SANS ISC: InfoSec Handlers Diary Blog

Off-Site Backup for Home Users

Published: 2006-09-10
Last Updated: 2006-09-10 21:04:42 UTC
by Lenny Zeltser (Version: 1)

A few musings about off-site backup for home users and the usefulness of TrueCrypt...

Off-site backup hasn't been an issue for many home users. Perhaps this is because most people haven't assembled enough critical digital data to justify the effort of implementing off-site backup. They haven't even set up an on-site backup scheme. Many home users may never have to deal with off-site backup at all, considering the increasing popularity of free ASP services, such as Gmail, Bloglines, and Shutterfly, which manage data on the customer's behalf.

This is different for data power users, whose livelihood depends on the availability of their information. Freelance photographers, musicians, accountants, writers, programmers, and other professionals who maintain important files at home fall in this category. They have a vested interest in performing off-site backup in some manner, and they often do so.

For the longest time my off-site backup scheme involved burning my data onto DVDs once in a while, and taking the disks to a friend's house. This scheme wasn't effective because:

  1. Backing up my data took too long. It was a manual process and involved too many DVDs.
  2. I kept forgetting to go through the backup procedure on a regular basis. Maybe I was just too lazy.
  3. My off-site data quickly became outdated, because my backups were too infrequent.

When looking for a way to overhaul my off-site backup scheme, I considered a few possibilities:

  1. Network-based off-site backup. This method of backing up data wouldn't require me to fiddle with disks, and lends itself well to automation. The bandwidth to implement this scheme is becoming relatively inexpensive, and off-site data storage costs are decreasing. I didn't choose this method because storage costs were still too high for me, but I think I will want to move to this mechanism in a couple of years. (I'm doing this for my home user persona, so my budget is pretty limited.)
  2. Tape-based off-site backup. Tapes have been the traditional off-site backup mechanism for a while in the corporate world, and have been adopted by some data power users at home. I didn't have enough data to justify investing in a tape drive and I just didn't want to deal with tapes. They would allow me to implement a sophisticated backup scheme, but I wanted something simple, which brought me to the next option...
  3. External hard drive-based off-site backup. External drives are relatively inexpensive and offer high data storage capacity. The largest disk on the market I came across was 750GB. That was way too much for me, plus I wanted a drive with smaller dimensions, so that it would be easy to carry it to my off-site location. A laptop form-factor drive with 180GB capacity fit the bill, although it was more expensive than its desktop form-factor counterpart. I bought the disk enclosure separately from the disk itself to save a few bucks.

Whatever off-site backup scheme suits your needs, be sure to consider how you will protect the data's confidentiality and integrity. Especially if you're shuttling disks from one location to the other, encrypting the disk's contents is something you'll probably want to do. There are many ways to encrypt data nowadays. The utility that appealed to me was TrueCrypt.

TrueCrypt is an open-source program for encrypting disks. It works on Windows and Unix operating systems. It's free and easy to use. It can run off external media without having to go through the installation process. TrueCrypt allows you to create an encrypted volume, either by storing the volume's contents in a file or in a dedicated partition. I selected the latter option.

I split my disk into two partitions. A small non-encrypted partition contained the TrueCrypt program. I formatted the much larger partition using TrueCrypt, so that it would exist as an encrypted volume.



To mount the encrypted volume, use TrueCrypt to select the desired partition and assign the mount point or the drive letter to it. TrueCrypt will prompt you for the password you established when creating the volume.



Once the encrypted volume is mounted, it will be available as a local disk, so you can use any backup or file-copying utilities to populate the partition with data.

Update: In addition to supporting password-only operations, TrueCrypt also allows the user to specify and optionally generate one or more key files. Without the key file, the encrypted volume would be inaccessible. The idea is that the key file would be stored away from the encrypted volume, so that the authorized user needs to present something he knows (the password) and something he has (the key file).
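
The "something he knows plus something he has" idea from the update above, as an added Python sketch that is not part of the original post and is not TrueCrypt's own key-file algorithm. The function names, the header layout, the HMAC mixing step and the iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000            # assumption: illustrative PBKDF2 work factor
CHECK_LABEL = b"volume-header-check"   # assumption: constant used to test a key


def generate_keyfile(size=64):
    """Random key-file contents; store these away from the encrypted disk."""
    return os.urandom(size)


def keyfile_digest(keyfiles):
    """Fold one or more key files into one secret, independent of their order."""
    digests = sorted(hashlib.sha256(k).digest() for k in keyfiles)
    return hashlib.sha256(b"".join(digests)).digest()


def derive_volume_key(password, salt, keyfiles=()):
    """Derive a 32-byte key from the password and, if given, the key files."""
    secret = password.encode("utf-8")
    if keyfiles:
        # Bind both factors together: changing either one changes the key.
        secret = hmac.new(keyfile_digest(keyfiles), secret, hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS, dklen=32)


def make_header(password, keyfiles=()):
    """Hypothetical volume header: random salt plus a check value for the key."""
    salt = os.urandom(16)
    key = derive_volume_key(password, salt, keyfiles)
    check = hmac.new(key, CHECK_LABEL, hashlib.sha256).digest()
    return {"salt": salt, "check": check}


def try_mount(header, password, keyfiles=()):
    """Return the volume key when every factor matches, otherwise None."""
    key = derive_volume_key(password, header["salt"], keyfiles)
    check = hmac.new(key, CHECK_LABEL, hashlib.sha256).digest()
    return key if hmac.compare_digest(check, header["check"]) else None


if __name__ == "__main__":
    kf = generate_keyfile()                       # constructed sample key file
    hdr = make_header("constructed-passphrase", [kf])
    print("password + key file:", try_mount(hdr, "constructed-passphrase", [kf]) is not None)
    print("password only:      ", try_mount(hdr, "constructed-passphrase") is not None)
    print("key file, bad pass: ", try_mount(hdr, "wrong", [kf]) is not None)
```

The header holds only the salt and a check value, so someone holding the disk without the key file cannot rebuild the key from the password alone.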



If you'd like to learn more about TrueCrypt, take a look at its documentation and at a December 2005 thread on the Dshield mailing list titled "Requiring a key-pair to mount a volume." There are also a few user testimonies in the comments at Bruce Schneier's blog.

-- Lenny

Lenny Zeltser
ISC Handler on Duty
www.zeltser.com

Early Discussions of Computer Security in the Media

Published: 2006-09-10
Last Updated: 2006-09-10 19:04:52 UTC
by Lenny Zeltser (Version: 3)

What's the earliest computer security incident reported in the general media? I was curious.

Now that Google's News Archives Search includes 200 years' worth of publications, it's even easier to search printed records without having to go to the library and sift through microfilm. Google's archive doesn't include all media records, but I think it is a good indication of the general state of the media's coverage of computer security. [Update: Libraries often offer the ability to search historical records for free without having to deal with microfilm, and often without having to visit the library building. See a note at the bottom of this post for more information.]

I performed a search for articles that match "computer" and "security" and examined the results. Here are the earliest incidents I came across:

  • The earliest computer-aided fraud: National City Bank of Minneapolis, 1966
  • The earliest external intrusion: Federal Energy Administration, 1977
  • The earliest large-scale identity theft breach: TRW Inc., June 1984

The earliest reported fraud incident involving a computer seems to date back to 1966, according to a December 1972 article in Time Magazine:

Minneapolis Programmer Milo Arthur Bennett, whose firm handled computer work for the National City Bank of Minneapolis, programmed the computer in 1966 to ignore an overdraft in his own account at the bank.

This article highlighted the increasing profitability of computer crimes. It explained that a "handful of keypunch crooks have already thought of some ingenious ways to defraud the Brain, with varying results." The text also mentioned the following incident, which was motivated by the desire to use someone else's computer for monetary gain.

Palo Alto Programmer Hugh Jeffrey Ward learned, from customers of a computer firm in Oakland, code numbers that enabled him to give orders to the firm's computer. ... He told the Oakland computer to print out a program for plotting complex aerospace data in graph form. ... His company presumably planned to market the program, which was valued at $12,000 or more, to the Oakland firm's own customers. ...

Five years later, in August 1977, Time Magazine published an article that included the earliest mention of an external computer intrusion I could find:

The conviction of one man, accused of stealing confidential information from a Federal Energy Administration computer in Maryland, was possible only because the thief had dialed into a system from his office a few miles away in Virginia.

Another intrusion mentioned in the article occurred at an identified company and involved brute-force password guessing. The article also mentioned the challenge of striking the right balance between security and usability:

One computer, protected by a five-digit code number, was illegally entered in minutes when the thief ordered the computer to begin trying every one of the 100,000 possible combinations. But tighter security would cost both money and time. Says Robert Courtney of I.B.M. "If you're running thousands of transactions a day, you don't want to spend ten seconds or so every time arguing with the computer about who you are."

After a multi-year gap, the next computer security mention I found dates to 1981. A June 1981 article in the New York Times describes how an employee misused a computer to set up a race-track betting system:

His activities were uncovered by the school board's auditor general, who turned the case over to a specialist in computer security for the city's Department ... The arrested programmer 'was described by a New York City investigator as ''a good employee"' ... [Note: This article excerpt was indexed by Google.]

Two years later, in August 1983, an external intrusion caught the public's eye in a way that it hadn't earlier. Multiple media articles described a computer security break-in to the Los Alamos National Laboratory. The intruders were youths, apparently inspired by the War Games movie. Here are a few excerpts from the articles that discussed this incident:

The apparent electronic penetration of an unclassified computer in a nuclear weapons laboratory by a group of young people was not a threat to national security, telecommunication experts said today. But they said the incident illustrated the extraordinary difficulty of guaranteeing the security of any information ...

"There's no security in it or nothing. ... Los Alamos has a computer connected to TELENET, a computer communications network" ...

Officials at the Los Alamos National Laboratory in Los Alamos, N.M., said no classified data had been uncovered by the computer users, who reached a lab computer by telephone from Milwaukee. ...

The Security Pacific National Bank of Los Angeles computer also was entered, apparently by the same young people, but no one's account was affected ...

This incident was a big deal because it demonstrated the importance of computer security to the general public. The sentiment is expressed by an August 1983 article in the New York Times:

Corporate executives and telecommunications experts said yesterday that the recent breach of computer security at the Los Alamos National Laboratory in New Mexico had renewed fears about entrusting proprietary information to data networks that are easily accessible by telephone. ...

Most companies are reluctant to discuss their computer security systems, or even acknowledge the extent to which they are dependent on computer systems ... [Note: This article excerpt was indexed by Google.]

Such factors highlighted the need for commercial computer security products. About a month after the Los Alamos incident, a September 1983 article in the Miami Herald described Datacryptor, which sounds like the first commercial VPN product I came across:

Racal-Milgo, a Miami computer company, thinks its $2,000 black box may be just the answer for businesses worried about computer crime. The Datacryptor, as the device is known, is an electronic scrambler that turns sensitive computer talk into undecipherable gibberish. But even the Datacryptor isn't immune to computer crime.

A New York Times article, published the same month, noted that "the market for computer security software is booming," according to the article excerpt indexed by Google.

Another article, dated to October 1983 and published by the New York Times, introduced the readers to the role of a computer security specialist. The article was titled "New Breed of Workers: Computer Watchdogs" and contained the following description:

Processing manager for a major corporation suddenly notices unusual levels of activity on his company's computer. He investigates, and discovers that the system has been tampered with over telephone lines. Corporate panic follows as company officials try to determine what was disclosed, what was damaged and how vulnerable their ...

Update: An ISC reader shared with me an ad for a Computer Security Manager position, published by the New York Times in November 1970. "Starting salary $15,000 to $20,000 range." (Thanks, Gary!)

If you're wondering when the first identity theft-related breach caught the media's eye, look no further than June 1984. A security breach at a credit-reporting agency led to the disclosure of a password used to protect credit reports. Here are a few excerpts from the articles that described the incident:

A password that could permit access to the credit histories of 90 million people was stolen and posted on an electronic bulletin board, TRW Information Systems said yesterday. ...

Through the theft of a code, the credit ratings of the 90 million people tracked by TRW Inc. were used by credit-card thieves armed with home computers, offering the potential to cash in on other people's credit, company officials said yesterday. "We found out about that code a couple weeks ago, and the code is no longer valid," said Geri Schanz of TRW's Information Services Division ...

Computer raiders used a stolen access code to tap into the files of the nation's largest credit rating bureau for more than a year but company officials say the "hackers" could not have altered the records. TRW Information Services, whose computers hold credit ratings and other records on 90 million people, said yesterday the raiders could have used information from the files to fraudulently obtain credit cards.

The subsequent years led to a surge in computer use, the emergence of the Internet, and the shaping of the computer security landscape as we know it today.

Update: If you're interested in searching through historic news archives, keep in mind that Google is not the only way to do this. As an ISC reader pointed out, many libraries offer thousands of full text archived articles for free without having to go to the library and wade through microfilm. This capacity is described in the Forbes article "Google Isn't Everything". Also, the ResourceShelf site offers an in-depth look at Google's News Archives Search, and provides pointers to other sources of historic news records.

-- Lenny

Lenny Zeltser
ISC Handler on Duty
www.zeltser.com

Keywords: history