USB keys can carry malware, too.
But more importantly, there's no one here to carry one. They're all working from home.
It sounds like Samba needs to be disabled.

Rob

--
Don't think that every song has been sung, That every storm has died away;
Prepare yourself for a great goal, And glory will find you.

On Tue, 14 Dec 2021, Tim Camp wrote:
Well, according to the forensics that have been done, there is an nmb hack that works with Samba that allows one to use Samba to place an ssh key on the Samba-connected machine and thus gain ssh root access. I found out the computer science dept at the local university even demonstrates how this is done in one of their classes.

I have been advised to use read-only NFS shares for connected Windows boxes for reconciliation, and the safest way to get the traffic and music logs seems to be to carry it down the hall on a USB. :)

The Secret Service cyber attack team that came here hates Windows. If not for the connected Windows box I don't believe they ever would have gotten into the studio side of the network.

Tim
WZEW

On Tue, Dec 14, 2021 at 12:10 PM Rob Landry <41001...@interpring.com> wrote:

On Fri, 10 Dec 2021, Jake Tremper wrote:

> 2) Network segregation. An infection on the business side is awful and
> hard to recover from. An infection on the business side that jumps and
> wipes out the on-air machines is catastrophic. Isolated VLANs, when
> implemented properly, help greatly in this area.

The problem, unfortunately, is that a traffic machine has to be able to write a log file to the automation, and read aired log files from it for electronic reconciliation. Traffic machines are typically on the office network, and are used for things like email.

Music scheduling software typically also runs on an office machine. Programming people are forever getting songs and syndicated shows off the Internet to add to the audio library. Both of these are potential malware vectors into an automation system.

The question is: even if someone exploits Samba to drop something onto a Rivendell machine, it goes into a Samba-writable folder, not /var/snd. How did they leverage that into access to other folders?

Rob

--
Don't think that every song has been sung, That every storm has died away;
Prepare yourself for a great goal, And glory will find you.

> and, not directly related to this one, but a good concept:
>
> 3) Untested backups are not backups. Test your backups periodically and
> verify that you can actually recover from them.
>
> On Fri, Dec 10, 2021 at 12:42 PM Tim Camp <t...@dotcom1.net> wrote:
>
> > Greetings,
> > This past Sunday morning our four stations had a cyber attack.
> > They gained access through a Windows server that we use for traffic
> > and bookkeeping.
> > Through this connection they exploited Samba to place ssh keys on many
> > of our Linux machines and erased all files on the control room PCs
> > and erased /var/snd on our NFS server.
> >
> > They encrypted the Windows server for ransom and just erased the
> > Linux machines they got access to.
> >
> > Trying to rebuild four radio stations from the ground up.
> > We had backup on several drives but they were on the network so they
> > got them as well.
> >
> > One issue if someone can help me with.
> > I have recompiled Rivendell on two control rooms and everything works
> > except no audio and no meters. Carts act like they are playing but no
> > output. I'm sure I have overlooked something, I've been up for days.
> >
> > Warning to all that Samba is a weak spot.
> >
> > Tim Camp
> > WZEW-FM
> > Mobile, AL.
> >
> > _______________________________________________
> > Rivendell-dev mailing list
> > Rivendell-dev@lists.rivendellaudio.org
> > http://caspian.paravelsystems.com/mailman/listinfo/rivendell-dev
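As an added example (not code from this thread, from Rivendell, Samba or OpenSSH), here is a small shell audit that turns Rob's question and the read-only-share advice Tim received into a check an admin can run: it parses an smb.conf for writable shares that expose a home directory, which is where sshd looks for .ssh/authorized_keys by default, and reports whether an sshd_config points AuthorizedKeysFile at a root-owned location outside home. The sample smb.conf, its share names and paths, and the rule for what counts as risky (writable plus a path of /, /home or /root) are constructed assumptions, not facts from the thread.

```shell
#!/bin/sh
# Added example, not code from this thread, Rivendell, Samba or OpenSSH.
# Two checks that look at Rob's question from the defender's side: does any
# Samba-writable share overlap the place sshd reads authorized keys from?
# Assumption (hypothetical, not from the thread): a share is treated as
# key-planting capable when it is writable and its path is "/" or sits
# under /home or /root, because sshd's default AuthorizedKeysFile is
# .ssh/authorized_keys inside the user's home directory.

# Constructed sample smb.conf for demonstration only; not a real station's config.
SAMPLE_SMB_CONF='[global]
   workgroup = STATION
   read only = yes

[traffic]
   comment = log files exchanged with the Windows traffic box
   path = /home/rd/traffic
   read only = no

[logs]
   path = /var/snd/logs
   writable = yes

[audio]
   path = /var/snd
   read only = yes
'

# Print "share path" for every share that is writable and exposes a home
# directory. Reads smb.conf text on stdin. A "read only"/"writable" setting
# in [global] becomes the default for later shares; with nothing set,
# Samba shares default to read only, and so does this check.
audit_smb_conf() {
  awk '
    function flush() {
      if (share == "") return
      if (share == "global") { gdefault = writable; return }
      if (writable != "yes") return
      if (path == "/" || path ~ /^\/home(\/|$)/ || path ~ /^\/root(\/|$)/)
        print share " " path
    }
    BEGIN { gdefault = "no" }
    /^[[:space:]]*\[/ {
      flush()
      share = $0; sub(/^[[:space:]]*\[/, "", share); sub(/\].*$/, "", share)
      path = ""; writable = gdefault
      next
    }
    /^[[:space:]]*path[[:space:]]*=/ {
      path = $0; sub(/^[^=]*=[[:space:]]*/, "", path); sub(/[[:space:]]+$/, "", path)
    }
    /^[[:space:]]*(read only|writable|writeable|write ok)[[:space:]]*=/ {
      key = $0; sub(/[[:space:]]*=.*$/, "", key); sub(/^[[:space:]]+/, "", key)
      val = tolower($0); sub(/^[^=]*=[[:space:]]*/, "", val); sub(/[[:space:]]+$/, "", val)
      if (key == "read only") writable = (val ~ /^(no|false|0)$/) ? "yes" : "no"
      else                    writable = (val ~ /^(yes|true|1)$/) ? "yes" : "no"
    }
    END { flush() }
  '
}

# Report where sshd reads authorized keys from, given sshd_config on stdin:
# "home" when keys live under the user's home directory (sshd's default
# .ssh/authorized_keys, or any path built from %h), "system" when the first
# AuthorizedKeysFile directive points only at absolute paths outside home.
# Match blocks and keyword case are not handled by this simplified check.
authorized_keys_location() {
  awk '
    BEGIN { loc = "home"; seen = 0 }
    /^[[:space:]]*AuthorizedKeysFile[[:space:]]/ && !seen {
      seen = 1; loc = "system"
      for (i = 2; i <= NF; i++) if ($i !~ /^\// || $i ~ /%h/) loc = "home"
    }
    END { print loc }
  '
}

# Usage: run both checks over constructed input.
printf '%s' "$SAMPLE_SMB_CONF" | audit_smb_conf
printf '%s\n' 'AuthorizedKeysFile /etc/ssh/authorized_keys/%u' | authorized_keys_location
```

On the sample configuration the first check flags only the traffic share, because it is writable and lives under /home; the writable logs share under /var/snd is not a place sshd reads keys from. The second check illustrates the sshd side of the same mitigation: when AuthorizedKeysFile names a root-owned directory outside home (the %u token is a standard sshd expansion for the user name), a file dropped into a Samba-writable home directory is never consulted by sshd, which complements the read-only exports Tim was advised to use for the Windows boxes.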