Re: Ransomware deleted TSM backups from node
A good idea but for us, most of our backups/archives on Oracle systems are done manually/system managed, not TSM server scheduled. Plus you have no realistic idea of how long the backup could run. We have Notes backups that run 10 days!

On Mon, Feb 2, 2015 at 5:54 PM, Marcel Anthonijsz mar...@anthonijsz.net wrote:
> [...]

--
*Zoltan Forray*
TSM Software Hardware Administrator
BigBro / Hobbit / Xymon Administrator
Virginia Commonwealth University
UCC/Office of Technology Services
zfor...@vcu.edu - 804-828-4807

Don't be a phishing victim - VCU and other reputable organizations will never use email to request that you reply with your password, social security number or confidential personal information. For more details visit http://infosecurity.vcu.edu/phishing.html
Re: Ransomware deleted TSM backups from node
Can schedule an admin schedule around the Oracle/Notes backup window to enable/disable BACKDEL=YES/NO. It is not an ideal situation, but decreases the risk.

And if you configured these nodes with specific nodenames (like you should) the malware could not get to those clients. Or they should scan the host for all available TSM OPT files and act from these...

2015-02-02 19:44 GMT+01:00 Zoltan Forray zfor...@vcu.edu:
> [...]

--
Kind Regards, Groetje,

Marcel Anthonijsz
T: +31(0)299-776768
M: +31(0)6-53421341
Re: Ransomware deleted TSM backups from node
On 2 Feb 2015, at 18:44, Schneider, Jim jschnei...@ussco.com wrote:

> Roger,
>
> According to my TSM Data Protection for SQL 6.4 manual, servers that run TDP for SQL require backdelete authority. I don't know how to get around this problem.

Mitigated by running the file backup and 'structured data' backup as separate nodes so you can at least protect your unstructured data against such ransomware.

> [...]

--
Met vriendelijke groeten/Kind Regards,

Remco Post
r.p...@plcs.nl
+31 6 248 21 622
Re: Ransomware deleted TSM backups from node
Same goes for Oracle and Notes backups. They manage their own backups so no way to get around this. Same goes for PASSWORDACCESS GENERATE - AFAIK can't schedule backups without it.

On Mon, Feb 2, 2015 at 12:44 PM, Schneider, Jim jschnei...@ussco.com wrote:
> [...]

--
*Zoltan Forray*
TSM Software Hardware Administrator
Virginia Commonwealth University
zfor...@vcu.edu - 804-828-4807
Re: Ransomware deleted TSM backups from node
Roger,

According to my TSM Data Protection for SQL 6.4 manual, servers that run TDP for SQL require backdelete authority. I don't know how to get around this problem.

Jim Schneider

-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Roger Deschner
Sent: Friday, January 30, 2015 7:40 PM
To: ADSM-L@VM.MARIST.EDU
Subject: [ADSM-L] Ransomware deleted TSM backups from node

> [...]

** Information contained in this e-mail message and in any attachments thereto is confidential. If you are not the intended recipient, please destroy this message, delete any copies held on your systems, notify the sender immediately, and refrain from using or disclosing all or any part of its content to any other person.
Re: Ransomware deleted TSM backups from node
On 31 Jan 2015, at 02:40, Roger Deschner rog...@uic.edu wrote:

> I'm not sure there's anything that can be done about this, but take it as a warning anyway.

——8<——

> I am planning to change all TSM client nodes to BACKDEL=NO ARCHDEL=NO to prevent a hacker from deleting backups. Anybody got a better idea?

——8<——

I'm quite sure that this is the reason (among others) why backdel=n is the default. This is also the very first time that I hear that the bad guys are TSM aware...

--
Met vriendelijke groeten/Kind Regards,

Remco Post
r.p...@plcs.nl
+31 6 248 21 622
Ransomware deleted TSM backups from node
I'm not sure there's anything that can be done about this, but take it as a warning anyway.

A Windows 7 desktop node here was attacked by CryptoWare 3.0 ransomware. They encrypted all files on the node, and left a ransom note. The node owner called me because they were having trouble restoring their files from TSM using a point-in-time restore. The files were gone! Apparently this villain located which backup program was installed, found it was TSM, and issued actual dsmc delete backup commands, which they were allowed to do since PASSWORDACCESS GENERATE was in effect. So this attack vector is not limited to TSM; it would work with any backup program that the villain can figure out how to use.

I have moved this node to a domain that includes VEREXISTS=NOLIMIT VERDELETED=NOLIMIT RETEXTRA=NOLIMIT RETONLY=NOLIMIT for that Copy Group, while our data security people investigate. I am planning to change all TSM client nodes to BACKDEL=NO ARCHDEL=NO to prevent a hacker from deleting backups.

Anybody got a better idea?

Roger Deschner
University of Illinois at Chicago
rog...@uic.edu
=== ALL YUOR BASE ARE BELONG TO US!! ===
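Before applying a blanket BACKDEL=NO ARCHDEL=NO, an administrator would want to know which nodes still carry delete authority and which of them are the application nodes (TDP for SQL/Oracle/Notes) that the thread says legitimately need it. The audit below is an added example, not code from the list or from IBM; it assumes the rows come from a dsmadmc select on the NODES table, uses a hypothetical site convention (node names ending in _TDP mark application nodes), and the sample rows are constructed.

```python
"""Audit which TSM nodes can delete their own backups/archives.
Added example for this thread (not list or IBM code). Rows are assumed to come from
dsmadmc -dataonly=yes -tab "select node_name,domain_name,backdelete,archdelete from nodes".
Application nodes (TDP for SQL/Oracle/Notes) are assumed to use a hypothetical
site convention: node names ending in _TDP.
"""
from dataclasses import dataclass

# Constructed sample of the tab-separated dsmadmc output (not real nodes).
SAMPLE = (
    "WS-1234\tDESKTOPS\tYES\tYES\n"
    "WS-5678\tDESKTOPS\tNO\tNO\n"
    "SQL01_TDP\tTDPSQL\tYES\tNO\n"
    "ORA02_TDP\tTDPORA\tYES\tYES\n"
    "FS-HOME\tSERVERS\tYES\tNO\n"
)
APP_NODE_SUFFIXES = ("_TDP",)  # hypothetical site convention


@dataclass(frozen=True)
class Node:
    name: str
    domain: str
    backdel: bool  # BACKDELETE=YES: client may run 'dsmc delete backup'
    archdel: bool  # ARCHDELETE=YES: client may run 'dsmc delete archive'


def parse_tab(text):
    """Parse dsmadmc -tab rows into Node records; blank lines are skipped."""
    nodes = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, domain, bdel, adel = line.split("\t")
        nodes.append(Node(name, domain, bdel.upper() == "YES", adel.upper() == "YES"))
    return nodes


def is_application_node(node):
    """TDP-style nodes legitimately need delete authority (per the TDP manual)."""
    return node.name.upper().endswith(APP_NODE_SUFFIXES)


def at_risk(nodes):
    """File-level nodes whose client (and malware running as it) can delete backups."""
    return [n for n in nodes if (n.backdel or n.archdel) and not is_application_node(n)]


def remediation_commands(nodes):
    """UPDATE NODE commands that strip delete authority from at-risk nodes."""
    return [f"update node {n.name} backdel=no archdel=no" for n in at_risk(nodes)]
```

The application nodes left with BACKDEL=YES are the ones to split off from file-level backups under their own nodenames, as Remco and Marcel suggest, so that a compromised desktop cannot reach them.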