We talk a great deal about using strong authentication to secure access for enterprise employees, but often we don’t think about how breaches to vendors could make our own enterprise vulnerable.  In some cases all an attacker needs is to steal the username and password from a vendor to begin their attack on your enterprise.  That is exactly what happened to Home Depot; and it is an excellent example of why not only you, but also your outside vendors should be using strong authentication like Symantec VIP – Home Depot hackers exposed 53 million email addresses.  This kind of breach not only damages customer trust but also Home Depot estimates that the theft would cost about $62 million.

“According to Home Depot, the attackers stole login credentials from an outside vendor and used this information to infiltrate Home Depot’s systems. They could then move from a peripheral third-party vendor system to the company’s main computer network by exploiting a Windows vulnerability. Microsoft released a patch for this bug after the breach began, but while Home Depot applied the patch when it was released, it was too late. The attackers could then move to more Home Depot computers, eventually reaching 7,500 of the company’s POS terminals at self-checkout lanes. However, the attackers may have missed 70,000 of the retailer’s standard cash registers as these terminals were only identified by numbers.

The attackers moved through Home Depot’s network during regular business hours and used malware that stole data, transmitted details to a remote location, and deleted its traces. According to the investigation, the breach could have gone unnoticed for much longer if the attackers hadn’t put some of the stolen credit card details on sale while a number of Home Depot executives were on vacation for Labor Day. “

The Symantec Internet Threat Report highlighted how attackers are using smaller businesses and the supply chain to attack larger entities - the Home Depot attack dramatically reinforces this finding.  Attackers are becoming more relentless, using multiple avenues to stage attacks.  Enterprises need to engage in a layered security approach to mitigate the risk.  A mandatory first step is ensuring that not only your enterprise but your vendors are securing access to their networks and applications.  Symantec VIP is a simple, smart, and secure way to easily add a second layer of protection to secure access.  A username and password may be compromised but a secure second factor will not.

Collecting and analyzing metrics is a key to understand a system’s runtime behaviors and thus to provide a better guideline of optimization. As the user of a metrics system, you might want to collect metric and event with simple APIs, retrieve historical metric data. and view visualized metrics statistics. This article shows an example metrics system that composes of a client, a datastore, and visualization UI. There are many available open source packages. This article shows you how to build a metric system with StatsD, influxdb, and Grafana.

The figure above shows you the data flow. User sends application metrics to StatsD. StatsD stores the metrics data in InfluxDB, a time-series database. Users can view visualized metrics from Grafana.

Let’s briefly talk about the softwares. StatsD is a daemon that collects and aggregates metrics data. Its UDP protocol is well accepted. There are clients library for almost all major programming language. StatsD can also acts as  a local aggregator. StatsD also provide a extensible backend architecture. Grafana is a metrics dashboard that provides data visualization and generates statistic graph. InfluxDB is a time-seies database. 

The rest of this article shows you how to installation and configuration steps in Ubuntu.

InfluxDB

The installation is pretty simple. Below summaries the steps from InfluxDB’s website. You can see the full instruction here.

wget http://s3.amazonaws.com/influxdb/influxdb_latest_i386.deb
sudo dpkg -i influxdb_latest_i386.deb
sudo /etc/init.d/influxdb start

You should be able to access to the web UI at port 8083(http://localhost:8083/).

Enter the username root and password root and click Connect. You’ll then see a logged in screen like this:

Create a ‘demo’ database!

StatsD

Install nodejs, npm, statsd, and InfluxDB backend.

sudo apt-get install nodejs
cd /opt
sudo git clone https://github.com/etsy/statsd.git
cd statsd
apt-get install npm
npm install statsd-influxdb-backend -d

Edit /opt/statsd/config.js to configure StatsD to send data to InfluxDB.
 

{
    influxdb: {
        host: '127.0.0.1', // InfluxDB host. (default 127.0.0.1)
        port: 8086, // InfluxDB port. (default 8086)
        database: ‘demo ',  // InfluxDB database instance. (required)
        username: 'root', // InfluxDB database username. (required)
        password: 'root', // InfluxDB database password. (required)
        flush: {
            enable: true // Enable regular flush strategy. (default true)
        },
        proxy: {
            enable: false, // Enable the proxy strategy. (default false)
            suffix: 'raw', // Metric name suffix. (default 'raw')
            flushInterval: 1000 // Flush interval for the internal buffer.
                // (default 1000)
        }
    },
    port: 8125, // StatsD port.
    backends: ['./backends/console’, 'statsd-influxdb-backend'],
    debug: true,
    legacyNamespace: false
}

Start Statsd

nodejs stats.js config.js

Grafana

Installation

apt-get install apache2
wget http://grafanarel.s3.amazonaws.com/grafana-1.5.4.tar.gz
tar xvf grafana-1.5.4.tar.gz
mv grafana-1.5.4/ /var/www/
cd /var/www/grafana-1.5.4
cp config.sample.js config.js

Configure Grafana to use InfluxDB. Edit /var/www/grafana-1.5.4/config.js

// datasources, you can add multiple
datasources: {
        influxdb: {
            type: 'influxdb',
            url: "http://<influxdb-host>:8086/db/demo",
            default: true,
            username: 'root',
            password: 'root'
        },

Access Grafana at http://<grafana-host>/grafana-1.5.4/.
Learn to use Grafana interface, visit the beginner guide.

Send some data ! 

Here is an example that uses the StatsD Python Client. This example sends random counter to StatsD.

Install  Python StatsD library. 

sudo pip install statsd

Create test.py

#!/usr/bin/python
import time
import random
import statsd
counter_name = ‘my.test.1'
wait_s = 1
while 1:
    c = statsd.StatsClient('localhost', 8125)
    random_count = random.randrange(1, 100)
    print 'Count=(%d)' % random_count
    while random_count > 0:
        c.incr(counter_name, 5)
        random_count -= 1
    time.sleep(wait_s)

Execute test.py

python test.py

You should be able to see your data from Grafana now.
 

Reference:

• http://influxdb.com/docs/v0.7/introduction/getting_started.html
• http://influxdb.com/docs/v0.7/api/query_language.html
• https://github.com/etsy/statsd/
• http://grafana.org/docs/
   

Many times when I've used Outlook I have used the follow-up flag to remind me about the item that I'm looking at.  Sometimes I use it just so that I can see it in a pile of things within my mailbox, other times I use the Outlook search folder and look at the things that I've marked for follow-up and then I process them.

But what happens when the item gets archived?

Well, the best way to consider this situation is that archiving effectively creates a freeze-frame of the item.  If the item was archived with a flag set then the archived item will always have a flag set. If the item was archived without the flag set, then yes, it can be set later, but if you restore the original item, it won't have a flag.

It's fairly logical, but it does sometimes lead to confusion when a user clears the flag on an archived item, then at some point later then double click on the archived mail to view, and they see the reminder again (even though they've cleared it)

As I said the way to remember things is that the archived item is a snapshot or freeze-frame of the item AT THAT PARTICULAR point.

If you use flags, how do you find using them when archived messages are involved? Let me know in the comments.

The recent Symantec Vision 2014 event in London – the culmination of four such global events that also took in Munich, Paris and Dubai – was packed with presentations, break-out sessions and panel debates on the key industry issues of the day. But nothing captured the minds of the delegates present more than the insights they gained into the company’s decision to divide its business into two separate trading organisations: one focused on Information Security and the other on Information Management.

The big question everyone wanted answers to was why this was happening and Simon Moor, VP of Symantec UK & Ireland, laid out the reasons in his keynote speech: “The evolution of the security and storage industries just continues to grow and accelerate. We believe it’s absolutely clear that we need distinct strategies that address both. We need focused investments for both, and go-to-market innovation to meet your needs,” he told delegates. “Separating Symantec into two companies will allow us to create and innovate businesses that can respond more quickly to your IT needs. This is about us being more agile as business units and we believe that we will do this better as separate companies.”

Symantec expects to complete the process by the end of 2015, he added. “However, in the meantime, it will be business as usual as Symantec continues to develop its products and technologies, and this will be an evolution to the company’s splitting.”

The decision to divide Symantec’s business along the lines of Information Security and Information Management comes at a time when the IT industry itself is in a dramatic state of change, illustrated by the instant on-line polling app at Vision, with Moor asking delegates to select, from a list of possible responses which was their most pressing IT challenge. Top was ‘Managing the exploding number and variety of mobile devices’.

“We’ve moved from a PC-centric environment to a device-agnostic world,” acknowledged Moor. “There will be around 26 billion connected devices by 2020, it is forecast. Symantec’s transformation as an organisation is about helping its customers to cope with all of that change; to address this highly complex digital landscape.”

