What happens if laptop stolen?

Message Topic Search Topic Options Post Reply Create New Topic Printable Version Translate Topic

We've had a really great question from Dave which he's agreed for us to share.
----
Hi

I have been using Buddy Backup for some time now.
I was wondering, If my PC/Laptop is stolen and the person who stole it removes the Back up program from the PC/Laptop.
Will
 this not delete all my backups from my friends PC's before I get the 
chance to restore my files or will they be safe until I get a new PC?

Also could we have a Password setting to change or remove Back Up sets.

Regards Dave.
Summary of our response:

The answer is yes and no...!

So
 basically, in order to tell your buddies to remove your backups, 
BuddyBackup has to prove it's you using a password. This is even true 
during the uninstall process.

Your password is kept in a file in your user directory (e.g. "C:\Users\USERNAME\AppData\Local\BuddyBackup").
 In order to make BuddyBackup tell all your buddies to remove your 
backups, the attacker  therefore needs access to that file. By default, 
files in your user directory are not accessible to other people. So, if 
your Windows is protected with a decent password (and it really should 
be), then it makes it harder, though not impossible for the attacker to 
remove your backups, because Windows won't usually let him read that 
file.

However, this current system won't stop a determined attacker who 
knows what they're doing. Just for everyone's sanity I'm not going to 
explain exactly how they might go about doing this, but it is possible.

So, to summarise, if you have a good Windows password then it's hard
 for a casual attacker to do this, though by no means impossible.

If
 you're running Windows 7 Professional, Ultimate or Enterprise, there is
 a workaround, however, that can make this very secure. The 
workaround basically uses Windows' built in Encryption File System:

1. Press Windows+R   (as in the Windows "Start" key on your keyboard at the same time as the "r" key)
2. Type in:

XP: C:\Documents and Settings\USERNAME\Local Settings\Application Data

Vista/7: C:\Users\USERNAME\AppData\Local

3. Press enter
4. Right click on the "BuddyBackup" folder and choose "Properties"
5. Click "Advanced"
6. Click "Encrypt contents to secure data"

7. Click "OK"
8. Click "Apply Changes to this Folder Only" (IMPORTANT)
9. Click "OK".

Step
 8 is important as encrypting files slows some things down, and you only
 really want to encrypt the data files. This solution, again, requires 
that your account be locked with a decent password.

For other users, the options are a bit more limited. You could use a
 hard drive encryption system such as TrueCrypt (open source) or 
BitLocker (Windows, though again only some versions of Windows 7). Actually this is a good idea anyway - I mean if you're laptop is stolen and it has credit card details, passwords and personal information on it, then losing your BuddyBackup details is probably the least of your worries!

We
 could try and improve this actually in BuddyBackup. For example, a 
simple solution would be to simply ask the user for his password at 
startup and not save it in the user file! We've always avoided this 
because it seemed like it would be a pain to have to re-enter every time
 you login. There are also some things that Windows provides us to 
encrypt data against your user password, which is probably the way to do
 this. I'll make sure we look into it. 

Anyway, great question and thanks for using BuddyBackup.

John

Author	Message Topic Search Topic Options Post Reply Create New Topic Printable Version Translate Topic
John Members Profile Find Members Posts Visit Members Homepage Admin Group Head of development Joined: 02/May/2006 Location: United Kingdom Status: Offline Points: 203	Post Options Post Reply Quote John Report Post Thanks(0) Quote Reply Topic: What happens if laptop stolen? Posted: 12/July/2011 at 1:11pm
	We've had a really great question from Dave which he's agreed for us to share. ---- Hi I have been using Buddy Backup for some time now. I was wondering, If my PC/Laptop is stolen and the person who stole it removes the Back up program from the PC/Laptop. Will this not delete all my backups from my friends PC's before I get the chance to restore my files or will they be safe until I get a new PC? Also could we have a Password setting to change or remove Back Up sets. Regards Dave. Summary of our response: The answer is yes and no...! So basically, in order to tell your buddies to remove your backups, BuddyBackup has to prove it's you using a password. This is even true during the uninstall process. Your password is kept in a file in your user directory (e.g. "C:\Users\USERNAME\AppData\ Local\BuddyBackup"). In order to make BuddyBackup tell all your buddies to remove your backups, the attacker therefore needs access to that file. By default, files in your user directory are not accessible to other people. So, if your Windows is protected with a decent password (and it really should be), then it makes it harder, though not impossible for the attacker to remove your backups, because Windows won't usually let him read that file. However, this current system won't stop a determined attacker who knows what they're doing. Just for everyone's sanity I'm not going to explain exactly how they might go about doing this, but it is possible. So, to summarise, if you have a good Windows password then it's hard for a casual attacker to do this, though by no means impossible. If you're running Windows 7 Professional, Ultimate or Enterprise, there is a workaround, however, that can make this very secure. The workaround basically uses Windows' built in Encryption File System: 1. Press Windows+R (as in the Windows "Start" key on your keyboard at the same time as the "r" key) 2. Type in: XP: C:\Documents and Settings\USERNAME\Local Settings\Application Data Vista/7: C:\Users\USERNAME\AppData\Local 3. Press enter 4. Right click on the "BuddyBackup" folder and choose "Properties" 5. Click "Advanced" 6. Click "Encrypt contents to secure data" 7. Click "OK" 8. Click "Apply Changes to this Folder Only" (IMPORTANT) 9. Click "OK". Step 8 is important as encrypting files slows some things down, and you only really want to encrypt the data files. This solution, again, requires that your account be locked with a decent password. For other users, the options are a bit more limited. You could use a hard drive encryption system such as TrueCrypt (open source) or BitLocker (Windows, though again only some versions of Windows 7). Actually this is a good idea anyway - I mean if you're laptop is stolen and it has credit card details, passwords and personal information on it, then losing your BuddyBackup details is probably the least of your worries! We could try and improve this actually in BuddyBackup. For example, a simple solution would be to simply ask the user for his password at startup and not save it in the user file! We've always avoided this because it seemed like it would be a pain to have to re-enter every time you login. There are also some things that Windows provides us to encrypt data against your user password, which is probably the way to do this. I'll make sure we look into it. Anyway, great question and thanks for using BuddyBackup. John

