
Possible security flaw in Norton Cloud back-up.

I have a multiple machine "Norton Security with Internet BackUp" license. I've installed it on my own personal Win7 machine as well as the machines of my family members and my employees. Yesterday, while preparing an old WinXP machine to be available to train an employee in the use of Excel, I was very alarmed to see listed, when going to "My Computer", under "computer," a Norton "Drive" with the name of my personal Win7 machine. It was listed just like an external USB drive. Furthermore, I was able to navigate through the directory and recover a file shown in a directory. My concern was, could my files be seen from the other machines that I had similarly set up. Unfortunately, I did not capture a screen image, and today, the next day, I've been unable to replicate the situation, but I know what I saw was real.

Norton's tech, in a text chat session, insists no one can view my backed up files without first having logged into my account. Yet, on a machine connected via WiFi to my open network, I was able to view my personal information.

Now it is possible that the machine was not powered down between when I entered my Norton user name, password, and PIN (sent to my cell telephone), but I'm certain that I had Windows restart the machine. I have never before or since seen the Norton-Cloud-Backup listed as a "drive," connected to the computer. However, even had I not re-started the machine, I would expect Norton to warn me that I needed to restart to prevent access to the cloud back up.

Should I be concerned?

Replies


Re: Possible security flaw in Norton Cloud back-up.

While you can see the names of files on the Norton Backup Drive, you cannot open them unless you are signed into your Norton Account.  Also you must be logged into Windows as an Administrator to see the Norton Backup Drive.  If you are allowing someone to use a computer on which you have information stored, it is always a good idea to password protect your accounts and create a new non-administrator account for the new user.


Re: Possible security flaw in Norton Cloud back-up.

I don't necessarily agree with Norton Fighter25. I've since been able to recreate the situation I described, and there still appear to be potential privacy issues.

I load Norton Internet Security w/ backup on the computers of my family and the people that work for me. To load Norton onto a computer, I must log into my Norton account and provide password and second-means verification code. As best I can tell, once I do that, using that machine, I can view any of the files that have been backed up from other machines WITHOUT entering another password. Hence, if I was to load the program on an employee's machine, not log out, and leave the machine on for the employee to use, that employee could then look at my personal files. Hence, there should be a log out warning as part of the install instructions.

Now for the Norton back-up feature to be useful, I need to be able to use it to back up the files on each employee's machine. Further it appears, that once an initial backup has been established for a given machine, no password is required to update the backup. Hence, consider the scenario where: (1) I install Norton on an employee's machine, (2) I do an initial backup, and then (3) after logging off, I release the machine to the employee. At a later date, the employee, prompted by a Norton pop-up window, selects the option to update his back-up. My initial tests indicate he need not provide a password. He'd need a password to access the back-up, but he doesn't need a password to update. However, if I'm correct, I as the account owner can log onto the master Norton account and read the contents of the back-up of the employee's machine without the knowledge or specific consent of the employee.

QUESTION .. Am I correct?


Re: Possible security flaw in Norton Cloud back-up.

WindsurferLA:

I don't necessarily agree with Norton Fighter25. I've since been able to recreate the situation I described, and there still appear to be potential privacy issues.

I load Norton Internet Security w/ backup on the computers of my family and the people that work for me. To load Norton onto a computer, I must log into my Norton account and provide password and second-means verification code. As best I can tell, once I do that, using that machine, I can view any of the files that have been backed up from other machines WITHOUT entering another password. Hence, if I was to load the program on an employee's machine, not log out, and leave the machine on for the employee to use, that employee could then look at my personal files. Hence, there should be a log out warning as part of the install instructions.

Using IT best practice, you do not leave your computer in a business setting without locking the screen. In your case, you should not allow regular users to use an admin account. Set up a non admin account for other users to avoid what you describe. They will not be able to look at the backups if they are using a non admin account.

Now for the Norton back-up feature to be useful, I need to be able to use it to back up the files on each employee's machine. 

One thing to remember is that the online storage is shared among all users and all computers on your subscription. If you are backing up to the Norton online storage included with your product you only have a total of 25GB unless you purchase more. You could backup to a local computer or NAS on your network without this restriction.

Further it appears, that once an initial backup has been established for a given machine, no password is required to update the backup.

You would need to be using your admin account to set up the initial backup on each machine. After that, just let the users use the non admin account you created above. 

Hence, consider the scenario where: (1) I install Norton on an employee's machine, (2) I do an initial backup, and then (3) after logging off, I release the machine to the employee. At a later date, the employee, prompted by a Norton pop-up window, selects the option to update his back-up. My initial tests indicate he need not provide a password. He'd need a password to access the back-up, but he doesn't need a password to update.

Starting a backup is the only action a non admin user can do. Norton usually does not prompt to do a backup. When you set up the backup, it defaults to automatic backups with no user intervention needed. They still cannot make any changes to what is backed up.

However, if I'm correct, I as the account owner can log onto the master Norton account and read the contents of the back-up of the employee's machine without the knowledge or specific consent of the employee.

You could log into https://nobu.backup.com/session/new with your Norton Account details, and you would be able to see all the backups from all machines on your account. Or you could log in locally on each machine with the admin account and check the backup files.

QUESTION .. Am I correct?

The bottom line is that there is no security risk with the Norton backup if you use proper business procedures and never allow employees to use a Windows admin account.

Things happen. Export/Backup your Norton Password Manager data.
