Hello, hello, and welcome to Smashing Security episode 123. My name is Carole Theriault.

And I'm Graham Cluley.

Did you hear that? That is the gorgeously gobby Graham Cluley, and the poor little sausage has a little throat problem. Don't you, Clue?

Just a little one, yeah. It's like someone's stolen my data, but they've stolen my voice instead.

Is your neck all wrapped up in a big towel and you've got lavender stuffed into your pants and stuff?

There's always a slight whiff of lavender about me anyway, but yeah, I've got a little bit more than normal.

So why don't you walk us through exactly what happened here?

Do I have to?

I was kidding.

Scrap that, scrap that.

So as you can see, folks, recording this week is going to be rather difficult.

No, I think we should do it. Let's just go ahead.

You know what the doctor said, just shut up. So we have made the unbelievable decision to air a previously aired Splinter episode. Would you stop talking? It's a golden oldie all about backups. Now, unless my partner in podland does not get better, we will be back next week with an illustrious guest and some witty banter about the latest cyber snafus. And before we go, a huge thanks to this week's sponsors, LastPass and MetaCompliance. These guys help us give you the show for free. And thank you guys for listening and supporting us, even when one of us fails us all.

Shh. Smashing Security, episode 123, Backups: A Necessary Evil, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security. My name's Graham Cluley, and I'm joined by my good chum and co-host, Carole Theriault. Hello, Carole.

Hello, Graham.

Hi there. And we are here today for a very special Splinter episode.

Buckle your seatbelts, people.

Indeed.

And we are joined by a special guest returning to the show, Maria Varmazis. Hello, Maria. I imagine life has changed for you a lot since you last appeared on the show.

Oh, the fan mail just comes flooding in and I just don't know what to do.

You're welcome.

Yes.

You're welcome, Maria.

My life is forever changed.

It's been so amazing.

I bet you can hardly leave your house now.

The hordes of paparazzi.

Exactly. So annoying. We should have warned you beforehand.

Well, I'm now dealing with the fallout of my last appearance and things will never be the same.

Well, let me tell you, if we don't make this topic interesting, you may get rid of your paparazzi because this is going to be a hard one to keep entertaining.

It's going to be a hard one to keep entertaining.

Ransomware, or ransomware lockdown, I trust LastPass Enterprise to remember it for me. Because it's so long, so complex, and so unique, I couldn't possibly remember all my passwords for all my accounts. Let LastPass Enterprise do the hard work for you. Check out LastPass Enterprise at lastpass.com/smashing. MetaCompliance, the security e-learning experts, make learning best practice engaging and fun through stories, realistic scenarios, the MetaCompliance guys provide animated e-learning and even games phishing drills to test your knowledge. Plus, these guys get passwords, they get GDPR, they get security, and they've won awards for security awareness. Smashing Security listeners, you guys can get 10% off by visiting smashingsecurity.com/metacompliance and entering the code SMASHING. That's smashingsecurity.com/metacompliance.

What we're going to talk about today in this special Splinter episode is we're going to talk about backups. Oh boy. Backups in your home, backups maybe in your small office. We're not going to look at enterprise backups as such, but it's more sort of how you're going to deal with your personal computer and devices and keeping those backed up. And my question for you, and by that I mean you two, do you have a backup?

Many, many, many. Yes.

Too few.

You've all— Hello, let's focus on Carole.

Interesting.

No, I'm not going to be revealing lots of my backup schedule, okay, live on air.

Intimate details.

So this is going to be a really interesting show for me. I know that you guys are both backup tours.

What?

Well, you know.

For the record, you can never have too many, maybe?

Exactly.

I wish I had more backups than I do. I never feel I'm fully secure in my backing upness.

Call me a backup, Paul. You make me feel I'm Tina Turner singing Private Dancer. It's my private backup. I back up for money. I don't do backups for money. I do this for free. I do it because I just think it's a jolly good idea to have a backup and to make sure that that backup is secure as well. And that if I need it, I can get back up and running as quickly as possible. So I think the first thing is backups are great, but in many cases people haven't done a backup recently enough. So you'll come across someone who's maybe accidentally overwritten some of their data, or they've had a hard disk failure, or maybe they've been hit by something ransomware. And you say to them, have you got a backup? And they go, well, I did one last October or something. And that's, you know, a backup which is older than 6 months or something.

