
    Hello all,

     I've been getting a lot of inquiries about Win2012 support in BE. Please visit the Beta blog for more information: 

    It will provide the most up-to-date information.





    With the new year upon us, time for Arellia’s 2012 analysis of Microsoft vulnerabilities and those with privilege exploitation:

    Bulletins                                          83
    Vulnerabilities                                    172
    Bulletins with Privilege Exploitations             40
    Vulnerabilities with Privilege Exploitations       87
    % of Bulletins with Privilege Exploitation         48.2%
    % of Vulnerabilities with Privilege Exploitation   50.6%

    As a refresher from the Introduction on Privilege Exploitation: privilege exploitation is where malicious software takes advantage of the rights of the logged-in user to change the configuration of the local computer. A further breakdown of the vulnerabilities with privilege exploitation by Microsoft software component is as follows:

    Software               Vulnerabilities   Bulletins
    Internet Explorer 9    25                7
    Internet Explorer 6    20                5
    Internet Explorer 7    20                5
    Internet Explorer 8    20                5
    Office                 17                10
    Windows Server 2008    13                12
    Windows XP             12                11
    Windows Vista          12                11
    Windows 7              12                11
    Windows Server 2003    12                11
    Visio                  7                 3
    Excel                  4                 1

    It’s no surprise to anyone in the security industry that out of all the Microsoft products, Internet Explorer had the most vulnerabilities with privilege exploitation in 2012. Internet Explorer is constantly under attack by hackers because exploiting Internet Explorer is easier than exploiting other Windows vulnerabilities. Internet Explorer is easier to exploit because most attacks can be driven by a malicious website or webpage, instead of executing a malicious file on the computer.

    It’s also no surprise that Office takes second place for most vulnerabilities with privilege exploitation in 2012. In the workplace environment, an exploit on Office products can be just as easily executed as Internet Explorer vulnerabilities because of the high use of Office documents. Application privilege management can mitigate Microsoft Office vulnerabilities by preventing Office applications from accessing or making changes to system settings.

    Privilege management can be implemented in one of two ways. First, one could move users from administrator accounts to standard user accounts. This can create some additional challenges around applications that require administrator rights – a challenge that can be addressed with privilege elevation using software such as Arellia Application Control Solution. The second and better option and one that is much easier to implement on any user is to remove privileges from commonly exploited applications as was illustrated in Zero Day Vulnerability Protection with Privilege Management.

    Arellia Application Control Solution and Local Security Solution provide application privilege management and user privilege management for securing Microsoft applications against privilege exploitation. Use these as an additional line of defense against common exploits.

    About Arellia: Arellia provides solutions for privilege management, application whitelisting, securing local administrator accounts, and compliance remediation. Arellia products are integrated with the Symantec Management Platform and sold through Symantec.


    Mobility is arriving at a plateau. The very fact that the iPhone 5 was met with more of a mixed reaction than previous iterations is testament to the fact that it is not enough for a device to simply be a smartphone. Indeed, it is ironic that most of the criticisms stemmed from its absence of ‘innovative’ features – NFC communications, for example.

    No doubt the debate will rage on about who has stolen what feature from whom. Behind the rhetoric however is a fundamental point – that advanced mobile devices have arrived, in all shapes and sizes. Until the next major innovation in form factors, the hardware conversation is largely complete. It’s not just Apple – Samsung, Microsoft and all other players are in the same boat.

    Almost inevitably, attention moves away from the platform to the applications, as the opportunity to innovate and differentiate moves up the stack. We’re not seeing any loss of appetite here, nor a slow-down in new app releases. Indeed, the model is totally different: rather than leaving innovation with a small number of very large companies, the app landscape is far more diverse and dynamic.

    As attention moves from hardware to software, so do the challenges of management and security. We know from Symantec’s recent Global State of Mobility survey that 71% of organisations are now looking at custom applications for themselves. Couple this with outside forces, such as the quite natural desire for an employee to hunt out and download an app, and the end result is a whole set of new challenges – from increased help desk calls to the occasional loss of data.

    It’s perhaps unsurprising, then, that management and security features are also moving from the device to software. What we know of as Mobile Device Management is now largely commoditized through the standardization efforts of industry organisations such as the Open Mobile Alliance. Attention is shifting to the applications, through initiatives around (the inevitably named) Mobile Application Management, which focuses more on individual applications and the data they control.

    Used right, mobile technologies make us more effective in our working lives and nobody would want to put a restriction on innovation, which is the life blood of business. But even as the curve starts to level off in terms of mobile hardware, the momentum in applications shows no signs of dissipating. This is not a problem in itself, as long as IT decision makers recognize it and put enabling strategies and indeed, tools for management and security in place early on. Otherwise, they could be faced with all of the cost and none of the benefit, to the advantage of nobody.



    Join hashtag #MailSec and learn more about the dangers of targeted email attacks and how to prevent them.

    Takedowns of large botnet rings in recent years have caused spam numbers to plummet. However, the drop in spam doesn’t make spammers any less dangerous. Spammers have now turned to targeted attacks to reach their victims. As targeted attacks and malware continue to expand and grow in number, and data breaches continue to rise, users and businesses of all sizes need to be aware of what to look out for, and how to protect proprietary information. No business is too big or too small to be a target.

    Please join Symantec’s email security experts Ian McShane (@ianmcshane), Paul Murray (@paulsmurray), Matt Cooke (@mattcooke), Paul Wood (@paulowoody)  and Eric Schwake (@lombar77) next Thursday, January 10 at 11 am ET, to discuss targeted attacks and what can be done to prevent them from harming you or your business.  
    Look forward to chatting!
    Ian McShane -  Senior Manager, Product Management
    Leads the product strategy and delivery of messaging, storage and cloud service security products at Symantec.
    Paul Murray - Director, Product Management
    Leads global product development efforts for Symantec’s .cloud hosted cloud security services.
    Matt Cooke, CISSP -  Senior Product Marketing Manager
    Product evangelist and global marketing manager for Symantec’s .cloud hosted email, web and IM security offerings.
    Paul Wood - Cyber Security Intelligence Manager
    Acts as the intrinsic link between the technical teams and external audiences through his articulation of threat data analysis via monthly Symantec Intelligence reports. 
    Eric Schwake, CISSP - Product Marketing Manager
    Manages marketing for Symantec Messaging Gateway, Symantec Web Gateway and associated solutions.
    Twitter Chat: Targeted Email Attacks #MailSec
    Date: Thursday, January 10, 2012
    Time: 11 a.m. ET
    Length: 1 hour
    Where: Twitter – follow the hashtag #MailSec
    Moderator: Symantec’s Ian McShane, @ianmcshane




    In our recent blogs about the latest Internet Explorer zero-day vulnerability, we explained what watering hole attacks are and referenced our research paper about the Elderwood Project. The paper highlights a string of watering hole attacks by the Elderwood group. After revisiting those previous attacks, we have been able to confirm that this latest Internet Explorer zero-day is a continuation of the Elderwood Project.

    Related Elderwood zero-day vulnerabilities

    The following are the vulnerabilities produced by the Elderwood group that are directly related to the most recent Internet Explorer zero-day.

    Vulnerability                                                                                   Date
    Microsoft Internet Explorer CVE-2012-1875 Same ID Property Remote Code Execution Vulnerability  May 2012
    Microsoft XML Core Services CVE-2012-1889 Remote Code Execution Vulnerability                    Jun 2012
    Microsoft Internet Explorer Image Arrays Use-After-Free Remote Code Execution Vulnerability      Sep 2012
    Microsoft Internet Explorer 'CDwnBindInfo' Use-After-Free Remote Code Execution Vulnerability   Dec 2012

    Table 1. Vulnerabilities produced by the Elderwood group

    In May 2012, Amnesty International’s Hong Kong website was compromised and used to serve up a malicious SWF file that exploited CVE-2012-1875. In September 2012, the same group was responsible for CVE-2012-4969. In addition, late last month the website for a US-based think tank was compromised to serve up CVE-2012-4792. But that wasn’t the only site serving this vulnerability.

    Security Researcher Eric Romang wrote about another website that was found to be hosting the latest Internet Explorer zero-day. In his post, he also ties the same website to another zero-day vulnerability, CVE-2012-4969, back in September. Our own research has come to the same conclusion and we can add that this website was compromised to serve CVE-2012-1889 back in June with a file called movie.swf. The file, movie.swf, is associated with the Elderwood Project.

    Figure 1. Three zero-day vulnerabilities hosted on a single site

    Shockwave files

    We have analyzed a sampling of the SWF files that were used in the Elderwood watering hole attacks and found that the Flash exploit author included symbols in some of the attacks.

    Common symbols

    Table 2. Symbols included in attacks

    Figure 2. Comparison of symbols used in the decompiled ActionScript

    As noted in Figure 2, all the samples we identified include a function named HeapSpary. HeapSpary is a clear mistyping of Heap Spray, a common attack step used in vulnerability exploitation. In addition to this commonality, there are many other symbols in common between the files. Examples include Geoffrey.swf and Moh2010.swf both using variables named URL_Addr and Flahs_Version (mistyping of Flash_Version), as well as all three exploit files using the variable name OS_Version.

    We were unable to recover the symbols of movie.swf for comparison, but movie.swf is tied directly to Moh2010.swf by the packer registrant information for the SWF files. Additionally, movie.swf and Moh2010.swf share similar structure and shellcode.
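    The comparison described above (shared identifiers across decompiled samples, including the shared typos) is a simple attribution check that is easy to automate. The following PowerShell is an added example, not code from the original post: it extracts identifier names from decompiled ActionScript text and reports which symbols appear in more than one sample. The three snippets are constructed to mirror the overlaps the post describes (the two named files plus a placeholder third sample); they are not the real decompiled files.

```powershell
# ActionScript keywords and built-in type names to ignore when collecting identifiers
$keywords = @('function','var','return','new','this','if','else','for','while',
              'import','package','public','private','class','String','int','uint',
              'Number','Boolean','void','true','false','null')

# Collect the unique identifiers used in one decompiled sample
function Get-ActionScriptSymbols {
    param([string]$Text)
    $names = [regex]::Matches($Text, '\b[A-Za-z_][A-Za-z0-9_]*\b') | ForEach-Object { $_.Value }
    $names | Where-Object { $keywords -notcontains $_ } | Sort-Object -Unique
}

# Build a symbol -> samples index and return every symbol shared by two or more samples
function Get-SharedSymbols {
    param([hashtable]$Samples)   # sample name -> decompiled ActionScript text
    $index = @{}
    foreach ($name in $Samples.Keys) {
        foreach ($sym in Get-ActionScriptSymbols -Text $Samples[$name]) {
            if (-not $index.ContainsKey($sym)) { $index[$sym] = @() }
            $index[$sym] += $name
        }
    }
    $index.GetEnumerator() |
        Where-Object { $_.Value.Count -ge 2 } |
        ForEach-Object {
            [pscustomobject]@{
                Symbol   = $_.Key
                SharedBy = $_.Value.Count
                Samples  = (($_.Value | Sort-Object) -join ', ')
            }
        } | Sort-Object -Property SharedBy, Symbol -Descending
}

# Constructed snippets standing in for decompiled output (not the real files)
$samples = @{
    'Geoffrey.swf'     = 'var URL_Addr:String; var Flahs_Version:String; var OS_Version:String; function HeapSpary():void {}'
    'Moh2010.swf'      = 'var URL_Addr:String; var Flahs_Version:String; var OS_Version:String; function HeapSpary():void {}'
    'third_sample.swf' = 'var OS_Version:String; function HeapSpary():void {} var payloadOffset:uint;'   # placeholder name
}
Get-SharedSymbols -Samples $samples | Format-Table -AutoSize
```

    With the constructed input, HeapSpary and OS_Version are reported as shared by all three samples and URL_Addr and Flahs_Version by the two named files, which is exactly the overlap the post uses to tie the files together. Run against real decompiler output, misspelled identifiers such as HeapSpary or Flahs_Version are the most telling matches, since they are unlikely to recur by coincidence.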

    AlienVault Labs has previously published some great research investigating the authors behind the Moh2010.swf attacks – the attackers believed to be behind the latest attack.

    It has become clear that the group behind the Elderwood Project continues to produce new zero-day vulnerabilities for use in watering hole attacks and we expect them to continue to do so in the New Year.


    Hello all

    I am making a blog post after a long time but now onwards I will be regular!

    We keep getting queries on best practices/ways to protect Hyper-V VMs with SSR, so here is some useful information.

    Two different Methods/strategies could be employed to protect virtual machines on Windows Server with Hyper-V role enabled environment:


    Method 1: Host level backup

    [Please note that for the backups to be crash-consistent snapshots, Integration Services should be installed in the guest machine.]

    1. Install Symantec System Recovery on the Windows Server with the Hyper-V role enabled.
    2. Take a host backup. During the backup, select the OS volume and all related drives. If the OS volume and the related drives are not backed up, the user will not be able to restore.

    As shown in the screenshot below, all drives will be listed as related drives when the Hyper-V role is enabled.

    In case of disaster, the user will need to boot into the SRD and restore the setup from the backup taken earlier. The OS volume and all the drives will need to be restored.

    Please note that with the host-level backup method you won’t have granular restore functionality from inside the guests. To have granular restore functionality inside the guests, SSR needs to be installed in the guest VM.

    However, users may just want to restore specific VMs and avoid restoring the complete setup, which makes backups and restores faster. In such cases, use Method 2 and back up the individual VMs.


    Method 2: VM level backup:

    1. If you want to back up a specific VM, install SSR on that virtual machine and take backups there.
    2. This way, in case of VM failure, the VM backup can be used to restore the virtual machine.
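    Two things are easy to get wrong with Method 1: missing a drive that holds VM files (so the restore is incomplete) and taking the backup while the guest's backup integration service is missing or disabled (so the guest is not crash-consistent). The PowerShell below is an added example, not code from the original post or from SSR: it uses the standard Hyper-V module (Windows Server 2012 and later) to list the drive letters holding VM configuration files and virtual hard disks, and to report the state of the backup integration service in each guest. It assumes VM files are on local drive letters; UNC paths are skipped.

```powershell
Import-Module Hyper-V

# Drive letters holding VM configuration files or virtual hard disks. These are the
# "related drives" that must be selected along with the OS volume in a host backup.
function Get-VMRelatedDrives {
    $paths = foreach ($vm in Get-VM) {
        $vm.ConfigurationLocation
        foreach ($disk in Get-VMHardDiskDrive -VMName $vm.Name) { $disk.Path }
    }
    $paths |
        Where-Object { $_ -match '^[A-Za-z]:' } |              # local drive letters only
        ForEach-Object { Split-Path -Path $_ -Qualifier } |
        Sort-Object -Unique
}

# Per-VM state of the backup (VSS) integration service that the note under
# Method 1 requires inside each guest.
function Get-VMBackupIntegrationStatus {
    foreach ($vm in Get-VM) {
        $svc = Get-VMIntegrationService -VMName $vm.Name |
               Where-Object { $_.Name -like 'Backup*' }
        [pscustomobject]@{
            VMName  = $vm.Name
            State   = $vm.State
            Enabled = [bool]$svc.Enabled
            Status  = $svc.PrimaryStatusDescription   # e.g. 'OK' or 'No Contact' (guest lacks Integration Services)
        }
    }
}

Write-Host 'Drives to select together with the OS volume in the host-level backup:'
Get-VMRelatedDrives
Write-Host 'Backup integration service per guest:'
Get-VMBackupIntegrationStatus | Format-Table -AutoSize
```

    A guest reporting a status other than OK, or Enabled set to False, needs Integration Services installed (or the service enabled with Enable-VMIntegrationService) before the host backup is worth relying on for that VM.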


    Thanks and regards



    Happy New Year, Partners! Here's a fresh opportunity to recommit yourself and/or your company to efforts on social channels. And if there’s one place your company should have a social presence, it’s on LinkedIn. This channel keeps it strictly business…no pictures of what your colleague had for breakfast or their kid’s first birthday party (not that I'm against eating or celebrating!).

    Chances are you already have a personal LinkedIn account – along with 175 million other users on the site. This week, I’ll share three easy, no-cost steps to help increase your company’s visibility on the site.

    1. Create or update the LinkedIn page for your company.
    If you don’t yet have a LinkedIn page for your company, create one – it doesn’t take that long and provides free online real estate for your company where others who are like-minded are already networking.

    Or if you have a company page and haven’t reviewed it in a while, take a few moments to look at it and update any old information. What a great New Year’s resolution!

    Your company page is your central hub on LinkedIn, so be sure to:

    • Write an informative and compelling description
    • Add keywords within the specialty section
    • Pick your industry
    • List your location
    • Link to your RSS feeds if applicable

    2. Be creative in how you highlight your company’s products and opportunities.
    At the top of your company’s page, there are tabs for Careers, Products and Insights. On the products tab, the information doesn’t have to be strictly product related. You can highlight a free trial of your product or service, or a whitepaper download for example. Be imaginative! This can really drive the conversion rate on your page as well.

    3. Update your company’s status regularly with interesting updates.
    For those that follow your company and use LinkedIn regularly, this is a great way of giving them the freshest information possible. When you provide updates, they’ll appear in your follower’s feed and provide exposure to any number of your initiatives, like:

    • Holding a contest
    • Hosting a webcast
    • Sharing data that’s valuable to your audience

    Obviously, there are more options to each of the steps I’ve covered above, and our team is just getting started on our own Symantec Partners company page (which you can find here). Hopefully this gives you some ideas on how you can reinvigorate your social efforts this New Year, and as time goes on, I'll continue to share tips and hints for how you can take your LinkedIn presence to the next level.

    A question for you – does your company use LinkedIn today? If so, what valuable tip would you recommend?


    Next week: Google+…how is it different from the other social channels? Why should I care?

    Join Symantec and Your Fellow Symantec Partners on LinkedIn
    Join Symantec and your fellow partners in the LinkedIn Symantec Partners group for partner updates and engaging exchanges on being a Symantec partner. And follow the Symantec Partners page for industry trends news, Symantec reports and whitepapers and more.


    Also in this series:

    What’s all the fuss about? Why social media participation is important for your business.

    Social Networking Platforms Part 1

    Social Networking Platforms Part 2

    Insights: Facebook’s built-in analytics

    More tools for monitoring and measuring social media success


    Did you miss the webcast, "Manage Unstructured Data with Symantec Data Insight for NetApp Storage Systems," last month with guest speaker, Sharyathi Nagesh, NetApp Technical Marketing Engineer? Listen to the recording and learn how Symantec Data Insight, jointly developed with NetApp and integrated with NetApp storage systems, can help organizations improve data governance through data owner identification and visibility into data usage and access permissions.



    It has been a busy end of 2012 indeed. Last November and December, a few of my colleagues and I represented the Storage and Availability Management team at the back-to-back NetApp Insight conferences in Las Vegas, Dublin and Macau. At this technically-oriented conference, we promoted our latest product partnership with NetApp, specifically for:

    (1) Dynamic Multi-Pathing for VMware (vDMP) - provides performance, availability and visibility for block-attached storage for VMware ESX.

    (2) Symantec Data Insight - helps customers improve data governance through data owner identification and visibility into data usage and access permissions.

    Through conversations with NetApp's partners and product management employees from around the world, it is evident that there is a big opportunity for vDMP and Data Insight integrated with NetApp storage systems. For more information on Symantec and NetApp's partnership and latest joint solutions, log on to our partner portal,

  • 01/06/13--04:58: 2013 - A Look Forward

    I was thinking the other day, whilst waiting for Santa Claus, of all the things that I'd like to see or do in 2013.  The main things are:


    • The next Enterprise Vault 10.0.3 Service Pack - there are some little hints here and there on the Symantec Connect Forums of what it might contain, and I hope it is as good as it 'sounds' from the things that have been written.
    • More work from awesome companies like QUADROtech and Adept-tec and others.
    • BBQ's on the beach (and I've purchased a handful of disposable BBQ's to try out :))
    • More happiness


    The last one is something that I don't often write about.  I'll mention it briefly now, seeing as I have added it to the list.  For the last few winters I think I have suffered from Seasonal Depression.  Each Winter I get depressed, and it lasts for months.  I also get headaches, probably due in part to not having the window open whilst I am sleeping.


    All these have changed, and pretty much cleared up.  Yes, it's this year's magical move to Bude, in North Cornwall, which has 'fixed' all the problems.  Of course I still get occasional days of gloom, much like everyone does, I imagine.  But now they are days, not weeks or months.  The move to Bude was definitely the way forward.  There are some bad side-effects but I'm working on those.


    After verifying backups by restoring files to an alternate location, it sometimes happens that the restored files cannot be removed because of the error 'You require permission from TrustedInstaller to make changes to this file', as shown in Figure 1. This most often happens when restoring system or program files. The owner of the unremovable files is the TrustedInstaller user, and only this user has the Full Control right.

    Figure 1 File Access Denied

    Figure 2 Owner of unremovable files

    Figure 3 Permissions of unremovable files

    We can remove the files by changing the owner and permissions of the unremovable files. Here is an example of removing System State files restored to C:\restore (see HOWTO36039 for how to restore System State to an alternate location).

    Step 1 - Open the Security tab in the properties window

    Figure 4 Select the folder where the System State files are restored

    Figure 5 Click the Advanced button in the Security tab

    Step 2 - Change the owner of files and subfolders

    Figure 6 Click the Edit button in the Owner tab

    Figure 7 Check 'Replace owner on subcontainers and objects'

    Step 3 - Change permissions of files and subfolders

    Figure 8 Click the Change permissions button

    Figure 9 Check 'Replace all child object permissions ...'

    Step 4 - Remove restored files

    Figure 10 Delete folder

    Figure 11 Delete system files

    Figure 12 Completed!!
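    The same four steps can be done from an elevated PowerShell prompt with the built-in takeown and icacls tools, which is handy when the restore folder holds thousands of files. The function below is an added example, not from the original post; $RestoreRoot is assumed to be the alternate-location folder used for the System State restore (C:\restore above). It changes ownership and permissions only under that folder and refuses to run against the system drive or %SystemRoot%, so the live Windows installation's TrustedInstaller protections are left alone.

```powershell
function Remove-RestoredSystemFiles {
    param([Parameter(Mandatory=$true)][string]$RestoreRoot)

    if (-not (Test-Path -LiteralPath $RestoreRoot)) { throw "Folder not found: $RestoreRoot" }
    $resolved = (Resolve-Path -LiteralPath $RestoreRoot).Path.TrimEnd('\')

    # Safety check: never apply this to the system drive root or the Windows directory itself.
    $protected = @($env:SystemDrive, $env:SystemRoot.TrimEnd('\'))
    if ($protected -contains $resolved) { throw "Refusing to operate on $resolved" }

    # Step 2: take ownership of the folder and everything below it for the Administrators
    # group (GUI equivalent: Owner tab, 'Replace owner on subcontainers and objects').
    takeown /F $resolved /R /A /D Y | Out-Null

    # Step 3: grant Administrators Full Control on every child object
    # (GUI equivalent: 'Replace all child object permissions').
    icacls $resolved /grant 'Administrators:(OI)(CI)F' /T /C | Out-Null

    # Step 4: remove the restored files and report whether the folder is gone.
    Remove-Item -LiteralPath $resolved -Recurse -Force
    return (-not (Test-Path -LiteralPath $resolved))
}

# Usage, matching the example in the post:
# Remove-RestoredSystemFiles -RestoreRoot 'C:\restore'
```

    takeown /A assigns ownership to the Administrators group rather than the current user, and /D Y answers the prompt that appears for folders the account cannot list; icacls /T recurses and /C keeps going past individual errors. Review the value passed as $RestoreRoot before running, because the function deletes the entire tree.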




    Multiple reports have been received that a new zero-day vulnerability in Internet Explorer is being exploited. According to the initial reports, the website used in this attack belonged to a US-based think tank. The site is believed to have been compromised as part of a so-called "watering hole" attack and used to exploit the zero-day vulnerability, and the attack dates back to December 21.
    A Flash file named today.swf was used to trigger the Internet Explorer vulnerability. This Flash file is detected as Trojan.Swifi, and customers using Symantec products have been protected since December 21. Further details and analysis results will be available shortly.
    Symantec has been closely investigating "watering hole" attacks since 2009. The findings of this research and analysis are summarized in the white paper "The Elderwood Project" (English), published in September 2012.
    * To subscribe to the RSS feed of the Japanese-language Security Response blog, please go to:


    In our previous blog post, we reported that a new zero-day vulnerability in Internet Explorer was being actively exploited. Microsoft has since published Security Advisory 2794220, confirming that the Microsoft Internet Explorer 'CDwnBindInfo' Use-After-Free Remote Code Execution Vulnerability (CVE-2012-4792) is a zero-day vulnerability and that Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 are affected.

    The following Q&A outlines "watering hole" attacks, the Internet Explorer zero-day vulnerability, and the protection Symantec provides.


    A "watering hole" attack is a technique that targets sites the intended victims are likely to visit. The attacker compromises the chosen site and injects JavaScript or HTML that redirects targeted users to further malicious code. The compromised site then waits for users to visit and infects them through a drive-by download.

    Figure 1. "Watering hole" attack

    Symantec has published its research into "watering hole" attacks ("The Elderwood Project" (English)), detailing their targets, their growing trend, and the attack platforms observed since 2009.


    The current zero-day attack against Internet Explorer compromised the website of a US-based think tank. When a targeted user visits the site, JavaScript is executed and, after performing a number of checks, the browser is exploited.

    First, it checks whether the browser visiting the page is Internet Explorer 8. Next, it checks whether Flash is installed, and finally it examines the system language (specifically, it looks for Chinese, Taiwanese Chinese, US English, Russian, Japanese and Korean). If any of these checks fails, the victim is redirected to an empty page. If all of the checks pass, the attack proceeds and a cookie is loaded to mark that the system has been compromised. If the victim visits the page again within seven days of being compromised, they are redirected to an empty page.

    Next, an additional check is performed to determine the installed Java version. It looks for Java version 6 and, if found, loads a Flash object using a CLSID. The malicious Shockwave Flash file loaded here (today.swf) has the ability to perform a heap spray. An iFrame linking to a page named news.html is also created, and this contains the exploit code for Internet Explorer 8.

    The exploit code targets users running Windows 7 and Windows XP. The Flash object contains ActionScript code that builds the shellcode based on the operating system version and the installed language pack. The ActionScript creates specific shellcode according to the detected Windows version; for Windows 7 it builds the shellcode using Return-Oriented Programming (a ROP chain).

    Figure 2. Steps of the "watering hole" attack


    While the browser is being exploited through the news.html iFrame, the original compromised page issues a GET request that downloads the file xsainfo.jpg and saves it to Internet Explorer's Temporary Internet Files folder. This file is an encoded DLL binary and is the payload of the attack.

    The loaded Flash object performs a heap spray to inject the shellcode, which then locates the xsainfo.jpg file, decodes it, and saves it as %Temp%/flowertep.jpg.

    A request is then sent for the robots.txt file, which is de-obfuscated and used to load the malicious payload (flowertep.jpg). The technique used at this point bypasses DEP and ASLR on Windows 7.



    According to Microsoft, the vulnerability exists in the way Internet Explorer accesses an object in memory that has been deleted or was not properly allocated. The resulting memory corruption allows an attacker to execute arbitrary code. This is known as a use-after-free vulnerability.

    At this time, Symantec has no further information about the vulnerability that can be made public. Microsoft is currently working hard on releasing a full security update.


    As mentioned above, the xsainfo.jpg file contains the encrypted final payload, and the flowertep.jpg file contains the decrypted malicious DLL.

    Figure 3. Final payload

    When flowertep.jpg runs, it first drops the malicious final payload temporarily as %Temp%\shiape.exe. From there the file is moved to its final location as %CommonProgramFiles%\DirectDB.exe. Random junk data is also appended to the end of the file so that its hash value changes every time, but the first 0xe000 bytes are always the same.

    Comparing the two files, the dropper flowertep.jpg has a Portable Executable timestamp showing that it was compiled on "Wed Dec 12 11:06:04 2012". The final payload, DirectDB.exe, is even older, dating back to "Thu Mar 01 00:29:20 2012".

    Both the dropper flowertep.jpg and DirectDB.exe are detected as Backdoor.Bifrose.N.

    Backdoor.Bifrose is a family of threats first discovered in 2004 that has evolved many times since. The latest variant, Backdoor.Bifrose.N, is similar to Backdoor.Bifrose.M but differs in that it does not use TOR for network communication, as described in an earlier Symantec blog. The threat implements common backdoor functionality such as uploading, downloading and executing files.
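    The appended random junk defeats whole-file hash matching, but the analysis above also says the first 0xe000 bytes never change, so hashing only that prefix lets defenders match every copy of the payload. The PowerShell below is an added example, not code from the original post: Get-PrefixHash computes a SHA-256 over the first 0xE000 bytes of a file (the length taken from the post; the quarantine paths in the usage comment are placeholders).

```powershell
function Get-PrefixHash {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [int]$Length = 0xE000   # size of the unchanging prefix reported in the analysis
    )
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $buffer = New-Object byte[] $Length
        # Read returns fewer bytes than requested for files shorter than the prefix;
        # hash only what was actually read so short files still get a stable value.
        $read = $stream.Read($buffer, 0, $Length)
        $sha = [System.Security.Cryptography.SHA256]::Create()
        $hash = $sha.ComputeHash($buffer, 0, $read)
        return ([System.BitConverter]::ToString($hash)) -replace '-', ''
    }
    finally {
        $stream.Close()
    }
}

# Usage (placeholder paths): two samples whose full-file hashes differ only because of
# appended junk will return the same prefix hash.
# (Get-PrefixHash 'C:\quarantine\sample_a.bin') -eq (Get-PrefixHash 'C:\quarantine\sample_b.bin')
```

    Store the prefix hash alongside the full-file hash in your indicator set; the full hash still identifies an exact copy, while the prefix hash catches the re-padded variants that the full hash misses.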


    Symantec's initial telemetry on this zero-day attack suggests that the number of affected computers is limited so far. The victims of the attack appear to be concentrated in North America. Given the location and nature of the compromised website used to host the zero-day attack, this pattern is consistent with the idea of using the zero-day vulnerability in a targeted "watering hole" attack.

    Figure 4. Distribution of Symantec detections related to this "watering hole" zero-day attack


    Microsoft has published a TechNet blog about this vulnerability describing how to prevent code execution (English). At the top of the list of mitigations is upgrading to Internet Explorer 9 or 10, which do not contain the vulnerable code.
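    Acting on the upgrade recommendation starts with finding the hosts still running Internet Explorer 6, 7 or 8. The PowerShell below is an added example, not from the original post: it reads the Internet Explorer version from the standard registry key and flags hosts in the affected range. It runs locally; wrap the function in Invoke-Command to fan it out across a fleet.

```powershell
function Get-IEVersionStatus {
    $key = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
    $props = Get-ItemProperty -Path $key -ErrorAction Stop

    # IE 10 and later keep 'Version' at 9.x for compatibility and record the real
    # version in 'svcVersion'; prefer that value when it is present.
    $raw = if ($props.svcVersion) { $props.svcVersion } else { $props.Version }
    $major = [int]($raw.Split('.')[0])

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        IEVersion    = $raw
        # Versions affected by CVE-2012-4792 per the advisory cited above
        Affected     = ($major -ge 6 -and $major -le 8)
    }
}

Get-IEVersionStatus | Format-Table -AutoSize
```

    Hosts reporting Affected = True are the ones to move to Internet Explorer 9 or 10 (or to patch once the full security update ships); until then the TechNet mitigations apply to them.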





    Exploiting zero-day vulnerabilities in targeted attacks is nothing new. High-profile cases such as Hydraq (also known as Aurora), Stuxnet and Duqu also exploited zero-day vulnerabilities to achieve their goals. As detailed in Symantec's white paper "The Elderwood Project" (English), the use of zero-day vulnerabilities in such attacks is on the rise. Most attackers still carry out their attacks with commonly available techniques, but this case, which used a zero-day vulnerability, shows a sophistication that requires resources and skills beyond those of the average hacker.


    * To subscribe to the RSS feed of the Japanese-language Security Response blog, please go to:


    By Robert Hamilton, Director Product Marketing, Symantec

    One of the most damaging events a business can experience is the loss or theft of sensitive information, be it proprietary information about the organization itself or personal details of its customers – either way, a data breach can cause millions of dollars in damages. Reducing the risk of a data breach is a board-level priority for organizations. Much of the focus has always been on preventing external attacks. But it’s not just bad people doing bad things that organizations need to worry about. On a daily basis, employees take inadvertent risks while trying to get their jobs done. With the massive growth in tablet and smartphone adoption, security organizations have struggled with how to better support their businesses in adopting these new technologies while also maintaining strong protections for their sensitive information.

    More than ever, CISOs and security organizations want to be seen as business enablers who embrace new productivity devices and services, but first they need to be able to ensure the business data on these devices will be protected. Organizations are looking for security vendors that can protect their sensitive data completely – no matter where it’s used or stored. Use cases for Data Loss Prevention solutions now go beyond the basics, as organizations need to manage sensitive data on mobile devices and in cloud and virtual environments.

    Gartner, Inc. evaluates vendors of data loss prevention solutions in its annual Magic Quadrant report, and the 2013 Magic Quadrant for Content-Aware Data Loss Prevention positions Symantec in the Leaders quadrant for the seventh year running*. Leaders are recognized for their ability to execute and completeness of vision, according to the report:

    Leaders have products that work well for Gartner clients in midsize and large deployments. They have demonstrated a good understanding of client needs and generally offer comprehensive capabilities in all three functional areas — network, discovery and endpoint. They have strong management interfaces, and have tight integration with other products within their brand or through well-established partnerships and tight integration. They offer aggressive road maps and usually deliver on them. Their DLP products are well-known to clients and are frequently found on RFP shortlists.

    We believe our position as a leader in the Gartner Magic Quadrant report for content-aware DLP is well deserved and affirms Symantec’s vision, focus and lasting commitment to stand as a partner and trusted advisor in protecting our customers’ information and infrastructure. Not only is our current offering strong, but our long-term vision is clearly recognized as well.

    DLP Developments in 2012

    This past year, we saw high-profile data breaches making headlines. We also continued to see mobile devices penetrating nearly every aspect of our lives. For many the line between personal and business devices has been blurred, or erased altogether, with a single device used for both personal and business activities. The security challenges mobile devices create weigh heavily on CISOs’ minds. The rapid adoption of smart mobile devices is leaving organizations vulnerable to data loss from insiders, both malicious and well-meaning. Protecting information on mobile devices is a must-have, and DLP technology is the leading choice here.

    Symantec, a recognized world leader in Data Loss Prevention, delivers a comprehensive, content-aware solution to discover, monitor and protect confidential data wherever it is stored or used – across network, storage and endpoint systems. The solution allows organizations to measurably reduce the risk of a data breach, establish broad-based security awareness and safeguard customer privacy, brand equity and intellectual property.

    In 2012, Symantec launched Symantec Data Loss Prevention for Mobile, which added support for the iPhone. The solution helps CISOs monitor and control the transmission of confidential data from mobile devices without restricting users’ access to applications. Combined with the recent release of Symantec Mobile Management, Data Loss Prevention for Mobile provides the industry’s most comprehensive solution to enable organizations to support business productivity and personal use concurrently. By adding iPhone support to existing support for iPad, Symantec provides comprehensive DLP for one of the most widely deployed enterprise mobile operating systems.

    For more information on Symantec Data Loss Prevention visit:

    About the Magic Quadrant

    Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

    * Vontu was acquired by Symantec; previous titles include Magic Quadrants for “Content Monitoring and Filtering” and “Data Loss Prevention”. 


    Stakeholders are becoming increasingly concerned about accountability and management of operational risks. Regulations like HIPAA, Sarbanes-Oxley, and Basel II are placing more stringent requirements on corporate governance. More and more high technology is embedded in the operating fabric of the organization and, in many respects, technology is the organization. Amazon and eBay are outstanding examples of businesses created by and totally dependent on technology. It is this reliance on technology and escalating dependency on interconnected infrastructures that has elevated the exposure to business interruptions. These interdependencies ripple through an organization, as well as outside to major stakeholders: customers, suppliers, lenders, and partners.

    Simultaneously, non-conventional threats such as denial of service, hacking, and the events of September 11th, 2001 changed the very nature of operational risk instantaneously and on a scale not previously envisaged. These newborn threats seek out and exploit the vulnerabilities of an organization’s soft underbelly. Short-term interruptions, once considered minor, can now quickly mushroom into significant and serious financial loss analogous to a major disaster.

    Widely publicized accounting irregularities and high-profile incidents intensify stakeholder concerns. The financial debacles at HealthSouth, Enron, and WorldCom fuel stakeholder doubts by underscoring dubious internal controls that aggravate operational risks. Furthermore, the sudden demise of one of America’s best-known professional services firms, Arthur Andersen, raises doubts regarding independent oversight practices. Yes, stakeholders are concerned because today’s business environment appears to be supported by a sensitive technical platform that has soaring exposures and is operating without the safeguard of adequate control or oversight.

    The foundation of this stakeholder concern is operational risk and the lack of its effective treatment by business management.  Many managers appear to be jousting with the windmills of guesswork and best practices, rather than taking a businesslike approach to managing the growth of operational risks.

    Managers are under great pressure to cut costs, and often do not know how to build a strong business case for expenditures to achieve regulatory compliance and manage risks. Success in dealing with risk requires more than guesswork and luck. Competent managers know how to keep the odds in their favor if they must make a gamble. As the great philosopher Immanuel Kant said, “We have a duty - especially where the stakes are large - to inform ourselves adequately about the facts of the situation”. The stakes in today’s business environment are particularly high and a bad choice about operational risk could be fatal. Risks need to be measured, but many managers doubt that this can be done.

    However, without the benefit of a measurement of risk, managers resort to their intuitive judgments, little more than stabs in the dark and certainly subject to error. Rapid, intuitive judgment operates as a substitute for more careful study of risk and leads to devoting costly resources to little problems rather than big ones. It also causes concern about risks that are actually quite small and indifference to risks that are extremely serious.

    Simply classifying a risk as “serious” does not usually lead to a “serious” budget allocation. Business lines need to be given financial incentives that motivate them to reduce operational risk. Unless risks can be put in a comparative economic context, managers end up doing very little to address risk. Historically, the lack of an economic basis for comparing risks has caused risk-reduction investments to be made to avoid the appearance of negligence and/or to meet minimal audit requirements rather than to reduce risk cost-effectively. This has made managers appear complacent about operational risk, when actually they are simply unsure of the business value of the risk-reduction investments. What is needed is a quantitative basis for risk management decisions.

    Risk losses are caused by the exposure to threat events.  Threat events are quantified by estimating their rate of occurrence (or probability), and the duration of the service interruptions they cause.  Business processes are characterized by their potential for loss when impacted by threat events.  The product of the threats and loss potentials is expected loss, the monetary loss one can reasonably expect to experience expressed at an annual rate.  This makes it simple to identify the material threats.

    Next, one can evaluate the Return On Investment (ROI) of proposed mitigation measures by comparing the anticipated reduction in expected loss (the return) with the cost to implement (the investment). Obviously, managers will want to select mitigation measures with a strongly positive ROI, and avoid the money losers. It is also important to address potentially fatal risk exposures. By addressing all the exposures collectively, one evolves the optimal risk management strategy on a sound businesslike basis.
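The expected-loss and ROI method of the two paragraphs above, carried through in code. This is an added example, not part of the original article; the threats, rates, durations, loss-per-hour figure, mitigation costs and the fatal-loss threshold are all constructed illustrations.

```python
"""Expected-loss and mitigation-ROI model (added example, not from the
article). Expected loss = rate x duration x loss potential; ROI compares the
reduction in expected loss with the cost; fatal exposures are flagged apart."""
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Threat:
    name: str
    annual_rate: float    # expected occurrences per year
    outage_hours: float   # service interruption per occurrence

@dataclass(frozen=True)
class Mitigation:
    name: str
    threat: str                 # name of the threat it reduces
    annual_cost: float          # the investment, annualized
    rate_factor: float = 1.0    # multiplier on annual_rate once in place
    outage_factor: float = 1.0  # multiplier on outage_hours once in place

def expected_loss(t: Threat, loss_per_hour: float) -> float:
    """Annual expected loss: occurrences/year x hours/occurrence x loss/hour."""
    return t.annual_rate * t.outage_hours * loss_per_hour

def roi(m: Mitigation, threats: dict, loss_per_hour: float) -> float:
    """(reduction in expected loss - cost) / cost."""
    before = threats[m.threat]
    after = replace(before, annual_rate=before.annual_rate * m.rate_factor,
                    outage_hours=before.outage_hours * m.outage_factor)
    saving = expected_loss(before, loss_per_hour) - expected_loss(after, loss_per_hour)
    return (saving - m.annual_cost) / m.annual_cost

def select_measures(mitigations, threats, loss_per_hour, fatal_loss):
    """Best ROI first; keep positive-ROI measures, plus any measure that
    addresses a threat whose single worst-case event would be fatal."""
    ranked = sorted(mitigations, key=lambda m: roi(m, threats, loss_per_hour), reverse=True)
    return [m.name for m in ranked
            if roi(m, threats, loss_per_hour) > 0
            or threats[m.threat].outage_hours * loss_per_hour >= fatal_loss]

# Constructed inputs: one process losing $50,000 per hour of interruption;
# a single event costing $5,000,000 or more is treated as fatal.
LOSS_PER_HOUR, FATAL_LOSS = 50_000.0, 5_000_000.0
THREATS = {t.name: t for t in (
    Threat("power outage", annual_rate=2.0, outage_hours=4.0),
    Threat("ransomware", annual_rate=0.1, outage_hours=120.0),
    Threat("denial of service", annual_rate=6.0, outage_hours=1.0))}
MITIGATIONS = [
    Mitigation("UPS and generator", "power outage", 100_000.0, outage_factor=0.25),
    Mitigation("offline backups", "ransomware", 200_000.0, outage_factor=0.2),
    Mitigation("hot site", "ransomware", 1_500_000.0, outage_factor=0.05),
    Mitigation("DDoS scrubbing", "denial of service", 250_000.0, rate_factor=0.5)]
```

The hot site has a negative ROI yet stays selected because a single ransomware outage in this constructed data exceeds the fatal threshold; DDoS scrubbing is dropped as a money loser.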

    Governments and regulatory bodies have recognized the reluctance of businesses to account properly for operational risk.  Not accounting for operational risk makes certain functions or systems appear artificially attractive.  The stakes have become so high, in fact, that governments have taken swift and compelling action to force the issues of operational risk to the forefront of business management.

    Companies can expect stricter regulation and oversight by government regulators. Internal controls are no longer “nice-to-haves”, they are “must-haves”. As an example, Section 404 of the Sarbanes-Oxley Act requires public-company executives and auditors to certify the controls and procedures. Section 409 of Sarbanes-Oxley requires prompt reporting of material changes in both financial and operating conditions, i.e. material impairments due to business interruption events.

    There are severe civil and criminal penalties related to non-compliance with Sarbanes-Oxley. Much more than the customary slap on the wrist for business executives, these penalties have teeth, long and sharp. Failure to comply could result in fines of up to $25 million and/or prison terms of up to 20 years. These liabilities land squarely on the key executives, as the law also prohibits company-backed loans to pay the fines and extraordinary payments to insiders during an investigation.

    Business executives must learn to manage operational risk, and that requires that they first learn how to measure it and evaluate it properly through quantitative assessments. Second, they must assess the tradeoffs by exploring the costs of alternative preventative measures, also in quantitative terms. Third, to make best use of scarce resources, they must choose the optimal mitigation solutions for the most serious risks.



    We have previously covered the file infector W32.Virut on this blog, and have also published some thoughts on botnet takedown requests. Recent legal proceedings temporarily suspended the domains of Virut's command-and-control (C&C) servers; Symantec anticipated the backup random domain generator, sinkholed it, and succeeded in gathering information on the size and statistics of the botnet. Unfortunately the suspension was only temporary, and Virut remains active today.


    Of the C&C servers used by W32.Virut, the domains  and  are used to receive commands, but recent versions also add a backup domain generator for use when the hard-coded servers cannot be reached. Symantec had continued monitoring Virut, and we confirmed that the long-running Virut C&C domains stopped responding to connecting clients in mid-November 2012, and that their status at the corresponding registrar had changed.

    Figure 1. Known Virut C&C server with its status changed to "undergoing proceeding"

    According to the Polish domain name registry, a domain whose status is "undergoing proceeding" is the subject of legal proceedings. Similar changes were seen on other Virut domains.


    Because the C&C servers had stopped responding to connecting clients, Virut clients began using the backup random domain generator. Symantec seized the opportunity to investigate the domain generator used by Virut, sinkhole its domains, and begin estimating the size of the botnet.

    As a result, we were able to sinkhole the domains for just three days and obtain statistics on the connections.

    Statistics on the Virut botnet

    Figure 2. Worldwide Virut detections based on sinkhole data

    Virut detections are spread worldwide, but are especially concentrated in Egypt, the Indian subcontinent, and Indonesia.

    Figure 3. Breakdown of the Virut botnet by country

    Based on the sinkhole data we obtained, the Virut botnet is estimated to have infected approximately 308,000 unique computers. This counts only computers that were active on one particular day and excludes computers that were powered off or not connected to the Internet, so it is a conservative estimate.
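The single-day counting behind the estimate above, as an added example in Python (not Symantec's sinkhole tooling). The log format is constructed, one line per connection to a sinkholed domain, and the sample entries are invented; the point it shows is why a per-day distinct count is conservative compared with the whole capture window.

```python
"""Count distinct sinkhole clients per day (added example, not Symantec's
tooling). Constructed log format: '<ISO timestamp> <client IP>
<generated domain>', one line per connection to a sinkholed DGA domain."""
from collections import defaultdict

# Constructed sample: three days of connections, some clients recurring.
SAMPLE_LOG = """\
2012-11-20T08:01:12Z 203.0.113.5 qwerty.example
2012-11-20T08:01:15Z 203.0.113.5 qwerty.example
2012-11-20T09:10:00Z 198.51.100.7 asdfgh.example
2012-11-21T00:00:03Z 203.0.113.5 zxcvbn.example
2012-11-21T03:22:41Z 192.0.2.9 zxcvbn.example
2012-11-22T11:45:09Z 198.51.100.7 poiuyt.example
2012-11-22T11:45:09Z 192.0.2.44 poiuyt.example
"""

def parse_log(text):
    """Yield (day, client_ip, domain) for each non-empty log line."""
    for line in text.splitlines():
        if line.strip():
            ts, ip, domain = line.split()
            yield ts[:10], ip, domain

def unique_clients_per_day(text):
    """Distinct client IPs per day: the post's 'active on that day' figure.
    An IP stands in for a bot; NAT hides hosts behind one IP, DHCP churn
    can show one host under several, so treat the number as an estimate."""
    per_day = defaultdict(set)
    for day, ip, _ in parse_log(text):
        per_day[day].add(ip)
    return {day: len(ips) for day, ips in sorted(per_day.items())}

def unique_clients_overall(text):
    """Distinct IPs across the whole window. Hosts that were off on one day
    still count if they connected on another, so this is at least as large
    as any single-day figure; the single-day figure is the conservative one."""
    return len({ip for _, ip, _ in parse_log(text)})

def domains_per_day(text):
    """Which generated domains the clients contacted on each day."""
    seen = defaultdict(set)
    for day, _, domain in parse_log(text):
        seen[day].add(domain)
    return {day: sorted(d) for day, d in sorted(seen.items())}

if __name__ == "__main__":
    print(unique_clients_per_day(SAMPLE_LOG))
    print("window total:", unique_clients_overall(SAMPLE_LOG))
    print(domains_per_day(SAMPLE_LOG))
```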


    WHOIS information confirms that in early December 2012 the status of the  domain changed from "undergoing proceeding".

    Figure 4. Known Virut C&C server domain parked as 

    The domain was parked on December 12. Shortly afterwards, the status of both the  domain and the  domain changed again.

    Figure 5. The  domain and the  domain both back online

    On December 26 the hard-coded C&C servers came back online, and on December 28 new payloads began to be sent to the Virut botnet's clients.

    Virut has continued to distribute many payloads since then. These payloads can send spam email for advertising and fraud, send email impersonating the United States Postal Service with malicious attachments, perform click fraud, and host an Internet proxy service on the compromised computer, which makes this fairly nasty malware.

    To sum up, the servers hard-coded in Virut went offline and replacement domains were generated in their place. Thanks to this fallback algorithm, Symantec was able to collect statistics on the botnet and estimate its size: approximately 308,000 unique active Virut clients in a single day. However, the original hard-coded servers were offline only temporarily; they came back online in late December and once again began spreading new payloads. In other words, the botnet remains active.


    * To subscribe to the RSS feed of the Japanese-language Security Response blog, visit .


    Contributor: Cathal Mullaney

    Luring users with adult images and then planting malware or security risks on their computers is hardly a new technique. Symantec recently discovered three apps that use this "carrot and stick" technique. All were published on Google Play and have been downloaded between 500,000 and 1,500,000 times in total.

    The apps in question are named "Porn Sexy Models Wallpaper", "Porn Sexy Girls Live Wallpaper", and "Sexy Girls Ass Live Wallpaper", but they have since been removed from Google Play.

    Figure 1. Screenshot of the security risks published on Google Play

    Careful analysis showed that all of these apps were created by the same developer and that, rather than being modified versions of legitimate, safe apps, they were developed from the outset as security risks. Symantec detects these apps as Android.Coolpaperleak.

    Let's take a look at the Android app "Porn Sexy Model Wallpapers".


    Figure 2. App icon


    • App name
    • Gmail address
    • GPS latitude and longitude
    • IMEI number
    • Network operator information

    Next, it uses the above information to build an HTTP POST string and sends it to a remote command-and-control (C&C) server, requesting that the device communicate with the location below.

    Communication with the C&C server

    All data between the infected device and the C&C server is exchanged in the form shown in Figure 3.

    Figure 3. Screen capture of the stolen information

    The infected device sends a POST. In addition to information identifying the device, the POST contains a "req" field naming the data it requests from the C&C server. The remote server answers the Trojan's request with an "ans" field. In the screenshot above, the app requests the server parameter from the C&C server in the form "req=server". The server responds with a field of the form "ans=http://farm.tak[REMOVED]".

    Depending on the type of request received from the server, other data may also be sent from the device. Communication between the infected device and the C&C server repeats in this way, with each HTTP POST sending sensitive information. Eventually the device receives the following two requests:

    • Req=ua
    • Req=imagearray
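An added example (not code from the original post or from Symantec) that inspects a captured device-to-server POST and its reply of the req/ans form described above and reports which of the collected identifiers it carries. Only the "req", "ans", "server", "ua" and "imagearray" names come from the post; the other parameter names, the IMEI and the server URL are assumed or constructed, since the exact field names are not shown.

```python
"""Inspect a Trojan-to-C&C exchange of the req/ans form described above
(added example, not Symantec's or the app's code). Parameter names other
than 'req' and 'ans', and all sample values, are assumed/constructed."""
from urllib.parse import parse_qs

# Identifiers the post says the app collects, keyed by assumed parameter name.
SENSITIVE_KEYS = {
    "app": "app name", "email": "Gmail address", "lat": "GPS latitude",
    "lon": "GPS longitude", "imei": "IMEI number", "operator": "network operator",
}
# Request types named in the post.
KNOWN_REQUESTS = {"server", "ua", "imagearray"}

def luhn_ok(digits: str) -> bool:
    """IMEIs carry a Luhn check digit; use it to avoid flagging random digits."""
    if not (digits.isdigit() and len(digits) == 15):
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def inspect_post(body: str) -> dict:
    """Summarize one device-to-server POST: what it asks for and what it leaks."""
    f = {k: v[0] for k, v in parse_qs(body).items()}
    leaked = [label for key, label in SENSITIVE_KEYS.items() if key in f]
    return {"req": f.get("req"), "known_request": f.get("req") in KNOWN_REQUESTS,
            "leaked": leaked, "imei_valid": luhn_ok(f.get("imei", ""))}

def inspect_answer(body: str):
    """Return the 'ans' value the server hands back, or None if the reply
    does not follow the ans= convention."""
    return parse_qs(body).get("ans", [None])[0]

def is_suspect_exchange(post_body: str, answer_body: str) -> bool:
    """Heuristic: a known req type, at least two device identifiers in the
    same POST, and an ans= reply. Tune the threshold to your own traffic."""
    p = inspect_post(post_body)
    return p["known_request"] and len(p["leaked"]) >= 2 and \
        inspect_answer(answer_body) is not None

# Constructed sample exchange modelled on Figure 3 (values are not real).
SAMPLE_POST = ("req=server&app=Porn+Sexy+Model+Wallpapers&email=user%40gmail.com"
               "&lat=53.34&lon=-6.26&imei=490154203237518&operator=Example+Mobile")
SAMPLE_ANSWER = "ans=http://cnc.example.invalid/"
```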

    At this point, the app receives multiple URLs from the remote server. Each URL is displayed as a gallery in the app (Figure 4).

    Figure 4. Galleries observed

    The app then connects to several different ad servers and accesses the retrieved ads, without showing the user the results. It also loads the first gallery image and displays a single small ad to the user, as in Figure 5 (although in the background it is accessing many more sites).

    Figure 5. Image with a small ad displayed

    The app requests the Android GET_ACCOUNTS permission, which allows it to enumerate the configured accounts. This does not mean the user has consented to their account names being leaked. Most apps request this permission to check whether they can connect the user to a service, but a legitimate app never actually sends the user's account name to a server.





    Google's guidelines for adult apps state, in effect: "Apps must not contain or link to content that displays pornography, obscene content, nudity, or sexual activity (whether by text, image, video, or other media)." This wording, however, cannot prevent circumvention; developers will simply distribute the app through another channel, or distribute it with its real content hidden.

    The apps covered in this blog are real examples of such circumvention. The images and descriptions shown on the Google Play page were within acceptable limits. But once you browse the wallpapers inside the app, you are faced with a huge number of pornographic images.



    Customers using Norton Mobile Security on their Android phones are protected from this threat.

    Norton Mobile Security has a five-star rating (81,000 votes) and between 5,000,000 and 10,000,000 installs, so it is at least more successful than the adult apps on Google Play.



    01/09/13--06:56: Altiris 7.1 migration, Day 3

    A few days into the migration, some questions have come up. So let's go through them.

    Our infrastructure is more like 1 huge building than 80 separate sites. The availability of having fiber connected to all the satellite campuses means we can centrally manage as if they were in the same building. The problem is SMP isn't really designed for that kind of infrastructure. And the few issues we encountered are:

    1. The technicians cannot manage the infrastructure in real time from 1 console. The number of our clients meant we had to use hierarchy, which means the Parent server sees things later (sync schedule). While all synched machines will be on the Parent server, any new clients will take 24 hours for the Parent console to see. Which means no OOB deployment from the parent Console.

    2. Replication of packages may be required as Task Servers, which means we would have to replicate our packages at least 5 times (5 Task Servers). We don't need that as our SAN can handle the biggest deployments in the past with no issues for all clients accessing that one file share. Replicating this 5 times will be expensive and overkill.

    3. Big pain cleaning 6.x agent. If there are any remnants, the 7.1 agent ignores some of the install configurations. For example, it will install to C: instead of D: on the servers causing obvious issues.

    Other than that, with Symantec poaching Altiris Administrators from the area, I don't have too many people to bounce ideas off of any more. Not the best start, but at least all servers are up and running, just a lot of tweaking and pilot to go through now.

    Next week, DS and HII imaging, Software Library, and Agent deploy to Pilot Campuses. 


    Contributor: Jeet Morparia

    Online dating is big business. In 2012, 40 million people visited or used an online dating site in the United States. According to some statistics, the online dating industry is worth over $1 billion dollars. Others say it is worth over $3 billion globally. The fact is that online dating is a lucrative industry, so it should come as no surprise that it is also on the radar for cybercriminals.

    Figure 1. Downloader.Ponik spam campaign world map

    One of the most recent malicious spam campaigns we encountered used online dating as its lure. While broad in scope, targeting users around the world, this campaign was largely focused on users in the United States, the United Kingdom, and Australia.

    Figure 2. Sample Downloader.Ponik dating spam email

    The email messages used in the campaign claim to be from someone named “Kat” and use varying subject lines:

    • It’s a pleasure to meet you here
    • Write me again, ok? I really need your advice
    • How are you today? What are you doing now?
    • You dont know me, so Im here to fix it!
    • Hey how are you?
    • Hello there!
    • Im glad to see you!
    • Hola!
    • How do you do?

    The body of the message is identical in each email:

    Hello from Kat. I got some information about you from a dating site. I found out that you are looking for a woman for LTR. I’m expect to find a perfect match. Also I wish to exchange photos with you and maybe try to know you better. I will be waiting for your reply with impatience.

    It is interesting to note that the emails claim that they obtained information on the target through an online dating site.

    Attached to each message is a file named, which contains a threat that we detect as Downloader.Ponik. Downloader.Ponik is known for bringing some baggage with it. This particular version of Downloader.Ponik downloads the following malware:

    As always, be careful when opening attachments in emails from unknown sources. I think it is safe to say that this is one long-term relationship you don’t want to get involved in.