This was a theme that was taken up wholeheartedly by Symantec VP of Marketing EMEA, Darren Thomson, in the next keynote address. Against the backdrop of an ever darker threat landscape, what was essential was a greater, more comprehensive and holistic approach to security management – especially the proactive management of security, he stressed.

“What if we could leverage Big Data and analytics, and help customers get ahead of the game? What if we could help you to predict the things that might happen, so that you could stand up security policy that’s appropriate to your particular risk context? What if we could by predictive about security, so that fewer threats get to us – but, when they do, we can react appropriately to mitigate that risk?” This was the vision towards which Symantec was now working.

At the same time, said Thomson, new pressures and demands meant that IT had had to evolve from a system-centric to an information-centric view of the world. “The expectation on IT, from the board’s point of view, is that it has become the information service delivery partner, allowing people to connect with information to differentiate their businesses.”

All of which, he told delegates, had fuelled Symantec’s decision to focus on two fundamentally important domains, ‘Symantec Security’ and ‘Information Management’, so that Symantec can provide both value around and risk mitigation for its customers. “Security is about empowering people in organisations to proactively use their information in a protected way. Information Management is about ensuring that information works for the business by giving visibility and access to that information in appropriate ways and, again, in context.”

The two new independent companies, Thomson pledged, would have a “maniacal focus” on those technology domains. “They are both strong businesses in their own rights. We want to alleviate and take away the pressure to constantly think of integration points between the two… We are not innovating quickly enough in either of these organisations, because we are trying to innovate between them.

“At Symantec, our belief is that we can only innovate and focus in the right way by separating the company and allowing those two companies to have that laser focus they now need.”

You can watch the keynote sessions on our Symantec YouTube channel. To access presentation materials from the Vision breakout sessions, please check out the dedicated site on Symantec Connect.

I’m extremely happy to announce that NetBackup 7.6.0.4 and NetBackup Appliances 2.6.0.4 are now Generally Available!

NetBackup 7.6.0.4 is our latest maintenance release for the NetBackup 7.6 line.  This release contains fixes to 262 issues (bringing our total to over 1100!) including resolutions for most commonly downloaded EEBs, customer escalations, and critical internally found defects. 7.6.0.4 also provides several critical security fixes and many high-demand proliferations to our customers. The significant content of this release is:

• Over 120 customer-related defect fixes, including nine 7.6.0.3 issues highlighted in the 7.6 Late Breaking News

Proliferations:

•     MSC - W2012 MSCS
•     EV 11
•     BMR AF Disk Support

Features:

•     Increasing FT Pipes for FT Media Server    
•     Java UI password encryption
•     JRE update (7u55)
•     Tomcat update (7.0.54)
•     Tomcat vCenter Plugin 6.0.41
  •     changed due to display issues in OpsCenter
  •     addresses vulnerabilities discovered  in 7.0.33
•     fileupload 1.3.1

To download 7.6.0.4, please visit the following page:

NetBackup 7.6.0.4 Download Links
 http://symantec.com/docs/TECH223695

This is a MAINTENANCE Release for NetBackup (as opposed to a Release Update) - it can be applied on top of NetBackup 7.6 GA or any 7.6.0.x.  (If you are currently running 7.0, 7.0.1, 7.1, 7.1.0.x, 7.5 OR 7.5.0.x, you will need to upgrade to 7.6 GA before you can apply 7.6.0.4.)

To check to see if your particular Etrack is resolved in NetBackup 7.6.0.4, please refer to these Release Notes and our updated EEB guide:

NetBackup 7.6.0.4 Release Notes
 http://symantec.com/docs/DOC7450

Symantec NetBackup 7.6 Emergency Engineering Binary Guide
 http://symantec.com/docs/DOC6085

The NetBackup 7.6 Late Breaking News has also been updated to reflect newly released fixes in 7.6.0.4 for some of our highest visibility issues:

NetBackup 7.6 Late Breaking News
 http://symantec.com/docs/TECH199999

Bookmark the NetBackup Product Landing Page to have these links and many more useful links handy:

 http://go.symantec.com/nb

NetBackup Appliances 2.6.0.4 is the equivalent patch release for NetBackup 52xx Appliances.  It can be applied in an upgrade to Appliances running ANY 2.5.x or 2.6.0.x version.

To download 2.6.0.4, please visit the following page:

NetBackup Appliance 2.6.0.4 Release
 http://symantec.com/docs/TECH223530

More information on 2.6.0.4 can be found at the following locations:

NetBackup Appliances 2.6.0.4 Release Notes
 http://symantec.com/docs/DOC7646
 
Complete Symantec NetBackup 52xx Appliance Documentation Set - Release 2.6.0.4
 http://symantec.com/docs/DOC7653

The NetBackup Appliances Late Breaking News can be found here:

NetBackup 5xxx appliance series Late Breaking News
  http://symantec.com/docs/TECH145136

Bookmark the NetBackup Appliances Common Topics page to have these and many more useful links handy:

 http://go.symantec.com/nba

bit.ly/76LBN | APPLBN | 75LBN

Disaster Recovery Orchestrator now supports Amazon Web Services(AWS) as a failover target. With today's new release for Disaster Recovery Orchestrator, you can choose between Microsoft Azure and AWS as your target environment for disaster recovery. We provide the same benefits and features irrespective of which cloud provider you decide to go with. Businesses can automate and manage disaster recovery of Microsoft Windows based applications residing on either physical or virtual machines to the public cloud; targeting the cloud for disaster recovery helps in significantly reduce costs while achieving stringent Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).

Resources

You can also download a free 30-day trial. For more information about the product please refer to the following links:

• Environment supportability details - Software Compatibility List (SCL)
• Data sheet and solution brief
• Product guides - Online Help or the Documentation section of Symantec Operations Readiness Tools (SORT)
• Latest updates and patches - Downloads section of SORT
• Technical assistance - Technical Support

When I talk to customers, one of their common challenges is to get custodians to acknowledge their Legal Hold notifications. This is even more important considering courts are increasingly imposing sanctions for inadequate Legal Hold notification and evidence spoliation (e.g., DuPont v. Kolon).

Why does this happen? Are custodians lazy? Do they not understand the severity of the sanctions? Are they intentionally not acknowledging so that they can delete the data? or something else...more basic.

Here are the top three reasons that custodians fail to acknowledge their Legal Hold notifications and the steps you can take to ensure that Legal Notifications are not ignored and that relevant data is preserved.

1) Custodians are confused and sometimes fearful when a notification is received: Most first time custodians don’t understand that the only reason they are receiving the hold notice is because they might have information that might be relevant to the case. They may feel that they are being directly investigated and this instills fear and action-paralysis in them. It is possible they will delay acknowledgement until they have found out more about the case from other people.

• Solution: Be extremely clear about the intent of the Legal Hold notice in the language. It will also go a long way if you sent a separate email before the actual Legal Hold notice informing them about the matter and their role in resolving the matter. Even better, personally call them on the phone, explain the notice, and answer any concerns. Most custodians will acknowledge right away after the phone call. Here is a quote from an experienced Legal Hold paralegal: “We get around 60% response rate on the first notice, 80% after 1st reminder and 100% after a phone call.”

2) Custodians don’t understand potential sanctions:  Many custodians may understand that they are not directly involved but fail to understand the sanctions that may be imposed on the corporation if they don’t comply.

• Solution: Clearly outline in the notice and during the phone conversation, the sanctions and penalties that may be imposed if they fail to acknowledge the notice and delete relevant data.

3) Custodians don’t think it is urgent: Many notices are sent with a deadline of 21-30 days to acknowledge the notice. The body of the notice is lengthy and custodians may put off the notice to read at a later time. The language of the notice contains generic words about the need to preserve. However, 30 days to respond never conveys urgency.

• Solution: Keep the notice as short as possible so custodians read it in one pass and act upon it. Shorten the response deadline to as soon as possible. Use words (e.g., urgent, must, penalty for failure to) to convey urgency. Use rich text to highlight and bold specific areas of the notice like the call to action and the deadline.

The above are simple things to do and will boost your average response rate as well as lower the average response time. Remember many custodians don’t understand the legal process and need some education to alleviate their concerns.

Today, Kim Zetter released her book, “Countdown to Zero Day”. The book recounts the story of Stuxnet’s attempt to sabotage Iran’s uranium enrichment program. The work that Eric Chien, Nicolas Falliere, and I carried out is featured in the book. During the process of writing the book, Kim interviewed us on many occasions and we were lucky enough to be able to review an advanced copy.

Figure 1. Kim Zetter’s new book, “Countdown to Zero Day”

In chapter 17 of the book, “The Mystery of the Centrifuges”, Kim talks about how Stuxnet infections began in Iran, identifying several companies where she believes the infections originated.

