How To Prevent Being Hacked Via Backups?

Popsikle writes "A few days ago one of the Web's largest hosting discussion forums was supposedly hacked via their backup servers. From the story: 'We've since learned that this very deliberate, sophisticated and calculated hack against Web Hosting Talk was carried out by gaining access to our offsite backup servers. From our backup servers, the hacker gained access to the WHT db server. The malicious attacker deleted all backups from the backup servers within the infrastructure before deleting tables from our db server. We were alerted of the db exploitation and quickly shut down the site to prevent further damage.' What sort of security do you put on your backup infrastructure? Looking at your backup solution could you be completely taken down by either someone obtaining a backup or accessing your backup servers? What sort of recommendations does everyone have for this not to happen?"

Easy fix

[bingbong]

Offline and offsite storage (i.e. iron mountain) is a simple (though sometimes costly) way of doing things.

it'll solve this problem quite easily.

Re:Easy fix

[QuantumRiff]

Even easier.. put a external HD with Truecrypt under your bed. Maybe take a second one into the office, Lock it in a drawer, just in case your house burns down..

Every week or so, use 1 to backup. Alternate which one. Add more drives, or more often backups until you get to the point you sleep easy at night.

Re:Easy fix

[tepples]

HDs are NOT backup media.

Please provide a citation that hard disks are noticeably worse than tape, which you appear to otherwise recommend.

Re:Easy fix

[QuantumRiff]

No, they are not, you are correct. In my post, I was assuming that this was a small website or business, not a mission critical company product. I didn't mention software, or tape libraries, or hot backups. I think sometimes its better to have some backups, then none at all. An external drive can be bought for next to nothing.. really, I can get a 500GB HD for about the cost of a couple of tapes, but then I have to buy 2 tape drives (in case one has hardware failure).

Believe me, I could go on about backup windows, media, and techniques, but was hoping by keeping it simple, they would not be overwhelmed. By not being overwhelmed, they might start the process.

Also, by not using a computer based backup, they would not have the same problem as the site mentioned in the linked article, where someone first cracked their backup servers, and deleted their only backups.

Re:Easy fix

[asdfghjklqwertyuiop]

You take your harddrive , I'll take my tape. We'll both drop them from four feet to the floor a couple times and then see which one still works.

...At which point we'll observe that the hard drive failed. Then I'll pull out one of the several other copies of it which I was able to make thanks to the large amount of money I saved by not using tape. We'll finish by making a note not to repeatedly throw backup media on to the floor from four feet and conclude that hard drives are a fine backup medium.

Tachikoma

[Anenome]

Take a lesson from Ghost in the Shell, hire digital Tachikoma to protect you :) Problem solved!

See also: The classic answer to computer problems

[dmomo]

>>What sort of security do you put on your backup infrastructure?

It depends.

I guess it depends how valuable the data is, how current it needs to be. Does it need to be kept secret or simply kept uncorrupted? How fast do you need to access these backups. The harder for you, potentially the more secure.

For starters let's have a copy off-line in a location where the servers are not. Heck, choose another location for more security. I am thinking: A tape and a DVD in a safe with a lock on it. And another somewhere else.

If you really need to keep it safe, commit it all to memory and then shoot yourself in the temple.

Encrypt it

[micksam7]

Encrypt your backups.

Don't let your backup system have access to your main system.

Allow your main system write-only access to your backup system, for the sole purpose of delivering new backups.

eggs in multiple baskets

[jgercken]

1) divide your eggs in at least two baskets, thoughtfully designed to protect their integrity
2) keep your baskets in physically isolated locations
3) take steps to protect your eggs from theft
4) after retrieving your eggs, inspect them for tampering before using them in your souffle
5) purchase insurance for the off chance you get yolk on your face

Why were your backup servers

[Jane+Q.+Public]

accessible in the first place? Somebody in IT was not doing their job.

Re:Why were your backup servers

[CAIMLAS]

There are a couple ways to 'automate' your backups being "offline" but still automated; not perfect, but better than what they apparently had.

Server on the Internet, with a private subnet behind said server where your backup server(s) are. Internal interface on server must have absolutely zero services running, and the connection must not be routable.

However, backup servers also need to be not kept "online" when not backing up. You can:

* Keep them powered off and only power them on (automatically) when you're doing backups (which occur on a schedule from the main server).
* Keep them on, but with the network interface down.
* If the backup servers use external storage but are kept on, have those on a separate power unit that powers up only on schedule as well.

Personally, this sounds like an "inside job": it's malicious and performed with a great deal of knowledge of the operation. That speaks of a disgruntled employee to me, not some kiddie at it for kicks. There are a lot of steps which can be taken, but realistically, you're not going to be able to deal with something like this unless you've got your data backups completely 'unattached'.

Prevention for exploit via backups

[Junior+J.+Junior+III]

Easy, don't do backups! 99% of the world is already way ahead of you on this. Hard drive failure is a myth, anyway.

Re:See also: The classic answer to computer proble

[TheGratefulNet]

If you really need to keep it safe, commit it all to memory and then shoot yourself in the temple.

hey, the guy might NOT be jewish.

did you consider that?

Obvious Oversight by WHT

[Revotron]

There was a very blatant oversight and an unfortunate assumption on the part of WHT and iNET Interactive.

They quite obviously overlooked the fact that the WHT servers (and ONLY the WHT servers) would ever need routine access to the backup servers. Therefore it was an obvious security hole that could have been plugged by restricting traffic through iptables to only iNET-affiliated IPs. Any teleworkers who needed access should simply use a VPN to iNet's offices if they really need access to the backup systems. If under some extreme circumstance (such as the loss of a database) an outside party needs access to the backup servers, the system admin can then add an exception under iptables.

