chamber of Commerce

My previous blog post has been published in a condensed form on the Kelowna Chamber of Commerce news feed: Blog: How to Address Ransomware, Phishing, & Business Email Compromise.

And I'll be speaking on related topics as part of the Chamber's Business Smarts series on March 24.  See here for more information and registration: Business Smarts WEBINAR - Cybersecurity.

---

Update 2021-04-07: You can find a video recording of my March 24 Kelowna Chamber talk here:


March 1, 2021

How to address ransomware, phishing, and BEC

You’ve almost certainly heard of ransomware, phishing, and business email compromise as they are all over the news today.  You probably have a general idea of what they are – enough to be worried -- but how well do you understand the risks they create and how to protect your organization? 

Attackers are looking for the biggest payouts for the lowest effort and risk, and this drives the ever-changing prevalence of threats.  Ransomware is a dominant threat today because it's easier for attackers to commercialize compared to phishing.  Business email compromise is increasing because it can yield bigger payouts for attackers.  This post will discuss the threats of ransomware, phishing, business email compromise, and another one you may not have heard of, a server-side attack.  We'll then dig into what you can do about them.

Four threats

Let's start with the simplest threat, phishing to steal credentials.  Phishing is mostly delivered through email – but there are subtypes for SMS, etc. – and this type of phishing generally aims to fool the recipient into giving up their account credentials – userid and password -- using a fake login page for a cloud service. Using the stolen credentials, the attacker can obviously perform an account takeover of the cloud service account in question, but they will also likely be able to use credential stuffing to take over other accounts owned by that userid.  Credential stuffing means trying the userid/password combination on hundreds of different cloud services, and it works because most people use the same password for many of their accounts.  In other words, most users don't use a unique password per account, as they should. 

Once the attacker takes over one or more accounts, they can make money by many different means, including stealing data from the accounts then reselling the data (e.g., for credit card data) or threatening its disclosure.  (By the way, if personal information is accessed in any way, in most jurisdictions this is a privacy data breach and must be reported to the privacy authority.)

There is a related threat, a server-side attack, that involves an attacker stealing credentials from the cloud service itself instead of its users.  The attacker will break into a cloud service and steal the "passwords file", which contains the userid and the associated, obfuscated (salted and hashed) password for each of the cloud service's users.  The attacker will then perform a cracking operation to de-obfuscate the passwords, and will generally be successful for those users that haven't used a strong password. 

What makes a password "strong"?  It's sufficient length, sufficient randomness, and sufficient character-type complexity (the mix of uppercase, lowercase, digits, and symbols).  "Sufficient" is a fuzzy and moving target, but if a password isn't a bare minimum of 12 characters long, doesn't look random, or doesn't use at least three types of characters, it may not be strong enough to resist cracking.  Once passwords are cracked, there are the same risks as for phishing, such as account takeover and credential stuffing.
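As an added example (not code from the post), here are the three ingredients just described as a checker, together with the brute-force keyspace estimate that explains why length and character mix matter to an offline cracking attempt on a stolen, salted-and-hashed password file.  The 12-character and three-class thresholds are the post's; the "looks random" heuristics and the 33-symbol alphabet are assumptions of this example.

```python
"""Password strength per the post's three criteria, plus a keyspace estimate."""
import math
import string
from typing import Dict

MIN_LENGTH = 12    # the post's bare minimum length
MIN_CLASSES = 3    # of uppercase, lowercase, digits, symbols

# Character classes and the alphabet size each adds for a brute-force cracker.
# Symbol count (33 = 32 ASCII punctuation + space) is an assumption.
CLASS_SIZES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(string.punctuation + " "), 33),
}


def classes_present(pw: str) -> Dict[str, bool]:
    """Which of the four character types the password uses."""
    return {name: any(c in chars for c in pw)
            for name, (chars, _) in CLASS_SIZES.items()}


def keyspace_bits(pw: str) -> float:
    """log2(alphabet ** length) for the classes actually used: the work a
    brute-force cracker faces if it already knows which types are present."""
    present = classes_present(pw)
    alphabet = sum(size for name, (_, size) in CLASS_SIZES.items() if present[name])
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def looks_random(pw: str) -> bool:
    """Heuristics (an assumption of this example): no run of three identical
    characters, no four-character consecutive sequence such as abcd or 4321,
    and at least half of the characters distinct."""
    for i in range(len(pw) - 2):
        if pw[i] == pw[i + 1] == pw[i + 2]:
            return False
    codes = [ord(c) for c in pw]
    for i in range(len(codes) - 3):
        steps = {codes[j + 1] - codes[j] for j in range(i, i + 3)}
        if steps == {1} or steps == {-1}:
            return False
    return len(set(pw)) * 2 >= len(pw)


def strength_report(pw: str) -> Dict[str, object]:
    """Evaluate length, character-type mix and randomness; 'strong' needs all three."""
    n_classes = sum(classes_present(pw).values())
    report: Dict[str, object] = {
        "length_ok": len(pw) >= MIN_LENGTH,
        "classes": n_classes,
        "classes_ok": n_classes >= MIN_CLASSES,
        "random_ok": looks_random(pw),
        "keyspace_bits": round(keyspace_bits(pw), 1),
    }
    report["strong"] = bool(report["length_ok"] and report["classes_ok"]
                            and report["random_ok"])
    return report


if __name__ == "__main__":
    # Constructed sample passwords, none of them real.
    for sample in ("Xq7#mL9$vB2!", "password1234", "Tr0ub4dor&3"):
        print(sample, strength_report(sample))
```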

Business email compromise (BEC) requires the most effort for the attacker.  In a typical compromise, the attacker will get access (through one of a variety of means) to an email account for an organization head or financial head and will monitor the email traffic for a while.  Once the attacker understands the organization's financial processes and which employees are involved with financial transfers, they will send a fake email (from a fake account, often with a similar-looking domain name) to an employee requesting a wire transfer to some outside destination.  If the deception is not detected in time, the attacker will receive the transfer.

The last, and probably most important, threat we'll discuss is ransomware.  This is a type of malware usually delivered through phishing emails (but not the credentials-stealing kind), and it is rapidly surpassing other types of malware and phishing because of its ease of monetization.

For email-based ransomware (and other malware), a user will typically be fooled into executing a file attached to an email or to clicking on a link in an email and downloading a file, resulting in a compromise of their device by the attacker's malware (i.e., malicious software).  Ransomware encrypts the infected computer's files in place and then demands a ransom payment to provide the decryption key; and the ransomware will typically try to spread to other computers in the organization.  If the organization decides to pay the ransom (it's a complex decision) and is very lucky, the key will work; otherwise the data is irretrievably destroyed. 

Increasingly, though, ransomware does more than encryption: it will send a copy of the victim's data to the attacker's server before encrypting it, and the attacker will additionally (and maybe on more than one occasion) threaten to publicly release the data if the ransom is not paid.  Whereas a data backup is a good recovery mechanism for ransomware's encryption, there really is no way to mitigate a public release of data, which makes victims more willing to pay.  (Note that both cases would generally be considered privacy data breaches if personal data is involved.)

Mitigations

If we analyze the four threats in detail and look at how to mitigate the resulting risks – i.e., prevent them, reduce their effect, or recover from them -- it turns out that we need two different sets of mitigations, aka security controls:

  • controls that address the primary risks of account takeover and credential stuffing, and financial loss for BEC – let's call this Type 1; and
  • controls that address the primary risks of device compromise (by malware) and destruction of data – we'll call this Type 2.

Mapping these risks to the four threats above:

  • Type 1 controls are for credentials-stealing phishing, business email compromise, and credentials-stealing server-side attacks; and
  • Type 2 controls are for malware and ransomware.

Both types are also mitigating a variety of secondary risks, including financial loss and theft or exposure of data.

The controls

So what are these two amazing sets of security controls?  They are for the most part the basic set of security controls that security professionals call "security hygiene" – fundamental security controls that every organization should implement as a matter of course before getting into anything fancier. 

The Type 1 controls are focused mainly on protecting credentials:

  • user security awareness training;
  • the proper use of passwords: mainly ensuring they are strong and unique;
  • the use of a password manager: as the best way of properly managing passwords;
  • the proper use of the password manager, including using it to autofill login pages: whereas a user can be phished by a fake login page, a password manager will notice the fake page's incorrect domain name and will refuse to autofill the credentials into that page;
  • use of two-factor authentication (2FA)/multi-factor authentication (MFA): as a second line of defense on an account in case the account's password is compromised; and
  • for BEC in particular, setting up a proper verification process for financial transactions, such as through the use of out-of-band verification like a phone call or walking over to talk to the sender: to catch fraudulent requests.
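The autofill control above works because a password manager matches sites by domain, not by how the page looks.  As an added example (not code from any password manager), here is that check in simplified form: a saved login is offered only on an HTTPS page whose registrable domain equals the one it was saved for, so a look-alike domain or an attacker-controlled host that merely contains the real name gets nothing.  Real managers consult the Public Suffix List; PUBLIC_SUFFIXES and the vault entries below are constructed stand-ins and an assumption of this example.

```python
"""Domain matching as the reason password-manager autofill resists phishing."""
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (assumption of this example).
PUBLIC_SUFFIXES = {"com", "net", "org", "ca", "co.uk", "com.au"}


def registrable_domain(url: str) -> Optional[str]:
    """Return the registrable domain of a URL ("accounts.example.com" ->
    "example.com", "shop.example.co.uk" -> "example.co.uk"), or None when the
    host is missing, is itself a public suffix, or ends in an unknown suffix."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    if not host:
        return None
    labels = host.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            # The registrable domain is the label just left of the public suffix.
            return None if i == 0 else ".".join(labels[i - 1:])
    return None


def should_autofill(saved_url: str, page_url: str) -> bool:
    """Fill only on HTTPS pages whose registrable domain equals the saved one.
    A page that merely looks like the login page never matches."""
    if urlsplit(page_url).scheme != "https":
        return False
    saved = registrable_domain(saved_url)
    return saved is not None and saved == registrable_domain(page_url)


# Constructed vault: (site the login was saved for, username).
VAULT: List[Tuple[str, str]] = [
    ("https://login.example.com/", "alice@example.com"),
    ("https://example.co.uk/account", "alice-uk"),
]


def logins_for_page(page_url: str, vault: List[Tuple[str, str]] = VAULT) -> List[str]:
    """Usernames the manager would offer on this page; empty on a fake login page."""
    return [user for site, user in vault if should_autofill(site, page_url)]


if __name__ == "__main__":
    for url in ("https://accounts.example.com/signin",        # real site: filled
                "https://example.com.evil-login.net/signin",  # fake: nothing
                "https://examp1e.com/signin",                 # look-alike: nothing
                "http://example.com/signin"):                 # not HTTPS: nothing
        print(url, "->", logins_for_page(url))
```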

The Type 2 controls are targeted mainly at spam and malware:

  • user security awareness training;
  • the use of an email anti-spam/malware filter: to stop phishing emails before they reach users;
  • security hardening of devices, especially computers, by locking down operating system (OS) security-related settings and the use of antimalware ("antivirus") and anti-ransomware software or, for larger organizations, endpoint protection software/services: to prevent malware from successfully running if a user falls for it; and
  • the use of data backup, to a cloud backup service or a local backup drive, or ideally to both: to recover from the destruction of data by ransomware.

User security awareness training is listed first for both types of controls because it's usually the most important control that organizations can put in place.  Properly trained employees could forestall many risks even in the absence of many technical security controls (such as password managers, 2FA, spam filters, hardening, antimalware, etc.) – but conversely, the best technical security controls can be bypassed or rendered ineffective by unaware employees.

All organizations should properly train their employees on security (and privacy) risks – starting as soon as possible and then at least annually.  They should also choose the right mix of technical security controls to fit their organization, risk tolerance, and budget.  Every single organization, though, should have all the Type 1 and Type 2 security controls listed above as a minimum.

For more

This has been only a brief introduction to some common cybersecurity threats that most organizations face, and to how to start addressing them.  If you want to learn more – and I strongly encourage you to do so – there is no shortage of information available.  Most everything you might want to know is on the Internet, so you can do a web search for any of the terms in this post.  You can also read some of my other blog posts; see my blog map for an index of useful posts.

February 18, 2021

Password manager comparison: LastPass vs. Bitwarden

The March 16, 2021 severe change to LastPass Free (see here) shakes up the password manager choices a bit.

Both LastPass and Bitwarden have multiple tiers, and, of course, the functionality doesn't exactly line up between the similarly-named tiers.  The table below should help you decide which tier of which password manager meets your needs.   I haven't shown LastPass Free because the new limitation makes the Free tier essentially unusable for the vast majority of users.

Unless you badly want a free service and think you'll stay there a long time, I suggest looking only at the Premium and Family(ies) tiers.  The main deciding factor between the two Premium tiers is probably the differences in the sharing features.


Feature/Area | LastPass Premium | LastPass Families | Bitwarden Free | Bitwarden Premium | Bitwarden Family
Cost | USD $36 | USD $48 | $0 | USD $10 | USD $40
Ease of use | Good | Not as good | Not as good
File attachments | 1 GB | 0 GB | 1 GB
Sharing | Individual items: Unlimited sharing with any number of users; Folders: 1, with any number of users | Individual items: Unlimited sharing with any number of users; Folders: 1, with any number of users; unlimited within family | Folders: 1, with only 1 other user | Folders: 1, with only 1 other user | Folders: unlimited within family
Vault security check-up | Yes | No | Yes
2FA for itself | Yes | Yes | Yes
Authenticator feature | Yes | No | No | Yes
Emergency Access | Yes | No | Yes
Account recovery | Powerful (e.g., locally-stored OTPs) | Weaker | Weaker

Replacement for LastPass Free password manager

Starting March 16, LastPass's Free plan password manager will be essentially unusable; see here for more details.  Only users that don't have a computer (i.e., have only phones and/or tablets) will find this new limitation of LastPass Free acceptable; everyone else will need to move to something else.

I have recommended LastPass Free for years but that's not going to work now.  If you're looking for a free replacement for LastPass Free, and you care about security and privacy, Bitwarden Free looks like the best bet.  If you search you'll find a huge number of glowing reviews on the web.  It's not too hard to export your vault from LastPass and import it to Bitwarden.

However, if you're happy with LastPass, consider staying with it and upgrading to LastPass Premium, for USD $36 a year.  In addition to more powerful sharing, 1 GB of file storage (instead of 50 MB), more 2FA options, and tech support, you'll get the feature that I recommend everyone make use of: Emergency Access.

Bitwarden Premium, USD $10/year, also has an Emergency Access feature.

It doesn't matter which you use -- LastPass or Bitwarden or something else -- but it's essential that you use a password manager, and use it properly.  See my blog post on this.

---

Update 2021-03-16: If you're part of a family or have a small group of like-minded friends, the LastPass Families or Bitwarden Families plans can save you a lot of money.

February 15, 2021

Winter hiking equipment

If you're going to be hiking in the winter -- in a place with snow like British Columbia -- you really need good traction devices.  For general-purpose hiking, microspikes are definitely the way to go.

You can't go wrong with these two models, both of which I use all the time:

1. Hillsound Trail Crampon

https://www.hillsound.ca/collections/traction-devices/products/trail-crampon

REI has them but also check out https://www.google.com/shopping

2. Kahtoola MICROspikes Footwear Traction

https://kahtoola.com/product/microspikes/

MEC has them

The Hillsound have 1/2" spikes while the Kahtoola have 3/8" spikes.  If I had to pick one, it would be the Hillsound.

In the Okanagan winter hiking is usually on a mixture of snow, ice, and dirt and rocks.  I happily used Yaktrax Pro in Vancouver for years but as soon as I moved to the Okanagan they failed, because the rubber was quickly ground down by the dirt and rocks.  In retrospect, microspikes would have been better than Yaktrax in Vancouver too.

February 3, 2021

Local backup for professionals and organizations

My previous post talked about backup in general and cloud backup in particular.  I promised that my next post would finish by covering local backup.  Here it is.

First, the "why".  Recall that my previous post recommended you start by backing up your data files to the cloud.  Assuming that you're doing this, why would you also want to back up locally, that is to an external drive of some kind in the same room or building as your computer?

There are several excellent reasons:

  1. You need a second backup because one is not enough.  As mentioned in my previous post, a key tenet of information security is defense in depth. When applied to backup, this means having at least two backups of your data, in case something goes wrong with one of them.  You should start with a cloud backup, so your second backup should be a local backup.
  2. With a local backup you have the flexibility to set your own retention policy.  Your cloud backup may keep deleted files and old file versions for, say, only six months or a year, but with a local backup you can easily keep them for several years or even forever if you have a large enough external drive.
  3. Your local backup could be an external drive sitting by your desk, but you have other options too.  You could use a small portable drive or a flash drive and store it most of the time in your fire safe, or you could have two drives and swap them weekly or monthly between being attached to your computer and being in the fire safe, hidden in your home, or in a safety deposit box.  The sky's the limit on the possibilities.
  4. A very secure cloud backup is at least $100 a month -- every month, forever -- but a nice external drive can be purchased for $200 and will last for many years.  You can't dispense entirely with the cloud backup, but if you're price conscious you can use a less expensive (and less secure) cloud backup if you also have a local backup that you take care of well.
  5. If you need to restore a lot of data from your backup – perhaps your entire computer's worth – a local restore will likely be a lot faster than a cloud restore.  And a large cloud restore might use up enough of your monthly ISP data budget to cost you money, whereas a local restore is always going to be free.
  6. Finally, backing up locally offers a type of backup that is usually not done for a cloud backup: a system image backup.  A data backup, or files backup, includes just a user's files, but a system image backup is a backup of a computer's entire main drive, including the user's files, application software and settings, and the operating system.  Due to its size, it's usually not practical to transfer a system image backup to the cloud – but it's very easy to store it on a local drive.  Having a system image backup is not essential, but it's a much faster way to recover from a major computer failure.  Without a system image backup, recovery means reinstalling the OS and all applications, configuring (including hardening) the OS, configuring all applications, and restoring the user's data; whereas with a system image backup, it's a single restore operation that does everything in one step.

Encryption

In my previous post I listed three backup-specific requirements: sufficient confidentiality, sufficiently long retention, and support for point-in-time restore.  These of course apply to local backups too, and you may want to reread that part of my previous post before continuing on here.  Local backup software typically provides sufficient retention and a point-in-time restore, but confidentiality needs more discussion.
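Retention and point-in-time restore are what separate true backup from cloud sync, the distinction drawn in the World Backup Day post (item 5), relied on by the versioning in the "almost free" SyncBackSE setup, and required again here.  As an added illustration (not SyncBackSE, CrashPlan or any product's code), this small in-memory model keeps every changed version and every deleted file as a tombstone so any earlier run can be restored, and applies a retention policy that prunes old versions without losing the state at the retention boundary.  The paths, contents and run numbers are constructed.

```python
"""Versioned backup with point-in-time restore and retention, in memory."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Version:
    run: int               # backup run that captured this version
    data: Optional[bytes]  # None is a tombstone: the file was deleted in this run


@dataclass
class VersionedBackup:
    history: Dict[str, List[Version]] = field(default_factory=dict)
    runs: int = 0

    def run_backup(self, source: Dict[str, bytes]) -> int:
        """Record one scheduled run over the source tree (path -> contents).
        Unchanged files get no new version; files that vanished from the
        source get a tombstone, while their older versions are kept."""
        self.runs += 1
        for path, data in source.items():
            versions = self.history.setdefault(path, [])
            if not versions or versions[-1].data != data:
                versions.append(Version(self.runs, data))
        for path, versions in self.history.items():
            if path not in source and versions[-1].data is not None:
                versions.append(Version(self.runs, None))
        return self.runs

    def restore(self, at_run: Optional[int] = None) -> Dict[str, bytes]:
        """Point-in-time restore: the tree exactly as it stood after `at_run`
        (default: the latest run). A sync folder, which only mirrors the
        current state, cannot answer this question."""
        if at_run is None:
            at_run = self.runs
        tree: Dict[str, bytes] = {}
        for path, versions in self.history.items():
            current = None
            for v in versions:
                if v.run <= at_run:
                    current = v
            if current is not None and current.data is not None:
                tree[path] = current.data
        return tree

    def prune(self, keep_runs: int) -> int:
        """Retention policy: keep everything from the last `keep_runs` runs plus
        the single newest version at or before that boundary, so the boundary
        state stays restorable. Returns the number of versions dropped."""
        cutoff = self.runs - keep_runs
        dropped = 0
        for path in list(self.history):
            versions = self.history[path]
            old = [v for v in versions if v.run <= cutoff]
            recent = [v for v in versions if v.run > cutoff]
            kept = old[-1:] + recent
            if len(kept) == 1 and kept[0].data is None:
                kept = []  # only a stale tombstone remains: forget the path
            dropped += len(versions) - len(kept)
            if kept:
                self.history[path] = kept
            else:
                del self.history[path]
        return dropped


def demo() -> VersionedBackup:
    """Three daily runs over a constructed source tree."""
    backup = VersionedBackup()
    backup.run_backup({"notes.txt": b"draft 1", "old.csv": b"rows"})
    backup.run_backup({"notes.txt": b"draft 2"})                # old.csv deleted
    backup.run_backup({"notes.txt": b"draft 2", "new.md": b"hi"})
    return backup


if __name__ == "__main__":
    b = demo()
    print(b.restore(1))   # the day-1 tree, deleted old.csv included
    print(b.restore())    # the latest tree
    print(b.prune(keep_runs=1), "versions pruned")
```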

For a local backup, confidentiality means encrypting the external drive, and this can be done by the backup software and/or the operating system.  All backup software provides encryption, but encryption in the backup software that comes with many backup drives may not be sufficiently well implemented and secure.  If your computer's OS has the ability to encrypt external drives, use it; in this case you don't need to use the encryption feature of the backup software.  

If your OS can't encrypt external drives, you're probably on Windows 10 Home, in which case your computer's main drive is not encrypted either.  This is a bad situation and you should upgrade to Windows 10 Pro, which will give you the BitLocker feature.  BitLocker gives you the ability to encrypt not only your computer's main drive but also any external drive, such as the one you're going to use for backup.  

If for some reason you decide not to use the OS to encrypt your backup drive, you have four choices:

  1. don't encrypt the backup drive – not a good idea unless the data is not sensitive
  2. use the encryption built into the backup software that came with your backup drive – easy but not recommended, as discussed above
  3. use the encryption built into third-party backup software – a good choice, see below
  4. use quality third-party encryption software like VeraCrypt to encrypt the backup drive – a great choice

Whether you're using the OS, third-party software, or your backup software to encrypt the drive, make sure you store the encryption password in your password manager.

Backup software

What backup software to use?  Let's talk about data backup first.  You can use the backup feature built into your computer's OS or you can use third-party software.  Here are some good choices:

  • Windows 10 File History – Don't use the older "Backup and Restore (Windows 7)" feature
  • macOS Time Machine – If you have a Mac
  • CrashPlan – It's a (great) cloud backup service, but it also allows backing up to a local drive.
  • Macrium Reflect Home Edition – It's primarily (great) system image backup software, but it also supports backing up just data files.
  • SyncBackSE – It's pure backup software that works very nicely.  You need the SE version (not the Free version) in order to get the critical Versioning feature.

CrashPlan, Reflect, and SyncBackSE will all do a good job of encrypting your backup, if you so configure them.

You could also use the backup software, if any, that comes with your external drive to perform your backup.  It's generally best, though, as discussed above, if you don't use the software's encryption capabilities.

For system image backup, here are some good choices:

  • On Windows, there is no good system image backup feature built in. (Don't use "Backup and Restore (Windows 7)": it's old and crotchety and even Microsoft recommends using third-party system image backup software instead.  Definitely don't try it if you use BitLocker.)
  • macOS Time Machine – If you have a Mac
  • Macrium Reflect Home Edition – Very nice software that supports BitLocker well
  • Acronis True Image – People seem to like it, but I recommend you stay away from it if you use BitLocker.

Backup drives

Finally, we get to the bottom level of the stack: the backup drive hardware.  You have many choices, including desktop backup drives, portable backup drives, and flash drives.  Desktop and portable drives used to always be hard disk drives (HDDs) but solid-state drives (SSDs) are now starting to appear at reasonable prices.  Flash drives, which are essentially small and slow SSDs, are now available for reasonable prices up to 512 GB, and would be useful if you want to hide your backup drive.

You should obviously buy a drive that has an interface that your computer supports.  USB is the most common, but pay attention to the physical connector and the USB version number.

Speed is not that important for a backup drive but size does matter.  You can never have enough backup storage, and right now the sweet spot seems to be about 8 TB for HDDs, which are currently the best choice for most people.

WD (Western Digital) and Seagate are respected brand names in HDDs.

Parting words

As mentioned above you absolutely should have more than one backup because things always go wrong.  My last post suggested that you add backups in this order: (1) a cloud backup, (2) a local backup, (3) a second cloud backup, and (4) a second local backup.  How far down the list you go depends on how important your data is and how paranoid you are.

A final recommendation: make sure you occasionally do a test restore of all your backups, both local and cloud.  Otherwise you might discover – just when you need it the most -- that your fail-safe has failed and can't be restored from.