“To get their weapon into the plant, the attackers launched an offensive against four companies. All of the companies were involved in industrial control processing of some sort, either manufacturing products or assembling components or installing industrial control systems. They were likely chosen because they had some connection to Natanz as contractors and provided a gateway through which to pass Stuxnet to Natanz through infected employees.”

This is a different story from the one that David Sanger’s sources painted in his New York Times article and in his book “Confront and Conceal”. Sanger states:

“. . . an element of the program accidentally became public in the summer of 2010 because of a programming error that allowed [Stuxnet] to escape Iran’s Natanz plant and sent it around the world on the Internet.”

So which is right? Did Stuxnet originate outside of Natanz and spread all over the world with the hopes of eventually entering Natanz? Or did Stuxnet start inside of Natanz and accidentally escape due to a programming error?

Tracing the spread of Stuxnet
We actually covered how Stuxnet originated in a blog post in February 2011. Let’s start with whether it is possible to track Stuxnet’s origin back to specific companies in Iran.

Normally, it would not be possible to state with 100 percent accuracy where an infection started. However, in the case of Stuxnet version 1.x, the attackers left a trail behind which allows analysts to trace the specific genealogy of each sample. This is possible because every time Stuxnet executes, it records some information about the computer it is executing on and stores that within the executable file itself, creating a new unique executable in the process. As a result, every unique executable contains an embedded and ordered list showing the computers it has previously infected. As Stuxnet spreads from computer to computer, the list grows and grows. By examining this list, we can trace back from one entry to the next, extracting computer information from each entry. These are the breadcrumbs we can follow to get back to the original compromised computers.

What do the breadcrumbs look like?
Each entry in the list looks like the data shown in the following image. Although this may not make sense at first, by analyzing the code within Stuxnet, we can find out what each number represents.

Figure 2. List entry of compromised computers

Among other information, the computer name, domain name, date, and IP address are stored in each entry. We can extract information from previous data, which is shown in the following image.

Figure 3. Details stored in each entry

By looking at each entry in the list embedded in any sample, we can see how the threat moved from one computer to the next. The real computer names and domains have been anonymized.

Figure 4. List of compromised computers from one sample shows how Stuxnet spread

In the previous image, we can see Stuxnet’s path through the first six compromised computers. This information was extracted from one sample. When we look at the first six infections from a different sample, we get the following path.

Figure 5. List of compromised computers from another sample shows different movement pattern

The two samples’ first four entries are the same but after that, the samples moved in two different directions. At the fifth step, one sample compromised a computer on the WORKGROUP domain while the other sample compromised a computer on the MSHOME network.

Using this data, we graphed the spread of Stuxnet infections. See pages eight to ten of our Stuxnet whitepaper for more details.

Figure 6. Spread of Stuxnet infections

Many computers and domains used generic names that do not provide much insight into the targets. For example, WORKGROUP and MSHOME—two default workgroup names—appear very frequently in the breadcrumb logs. However, we were able to identify all of the places where Stuxnet infections originated, and they were all in Iran.

The verdict
So did Stuxnet spread into Natanz as Zetter says or escape out of Natanz as Sanger reported?

Based on the analysis of the breadcrumb log files, every Stuxnet sample we have ever seen originated outside of Natanz. In fact, as Kim Zetter states, every sample can be traced back to specific companies involved in industrial control systems-type work.

This technical proof shows that Stuxnet did not escape from Natanz to infect outside companies but instead spread into Natanz.

Unfortunately, these breadcrumbs are only available for Stuxnet version 1.x. There was at least one previous version of Stuxnet released, version 0.5 (which we analyzed in our whitepaper), for which this infection path information is not available.

While version 0.5, which did not spread as aggressively as version 1.x, could have been planted inside Natanz and then spread outwards, this version was no longer operational during the conversation timeframe (the summer of 2010) outlined in the Sanger article. As a result, it is unlikely the 0.5 version is the subject of his article.

To make up your own mind, you should read Kim Zetter’s “Countdown to Zero Day”, which is out today.

Ya esta disponible la versión 2.6.0.4 de Symantec NetBackup Appliance.

Esta versión incluye actualizaciones de seguridad del sistema, correciones de incidencias y otras nuevas funcionalidades. Tales como:

• Mejoras en las políticas de Password del sistema.
• Blindaje del sistema y auditoria.
• Corrección de vulnerabilidades.

Enlaces a los binarios y documentación:

·    Enlace al software  http://www.symantec.com/docs/TECH223530
·    Documentación versión 2.6.0.4 www.symantec.com/docs/DOC7646

Cuando se libera un nueva release, se utiliza la ultima versión de NetBackup como base del mismo. Esto nos asegura de que todas las funcionalidades y avances aplicados en NetBackup estan incluidos en el formato appliances.  En este caso NetBackup 7.6.0.4.

La información relativa a a esta versión se puede encontrar en el siguiente enlace:

http://www.symantec.com/docs/DOC7450

Nos gustaría anunciar que tanto NetBackup 7.6.0.4 como NetBackup Appliances 2.6.0.4 ya están disponibles.

NetBackup 7.6.0.4 es en este momento la maintenance release  más moderna para NetBackup 7.6.  Esta release contiene corrección de errores para 262 cuestiones/problemas (¡llevando el total hasta 1100!) incluyendo resoluciones para  los EEBs (Emergency Engineering Binaries), escalaciones de clientes y defectos criticos internos encontrados. 7.6.0.4, además, provee de muchos parches de seguridad y algunas de las proliferaciones más demandadas por nuestros clientes. Los contenidos clave de esta release (entre otros), son:

• Alrededor de 120 parches sobre plataformas cliente, incluyendo 9 problemas de 7.6.0.3 destacados en Late Breaking News de 7.6.

Proliferaciones:

• MSC - W2012 MSCS
• EV 11
• BMR AF Disk Support

Características:

• Incremento de los FT Pipes para los FT Media Server
• Cifrado de la password para Java UI
• JRE update (7u55)
• Tomcat update (7.0.54)
• Tomcat vCenter Plugin 6.0.41
  • Cambio debido a problemas de visualización en OpsCenter
  • Corregidas vulnerabilidades descubiertas en 7.0.33
• fileupload 1.3.1

Para descargar 7.6.0.4, por favor visitar el siguiente enlace:

NetBackup 7.6.0.4 Download Links
 

http://symantec.com/docs/TECH223695

Esta es una MAINTENANCE Release para NetBackup (diferente de una Release Update) - esto significa que puede ser aplicada a NetBackup 7.6 GA o cualquier 7.6.0.x.  (Si actualmente se posee 7.0, 7.0.1, 7.1, 7.1.0.x, 7.5 o 7.5.0.x, se requiere actualización a 7.6 GA antes de aplicar 7.6.0.4.)

Para mayor información acerca de la release, así como chequeo de Etracks resueltos en NetBackup 7.6.0.4, se puede descargar las Release Notes, así como nuestra guía de EEB actualizada:

NetBackup 7.6.0.4 Release Notes
 

http://symantec.com/docs/DOC7450

Symantec NetBackup 7.6 Emergency Engineering Binary Guide
 

http://symantec.com/docs/DOC6085

Las NetBackup 7.6 Late Breaking News han sido actualziadas para reflejar los parches/correciones:

NetBackup 7.6 Late Breaking News


 http://symantec.com/docs/TECH199999

NetBackup Appliances 2.6.0.4 es el equivalente a esta versión para los NetBackup 52xx Appliances.  Podeis encontrar detalles en esta otra entrada:

NetBackup Appliance 2.6.0.4 | Symantec Connect

 http://www.symantec.com/connect/blogs/nuevo-netbackup-appliance-2604

Ignacio De Pedro

In October 2014, Symantec released its FY14 Corporate Responsibility (CR) Report reflecting our deep commitment to building a diverse and inclusive workplace, reducing our environmental impact, and investing in positive social impact around the globe. Over the next month, we will share a few CR program highlights. Today we take a look at our signature program, the Symantec Cybersecurity Career Connection (SC3).

If you speak with hiring managers at many mid-to-large sized organizations, they will tell you that cybersecurity jobs are some of the most difficult positions to fill. According to a recent cybersecurity report it is estimated that in 2014 there were one million unfilled cybersecurity jobs globally. 1 And the U.S. Bureau of Labor Statistics expects the information security analyst field to grow by 37 percent by 2022, which is much faster than the average job growth rate.

In June 2014 Symantec introduced the Symantec Cybersecurity Career Connection (SC3), an innovative program designed to address this epidemic by attracting, educating, and training the next generation of cybersecurity employees.

Only 11 more weeks to go before these budding cybersecurity professionals start their internships! 

