[SecurityRatty] tag: backups

Third-party Exchange Server 2007 backup and restore tools

Thu, 03 Jul 2008 06:12:29 +0000

Streaming and brick-level backups take too long in Exchange Server 2007. Learn about two third-party tools to quickly back up and restore Exchange 2007 data.

Decrypting and Restoring GPcode Encrypted Files

Tue, 01 Jul 2008 04:26:39 +0000

The futile attempt to directly attack the encryption algorithm used by the GPcode ransomware, is prompting Kaspersky Labs to invest in a more pragmatic solutions to the problem, with a new version of the StopGpcode tool released last week. More info :

"It turns out that if a user has files that are encrypted by Gpcode and versions of those same files that are unencrypted, then the pairs of files (the encrypted and corresponding unencrypted file) can be used to restore other files on the victim machine. This is the method that the StopGpcode2 tool uses.

Where can these unencrypted files be found? They may be the result of using PhotoRec. Moreover, these files may be found in a backup storage or on removable media (e.g., the original files of photographs copied to the hard disk of a computer that has been attacked by Gpcode may still be on a camera’s memory card). Unencrypted files may also have been saved somewhere on a network resource (e.g., films or video clips on a public server) that the Gpcode virus has not reached."

As the customer support desk behind GPcode pointed out in an interview, the malware is prone to evolve, and the simplistic file deletion process will be replaced by secure file deletion in order to render all data recovery tols useless, unless of course backups of the affected data are available. They often aren't, and depending on the importance of the files encrypted, the successful ransom is all a matter of the momentum.

"A person, presumably the author of Gpcode, contacted at one of the e-mail addresses left behind by the program stated that future development efforts will likely increase the key size to 4,096 bits, "if AV companies or other (people) crack the current key, but (that's) impossible. The self-proclaimed author, who used the name "Daniel Robertson," also said that other standard techniques to defeat antivirus will be added, including polymorphic encryption, anti-heuristic features and the ability to self propagate, turning the program into a computer virus. It well pays back itself," he said"

There are even more pragmatic approaches to dealing with this problem, next to backups undermining their business model. Try following the virtual money for instance.

Decrease iSeries downtime caused by SAVSYS backup

Wed, 25 Jun 2008 14:17:33 +0000

It is possible to save time on SAVSYS backups on the AS/400. The SAVSYS command requires that your system be in a restrictive state. The only active job in a restrictive state is the system console. IBM has split the SAVSYS command into three parts, the second and third of which can run when the system is fully active.

Alternatives to VCB for VMware backup

Thu, 29 May 2008 10:10:50 +0000

VMware Consolidated Backup (VCB) is an ideal backup method, but only if you have VMware 3.1, shared storage and the required scripts. Learn about alternatives, including block-level incremental backups.

Bankers: Welcome to Our World

Fri, 23 May 2008 21:32:00 +0000

Did you know that readers of this blog had a warning that the world's financial systems were ready to melt down? If you read my July 2007 (one month before the crisis began) post Are the Questions Sound?, you'll remember me disagreeing with a "major Wall Street bank" CISO for calling one of my Three Wise Men (and other security people) "so stupid" for not having the "ﬁve digit accuracy" to assess risk. That degree of arrogance was the warning that the financial sector didn't know what they were talking about.

The next month I posted Economist on the Peril of Models and then Wall Street Clowns and Their Models in September. Now I read a fascinating follow-up in last week's Economist titled Professionally Gloomy. I found these excerpts striking:

[R]isk managers are... aware that they are having to base their decisions on imperfect information. The crisis has underlined not just their importance but also their weaknesses.

Take value-at-risk (VAR), a measure of market risk developed by JPMorgan in the 1980s, which puts a number on the maximum amount of money a bank can expect to lose. VAR is a staple of the risk-management toolkit and is embedded in the new Basel 2 regime on capital adequacy. The trouble is that it is well-nigh useless at predicting catastrophe.

VAR typically estimates how bad things could get using data from the preceding three or four years, so it gets more sanguine the longer things go smoothly. Yet common sense suggests that the risk of a blow-up will increase, not diminish, the farther away one gets from the last one. In other words, VAR is programmed to instil complacency. Moreover, it acts as yet another amplifier when trouble does hit. Episodes of volatility send VAR spiking upwards, which triggers moves to sell, creating further volatility.