I have been that person.

Really?

I have been that person.

So what's— what happened? How did you lose your data?

Sorry, I didn't lose my data, but I'm the person who, you know, sometimes in the past I've had months go in between backups.

Really? So my first rule of backups is you have to, as much as possible, remove the human element. Because if you're relying on yourself or somebody else to manually do the backup, it ain't going to happen.

Hmm.

You're sitting in front of a computer device, right? Which is really good. At remembering to do things and doing things on a schedule. Okay, the computers screw up things all the time, but if it's a boring, mundane task, which frankly doing a backup is a boring, mundane task, if it's something which will be easy to forget, then get your computer to do it on a schedule instead.

I think that's actually really good advice because a lot of people, me included, have put off doing a backup, a manual backup, because it slows everything down just a bit and you're like, I'll do it later, I'll do it when I'm finished doing my work, and then you forget.

Well, yeah, a lot of people do say backups slow things down. And I think the initial backup can be a lengthy process, can't it? Because when you haven't got any previous backup, if you're backing up your entire hard drive or all the files in your user folder or something like that, then that may take a while to put onto a device or upload to the cloud or wherever it is. And we'll get into the different places maybe you should back up. Once you've done that, then you begin to get into sort of incremental backups where the backup may only be a backup of what has changed since the last full backup instead.

Unless you're like me and let months go between backups and then that incremental backup is massive.

Exactly. Thank you, Maria.

And then it becomes a snowballing problem. I'm just awful about it.

First of all, let's talk about why we actually need these kind of backups and then we get into sort of different things that we can do to do them. As I said, accidents happen. So I used to be a computer programmer. I remember way, way back, 25 years or whatever, when I was programming on a computer which didn't even have a hard drive. I was saving my source code onto floppy disks.

Well done, Grandpa.

I'm glad you said it.

And floppy disks obviously are not the most reliable storage format, and they're notoriously bad sectors and things like that. So I would have piles and piles of floppy disks and I'd be so paranoid I was going to lose my work that I'd save it on this floppy disk, but then I'd have another floppy disk, which was a different color or labeled with something else. And I'd have all these different versions and archives of past versions of my source code.

And I know how organized you are as well, so that just must have—

So they were just sitting on your desk basically, right?

Yeah, no, like a pile.

It would have been literally strewn everywhere.

Strewn around me like I was one of these people who hoards inside their house, just like mountains of floppy disks everywhere. But that was kind of what it was like because I had nowhere else to put these things. You didn't have USB drives, you didn't have anything else, so you had to use this kind of medium. But I knew that a floppy disk on its own wasn't reliable, and so I'd have multiple floppy disks. And that's one of the first things which I think you need to recognize is that there is this danger that you will have an accident. You will accidentally maybe make a mistake, or you will delete a file, or you will change some code, and you want to move back in time.

Yeah, or you've had a virus threat, for example, or someone's stolen your data.

Or your house burns down.

Or your house burns down, exactly.

So these are the other threats. There's the physical damage which can happen if your house gets flooded or if you suffer a fire or something like that.

Cat pukes on your disks, whatever.

Right.

That has never happened to me. That's why I would never mention it.

So something like that happens and you want to get your data back and it's like, oh no, this has happened. And so this is my sort of second rule is that if you've got a backup, if the only backup you have is inside your house or another drive which is on your desk, that's not really a backup. I mean, yes, it might save you from those sort of accidental deletion of data or something like that.

It's better than nothing.

It is better than nothing. And all of these things are better than nothing. And, you know, if you're going to do something, just do something.

Do it properly, is what you're saying?

Yeah.

So we're talking about people at home, right? This is going to be okay. So what do they have to back up? So I can understand things like photos, email, you know, some files, but just sounds like you won't have to back up your entire system. Is that necessary?

Don't need to back up every single file on your hard drive because the operating system itself, you know, maybe you got the CD-ROM or you're able to reinstall it onto another computer. Applications you can reinstall from the original media, or you can download those from the net if you need to. It's the files which actually belong to you, which you created. So it'd be the photographs. You said emails actually, but a lot of people will be using a web-based email system.

