Backups are an important part of keeping your devices secure - as mentioned last episode, backups not only help with lost devices but also let you easily and confidently wipe a compromised computer and get back to work quickly. Liz and Geoffrey take a look at different types of backups, including cloud versus local backups.
- 1:07 - Security news: Twitter engineer recruited by the Saudi government to look at the accounts of dissidents and privacy researchers
- 2:32 - Security news: Google seems to now require manufacturers to install security updates for Android for at least two years
- 3:28 - Security news: Healthcare.gov breach
- 4:15 - Security news: Apple's new privacy portal
- 5:04 - Security news: lock-screen bypass vulnerabilities in iOS 12
- 6:30 - Backup types and scheduling
- 10:07 - File versus image backups
- 12:30 - Local storage, RAID, and encryption
- 16:52 - Apple's Time Machine backups and Windows backups
- 18:37 - Cloud backups
- 20:46 - Ransomware concerns
Show notes & further reading
Built-in backup software
For Mac users, Time Machine is built in and well designed, and supports many options for a backup target. If you're looking for local backups, we'd suggest starting here. In particular, Apple fans with an AirPort router will appreciate that Time Machine lets them plug an external hard drive into their router and back up directly to it without complex setup.
Windows 10 also has built-in backup software - two tools, in fact, the new "File History" tool and the older "Backup and Restore" tool from Windows 7. They work in slightly different ways. Lifehacker has a pretty detailed walkthrough: they recommend using File History for versioned, file-level backups of important directories and Backup and Restore for image-based backups in case something goes very wrong. The Windows tools take a little bit more effort to set up than Time Machine, especially if you want to use a NAS or external drive, but it's still a pretty good choice.
Other than macOS's built-in Time Machine, there aren't any products that either of us use regularly enough to feel comfortable recommending. There are roughly a half-dozen major cloud backup vendors - you can see recent reviews at sites like Wirecutter, Tom's Guide, and PCWorld. If you're looking at slightly older reviews, note that CrashPlan, one of the bigger players, recently shut down their $5/month "CrashPlan for Home" offering - although they are happy to have individuals sign up for their small business plan, which is pricier but still within reason.
Similarly, for local backup devices and software, we'd suggest taking your own look at reviews. Wirecutter actually has an entire article featuring their various backup product recommendations, including external hard disks and NASes, and there are many sites reviewing third-party Windows software for backups. (With software and especially with freeware, we'd caution you to check multiple reviews and make sure the company has a reputation for writing quality software before you install something and entrust it with all your files!)
In the news
The reporting from The New York Times on a "suspected mole inside Twitter" was part of a longer article about Saudi Arabia's influence campaigns on social media, and in particular a "troll farm" aimed at recently-murdered journalist Jamal Khashoggi. There more analysis from The Verge, which links the "troll farm" with a report from last week on a pro-Saudi propaganda botnet.
Jose Rodriguez posted three videos recently on his YouTube channel demonstrating lock screen bypasses, two on iOS 12 and one on iOS 12.0.1. The last one is still unfixed at the time we published this episode, and he's expressed skepticism on Twitter that it will be fixed soon. (Update: The evening after we published this episode, Apple released iOS 12.1 which does fix the third bug.) The videos are in Spanish (there's no narration, but the UI including Siri is in Spanish); YouTuber EverythingApplePro also has a demonstration of the technique with enthusiastic English narration.
You can disable Siri from the lock screen by going to the Siri settings page, but if you don't use Siri and want to completely prevent it from running, there's a way to do this using the Screen Time feature, basically iOS's built-in parental controls-style setting. In the settings app, go to Screen Time, then Content & Privacy Restrictions. Pick a four-digit passcode if you haven't already set up Screen Time (this one doesn't need to be strong, since you're not using it for security, just memorable). Under "Allowed Apps", uncheck "Siri & Dictation." (In older versions of iOS without Screen Time, the Restrictions page is under general settings - but you should be on the latest version of iOS to get other security fixes anyway!)
Geoffrey Thomas (GT): Liz, have you figured out what you're going to be for Halloween?
Liz Denys (LD): I have! I'm going to be Doctor Who!