The second problem is that VAR captures how bad things can get 99% of the time, but the real trouble is caused by the outlying 1%, the “long tail” of risk. “Risk management is about the stuff you don't know that you don't know,” says Till Guldimann, one of the original architects of VAR. “VAR leads to the illusion that you can quantify all risks and therefore regulate them.” The degree of dislocation in the CDO market has shown how hard it is to quantify risk on these products.

Models still have their place: optimists expect them to be greatly improved now that a big crisis has helpfully provided loads of new data on stressed markets. Even so, there is now likely to be more emphasis on non-statistical ways of thinking about risk. That means being more rigorous about imagining what could go wrong and thinking through the effects...

However, stress-testing has imperfections of its own. For example, it can lead to lots of pointless discussions about the plausibility of particular scenarios. Miles Kennedy of PricewaterhouseCoopers, a consultancy, thinks it is better to start from a given loss ($1 billion, say) and then work backwards to think about what events might lead to that kind of hit.

Nor is stress-testing fail-safe. The unexpected, by definition, cannot be anticipated... (emphasis added)

VAR is one of the measures I am sure the Wall Street clown was invoking while dressing down Dan Geer. Too bad it failed. (If you disagree, read the whole article, and better yet the whole special report... these are just excerpts.)

When the Economist refers to "stress-testing," think "threat modeling," and use the warped sense of that term instead of the better phrase "attack modeling." Picture a room full of people imagining what could happen based on assumptions and fantasy instead of spending the time and resources to gather ground-truth evidence on assets and historical or ongoing attacks. Sound familiar?

The article continues:

Another big challenge for risk managers lies in the treatment of innovative products. New products do not just lack the historic data that feed models. They often also sit outside banks' central risk-management machinery, being run by people on individual spreadsheets until demand for them is proven. That makes it impossible to get an accurate picture of aggregate risk, even if individual risks are being managed well. “We have all the leaves on the tree but not the tree,” is the mournful summary of one risk manager. One solution is to keep new lines of business below certain trading limits until they are fully integrated into the risk system.

Keeping risks to a size that does not inflict intolerable damage if things go awry is another fundamental (some might say banal) lesson...“It is not acceptable [for a division] to have a position that wipes out its own earnings, let alone those of the entire firm.”

However, working out the size of the risks is less easy than it used to be. For one thing, the lines between different types of risk have become hopelessly blurred. Risk-management teams at banks have traditionally been divided into watertight compartments, with some people worrying about credit risk (the chances of default on loans, say), others about market risk (such as sudden price movements) and yet others about operational risks such as IT failures or rogue traders. (emphasis added)

Ok, stick with me here. References to "innovating products" should be easy enough. Think WLANs in the early part of this decade, iPhones now, and so on. Think local groups of users deploying their own gear outside of IT or security influence or knowledge.

For "keeping risks to a size," think about the security principle of isolation. For "the lines between different types of risk," think about unexpected or unplanned interactions between new applications. "I didn't think that opening a hole in our firewall to let DMZ servers do backups would allow an intruder to piggyback on that connection, straight into the internal LAN, compromising our entire firm!"

Finally:

There is an even bigger concern. Everyone is ready to listen to risk managers now, but the message is harder to transmit when the going is good. “Come the next boom we will have traders saying, 'that was eight months ago. Why are you dragging me down with all that?',” sighs one risk chief. To improve risk management through the cycle, deeper change is needed.

Oh, I thought security was a "business enabler" with a "positive ROI." On a directly applicable note, during and right after an incident everyone is very concerned with "security." Eight months later hardly anyone cares.

Bankers, welcome to our world.

SQL Server backups using SAN database snapshots

Thu, 22 May 2008 05:56:18 +0000

Get point-in-time database copies from your storage area network. SAN snapshots allow SQL Server to bypass backups at the operating system level and only take a few seconds – regardless of drive size. In his overview on SAN snapshots for the DBA's tool belt, SQL Server expert Brent Ozar discusses performance impact, filegroup and file layout, replication, transaction logs and snapshots for data warehouses.

Re-enable Exchange Server 2007 remote streaming backups in SP1

Thu, 08 May 2008 05:55:41 +0000

Read about a workaround that edits the Microsoft Exchange Server 2007 registry in Service Pack 1 (SP1) to re-enable remote streaming backups.

Email archiving and e-discovery best practices for Microsoft Exchange

Wed, 23 Apr 2008 07:36:38 +0000

Learn Exchange Server email archiving and e-discovery best practices, including how to implement backups, email retention and archiving strategies.

