#1
09-08-2006, 02:10 PM
goglorieux@hotmail.com
Backup secure enough?

I want to do remote backups and need opinions whether this is secure
enough? Not looking for bomber proof security but at least a decent
security level so the weekend hacker can't open my files.

1. Backup file is 256-bit encrypted
2. Transfer via regular ftp
3. Store on the server used for my web hosting in a password protected
folder

Some of the options I've considered

1. Transfer via SSL ftp transfer: but if the file transferred is
already encrypted, does a SSL transfer add any value?
2. I suspect a password protected web folder can rather easily be
cracked, however, the backup file being 256-bit encrypted, how likely /
easily can this be cracked?

Thanks for your feedback!

S


#2
09-08-2006, 04:07 PM
Walter Roberson
Re: Backup secure enough?

In article <1157724637.200249.147300@b28g2000cwb.googlegroups.com>,
<goglorieux@hotmail.com> wrote:
>I want to do remote backups and need opinions whether this is secure
>enough? Not looking for bomber proof security but at least a decent
>security level so the weekend hacker can't open my files.


>1. Backup file is 256-bit encrypted
>2. Transfer via regular ftp
>3. Store on the server used for my web hosting in a password protected
>folder


>Some of the options I've considered


>1. Transfer via SSL ftp transfer: but if the file transferred is
>already encrypted, does a SSL transfer add any value?


256-bit encrypted doesn't tell us very much about the strength of
the encryption algorithm. If I were to encrypt the backup by xor'ing
blocks of 8 bytes with the string "Not SAFE", then that's a 256 bit
encryption.

There are a lot of encryption schemes that are much easier to attack
if you can get several different examples (each of which has the same
general structure...) SSL negotiates a different encryption key for
each transfer, so if you happen to be using one of those less-strong
encryptions on the backups, transferring via SSL -will- decrease your
risks.

If the encryption scheme is built into the backup program, then you
should be wary. Built-in encryption schemes tend to have
back-doors so that when the customer loses the key they can take
the file to the company and the company can get the data back for them.
Then too in the USA there are requirements related to "Homeland Security",
and there are requirements related to proving you aren't in violation
of securities laws, so companies are under pressure to use a breakable
encryption. And if the company markets the product outside of the US,
Canada, and [only] about 8 other countries, then strong encryption is a
controlled product, so either they have an "export version" or they
use an encryption that isn't stronger than 56 bits effective.

Thus for stronger security, do the encryption yourself, preferably
with an open-source encryption program developed outside of the USA.

#3
09-08-2006, 11:16 PM
Ludovic Joly
Re: Backup secure enough?

goglorieux@hotmail.com wrote:

> 1. Backup file is 256-bit encrypted

AES 256, Serpent-AES, ... nice.

> 2. Transfer via regular ftp

Very dangerous. Clear passwords open your system to the attackers. You
are careful today. What about tomorrow? If your system gets compromised
you are dead. Imagine you are boxing.

> 3. Store on the server used for my web hosting in a password protected folder

Very, very dangerous. First, you want to separate your backups machine
and your web server since a hacker will as a first step attack your web
server, almost by instinct. Try to never give an attacker an advantage.
Even if your data is encrypted, it is more safe to keep it away from
the sharks, because once the encrypted data is stolen the need for an
attacker to steal the encryption key becomes urgent. Secondly, every
time you are asked for a password be skeptical, because passwords, if
not random, are very weak.

> Some of the options I've considered
> 1. Transfer via SSL ftp transfer: but if the file transferred is
> already encrypted, does a SSL transfer add any value?

At least it doesn't hurt.

> 2. I suspect a password protected web folder can rather easily be
> cracked, however, the backup file being 256-bit encrypted, how likely /
> easily can this be cracked?

Are you sure you will never decrypt, even temporarily, your data to
this folder? Are you sure an attacker can't get out of this folder once
inside?

Kind regards
Ludovic

Please visit The Henry Madsen Band
http://thehenrymadsenband.atspace.com/
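
As an added example (not part of any post in this thread): uploading the already-encrypted backup over explicit FTPS with Python's standard `ftplib`, so the login password is not sent in clear text as it is with regular ftp. The host, account and file names are placeholders supplied by the caller.

```python
import ssl
from ftplib import FTP_TLS

def tls_context() -> ssl.SSLContext:
    """TLS settings that verify the server certificate and its hostname."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED plus hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def upload_backup(host: str, user: str, password: str,
                  path: str, remote_name: str) -> str:
    """Send one encrypted backup file over explicit FTPS; returns the server reply.

    All arguments are placeholders chosen by the caller (assumption).
    """
    with FTP_TLS(context=tls_context()) as ftps:
        ftps.connect(host, 21)
        ftps.login(user, password)  # ftplib issues AUTH TLS before USER/PASS
        ftps.prot_p()               # without this the data channel stays unencrypted
        with open(path, "rb") as fh:
            return ftps.storbinary(f"STOR {remote_name}", fh)
```

Passing an explicit context matters here: when `FTP_TLS` is created without one, `ftplib` falls back to a context that does not verify the server certificate.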


#4
09-11-2006, 12:54 PM
goglorieux@hotmail.com
Re: Backup secure enough?

Thanks Walter and Ludovic.

Based on your responses, I guess AES 256 isn't too bad. Wrt to server,
I'll use a different server with SSL ftp enabled.

Thanks very much for your input.

Regards,

S

Ludovic Joly wrote:

> goglorieux@hotmail.com wrote:
>
> > 1. Backup file is 256-bit encrypted

> AES 256, Serpent-AES, ... nice.
>
> > 2. Transfer via regular ftp

> Very dangerous. Clear passwords open your system to the attackers. You
> are careful today. What about tomorrow? If your system gets compromised
> you are dead. Imagine you are boxing.
>
> > 3. Store on the server used for my web hosting in a password protected folder

> Very, very dangerous. First, you want to separate your backups machine
> and your web server since a hacker will as a first step attack your web
> server, almost by instinct. Try to never give an attacker an advantage.
> Even if your data is encrypted, it is more safe to keep it away from
> the sharks, because once the encrypted data is stolen the need for an
> attacker to steal the encryption key becomes urgent. Secondly, every
> time you are asked for a password be skeptical, because passwords, if
> not random, are very weak.
>
> > Some of the options I've considered
> > 1. Transfer via SSL ftp transfer: but if the file transferred is
> > already encrypted, does a SSL transfer add any value?

> At least it doesn't hurt.
>
> > 2. I suspect a password protected web folder can rather easily be
> > cracked, however, the backup file being 256-bit encrypted, how likely /
> > easily can this be cracked?

> Are you sure you will never decrypt, even temporarily, your data to
> this folder? Are you sure an attacker can't get out of this folder once
> inside?
>
> Kind regards
> Ludovic
>
> Please visit The Henry Madsen Band
> http://thehenrymadsenband.atspace.com/



#5
09-12-2006, 07:48 AM
Lukasz Sztachanski
Re: Backup secure enough?

On Mon, Sep 11, 2006 at 05:54:28AM -0700, goglorieux@hotmail.com wrote:
> Thanks Walter and Ludovic.
>
> Based on your responses, I guess AES 256 isn't too bad. Wrt to server,
> I'll use a different server with SSL ftp enabled.
>
> Thanks very much for your input.
>

If you're looking for a decent security level and choosing AES 256 (probably
CBC or CTR, rather than ECB), you should reflect on the way you store your
backup encryption keys or even the salt/seed file - that's the weakest point.


- Lukasz Sztachanski


--
0x01A3E654 // 7832 E59C B733 9E6F CB54 6327 DFC1 161E 01A3 E654
*new keys*
http://entropy.pl
http://entropy.pl/?blog
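
Added example, not code from any poster: a small Python audit that looks for two warning signs in an encrypted backup file, repeated 16-byte blocks (what ECB produces) and low byte entropy (what a repeating-key XOR produces), as one way to check the points Walter and Lukasz raise. The samples are constructed, and `ecb_like` and `ctr_like` are keyed-hash stand-ins that only mimic the block behaviour of those modes; they are not AES.

```python
import hashlib, hmac, math
from collections import Counter

BLOCK = 16  # AES block size in bytes

def repeated_blocks(data: bytes) -> int:
    """Number of 16-byte blocks that duplicate an earlier block."""
    blocks = [data[i:i + BLOCK] for i in range(0, len(data) - BLOCK + 1, BLOCK)]
    return len(blocks) - len(set(blocks))

def byte_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; sound ciphertext sits close to 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def audit(data: bytes) -> list:
    """Return the warning signs found in an encrypted backup."""
    findings = []
    if repeated_blocks(data):
        findings.append("repeated-blocks")
    if byte_entropy(data) < 7.5:
        findings.append("low-entropy")
    return findings

# Constructed samples: every scheme below uses the same 256-bit key.
KEY = hashlib.sha256(b"constructed demo key").digest()
# tar-like plaintext: a short name, then zero padding up to 512 bytes, 8 records
PLAIN = b"".join(b"file%02d.txt" % i + bytes(502) for i in range(8))

def prf(msg: bytes) -> bytes:
    return hmac.new(KEY, msg, hashlib.sha256).digest()

def xor_repeating(data: bytes) -> bytes:
    """Repeating-key XOR, the kind of scheme Walter warns about."""
    return bytes(b ^ KEY[i % len(KEY)] for i, b in enumerate(data))

def ecb_like(data: bytes) -> bytes:
    """Stand-in for ECB: each block is mapped on its own, so equal blocks match."""
    return b"".join(prf(data[i:i + BLOCK])[:BLOCK] for i in range(0, len(data), BLOCK))

def ctr_like(data: bytes) -> bytes:
    """Stand-in for CTR: XOR with a counter-derived keystream (fixed start, demo only)."""
    stream = b"".join(prf(i.to_bytes(8, "big")) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

if __name__ == "__main__":
    for name, enc in [("xor", xor_repeating), ("ecb", ecb_like), ("ctr", ctr_like)]:
        print(name, audit(enc(PLAIN)))
```

An empty result only rules out these gross failures; it says nothing about how the key, salt or seed file is stored.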