infiltrator25 Members Profile Find Members Posts Visit Members Homepage Pro Buddy Joined: 19/May/2010 Status: Offline Points: 13	Post Options Post Reply Quote infiltrator25 Report Post Thanks(0) Quote Reply Posted: 16/July/2011 at 5:51pm
	I agree with both sides here: 1. User should have Windows-level security or even hard drive level security (via TrueCrypt or another application) if this is really a concern. 2. BuddyBackup's security needs to be increased. The concern here being that a kid or another legitimate user of your computer (or even computer technician) could accidentally mess up your backups. The solution being: Require user login to BB before any adjustments can be made to the backup sets. Keep in mind: 1. This will affect explorer integration (right-click and add/remove from BB) 2. This should be an option. Remember password? y/n 3. The DEFAULT setting should be to require login. But all CURRENT users should not be changed (otherwise I'm going to have to get in touch with about 10 not-so-computer-savvy users and get them fixed up). 4. The new "install as service" ability should NOT be the only answer to "Remember my password". The GUI should be capable of being accessed without a password (if this option was set) or you could choose to install as service to do backups, and then prompt password on GUI startup. 5. If prompting for password is set, backups should still continue regardless of being logged in or not. Password should only be needed to make changes. Conclusion: The necessity of this feature is minimal (in my opinion), though should be implemented eventually.

Amber Computers Members Profile Find Members Posts Ultra Buddy Joined: 24/June/2011 Location: United Kingdom Status: Offline Points: 73	Post Options Post Reply Quote Amber Computers Report Post Thanks(0) Quote Reply Posted: 28/April/2012 at 1:05pm
	Hello, I would like to add to this topic as I think Dave and infiltrator25 have made some very important points. Stolen equipment scenario I think this scenario is something that BB must fundamentally be able to guard against. A strong selling point for any online backup system is that customers can still retrieve their data, even if their equipment is stolen. If I understand correctly, BB is still venerable here. The only practical way I can think of to guard against this scenario, is for BB to incorporate some sort of retention policy that can only be set on the Buddy the data is being stored on. That way if the Buddy receives an instruction to delete all files, significant percentage of or remove the Buddy completely, BB should present an opportunity to the person storing the data to check with the actual person that this is what they want. For those with multiple Buddies maybe there needs to be a ‘Master’ buddy selected to perform this role. Ultimately BB itself must work in such a way as to protect the user in this scenario. Passwords, encryption or 3rd party products should only be considered as additional precautions a user can take. I would be weary of other encryption used outside of BB in case this unintentionally prevents accessing restored files (though I am certainly no expert in this area). A nice-to-have would be a mechanism for reporting if equipment is stolen via a webpage so appropriate action could be taken. Unauthorised or accidental changes I agree that access to the GUI should always be allowed and that backups should run. However for those providing a backup service I differ in respect that I think the option of password protecting settings is a must. If I understand BB correctly, I am currently reliant upon my customers not fiddling with settings and cannot prevent an individual customer increasing the amount of data they backup to me. I really need the option of being in full control of what a customer can and cannot do. Customers should still be able to change what is backed up and retrieve files without needing the ‘settings’ password. I very nice-to-have would be the ability of globally & individually controlling customer settings via a webpage. Regards Paul

John Members Profile Find Members Posts Visit Members Homepage Admin Group Head of development Joined: 02/May/2006 Location: United Kingdom Status: Offline Points: 203	Post Options Post Reply Quote John Report Post Thanks(0) Quote Reply Posted: 29/April/2012 at 2:06pm
	Paul makes some good points here. One option is to make BB peers keep backups for, say, 30 days even when instructed to delete them, so you can always get them back in a malicious attack (would also be useful for accidental deletion). I still think that it's probably the user's responsibility to encrypt their laptop (for example using BitLocker or equivalent). Remember if they have access to BuddyBackup on that computer, then they probably have access to EVERYTHING. So, if they were particularly minded, they could use your e-mail or instant messaging to email your buddies to say "hey don't worry about this". I'm not minimising the fact that BB could do better to protect users here, but just saying that worrying about an attacker malicously deleting your backups seems less important when then have access to your e-mail, web history and possibly even credit cards! Good points though. John

Amber Computers Members Profile Find Members Posts Ultra Buddy Joined: 24/June/2011 Location: United Kingdom Status: Offline Points: 73	Post Options Post Reply Quote Amber Computers Report Post Thanks(0) Quote Reply Posted: 05/May/2012 at 5:27pm
	Hello, I agree responsibility is split here; encrypting a laptop, protecting passwords and the consequences if a laptop is stolen should be the end users responsibility. Ensuring that data can be retrieved should be BBs responsibility. If BB could incorporate a 30 day peer side retention policy that would be fantastic! This would negate the need to re-upload a file/folder if it is accidently deselected from the ‘Choose Backup’ menu and provide an opportunity to deal with the ‘stolen equipment’ scenario. The end user should report if equipment is stolen, but any additional automated notification system would be beneficial. A telephone call to the end user can always negate any "hey don't worry about this" attempts. I will submit a Feature Request. Thanks to Dave for raising an important topic. Regards Paul