GT: Oh, because time travel is awesome?
LD: That's certainly part of it!
GT: I wish I could time travel.
LD: You could time travel through your computer's history if you made regular backups!
GT: Oh, yeah. Backups can be a lifesaver when you needed to see how a file looked a few weeks ago and you want to go back in time.
LD: Or if you're computer gets infected with nasty malware, and you're having trouble getting rid of all of it.
GT: Right, you can just restore from an older backup!
LD: So, Geoffrey, what are you going to be for Halloween?
GT: I wasn't sure, but I think I'll carry a microphone and an external hard drive around and tell people I'm a backup singer.
Intro music plays.
LD: Hello and welcome to Loose Leaf Security! I'm Liz Denys,
GT: and I'm Geoffrey Thomas, and we're your hosts.
LD: Loose Leaf Security is a show about making good computer security practice for everyone. We believe you don't need to be a software engineer or security professional to understand how to keep your devices and data safe.
GT: In every episode, we tackle a typical security concern or walk you through a recent incident.
Intro music fades out.
LD: There's some unusual news about Twitter privacy recently. The New York Times reported that in 2015, a senior engineer at Twitter had been recruited by the Saudi government to look at the accounts of dissidents and privacy researchers.
GT: This employee was a site reliability engineer, which is a position that I've interviewed for at several companies. They test your technical skills and of course they do a background check, but there's really very little to test whether you're the sort of person who's going to go access private data. Or whether you're fine now but you're going to be "groomed," as the Times puts it, after you're hired. And by the nature of the work, site reliability engineers need pretty unrestricted access to the systems they're responsible for, to debug unexpected problems.
LD: According to the Times, they weren't able to determine whether he passed data on to the Saudi government, but they ended up firing him and sending notices to the people whose accounts he accessed. This included people who worked for the Tor Project, a worldwide system of proxies for privacy and censorship circumvention, as well as other privacy researchers, journalists, and similar folks.
GT: You might have heard about these notices before - Google has similar ones. They say that they suspect a "state-sponsored attacker" of trying to break into your account, and it's a sign that you should beef up your account security in a hurry.
LD: Except in this case, because the threat was from inside Twitter, no amount of strong passwords or two-factor authentication could have helped.
GT: I guess it's a good reminder that, however much you trust a big company as a whole, it's still made up of a lot of people with a lot of different personal motivations.
LD: The Verge got their hands on a contract between Google and an Android manufacturer, and it seems that Google's now requiring manufacturers to install security updates for Android for at least two years.
GT: The rules apply to phones with a hundred thousand devices sold or more. Starting this past July, manufacturers were required to apply security updates to 75% of those devices, and that goes up to 100% in January.
LD: Updates must cover bugs found within the last 90 days - which is still a pretty long time, but it's a lot better than what most Android phones have been delivering for a while.
GT: This is a massive security improvement for lower-end Android devices. As we discussed in our episode "Comparing Android and iOS security", Apple's devices tend to get security updates for four or five years, but even two years was unusually high for all but the most expensive Android phones.
LD: Google has been discussing improvements in their requirements for manufacturers, but the leaked contract provides concrete details, and they sound like a meaningful step forwards.
GT: Recently the government agency behind Healthcare.gov announced that files on 75,000 people had been breached. These files originated from the system that supports you signing up for insurance on an insurer's website, where it redirects you through Healthcare.gov to confirm eligibility.
LD: The latest news is that they believe that no banking or confidential health information was leaked, but enough personal information was accessed to leave people at risk of identity theft.
GT: I guess in the modern world with everything computerized, these sorts of things happen. You should use unique passwords on each website in case of a password breach, but there's so much more data at risk, too.
LD: The agency will offer free credit monitoring services to people affected. This is getting outside the realm of personal digital security, but there are steps you can take to be proactive like checking your credit reports periodically, and it's worth looking those up.
GT: In better privacy news, Apple has a new privacy portal that lets you download all the data associated with your Apple ID from a single page, and also deactivate or delete your account if you want.
LD: This came out of a GDPR requirement, but it's now available for people in the US and some other countries, too.
GT: I went there because I'm curious what they have - I have an iPhone, but I use iCloud for almost nothing - and they said it will take up to seven days to give me a download link.