Teaming up to close the gap

Standing alongside Secretary Hillary Clinton at the 2014 Clinton Global Initiative America meeting, Symantec launched SC3 to help close the hiring gap in cybersecurity while also improving the career outlook for underserved youth (ages 18 to 29). This one-year program debuted its first round of pilots in September in New York, Baltimore, and San Francisco with just under 50 students, working with leading educational and workforce development non-profits Year Up and NPower. The students are currently engaged in a mix of classroom education and soft skills development for the first six months of the program, which will be followed by a cybersecurity internship with some of America’s leading employers including Symantec for the second six months of the program.

According to Erika Lange, Director, IT Intern Program, Symantec, “Cybersecurity is still a reasonably young profession and one in which there isn’t a structured feeder system yet. As the needs for these careers are becoming more mainstream, it’s important for security leaders to identify creative ways to recruit talent into these roles.”

In Lange’s role she is responsible for Symantec’s IT recruitment strategy, including collegiate and entry-level hires. She has committed to hiring at least two SC3 pilot participants as interns, and is excited about the potential for future SC3 graduates to have successful careers with Symantec.

“Throughout my career at Symantec, we’ve always had an unwavering commitment to corporate responsibility. While many of our programs are purely philanthropic, SC3 is a unique mix that leverages our corporate assets and expertise to provide business opportunities, while addressing social needs. I believe this program has the opportunity to make an important impact by providing value to both the individual participants and the companies they are working with,” said Lange.

Inspiring a career in cybersecurity

Today 16 percent of young adults ages 18 to 29 in the United States are unemployed, more than double the national rate, with people of color and women underrepresented in the cybersecurity profession.

While certain cybersecurity roles require specialized degrees and deep expertise, it is estimated that 60,000 open cybersecurity jobs could be filled by individuals without a college degree. These are roles that SC3 is focused on. These positions are not only abundant in today’s economy, but they are critical to protecting corporate infrastructure around the world.

Ashley, Patrick, and Nicholas are students currently enrolled in SC3’s first pilots. Each of the three individuals were working in other roles when they learned about SC3.

“I was contracted to Bank of America as a Refresh Technician. I planned to go down the networking route, and in a few years move into security. This program was the perfect opportunity for me and couldn’t have come at a better time,” said Patrick.

For Ashley, her interested in cybersecurity arose after she had an experience with identity theft. While she was fortunate to protect herself from further damage, the event piqued her interest in protection, vulnerabilities, and solutions.

“Cybersecurity is interesting because it relies on curiosity. While I thought it began with the technology, I was mistaken. Curiosity is the fuel that helps us understand where vulnerabilities are, and what solutions exist. After I graduate, I aspire to teach individuals and business owners about security awareness, and how to protect themselves from the dangers that lurk,” said Ashley.

Nicolas, one of the participants from Baltimore, believes that the hands-on experience of SC3 is what makes the program stand out.

“Before I started this program, I saw many promotions for cybersecurity education however most of it was online training, whereas I wanted a hands-on approach to learning,” said Nicolas. “There are many interesting aspects about this promising career. Much of the course content so far is about authorized users and authorized access as well as mapping networks and mitigating risk solutions—they are all fascinating concepts. I am so thankful for Symantec and YearUp for extending this unique opportunity.”

Protecting your information is a corporate responsibility

Our corporate responsibility platform is organized into three pillars: Our People, Your Information, and The World. In addition to SC3, Symantec launched the Victims of Internet Crimes Empowered (VOICE) website in April 2014 which provides cybercrime information, such as videos and guides on preventing and recovering from Internet-related crimes, and directly links victims to the Internet Crime Complaint Center (IC3) to file complaints of malicious Internet activity. Symantec also supports initiatives such as Cybercrime Prosecutor Training with UCLA and works with and trains law enforcement on how to investigate and successfully prosecute cybercrimes.

“The National Intelligence Estimate describes cyber threats as the top U.S. national security challenge. It is our hope that with SC3 and our other corporate responsibility initiatives, we are recruiting and training a base of talented professionals that will help companies around the globe tackle these threats,” said Marian Merritt, Director of Cyber Education and Online Safety Programs, Symantec. “Since launching the program, we’ve seen a great outpouring of support from other companies, as well as deep interest from student candidates. It’s been an absolute inspiration.”

For more information on SC3 visit: http://www.symantec.com/corporate_responsibility/topic.jsp?id=cyber_career_connection

Related:

Symantec Launches Cyber Career Connection (SC3) Initiative to Develop Cybersecurity Careers for Young Adults

1 Cisco Security Report

We are asking for your feedback! Take our brief survey on the content of our 2014 Corporate Responsibility Report. As a thank-you, we’re asking you to vote for an organization to receive a $50k USD grant! 

Hello, welcome to this month's blog on the Microsoft patch release. This month the vendor is releasing fourteen bulletins covering a total of 33 vulnerabilities. Fourteen of this month's issues are rated ’Critical’.

As always, customers are advised to follow these security best practices:

• Install vendor patches as soon as they are available.
• Run all software with the least privileges required while still maintaining functionality.
• Avoid handling files from unknown or questionable sources.
• Never visit sites of unknown or questionable integrity.
• Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft's summary of the November releases can be found here:
http://technet.microsoft.com/en-us/security/bulletin/ms14-nov

The following is a breakdown of the issues being addressed this month:

1. MS14-064 Vulnerabilities in Windows OLE Could Allow Remote Code Execution (3011443)

   Windows OLE Automation Array Remote Code Execution Vulnerability (CVE-2014-6332) MS Rating: Critical

   A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory.

   Windows OLE Remote Code Execution Vulnerability (CVE-2014-6352) MS Rating: Important

   A remote code execution vulnerability exists in the context of the current user that is caused when a user downloads, or receives, and then opens a specially crafted Microsoft Office file that contains OLE objects.

2. MS14-065 Cumulative Security Update for Internet Explorer (3003057)

   Internet Explorer Memory Corruption Vulnerability (CVE-2014-4143) MS Rating: Critical

   A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

   Internet Explorer Memory Corruption Vulnerability (CVE-2014-6337) MS Rating: Critical

   A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

   Internet Explorer Memory Corruption Vulnerability (CVE-2014-6341) MS Rating: Critical

   A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

   Internet Explorer Memory Corruption Vulnerability (CVE-2014-6342) MS Rating: Critical

   A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

   Internet Explorer Memory Corruption Vulnerability (CVE-2014-6343) MS Rating: Critical

   A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

   Internet Explorer Memory Corruption Vulnerability (CVE-2014-6344) MS Rating: Critical

   A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

   Internet Explorer Memory Corruption Vulnerability (CVE-2014-6347) MS Rating: Critical

   A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

   Internet Explorer Memory Corruption Vulnerability (CVE-2014-6348) MS Rating: Critical

   A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

   Internet Explorer Memory Corruption Vulnerability (CVE-2014-6351) MS Rating: Critical

   A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

   Internet Explorer Memory Corruption Vulnerability (CVE-2014-6353) MS Rating: Critical

   A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

   Internet Explorer Elevation of Privilege Vulnerability (CVE-2014-6349) MS Rating: Important

   An elevation of privilege vulnerability exists when Internet Explorer does not properly validate permissions under specific conditions. An attacker who successfully exploited this vulnerability could run scripts run with elevated privileges.

   Internet Explorer Elevation of Privilege Vulnerability (CVE-2014-6350) MS Rating: Important

   An elevation of privilege vulnerability exists when Internet Explorer does not properly validate permissions under specific conditions. An attacker who successfully exploited this vulnerability could run scripts run with elevated privileges.

   Internet Explorer Cross-domain Information Disclosure Vulnerability (CVE-2014-6340) MS Rating: Important

   An information disclosure vulnerability exists when Internet Explorer does not properly enforce cross-domain policies. An attacker could exploit this issue to gain access to information in another domain or Internet Explorer zone.

   Internet Explorer Cross-domain Information Disclosure Vulnerability (CVE-2014-6345) MS Rating: Important

   An information disclosure vulnerability exists when Internet Explorer does not properly enforce cross-domain policies. An attacker could exploit this issue to gain access to information in another domain or Internet Explorer zone.

   Internet Explorer Cross-domain Information Disclosure Vulnerability (CVE-2014-6346) MS Rating: Important

   An information disclosure vulnerability exists when Internet Explorer does not properly enforce cross-domain policies. An attacker could exploit this issue to gain access to information in another domain or Internet Explorer zone.

   Internet Explorer Clipboard Information Disclosure Vulnerability (CVE-2014-6323) MS Rating: Important

   An information disclosure vulnerability exists when Internet Explorer does not properly restrict access to the clipboard of a user who visits a website. The vulnerability could allow data stored on the Windows clipboard to be accessed by a malicious site. An attacker could collect information from the clipboard of a user if that user visits the malicious site.

   Internet Explorer ASLR Bypass Vulnerability (CVE-2014-6339) MS Rating: Important

   A security feature bypass vulnerability exists when Internet Explorer does not use the Address Space Layout Randomization (ASLR) security feature, which could allow an attacker to more reliably predict the memory offsets of specific instructions in a given call stack.

