Roger,
According to my TSM Data Protection for SQL 6.4 manual, servers that run TDP
for SQL require backdelete authority. I don't know how to get around this
problem.
Jim Schneider
-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L AT VM.MARIST DOT EDU] On Behalf Of
Roger Deschner
Sent: Friday, January 30, 2015 7:40 PM
To: ADSM-L AT VM.MARIST DOT EDU
Subject: [ADSM-L] Ransomware deleted TSM backups from node
I'm not sure there's anything that can be done about this, but take it as a
warning anyway.
A Windows 7 desktop node here was attacked by CryptoWare 3.0 ransomware.
They encrypted all files on the node, and left a ransom note.
The node owner called me because they were having trouble restoring their files
from TSM using a point-in-time restore. The files were gone!
Apparently this villain located which backup program was installed, found it
was TSM, and issued actual dsmc delete backup commands, which they were allowed
to do since PASSWORDACCESS GENERATE was in effect. So this attack vector is not
limited to TSM; it would work with any backup program that the villain can
figure out how to use.
I have moved this node to a domain that includes VEREXISTS=NOLIMIT
VERDELETED=NOLIMIT RETEXTRA=NOLIMIT RETONLY=NOLIMIT for that Copy Group, while
our data security people investigate.
I am planning to change all TSM client nodes to BACKDEL=NO ARCHDEL=NO to
prevent a hacker from deleting backups. Anybody got a better idea?
Roger Deschner University of Illinois at Chicago rogerd AT uic DOT edu
=================== ALL YUOR BASE ARE BELONG TO US!! ===================
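As an added example that is not part of this thread: a POSIX shell helper that turns a dsmadmc node listing into the `update node ... backdel=no archdel=no` commands Roger proposes, skipping nodes that need delete authority such as the TDP for SQL nodes Jim mentions. The node names in the skip list and the sample listing are assumed/constructed. Note that BACKDEL=NO only blocks explicit client deletes; a node that can still run backups can push good versions past the copy group's version and retention limits, which is what the NOLIMIT copy group in the thread guards against.

```shell
#!/bin/sh
# Added example, not from the ADSM-L thread. Reads a comma-delimited node
# listing on stdin and prints one "update node" command for every node that
# still allows client-side backup or archive deletion.
#
# Input is the shape returned by a dsmadmc query such as
#   dsmadmc -id=ADMIN -pa=... -dataonly=yes -commadelimited \
#     "select node_name,backdelete,archdelete from nodes"
# i.e. NODE_NAME,BACKDELETE,ARCHDELETE per line, values YES or NO.

# Nodes that must keep delete authority (assumed names: TDP for SQL nodes
# need BACKDELETE=YES to inactivate their old backups; adjust per site).
KEEP_DELETE="SQLSRV01_TDP SQLSRV02_TDP"

# plan_updates: stdin = node listing, stdout = update commands, stderr = skips.
plan_updates() {
    while IFS=, read -r node backdel archdel; do
        [ -z "$node" ] && continue
        skip=0
        for k in $KEEP_DELETE; do
            [ "$k" = "$node" ] && skip=1
        done
        if [ "$skip" -eq 1 ]; then
            echo "# skipping $node: delete authority required by TDP" >&2
            continue
        fi
        if [ "$backdel" = "YES" ] || [ "$archdel" = "YES" ]; then
            echo "update node $node backdel=no archdel=no"
        fi
    done
}

# Constructed sample of dsmadmc output for a stand-alone run.
printf 'WS-ROGER,YES,YES\nFILESRV01,NO,YES\nSQLSRV01_TDP,YES,YES\nDESKTOP42,NO,NO\n' \
    | plan_updates

# To apply for real, save the output as a macro and run it, then verify with
# "query node <name> f=d" (look for "Backup Delete Allowed?: No"):
#   plan_updates < nodes.csv > backdel.mac
#   dsmadmc -id=ADMIN -pa=... macro backdel.mac
```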