LD: Yeah, same for me. They say it's a security feature, to make sure it's actually you requesting the data, which is great - we talked last episode about how some of these GDPR data download buttons have the risk that someone who breaks into your account might run off with all your data in just one click.
GT: They emailed both my regular email and backup email to let me know that the request was happening, so hopefully if my Apple ID had been stolen, I would have seen at least one of these emails and been able to cancel it.
LD: A little less good Apple privacy news: researcher Jose Rodriguez discovered three lock-screen bypass vulnerabilities in iOS 12, which let you view the phone's address book and photo album without unlocking it. One of them still works in iOS 12.0.1.
GT: The videos are pretty fascinating - basically the trick is to use Siri, Apple's voice-based assistant, to enable VoiceOver and accessibility mode. iOS intentionally lets you do a couple of restricted things from a lock screen, like text someone back who's calling you. But if you use accessibility mode, you can seemingly access restricted parts of the interface, like attaching photos to the text message. A workaround for now is to disable Siri from the lock screen. In the Settings app, there's an option in the "Siri & Search" menu to do that. Since the only way to enable accessibility mode with the phone locked is to ask for Siri to turn on VoiceOver, this prevents the lockscreen bypass vulnerability from working.
LD: I'm pretty paranoid, and honestly, I've never enjoyed having a voice assistant for my phone anyway, so I've just kept Siri off entirely. To completely turn off Siri, not just turn of how and when to launch Siri, you can go to the "Restrictions" part of Settings, which is now under Screen Time - you can disable Siri entirely there and prevent it from running at all.
GT: That makes sense. Siri's gotten increasingly powerful in recent versions of iOS, so if you don't use it, you might as well reduce your attack surface.
Interlude music plays.
GT: Last episode, we talked about a bunch of nasty things someone with physical access to your computer could do, and how it's difficult to detect what that attacker did, even if you knew they did something.
LD: If an attacker has gotten into your system because they had physical access or maybe you suspect you've gotten malware or ransomware, you can't assume you'll track down everything that's been affected. The safest way to recover is to abandon what you have and restore from backup. We'll talk more about avoiding malware in our next episode when we talk about operating systems and software in more depth.
GT: Backups are also really handy to have on hand in case you lose your laptop or your computer suffers from a hardware problem and you need to get to files you can't get to anymore. They also make switching to a new computer a lot easier.
LD: Yeah! Availability is a pretty important consideration in security. If you don't have a computer, you'd technically be "secure", but that's a rather impractical way to be secure.
GT: There's a handful of different ways to do backups, and a few main things to consider when deciding how to backup your computers and files.
LD: When people talk about backups, they might mean a variety of things. The simplest version of a backup is just a single second copy of all your files.
GT: Okay, I have to admit something. I don't actually do regular backups of all my files, but like now that we've researched this episode I think I really need to start. But I have been keeping a second copy of my most important files - like my tax returns, pay statements, personal projects I'm working on like blog posts and code I'm writing - in a separate place.
LD: You just do this all manually?
GT: Yeah, when I'm done with filing taxes I make sure to save a PDF to my downloads directory and also copyt that to a cloud storage service. But it doesn't cover everything - and I did have an old laptop's hard drive die recently - so I'm starting to think about keeping a copy of everything.
LD: Yeah, keeping a single copy of all your files can be be really helpful if your hard drive fails and you can't access anything, but a simple copy of the contents of your hard drive isn't so helpful if you've made this copy after you've already deleted something you later realized you still needed.
GT: Or if you figure out you've had malware on your computer for a while, and your backup copy was made after your computer got infected.
LD: A better backup system will do versioned backups - instead of just having a single copy whenever you make it, a versioned backup system will allow you to recover from multiple points in time when it's made snapshots of your files.
GT: Under the hood, most versioned backup systems aren't just copying over everything every time it creates a backup - there's no real need to create multiple copies of the files that haven't changed - and versioning backups are going to figure that out for you.
LD: Once you're getting more than just a single snapshot out of your backup system, there's a question of how often you should be backing up. Ideally, your backups will happen on an automatic schedule, so you don't have to worry about remembering to backup your computer.