And on that note, the other incredibly thoughtless assumption was that any traffic coming from the backup servers would be approved traffic. So once the attacker gained access to the backup servers, the database servers were one insecure hop away.

I think this proves the following very important points to the entire IT industry:
1) Internal infrastructure should remain just that - internal! Restrictions should always be put in place as to who can (or can't) access a system.
2) No traffic can be guaranteed authorized or authentic. It's one thing to add an SSH keyfile to your home servers, but in an enterprise environment everything must be highly scrutinized. It's no longer a matter of protecting systems from users - it's now a matter of protecting systems from other systems as well.

I was personally affected by the loss of information at WHT and while it's annoying, it's a fact of life and can't be undone. All that's left now is to pick up the pieces, secure the site as best they can and move on with lessons learned.

Re:See also: The classic answer to computer proble

[dmomo]

Well done sir. Either way, it'd be a horrible way to parish.

Re:See also: The classic answer to computer proble

[BluBrick]

I think you need to altar your attitude.

Why were all the backups online?

[pembo13]

I understand why the most recent backup would be online, but I assumed it was standard procedure to have the remaining archive offline.

Why was this possible?

[RAMMS+EIN]

I don't understand. The attackers gained access to the database...through the backup servers? That leaves me with two questions:

1. Why were the backup servers accessible to the attacker?
2. Why was the database accessible from the backup servers?

It seems to me that the only way you need to access the backup servers is through some mechanism that allows you to transfer data to and from them. A single open port, which you need a password (or key) to use seems all that should be exposed. That shouldn't be too hard to secure.

It also seems to me that the backup server has no business accessing the database, and therefore shouldn't be able to access the database.

Unless, of course, the way the system works is that the backup server accesses the production server to retrieve the data from it. That doesn't seem the most obvious design to me, but it would at least explain why the backup server could access the database. Maybe that is a good reason not to design the system that way (on the other hand, it saves complexity on the production server, which is good). At any rate, it doesn't answer the first question, which is why the attackers were able to access the backup server.

My sympathy goes out to the WHT administrators. Good luck on recovering from this and figuring out what went wrong. I hope you will keep us posted, so that we can all learn from this incident.

Re:See also: The classic answer to computer proble

[dougisfunny]

Too soon?

Can I hire him?

Dunno, but our backups are so secure that even the DBAs are usually unable to restore them. We might need this evil hacker to teach them a trick or two.

Re:See also: The classic answer to computer proble

[Sandbags]

First off, lets focus on one thing, if your company is already at a size, complexity, or business need of having backup data electronically replicated offsite (whether this is a true hotsite you're replicating to, or just a method for not rotating tapes through your front door every day), then we're not talking about USB drive data protection schemes here...

OK now, the offsite system should NOT be an administrator access node of your existing backup solution. It should receive replicated data sets and have the ability to operate as a DR server to recover them, but it should be controlled remotely from YOUR site, and should not be able to initiate backups, restores, or make operations changes to another site's DR servers. This is handled by wither firewall rules or user structures.

Second, Physical access at the DR site needs to be as or more strict than at your primary site. If you don;t own the building (or host services through someone like SunGuard) they should have your units in locked racks. Insist that anyone with access has passed Government C2 or higher clearance, and DO NOT give ANYONE outside your organization passwords to those systems.

Next, If the system allows, the user accounts at the hot site should not be the same at any of your other sites.

Next, You STILL NEED TO ARCHIVE DATA, preferably monthly at worst, weekly may be needed depending on your data set size. Replicated systems can corrupt data, and replicated date sets typically only contain your current data set (no rollback copies). Generally, if your replication system is handling moving data automatically, you can leave your local DR copies in your building in a secure area. Daily backups should be archived to local disks so if you have a DR server failue you still have something to recover from (recovery over the WAN is usually not an option). If you have a fire or disasterous event, your offsite systems is your #1 backup, last month/week's archive is your #2.

I've spent a lot of time working with multiple DR companies, and I've supported medium and enterprise class businesses alike (my current employer has 12 mainframes, a couple hundred AIX servers, and over 2000 x86/64 boxes. DR is a BIG thing around here!) Once you enter enterprise class, we're not typically talking "backups" as you know them, more SAN replication and disk write journaling. Recovering 400TB from backups simply isn't an option in a 24-48 hour recovery model! However, if you've got less than 50TB, you can VERY REASONABLY build a great solution out of DPUs (Data Protection Units) made by Unitrends (unitrends.com). They're totally tapeless systems, can share jobs between multiple units at multiple sites, have secure packet level replication technology, and can use 256bit real time encryption as 8GB/minute (per chassis!) with up to 7 concurrent jobs running (per chassis!). a 50TB environment would use 4-8 DPUs (usually departmentalized) conencted to a SAN, and another 1-2 units offsite to handle replication and DR recovery. They also support P2V and V2P recovery and dissimilar recovery. Fully integrated BareMetal backup (they actually invented and patented that one!), and support for 40 operating systems in one multi-site seamless DR solution. You should REALLY look into them. For small sites (less than 1TB data) you can get into one of these units for around $15K with all the bells and whistles (another 10K for replication). There are NO PER CLIENT OR PER AGENT LICENSING FEES, it's ALL inclusive, the only thing you license is storage. Oh, their Data Vault unit can handle up to 40 sites, and each site can be run by a different company with different accounts, and their data can be logically seperated on the vault making it impossible for one customer to interfere with another's data, you can even lock the vault operator out of the solution. This has been validated by the DOD as a secure solution...

Re:See also: The classic answer to computer proble

[complete+loony]

Christ, you guys are merciless. Next you'll be wanting to nail him to a tree or something.

Jesus, I come here for the intellectual discussion. I didn't expect this kind of Spanish Inquisition.