ADSM-L

Re: [ADSM-L] Ransomware deleted TSM backups from node

2015-02-03 08:20:44
Subject: Re: [ADSM-L] Ransomware deleted TSM backups from node
From: Zoltan Forray <zforray AT VCU DOT EDU>
To: ADSM-L AT VM.MARIST DOT EDU
Date: Tue, 3 Feb 2015 08:18:11 -0500
A good idea but for us, most of our backups/archives on Oracle systems are
done manually/system managed, not TSM server scheduled.  Plus you have no
realistic idea of how long the backup could run.  We have Notes backups
that run 10-days!

On Mon, Feb 2, 2015 at 5:54 PM, Marcel Anthonijsz <marcel AT anthonijsz DOT net>
wrote:

> Can Schedule an admin schedule around the Oracle/Notes backup window to
> enable/disable BACKDEL=YES/NO.
>
> It is not an ideal situation, but decreases the risk. And if you configured
> these nodes with specific nodenames (like you should) the malware could not
> get to those clients.
> Or they should scan the host for all available TSM OPT files and act from
> these...
>
> 2015-02-02 19:44 GMT+01:00 Zoltan Forray <zforray AT vcu DOT edu>:
>
> > Same goes for Oracle and Notes backups.  They manage their own backups so
> > no way to get around this.  Same goes for PASSWORDACCESS GENERATE - AFAIK
> > can't schedule backups without it....
> >
> > On Mon, Feb 2, 2015 at 12:44 PM, Schneider, Jim <jschneider AT ussco DOT com>
> > wrote:
> >
> > > Roger,
> > >
> > > According to my TSM Data Protection for SQL 6.4 manual, servers that run
> > > TDP for SQL require backdelete authority.  I don't know how to get around
> > > this problem.
> > >
> > > Jim Schneider
> > >
> > > -----Original Message-----
> > > From: ADSM: Dist Stor Manager [mailto:ADSM-L AT VM.MARIST DOT EDU] On Behalf Of
> > > Roger Deschner
> > > Sent: Friday, January 30, 2015 7:40 PM
> > > To: ADSM-L AT VM.MARIST DOT EDU
> > > Subject: [ADSM-L] Ransomware deleted TSM backups from node
> > >
> > > I'm not sure there's anything that can be done about this, but take it as
> > > a warning anyway.
> > >
> > > A Windows 7 desktop node here was attacked by CryptoWare 3.0 ransomware.
> > > They encrypted all files on the node, and left a ransom note.
> > >
> > > The node owner called me because they were having trouble restoring their
> > > files from TSM using a point-in-time restore. The files were gone!
> > > Apparently this villain located which backup program was installed, found
> > > it was TSM, and issued actual dsmc delete backup commands, which they were
> > > allowed to do since PASSWORDACCESS GENERATE was in effect. So this attack
> > > vector is not limited to TSM; it would work with any backup program that
> > > the villain can figure out how to use.
> > >
> > > I have moved this node to a domain that includes VEREXISTS=NOLIMIT
> > > VERDELETED=NOLIMIT RETEXTRA=NOLIMIT RETONLY=NOLIMIT for that Copy Group,
> > > while our data security people investigate.
> > >
> > > I am planning to change all TSM client nodes to BACKDEL=NO ARCHDEL=NO to
> > > prevent a hacker from deleting backups. Anybody got a better idea?
> > >
> > > Roger Deschner      University of Illinois at Chicago     rogerd AT uic DOT edu
> > > =================== ALL YUOR BASE ARE BELONG TO US!! ===================
> > >
> > >
> >
> >
> >
> >
>
>
>
> --
> Kind Regards, Groetje,
>
> Marcel Anthonijsz
> T: +31(0)299-776768
> M:+31(0)6-53421341
>



--
*Zoltan Forray*
TSM Software & Hardware Administrator
BigBro / Hobbit / Xymon Administrator
Virginia Commonwealth University
UCC/Office of Technology Services
zforray AT vcu DOT edu - 804-828-4807
Don't be a phishing victim - VCU and other reputable organizations will
never use email to request that you reply with your password, social
security number or confidential personal information. For more details
visit http://infosecurity.vcu.edu/phishing.html
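The two mitigations discussed in this thread, Roger's plan to set BACKDEL=NO ARCHDEL=NO on every node and Marcel's admin-schedule workaround for TDP/Oracle/Notes nodes that need delete authority during their backup window, can be turned into a dsmadmc macro from an audit of the NODES table. The script below is an added example, not code from the thread or from IBM; the node names and the 18:00 to 06:00 window are assumptions, and the sample rows are constructed to look like `dsmadmc -dataonly=yes -tab` output for `select node_name,backdelete,archdelete from nodes`.

```python
"""Audit TSM node delete authority and emit a hardening macro."""

# Constructed sample of `dsmadmc -dataonly=yes -tab` output for
#   select node_name,backdelete,archdelete from nodes
# (node names are made up; not data from the thread).
SAMPLE_NODES = """\
WS-DESKTOP01\tYES\tYES
WS-DESKTOP02\tNO\tNO
SQL-TDP01\tYES\tNO
ORA-DB01\tYES\tYES
"""


def parse_nodes(text):
    """Return [(node, backdel, archdel)] from tab-delimited dsmadmc rows."""
    rows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3:
            continue  # blank or malformed line
        name, backdel, archdel = (p.strip().upper() for p in parts)
        rows.append((name, backdel == "YES", archdel == "YES"))
    return rows


def harden_macro(text, window_nodes, window=("18:00", "06:00")):
    """Build dsmadmc macro lines.

    Ordinary nodes lose BACKDEL/ARCHDEL outright. Nodes in window_nodes
    (TDP for SQL, Oracle, Notes) need backdelete authority, so they start
    with backdelete=no and get two daily admin schedules that grant it only
    for the backup window. Caveat raised in the thread: a backup that runs
    past the window end loses delete authority mid-run. ARCHDEL on window
    nodes is left for the admin to decide.
    """
    on_at, off_at = window
    lines = []
    for node, backdel, archdel in parse_nodes(text):
        if node in window_nodes:
            lines.append(f"update node {node} backdelete=no")
            for tag, value, start in (("ON", "yes", on_at), ("OFF", "no", off_at)):
                lines.append(
                    f"define schedule {node}_BACKDEL_{tag} type=administrative "
                    f'cmd="update node {node} backdelete={value}" '
                    f"active=yes starttime={start} period=1 perunits=days"
                )
        elif backdel or archdel:
            lines.append(f"update node {node} backdelete=no archdelete=no")
    return lines


if __name__ == "__main__":
    print("\n".join(harden_macro(SAMPLE_NODES, {"SQL-TDP01", "ORA-DB01"})))
```

Run the printed lines through `dsmadmc` as a macro after reviewing them; nodes already at BACKDEL=NO ARCHDEL=NO produce no output.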