ADSM-L

Re: [ADSM-L] Ransomware deleted TSM backups from node

2015-02-02 17:57:57
Subject: Re: [ADSM-L] Ransomware deleted TSM backups from node
From: Marcel Anthonijsz <marcel AT ANTHONIJSZ DOT NET>
To: ADSM-L AT VM.MARIST DOT EDU
Date: Mon, 2 Feb 2015 23:54:18 +0100
You can schedule an admin schedule around the Oracle/Notes backup window to
enable/disable BACKDEL=YES/NO.

It is not an ideal situation, but it decreases the risk. And if you configured
these nodes with specific nodenames (like you should), the malware could not
get to those clients.
Or they would have to scan the host for all available TSM OPT files and act from
those...

2015-02-02 19:44 GMT+01:00 Zoltan Forray <zforray AT vcu DOT edu>:

> Same goes for Oracle and Notes backups.  They manage their own backups so
> no way to get around this.  Same goes for PASSWORDACCESS GENERATE - AFAIK
> can't schedule backups without it....
>
> On Mon, Feb 2, 2015 at 12:44 PM, Schneider, Jim <jschneider AT ussco DOT com>
> wrote:
>
> > Roger,
> >
> > According to my TSM Data Protection for SQL 6.4 manual, servers that run
> > TDP for SQL require backdelete authority.  I don't know how to get around
> > this problem.
> >
> > Jim Schneider
> >
> > -----Original Message-----
> > From: ADSM: Dist Stor Manager [mailto:ADSM-L AT VM.MARIST DOT EDU] On Behalf Of
> > Roger Deschner
> > Sent: Friday, January 30, 2015 7:40 PM
> > To: ADSM-L AT VM.MARIST DOT EDU
> > Subject: [ADSM-L] Ransomware deleted TSM backups from node
> >
> > I'm not sure there's anything that can be done about this, but take it as
> > a warning anyway.
> >
> > A Windows 7 desktop node here was attacked by CryptoWare 3.0 ransomware.
> > They encrypted all files on the node, and left a ransom note.
> >
> > The node owner called me because they were having trouble restoring their
> > files from TSM using a point-in-time restore. The files were gone!
> > Apparently this villain located which backup program was installed, found
> > it was TSM, and issued actual dsmc delete backup commands, which they were
> > allowed to do since PASSWORDACCESS GENERATE was in effect. So this attack
> > vector is not limited to TSM; it would work with any backup program that
> > the villain can figure out how to use.
> >
> > I have moved this node to a domain that includes VEREXISTS=NOLIMIT
> > VERDELETED=NOLIMIT RETEXTRA=NOLIMIT RETONLY=NOLIMIT for that Copy Group,
> > while our data security people investigate.
> >
> > I am planning to change all TSM client nodes to BACKDEL=NO ARCHDEL=NO to
> > prevent a hacker from deleting backups. Anybody got a better idea?
> >
> > Roger Deschner      University of Illinois at Chicago     rogerd AT uic DOT edu
> > =================== ALL YUOR BASE ARE BELONG TO US!! ===================
> >
>
>
>
> --
> *Zoltan Forray*
> TSM Software & Hardware Administrator
> BigBro / Hobbit / Xymon Administrator
> Virginia Commonwealth University
> UCC/Office of Technology Services
> zforray AT vcu DOT edu - 804-828-4807
> Don't be a phishing victim - VCU and other reputable organizations will
> never use email to request that you reply with your password, social
> security number or confidential personal information. For more details
> visit http://infosecurity.vcu.edu/phishing.html
>
--
Kind Regards, Groetje,

Marcel Anthonijsz
T: +31(0)299-776768
M:+31(0)6-53421341
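The two mitigations discussed in this thread, as an added example that is not part of any message above and not IBM's or TSM's own code: an audit of which nodes hold BACKDELETE/ARCHDELETE authority (parsed from a constructed sample of `dsmadmc -dataonly=yes -commadelimited` SELECT output), the `update node ... backdel=no archdel=no` commands Roger plans to issue, and the pair of administrative schedules Marcel suggests that grant BACKDEL only around a TDP node's backup window. All node, domain and schedule names are hypothetical.

```python
"""Audit which TSM nodes hold backup/archive delete authority and build the
two remediations discussed in this thread: BACKDEL=NO/ARCHDEL=NO for ordinary
clients, and a pair of admin schedules that grant BACKDEL only around the
backup window of a TDP (Oracle/Notes) node. The SELECT output below is a
constructed sample, not data from any real server."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample of what `dsmadmc -dataonly=yes -commadelimited` prints for
#   select node_name, domain_name, backdelete, archdelete from nodes
# Node and domain names are hypothetical.
SAMPLE_SELECT_OUTPUT = """\
WKS-0042,DESKTOPS,YES,NO
WKS-0043,DESKTOPS,NO,NO
ORA01_TDP,ORACLE,YES,YES
NOTES01_TDP,NOTES,YES,NO
"""


@dataclass(frozen=True)
class NodeAuth:
    name: str
    domain: str
    backdel: bool
    archdel: bool


def parse_select_output(text: str) -> list:
    """Parse comma-delimited SELECT rows into NodeAuth records."""
    nodes = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, domain, backdel, archdel = (f.strip() for f in line.split(","))
        nodes.append(NodeAuth(name, domain,
                              backdel.upper() == "YES", archdel.upper() == "YES"))
    return nodes


def nodes_with_delete_authority(nodes: list) -> list:
    """Nodes whose client password alone is enough to delete backups or archives,
    i.e. the ones exposed to the attack Roger describes."""
    return [n for n in nodes if n.backdel or n.archdel]


def revoke_commands(nodes: list, exempt: tuple = ()) -> list:
    """UPDATE NODE commands removing delete authority (Roger's plan), skipping
    nodes listed in `exempt` (TDP nodes that need it, per Jim's manual)."""
    return [f"update node {n.name} backdel=no archdel=no"
            for n in nodes_with_delete_authority(nodes) if n.name not in exempt]


def window_schedule_commands(node: str, start_hhmm: str, duration_min: int) -> list:
    """Marcel's idea: grant BACKDEL at the start of the backup window and revoke
    it at the end, via two daily administrative schedules. A window that runs
    past midnight is handled by datetime arithmetic. Schedule names are
    hypothetical."""
    start = datetime.strptime(start_hhmm, "%H:%M")
    end_hhmm = (start + timedelta(minutes=duration_min)).strftime("%H:%M")

    def sched(suffix, when, value):
        return (f"define schedule {node}_BACKDEL_{suffix} type=administrative "
                f"active=yes starttime={when} period=1 perunits=days "
                f'cmd="update node {node} backdel={value}"')

    return [sched("ON", start_hhmm, "yes"), sched("OFF", end_hhmm, "no")]


if __name__ == "__main__":
    nodes = parse_select_output(SAMPLE_SELECT_OUTPUT)
    tdp_nodes = ("ORA01_TDP", "NOTES01_TDP")
    for cmd in revoke_commands(nodes, exempt=tdp_nodes):
        print(cmd)
    for cmd in window_schedule_commands("ORA01_TDP", "22:00", 120):
        print(cmd)
```

The audit step is the part worth running first: it shows exactly which nodes a stolen client password could use to delete data. The schedule pair narrows the TDP exposure to the backup window rather than removing it, which is the trade-off Marcel calls "not ideal"; the copy-group NOLIMIT settings Roger mentions are the complementary control for whatever a deletion still reaches.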