GT: Then there's the question of how frequently you should be making backups. Maybe you want them once a month, a week, every night, or maybe you want what's called "continuous backups", where any time you create a new file or modify an existing file, your backup software immediately backs it up. Continuous backups are probably overkill for most people, but if you're working on something important, you might want to proactively make a backup copy as you go.
LD: My normal backups run every day, so after we record this podcast, I immediately backup our sessions, just in case anything goes really wrong during editing and I haven't made that nightly backup yet.
GT: Often, backup systems will keep backups at a mix of frequencies - maybe they'll keep a daily backup for the last week, weekly backups for the last month, and monthly backups for a few months before that.
LD: Generally, backups run in the background and a good backup program will only be copying over new and changed things, so doing backups more frequently won't really slow you down. In fact, each backup takes less time, so it's easier to fit them in.
GT: This is a pretty good setup for recovery - you have a lot of recent backups to choose from if you discover something wrong with your computer, so you can probably find one that isn't missing too many recent files, but is missing whatever went wrong.
LD: There are also two main types of backups - file backups and what's known as image backups. File backups are just what they sound like, a backup of files you create. They're really useful for keeping extra copies of projects you work on or for things like vacation photos. Image backups aren't about photos: they make a full snapshot of your hard drive - files, programs, configurations, everything.
GT: One thing to note is that image backups are identical copies of everything on your disk. As we discussed last episode, you can often retrieve deleted files that haven't been overwritten yet, because file systems generally don't actually zero out the contents of deleted files, they just mark the space as free to reuse. So an image backup, which is an exact image of your disk, might contain bits of files that you thought were deleted.
LD: It's not reliable enough if you want to recover deleted files - you should keep backups for longer if you actually want to be able to restore files you deleted in the past. But if you want the file gone, keep in mind that image backups will cause you to have more copies of that file around - some of them that are kind of subtle to find. We'll talk more about securing your backups shortly, but it is important to keep the tradeoff in mind.
GT: That's also true of file-based backups. If you have something you want deleted, remember that there's a copy of it in your older file-based backups if you're doing versioned backups, which is another reason to keep your backups secure regardless of what type of backups you're doing.
LD: It's often harder to see individual files when you're making image backups, though some systems make this easier than others. But if you need to recover your computer or switch to a new one, image backups make life a lot easier - you can just restore everything from them instead of having to reinstall programs or reconfigure operating system settings.
GT: If you have a lot of customizations to your computer or use a lot of programs, image backups are really helpful for recovery.
LD: Even if you don't think things are that complicated, having them saves a lot of time if, say, your hard drive dies like my laptop's did right around when we started this podcast. I am always surprised by how easy it can be to restore a new drive from your old setup with image backups.
GT: Yeah! But you don't use only image backups, right, Liz?
LD: Right, I like to have image backups of my laptop so that I can do this, but a lot of my work takes up a lot of disk space - especially now that we're doing a podcast and those uncompressed raw files are really large - so I don't actually have all of my projects on my laptop, which means they don't all get backed up with my laptop's image-based backups. I store older projects and photos on a network attached storage device, which is essentially a bunch of external hard drives with some extra bells and whistles, and then I back that up to the cloud.
GT: It's good to think about a combination of backups for your different needs - things you want to access regularly versus long term storage of things you don't want to lose but don't necessarily want to keep on your main computer. Which brings us to different places you could store your backups. The main options are physically somewhere else in your house - either on an external hard drive or a network attached storage device - or in the cloud.
LD: Let's talk a little about storage options that aren't in the cloud first. An external hard drive is probably the simplest to set up, but unless you're attaching it to your home wifi router, which may or may not be very straightforward, you're going to have to remember to plug it into your computer to do your backups.
GT: This might not be too frustrating if your computer always stays plugged in in one place, like a desktop or if you just never happen to move your laptop, but if you don't regularly connect to your external drive, you're not going to get the regular backups you desire.
LD: Instead of physically plugging into an external hard drive, you could attach the drive to your wireless network, either directly, which is especially easy if you have a Mac and one of Apple's routers, or through what I mentioned earlier, a network attached storage, or a NAS for short.
