Channel: Symantec Connect - Blog Entries

General connectivity troubleshooting


New Symantec System Recovery 2013 R2 is here!


Symantec Identity: Access Manager (SAM) is available!


You need to stay competitive and allowing users to work anywhere, anytime is one of the ways your business keeps its edge.  However, in some cases this means using personal devices to access data in unsanctioned cloud applications.  In IT’s opinion this is risky behavior and something they are not comfortable with.  Your users don’t engage in this behavior out of any malicious intent, but to innovate and improve productivity.  However the increased use of mobility and cloud can increase the risk of loss of data or a breach.  In parallel the more apps users need to access or the more “security” IT imposes generally impacts the user experience – especially on small mobile devices. Ultimately, the burden falls to IT to find a solution to balance innovation with risk, despite their increasingly complex environments – more mobile users on more platforms, more user stores, more apps, more passwords, but not more resources.  Symantec Identity Access Manager (SAM) provides the much needed control, convenience, and compliance to bridge the gap between IT and the business.

SAM is a next generation access control platform for the cloud that integrates Single Sign-On (SSO) with strong authentication (supporting Symantec Validation and ID Protection Service (VIP), Symantec Managed PKI Service (MPKI), and RSA SecurID), access control, and user management.  To make sure that it works for your business we’ve made SAM available as either an on premise solution or hosted service.  Although SAM comes with a built-in user directory (a flexible way to help manage those contractors and other temporary workers) we’ve also made integration easy with common user directories.


With SAM you can give your users access anywhere, anytime, on any device, and with SSO they only have to log in once!  Access policies help ensure they only have access to what they should, and strong authentication means every app SAM protects has an extra layer of protection so only the good guys get in.


Easy to create connectors allow IT to add virtually any Web based application to the application catalog, which already includes over 100 applications, helping to manage Shadow IT without impacting the success of your business. Finally, SAM helps simplify compliance auditing for cloud applications by consolidating access logs across all users and applications it protects; so you don’t lose sleep over what could happen if you fail a compliance audit.

To find out more about Symantec Identity Access Manager, visit the website.

Follow us on Twitter: @SymantecSAM, @SymantecVIP, or @SymantecMPKI

Spin.com visitors served malware instead of music

Compromised site sent visitors to Rig exploit kit to infect them with a range of malware including Infostealer.Dyranges and Trojan.Zbot.


On October 27, while tracking exploit kits (EKs) and infected domains, Symantec discovered that the popular music news and reviews website spin.com was redirecting visitors to the Rig exploit kit. This exploit kit was discovered earlier this year and is known to be the successor of another once popular EK, Redkit. The Rig EK takes advantage of vulnerabilities in Internet Explorer, Java, Adobe Flash, and Silverlight and was also one of the EKs associated with the askmen.com compromise back in June.

At the time of writing, the spin.com website was no longer compromised. However, spin.com is a popular site in the US, according to Alexa, so the attackers could potentially have infected a substantial number of users’ computers with malware during the time the site was compromised. The number of potential victims could grow substantially depending on how long the website was redirecting visitors to the EK prior to our discovery. Our data shows that the attack campaign mainly affected spin.com visitors located in the US.

Figure 1. Symantec telemetry shows visitors based in the US were most affected by the spin.com compromise

How the attack worked
The attackers injected an iframe into the spin.com website, which redirected users to the highly obfuscated landing page of the Rig EK.

Figure 2. Injected iframe on compromised spin.com website
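The injected iframe is the pivot of the whole attack, so a site owner's first check is usually "does my page contain an iframe I did not put there?". The following Python is an added illustration, not part of Symantec's write-up: it parses page HTML with the standard-library HTMLParser and reports iframes that point off-site, are hidden by CSS, or are sized 0 or 1 pixel. Those three heuristics are assumptions chosen for this example (the post only states that an iframe was injected and that it redirected to an obfuscated landing page), and the sample HTML, the site host and the `ek-landing.invalid` hostname are all constructed.

```python
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag in a document."""

    def __init__(self) -> None:
        super().__init__()
        self.iframes: List[Dict[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attribute values may be None for bare attributes; normalise to ""
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value: str) -> bool:
    """True for width/height values of 0 or 1, with or without a px suffix."""
    digits = value.strip().lower()
    if digits.endswith("px"):
        digits = digits[:-2].strip()
    return digits.isdigit() and int(digits) <= 1


def find_suspicious_iframes(html: str, site_host: str) -> List[Dict[str, str]]:
    """Report iframes that point off-site, are hidden by CSS, or are 0/1 px.

    The heuristics are assumptions for this example, not Symantec's detection logic.
    """
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        reasons = []
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()   # "" for relative src
        if host and host != site_host and not host.endswith("." + site_host):
            reasons.append("off-site src")
        style = attrs.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        if _is_tiny(attrs.get("width", "")) or _is_tiny(attrs.get("height", "")):
            reasons.append("zero/one-pixel size")
        if reasons:
            findings.append({"src": src, "reasons": ", ".join(reasons)})
    return findings


# Constructed sample page: one legitimate same-origin player iframe and one
# injected iframe that shows all three traits at once.
SAMPLE_HTML = """
<html><body>
<h1>Music news</h1>
<iframe src="https://www.example.com/player" width="640" height="360"></iframe>
<iframe src="http://ek-landing.invalid/index.php" width="1" height="1"
        style="visibility: hidden"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for finding in find_suspicious_iframes(SAMPLE_HTML, "www.example.com"):
        print(finding["src"], "->", finding["reasons"])
```

Run it against a copy of the page fetched from the server (or from a web cache) rather than the rendered DOM, since an injected iframe is often written into the HTML by a script and will only show up in the fetched source once the server-side injection is in place.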

When the user arrives on the landing page, the Rig EK checks the user’s computer for driver files associated with particular security software products. To avoid detection, the EK avoids dropping any exploits if the security software driver files are present.

Figure 3. Rig EK searches for driver files used by security software products

The EK then looks for particular installed plugins and will attempt to exploit them accordingly. In the recent compromise, the Rig EK took advantage of the following vulnerabilities:

Upon successfully exploiting any of these vulnerabilities, an XOR-encrypted payload is downloaded onto the user’s computer. The Rig EK may then drop a range of malicious payloads such as downloaders and information stealers, including the banking Trojan Infostealer.Dyranges and the infamous Trojan.Zbot (Zeus).

Symantec protection
Symantec has detections in place to protect against the Rig EK and the vulnerabilities exploited by it, so customers with updated intrusion prevention and antivirus signatures were protected against this attack. Users should also ensure that they update their software regularly to prevent attackers from exploiting known vulnerabilities. Symantec provides the following comprehensive protection to help users stay protected against the Rig EK and the malware delivered by it in this recent website compromise:

Intrusion prevention

Antivirus

EV9 - Moving Indexes to a New Server


Just a write-up of my EV9 Indexing Service move to a new dedicated Indexing server.

My situation was Server1 was getting overwhelmed with both Storage and Indexing Services running. The Indexes folder was getting large (1.2 TB) too. (Separating the Services will help with our EV10 upgrade as we are hardware constrained.)

Proposed solution was to build a new dedicated Indexing server, Server2. Create new Open Indexes on Server2, Closing Indexes on Server1, then move all of the existing Server1 Indexes to Server2.

All EV9.0.5 on VM servers with virtual RDM storage.

  • Server2 was built and joined to the existing Site, following http://www.symantec.com/docs/TECH50844. Virtual RDM added for new Indexes as F:.
  • Added the “Enterprise Vault Indexing Service” to Server2 from the VAC: Servers, Server Name, right-click Services and open the Properties.
  • Created new Open Indexes on Server2 (F:), updated the "Override the inherited Index Service" on each of my Provisioning Groups to Server2 and Closed Indexes on Server1 (E:). (As documented, an EV9 Closed Index continues to be updated and only new Indexes are created in the Open Index.)
  • Following http://www.symantec.com/docs/TECH51450, I then had the Server1 E: drive moved to Server2 as E: and updated the IndexPathRootEntry table as per the query provided in Step 5.

Took a fair bit of research to get to the above (thanks to a few Symantec Connect members) but the actual move process only took about 15 minutes to complete. The Help Files and Technotes* are all excellent I just wanted to connect them together in case it ever helps anyone in the future.

*Technote 51450 could be clearer, see https://www-secure.symantec.com/connect/ideas/ev9-moving-indexes-technote-confusion

Four Best Practices for Discovering Cloud Data Sources


Cloud-based business email and business documents are on the rise. Radicati Group estimates that nearly 40% of business email accounts will be cloud-based by 2017. 37% of enterprises expect to use Microsoft O365 applications in the next 24 months. With email and business documents driving most of eDiscovery data, what should you do to prepare for discovering data from increasingly “cloudy” sources? We frame the important issues and best practices in what follows.

 

Does your cloud data source preserve metadata?

Metadata is critical for eDiscovery, but it is unclear whether cloud sources preserve dates consistently. Salesforce.com, for example, recommends that its customers back up data and points out that “to preserve old/original create dates, request that Salesforce.com enable Create/Audit Fields for you before restoring.” In other words, if you are not careful, data restored from Salesforce.com backups may not be defensible for eDiscovery. Similarly, transfers into Box.com need special care to ensure that original and modified dates are preserved – in particular, FTP and browser uploads into Box.com do not preserve creation dates. Version history for files is another aspect worth looking into. Many editions of Box allow only up to 10 revisions of a file – any further edits will overwrite prior versions.

 

Best practice: Given these challenges, it might be worth looking into an archiving solution to ensure preservation of metadata.

 

How long does your cloud data source hold backups?

In Brown v. Tellermate, it turned out that the defendants failed to preserve Salesforce.com data in a defensible way even after being served the complaint. The plaintiffs (“Brown”) were former sales reps of Tellermate and complained that their age had been the cause of termination. They requested disclosure of sales performance data for themselves and younger employees from Tellermate’s Salesforce.com system. It turns out that

  • An enterprise’s admin users and current employees can change Salesforce.com data at any time
  • User accounts in Salesforce can be reassigned or de-activated - there is no guarantee that data in such accounts remain immutable. Plaintiff Brown’s accounts were reassigned by Tellermate.
  • Salesforce.com holds backups for only 3 to 6 months from the current date

Similar considerations apply to cloud-based instant messaging solutions, email and transient sources like Twitter and Salesforce.com Chatter.

 

In short, unless an enterprise is diligent about exporting cloud data and storing it in an immutable fashion, it is vulnerable to missing its obligation to preserve data in the event of a complaint. The judge in Brown v. Tellermate noted: “….Tellermate did not do …“data export” when the preservation letter was received…and because salesforce.com deleted any backups that were more than 6 months old, it now appears to be impossible for Tellermate to produce salesforce.com information whose reliability can be guaranteed.”

 

Best practice: Given these challenges, an archiving solution is the proven approach to data preservation. If you do not own an archive, you should consider “collecting to preserve” into your eDiscovery solution from your cloud data sources as soon as you become aware of a complaint.

 

How diverse is your data?

The “80-20 rule,” unfortunately, doesn’t apply to eDiscovery. Meaning: any data, however insignificant in terms of its overall share in your environment, might be considered discoverable. So, while you may rush to a one-stop shop for cloud-based email and collaborative applications, your historical files and emails in on-premises data sources are still relevant for eDiscovery. I have seen recent cases in financial services that call for 7-10 years of historical data, and most of it will remain on-premises for the foreseeable future.

 

Best practice: Given the “look back” requirement of eDiscovery, consider solutions that have a comprehensive approach to collecting both cloud and on-premises data.

 

How quickly can you get the data out of your cloud sources?

Several customers have pointed out that searching and exporting from cloud-based email and collaboration applications takes too long and hinders their ability to meet eDiscovery timelines.

 

Best practice: Test search and export performance for eDiscovery scenarios (lots of custodians, lengthy date ranges) before signing up for cloud-based email and collaboration suites.

 

These are some issues that we have encountered in our experience. What do you think? We would love to hear from you. 

The Grace Hopper Conference: A Celebration of Women in Computing


“Diversity drives innovation – when we limit who can contribute, we in turn limit what problems we can solve.”  ~ Telle Whitney, President & CEO of Anita Borg Institute

 


Grace Hopper Conference 2014

 

On October 8th, 7500 women and 500 men came together in Phoenix, Arizona for a three-day celebration. The Grace Hopper Conference (GHC), presented by the Anita Borg Institute in partnership with the Association for Computing Machinery, is the largest gathering of women technologists in the world and is dedicated to celebrating women in computing. The three-day conference is designed to empower women technologists by providing a platform to showcase women in technology, featuring inspiring presentations from industry leaders and professional development activities. This year marked an incredible year for the GHC, with double the number of attendees from last year and over 67 countries represented.

The impressive cast of speakers included Arati Prabhakar, Director of US Defense Research, Megan Smith, US Chief Technology Officer, and Shafi Goldwasser, Professor of Electrical Engineering and Computer Science at MIT, just to name a few. Presentations spanned from the latest technological innovations, such as the use of robotic technology in the armed forces and cryptography in cloud computing, all the way to the classic cybersecurity issue of selecting secure passwords.

Additionally, the conference provided an opportunity to continue developing Symantec’s current employees. Discussions also focused around career advancement and professional development – from the value of mentors and sponsors in career advancement to fine-tuning your ‘Superhero’ strengths.  As Satya Nadella, the CEO of Microsoft said, “We all have different superpowers – and bring different perspectives to the table. These different perspectives are needed to create the product truth.” Most enlightening are the passionate testimonials from the Symantec attendees invigorated with inspiring accounts of their experience:

It was a fascinating three days… to learn from and connect with not only world renowned leaders, but also extremely bright and courageous women from around the world from undergraduates to VPs. In fact, I have never seen in my life 7,500 women in a single room and felt that kind of energy and passion from a single group of people. Truthfully, I learned some interesting and new things, but the life-changing experience for me was to know how many people struggle with similar challenges and questions, and how the secrets to solving them are simple and basic, yet de-emphasized in our daily lives. ~ Jenny Kang, Director of Globalization

As a veteran of GHC, this one is truly an impressive one. I’m very happy to see and hear from lots of you that you have greatly benefited from the conference and are energized by it. The most rewarding part for me is that many women whom I never met before asked me how they could get involved in the future for the conference. ~ Wei Ling, Sr. Director of Engineering

 


Wei Ling, Sr. Director of Engineering at Symantec, addresses attendees as General Co-Chair of this year's GHC

 

While there are countless female leaders that contribute to technological progress around the world, women continue to be under-represented and under-paid, particularly in the field of technology. Recognizing that a diverse workforce translates into a successful organization, Symantec proudly continues to support and participate in the Grace Hopper Conference, one of many efforts to bolster women’s voices in technology. Symantec was once again a silver sponsor and Symantec’s Wei Lin, Sr. Director of Engineering, was General Co-chair for this year’s event.


Antoine Andrews, Director of Global Diversity and Inclusion at Symantec, addresses the student winners at the NCWIT Student Seed Fund Lunch

 

During one of the conference days, Symantec sponsored the NCWIT Student Seed Fund Lunch, where several student winners of the NCWIT Seed Fund presented their grant-winning programs to executives. The NCWIT Student Seed Fund offers $1,000 to student-run programs that encourage women’s participation in technology. Avani Patel, Principal Software Engineer at Symantec, found that the “opportunity to talk to some of the smartest girls was probably the highlight of my conference.”

Symantec looks forward to future participation at the Grace Hopper Conference in years to come. You can see more about what the attendees had to say in this video. To learn more about Symantec’s involvement, email: Global_Diversity@Symantec.com


SSL 3.0 Vulnerability – the POODLE Bug (AKA POODLEbleed)

A bug has been found in the Secure Sockets Layer (SSL) 3.0 encryption protocol (SSLv3) that could allow the protocol to be compromised in order to intercept data between a computer and a server that should have been encrypted. Three Google security researchers discovered the flaw and detailed how it can be exploited through what is known as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack (CVE-2014-3566).

It is worth noting that this is not a flaw in SSL certificates, their private keys or their design, but a long-standing problem in the legacy SSLv3 protocol. SSL certificates are not affected, and customers holding server certificates that support SSL 3.0 do not need to replace them.

The bug is believed to be less severe than the Heartbleed bug in OpenSSL, because an attacker needs a privileged position on the network in order to compromise the data. The use of hotspots and public Wi-Fi makes this attack a practical concern. This type of attack falls into the "man-in-the-middle" category.

Background

According to the latest report from Netcraft, nearly 95% of web browsers have supported SSL 3.0 since it was introduced in 1996. Many Transport Layer Security (TLS) clients downgrade the encryption protocol to SSL 3.0 when used with older servers. According to Google, an attacker who controls the network between a computer and a server can interfere with the handshake process that determines which encryption protocol the server will accept (the "protocol downgrade dance"). This forces the computer to use the older SSL 3.0 protocol to protect the data being transmitted. The attacker can then exploit the bug by carrying out a man-in-the-middle (MITM) attack, decrypting secure HTTP cookies in order to steal information or take control of the victim's online accounts. Although at the time of writing website administrators have been quick to disable SSL 3.0 and move to TLSv1 and above, much remains to be done. If there is one lesson to be learned from Heartbleed, it is that while large companies move quickly, many smaller companies lag behind in patching critical vulnerabilities.
To mitigate the bug, the following courses of action are offered:

Actions for businesses

1.     Use the free SSL Toolbox to check whether your web server is vulnerable.

2.     Use tools that support TLS_FALLBACK_SCSV, a mechanism that prevents attackers from forcing web browsers to use SSL 3.0.

3.     Disable SSL 3.0 completely, or disable the SSL 3.0 CBC-mode ciphers.

4.     A cloud-based Web Application Firewall can help protect against vulnerabilities of this kind. For details, visit our website.

5.     Be suspicious of any spam messages sent by fraudsters attempting to profit from uncertainty or a lack of technical knowledge.

My colleague Christoffer Olausson offers some tips on how to fix this on Apache:

> SSLProtocol All -SSLv2 -SSLv3                   <- removes SSLv2 and SSLv3

> apachectl configtest                                   <- tests your configuration

> sudo service apache restart                      <- restarts the server
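The Apache directive above works because mod_ssl evaluates SSLProtocol as a small expression: a bare name or "+name" enables a protocol, "-name" disables one, and "all" is a group that still includes SSLv3, which is why the explicit "-SSLv3" matters. As an added example (not from Symantec or from Christoffer Olausson), the Python below applies those semantics to a directive and audits a constructed ssl.conf fragment for lines that leave SSLv3 enabled. The expansion of "all" to SSLv3/TLSv1/TLSv1.1/TLSv1.2 assumes mod_ssl built against OpenSSL 1.0.1 or later; the sample configuration is constructed for this example.

```python
from typing import List, Set, Tuple

# What "all" expands to for mod_ssl on OpenSSL 1.0.1+ (assumption for this
# example). SSLv2 has long been excluded from "all", but SSLv3 is still in it.
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
KNOWN_PROTOCOLS = ALL_PROTOCOLS | {"SSLv2"}


def canonical(name: str) -> str:
    """Map a case-insensitive protocol name onto its canonical spelling."""
    for known in KNOWN_PROTOCOLS:
        if known.lower() == name.lower():
            return known
    raise ValueError("unknown protocol name: %r" % name)


def effective_protocols(directive: str) -> Set[str]:
    """Evaluate an SSLProtocol directive left to right the way mod_ssl does:
    "+name" and a bare name enable, "-name" disables, "all" is a group."""
    tokens = directive.split()
    if not tokens or tokens[0].lower() != "sslprotocol":
        raise ValueError("not an SSLProtocol directive: %r" % directive)
    enabled: Set[str] = set()
    for tok in tokens[1:]:
        op, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        group = ALL_PROTOCOLS if name.lower() == "all" else {canonical(name)}
        enabled = enabled - group if op == "-" else enabled | group
    return enabled


def poodle_exposed(directive: str) -> bool:
    """True when the directive still leaves SSLv3 negotiable."""
    return "SSLv3" in effective_protocols(directive)


def audit_config(text: str) -> List[Tuple[int, str]]:
    """Return (line number, directive) for every SSLProtocol line in an
    httpd.conf / ssl.conf fragment that still enables SSLv3."""
    exposed = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if line.lower().startswith("sslprotocol") and poodle_exposed(line):
            exposed.append((lineno, line))
    return exposed


# Constructed ssl.conf fragment: one weak vhost and one using the post's fix.
SAMPLE_CONFIG = """\
# constructed ssl.conf fragment for this example
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all                    # weak: "all" still includes SSLv3
</VirtualHost>
<VirtualHost *:8443>
    SSLEngine on
    SSLProtocol All -SSLv2 -SSLv3     # corrected form from the post
</VirtualHost>
"""

if __name__ == "__main__":
    for lineno, line in audit_config(SAMPLE_CONFIG):
        print("line %d still allows SSLv3: %s" % (lineno, line))
```

A static audit like this only tells you what the configuration asks for; after the restart, confirm the listener's actual behaviour with the SSL Toolbox mentioned above, since an SSLProtocol line in a vhost that is never loaded changes nothing.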

Google adds that it will remove support for SSL 3.0 from all of its products in the coming months. Mozilla has also said it will disable SSL 3.0 in Firefox 34 (due to be released at the end of November).

Actions for users

Symantec recommends the following to users visiting websites:

1.     Check whether SSL 3.0 is disabled in your browser (for example, in Internet Explorer this setting is under "Advanced" in "Internet Options").

2.     Make sure that the website you are visiting shows "HTTPS" throughout, to avoid MITM attacks.

3.     Watch for any notices from vendors recommending software or password updates.

4.     Avoid potential phishing emails in which attackers ask you to update your password, avoid fake websites, and always go to the official website domain.

More information

Symantec has published knowledge base articles on this topic for your reference. Details below:

Symantec Managed PKI for SSL users

https://knowledge.verisign.com/support/mpki-for-ssl-support/index?page=content&id=AR2182

Symantec Trust Center / Trust Center Enterprise users

https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR2183

Stay up to date

Keep up with the latest news about this and other vulnerabilities. Follow us on Twitter and Facebook, or visit our technical forum for questions about managing SSL and code signing certificates.

Enhancing Tomcat Logging For Improved Forensics


Like its big brother Apache, default Tomcat logging leaves a little something to be desired, especially in regard to forensics. And you know what they say: When Tomcat forensic logging is away, the hackers will play! Well fine, maybe nobody ever said that, but you get the point. In any case, let's play cat and mouse with those wily hackers and bolster default Tomcat logging! For this blog post we'll be working with Tomcat 7.0.56 running on Debian Linux:

root@debian $ /usr/share/tomcat7/bin/version.sh | grep "Server version"
Server version: Apache Tomcat/7.0.56 (Debian)

Tomcat offers rich logging functionality. For example, Tomcat web applications can utilize the system logging API java.util.logging, the servlet logging method javax.servlet.ServletContext.log(), or a custom logging solution. In addition, Tomcat writes console messages to the /var/log/tomcat7/catalina.out file. However, what we are interested in are the Tomcat access logs. The access logfile format is defined by a Valve element that uses the org.apache.catalina.valves.AccessLogValve class, within the /etc/tomcat7/server.xml configuration file:

<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
 prefix="localhost_access_log." suffix=".txt"
 pattern="%h %l %u %t &quot;%r&quot; %s %b" />

Tomcat access logs are stored within the /var/log/tomcat7 directory and are named "localhost_access_log.YYYY-MM-DD.txt", where "YYYY-MM-DD" is the logfile date. For example, the Halloween access log would be named "localhost_access_log.2014-10-31.txt". Logfile entries are stored in the Common Log Format as specified by the pattern attribute of the Valve component. Consequently, Tomcat log entries will look like this little guy:

10.1.1.1 - - [31/Oct/2014:09:02:00 -0500] "GET /example.html?foo=bar HTTP/1.1" 200 999

That looks like a whole lot of crazy talk, so let's break down the Common Log Format piece by piece:

  • The %h pattern code logs the remote hostname. In the example log entry this value is "10.1.1.1".

  • The %l pattern code logs the remote username from the rarely deployed identd daemon. In the example log entry this value is "-", meaning that the identd daemon was not deployed.

  • The %u pattern code logs the remote username if the request was authenticated with HTTP Basic or Digest authentication. In the example log entry this value is "-", meaning that the request was not authenticated with HTTP Basic or Digest authentication.

  • The %t pattern code logs the date and time that the request was received in Common Log Format. In the example log entry this value is "[31/Oct/2014:09:02:00 -0500]".

  • The %r pattern code logs the first line of the request. In the example log entry this value is "GET /example.html?foo=bar HTTP/1.1".

  • The %s pattern code logs the status code of the request. In the example log entry this value is "200".

  • The %b pattern code logs the number of bytes sent to the client, excluding HTTP headers. In the example log entry this value is "999".

The default Common Log Format clearly provides some useful information, but surely we can flex our forensic muscle and let Tomcat logging out of the bag! Let's implement the enhanced log format by modifying the pattern attribute of the Valve component accordingly:

<Valve className="org.apache.catalina.valves.AccessLogValve"
 directory="logs" prefix="localhost_access_log." suffix=".txt"
 pattern="%{E M/d/y @ h:mm:ss.S a z}t %a (%{X-Forwarded-For}i) > %A:%p
 &quot;%r&quot; %{requestBodyLength}r %D %s %B %I &quot;%{Referer}i&quot;
 &quot;%{User-Agent}i&quot; %u %{username}s %{sessionTracker}s"/>

Consequently, Tomcat enhanced log entries will now look like this bad boy:

Fri 10/31/2014 @ 9:02:00.666 PM CDT 10.1.1.1 (-) > 192.168.1.1:443 "GET /example.html?foo=bar HTTP/1.1" - 2 200 999 http-bio-443-exec-1 "https://192.168.1.1/previous.html" "Mozilla/5.0 (X11; Linux x86_64; rv:33.0) Gecko/20100101 Firefox/33.0" - billy 0bcdd30af79b6aca8c8f7808c02ab530ac4c4a75

Holy guacamole! That's even more crazy talk than the Common Log Format, so let's break down the enhanced log format piece by piece:

  • The "%{E M/d/y @ h:mm:ss.S a z}t" pattern code logs the time in a more intuitive format by utilizing a custom SimpleDateFormat specification. The day of the week is now included, the time is now specified in 12-hour format with millisecond precision, and the time zone is now specified by abbreviation. Note that all production servers should be synchronized with a Network Time Protocol (NTP) server in order to ensure consistent time settings across the enterprise. In the example log entry this value is "Fri 10/31/2014 @ 9:02:00.666 PM CDT".

  • The "%a (%{X-Forwarded-For}i) > %A:%p" pattern logs the source and destination of the request. The %a pattern code logs the IP address of the client. In the example log entry this value is "10.1.1.1". The "%{X-Forwarded-For}i" pattern code logs the underlying client IP address for requests from proxy servers. Note that the value of the "X-Forwarded-For" header could be spoofed by the client. In the example log entry this value is "-", meaning that the request was either not received from a proxy server or the proxy server did not include the "X-Forwarded-For" header. The %A pattern code logs the IP address of the server, and the %p pattern code logs the server port. The server port is useful to determine whether requests were transmitted over cleartext HTTP or encrypted SSL network connections. In the example log entry these values are "192.168.1.1" and "443", respectively.

  • The "&quot;%r&quot; %{requestBodyLength}r %D %s %B %I" pattern logs details about the request and response. The %r pattern code matches the first line of the request, namely the request method, URL path, query string, and protocol ("&quot;" simply specifies a literal double quote). Suspicious anomalies within the first line of the request could indicate automated scanning tools or targeted attacks:

    • Suspicious methods such as "PUT"

    • Suspicious URL paths such as "/admin.html"

    • Suspicious query strings such as "' or 1=1--"

    • Suspicious protocols such as "HTTP/1.0"

    The query string is of particular interest, as it could contain a wealth of useful forensic information. Common attacks such as SQL injection (SQLi) and cross-site scripting (XSS) could be identified by telltale attack signatures within the query string such as "' or 1=1--" or "<script>", respectively. In the example log entry this value is "GET /example.html?foo=bar HTTP/1.1". The "%{ }r" pattern code can be utilized to log arbitrary ServletRequest attributes from the incoming request. The %{requestBodyLength}r pattern code logs the ServletRequest attribute named requestBodyLength. The application would explicitly set this attribute to contain the length of the request body for POST requests. For example, the application would include the following code within each doPost() method:

    request.setAttribute("requestBodyLength", request.getContentLength());

    This code would not be required within each doGet() method as GET requests do not contain a request body. An unusually large request body could indicate certain types of attacks such as buffer overflows. In the example log entry this value is "-", meaning that the client sent a GET request. The %D pattern code logs the number of milliseconds taken to serve the request. Unusually long times could indicate certain types of attacks such as time-based SQL injection. In the example log entry this value is "2". The %s pattern code logs the status code of the response. Uncommon status codes such as "405" (Method Not Allowed) could indicate automated scanning tools or targeted attacks. In the example log entry this value is "200". The %B pattern code logs the total number of bytes sent to the client, excluding headers. An unusually high number of bytes could indicate certain types of attacks such as SQL injection. In the example log entry this value is "999". Finally, the %I pattern code logs the Tomcat thread that processed the request. The thread name can be utilized to correlate the request with subsequent Tomcat stacktraces. In the example log entry this value is "http-bio-443-exec-1".

  • The "&quot;%{Referer}i&quot;" pattern logs the "Referer" header sent by the client. Note that the value of the "Referer" header could be spoofed by the client. In addition, note that the name of the "Referer" header is deliberately misspelled due to a mistake within RFC 1945. In the example log entry this value is "https://192.168.1.1/previous.html".

  • The "&quot;%{User-Agent}i&quot;" pattern logs the "User-Agent" header sent by the client. Note that the value of the "User-Agent" header could be spoofed by the client. In the example log entry this value is "Mozilla/5.0 (X11; Linux x86_64; rv:33.0) Gecko/20100101 Firefox/33.0".

  • The "%u %{username}s %{sessionTracker}s" pattern logs details regarding the application user. The %u pattern code logs the username if the request was authenticated with HTTP Basic or Digest authentication. The identity of the authenticated user can be extremely useful during forensic investigations. In the example log entry this value is "-", meaning that the user was not authenticated with HTTP Basic or Digest authentication. The "%{username}s" pattern code logs the "username" attribute of the associated HttpSession. The application would set the "username" attribute of the associated HttpSession to the name of the user upon successful form-based authentication. For example, the application would implement the following code upon successful form-based authentication:

    session.setAttribute("username", authenticatedUsername);

    This code assumes that the authenticatedUsername variable contains the name of the authenticated user. Note that because the "username" attribute is only stored on the server it cannot be spoofed by attackers. As previously mentioned, the identity of the authenticated user can be extremely useful during forensic investigations. In the example log entry this value is "billy". The "%{sessionTracker}s" pattern code logs the "sessionTracker" attribute of the associated HttpSession. The application would set the "sessionTracker" attribute of the associated HttpSession to a unique identifier in order to track requests throughout the duration of a session. For example, the application would implement the following code upon session initialization:

    session.setAttribute("sessionTracker", DigestUtils.sha1Hex(session.getId()));

    This code utilizes the Apache Commons Codec, specifically the sha1Hex() method of the org.apache.commons.codec.digest.DigestUtils class, in order to generate the SHA-1 hash of the "JSESSIONID" session identifier. Consequently, the commons-codec-1.9.jar file must be included within the Java classpath during compilation and copied to the "WEB-INF/lib" directory of the web application. A SHA-1 hash cannot be reversed. In addition, the odds of two session identifiers generating the same SHA-1 hash are statistically insignificant. It is important to note that because the "sessionTracker" is not the actual session identifier it cannot be utilized to resume a session. The actual session identifier could be tracked with the %S pattern code, but then attackers could leverage a compromised logfile in order to hijack authenticated sessions. Therefore, session identifiers and other sensitive security tokens should never be logged. In addition, because the "sessionTracker" attribute is only stored on the server it cannot be spoofed by attackers. Tracking requests throughout the duration of a session can be extremely useful during forensic investigations. In the example log entry this value is "0bcdd30af79b6aca8c8f7808c02ab530ac4c4a75".
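An enhanced log format is only as useful as the tooling that reads it, so here is an added example (my own illustration, not code from the post or from the Tomcat project) that parses entries in the enhanced format above and applies the forensic indicators the breakdown describes: suspicious methods, "/admin" paths, SQLi/XSS signatures in the (URL-decoded) query string, HTTP/1.0, uncommon status codes, slow requests and oversized bodies or responses. It also shows the Python equivalent of the DigestUtils.sha1Hex() call used for the sessionTracker attribute. The first sample line is the post's own example entry; the second is constructed to trip several indicators at once, and the indicator lists and thresholds are assumptions picked for this example (the post itself names only "PUT", "/admin.html", "' or 1=1--", "<script>", "HTTP/1.0" and "405").

```python
import hashlib
import re
from typing import List, Optional
from urllib.parse import unquote

# Matches the enhanced AccessLogValve pattern from the post:
#   %{E M/d/y @ h:mm:ss.S a z}t %a (%{X-Forwarded-For}i) > %A:%p "%r"
#   %{requestBodyLength}r %D %s %B %I "%{Referer}i" "%{User-Agent}i"
#   %u %{username}s %{sessionTracker}s
ENHANCED_RE = re.compile(
    r'^(?P<time>\w{3} \d{1,2}/\d{1,2}/\d{4} @ \d{1,2}:\d{2}:\d{2}\.\d+ [AP]M \S+) '
    r'(?P<client>\S+) \((?P<xff>[^)]*)\) > (?P<server>\S+):(?P<port>\d+) '
    r'"(?P<request>[^"]*)" (?P<body_len>\S+) (?P<millis>\d+) (?P<status>\d{3}) '
    r'(?P<bytes>\d+|-) (?P<thread>\S+) "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)" '
    r'(?P<basic_user>\S+) (?P<session_user>\S+) (?P<tracker>\S+)$'
)

# Indicator lists and thresholds are assumptions for this example.
SUSPICIOUS_METHODS = {"PUT", "DELETE", "TRACE", "CONNECT"}
SUSPICIOUS_PATH_PREFIXES = ("/admin",)
ATTACK_SIGNATURES = ("' or 1=1", "<script")
UNCOMMON_STATUSES = {405}
SLOW_REQUEST_MS = 5000
LARGE_BODY_BYTES = 1_000_000
LARGE_RESPONSE_BYTES = 1_000_000


def parse_enhanced_line(line: str) -> Optional[dict]:
    """Parse one enhanced-format entry into a dict, or None if it does not match."""
    m = ENHANCED_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    # "%r" is "<method> <target> <protocol>"; a raw (non-URL-encoded) query
    # string may contain spaces, so peel the method and protocol off the ends.
    parts = e["request"].split(" ")
    e["method"] = parts[0]
    e["protocol"] = parts[-1] if len(parts) >= 3 else ""
    target = " ".join(parts[1:-1]) if len(parts) >= 3 else ""
    e["path"], _, e["query"] = target.partition("?")
    e["body_len"] = None if e["body_len"] == "-" else int(e["body_len"])
    e["bytes"] = 0 if e["bytes"] == "-" else int(e["bytes"])
    for key in ("port", "millis", "status"):
        e[key] = int(e[key])
    return e


def flag_anomalies(e: dict) -> List[str]:
    """Return the indicators from the post that this entry trips (empty if none)."""
    flags = []
    if e["method"] in SUSPICIOUS_METHODS:
        flags.append("method:" + e["method"])
    if e["path"].startswith(SUSPICIOUS_PATH_PREFIXES):
        flags.append("path:" + e["path"])
    decoded = unquote(e["query"]).lower()  # decode %27, %20 ... before matching
    flags += ["signature:" + s for s in ATTACK_SIGNATURES if s in decoded]
    if e["protocol"] == "HTTP/1.0":
        flags.append("protocol:HTTP/1.0")
    if e["status"] in UNCOMMON_STATUSES or e["status"] >= 500:
        flags.append("status:%d" % e["status"])
    if e["millis"] >= SLOW_REQUEST_MS:
        flags.append("slow:%dms" % e["millis"])
    if e["body_len"] is not None and e["body_len"] >= LARGE_BODY_BYTES:
        flags.append("large-body:%d" % e["body_len"])
    if e["bytes"] >= LARGE_RESPONSE_BYTES:
        flags.append("large-response:%d" % e["bytes"])
    return flags


def session_tracker(session_id: str) -> str:
    """Python equivalent of the post's DigestUtils.sha1Hex(session.getId())."""
    return hashlib.sha1(session_id.encode("ascii")).hexdigest()


# First entry is the post's own example; the second is constructed here.
SAMPLE_LINES = [
    'Fri 10/31/2014 @ 9:02:00.666 PM CDT 10.1.1.1 (-) > 192.168.1.1:443 '
    '"GET /example.html?foo=bar HTTP/1.1" - 2 200 999 http-bio-443-exec-1 '
    '"https://192.168.1.1/previous.html" "Mozilla/5.0 (X11; Linux x86_64; rv:33.0) '
    'Gecko/20100101 Firefox/33.0" - billy 0bcdd30af79b6aca8c8f7808c02ab530ac4c4a75',
    'Fri 10/31/2014 @ 9:05:12.001 PM CDT 203.0.113.7 (-) > 192.168.1.1:443 '
    '"PUT /admin.html?id=%27%20or%201%3D1-- HTTP/1.0" - 7000 405 512 http-bio-443-exec-2 '
    '"-" "constructed-scanner/1.0" - - -',
]


def analyze(lines: List[str]) -> List[tuple]:
    """Map each parseable line to (client IP, session username, flags)."""
    results = []
    for line in lines:
        e = parse_enhanced_line(line)
        if e is not None:
            results.append((e["client"], e["session_user"], flag_anomalies(e)))
    return results


if __name__ == "__main__":
    for client, user, flags in analyze(SAMPLE_LINES):
        print(client, user, flags or "clean")
```

Because the query string is URL-decoded before the signature match, an encoded "%27%20or%201%3D1" is caught the same as a raw "' or 1=1"; the sessionTracker value lets you group all of a flagged client's requests across a session without the log ever containing the JSESSIONID itself.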

In addition to the pattern codes included within our enhanced log format, Tomcat provides several others that can be utilized to capture other pieces of relevant information:

  • The "%{ }t" pattern code can be utilized to log the date and time according to a custom SimpleDateFormat specification. For example, we utilized "%{E M/d/y @ h:mm:ss.S a z}t" in order to log the date and time in a more intuitive format.

  • The "%{ }i" pattern code can be utilized to log arbitrary request headers. For example, we utilized "%{X-Forwarded-For}i" in order to log the "X-Forwarded-For" header.

  • The "%{ }r" pattern code can be utilized to log arbitrary ServletRequest attributes. For example, we utilized the "%{requestBodyLength}r" pattern code in order to log the "requestBodyLength" ServletRequest attribute.

  • The "%{ }s" pattern code can be utilized to log arbitrary HttpSession attributes. For example, we utilized the "%{username}s" pattern code in order to log the "username" HttpSession attribute.

  • The "%{ }c" pattern code can be utilized to log arbitrary HTTP cookies. For example, we could utilize "%{JSESSIONID}c" in order to log the "JSESSIONID" HTTP cookie.
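The "%{ }r" and "%{ }s" pattern codes only log what the application has actually stored on the request or session. The servlet filter below is an added example, not the original post's code, showing one way to populate the "requestBodyLength" request attribute and a SHA-1 "sessionTracker" session attribute so the valve can log them. It assumes Tomcat 7's javax.servlet API, commons-codec-1.9.jar in WEB-INF/lib as described above, the package name example.forensics, and that the valve pattern references the tracker as %{sessionTracker}s (the exact pattern code used in the original configuration is not shown here).

```java
// Added example (not the original post's code): a servlet Filter that populates
// the attributes read by the enhanced AccessLogValve pattern. Assumes Tomcat 7
// (javax.servlet) and commons-codec-1.9.jar on the classpath / in WEB-INF/lib.
package example.forensics; // assumed package name

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.apache.commons.codec.digest.DigestUtils;

public class ForensicAttributesFilter implements Filter {

    /** HttpSession attribute, logged with %{sessionTracker}s (assumed pattern code). */
    static final String SESSION_TRACKER = "sessionTracker";

    /** ServletRequest attribute, logged with %{requestBodyLength}r. */
    static final String REQUEST_BODY_LENGTH = "requestBodyLength";

    @Override
    public void init(FilterConfig config) throws ServletException {
        // Nothing to configure.
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        // Content-Length as declared by the client; -1 when the header is absent,
        // so the log can distinguish "no body" from "empty body".
        request.setAttribute(REQUEST_BODY_LENGTH,
                             Integer.valueOf(request.getContentLength()));
        try {
            chain.doFilter(request, response);
        } finally {
            // Tag after the chain has run: a session created during this request
            // (for example by a login) is then already tagged when the valve,
            // which writes its entry once the request completes, reads it.
            tagSession(request);
        }
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }

    private static void tagSession(ServletRequest request) {
        if (!(request instanceof HttpServletRequest)) {
            return;
        }
        // getSession(false): never create a session merely in order to log it.
        HttpSession session = ((HttpServletRequest) request).getSession(false);
        if (session != null && session.getAttribute(SESSION_TRACKER) == null) {
            session.setAttribute(SESSION_TRACKER, trackerFor(session.getId()));
        }
    }

    /**
     * One-way SHA-1 of the session identifier. The digest lets an investigator
     * correlate every request of one session while the log never holds a value
     * that could be used to resume that session.
     */
    static String trackerFor(String sessionId) {
        return DigestUtils.sha1Hex(sessionId);
    }
}
```

Map the filter to every request in web.xml (a filter element naming this class and a filter-mapping with the url-pattern /*), and it runs inside the AccessLogValve, which logs only after the filter chain has returned. The tracker is computed once per session, so the same 40-character hex value appears on every entry of that session; because only the digest is stored and logged, a copied logfile yields nothing that resumes the session, which is the property the bullet above relies on.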

If you would like to log additional pieces of relevant information, you can refer to the complete list of supported AccessLogValve pattern codes. If you would like to modify the date and time format, you can refer to the complete list of supported SimpleDateFormat pattern codes. All that's left now is to restart the Tomcat daemon in order to load the configuration changes:

root@debian $ service tomcat7 restart

Tomcat will now begin logging each request in the enhanced log format, providing a wealth of additional information that will be extremely useful during forensic investigations. Look out unsuspecting hackers, your nine lives are now in danger! The claws are out and Tomcat forensic logging is on the prowl!

Security Advisory Impacting Symantec Endpoint Protection Manager

Stay Protected By Updating to SEPM 12.1.5

Today, Symantec released a new security advisory impacting older versions of the Symantec Endpoint Protection Manager (SEPM). Product engineering teams have worked closely with SEC Consult Vulnerability Lab and @virtualminds_es to verify the vulnerabilities. The latest release, SEPM 12.1.5, is available on FileConnect and contains updates that prevent the issues and should be installed to prevent infection.

The issues include XML External Entity (XXE) injection, reflected cross-site scripting, and the potential for arbitrary file write/overwrite. The vulnerabilities are considered medium to high severity. With a normal SEPM installation, the affected port(s) should not be accessible without first gaining access to the network. Successful exploitation of these vulnerabilities could result in unauthorized user-level access to the SEPM, elevated or application-level access on a server, or network/system access.

If you’re unable to update to 12.1.5 (RU5) immediately, a SEP administrator has two options:

To date, Symantec is not aware of exploitation of or adverse customer impact from these issues. Further details regarding the vulnerabilities should be reviewed in the advisory.

New SORT Release


On November 4, 2014, Symantec completed another release of SORT.
SORT Landing page at https://sort.symantec.com/

With this release we added the following features and enhancements:

General:
• Product and Platform Lookup can be accessed directly from the menu under Documentation and is the main entrance to the product matrix (https://sort.symantec.com/platformlookup)
• Improved search performance

Storage Foundation and Availability Solutions:
• Feature Support History (https://sort.symantec.com/product_features/history) lets you find the product versions that support a given feature
• The Product features page (https://sort.symantec.com/product_features) extends the product list to Storage Foundation HA, Storage Foundation HA/DR, Storage Foundation Cluster File System HA, Storage Foundation Cluster File System HA/DR, Storage Foundation for Windows, etc.
• Symantec Management Packs (MP) for Microsoft System Center Operations Manager (SCOM) can be downloaded directly from the SCOM Packs page (https://sort.symantec.com/scom)
• EOSL information is available in Product and Platform Lookup (https://sort.symantec.com/platformlookup)
• Quick access to the OS native commands to use for filling in details on the SPVU Calculator page (https://sort.symantec.com/spvu_calc)
• AIX LPAR and DLPAR environment support in UNIX Data Collector increases the accuracy in SPVU reporting within the licensing deployment reports

The highlights of SORT Data Collectors (https://sort.symantec.com/data_collectors):
• Vxexplorer collects the vxvm disk information in the evidence log for troubleshooting
• Added more Risk Assessment checks for the vxreplay feature in the UNIX data collector to identify the risks based on the evidence logs
• Bridged the gap between traditional Windows Vxexplorer functionalities and Log Collection functionalities in SORT Windows Data Collector
• Added the feature in Windows Data Collector CLI to redirect the generated Windows Vxexplorer log files to a separate path/location

NetBackup Solutions:
• Enhancements to the NBDB space check to accommodate non-default configurations and all major, minor and release update upgrades of NetBackup
• Addition of NetBackup specific resources to the Product and Platform Lookup results
• Displayed which type of NetBackup host (master, media and/or client) requires the OS patch (only applicable to 7.6.1 reports)
• Enhanced the disk space system requirement for Windows platforms, detailing where the space is required for the NetBackup product
• See separate NetBackup SORT news announcement for additional details

OSX.Wirelurker: Avoid pirated Mac OS X applications, untrusted Apple computers

Wirelurker can be used to steal information from compromised iOS devices.


Symantec Security Response is currently investigating OSX.Wirelurker, a threat that targets Apple computers running Mac OS X and Apple devices running iOS. Wirelurker can be used to steal information from compromised iOS devices.

Figure. Maiyadi App Store

Wirelurker has been discovered on the Maiyadi App Store, a third-party App store in China. The threat is trojanized into pirated Mac OS X applications. Once a pirated application has been downloaded onto a computer running OS X, Wirelurker will spread to any iOS device connected to that computer with a USB cable. Wirelurker can then install malicious applications, even if the iOS device is not jailbroken.

Symantec protection

Symantec detects Wirelurker as:

Here are some steps Mac users can take to avoid malware like OSX.Wirelurker:

  • Do not download pirated Mac OS X applications from third-party app stores
  • Avoid connecting iOS devices to unknown or untrusted computers
  • Install security software on Mac OS X computers


OSX.Wirelurker: Stay away from pirated Mac OS X applications and untrusted Apple computers

Wirelurker can be used to steal information from compromised iOS devices.


Symantec Security Response is currently investigating OSX.Wirelurker, a threat whose main targets are Apple computers running Mac OS X and Apple devices running iOS. Wirelurker can be used to steal information from compromised iOS devices.

Figure: Maiyadi App Store

Wirelurker has been discovered on the Maiyadi App Store, a third-party app store in China. The threat is trojanized into pirated Mac OS X applications. Once a pirated application has been downloaded onto a computer running OS X, Wirelurker spreads to any iOS device connected to that computer with a USB cable. Wirelurker can then install malicious applications, and even iOS devices that are not jailbroken do not escape infection.

Symantec protection

Symantec detects Wirelurker as:

Mac users can take the following steps to avoid malware like OSX.Wirelurker:

  • Never download pirated Mac OS X applications from third-party app stores
  • Avoid connecting iOS devices to unknown or untrusted computers
  • Install security software on Mac OS X computers

OSX.Wirelurker: Reject pirated Mac OS X applications and untrusted Apple computers

Wirelurker can be used to steal information from compromised iOS devices.


Symantec Security Response is investigating an emerging threat, OSX.Wirelurker, which targets Apple computers running Mac OS X and Apple devices running iOS. Wirelurker can be used to steal information from compromised iOS devices.

Figure: Maiyadi App Store

Wirelurker was discovered on the Maiyadi App Store, a third-party app store in China. The threat plants a Trojan in pirated Mac OS X applications. After a pirated application is downloaded onto a computer running OS X, Wirelurker spreads to every iOS device connected to that computer with a USB cable. Wirelurker then installs malicious applications on the device (even if the iOS device has not been jailbroken).

Symantec protection

Symantec has detected Wirelurker and named it:

To avoid malware such as OSX.Wirelurker, Mac users can take the following measures:

  • Do not download pirated Mac OS X applications from third-party app stores
  • Avoid connecting iOS devices to unknown or untrusted computers
  • Install security software on Mac OS X computers

OSX.Wirelurker: Beware of pirated Mac OS X applications and untrusted Apple computers

WireLurker may steal information from the iOS devices it infiltrates.


Symantec Security Response is currently investigating OSX.Wirelurker. WireLurker is a threat that targets computers running Mac OS X and iOS devices, and it may steal information from the iOS devices it infiltrates.

Figure. Maiyadi App Store

WireLurker was discovered on the Maiyadi App Store, a third-party app store in China. The threat is planted in pirated Mac OS X applications; when such a pirated application is downloaded onto a computer running OS X, WireLurker spreads to every iOS device connected by USB cable. Malicious applications are then installed even if the iOS device has not been jailbroken.

Symantec protection

Symantec products detect WireLurker with the following detection definitions:

Mac users can protect themselves from malware such as OSX.Wirelurker in the following ways:

  • Do not download pirated Mac OS X applications from third-party app stores.
  • Do not connect iOS devices to unfamiliar or untrusted computers.
  • Install security software on Mac OS X computers.

* To subscribe to the RSS feed of the Japanese-language Security Response blog, visit http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja.

Vision Symposium London

Vision 2014 – EMEA Roadshows

Following the flagship Vision conference in Las Vegas in May this year, Symantec hosted a series of one- and two-day events in Dubai, Munich, Paris and London. Attendees had the opportunity to experience Symantec products, learn about the latest product roadmaps, hear customer testimonials and network with Symantec executives and key partners.

Please check out the dedicated site on Symantec Connect to access presentation materials and visit Symantec on YouTube to watch keynote sessions and other videos from the events:

London 2014 Vision Symposium Session Directory

Keynote sessions:

Opening Keynote - Vision Symposium London

Darren Thompson - Vision Symposium London

Panel Discussion - Vision Symposium London

Closing Keynote - Vision Symposium London


When tech support scams meet Ransomlock

A technical-support phone scam uses Trojan.Ransomlock.AM to lock the user’s computer and trick them into calling a technical help phone number to resolve the issue.


What’s true for businesses is also true for scams and malware: to remain successful, they must evolve and adapt. Sometimes ideas or methods are borrowed from one business model and used in another to create an amalgamation. After all, some of the best creations have come about this way; out of ice-cream and yogurt was born delicious frogurt, and any reputable hunter of the undead will tell you the endless benefits of owning a sledge saw. Cybercriminals responsible for malware and various scams also want their “businesses” to remain successful, and every now and again they too borrow ideas from each other. We recently came across an example of this when we discovered a technical-support phone scam that uses a new ransomware variant (Trojan.Ransomlock.AM) that locks the user’s computer and tricks them into calling a phone number to get technical help to resolve the issue.

A game of two halves:

Ransomware

Ransomware can be divided into two main categories: Ransomware that simply locks the compromised computer’s screen (Trojan.Ransomlock), and ransomware that encrypts files found on the compromised computer (Trojan.Ransomcrypt, Trojan.Cryptowall, Trojan.Cryptolocker etc.).

This year we’ve observed a major role reversal in the ransomware landscape, with the cryptomalware variants overtaking the ransomlock variants in prevalence. Ransomlock variants may have lost the lead to cryptomalware variants, but they are by no means out of the game, and from time to time we do observe newcomers that add a fresh twist to the screen-locking business model.

Figure 1. Top ten ransomware detections as of 11-07-14

Technical support scams

Technical support scams are definitely not new and have been around for quite some time now. In these scams, the crooks cold call random people, often claiming to be from a well-known software company, and try to convince them that their computers are full of critical errors or malware. The end goal is to get onto the victim’s computer using a remote-access tool, both to convince the victim of the supposed problems and to entice them into buying fake repair tools to fix the non-existent problems. The Federal Trade Commission states that this type of scam is one of the fastest growing cyberscams, and several high-profile arrests have been made in recent times in a crackdown on the cybercriminals responsible. Technical support scams rely on potential victims being cold called, and this can mean a lot of work for the scammers; however, some cybercriminals have now overcome this and have figured out a way to get the victims to call them.

When scams merge

We recently came across Trojan.Ransomlock.AM that, like its predecessors, locks the compromised computer’s screen. The locked screen displays a blue screen of death (BSoD) error message, but this is no ordinary BSoD!

In this BSoD, the message claims that the computer’s health is critical and that a problem has been detected, and it asks the user to call a technical support number.

For the sake of research, we made a call to the number to see just what these crooks are up to.

Figure 2. Fake BSoD lock screen

According to the support engineer we spoke to, named “Brian,” the technical support company is called “Falcon Technical Support.” Once the number has been called, the scam follows the same modus operandi as most technical support scams; however, the most interesting thing here is the use of ransomware in order to get the user to call the scammers. Once the call has been made, the scammers have everything they need to convince the user their computer is infected with malware…because it is infected with Trojan.Ransomlock.AM.

Figure 3. The scammers get a bright idea

Trojan.Ransomlock.AM

Trojan.Ransomlock.AM has been observed being distributed and bundled with a grayware installer (detected as Downloader). This installer offers to install grayware applications such as SearchProtect and SpeedUPMyPc.

Upon execution, it installs the grayware as advertised, but it also drops another file named preconfig.exe, which is the malware installer (detected as Trojan.Dropper). This second installer adds a registry entry on the infected computer so that, when the computer restarts, it executes the final payload (diagnostics.exe), which is Trojan.Ransomlock.AM.

Trojan.Ransomlock.AM needs an internet connection to perform its dirty deeds. The malware first needs to send information from the compromised computer to the command-and-control (C&C) server, such as the hostname, IP address, screen resolution, and a random number. In exchange, the C&C server sends back the correct size image file to fit the whole screen. The information collected will also give the crooks a useful jump start when trying to convince the user their computer is in trouble, which other technical support scammers do not have. The malware, stolen information, and BSoD lock screen all help to strengthen the scammers’ social-engineering capabilities.

Fortunately, Trojan.Ransomlock.AM was first seen in September and does not have a high prevalence; however, as with any threat, this can quickly change. According to our telemetry, the threat is currently limited to the United States.

Symantec protection

Trojan.Ransomlock.AM is far from the most complex or resilient ransomware we’ve seen and is in fact very simple. The compromised computer may look locked but users can simply follow these steps to unlock the screen:

  1. Simultaneously press the Ctrl+Alt+Delete keys on the keyboard
  2. Open Task Manager
  3. Search for the malware name (it should be diagnostics.exe) and end the process
  4. When the screen is unlocked, go to the registry editor by clicking on the Start button, then Run, and typing REGEDIT
  5. Delete the registry entry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Diagnostics" = "[PATH TO MALWARE]"
  6. You should also delete the malware file's folder from the directory

Users of Symantec products can simply perform a full scan to safely remove Trojan.Ransomlock.AM.

Symantec has the following detections in place to protect against this threat:

Antivirus detections

Symantec advises users to be extra careful when calling or receiving a call from a technical call center. Users should be cautious and always check the company’s identity. If you need assistance with a computer-related issue, contact a reputable bricks-and-mortar computer repair shop or your IT support team if it’s your work computer that is affected. 

Revisiting Peru: A Look Back at the Peru Service Corps Team

By Alicia Pereira Pimentel: Social Business Strategist, Allyson Gomez: HR Project Specialist, Chris Brown: Senior Principal IT Application Specialist, Claire Dean: Senior Director of Global Segment Marketing, Craig Chan: Senior Principal Price & License Spec, Kamal LaBreche: Commercial Sales Engineer, Marq Bauman: Senior Principal IT Business Analyst, and Prakash Pereppadan Pappachan: Manager Customer Support


In February 2014, we flew from the four corners of the world and landed in Arequipa, Peru with a common goal. The ten of us were selected among 200 applicants to be part of a unique pilot program called the Symantec Service Corps (SSC), where we worked together on international pro-bono assignments. Organized into different teams based on skill-set, we advised three Peruvian NGOs – Paz Peru, Descosur, and CIED (Center of Research, Education and Development) – on their various needs, ranging from marketing to accounting and organizational structuring. Over the course of four weeks, readers followed our journey as the projects developed and as we explored Peruvian food and culture.

The video below encapsulates this journey:


The program has made an impression not only within Symantec, but also externally, as it’s positioned Symantec as a leader in pro bono volunteer initiatives and employee engagement. Some time has passed since the project closed, and we’ve each returned to our respective homes and Symantec jobs. Returning home had some challenges – heavy workloads and a few still-unsettled stomachs. However, the experience continues to live vibrantly in our minds.

We each have our individual cultural memories, but the most noteworthy was the people. Teamwork, camaraderie, and shared experiences brought us together and created a one-of-a-kind experience.

 “I fondly remember and miss the phenomenal team that I had the opportunity to work with, both from within Symantec, and also at the NGO in country (DESCO in my case). Getting to know these people was one of the highlights of my trip,” reflects Kamal LaBrèche.

Each project consisted of delivering a meaningful and valuable solution to a complex problem in a tight timeframe. We each took home valuable skills and lessons to apply to our respective roles – project management, patience and flexibility, leadership development, and teamwork. Working with a tight timeframe enabled the whole team to really work on our project planning, development and management skill set. Patience was also an important skill emphasized on the trip, as having a translator was necessary for conversations.

“I’m applying some of the leadership skills I developed in Peru, what I called ‘leading from behind.’ In my current role as strategist, I have to lead cross-functionally through influence, not directly. It was a skill I also had to learn to use in our project work,” says Claire Dean.

“Everyone understood that we had some major work challenges ahead and not a lot of time to achieve results, so we dove right in,” said Craig Chan. “I left realizing how much teams can get done when they’re motivated, aligned, and realize they have a hard deadline.”

Valuable Lessons From Each of Us:

“Make a human connection first. At Paz Perú, the CEO was an incredibly busy woman who was running 7 different businesses that all served to finance the shelter for abandoned or abused young women. No matter how busy she was, she would come to our work group and ask about our families, what food we had tried, how Ashley was doing with the early stages of her pregnancy. That human connection is a core part of Peruvian culture. I tend to be very focused on the business at hand and fall right into the work, not asking first about the human being I am working with. I’ve made a conscious effort to be sure and connect with people on a human level first, and then tackle the business at hand.” ~ Claire Dean

“Be aware of your assumptions. A lot of time we ‘think’ we know what is best but really need to check in with the client on what their goals and objectives are.  And to view the situation through their lens and current environment, not through our own personal lens or the resources we may have available back home.” ~ Craig Chan

“People are the same everywhere. We are all part of one world community and regardless of our location we are all trying to achieve the same thing: a better quality of life and happiness. Being able to serve a very marginalized group of people was highly influential on my view of the world, and really opened my eyes to the high level of skill that was available in a country working to solve some very fundamental problems.” ~ Kamal LaBrèche

“No action is too small. We were only there for a month. It seemed so little, how could WE make a difference? I realized that if you work hard at it, focus on one single goal surrounded by great minds, anything can happen. While still onsite, we saw people’s minds changing and opening to new ideas. We saw that the little advice and tweaks we made did make a huge difference. This to me was incredible!” ~ Alicia Pereira

“Talk less and listen more. Although I have practiced this in the past as a people manager, I have renewed my focus on this.” ~ Prakash Pereppadan Pappachan

“I knew the importance of meeting people, managing contacts and self-development beforehand, but the trip definitely made this very apparent. The Service Corps team was comprised of people from different branches of the company with promising careers, and we had the chance to meet with one of our executives while in Peru.” ~ Chris Brown

“The most valuable experience was consulting in a foreign country. I learned more about organizational development in Peru and working cross-culturally to implement change. Looking back, I realized that I know a lot more than I thought I knew about implementing change and change management (I still have a lot to learn). I learned to sit at the table.” ~ Allyson Gomez

“I saw the Symantec Service Corps opportunity as a way to challenge myself in a new culture and skill set. The problems we were addressing with our NGO had only a small amount of technology issues but were more related to people and process areas. This meant that I had the opportunity to stretch beyond my core comfort area.  The success of our work validated my ability to address a myriad of business challenges, not just IT issues like I do in my regular job.  Having the opportunity to use my skills in a different area reminded me that I should be confident in my skills, even when the core tasks are vastly different from my recent work tasks.” ~ Marq Bauman

At Symantec, one of the primary focuses of our corporate responsibility strategy is Our People. On the surface, the Symantec Service Corps is about approaching real challenges within communities and applying our skills to create sustainable solutions. While that alone is reason enough to continue investing in programs like this, the program’s overall impact is much greater. Pro bono volunteering also provides skills-based learning and development for our own employees. It reinforces Symantec’s commitments to employee satisfaction and talent development, and also helps to develop cultural competencies as we travel to unfamiliar locations to work with local NGOs.

“The trip reminded me how important it is to learn from other cultures and their ways of looking at the world. Our differences make us stronger together because we get a chance to learn from each other. And if you are willing to try new things, or approach problems in a different manner, you learn that there is no one path to success, but that it is always achievable,” says Marq Bauman.

Each of us is so grateful for this opportunity, on a personal level and as part of a team.


The second Symantec Service Corps will be deploying to Ankara, Turkey in February 2015! Team members will be announced the week of November 10th.
