Re: [ADSM-L] Ransomware deleted TSM backups from node

2015-02-02 13:46:12
Subject: Re: [ADSM-L] Ransomware deleted TSM backups from node
From: Zoltan Forray <zforray AT VCU DOT EDU>
To: ADSM-L AT VM.MARIST DOT EDU
Date: Mon, 2 Feb 2015 13:44:02 -0500
Same goes for Oracle and Notes backups.  They manage their own backups so
no way to get around this.  Same goes for PASSWORDACCESS GENERATE - AFAIK
can't schedule backups without it....

On Mon, Feb 2, 2015 at 12:44 PM, Schneider, Jim <jschneider AT ussco DOT com>
wrote:

> Roger,
>
> According to my TSM Data Protection for SQL 6.4 manual, servers that run
> TDP for SQL require backdelete authority.  I don't know how to get around
> this problem.
>
> Jim Schneider
>
> -----Original Message-----
> From: ADSM: Dist Stor Manager [mailto:ADSM-L AT VM.MARIST DOT EDU] On Behalf 
> Of
> Roger Deschner
> Sent: Friday, January 30, 2015 7:40 PM
> To: ADSM-L AT VM.MARIST DOT EDU
> Subject: [ADSM-L] Ransomware deleted TSM backups from node
>
> I'm not sure there's anything that can be done about this, but take it as
> a warning anyway.
>
> A Windows 7 desktop node here was attacked by CryptoWare 3.0 ransomware.
> They encrypted all files on the node, and left a ransom note.
>
> The node owner called me because they were having trouble restoring their
> files from TSM using a point-in-time restore. The files were gone!
> Apparently this villain located which backup program was installed, found
> it was TSM, and issued actual dsmc delete backup commands, which they were
> allowed to do since PASSWORDACCESS GENERATE was in effect. So this attack
> vector is not limited to TSM; it would work with any backup program that
> the villain can figure out how to use.
>
> I have moved this node to a domain that includes VEREXISTS=NOLIMIT
> VERDELETED=NOLIMIT RETEXTRA=NOLIMIT RETONLY=NOLIMIT for that Copy Group,
> while our data security people investigate.
>
> I am planning to change all TSM client nodes to BACKDEL=NO ARCHDEL=NO to
> prevent a hacker from deleting backups. Anybody got a better idea?
>
> Roger Deschner      University of Illinois at Chicago     rogerd AT uic DOT 
> edu
> =================== ALL YUOR BASE ARE BELONG TO US!! ===================
>
>



--
*Zoltan Forray*
TSM Software & Hardware Administrator
BigBro / Hobbit / Xymon Administrator
Virginia Commonwealth University
UCC/Office of Technology Services
zforray AT vcu DOT edu - 804-828-4807
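The two controls discussed in this thread, BACKDELETE=NO/ARCHDELETE=NO on the node and a copy group with NOLIMIT retention, as an added example that is not part of the original messages and is not IBM's or the list's code. It assumes the TSM server's NODES view exposes NODE_NAME, BACKDELETE and ARCHDELETE (YES/NO) the way `dsmadmc -dataonly=yes -commadelimited "select node_name,backdelete,archdelete from nodes"` returns them; the query output is replaced here by a constructed sample with hypothetical node names so the script runs offline, and the exemption list, domain, policy set and management class names are placeholders. The exemption list exists because, as Jim and Zoltan note, TDP for SQL, Oracle and Notes nodes manage their own backups and need backdelete authority, so they must be handled separately rather than blindly locked down. The copy-group change is included alongside the node change because BACKDELETE=NO only stops `dsmc delete backup`; a fresh backup of the encrypted files still turns the good versions inactive, and inactive versions expire on the copy group's normal VERDELETED/RETEXTRA schedule unless retention is set to NOLIMIT, which is why Roger moved the node to such a domain.

```shell
#!/bin/sh
# Added example (not from the ADSM-L thread or from IBM). Assumes the TSM NODES
# view exposes NODE_NAME, BACKDELETE and ARCHDELETE as YES/NO, i.e. the output of:
#   dsmadmc -id=admin -pa=... -dataonly=yes -commadelimited \
#     "select node_name,backdelete,archdelete from nodes"
# That query is replaced below by a constructed sample so the script runs offline.

# Constructed sample of the comma-delimited query output (hypothetical node names).
SAMPLE_NODES='WS-DESKTOP01,YES,YES
WS-DESKTOP02,NO,NO
SQL-PROD01_SQL,YES,NO
ORA-ERP01,YES,YES
NOTES-MAIL01,YES,YES'

# Nodes whose data-protection agents manage their own backups and therefore
# need BACKDELETE (TDP for SQL, Oracle, Notes per the thread). Hypothetical names.
EXEMPT_NODES='SQL-PROD01_SQL ORA-ERP01 NOTES-MAIL01'

# is_exempt NODE: succeed if NODE is on the exemption list.
is_exempt() {
    for n in $EXEMPT_NODES; do
        [ "$n" = "$1" ] && return 0
    done
    return 1
}

# audit_nodes: read "NODE,BACKDELETE,ARCHDELETE" lines on stdin and emit one
# UPDATE NODE command per node that still lets its own client delete backups
# or archives and is not exempt. Exempt nodes are flagged on stderr for review.
audit_nodes() {
    while IFS=, read -r node backdel archdel; do
        [ -z "$node" ] && continue
        if is_exempt "$node"; then
            printf 'REVIEW %s keeps BACKDELETE=%s ARCHDELETE=%s (agent-managed backups)\n' \
                "$node" "$backdel" "$archdel" >&2
            continue
        fi
        if [ "$backdel" = "YES" ] || [ "$archdel" = "YES" ]; then
            printf 'UPDATE NODE %s BACKDELETE=NO ARCHDELETE=NO\n' "$node"
        fi
    done
}

# retention_hold DOMAIN POLICYSET MGMTCLASS: emit the admin commands that stop
# inactive backup versions from expiring in the hold domain (names are placeholders).
retention_hold() {
    domain=$1; policyset=$2; mgmtclass=$3
    printf 'UPDATE COPYGROUP %s %s %s TYPE=BACKUP VEREXISTS=NOLIMIT VERDELETED=NOLIMIT RETEXTRA=NOLIMIT RETONLY=NOLIMIT\n' \
        "$domain" "$policyset" "$mgmtclass"
    printf 'VALIDATE POLICYSET %s %s\n' "$domain" "$policyset"
    printf 'ACTIVATE POLICYSET %s %s\n' "$domain" "$policyset"
}

# Run against the constructed sample; for real use, pipe the dsmadmc query
# output into audit_nodes and feed the generated commands back to dsmadmc.
printf '%s\n' "$SAMPLE_NODES" | audit_nodes
retention_hold HOLD_DOMAIN STANDARD STANDARD
```

The generated UPDATE NODE lines can be reviewed and then replayed through `dsmadmc -itemcommit` or a macro; the nodes reported on stderr are the ones where BACKDELETE cannot simply be switched off and where the retention hold, plus tighter control of who can log on to the box where PASSWORDACCESS GENERATE has stored the node password, is the remaining defence.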