GermanWiper isn’t ransomware. It’s worse than that

Graham Cluley

The tech press is full of stories about “a new ransomware strain” called GermanWiper, which has hit German businesses hard in the last week.

GermanWiper, rather like a typical ransomware attack, arrives in your inbox in the form of an email. In this case, samples have been seen purporting to be a job application from a person called Lena Kretschmer.

Dear Sir or Madam,
I came across your advertised position on the internet with great interest. I would like to take on a new professional challenge. In me, your company gains a highly motivated employee. I always devote myself to my new tasks and challenges with great motivation and full commitment. Nothing stands in the way of my starting with you at the earliest possible date. I would be happy to give you a further impression in a personal interview. I look forward to your invitation

Kind regards

Lena Kretschmer

Attachments: employment references, CV, application photo

Attached to the email is a photograph (with the filename Lena_Kretschmer_Bewerbingsfoto.jpg), and a ZIP archive file (Unterlagen_Lena_Kretschmer.zip). Inside the ZIP file is a .LNK shortcut.

Clicking on the .LNK shortcut is, of course, a big mistake, as your Windows computer will then download a nasty malware infection: GermanWiper.
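A mail-gateway style check for the delivery chain described above (a ZIP attachment carrying a .LNK shortcut), added here as an illustration and not taken from the original article. The sample message, the member names inside the archive and the `MAX_MEMBERS` limit are constructed; the header constant is the fixed start of the Windows Shell Link format, so a shortcut is caught even when it has been renamed.

```python
from __future__ import annotations

import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Every Shell Link (.LNK) file starts with HeaderSize 0x0000004C followed by
# the fixed LinkCLSID 00021401-0000-0000-C000-000000000046 (MS-SHLLINK).
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
MAX_MEMBERS = 1000  # assumption: stop inspecting absurdly large archives


def shortcuts_in_zip(data: bytes) -> list[str]:
    """Return names of ZIP members that are shortcuts by extension or by header."""
    hits: list[str] = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a ZIP at all
    with archive:
        for info in archive.infolist()[:MAX_MEMBERS]:
            if info.is_dir():
                continue
            by_name = info.filename.lower().endswith(".lnk")
            by_magic = False
            # Password-protected members cannot be read; fall back to the name.
            if not info.flag_bits & 0x1:
                with archive.open(info) as member:
                    by_magic = member.read(len(LNK_MAGIC)) == LNK_MAGIC
            if by_name or by_magic:
                hits.append(info.filename)
    return hits


def scan_message(raw: bytes) -> dict[str, list[str]]:
    """Map each attachment that is a ZIP to the shortcut members found inside it."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings: dict[str, list[str]] = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        # The content decides, not the attachment's filename or MIME type.
        hits = shortcuts_in_zip(payload)
        if hits:
            findings[name] = hits
    return findings


def build_sample() -> bytes:
    """Constructed message: a photo stub plus a ZIP holding two fake shortcuts."""
    fake_lnk = LNK_MAGIC + b"\x00" * 56  # header bytes only, not a working shortcut
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("disguised.pdf", fake_lnk)  # only the header check catches this
        zf.writestr("cv.lnk", fake_lnk)
        zf.writestr("readme.txt", b"constructed sample")
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("constructed body")
    msg.add_attachment(b"\xff\xd8\xff\xe0stub", maintype="image",
                       subtype="jpeg", filename="photo.jpg")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="Unterlagen_Lena_Kretschmer.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for attachment, members in scan_message(build_sample()).items():
        print(f"{attachment}: shortcut members {members}")
```

The check does not recurse into archives nested inside the ZIP, so a gateway that relies on it should treat nested archives as a separate policy decision.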

After it has done its dirty work, GermanWiper displays a ransom message requesting payment.

Ransom demand

I did a reverse image search on the photograph attached to the email, and found this image by Berlin-based photographer Michel Buchmann, who – coincidentally – has a webpage describing how you should write a CV if you want to apply for a job in Germany.

It should go without saying that Michel and the model (whose real name apparently is Luisa) are not connected with the malware attack. Furthermore, the attack could easily be modified to use different wording, have a different applicant’s name, different filenames, even be written in a different language.

But there’s another important issue to consider with this malware attack. Because many of the media reports are incorrect. GermanWiper is not ransomware. It’s worse than that.

GermanWiper is, as the name suggests, a type of malware known as a “wiper” – which overwrites data on your drives.

Compare that with ransomware, which encrypts your data. At least with ransomware you have the option – if you didn’t take the sensible precaution of making a secure backup before infection – of gambling that your malicious attackers might accept a ransom payment in exchange for a key to decrypt your precious data. With a wiper, paying a ransom isn’t going to help you at all – the bad guys don’t have a copy of your data, they simply overwrote it with zeroes.

In other words, paying the attacker’s ransom demand is a waste of time (and money).
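An added example (not from the original article) for the distinction drawn above: it samples each file in a directory tree and reports whether the content is zero-filled, as a wiper leaves it, or high-entropy, as encryption leaves it. The 0.99 and 7.5 thresholds, the list of file headers and the verdict names are assumptions chosen for illustration.

```python
from __future__ import annotations

import math
import os
from collections import Counter

CHUNK = 64 * 1024     # bytes sampled at the start, middle and end of a file
ZERO_RATIO = 0.99     # assumption: at least 99% NUL bytes counts as overwritten
ENTROPY_BITS = 7.5    # assumption: above this, data looks random (max is 8.0)
# Compressed formats are legitimately high-entropy, so a matching header
# means "probably still the original file" rather than "encrypted".
COMPRESSED_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"PK\x03\x04",
                    b"\x1f\x8b", b"%PDF-")


def shannon_entropy(data: bytes) -> float:
    """Entropy of the byte distribution, in bits per byte."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def classify(data: bytes) -> str:
    """Verdict for one chunk of bytes."""
    if not data:
        return "empty"
    if data.count(0) / len(data) >= ZERO_RATIO:
        return "zero-filled"
    if shannon_entropy(data) >= ENTROPY_BITS:
        return "high-entropy"
    return "plausible-content"


def classify_file(path: str, chunk: int = CHUNK) -> str:
    """Sample three regions of a file; 'mixed' means the regions disagree."""
    size = os.path.getsize(path)
    offsets = sorted({0, max(0, size // 2 - chunk // 2), max(0, size - chunk)})
    chunks = []
    with open(path, "rb") as fh:
        for offset in offsets:
            fh.seek(offset)
            chunks.append(fh.read(chunk))
    verdicts = {classify(c) for c in chunks}
    if verdicts == {"high-entropy"} and chunks[0].startswith(COMPRESSED_MAGIC):
        return "plausible-content"
    return verdicts.pop() if len(verdicts) == 1 else "mixed"


def triage(root: str) -> dict[str, list[str]]:
    """Group every file under root by verdict (paths relative to root, sorted)."""
    report: dict[str, list[str]] = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            try:
                verdict = classify_file(full)
            except OSError:
                verdict = "unreadable"
            report.setdefault(verdict, []).append(os.path.relpath(full, root))
    return {verdict: sorted(paths) for verdict, paths in report.items()}


if __name__ == "__main__":
    import sys
    for verdict, paths in triage(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{verdict}: {len(paths)} file(s)")
```

A "zero-filled" verdict means the original bytes are gone from that file and only a backup can bring them back; "high-entropy" only says the data looks random and still needs a human to confirm what it is.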

My advice? Make secure backups, folks.

Further reading: How to create a robust data backup plan (and make sure it works)

To learn more about backups, make sure that you listen to this episode of the “Smashing Security” podcast:

Smashing Security #043

043: Backups - a necessary evil?

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.

Carole Theriault

A big thank you to our sponsors, Recorded Future. Recorded Future arms threat analysts, security operators, and incident responders to rapidly connect the dots and reveal unknown threats. Their patented technology automatically collects and analyzes threat intelligence from technical, open, and dark web sources.

Graham Cluley

Why?

Carole Theriault

To provide invaluable context for faster human analysis and real-time integration with your existing security systems. Sign up to their Cyber Daily newsletter and get the latest insights from Recorded Future at recordedfuture.com/intel.

Graham Cluley

Whoa, whoa.

Carole Theriault

Did you just get a bit rude? Is that how you're going to plan to make this show more exciting?

Graham Cluley

Sorry, what did we already say? Bit rude? How was I a bit rude?

Carole Theriault

Okay, maybe I misunderstood. I'm so glad I'm editing this one.

Unknown

Smashing Security, Episode 43: Backups: A Necessary Evil with Carole Theriault and Graham Cluley. Hello and welcome to Episode 43 of Smashing Security. Smashing Security for the 21st of September, 2017. I'm here, my name's Graham Cluley, and I'm joined by my good chum and co-host, Carole Theriault. Hello, Carole.

Carole Theriault

Hello, Graham.

Graham Cluley

Hi there. And we are here today for a very special splinter episode.

Carole Theriault

Buckle your seatbelts, people.

Graham Cluley

Indeed. And we are joined by a special guest returning to the show, Maria Varmazis. Hello, Maria. Hi. Hello.

Maria Varmazis

Aw.

Graham Cluley

I imagine life has changed for you a lot since you last appeared on the show.

Maria Varmazis

Oh, the fan mail just comes flooding in and I just don't know what to do. You're welcome. Yes. You're welcome, really. My life is forever changed. It's been so amazing.

Carole Theriault

I bet you can hardly leave your house now.

Maria Varmazis

The hordes of paparazzi.

Carole Theriault

Exactly. You know, it's so annoying.

Maria Varmazis

It's just a thing.

Carole Theriault

We should have warned you beforehand.

Maria Varmazis

Well, I'm now dealing with the fallout of my last appearance and things will never be the same.

Carole Theriault

Well, let me tell you, if we don't make this topic interesting, you may get rid of your paparazzi because this is gonna be a hard one to keep entertaining.

Graham Cluley

It's gonna be a hard one to keep entertaining. What we're gonna talk about today in this special splinter episode is we're gonna talk about backups.

Carole Theriault

Oh boy.

Graham Cluley

Backups in your home, backups maybe in your small office. We're not gonna look at enterprise backups as such, but it's more sort of how you're gonna deal with your personal computer and devices and keeping those backed up. And my question for you, and by that I mean you two, have you got a backup?

Maria Varmazis

Many, many, many. Yes.

Carole Theriault

Too few.

Graham Cluley

Oh, hello. Let's focus on Carole.

Maria Varmazis

Interesting.

Carole Theriault

No, I'm not gonna be revealing lots of, you know, my backup schedule, okay? Live on air.

Maria Varmazis

Intimate details.

Carole Theriault

So this is gonna be a really interesting show for me. I know that you guys are both backup wars.

Maria Varmazis

Okay.

Graham Cluley

What?

Carole Theriault

So, well, you know.

Maria Varmazis

For the record, you can never have too many, maybe?

Carole Theriault

Exactly.

Maria Varmazis

I wish I had more backup than I do. I never feel like I'm truly secure in my backing up.

Graham Cluley

Call me a backup, Hall. You make me feel like I'm Tina Turner singing Private Dancer. It's my private backup, my backup for money. I don't do backups for money. I do this for free. I do it because I just think it's a jolly good idea to have a backup and to make sure that that backup is secure as well. And that if I need it, I can get back up and running as quickly as possible. So I think the first thing is backups are great, but in many cases people haven't done a backup recently enough. So you'll come across someone who's maybe accidentally overwritten some of their data or they've had a hard disk failure or maybe they've been hit by something like ransomware and you say to them, have you got a backup? And they go, well, I did one last October or something like that. And that's a backup which is older than six months or something.

Carole Theriault

I have been that person.

Graham Cluley

Really?

Carole Theriault

I have been that person. Sorry, I didn't lose my data, but I'm the person who, you know, sometimes in the past I've had months go in between backups.

Graham Cluley

Really? So my first rule of backups is you have to, as much as possible, remove the human element. Because if you're relying on yourself or somebody else to manually do the backup, it ain't going to happen. You're sitting in front of a computer device, right? Which is really good at remembering to do things and doing things on a schedule. Okay, the computers screw up things all the time. But if it's a boring, mundane task, which frankly doing a backup is a boring, mundane task, if it's something which will be easy to forget, then get your computer to do it on a schedule instead.

Carole Theriault

I think that's actually really good advice because a lot of people, me included, have put off doing a backup, a manual backup, because you know it slows everything down just a bit and you're, I'll do it later, I'll do it when I'm finished doing my work, and then you forget.

Graham Cluley

Well, yeah, a lot of people do say backups slow things down. And I think the initial backup can be a lengthy process, can't it? Because when you haven't got any previous backup, if you're backing up your entire hard drive or all the files in your user folder or something like that, then that may take a while to put onto a device or upload to the cloud or wherever it is. And we'll get into the different places maybe you should back up. Once you've done that, then you begin to get into incremental backups where the backup may only be a backup of what has changed since the last full backup instead.

Maria Varmazis

Unless you're like me and let months go between backups and then that incremental backup is massive.

Carole Theriault

Exactly. Thank you, Maria.

Maria Varmazis

And then it becomes a snowballing problem. I'm just awful about it.

Graham Cluley

First of all, let's talk about why we actually need these kinds of backups and then we'll get into different things that we can do to do them. As I said, accidents happen. So I used to be a computer programmer. I remember way, way back, you know, 25 years or whatever, when I was programming on a computer which didn't even have a hard drive. I was saving my source code onto floppy disks.

Carole Theriault

Well done, Grandpa.

Maria Varmazis

I'm glad you said it.

Graham Cluley

And floppy disks obviously are not the most reliable storage format, and they're notoriously bad sectors and things like that. So what happened? So I would have piles and piles of floppy disks, and I'd be so paranoid I was going to lose my work that I'd save it on this floppy disk, but then I'd have another floppy disk, which was a different color or labeled with something else. How did you And I'd have all these different versions and archives of past versions of my source code.

Carole Theriault

And I know how organized you are as well, so that just must have—

Graham Cluley

lose your data?

Maria Varmazis

So they're just sitting on your desk basically, right?

Carole Theriault

Yeah, no, like a pile.

Maria Varmazis

It would have been literal strewn everywhere.

Graham Cluley

Strewn around me like I was one of these people who hoards inside their house, you know, just like mountains of floppy disks everywhere. But that was kind of what it was like because I had nowhere else to put these things. You didn't have USB drives. You didn't have anything else. So you had to use this kind of medium. But I knew that a floppy disk on its own wasn't reliable, and so I'd have multiple floppy disks. And that's one of the first things which I think you need to recognize is that there is this danger that you will have an accident. You will accidentally maybe make a mistake, or you will delete a file, or you will change some code, and you want to move back in time.

Carole Theriault

Yeah, or you've had a virus threat, for example, or someone's stolen your data.

Maria Varmazis

Or your house burns down.

Carole Theriault

Or your house burns down, exactly.

Graham Cluley

So these are the other threats. There's the physical damage which can happen if your house gets flooded or if you suffer a fire or something like that.

Maria Varmazis

Cat pukes on your disks, whatever.

Graham Cluley

Right.

Maria Varmazis

That has never happened to me. That's why I would never mention it.

Graham Cluley

So something like that happens and you want to get your data back and it's like, oh no, this has happened. And so this is my sort of second rule is that if you've got a backup, if the only backup you have is inside your house or another drive which is on your desk, that's not really a backup. I mean, yes, it might recover, it might save you from those sort of accidental deletion of data or something like that.

Maria Varmazis

It's better than nothing.

Graham Cluley

It is better than nothing. And all of these things are better than nothing. And, you know, if you're going to do something, just do something.

Maria Varmazis

Do it properly, is what you're saying?

Graham Cluley

Yeah.

Carole Theriault

So we're talking about people at home, right? This is going to be okay. So what do they have to back up? So I can understand things like photos, email, you know, some files, but just sounds like you won't have to back up your entire system. Is that necessary?

Graham Cluley

Don't need to back up every single file on your hard drive because the operating itself, you know, maybe you got the CD-ROM or you're able to reinstall it onto another computer. Applications you can reinstall from the original media or you can download those from the net if you need to. It's the files which actually belong to you, which you created. So it'd be the photographs. Yeah, it will be— you said the emails actually, but a lot of people will be using a web-based email system.

Carole Theriault

That's true.

Graham Cluley

Although you may still want to back that up. You know, there are arguments for doing that.

Maria Varmazis

Some people still use POP and they download their emails and some people still do that.

Graham Cluley

Yeah, some people are doing that. And you know, there are services available if you want to back up your Gmail, for instance. You may want to back up your contacts details, your calendar perhaps. You may have databases, you may have Word documents. I think maybe for the typical home user though, the most critical thing which you want to back up are probably things which are completely irreplaceable, which would be things like, for instance, legal documents, things like—

Carole Theriault

Photos, videos, yeah, tax returns.

Graham Cluley

Absolutely, family photographs. The number of times when people will be going to data recovery firms saying, "Look, I've had a hard drive crash or something's gone wrong and I can no longer get the photos of my kid." Do you know what?

Carole Theriault

You just have reminded me. So I don't know if this is probably about five years ago, we were robbed at our house. One of the things they took was my laptop with all our pictures on it. You know, we had just got married, da da da. Just by absolute chance, the week before, my other half had backed up all the pictures.

Maria Varmazis

Well done.

Carole Theriault

I know. And the music that was on it, just by chance that happened. And I was so grateful because, you know, in that situation, I didn't care at all about the machine. I just cared about having those.

Maria Varmazis

It's all about the files. Yeah, I'm the family archivist for—I'm the family IT person and the family archivist. So I'm responsible not just for the files on my computer, but my mother's computer. And I'm also the person that saves all the photos and the videos that we've had transferred and taken from film and upgraded onto digital. And last year when my father passed away, it became another additional thing of oh my gosh, if we lose all this stuff, that's what's left of our memories of my dad that are, you know, in photos and video. So I have to make sure that this stuff is backed up really, really well. Otherwise, you know, I'm responsible if something goes wrong. Been my mission to figure out a better solution. And admittedly, I don't have a great one. So this is why this episode's really interesting.

Graham Cluley

So a backup to another drive, maybe on your desk or to a NAS system, NAS storage or something inside your home office or something like that. It's a good idea, but I would argue that it's not a real backup because it is still at risk. Although it probably will avoid the accidental deletion or something like that, there are still other risks involved. One of those will be fire or flood. The other risk, however, is ransomware.

Maria Varmazis

Oh yes.

Graham Cluley

So we have seen destructive malware in the past, but ransomware in recent years has taken off so much. Its whole raison d'être is to attack your most precious files, to lock them up, to make them inaccessible to you. And if you have an accessible drive, a backup drive accessible from your computer, which is infected with ransomware, that ransomware will seek it out and it will encrypt your backup as well.

Maria Varmazis

Oh, that's nasty. That's nasty.

Graham Cluley

But they're nasty little buggers, aren't they?

Maria Varmazis

They are. That's just mean. But they know how to pull on the heartstrings and they know how to convince you to pay up. For this reason, I think you begin to start thinking, well, for these really important files, we need an offsite backup. Really?

Graham Cluley

Because you won't go there every week. You won't remember to take the backup. You were always in a rush because you got so many things to do in your life and it just falls by the wayside. You need offsite backups which are automated. That's my belief.

Maria Varmazis

So the thread I'm picking up here is that people are very undependable and we should just be misanthropists and not trust ourselves or anyone else.

Carole Theriault

The thing is though, Graham is all these things, right? Graham would forget to do it every single week and will assume that everyone else in the world has that same issue.

Maria Varmazis

It's a fair assumption for most of us, let's be real.

Carole Theriault

I would agree because yeah, it's a bit tedious. Yeah, the tediousness, that's a killer.

Graham Cluley

There's always something better to do, right? There's always a video of some—

Carole Theriault

Oh no, backing up's pretty fun.

Maria Varmazis

There's always a video of some Irish folks chasing a bat out of their kitchen.

Carole Theriault

Carole sent me a YouTube video.

Graham Cluley

I can't remember if it was this morning or yesterday. She sent me a video of some Russian— were they Russian kids or something? Anyway, some Eastern European kids from 1969 who were juggling tables on their feet.

Carole Theriault

Of course.

Graham Cluley

Link in the show notes if you want to be distracted from doing a backup.

Maria Varmazis

There's always something more interesting, your phone ringing, and that's why you're not going to back up your things. Quid pro quo. No.

Graham Cluley

So—

Maria Varmazis

Done and done.

Graham Cluley

So I think, yes, back up to a local storage device because, you know, something might— you might have an accident on your computer, you may overwrite the data, you may have some sort of disaster. So backing up onto another local device is a good idea. And in my personal scenario, what I do is my computers wake up at 2 or 3 o'clock in the morning. Any file which has changed gets backed up onto the storage device.

Carole Theriault

That is pretty sweet, right? That it happens when you're, I guess, asleep in your little bed.

Maria Varmazis

But I know people who turn their computers off, off, off. And I'm thinking of my mother, but she's not the only one.

Carole Theriault

Yeah, you know, and I'm actually— that's a good point.

Maria Varmazis

I know a lot of people that turn off Wi-Fi throughout their house in the evening as they're trying to be either eco-friendly or they just don't want to have somebody working on their Wi-Fi when they're not using it or, you know, all sorts of various reasons. So then you have to figure out when is a good time for you to schedule this. And it has to be time when you yourself are also active.

Graham Cluley

And that's— if you haven't got a computer which will sort of automatically wake up and do those sort of things from sort of a sleep mode, then yes, it has to be scheduled at a different time. I'm sure there are programs out there which will detect, oh, you're not doing anything between these hours, therefore I'm going to slowly start backing up to the drive. But that means I've always got something. In fact, the particular system which I use, it basically clones the drive so that I've got a bootable drive.

Carole Theriault

That's cool.

Graham Cluley

If my hard drive inside my computer completely fails, I've got another drive which is at most 24 hours out of date and that I can boot up from. Because for me, the thing about backups is not just getting your data back, it's about getting up and running again as soon as possible because it's going to affect my business.

Carole Theriault

Yes, exactly. But if you're talking to people from a home capacity, do you really feel that that many backups is actually required? Because I don't.

Graham Cluley

What's the harm, right? If the software is only backing up stuff which has changed, what's the harm in it kicking off at midnight or whenever? And just doing a very quick update of whatever has changed. Why not do it?

Carole Theriault

I don't think we should back up our crap. We should just back up the stuff we really want to keep.

Graham Cluley

Oh, but you can be selective, right? You can choose the directories. You can say, okay.

Carole Theriault

So you could say just pictures, just any videos that may have changed, any letters I've updated, whatever.

Maria Varmazis

Exactly. Yeah, that's the approach I take personally. Yeah.

Carole Theriault

But then it makes it a lot faster.

Graham Cluley

Right. Yeah, exactly. Choose those kind of things rather than—

Carole Theriault

A blanket, you know, update everything.

Graham Cluley

Operating system libraries and all those sort of things, which you're not interested in our applications. No worries. Do it, do that way if you want to.

Carole Theriault

So I guess what you're saying is the first question people should ask themselves is what would really upset you if you lost it?

Graham Cluley

Yes.

Carole Theriault

Right? Number one, write a list of that. Then number two, how often are you backing these up, if at all? And what's your plan B if, you know, there's a fire or you have a cyberattack or whatever?

Maria Varmazis

Yep.

Carole Theriault

Yeah. Okay.

Graham Cluley

Okay. So now I've got this backup daily, which is happening inside my office onto another drive, and that's all tickety-boo. You could do it onto a USB stick if you really wanted to, and then you could take it with you. You also want to consider things like encryption, obviously, and your hard drive should be encrypted, yadda yadda. That's a whole different debate.

Carole Theriault

That is important though. If you do do a cloud service, especially if you're using a third party or you want to back up, you want, and you want to protect that data, encryption is the layer you need, right?

Graham Cluley

Yes. I think we're talking more today about safety rather than security. If you get the sort of the subtle difference there, it's more about—

Carole Theriault

I think I'm kidding.

Maria Varmazis

Oh yes.

Carole Theriault

Thank you.

Maria Varmazis

Oh my.

Graham Cluley

But yeah, generally with cloud services, my advice is you want to encrypt the data before you put it into the cloud service. There are some cloud services which obviously are making a living, have made a business out of working out what information they can learn about you and the potential for them to sell marketing data and so forth and do things like that. Some cloud services don't, aren't interested in that, but some are interested in that. So my general rule is that if I'm putting anything sensitive into the cloud, it's going to be encrypted before it gets transmitted to the cloud.

Carole Theriault

Yeah, I think that's a really good point. Really good point.

Maria Varmazis

Can we go back to the idea of encrypting your local drives for a second? Because I actually don't do that and I feel really bad about this. I don't do that. I'm not saying it's a good idea, but I don't.

Carole Theriault

You mean your local drives on your hard drive at home?

Maria Varmazis

Fair enough. Yep.

Graham Cluley

Your computer at home, the primary risk there, of course, is if you get burgled like Ro was. The other thing you can do is you can create little encrypted vaults. You can shove the sensitive files if you wish. So even if you don't want, I can't imagine why you wouldn't want to encrypt your entire hard drive, but if you didn't for any reason.

Maria Varmazis

Laziness, just pure laziness. I'm just so lazy. And I'm just in the confessional right now going, oh my God, I don't do any of these things.

Graham Cluley

Yeah. Hey, look, it's really easy to do.

Maria Varmazis

And I really should, I should, this is my job, you know? I should be doing these things, but I don't because I'm lazy.

Graham Cluley

And it doesn't actually take that long. You know, you could set it off running, do a backup first, just in case, obviously, in case it screws up.

Carole Theriault

I know. I hear you. I think I'm exactly the same. And Graham, you have to understand that I think Maria and I represent more people than you do.

Graham Cluley

Okay, I'm not ridiculing you. I'm sort of gently encouraging. It's probably more important on laptops than it is on desktop computers, because a laptop, you're taking to a restaurant, you're taking out to other people's work.

Carole Theriault

I hope you are not. I'm just saying, it's just your passwords and the encryptions and the backing up and the security software and the firewalls.

Maria Varmazis

Just shaming us. Shame, shame, shame.

Graham Cluley

Once it's set up, then the computer handles everything. You know what my personality is like, right? I'm a complete ass, right?

Carole Theriault

I'm not arguing.

Graham Cluley

But the computer does it all for me. Once it's set up, I don't have to worry anymore.

Carole Theriault

Okay, I have an idea. Why don't you come over to my house and set all mine up?

Graham Cluley

And will you make dinner?

Carole Theriault

Yes, I will make you dinner.

Graham Cluley

I would sort that out for you.

Carole Theriault

Okay.

Graham Cluley

That'd be fun.

Maria Varmazis

Can you fly over to Boston then and do it for me next? I mean, I know in theory how to do these things. But I guess in my mind, if the more of these things that I set up, the harder it is for me to check my backups to make sure they're actually working.

Graham Cluley

Well, yes.

Carole Theriault

Yeah, that's a really good point.

Maria Varmazis

I'm way less worried about being burgled than just losing my, just generally not being able to access my file. So when I weigh those risks, I'm like, I just need accessibility to be number one. Not to try to justify my poor choices in life.

Carole Theriault

No, no, but I think I agree with you. I agree with you. I think these are really, really big things that people ask themselves, and it's great to hear Graham go "you should do this and you should do that." But there's the reality of it here too, right.

Graham Cluley

My solution for offsite backups now — having said, I think it's useless taking your hard drive around to Auntie Jean every week and saying, "can you put this in your fireproof safe" or something like that, right? I just don't think it's going to happen. I think probably for most people, some sort of cloud backup solution is a good idea. There are some very consumer-friendly solutions which will do this, little programs which will run in the background and will only back up the files which have changed. And then if you have any kind of disaster, it could be a hardware disaster, it could be that you've overwritten a file, I find myself using online backup restoration all the time. Because I'll have been doing a little bit of coding on my website or something, or I've deleted a file which I then realized, "ah, damn, that file I had 6 weeks ago, I really need it now," and I've put it into the trash can. I can go to my online backup and it will dig it out for me.

Carole Theriault

Yeah.

Graham Cluley

I could use my local backups as well, obviously for that purpose. I just personally find the online backup software I'm using easier to use and to search for, so I use that. If I was doing a restoration of all of my data, then yes, I'd use the online offsite backup. I'll tell you, I've been using one for years called CrashPlan. It just runs in the background and never bothers me, and it tells me that it last did a backup 2 minutes ago.

Carole Theriault

Isn't CrashPlan not available though for home users anymore? Or something?

Graham Cluley

Well, this is really one of the things which made me think we should talk about backup. So CrashPlan, just a couple of weeks ago, put out this message to their home user customers saying they're no longer going to be selling the consumer version. If you want to keep with them, you have to upgrade to the small business version at least, which does cost more money. And they've suggested that you could switch to some alternatives, and the one which they've sort of partnered with is an alternative called Carbonite, which doesn't do exactly what CrashPlan did.

Maria Varmazis

No, it does not.

Graham Cluley

Doesn't suit everyone. Others out there — there's Backblaze, Mozy, CloudBerry, which will use a variety of cloud drive services as your storage space if you wanted to as well. Personally, I've decided, you know what, I'm going to stick with CrashPlan because I know it works.

Carole Theriault

Yeah, and you have a business at home as well.

Graham Cluley

To be honest, I probably should have been buying the small business version from the beginning, rather than the personal one. Yeah, duh.

Carole Theriault

Okay, Maria, let's make a plan here. You and I are going to get off our backsides and sort out our backups.

Graham Cluley

Ideally, once you've set this up, it shouldn't require really any user interaction, right? It should just work. But the concern which you have obviously is that some of these solutions can get expensive, particularly when you end up being responsible for lots of different computers as well. Now there is a solution which is — well, there's a few solutions which are less expensive. There's the CloudBerry solution, which is just a one-time purchase of a piece of software, which then uses your other cloud drive services, your Google Drive, your OneDrive, your Dropbox, and can use that space to put a backup into.

Carole Theriault

Yeah.

Graham Cluley

What I would advise against, however, is some people think, oh, I've got these syncing services. I should just sync my hard drive or my documents with Dropbox, which isn't a bad thing to do, and then use that as a backup. I don't really believe that is a backup.

Carole Theriault

Why, wait, what, what? What?

Maria Varmazis

All right, clarify.

Graham Cluley

Let me clarify. So something like Dropbox, right? You can say, sync my documents, so you can then access them on your other computers. And that's all great, right? That all works fine. But I don't think that is a backup. And the reason is that if you get ransomware on one of your computers and encrypts the documents in your Dropbox, then it is going to sync all your encrypted documents to those other devices as well.

Carole Theriault

Especially if you have sync turned on all the time for incremental syncs.

Graham Cluley

So it comes back to this issue, which I mentioned earlier, if your backup is accessible from your computer without having to jump through a hoop or something or log into something, then there is the risk that something like ransomware could actually damage it. But another solution, if you want a cheaper solution for cloud backup, is to use cold storage services. And they give you really cheap data buckets which you can stuff your data in. Again, it has to be encrypted. It does require more nerdiness than maybe some of these consumer products you just turn on on your computer. And the way they make the bulk of their money is if you want to access the data. Because with something like Glacier and the cold storage, you shove data in, but it might take 3 or 5 hours if you want to request a piece of data back, or you may have to spend more money to restore your data. So if you're simply archiving, if you're imagining, well, actually I'm very rarely going to need these backups, but it would be nice to know that they're there, then that could be an option which you want to take up.

Carole Theriault

Or you could stick with the USB. If you're at home.

Maria Varmazis

Well, the Amazon Glacier would be great for someone like me who's storing a ton of family photos. I'm not modifying those ever.

Graham Cluley

Yes. Right.

Maria Varmazis

Yeah.

Carole Theriault

Because you don't need to access them or go back and forward all the time. You just want to have a second safe place. But you're going to want to test that backup, Maria.

Maria Varmazis

Yes. Because again, that's what keeps me up at night is if I lose all these photos or voice memos or whatnot, that is all on me and I will be shamed by my family.

Carole Theriault

Basically backing up is a necessary evil. That's how I see it.

Maria Varmazis

Evil though?

Graham Cluley

Something like Amazon Glacier only costs, I mean, less than half a cent per gigabyte per month.

Carole Theriault

Yeah.

Graham Cluley

So it's really, really cheap. It obviously gets more expensive if you want to extract, if you want to request data back out of it to retrieve. But, it's, you know, for that kind of storage, it's perfect.

Maria Varmazis

So is this actually available for the consumer set? As a non-business, would I be able to use that?

Graham Cluley

Yes.

Maria Varmazis

Okay. So I don't have to be some big fancy schmancy guy to do that.

Carole Theriault

We're going to put all these links in the show notes as well. So do check that out, guys, if you want to kind of review any of the suggestions, recommendations that we've provided in the show.

Graham Cluley

We've probably been talking about backups enough. Hopefully we've got everyone thinking about the threats which are out there and how to protect against them. I guess the last thing we should mention is that a backup isn't a real backup unless you've tested it.

Carole Theriault

Yeah, we've talked about that. You have to test your backups.

Graham Cluley

Yes. So otherwise you'll only find out your backup regime has failed when you least want it to fail, when you want to make sure it absolutely is working.

Carole Theriault

This isn't fun. I don't think anyone who tries to tell you this is a fun thing to do is lying.

Graham Cluley

You know what? I'm going to disagree with you. I love setting up little automated systems on my computer to go and do things.

Carole Theriault

Really? Again, I look forward to your visit. Don't dilly-dally. My backups need you. My files need you.

Graham Cluley

Okay. All right. I will pop around and we will sort it out. You might have to get your checkbook out for some of the services, but we'll—

Carole Theriault

Hey, I'm making dinner. I thought I'm making dinner.

Graham Cluley

Yeah. But your dinner isn't going to pay for the online backup service, is it? Oh, that's coming out of my pocket, is it?

Carole Theriault

Now mac and cheese it is.

Maria Varmazis

There's nothing wrong with mac and cheese.

Carole Theriault

You're right there.

Graham Cluley

On the bombshell that Carole is going to feed me mac and cheese, I think it just about wraps it up for today. If you want to find out more about us, go to smashingsecurity.com. You can buy swag at smashingsecurity.com/store or join us on Facebook at smashingsecurity.com/facebook as well. Thank you very much, Maria, for joining us today. Always a pleasure to have you on.

Maria Varmazis

My pleasure.

Carole Theriault

And thank you. I love when Maria's on the show. She's a good guest.

Maria Varmazis

I wish this was a more interesting topic to opine on.

Carole Theriault

You know, I agree, but there we are. I promise I'll get you back.

Graham Cluley

Well, maybe, Carole, in a future episode, you can tell the audience just how much fun it was when I came around and set up all your backup regime for you.

Carole Theriault

Oh wow.

Maria Varmazis

Yeah.

Carole Theriault

Hold on to your hats for that, listeners. This episode of Smashing Security is brought to you in part by Recorded Future. Recorded Future is the real-time threat intelligence company whose patented machine learning technology continuously analyzes technical, open, and dark web sources to give organizations unmatched insight into emerging threats. Sign up for free daily threat intelligence updates at recordedfuture.com/intel.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.

6 comments on “GermanWiper isn’t ransomware. It’s worse than that”

  1. Ray

    Lena might be a tongue-in-cheek reference to Lenna
    https://en.wikipedia.org/wiki/Lenna
    which was a test image derived from a centerfold picture of Lena Söderberg.
    https://en.wikipedia.org/wiki/Lena_S%C3%B6derberg

  2. Chris

    Ray, sounds like a stretch. However, if the next one is from a woman named "Teddi" that will definitely lend credence to the theory. :)

  3. Alinka

    Why don't people learn the basics, such as: Don't open attachments from people you don't know or from emails you don't expect?

    I use Linux and never had such problems.

    1. Graham Cluley · in reply to Alinka

      Don't forget that, in this instance, the email purported to be a CV from someone applying for a job. HR departments find it perfectly normal to receive email attachments from people they don't know, applying for jobs.

      1. Dirk Jumpertz · in reply to Graham Cluley

        Indeed, the soft underbelly of any organization is the HR department and the finance department. Both receive emails with attachments all the time and literally from everywhere and the only firewall capable of detecting if it's fake or not is the human behind the keyboard.

        I'm actually surprised that this type of attack hadn't been tried earlier.

    2. coyote · in reply to Alinka

      It's not that simple. There are many ways that one can be tricked into doing something. If you want to know the reason that social engineering and phishing are so commonly used you need only think about how easy humans are to manipulate. With not much thought you will know that it's used because it WORKS REALLY WELL. Kevin Mitnick knows this and it's what he is really good at. But never mind that.

      As for Linux? Amusing that you think it's immune to malware. It's not. Never has been and never will be. Remember also that the infamous Morris Worm – from 1988 – exploited Unix boxes. There are other examples. Oh and let's see – what about some recent news? Maybe this?

      https://thehackernews.com/2019/08/kde-desktop-linux-vulnerability.html?m=1

      It seems that even downloading it – but not opening it (and I invite you to think on how that could be complemented with this attack because it's instructive to understand how things can be combined to be even more effective and dangerous) – can lead to an RCE. If that doesn't say enough to you I don't think anything else will.

      There's one other thing though to consider that's not even to do with safe computing: ignorance and lack of awareness. Ask yourself this too: if you're unaware of this type of thing how can you even know that you're unaware that there is even the possibility? And then there are those who are vulnerable. It's never as simple as you're making it out to be. Life simply isn't simple and it's actually better; if it was simple what would we really have in comparison to now?
