Wednesday 3 September 2014

Backing up and restoring devices using the cloud

There's been a fair bit of publicity recently about not having 2 factor authentication when restoring a device from the cloud (specifically,  iCloud) (though at time of writing it's still unclear whether the attack was through 'guessing' the password).

Personally, I wouldn't use any cloud based DEVICE back up (Apple, HTC...). It seems to be asking for trouble (I do back up documents, photos etc which do have two factor authentication available for most cloud services). For device backup I stick with local backups for some devices. For Apple that means using iTunes backup NOT iCloud backup. (Though for some devices I just do a full factory restore from time to time and load the apps I need.  It's good spring cleaning and the documents and data I need I can get to from apps that access cloud storage (can also go into iCloud to delete backups)

There was publicity around the impact of iCloud not supporting 2 factor authentication around May last year when Apple introduced 2fa for other things (I think it was just after the google drive script flaw and a few months after the touchWiz remote takeover hack). Cloud restore of a backup should have some authentication. Obviously,  there's having a decent password (and having strong security q&a eg NOT using your real date of birth,  not providing your real mothers birth name...).  Though none of the devices I have that offer cloud back up and restore directly (including my Android devices) actually claim to support 2fa.
Cloud security is an issue and attacks will continue to increase. The increased convenience of cloud and internet connectivity comes with a few downsides/risks. 'Box' (cloud storage on android, iOS and WP) has a good reputation in the security area and being non platform specific they have a strong vested interest in covering security on different platforms.

I'd definitely recommend that people use 2 factor authentication. Whilst it doesn't cover every aspect it does cover a number of other scenarios. I know lots of people who use Evernote & OneNote for doing lots of notes. Many people use 2fa with OneNote because it's linked to their hotmail account and OneDrive account- and they use 2FA for that. However, most people I know haven't enabled 2fa on Evernote.

For important passcodes etc there's a lot to be said for physically writing them down or using a non connected device like an old Psion organiser! (And for the paranoid using a cypher). 

For anyone interested on security Steve Gibson's Security Now podcast is a great listen: https://www.grc.com/securitynow.htm (and if you're already a listener you probably won't click on the link!)

No comments:

Post a Comment