3. MS14-066 Vulnerability in Schannel Could Allow Remote Code Execution (2992611)

   Microsoft Schannel Remote Code Execution Vulnerability (CVE-2014-6321) MS Rating: Critical

   A remote code execution vulnerability exists in the Secure Channel (Schannel) security package due to the improper processing of specially crafted packets.

4. MS14-067 Vulnerability in XML Core Services Could Allow Remote Code Execution (2993958)

   MSXML Remote Code Execution Vulnerability (CVE-2014-4118) MS Rating: Critical

   A remote code execution vulnerability exists when Microsoft XML Core Services (MSXML) improperly parses XML content, which can corrupt the system state in such a way as to allow an attacker to run arbitrary code. The vulnerability could allow a remote code execution if a user opens a specially crafted file or webpage.

5. MS14-069 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3009710)

   Microsoft Office Double Delete Remote Code Execution Vulnerability (CVE-2014-6333) MS Rating: Important

   A remote code execution vulnerability exists in the context of the current user that is caused when Microsoft Word does not properly handle objects in memory while parsing specially crafted Office files.

   Microsoft Office Bad Index Remote Code Execution Vulnerability (CVE-2014-6334) MS Rating: Important

   A remote code execution vulnerability exists in the context of the current user that is caused when Microsoft Word improperly handles objects in memory while parsing specially crafted Office files. This could corrupt system memory in such a way as to allow an attacker to execute arbitrary code.

   Microsoft Office Invalid Pointer Remote Code Execution Vulnerability (CVE-2014-6335) MS Rating: Important

   A remote code execution vulnerability exists in the context of the local user that is caused when Microsoft Word improperly handles objects in memory while parsing specially crafted Office files. This could corrupt system memory in such a way as to allow an attacker to execute arbitrary code.

6. MS14-070 Vulnerability in TCP/IP Could Allow Elevation of Privilege (2989935)

   TCP/IP Elevation of Privilege Vulnerability (CVE-2014-4076) MS Rating: Important

   An elevation of privilege vulnerability exists in the Windows TCP/IP stack (tcpip.sys, tcpip6.sys) that is caused when the Windows TCP/IP stack fails to properly handle objects in memory during IOCTL processing.

7. MS14-071 Vulnerability in Windows Audio Service Could Allow Elevation of Privilege (3005607)

   Windows Audio Service Vulnerability (CVE-2014-6322) MS Rating: Important

   An elevation of privilege vulnerability exists in the Windows audio service component that could be exploited through Internet Explorer. The vulnerability is caused when Internet Explorer does not properly validate permissions under specific conditions, potentially allowing script to be run with elevated privileges.

8. MS14-072 Vulnerability in .NET Framework Could Allow Elevation of Privilege (3005210)

   TypeFilterLevel Vulnerability (CVE-2014-4149) MS Rating: Important

   An elevation of privilege vulnerability exists in the way that .NET Framework handles TypeFilterLevel checks for some malformed objects.

9. MS14-073 Vulnerability in Microsoft SharePoint Foundation Could Allow Elevation of Privilege (3000431)

   SharePoint Elevation of Privilege Vulnerability (CVE-2014-4116) MS Rating: Important

   An elevation of privilege vulnerability exists when SharePoint Server does not properly sanitize page content in SharePoint lists. An authenticated attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the logged-on user.

10. MS14-074 Vulnerability in Remote Desktop Protocol could allow Security Feature Bypass (3003743)

    Remote Desktop Protocol (RDP) Failure to Audit Vulnerability (CVE-2014-6318) MS Rating: Important

    A security feature bypass vulnerability exists in Remote Desktop Protocol (RDP) when RDP does not properly log failed logon attempts. The vulnerability could allow an attacker to bypass the audit logon security feature. The security feature bypass by itself does not allow an arbitrary code execution. However, an attacker could use this bypass vulnerability in conjunction with another vulnerability.

11. MS14-076 Vulnerability in Internet Information Services (IIS) Could Allow Security Feature Bypass (2982998)

    IIS Security Feature Bypass Vulnerability (CVE-2014-4078) MS Rating: Important

    A security feature bypass vulnerability exists in Internet Information Services (IIS) that is caused when incoming web requests are not properly compared against the 'IP and domain restriction' filtering list.

12. MS14-077 Vulnerability in Active Directory Federation Services could allow Information Disclosure (3003381)

    Active Directory Federation Services Information Disclosure Vulnerability (CVE-2014-6331) MS Rating: Important

    An information disclosure vulnerability exists when Active Directory Federation Services (AD FS) fails to properly log off a user. The vulnerability could allow an unintentional information disclosure.

13. MS14-078 Vulnerability in IME (Japanese) Could Allow Elevation of Privilege (2992719)

    Microsoft IME (Japanese) Elevation of Privilege Vulnerability (CVE-2014-4077) MS Rating: Moderate

    An elevation of privilege vulnerability exists in Microsoft IME for Japanese that is caused when a vulnerable sandboxed application uses Microsoft IME (Japanese).

14. MS14-079 Vulnerability in Kernel-Mode Driver Could Allow Denial of Service (3002885)

    Denial of Service in Windows Kernel Mode Driver Vulnerability (CVE-2014-6317) MS Rating: Moderate

    A denial of service vulnerability exists in the Windows kernel-mode driver that is caused by the improper handling of TrueType font objects in memory.

More information on the vulnerabilities being addressed this month is available at Symantec's free SecurityFocus portal and to our customers through the DeepSight Threat Management System.

Symantec are building a new security client designed specifically for embedded systems.  We’ve taken the code base of our Critical System Protection client edition re-architected, feature enhanced and optimized it to run on embedded systems such as those used in industrial control systems, automotive, point of sale, healthcare and beyond.

We are inviting you to take part in our Symantec Embedded Security: Critical System Protection beta program beginning early December 2014. By participating in the beta program, you will be able to experience first hand the benefits of our new Internet of Things (IoT) product offering.

Key features in Symantec Embedded Security: Critical System Protection

Securing IoT devices: Symantec Embedded Security: Critical System Protection provides a signature-less policy-based approach to security for your terminals or embedded devices. Symantec Embedded Security: Critical System Protection provides a centralized management environment with an easy to use interface and with comprehensive out-of-the-box policies for complete system monitoring and protection for intrusion prevention and intrusion detection. A signature-less policy-based approach reduces emergency patching and minimizes patch-related downtime and IT expenses through proactive protection that does not require continuous updates.

Broad platform support: Symantec Embedded Security: Critical System Protection secures devices running a variety of platforms and operating systems. Apart from various Windows ,Linux and Embedded versions of these platforms, Symantec Embedded Security: Critical System Protection supports RTOS (Real-time operating systems) such as QNX, which is widely used in embedded devices, especially in automotive and healthcare verticals. With a broad platform support and features targeted towards standalone embedded systems, Symantec Embedded Security: Critical System Protection can help secure devices in industrial control systems, automotive, healthcare, finance, and retail sectors.

Modular: Symantec Embedded Security: Critical System Protection provides the option to install individual features as required. While installing the agent, you can install either IPS (Intrusion Prevention) or IDS (Intrusion Detection) or both. Selective deployment of IPS or IDS helps reduce the performance impact Critical System Protection has on the device. If you are installing Symantec Embedded Security: Critical System Protection for the first time, you can install IDS before installing IPS. IDS monitors important system and application files and registry entries, system and application logs, and other system data sources to detect and notify you when suspicious activity is occurring on your systems. Installing IDS first will let you observe how Symantec Embedded Security: Critical System Protection works before going for a full-fledged system hardening with IPS.

Software, policy, and config updates: Symantec Embedded Security: Critical System Protection provides the capability to update the software, policy and configurations on the agents without the need for a direct connectivity with the server. Agents can be updated using an over the air (OTA) channel on QNX in automobiles, or from a secure fileshare server (using FTPS) for Windows and Linux agents.

Managed and standalone agents: Symantec Embedded Security: Critical System Protection provides both managed and standalone agents. Standalone agents can be deployed on the devices which have minimal or no connectivity with the server

To participate in the Symantec Embedded Security: Critical System Protection beta program, you must meet the following requirement.

• Be prepared to submit feature requests and defect information via SymBeta forums prior to the key deadlines.
• Test some key use cases for the product as documented in the Beta test guide.
• Located in countries not under international embargo / restricted access legislation (Cuba, Iran, North Korea, Sudan and Syria, Belarus, Cuba, and Russia)

To sign up, please apply for the Symantec Embedded Security: Critical System Protection beta program via SymBeta and select New User to begin your application.

We look forward to your feedback and are excited you will test our new release.

Symantec Embedded Security: Critical System Protection Team

Updates deployed to the Connect production servers as a result of the code sprint that ended 08 Jul 2014.

