CA BrightStor ARCserve Backup 11.5 remote vulnerability
Note: The earlier post about PoC code was found to be for an older ARCserve vulnerability. We do not know of any PoC code at this point.
-------------------
Jason Lam, jason /at/ networksec.org
Week of Oracle 0-Day
----------------
Jason Lam, jason /at/ networksec.org
Online backup strategy
Availability is one of the three key aspects of information security, and it is also the most often neglected one. To safeguard against data loss due to hard disk crashes, backup is absolutely necessary. The backup idea is simple: make a duplicate copy of the data, store it somewhere safe, and ensure you can access the backup data when you need it. This simple idea is actually difficult to implement: the cost of backup media and equipment, safe transport of the media to the "safe" place, scheduling the backup job regularly, etc. Things are even worse for home and small business users who have limited knowledge and resources. There are quite a few online storage companies marketing their solution as a secure online backup solution. One company even offers 25GB of free storage space for anyone to store their files online.
The online backup vendors all seem to claim that they are very secure and can protect your data properly. A lot of them simply copy your files via an SSL tunnel to their datacenter and store the files as is. Not sure how you like the idea of some other company storing your important (sensitive) files and having access to them. I personally dislike that idea a lot, and I think data should be encrypted before being shipped over to the backup location.
There are some solutions that encrypt the data before shipping it over to the datacenter, making it impossible even for the online storage vendor to read your content (unless the client has been backdoored, that is). While choosing an online backup vendor, be sure to look for encryption capability, and specifically encryption before you send them the data.
Make sure you also periodically check that you can retrieve the data (and decrypt it). For the encryption key, either select something that you can remember really well or keep a copy of the key available somewhere. For the forgetful readers, you might want to consider copying the encryption key onto a USB key drive and putting that in your safety deposit box or another safe location (outside of your primary residence/office).
With the technology available today, backup is really easy and cheap. However, you must do some proper planning to ensure your backup data is safe and sound and, most importantly, available when you need it.
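The two recommendations above (encrypt before the data leaves your machine, and periodically prove you can get it back and decrypt it) in working Go, as an added example that is not from this diary or from any vendor's backup client. It assumes a 32-byte key you generate once and keep a copy of offline, AES-256-GCM as the cipher, and the file name bound as associated data; the function names are my own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// newGCM builds an AES-256-GCM AEAD from the 32-byte backup key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals file contents client-side before upload (output: nonce || ciphertext || tag); the file name is bound as associated data.
func Encrypt(key, plaintext []byte, name string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per backup
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// Restore is the periodic retrieval check: decrypt the stored blob and compare it with the SHA-256 recorded at backup time.
func Restore(key, blob []byte, name string, want [32]byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("stored blob is truncated")
	}
	pt, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], []byte(name))
	if err != nil {
		return nil, errors.New("decryption failed: wrong key, wrong file name or tampered blob")
	}
	if sha256.Sum256(pt) != want {
		return nil, errors.New("restored data does not match the recorded checksum")
	}
	return pt, nil
}
```

Run Restore against a copy fetched from the provider on a schedule; the GCM tag catches a wrong key or a modified blob, and the recorded checksum catches a stale or wrong-version copy.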
You might also want to review our previous stories about backup:
http://isc.sans.org/diary.php?storyid=1589
http://isc.sans.org/diary.php?storyid=702
-------------------
Jason Lam, jason /at/ networksec.org