That's true.

Although you may still want to back that up. You know, there are arguments for doing that.

Some people still use POP and they download their emails and some people still do that.

Yeah, some people are doing that. And, you know, there are services available if you want to back up your Gmail, for instance. You may want to back up your contact details, your calendar perhaps. You may have databases, you may have Word documents. I think maybe for the typical home user though, the most critical thing which you want to back up are probably things which are completely irreplaceable, which would be things like, for instance, legal documents, things like—

Photos, videos, yeah, tax returns.

Absolutely, family photographs. The number of times when people will be going to data recovery firms saying, look, I've had a hard drive crash or something's gone wrong and I can no longer get the photos of my kid.

Do you know what? You just have reminded me. So I don't know if this is probably about 5 years ago, we were robbed at our house. One of the things they took was my laptop with all our pictures on it. You know, we had just got married, da da da. Just by absolute chance, the week before, my other half had backed up all the pictures.

Wow. Well done.

I know. And the music that was on it, just by chance that happened. And I was so grateful because, you know, in that situation, I didn't care at all about the machine. I just cared about having those.

It's all about the files. Yeah, I'm the family archivist for— I'm the family IT person and the family archivist. So I am responsible not just for the files on my computer, but my mother's computer. And I'm also the person that saves all the photos and the videos that we've had transferred and taken from film and upgraded onto digital. And last year when my father passed away, it became another additional thing of oh my gosh, if we lose all this stuff, that's what's left of our memories of my dad that are in photos and video. So I have to make sure that this stuff is backed up really, really well. Otherwise, I'm responsible if something goes wrong. It's been my mission to figure out a better solution. And admittedly, I don't have a great one. So this is why this episode's really interesting to me.

So a backup to another drive, maybe on your desk or to a NAS system, NAS storage or something inside your home office or something like that is a good idea. But I would argue that it's not a real backup because it is still at risk, although it probably will avoid the accidental deletion or something like that. There are still other risks involved. One of those will be fire or flood. The other risk, however, is ransomware.

Oh yes.

So we have seen destructive malware in the past, but ransomware in recent years has taken off so much. Its whole raison d'être is to attack your most precious files, to lock them up, to make them inaccessible to you. And if you have an accessible drive, a backup drive accessible from your computer, which is infected with ransomware, that ransomware will seek it out and it will encrypt your backup as well.

Oh, that's nasty. That's nasty.

But they're nasty little buggers, aren't they?

They are. That's just mean. But they know how to pull on the heartstrings and they know how to convince you to pay up. For this reason, I think you begin to start thinking, well, for these really important files, we need an offsite backup. We should put our backups at a different physical location. Really?

Because you won't go there every week. You won't remember to take the backup. You were always in a rush because you've got so many things to do in your life, and it just falls by the wayside. You need offsite backups, which are automated. That's my belief.

So the thread I'm picking up here is that people are very undependable and we should just be misanthropists and not trust ourselves or anyone else.

The thing is, though, Graham is all these things, right? Graham would forget to do it every single week and will assume that everyone else in the world has that same issue.

It's a fair assumption for most of us. Let's be real.

I would agree because, yeah, it's a bit tedious. Yeah, the tediousness is a killer.

There's always something better to do, right? There's always a video of some— I don't know if that—

Backing up's pretty fun.

There's always a video of some Irish folks chasing a bat out of their kitchen.

Carole sent me a YouTube video. I can't remember if it was this morning or yesterday. She sent me a video of some Russian— were they Russian kids or something? Anyway, some Eastern European kids from 1969 who were juggling tables on their feet.

Of course.

Link in the show notes if you want to be distracted from doing a backup.

There's always something more interesting, like your phone ringing, and that's why you're not gonna back up your things. Quid pro quo, no.

So.

Done and done.

So I think, yes, backup to a local storage device because, you know, something might, you might have an accident on your computer, you may overwrite the data, you may have some sort of disaster. So backing it up onto another local device is a good idea. And in my personal scenario, what I do, is my computers wake up at like 2 or 3 o'clock in the morning. Any file which has changed gets backed up onto the storage device.

