> On 2 Feb 2015, at 18:44, Schneider, Jim <jschneider AT USSCO DOT COM>
> wrote:
>
> Roger,
>
> According to my TSM Data Protection for SQL 6.4 manual, servers that run TDP
> for SQL require backdelete authority. I don't know how to get around this
> problem.
Mitigated by running the file backup and ‘structured data’ backup as separate
nodes so you can at least protect your unstructured data against such
ransomware.
>
> Jim Schneider
>
> -----Original Message-----
> From: ADSM: Dist Stor Manager [mailto:ADSM-L AT VM.MARIST DOT EDU] On Behalf
> Of Roger Deschner
> Sent: Friday, January 30, 2015 7:40 PM
> To: ADSM-L AT VM.MARIST DOT EDU
> Subject: [ADSM-L] Ransomware deleted TSM backups from node
>
> I'm not sure there's anything that can be done about this, but take it as a
> warning anyway.
>
> A Windows 7 desktop node here was attacked by CryptoWare 3.0 ransomware.
> They encrypted all files on the node, and left a ransom note.
>
> The node owner called me because they were having trouble restoring their
> files from TSM using a point-in-time restore. The files were gone!
> Apparently this villain located which backup program was installed, found it
> was TSM, and issued actual dsmc delete backup commands, which they were
> allowed to do since PASSWORDACCESS GENERATE was in effect. So this attack
> vector is not limited to TSM; it would work with any backup program that the
> villain can figure out how to use.
>
> I have moved this node to a domain that includes VEREXISTS=NOLIMIT
> VERDELETED=NOLIMIT RETEXTRA=NOLIMIT RETONLY=NOLIMIT for that Copy Group,
> while our data security people investigate.
>
> I am planning to change all TSM client nodes to BACKDEL=NO ARCHDEL=NO to
> prevent a hacker from deleting backups. Anybody got a better idea?
>
> Roger Deschner University of Illinois at Chicago rogerd AT uic DOT edu
> =================== ALL YUOR BASE ARE BELONG TO US!! ===================
>
--
Met vriendelijke groeten/Kind Regards,
Remco Post
r.post AT plcs DOT nl
+31 6 248 21 622
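The thread's suggested controls (BACKDEL=NO / ARCHDEL=NO on ordinary client nodes, with a separate node for the TDP for SQL workload that genuinely needs backdelete authority) are easy to audit centrally. The script below is an added example, not code from the thread or from IBM; it parses the comma-delimited rows that a `dsmadmc -dataonly=yes -commadelimited "select node_name,backdelete,archdelete from nodes"` query would emit (the rows in `SAMPLE_SELECT_OUTPUT` are constructed), flags file-backup nodes that still hold delete authority, and prints the `update node` commands that revoke it. The `_SQL` naming suffix used to recognise Data Protection for SQL nodes is an assumption; adjust `EXEMPT_PATTERN` to whatever naming convention the site actually uses.

```python
"""Audit TSM node definitions for backup/archive deletion authority.

Added example. Feed it the output of the dsmadmc select query named in
the module comment below; it does not talk to a TSM server itself.
"""
import csv
import io
import re
from dataclasses import dataclass

# Constructed sample of what
#   dsmadmc -dataonly=yes -commadelimited \
#       "select node_name,backdelete,archdelete from nodes"
# returns: one node per line, no header row.
SAMPLE_SELECT_OUTPUT = """\
WS-ROGER01,YES,YES
WS-ROGER01_SQL,YES,NO
FILESRV02,NO,NO
DBHOST03_SQL,YES,YES
"""

# Assumption: TDP for SQL nodes are named with a _SQL suffix. Those nodes
# need backdelete authority, so they are exempt from the finding.
EXEMPT_PATTERN = re.compile(r"_SQL$", re.IGNORECASE)


@dataclass(frozen=True)
class NodeAuth:
    node: str
    backdelete: bool
    archdelete: bool


def parse_nodes(text: str) -> list[NodeAuth]:
    """Parse comma-delimited select output into NodeAuth records."""
    nodes = []
    for fields in csv.reader(io.StringIO(text)):
        if len(fields) != 3:          # skip blank or malformed lines
            continue
        name, backdel, archdel = (f.strip() for f in fields)
        nodes.append(NodeAuth(name,
                              backdel.upper() == "YES",
                              archdel.upper() == "YES"))
    return nodes


def audit(nodes: list[NodeAuth],
          exempt: re.Pattern = EXEMPT_PATTERN) -> list[NodeAuth]:
    """Return non-exempt nodes that can delete their own backups/archives.

    A compromised client with PASSWORDACCESS GENERATE can run
    'dsmc delete backup' only if the server grants BACKDELETE=YES, so
    every such node on a plain file-backup workload is a finding.
    """
    return [n for n in nodes
            if not exempt.search(n.node) and (n.backdelete or n.archdelete)]


def remediation_commands(findings: list[NodeAuth]) -> list[str]:
    """Build the TSM admin commands that revoke the flagged authority."""
    cmds = []
    for n in findings:
        opts = []
        if n.backdelete:
            opts.append("backdel=no")
        if n.archdelete:
            opts.append("archdel=no")
        cmds.append(f"update node {n.node} {' '.join(opts)}")
    return cmds


if __name__ == "__main__":
    found = audit(parse_nodes(SAMPLE_SELECT_OUTPUT))
    for cmd in remediation_commands(found):
        print(cmd)
```

Run against real server output, the printed commands can be reviewed and then pasted into `dsmadmc`; pairing each workstation with its own `_SQL` node (as Remco suggests) keeps the exemption list short and leaves the unstructured file backups out of reach of a client-side delete.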