User Facing: Desktop

• Fixed an issue that was allowing unpublished content to show up on list pages.
• Patched code that was sorting URL aliases incorrectly.
• Updated cache flushing code to include URLs with the "device=desktop" suffix.
• Added code that sets a limit on the length of feedback submitted to the translate.cloud system.
• Updated email notifications to consistently use https:// when linking back to Connect.
• Eliminated cases where content updates were programmatically submitting redundant cache-clear requests to Akamai.
• Removed references to Badgeville badges from user profile pages.

Admin Facing

• Enhanced the link checking tool to avoid reporting false-positives in broken link reports.

Performance Wins

• Tuned code to serve up RSS from http:// so the oft-visited RSS feeds can be cached by Akamai.

On Nov 11, 2014, SORT delivered a release specifically focused on supporting the GA release of DRO 6.1.1.  For this release, we support the following features for DRO 6.1.1:

• Custom Reports via the Data Collector [Windows] (https://sort.symantec.com/data_collectors)
• Users can upload reports to SORT to:
  • Manage reports
  • Compare system configurations for drift
  • View associated documentation, upload statistics, and error statistic summaries

• Uploaded reports can also be shared with other users
• Installation and Upgrade General Checklist ( https://sort.symantec.com/checklist/install#report)
• Product Feature Table (https://sort.symantec.com/product_features)
• Product and Platform Lookup (https://sort.symantec.com/platformlookup )
• Product/Platform Matrix (https://sort.symantec.com/productmatrix/show/DRO)
• Documentation (https://sort.symantec.com/documents)
• Patch Notifications (https://sort.symantec.com/welcome/notifications)
• EOSL dates (https://sort.symantec.com/eosl)

Disaster Recovery Orchestrator 6.1.1 supports Amazon Web Services (AWS) as a failover target. For more details, visit Symantec Connect (https://www-secure.symantec.com/connect/blogs/aws-support-symantec-disaster-recovery-orchestrator )

JustSystems has issued an update to its Ichitaro product line (Japanese office suite software), plugging a zero-day vulnerability. This vulnerability is being actively exploited in the wild to specifically target Japanese organizations.

The exploit is sent to the targeted organizations through emails with a malicious Ichitaro document file attached, which Symantec products detect as Bloodhound.Exploit.557. Payloads from the exploit may include Backdoor.Emdivi, Backdoor.Korplug, and Backdoor.ZXshell; however, all payloads aim to steal confidential information from the compromised computer.

The content of the emails vary depending on the business interest of the targeted recipient’s organization; however, all are about recent political events associated with Japan. Opening the malicious attachment with Ichitaro will drop the payload and display the document. Often such exploitation attempts crash and then relaunch the document viewer to open a clean document in order to trick users into believing it is legitimate. In this particular attack, opening the document and dropping the payload are done without crashing Ichitaro and, as such, users have no visual indications as to what is really happening in the background.

CloudyOmega
As Security Response previously discussed, unpatched vulnerabilities being exploited is nothing new for Ichitaro. However, during our investigation of this Ichitaro zero-day attack, we discovered that the attack was in fact part of an ongoing cyberespionage campaign specifically targeting various Japanese organizations. Symantec has named this attack campaign CloudyOmega. In this campaign, variants of Backdoor.Emdivi are persistently used as a payload. All attacks arrive on the target computers as an attachment to email messages. Mostly the attachments are in a simple executable format with a fake icon. However, some of the files exploit software vulnerabilities, and the aforementioned vulnerability in Ichitaro software is only one of them. This group’s primary goal is to steal confidential information from targeted organizations. This blog provides insights into the history of the attack campaign, infection methods, malware payload, and the group carrying out the attacks.

Timeline
The first attack of the campaign can be traced back to at least 2011. Figure 1 shows the targeted sectors and the number of attacks carried out each year. The perpetrators were very cautious launching attacks in the early years with attacks beginning in earnest in 2014. By far, the public sector in Japan is the most targeted sector hit by Operation CloudyOmega. This provides some clue as to who the attack group is.

Figure 1. Targeted sectors and number of attacks

Attack vector
Email is the predominant infection vector used in this campaign.

Figure 2. Sample email used in attack campaign

Figure 2 is an example of an email used in recent attacks prior to those exploiting the Ichitaro zero-day vulnerability. The emails include password-protected .zip files containing the malware. Ironically, the attackers follow security best practices by indicating in the first email that the password will be sent to the recipient in a separate email. This is merely to trick the recipient into believing the email is from a legitimate and trustworthy source. The body of the email is very short and claims the attachment includes a medical receipt. The email also requests that the recipient open the attachment on a Windows computer. The file in the attachment has a Microsoft Word icon but, as indicated within Windows Explorer, it is an executable file.

Figure 3. Attached “document” is actually a malicious executable file

Payload
The malicious payload is Backdoor.Emdivi, a threat that opens a back door on the compromised computer. The malware is exclusively used in the CloudyOmega attack campaign and first appeared in 2011 when it was used in an attack against a Japanese chemical company. Emdivi allows the remote attacker executing the commands to send the results back to the command-and-control (C&C) server through HTTP.

Each Emdivi variant has a unique version number and belongs to one of two types: Type S and Type T. The unique version number is not only a clear sign that Emdivi is systematically managed, but it also acts as an encryption key. The malware adds extra words to the version number and then, based on this, generates a hash, which it uses as an encryption key.

Both Emdivi Type S and Type T share the following functionality:

• Allow a remote attacker to execute code through HTTP
• Steal credentials stored by Internet Explorer

Type T is primarily used in Operation CloudyOmega, has been in constant development since the campaign was first launched in 2011, and is written in the C++ programing language. Type T employs techniques to protect itself from security vendors or network administrators. Important parts of Type T, such as the C&C server address it contacts and its protection mechanisms, are encrypted. Type T also detects the presence of automatic analysis systems or debuggers, such as the following:

• VirtualMachine
• Debugger
• Sandbox

Type S, on the other hand, was used only twice in the attack campaign. Type S is a .NET application based on the same source code and shared C&C infrastructure as Type T. However, protection mechanisms and encryption, essential features for threat survival, are not present in Type S. One interesting trait of Type S is that it uses Japanese sentences that seem to be randomly taken from the internet to change the file hash. For instance, in the example shown in Figure 4, it uses a sentence talking about the special theory of relativity.

Figure 4. Japanese text used by Emdivi Type S variant

Who is Emdivi talking to?
Once infected, Emdivi connects to hardcoded C&C servers using the HTTP protocol.

So far, a total of 50 unique domains have been identified from 58 Emdivi variants. Almost all websites used as C&C servers are compromised Japanese websites ranging from sites belonging to small businesses to personal blogs. We discovered that 40 out of the 50 compromised websites, spread across 13 IP addresses, are hosted on a single cloud-hosting service based in Japan.

Figure 5. Single IP hosts multiple compromised websites

The compromised sites are hosted on various pieces of web server software, such as Apache and Microsoft Internet Information Services (IIS), and are on different website platforms. This indicates that the sites were not compromised through a vulnerability in a single software product or website platform. Instead, the attacker somehow penetrated the cloud service itself and turned the websites into C&C servers for Backdoor.Emdivi.

The compromised cloud hosting company has been notified but, at the time of writing, has not replied.

Symantec offers two IPS signatures that detect and block network communication between infected computers and the Emdivi C&C server:

• System Infected: Backdoor.Emdivi Activity
• System Infected: Backdoor.Emdivi Activity 2

Zero-day and links to other cybercriminal groups
During our research, multiple samples related to this attack campaign were identified and allowed us to connect the dots, as it were, when it came to CloudyOmega's connections to other attack groups.  

In August 2012, the CloudyOmega attackers exploited the zero-day Adobe Flash Player and AIR 'copyRawDataTo()' Integer Overflow Vulnerability (CVE-2012-5054) in an attack against a high-profile organization in Japan. The attackers sent a Microsoft Word file containing a maliciously crafted SWF file that exploited the vulnerability. Once successfully exploited, the file installed Backdoor.Emdivi. As CVE-2012-5054 was publicly disclosed in the same month, the attack utilized what was, at the time, a zero-day exploit.

Interestingly, the Flash file that was used in an Emdivi attack in 2012 and the one used in the LadyBoyle attack in 2013 look very similar.

Figure 6 shows the malformed SWF file executing LadyBoyle() code that attempts to exploit the Adobe Flash Player CVE-2013-0634 Remote Memory Corruption Vulnerability (CVE-2013-0634). The Flash file seems to have been created using the same framework used by the CloudyOmega group, but with a different exploit.