Reducing the size of network backups in Windows

Wed, 16 Apr 2008 04:57:43 +0000

By excluding network backups of unwanted file types, admins can decrease the amount of space consumed on a network while speeding up the nightly backup process.

RSA Day 2: Wednesday with JJ & the Engima

Sun, 13 Apr 2008 21:35:30 +0000

RSA Conference, San Francisco
Day 2: Wednesday, April 9th

I know, I know- it’s late- but better late than never, right?

I really tried my best to take photos as much as possible. A quick note on the photography- because of the size of the rooms, it didn’t make sense to have the flash on, unfortunately it slowed the shutter speed, making some images blurry (sorry).

So Day 2 already felt like day 5 somehow. I had flown in early to be a tourist for a day or so but caught up with partners and other event-goers early, making it an especially long week. Wednesday was an eventful day. I have a great Sins of Our Fathers session to share with you, a day with the Enigmas, and the Security Bloggers Party.

The highlight of the day’s sessions had to be the ‘Sins of Our Fathers’ breakout with an amazingly hilarious geek-filled panel including Daniel Houser, Ben Jun and Hugh Thompson. (Hugh unquestionably won the Most Entertaining Geek Award for the day). I was tweeting live from the session and took some photos of the interactive polls they intertwined in the discussion. They drew some interesting correlations between current security issues, such as SQL injections an ‘previous sins’, likening it to phone whistling. There were random notes about the inherent security risk of mixing data and coding together. View photos from session.

Then they talked about using good technology in a way that made it vulnerable. Examples, the Enigma code machines from WWII. (It was actually broken by the known plain-text gathered from repetition in contact initiation, and the mis-use of one-time-pads). They drew the line from Enigma to WEP and other algorithms that were okay, but mis-implemented.

There were a variety of other anecdotes, accompanied by audience-wide snickers, snorts and laughter. One story of tape backups, encrypted, with the key dutifully stick-noted to the case. Another of the secretary who type-writered all the 5.25” floppies. The story of the unmanned Predator aircraft flying unattended for about 5 minutes during a PC reboot. They were all tied into the topic nicely, and the guys did an outstanding job interacting and playing off one another.

One a more serious note- well, sorta- Hugh showed a clip from his participation in the documentary “Hacking Democracy” about the lack of security of electronic voting.

Here was something amusing… Their crypto list of
If you hear any of these, RUN!
Cryptography is expensive.
We have this guy that’s reallllly smart…
Wired EQUIVALENT encryption… .
It’s “proprietary” security
It’s revolutionary NEW cryptography technology!
It uses DES- so its FIPS 140 compliant

Some of the sins from the session…
Engineering, Development & Management sins
Using a good technology in a bad implementation
Lack of metrics to indicate misuse
Feature/mission creep - using item A for solution B
Not teaching people how to use security
Teaching them, but teaching bad habits
Normalization of deviancy

I’ve spent long enough on that, there’s plenty more to share, but that session was so good, I thought it deserved some special attention. I did stay for the Cyber Storm II Panel, but that left more than ‘a little’ to be desired. I would have liked more anecdotal stories and a little more personality. The panel participants were knowledgeable, and I’m sure they were doing what they had been told, but it made for a very dry session, little content of interest, and much repetition. There’s a little live Tweeting from that session too.

Playing with the Enigma
At the Sins of Our Fathers sessions, I believe it was Ben that mentioned we had at our disposal not one- but TWO Enigma machines on the expo floor here are RSA. And BOTH were for our playing! They had it set so we could set the key and encode a message at the NSA booth, then take the encrypted message to the Cryptographic Research booth and use that Enigma to decypher the message. HOLY COW!!!!!! If their session hadn’t been so great I would have left right then. The only time I’ve seen these beautiful little pieces of crypto history, they’ve been fully encased in glass, and not for the touching. They actually let you set the rotors and punch the code in yourself so my buddy Eric and I ran right over to take full geek advantage of the situation.

YES, that’s me with an Enigma, and I have more photos of the two Engimas.

The big highlight of the evening? The Security Bloggers Party of course! You get a whole post just for this topic, so stay tuned for that. I didn’t take photos here, because I felt pretty sure someone would be walking around with a camera. I need to find @ajolly (Apneet Jolly) and see if he has any- he’s usually fully equipped with a very nice camera…

# # #