That is pretty sweet, right? That it happens when you're, I guess, asleep in your little bed.

But I know people who turn their computers off, like off, off. And I'm thinking of my mother, but she's not the only one.

Yeah, you know, and I'm actually— that's a good point. I know a lot of people that turn off Wi-Fi throughout their house in the evening as well.

Yeah, they're trying to be either eco-friendly or they just don't want to have somebody working on their Wi-Fi when they're not using it or, you know, all sorts of various reasons. So then you have to figure out when is a good time for you to schedule this. And it has to be time when you yourself are also active.

If you haven't got a computer which will sort of automatically wake up and do those sort of things from sort of a sleep mode, then yes, it has to be scheduled at a different time. I'm sure there are programs out there which will detect, "Oh, you're not doing anything between these hours, therefore I'm going to slowly start backing up to the drive." But that means I've always got something. In fact, the particular system which I use, it basically clones the drive so that I've got a bootable drive.

That's cool.

If my hard drive inside my computer completely fails, I've got another drive which is at most 24 hours out of date and that I can boot up from. Because for me, the thing about backups is not just getting your data back, it's about getting up and running again as soon as possible because it's going to affect my business.

Yes, exactly. But if you're talking to people from a home capacity, do you really feel that that many backups is actually required? Because I don't.

What's the harm, right? If the software is only backing up stuff which has changed, what's the harm in it kicking off at midnight or whenever? And just doing a very quick update of whatever has changed. Why not do it?

I don't think we should back up our crap. We should just back up the stuff we really want to keep.

Oh, but you can be selective, right? You can choose the directories. You can say, okay.

So you could say just pictures, just any videos that may have changed, any letters I've updated, whatever. Exactly.

Yeah, that's the approach

Yeah.

But then it makes it a lot faster.

Right. Yeah, exactly. Choose those kind of things rather than—

A blanket, you know, update everything.

Operating system libraries and all those sort of things, which you're not interested in or applications, no worries. Do it, do that way if you want to.

I take personally.

So I guess what you're saying is the first question people should ask themselves is what would really upset you if you lost it?

Yes.

Right? Number one, write a list of that. Then number two, how often are you backing these up, if at all? And what's your plan B if, you know, there's a fire or you have a cyberattack or whatever?

Yep.

Yeah. Okay.

Okay. So now I've got this backup daily, which is happening inside my office onto another drive, and that's all tickety-boo. You could do it onto a stick if you really wanted to, and then you could take it with you. You also want to consider things like encryption, obviously, and your hard drive should be encrypted, yadda yadda, that's a whole different debate.

That is important though. If you do a cloud service, especially if you're using a third party or you want to back up, you want, and you want to protect that data, encryption is the layer you need, right?

Yes. I think we're talking more today about safety rather than security. If you get the sort of the subtle difference there, it's more about—

I think I'm capable of this. Thank you.

Oh my.

But yeah, generally, generally with cloud services, my advice is you want to encrypt the data before you put it into the cloud service. There are some cloud services which obviously are making a living, have made a business out of working out what information they can learn about you and the potential for them to sell marketing data and so forth and do things like that. Some cloud services aren't interested in that, but some are interested in that. So my general rule is that if I'm putting anything sensitive into the cloud, it's going to be encrypted before it gets transmitted to the cloud.

Yeah, I think that's a really good point. Really good point.

Can we go back to the idea of encrypting your local drives for a second? Because I actually don't do that and I feel really bad about this. Like, I don't do that. I'm not saying it's a good idea, but I don't.

You mean your local drives on your hard drive at home?

Yeah. Hey, look, it's really easy to do. And it doesn't actually take that long. You know, you could set it off running, do a backup first, just in case, obviously, in case it screws up. It's probably more important on laptops than it is on desktop computers, because a laptop, you're taking to a restaurant, you're taking out to other people's work.

Fair enough. Yep.

Your computer at home, the primary risk there, of course, is if you get burgled, like Ro was. The other thing you can do is you can create little encrypted vaults. You can shove the sensitive files if you wish. So even if you don't want to, I can't imagine why you wouldn't want to encrypt your entire hard drive, but if you didn't for any reason.