GT: There's a handful of consumer grade NAS devices that are pretty easy to set up, but they're a lot more expensive than just a hard drive. On the other hand, they usually will allow you to set up a RAID, which stands for a redundant array of independent disks. RAID allows you to use multiple smaller capacity, cheaper disk drives and create a single entity that acts like a larger, more expensive and more reliable disk drive. There are different RAID configurations: usually, they allow one or more of the smaller disks to die without losing data.
LD: If you use one of those configurations and one of those drives fails, you still will be able to recover your data from the other drives or re-expand to the original configuration with that built-in protection against a drive failure, but it isn't backup. Those sorts of RAID setups are kind of like tires on trucks. Big trucks have more than just two wheels and more than just two tires on every axle, which helps them safely carry their large loads. If one tire starts to go flat, the load will still be supported by the extra wheels' tires, but this doesn't protect against all possible problems for the truck - if the truck gets hit in an accident, the load might get lost because of that collision. RAID is similar - the protection against a drive failure helps, but isn't the same as having a separate backup because something with the whole RAID could go wrong.
GT: With either external hard drives or a NAS, if something horrible happens in your apartment, like a fire, you won't have another backup. Storing stuff in the cloud, like on Dropbox or Google Drive or another dedicated cloud backup product, will help protect you from that.
LD: Putting your data in the cloud has some risks - if the service gets breached, what you put there could get exposed. Instead of just having the risks of someone getting physical access to your computer and its backup hard drives, like we talked about last episode, you're vulnerable if the service you used gets breached.
GT: Or to software bugs like that time Dropbox accidentally made passwords optional for four hours. There's definitely trade offs with storing things in the cloud.
LD: You can increase your protection against both a physical attacks and cloud weaknesses by encrypting them with a strong key, just like we talked about for your computer itself last episode
GT: If you're backing up a computer that does hardware disk encryption, like a PC with a TPM chip, backup software probably wouldn't be making backups with that same hardware protection. You'll probably want to make sure your backups are also encrypted in case someone gets your backup drives.
LD: Also, it wouldn't be a particularly effective backup if it needed that hardware chip to unlock them - if you lost your computer or the chip got damaged, you'd completely lose access. One thing to keep in mind is that taking the drive out and making an image copy of that drive would be making a backup that needed the chip to unlock. If you're using an automatic software backups system from within your operating system, this won't be an issue, but it's worth knowing that you can't just plug the drive in elsewhere and make a copy and get a backup you'll be able to decrypt.
GT: As a reminder, you still should be concerned about the same issues with software-based encrypted backups as with software-based full disk encryption for your main drive, like we talked about last episode. If someone compromises the computer you use to access your backups, like by installing a keylogger, you should be concerned about attackers getting access to your strong decryption key.
LD: We'll talk about specific backup systems after a quick break.
Interlude music plays.
LD: Since I use a Mac, I use the built in software, Time Machine, to do backups of my laptop. It's pretty nice, and has straightforward support for external backups, encryption, and keeping old versions of files around.
GT: Windows 10 also has built-in backup software, but it's a little less nicely designed. You've got to do a few more things by hand and there's nothing out-of-the-box for backing up to a NAS. But it is installed by default and free, so it's not a bad place to start.
LD: I actually end up doing a bunch of customized things in Time Machine anyway. As mentioned before, some of my projects, like this podcast, take up a lot of disk space until they're done, and I like to keep the in progress work. So I'm a firm believer that I want regular, automatic backups of the things I use daily - my laptop with my current projects - as well as regular but less frequent backups of things I want longer term - the rest of my projects, photos, mp3s. I'm kind of old school, and I still mostly use mp3s.
GT: So how do you split backups between projects and other files? Do you have them on a different schedule or something?
LD: My Time Machine backups run every day when I'm on my home wifi network because I have it going to a NAS on that network, and I love how automatic that is. The NAS has tons of storage space, but I use some of that for my more manual project backups, too. I've allocated my Time Machine backups 150 percent as much space as my laptop's hard drive because that happens to get me about 3 months of backups, which is more than enough for recovering things if I have an issue. A lot of my current projects will actually get backed up in the Time Machine, so it's not exactly a split. But I also make sure to manually put them on this NAS, so that when it's outside of that three month period, they're still around.
