If I had to guess, Rivendell uses the same user/pass for all SAMBA shares. This 
simplifies administration. All the ransomware would need to do is scan the host 
for shares and attach. 

So, it complicates your administration but there really needs to be a limited 
account for traffic and scheduling that only allows r/w from those shares and 
explicitly denies access to the audio share. 

Just my $0.02.
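One way to express that split in smb.conf, as an added example that is not from the original thread or from the Rivendell project; the share paths other than /var/snd, the `traffic`, `rdimport` and `@rdaudio` account/group names, and the office subnet are assumptions:

```ini
# Added example, not Rivendell's shipped configuration.
# Assumed: a dedicated Unix account "traffic" used only by the traffic and
# scheduling software, log files exchanged under /srv/rd-logs, audio in /var/snd.
[global]
    # Unknown credentials fail instead of being mapped to a guest account
    map to guest = Never
    # Only the office subnet that hosts the traffic machine may reach the shares
    hosts allow = 192.0.2.0/24 127.0.0.1
    hosts deny = ALL
    # Symlinks inside a share cannot point outside that share's path
    follow symlinks = no
    wide links = no
    # No [homes] section on purpose: a writable home directory share would let
    # a caller drop files such as ~/.ssh/authorized_keys

# Log exchange: the traffic account writes logs in and reads aired logs out,
# and that is the only share it is valid on
[rdlogs]
    path = /srv/rd-logs
    valid users = traffic
    read only = no
    force user = traffic
    create mask = 0660
    directory mask = 0770
    browseable = no

# Audio library: the traffic account is denied explicitly ("invalid users"
# takes precedence over "valid users"); the audio group reads, and only the
# ingest account can write
[audio]
    path = /var/snd
    invalid users = traffic
    valid users = @rdaudio
    read only = yes
    write list = rdimport
    browseable = no
```

`testparm -s` validates the file and prints the effective share definitions; from the traffic host, `smbclient //server/audio -U traffic` should be refused with NT_STATUS_ACCESS_DENIED while `//server/rdlogs` connects.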



On 12/14/21, 10:11 AM, "rivendell-dev-boun...@lists.rivendellaudio.org on 
behalf of Rob Landry" <rivendell-dev-boun...@lists.rivendellaudio.org on behalf 
of 41001...@interpring.com> wrote:

    On Fri, 10 Dec 2021, Jake Tremper wrote:

    > 2) Network segregation. An infection on the business side is awful and 
    > hard to recover from. An infection on the business side that jumps and 
    > wipes out the on-air machines is catastrophic. Isolated VLANs, when 
    > implemented properly, help greatly in this area.

    The problem, unfortunately, is that a traffic machine has to be able to 
    write a log file to the automation, and read aired log files from it for 
    electronic reconciliation.

    Traffic machines are typically on the office network, and are used for 
    things like email.

    Music scheduling software typically also runs on an office machine. 
    Programming people are forever getting songs and syndicated shows off the 
    Internet to add to the audio library.

    Both of these are potential malware vectors into an automation system.

    The question is: even if someone exploits Samba to drop something onto a 
    Rivendell machine, it goes into a Samba-writable folder, not /var/snd. How 
    did they leverage that into access to other folders?


    Rob

    --
    Do not think that everything has been sung,
    That all the storms have died away;
    Prepare yourself for a great goal,
    And glory will find you.


    > and, not directly related to this one, but a good concept:
    > 
    > 3) Untested backups are not backups. Test your backups periodically and
    > verify that you can actually recover from them.
    > 
    > On Fri, Dec 10, 2021 at 12:42 PM Tim Camp <t...@dotcom1.net> wrote:
    >       Greetings,
    > This past Sunday morning our four stations had a cyber attack.
    > They gained access through a windows server that we use for traffic
    > and bookkeeping.
    > Through this connection they exploited samba to place ssh keys on many
    > of our linux machines and erased all files on the control room PCs
    > and erased /var/snd on our nfs server.
    > 
    > They encrypted the windows server for ransom and just erased the
    > linux machines they got access to.
    > 
    > Trying to rebuild four radio stations from the ground up.
    > We had backup on several drives but they were on the network so they
    > got them as well.
    > 
    > One issue, if someone can help me with it.
    > I have recompiled rivendell on two control rooms and everything works
    > except no audio and no meters, Carts act like they are playing but no
    > output. I'm sure I have overlooked something, I've been up for days.
    > 
    > Warning to all that Samba is a weak spot.
    > 
    > Tim Camp
    > WZEW-FM
    > Mobile, Al.
    > 
    > _______________________________________________
    > Rivendell-dev mailing list
    > Rivendell-dev@lists.rivendellaudio.org
    > http://caspian.paravelsystems.com/mailman/listinfo/rivendell-dev