Laziness, just pure laziness. I'm just so lazy. And I'm just in the confessional right now going, oh my God, I don't do any of these things. And I really should, I should. This is my job, you know? I should be doing these things, but I don't because I'm lazy.

No, I hear you. I think I'm exactly the same. And Graham, you have to understand that I think Maria and I represent more people than you do, you know.

Okay, I'm not ridiculing you, I'm sort of gently encouraging.

I hope you are not. I'm just saying, just shaming us.

Shame, shame, shame.

You know, it's just, it's your passwords and the encryptions and the backing up and the security software and the firewalls.

Once it's set up, then the computer handles everything. You know what my personality is like, right? I'm a complete ass, right?

I'm not arguing.

I'm not arguing. But the computer does it all for me. Once it's set up, I don't have to worry anymore.

Okay, I have an idea. Why don't you come over to my house and set all mine up?

Will you make dinner?

Yes, I will make you dinner.

I would sort that out for you.

Okay.

That'd be fun.

Can you fly over to Boston then and do it for me next?

I mean, I know in theory how to do these things.

But I guess in my mind, if the more of these things that I set up, the harder it is for me to check my backups to make sure they're actually working.

Oh yes. Yeah, that's a really good point.

I'm way less worried about being burgled than just losing my— just generally not being able to access my files. So when I weigh those risks, I'm just need accessibility to be number one, not to try to justify my choices in life.

No, no, but I think I agree with you. I agree with you. I think these are really, really big things that people ask themselves, you know. And it's great to hear Graham go, and you should do this and you should do that. But there's the reality of it here too.

So can I go to my solution for offsite backups now? Having said, I think it's useless taking your hard drive around to Auntie Jean every week and saying, can you put this in your fireproof safe or something like that, right? But just don't think it's going to happen. I think probably for most people, some sort of cloud backup solution is a good idea. There are some very consumer-friendly solutions which will do this, little programs which will run in the background and again will only back up the files which have changed, and then if you have any kind of disaster, it could be a hardware disaster, it could be that you've overwritten a file, I find myself using online backup restoration all the time. Because I'll have been doing a little bit of coding on my website or something, or I've deleted a file which I then realized, ah, damn, that file I had 6 weeks ago, I really need it now, and I've put it into the trash can. I can go to my online backup and it will dig it out for me.

Yeah. Hmm.

I could use my local backups as well, obviously for that purpose. I just personally find the online backup software I'm using easier to use and to search for, so I use that. If I was doing a restoration of all of my data, then yes, I'd use the online off-site backup. I'll tell you, I've been using one for years called CrashPlan. It just runs in the background and never bothers me, and it tells me that, you know, it last did a backup 2 minutes ago.

Isn't CrashPlan not available though for home users anymore? Ransomware or something?

Well, this is really one of the things which sort of made me think we should talk about backup. So CrashPlan, just a couple of weeks ago, put out this message to their home user customers saying they're no longer going to be selling the consumer version. If you want to keep with them, you have to upgrade to the small business version at least, which does cost more money. And they've suggested that you could switch to some alternatives. And the one which they've sort of partnered with is an alternative called Carbonite, which doesn't do exactly what CrashPlan did.

No, it does not.

Doesn't suit everyone. There's other ones out there, Backblaze, Mozy, Cloudberry, which will use a variety of cloud drive services as your storage space if you wanted to as well. Personally, I've decided, you know what, I'm going to stick with CrashPlan because I know it works.

And you have a business at home as well.

To be honest, I probably should have been buying the small business version from the beginning, right? Rather than the personal one. Yeah. Duh.

Okay, Maria, let's make a plan here. You and I are going to get off our backsides and sort out our backups.

Ideally, once you've set this up, it shouldn't require really any user interaction, right? It should just work. But the concern which you have obviously is that some of these solutions can get expensive, particularly when you end up being responsible for lots of different computers as well. Now there is a solution which is— well, there's a few solutions which are less expensive. There's the Cloudberry solution, which is just a one-time purchase of a piece of software which then uses your other cloud drive services, your Google Drive, your OneDrive, your Dropbox, and can use that space to put a backup into.

Yeah.