Figure 6. Malformed SWF file used in the LadyBoyle campaign in February 2013

Both attacks use a .doc file containing an Adobe Flash zero-day exploit that is used to install a back door. No other evidence connects these two different campaigns; however, as described previously in Symantec Security Response’s Elderwood blog, it is strongly believed that a single parent organization has broken into a number of subgroups that each target a particular industry.

In terms of the latest attack on Ichitaro, we collected a dozen samples of JTD files, all of which are exactly the same except for their payload. The parent organization, it would seem, supplied the zero-day exploit to the different subgroups as part of an attack toolkit and each group launched a separate attack using their chosen malware. This is why three different payloads (Backdoor.Emdivi, Backdoor.Korplug, and Backdoor.ZXshell) were observed in the latest zero-day attack.

Figure 7. Parent group sharing zero-day exploit

Conclusion
Operation CloudyOmega was launched by an attack group that has communication channels with other notorious attack groups including Hidden Lynx and the group responsible for LadyBoyle. CloudyOmega has been in operation since 2011 and is persistent in targeting Japanese organizations. With the latest attack employing a zero-day vulnerability, there is no indication that the group will stop their activities anytime soon. Symantec Security Response will be keeping a close eye on the CloudyOmega group.

Protection summary
It is highly recommended that customers using Ichitaro products apply any patches as soon as possible.

Symantec offers the following protection against attacks associated with Operation CloudyOmega:

AV

• Backdoor.Emdivi
• Backdoor.Emdivi!gen1
• Backdoor.Emdivi!gen2
• Bloodhound.Exploit.557
• Trojan.Mdropper

IPS

• System Infected: Backdoor.Emdivi Activity
• System Infected: Backdoor.Emdivi Activity 2

ジャストシステム社は、一太郎製品群（日本語オフィススイートソフトウェア）のゼロデイ脆弱性を修正するための更新を公開しました。この脆弱性は、日本の組織を標的とする攻撃で活発に悪用されています。

今回の攻撃では、悪質な一太郎文書ファイルが添付された電子メールが標的の組織に送信されます。シマンテック製品は、このファイルを Bloodhound.Exploit.557として検出します。ペイロードには、Backdoor.Emdivi、Backdoor.Korplug、または Backdoor.ZXshellが含まれている可能性がありますが、これらはすべて、侵入先のコンピュータから機密情報を盗み取るためのものです。

電子メールの内容は標的となる組織の業務に応じて異なりますが、いずれも最近の日本における政治的な出来事に関するものです。悪質な添付ファイルを一太郎で開くと、ペイロードが投下されるとともに文書が表示されます。この手の攻撃では、多くの場合、文書ビューアをクラッシュさせてから再起動してクリーンな文書を開くことによって、正規の文書に見せかけようようとします。今回の攻撃では、一太郎をクラッシュさせることなく文書を開いてペイロードを投下するため、被害者は、バックグラウンドで実際に起こっていることに気が付きません。

CloudyOmega
以前にブログで取り上げたとおり、パッチ未適用の一太郎の脆弱性に対する攻撃は、今に始まったことではありません。しかし、調査の結果、今回のゼロデイ攻撃は、日本のさまざまな組織を標的とする継続的なサイバースパイ攻撃の一環であることがわかっています。シマンテックは、この攻撃を CloudyOmega と名付けました。ペイロードとしては Backdoor.Emdivi の亜種が常に利用されており、すべての攻撃において電子メールに添付されて標的のコンピュータに送り込まれます。多くの場合、添付ファイルは、偽のアイコンが表示された単純な実行可能ファイルですが、一部のファイルは各種ソフトウェアの脆弱性を悪用しています。今回の一太郎の脆弱性は、その 1 つにすぎません。攻撃グループの主な目的は、標的の組織から機密情報を盗み取ることです。ここでは、一連の攻撃活動の時系列、感染経路、マルウェアのペイロード、そして攻撃を実行しているグループについて考察します。

活動の時系列
最初の攻撃は少なくとも 2011 年まで遡ります。図 1 は、標的となった業種と攻撃件数を年別に示しています。攻撃は初期には非常に慎重に実行されていましたが、2014 年になってから本格化しました。これまでのところ、CloudyOmega 攻撃で最も多く狙われているのは公共部門です。このことが、攻撃グループの正体を探るための手掛かりになるでしょう。

図 1.標的の業種と攻撃件数の内訳

攻撃経路
攻撃に利用されている主な感染経路は電子メールです。

図 2.攻撃に使用された電子メールの例

図 2 は最近の攻撃で使用された電子メールの一例で、一太郎のゼロデイ脆弱性を悪用する攻撃の前段階となるものです。添付されている zip ファイルはパスワードで保護されており、中にはマルウェアが含まれています。皮肉なことに、セキュリティの基本対策（ベストプラクティス）に従って、パスワードは別の電子メールで送信すると記載されていますが、これは、正規の信頼できる送信元から届いたと信じこませようとしているにすぎません。本文には、添付ファイルに医療費の通知が含まれていることが簡潔に記載され、添付ファイルを Windows コンピュータで開くよう求めています。zip 内のファイルには Microsoft Word のアイコンが表示されていますが、Windows エクスプローラで確認できるように、実際には実行可能ファイルです。

図 3.添付されている「文書」は実際には悪質な実行可能ファイル

ペイロード
ペイロードは Backdoor.Emdivi であり、侵入先のコンピュータでバックドアを開きます。このマルウェアは CloudyOmega による一連の攻撃でのみ利用されており、2011 年に日本の化学会社に対する攻撃で初めて確認されました。Emdivi を使うと、リモートの攻撃者は、HTTP を介してコマンドの実行結果をコマンド & コントロール（C&C）サーバーに送信することができます。

Emdivi の亜種にはそれぞれ一意のバージョン番号があり、タイプ S またはタイプ T のいずれかに属します。一意のバージョン番号があるのは、Emdivi が体系的に管理されている証拠です。さらに、バージョン番号に単語を追加したものをベースにハッシュ値が生成され、暗号化キーとして使用されています。

タイプ S とタイプ T では次の機能が共通しています。

• リモートの攻撃者が HTTP を介してコードを実行できる
• Internet Explorer に保存されている認証情報を盗み取る

CloudyOmega 攻撃で主に使用されているのは、タイプ T です。C++ プログラム言語で記述されており、2011 年に攻撃が開始されてから継続的に進化を重ねています。セキュリティ企業やネットワーク管理者から自身を保護するための技術を備え、接続先の C&C サーバーのアドレスや保護メカニズムなど、タイプ T の重要な部分は暗号化されています。また、次のような自動分析システムやデバッガの存在を検出します。

• 仮想マシン
• デバッガ
• サンドボックス

一方、タイプ S が一連の攻撃で使用されたのは 2 回だけです。タイプ S は同じソースコードに基づく .Net アプリケーションで、C&C インフラをタイプ T と共用しています。しかし、活動を継続するために不可欠な保護メカニズムや暗号化機能は備えていません。タイプ S について興味深いのは、インターネットからランダムに取得したとみられる日本語の文を使ってファイルのハッシュ値を変更する機能です。たとえば、図 4 のように、特殊相対性理論を説明する文が使用されています。

図 4. Emdivi のタイプ S の亜種で使用されている日本語の文

Emdivi の通信先
Emdivi は、感染すると、ハードコード化された C&C サーバーに HTTP プロトコルを介して接続します。

これまでに、58 種類の Emdivi の亜種から、重複を含まず合計 50 件のドメインが特定されています。C&C サーバーとして利用された Web サイトは、ほぼすべてが小規模企業が所有するサイトや個人ブログなど、侵害された日本の Web サイトです。50 件の Web サイトのうち、13 個の IP アドレスに分布する 40 件は、日本に拠点を置く単一のクラウドホスティングサービスでホストされています。

図 5.侵害された複数の Web サイトが、単一の IP アドレスでホストされている

侵害されたサイトは、さまざまな Web サイトプラットフォーム上で Apache や Microsoft Internet Information Services（IIS）など各種の Web サーバーソフトウェアによってホストされています。このことから、単一のソフトウェア製品や Web サイトプラットフォームの脆弱性を突かれて侵害されたのではないことが分かります。攻撃者は何らかの手段でクラウドサービス自体を侵害して、複数の Web サイトを Backdoor.Emdivi の C&C サーバーとして改ざんしたのです。

侵害されたクラウドホスティング会社には通知済みですが、このブログの執筆時点ではまだ返答がありません。

シマンテックでは、感染したコンピュータと Emdivi の C&C サーバーとの間のネットワーク通信を検知して遮断するために、次の 2 つの IPS シグネチャを提供しています。

• System Infected: Backdoor.Emdivi Activity
• System Infected: Backdoor.Emdivi Activity 2

ゼロデイ脆弱性と他のサイバー犯罪グループとのつながり
調査を進めるなかで一連の攻撃に関連する複数のサンプルが特定されたことから、他の攻撃グループとのつながりが見えてきました。

