
Make a backup, secured?



#1 TheoV

TheoV

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:59 PM

Posted 24 November 2015 - 05:14 PM

Ok, just seen another user with a CTB encryption on his PC. No backup, all data gone :( .

Now I am wondering... as an administrator, I am making backups on a regular basis. But: the backups are on my own machine, on a second hard drive. That means that an infection with a program like CTB locker will (most probably) encrypt all of my backup copies as well. An offline backup (backup on a disk, not connected to my computer) would be perfect for this, but then I would have to connect this disk every time I need to make a backup.

This brings me to my main question: does anyone know of a method to make a "protected" backup? What I mean by that: does anyone know of a method to secure a backup in such a way that a virus or anything similar is unable to access / delete / modify it?

 

Thanks for your input!

Kind regards,

Theo Verkoelen.




 


#2 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,718 posts
  • ONLINE
  •  
  • Gender:Male
  • Local time:08:59 PM

Posted 25 November 2015 - 12:17 PM

You could encrypt your second disk (full disk encryption) with a tool like TrueCrypt/VeraCrypt.

And then only mount the disk when you make a backup, and unmount it after the backup is completed.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#3 TheoV

TheoV
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:59 PM

Posted 25 November 2015 - 03:42 PM

Hi Didier,

 

Thanks for your input. That certainly would stop anybody trying to look at / modify my data.

In the meantime, I've been thinking: can a virus bypass the Windows security? What do you make of the following solution?

1. Make a backup directory, and create a standard Windows account which has access (deny access attribute to all other users, even admins and other system accounts)

2. Use a normal tool to backup, and use the "Runas" command to start this tool

This way, I have a fairly "standard" way of backing up data, and I could implement this tooling for many of my home customers, without having to go into an in-depth explanation of why I encrypt, mount and unmount disks. My default tool of choice for backing up (Cobian backup) even has an "impersonation" setting in the advanced tab, which supports running under different credentials.

Kind regards,

Theo Verkoelen



#4 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,718 posts
  • ONLINE
  •  
  • Gender:Male
  • Local time:08:59 PM

Posted 26 November 2015 - 02:01 PM

What do you mean by home customers? You said you ran as an admin and that the backups were on your own machine, so that's why I didn't propose a solution with ACLs.




#5 TheoV

TheoV
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:59 PM

Posted 27 November 2015 - 04:08 PM

Hi Didier,

 

Maybe I should explain a bit more... In daily life, I am a computer service technician at a multinational in Venlo (yes, I live near the Belgian border). Needless to say, with your knowledge of computers and their environment, you get questions not only from your employer, but from your family, friends, their friends and so on. So, next to my job, I founded my own firm, helping people at home with their computer problems.

So, for my own computer I need a secure, trustworthy way of backing up my data, guarding me against all kinds of mishaps. This solution can include all kinds of technical terms: ACLs, encryption, FTP, Cloud, offline storage etc. On the other hand, I try to find a solution that I can easily reproduce when I am at one of my customers, because (a lack of) a good backup is one of the things that most people tend to forget.

 

Thanks for helping me out on this one!

 

Kind regards,

Theo Verkoelen



#6 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,718 posts
  • ONLINE
  •  
  • Gender:Male
  • Local time:08:59 PM

Posted 27 November 2015 - 05:22 PM

Hi Theo,

 

OK, I understand now.

My recommendation: ACLs for non-admins and encryption for admins.

Reason: when a (malicious) program runs with admin rights, it can bypass ACLs. By taking ownership, or using the backup & restore privileges, ...

 

Kind regards,

 

Didier




#7 TheoV

TheoV
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:59 PM

Posted 29 November 2015 - 12:59 PM

Hi Didier,

 

Thnx for your reply... you're right; when a virus runs under admin privileges (as is the case with most accounts on our home PCs), there is little Windows can do to stop it. So I need encryption to secure my data. And, if possible, store my backups offline. Have to think of a good way to implement this with my customers (most of them don't have multiple disks in their machines). So I might have to implement the "external harddisk as backup strategy" after all.

Regards to you too :-)

 

Thnx!

Theo.



#8 RolandJS

RolandJS

  • Members
  • 4,533 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Austin TX metro area
  • Local time:01:59 PM

Posted 29 November 2015 - 01:10 PM

I have two computers, each with a 2nd internal HD.  After cloning HD0 onto HD1, I go into CTL-PNL --> Device Manager --> Disk Drives; your second HD should have the option to Disable.  If so, Disable.  That will take your 2nd HD offline during any and all Windows operations. Now, if you boot certain USB sticks or DVDs, the 2nd HD will be visible to almost all such tools.


"Take care of thy backups and thy restores shall take care of thee."  -- Ben Franklin revisited.

http://collegecafe.fr.yuku.com/forums/45/Computer-Technologies/

Backup, backup, backup! -- Lady Fitzgerald (w7forums)

Clone or Image often! Backup... -- RockE (WSL)


#9 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,718 posts
  • ONLINE
  •  
  • Gender:Male
  • Local time:08:59 PM

Posted 29 November 2015 - 01:52 PM

If you choose the external harddisk option, there's the following option (for desktops, not for laptops, it's not practical for laptops):

 

You buy a HD docking station with a power switch and an internal harddisk. You put the harddisk in the HD docking station, and connect the HD docking station to the desktop computer.

You set the harddisk up for backups, and then you instruct your clients to power on the HD docking station to do a backup, and then power it off again.

The docking station should only be powered on for backups.

 

This way they can leave the backup harddisk connected to the computer, and have only to operate the power switch.




#10 TheoV

TheoV
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:59 PM

Posted 01 December 2015 - 02:54 PM

Getting more and more usable solutions :-) Keep it up, you guys! You're doing great!

 

Thnx a lot!

Theo Verkoelen.



#11 cyberSAR

cyberSAR

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:12:59 PM

Posted 01 December 2015 - 04:35 PM

I've been using RemoveDrive and RestartSrDev from http://www.uwe-sieber.de/drivetools_e.html as a pre and post backup event to my usb drive. Works well and I don't have to be at the machine during or after backups to unplug or power off the drive.



#12 CaffeinatedTech

CaffeinatedTech

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:04:59 AM

Posted 03 December 2015 - 08:10 AM

I've been considering this myself.  I'm also a field tech and see data loss quite a lot.

 

I tend to steer away from anything that the user has to do themselves like plugging and unplugging drives.  They eventually stop doing it, or damage the drives in their travels.  I like to make things as automated as possible.  The fact that these encrypting ransomwares seek out other drives and network shares makes this a little more complex.

 

I was playing around with accessing drives using the volume name and removing the drive letter.  I had some success with Acronis, but it was not fully reliable.  Most other backup tools won't even look at a destination unless it has a drive letter.  You could even script mounting and un-mounting volumes with the mountvol command and pre and post commands in your backup program.  However I was also worried that the infection could just get smarter and enumerate the drives and access them directly the same way I was anyway.

 

I'm liking cyberSAR's solution using those drive tools to automate the eject and restart of USB drives.  You'd need a login script to eject those drives when you power up the machine, or a restart would leave them vulnerable half the day.



#13 cyberSAR

cyberSAR

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:12:59 PM

Posted 03 December 2015 - 08:24 AM

CaffeinatedTech, you are correct. I run a task on restart to remove the drive. I run the same batch file I use for the post backup event. I have it set up on quite a few machines since Cryptolocker reared its ugly head and have not had any issues using various brands of USB drives.
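
The mount-only-for-the-backup approach discussed in posts #11 to #13, written as one script using the `mountvol` command mentioned in post #12. This is an added example, not code from any poster: the drive letter, volume GUID and source folder are placeholders, and `robocopy` stands in for whatever backup tool is used. It must run elevated.

```powershell
# Added example (not from the thread). Run from an elevated prompt or scheduled task.
# -DismountOnly is for the startup/logon task, so a reboot does not leave the
# backup volume mounted until the next backup run.
param([switch]$DismountOnly)

$Letter = 'X:'                                                  # assumed drive letter
$Volume = '\\?\Volume{00000000-0000-0000-0000-000000000000}\'   # placeholder; run "mountvol" to list real names
$Source = "$env:USERPROFILE\Documents"                          # assumed data to protect
$Log    = "$env:TEMP\backup-$(Get-Date -Format yyyyMMdd-HHmmss).log"

function Dismount-BackupVolume {
    if (Test-Path "$Letter\") {
        # /P removes the drive letter AND dismounts the volume (closes open handles)
        mountvol $Letter /P
    }
    if (Test-Path "$Letter\") {
        throw "$Letter is still mounted; backup volume remains exposed"
    }
}

if ($DismountOnly) {
    Dismount-BackupVolume
    exit 0
}

try {
    # Pre-backup step: give the volume a drive letter only for the duration of the run
    mountvol $Letter $Volume
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path "$Letter\")) {
        throw "could not mount $Volume on $Letter"
    }

    # Backup step: /E copies subfolders, /XJ skips junctions, /R and /W limit retries
    robocopy $Source "$Letter\Backup" /E /XJ /R:1 /W:1 /NP /LOG:$Log

    # robocopy exit codes below 8 mean success (possibly with skipped/extra files)
    if ($LASTEXITCODE -ge 8) {
        throw "robocopy reported failures (exit code $LASTEXITCODE), see $Log"
    }
}
finally {
    # Post-backup step: always dismount, even when the mount or copy failed
    Dismount-BackupVolume
}
```

As post #12 points out, this only shortens the time the volume is reachable by drive letter; a program running with admin rights can still enumerate volumes and mount them the same way.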



#14 RolandJS

RolandJS

  • Members
  • 4,533 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Austin TX metro area
  • Local time:01:59 PM

Posted 13 December 2015 - 09:27 PM

Mods, would this thread be easier to follow in: Backup, Imaging, and Disk Management Software ?