What I would advise against, however, is some people think, oh, I've got these syncing services. I should just sync my hard drive or my documents with Dropbox, which isn't a bad thing to do, and then use that as a backup. And I don't really believe that is a backup.

Why?

Wait, what?

What?

What?

All right, clarify.

Let me clarify. So something like Dropbox, right? You can say, sync my documents so you can then access them on your other computers. And that's all great, right? That all works fine. But I don't think that is a backup. And the reason is that if you get ransomware on one of your computers and encrypts the documents in your Dropbox, then it is going to sync all your encrypted documents to those other devices as well.

Especially if you have sync turned on all the time for incremental sync.

So it comes back to this issue, which I mentioned earlier, of if your backup is accessible from your computer without having to jump through a hoop or something or log into something, then there is the risk that something like ransomware could actually damage it. But another solution, if you want a cheaper solution for cloud backup, is to use cold storage services. And they give you really cheap data buckets which you can stuff your data in. Again, it has to be encrypted. And it does require more nerdiness than maybe some of these consumer products you just turn on on your computer. And the way they make the bulk of their money is if you want to access the data. Because with something like Glacier and the cold storage, you shove data in, but it might take 3 or 5 hours if you want to request a piece of data back, or you may have to spend more money to restore your data. So if you are simply archiving, if you are imagining, well, actually I'm very rarely going to need these backups, but it would be nice to know that they're there, then that could be an option which you want to take up.

Or you could stick with the USB option. If you're at home.

Well, the Amazon Glacier would be great for someone like me who's storing a ton of family photos. I'm not modifying those ever.

Yes, right.

Yeah, because you don't need to access them or go back and forward all the time. You just want to have a second safe place. And but you're going to want to test that backup, Maria.

Yes, because again, that's what keeps me up at night is if I lose all these photos or voice memos or whatnot, that is all on me and I will be shamed by my family. Basically, backing up is a necessary evil.

That's how I see it. Evil though?

Something like Amazon Glacier only costs, I mean, less than half a cent per gigabyte per month. So it's really, really cheap. It obviously gets more expensive if you want to extract, if you want to request data back out of it to retrieve. But it's, you know, for that kind of storage, it's perfect.

So is this actually available for the consumer set? As a non-business, would I be able to use that? So I don't have to be some big fancy schmancy guy to do that.

We're going to put all these links in the show notes as well. So do check that out, guys, if you want to kind of review any of the suggestions, recommendations that we've provided in the show.

We've probably been talking about backups enough. Hopefully we've got everyone thinking about the threats which are out there and how to protect against them. I guess the last thing we should mention is that a backup is a real backup unless you've tested it.

Yeah, yeah, we've talked about that. You have to test your backups.

Yes. So otherwise you'll only find out your backup regime has failed when you least want it to fail, when you want to make sure it absolutely is working.

This isn't fun. I don't think anyone who tries to tell you this is a fun thing to do is lying.

You know what, I'm going to disagree with you. I love setting up little automated systems on my computer to go and do things.

Really?

Again, I look forward to your visit. Don't dilly-dally. My backups need you. My files need you.

Okay. All right. I will pop around and we will sort it out. You might have to get your checkbook out for some of the services, but we'll—

Hey, I'm making dinner. I thought I'm making dinner.

Yeah. But your dinner isn't going to pay for the online backup service, is it? That's coming out of my pocket, is it?

Now mac and cheese it is.

There's nothing wrong with mac and cheese.

You're right there.

On the bombshell that Carole is going to feed me mac and cheese, I think it just about wraps it up for today. If you want to find out more about us, go to smashingsecurity.com. You can buy swag at smashingsecurity.com/store or join us on Facebook at smashingsecurity.com/facebook as well. Thank you very much, Maria, for joining us today. Always a pleasure to have you on.

My pleasure.

And thank you. I love when Maria's on the show. She's a good guest.

I wish this was a more interesting topic to opine on.

Well, you know, I agree. But there we are. I promise I'll get you back on.

Well, maybe, Carole, in a future episode, you can tell the audience just how much fun it was when I came round and set up all your backup regime for you.

Oh, wow.

Hold on to your hats for that, listeners.