Tuesday, February 02, 2010

Online backup – the security problem (it’s not the encryption)

Here’s how you lose everything.

First, someone gets control of your email account. It might be a security vulnerability, or a password attack (note: “tigger”, “angel” and “soccer” are not wise choices), or a password reset, or an inside job.

They then sell your email to someone who takes a look, and finds a backup report from, say, CrashPlan. They then reset your CrashPlan password:

Please submit your email address. Afterward you will receive an email with a link that will reset your password and securely display the new password to you. The provided link will only work for one hour.

Now they have access to everything you’ve backed up.

CrashPlan talks about their 128-bit Blowfish encryption (standard) or 448-bit CrashPlan+ encryption and how robust that is. As Schneier used to point out before he was overwhelmed by the boredom of it, this is rather besides the point. Their use of the industry standard “password reset by email” process means they’ve built a solid steel door on a house made of rice paper.

It’s not just CrashPlan of course. Google is little better. This reset problem is just one aspect of how broken passwords are (don’t get me started on “security questions”. Please.)

CrashPlan also offers a “data password” that encrypts at the client side. So even if someone gets control of your online backup they can’t actually do anything with the data.

Except … Well, CrashPlan’s FAQ dodges around this, but since the encryption is client side they can’t make any changes to whatever you’ve already backed up. So if you want to add, or change, your data password you have to wipe your online backup and start over. If you change it, but don’t start over, you better keep your old and new password since data may be encrypted with one or the other. In my home a full family CrashPlan offline backup takes about 4 weeks, so this is not a trivial change.

Note that I’m using CrashPlan as my example here because they’re the best in the offline consumer backup business, and they are the only offline backup plan I’ve considered. They just have the usual problem with their password reset procedure.

How could CrashPlan make the best of a bad situation? Well, in the unlikely event that they read this, they can research higher quality reset procedures (not #$!$!$ security questions). Those reset procedures often involve two factor authentication procedures, such as the procedure myOpenID almost got right. They involve more expense, so it would be reasonable to for CrashPlan to charge extra for a higher quality security service. They really don’t need more encryption, they need better reset controls.

In the meanwhile this problem has tipped me away, for now, from using offline backup. I’ll continue to rely on physical drive rotation for offline security and I may make use of CrashPlan’s (free, unfortunately – I distrust the longevity of free things) ‘backup to friend plan.

Update 2/4/10: For more on CrashPlan.

Update 5/17/10: Matthew Dornquast of ChrashPlan replies in comments.

7 comments:

Dan said...

I actually have several TrueCrypt volumes that I then backup online ... I don't trust Mozyhome's encryption method...

Anonymous said...

You don't have to secure your key with your account password, check the settings menu in the Crashplan software. You have the option of securing the key with a private password or using your own private key. These methods have no recovery procedure via email as crashplan have no knowledge of the password.

John Gordon said...

I recall knowing of that option, but I believe there was a reason I rejected it. Can't recall why, might have been the limitations associated with encryption were a problem.

I wasn't worried about losing the password though, I'm good with that.

Matthew Dornquast said...

Gordon,

From the beginning you tried using us, we've offered 3 methods of securing your data. All three are defined on the settings screen in detail if you push the ? button.

1)Account password, ok security, very user friendly
2)Secret you only know
3)Large key you only know.

You're right in that 1 can be a security risk if your email account is not secure. However most people use this mode and for good reason: They don't want to risk loosing their backups if they forget or loose their password. It's as simple as that. A decision everyone needs to make: Which is worse? Looser security or loosing your backup? Put simply, this model is as secure as your email account is. I think for many folks, this is sufficient. I personally use it and sleep well at night.

Now for mode 2- a secret data password. You've assumed something that isn't true. You can change your data password anytime. The change is almost instant at all locations. Why? Because we're not changing your key - we're changing the combination on the vault that holds your key. The updated locked key is moved in real time. No waiting

Mode 3 - is a bear - I don't think you or I would bother with that. You would have to start over.. it's only for the most paranoid.

So if I read you right, you don't like the idea that your "settings" are only as secure as your email account security. Might I make a suggestion? Create an anonymous email account that doesn't lead back to crashplan. It should meet your needs and give you what you want.

1. Create a completely new gmail account without any personally identifiable information related to you. Use an extremely secure password.
2. Create crashplan account using this email and turn off email reporting. Also opt out of any email notifications from crashplan. Elevate your security to mode 2- so there is no risk of data access through password reset.
3. Configure client to send backup reports via twitter. This can be your mobile phone, which is way cooler than email anyway. :)

I think it's a lot of work to avoid the theoretical story of loosing control (read access) of your email box to someone who actually wants to read your mail and install crashplan. How did you loose control of it in the first place? Is google hacked? Any good company these days doesn't store passwords anywhere. They'd litter ally have to modify the google's cloud code to allow them to monitor the contents of your box, read the email.. you get the idea. If they're actually after you, isn't it easier to break into your house? :) Are you using ondisk encryption for everything? :)

PS>Another option, although it's more expensive, is to buy crashplan pro. You're now building your own cloud, and you don't even have to use email accounts as identifier.

John Gordon said...

Matthew,

Thanks for responding. I updated my post to note your response, so readers would know to review it.

Have you updated the CrashPlan FAQ to include your security suggestions? If I could read them in context it would clarify them for me. I don't get the difference between a secret only I know and a password. If you mean a "secret question" please read Schneier on "secret questions".

I'd like to see CrashPlan offer, perhaps for an additional fee, a more secure approach to password resets.

Incidentally, why doesn't CrashPlan have an uninstaller?

Martin said...

I wish Matthew Dornquast would answer your last question. On the other hand, you don't offer comment subscriptions, so maybe Matthew Dornquast doesn't even know about your last question.

JGF said...

There's a comment subscribe button on top right of screen Martin -- Blogger supplied.

Today, as I write this, I see there's a new "email f/u comments option" below this comment box ...