GT: If you use a Chromebook, it encourages you to keep all your files on Google Drive, and it comes down to how much you trust that to be a solid backup. You might also consider copying those files somewhere else in the cloud or onto hard drives in your home.
LD: Cloud backups in general like Google Drive, Dropbox, and iCloud are really convenient and easy to use with minimal setup, so even if you're using a more conventional desktop or laptop than a Chromebook, it could be a good option if you're primarily concerned with backing up files.
GT: I make sure that all my important documents like tax returns are stored in two places: a Google Drive account that's separate from my usual account, and another cloud storage service called rsync.net that's basically really convenient for Linux nerds and really inconvenient for anyone else. I've decided for myself that I'm not extremely concerned about these records being private and I mostly just want them available, so I don't store them encrypted - I trust these companies to run these systems securely. It may or may not be the right choice, but it seems to work for me.
LD: Of course, as we mentioned earlier, there are some inherent risks to having your files in the cloud, but cloud storage is probably the easiest to configure offsite backup for most people, especially when all you need to do is make sure you get into the habit of putting your files in the right folder on your computer.
GT: There's also a bunch of dedicated online backup services, which don't necessarily provide fancy online access or two-way sync like Dropbox and Google Drive and those sorts of things but are a way to get your files backed up in the cloud. They generally come with software that's easy to use to set up scheduled backups, and a few of them even support encrypting your backups on your computer before you send them over, so the cloud service doesn't have access to your files.
LD: If you get a NAS to do backups to another drive in your home, it usually comes with software you can use to set it up. Some of them also have integration with cloud storage services, so you can do backups to the NAS and then tell your NAS to make another backup of some of all or your files to a cloud service, which gives you a lot more protection, but also a little more risk.
GT: Like with many security things, your ideal setup is very personal to your needs and use patterns, and you should make sure to pick something that integrates well into your workflow, and ideally is automatic so you don't have to think about it.
LD: Also, backups are only useful if they're working, so even if your backups are on an automatic schedule, you should check them regularly to make sure that they're still happening.
GT: We're not suggesting you restore from backup regularly - that's a hassle and to be truly safe, you'd probably want to make a second backup first - but you should definitely make sure your backups are happening and they have recent files from time to time.
LD: Oh, there's one other good reason to have regular backups. You might have heard of "ransomware" - software that maliciously encrypts all your files, and then holds the encryption key hostage until you pay the ransom.
GT: It's one of the most frustrating types of malware you can get. The original attack was a few years ago and called itself CryptoLocker. Since the files are actually encrypted, there was no way to restore them without paying the ransom - and paying the ransom worked, so people did that and it encouraged a lot of copycat attacks.
LD: If you've got backups you trust, then you can just wipe your computer and restore from them. The British National Health Service got caught without backups when they were hit by WannaCry, a newer ransomware attack, last year. Don't be like them.
GT: There is one thing to keep in mind: ransomware tends to find every file it can access. So if you've got an external hard drive you leave plugged in all the time, it's at risk too. If you're using Windows's built-in backups or something else that just copies to a regular hard drive, it is, unfortunately, a good idea to disconnect your drive when you're not making backups. It's a pain, but you need your backups to be a separate system.
LD: Of course, the way to avoid this is to just not let malware onto your machine in the first place. We'll talk about threats from malware and how to keep your computer's software safe in our next episode.
GT: Until next time - happy Halloween, and don't let your files turn into ghosts!
Outro music plays.
LD: Loose Leaf Security is produced by me, Liz Denys.
GT: Our theme music, arranged by Liz, is based on excerpts of "Venus: The Bringer of Peace" from Gustav Holst's original two piano arrangement of The Planets.
LD: For a transcript of this show and links for further reading about topics covered in this episode, head on over to looseleafsecurity.com. You can also follow us on Twitter, Instagram, and Facebook at @LooseLeafSecure.
GT: If you want to support the show, we'd really appreciate it if you could head to iTunes and leave us a nice review or just tell your friends about the podcast. Those simple actions can really help us.
Outro music fades out.