2012 年 8 月、CloudyOmega の攻撃者は Adobe Flash Player と AIR に存在する copyRawDataTo() の整数オーバーフローの脆弱性（CVE-2012-5054）を悪用して、日本の有名な組織を標的とする攻撃を実行しています。攻撃者は、脆弱性を悪用するように細工された SWF ファイルを含む Microsoft Word ファイルを送信しました。脆弱性の悪用に成功すると Backdoor.Emdivi がインストールされます。CVE-2012-5054 は同月に公表されたものであり、この攻撃で利用された当時はゼロデイ脆弱性でした。

さらに興味深いことに、2012 年の Emdivi 攻撃で使用された Flash ファイルと 2013 年の LadyBoyle 攻撃で使用された Flash ファイルは、非常によく似ています。

図 6 は、Adobe Flash Player に存在するリモートメモリ破損の脆弱性（CVE-2013-0634）の悪用を試みる LadyBoyle() コードを実行する、不正な形式の SWF ファイルを示しています。この Flash ファイルは、CloudyOmega グループと同じフレームワークを使って作成されたと思われますが、別の悪用コードが組み込まれています。

図 6. 2013 年 2 月の LadyBoyle 攻撃で使用された不正な形式の SWF ファイル

両方の攻撃において、バックドアをインストールするための Adobe Flash のゼロデイ悪用コードを含む .doc ファイルが使用されています。2 つの攻撃を関連付ける証拠は他にはありませんが、Elderwood プラットフォームのブログで説明したとおり、単一の上位グループから複数のサブグループが派生して、それぞれが特定の業種を狙っている可能性が高いと考えられます。

一太郎の脆弱性を悪用する今回の攻撃では、収集された JTD ファイルのサンプル十数件はすべて、ペイロード以外はまったく同一のものでした。上位グループが複数のサブグループに、攻撃ツールキットの一部としてゼロデイ悪用コードを提供し、各グループがそれぞれマルウェアを選択して別々に攻撃を実行したものと思われます。今回のゼロデイ攻撃で Backdoor.Emdivi、Backdoor.Korplug、Backdoor.ZXshell という 3 つの異なるペイロードが確認されているのは、このためでしょう。

図 7.ゼロデイ悪用コードを共有する上位グループ

結論
CloudyOmega 攻撃を実行しているグループは、LadyBoyle の実行グループや HiddenLynx など、他の悪名高い攻撃グループと密接なつながりがあります。CloudyOmega 攻撃は 2011 年から確認されており、日本の組織を狙って執拗に活動を継続しています。今回、ゼロデイ脆弱性を悪用した攻撃が実行されたということは、攻撃グループは当面の間、活動を停止する気配がないということです。シマンテックセキュリティレスポンスは CloudyOmega グループに対して注意深く監視を続けていきます。

保護対策
一太郎製品をお使いのお客様は、できるだけ早くパッチを適用することを強くお勧めします。

シマンテック製品をお使いのお客様は、次の検出定義によって、CloudyOmega に関連する攻撃から保護されています。

ウイルス対策

• Backdoor.Emdivi
• Backdoor.Emdivi!gen1
• Backdoor.Emdivi!gen2
• Bloodhound.Exploit.557
• Trojan.Mdropper

侵入防止システム

• System Infected: Backdoor.Emdivi Activity
• System Infected: Backdoor.Emdivi Activity 2

* 日本語版セキュリティレスポンスブログの RSS フィードを購読するには、http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/jaにアクセスしてください。

With such an array of security incidents in 2014—from large-scale data breaches to vulnerabilities in the very foundation of the web—it’s difficult to know which to prioritize. Which developments were merely interesting and which speak of larger trends in the online security space? Which threats are remnants from the past and which are the indications for what the future holds?

The following are four of the most important developments in the online security arena over the past year, what we learned (or should have learned) from them, and what they portend for the coming year.

The discovery of the Heartbleed and ShellShock\Bash Bug vulnerabilities
In spring 2014, the Heartbleed vulnerability was discovered. Heartbleed is a serious vulnerability in OpenSSL, one of the most common implementations of the SSL and TLS protocols and used across many major websites. Heartbleed allows attackers to steal sensitive information such as login credentials, personal data, or even decryption keys that can lead to the decryption of secure communications.

Then, in early fall, a vulnerability was found in Bash, a common component known as a shell, which is included in most versions of the Linux and Unix operating systems, in addition to Mac OS X (which is, itself, based around Unix). 

Known as ShellShock or the Bash Bug, this vulnerability allows an attacker to not only steal data from a compromised computer, but also to gain control over the computer itself, potentially providing them with access to other computers on the network.

Heartbleed and ShellShock turned the spotlight on the security of open-source software and how it is at the core of so many systems that we rely on for e-commerce. For vulnerabilities in proprietary software we just need to rely on a single vendor to provide a patch. However, when it comes to open-source software, that software may be integrated into any number of applications and systems. This means that an administrator has to depend on a variety of vendors to supply patches. With ShellShock and Heartbleed there was a lot of confusion regarding the availability and effectiveness of patches. Hopefully this will serve as a wake-up call for how we need greater coordinated responses to open-source vulnerabilities, similar to the MAPP program. 

Moving forward, new threats like these will continue to be discovered in open-source programs. But while this is potentially a rich, new area for attackers, the greatest risk continues to come from vulnerabilities that are known, but where the appropriate patches aren’t being applied. This year’s Internet Security Threat Report showed that 77 percent of legitimate websites had exploitable vulnerabilities. So, yes, in 2015 we'll see attackers using Heartbleed or ShellShock, but there are hundreds of other unpatched vulnerabilities that hackers will continue to exploit with impunity.

Coordinated cyberespionage and potential cybersabotage: Dragonfly and Turla
The Dragonfly group, which appears to have been in operation since at least 2011, initially targeted defense and aviation companies in the US and Canada, before shifting its focus mainly to energy firms in early 2013. Capable of launching attacks through several different vectors, its most ambitious attack campaign compromised a number of industrial control system (ICS) equipment providers, infecting their software with a remote access-type Trojan. This gave the attackers full access to systems where this software was installed. While this provided the attackers with a beachhead into target organizations in order to carry out espionage activities, many of these systems were running ICS programs used to control critical infrastructure such as petroleum pipelines and energy grids. While no cybersabotage was seen in these attacks, no doubt the attackers had the ability and could have launched such attacks at any time. Perhaps they chose to lie in wait and were interrupted before they could move on. 

Dragonfly also used targeted spam email campaigns and watering hole attacks to infect targeted organizations. Similarly, the group behind the Turla malware also uses a multi-pronged attack strategy to infect victims through spear-phishing emails and watering hole attacks. The watering hole attacks display extremely targeted compromise capabilities, with the attackers compromising a range of legitimate websites and only delivering malware to victims visiting from pre-selected IP address ranges. The attackers would also save their most sophisticated surveillance tools for high-value targets. Turla’s motives are different to Dragonfly, however. The Turla attackers are carrying out long-term surveillance against embassies and government departments, a very traditional form of espionage. 

Both the Dragonfly and Turla campaigns bear the hallmarks of state-sponsored operations, displaying a high degree of technical capability and resources. They are able to mount attacks through multiple vectors and compromised numerous third-party websites, with their apparent purpose being cyberespionage—and sabotage as a secondary capability for Dragonfly. 

These campaigns are just examples of the many espionage campaigns we see on an almost daily basis. This is a global problem and shows no sign of abating, with attacks such as Sandworm also leveraging a number of zero-day vulnerabilities. Given the evidence of deep technical and financial resources these attacks are very likely state-sponsored. 

Credit cards in the crosshairs
The lucrative business of selling stolen credit or debit card data on the black market makes these cards a prime target for bad guys. 2014 saw several high-profile attacks targeting point-of-sale (POS) systems to obtain consumers’ payment card information. One factor making the US a prime target is the failure to adopt the chip-and-PIN system, known as EMV (Europay, MasterCard and VISA), which offers more security than magnetic stripe-based cards. The attacks used malware which can steal the information from the payment card’s magnetic stripe as it is read by the computer and before it is encrypted. This stolen information can then be used to clone that card. Because EMV card transaction information is uniquely encoded every time, it's harder for criminals to pick up useful payment data pieces and use them again for another purchase. However, EMV cards are just as susceptible to being used for fraudulent online purchases.

Apple Pay, which basically turns your mobile phone into a “virtual wallet” by using near-field communication (NFC) technology, was also launched in 2014. NFC is a type of communication that involves wirelessly transmitting data from one hardware device to another physical object nearby, in this case a cash register. 

While NFC payment systems have been around for a while now, we expect to see an uptick in consumer adoption of this technology in the coming year, as more smartphones support the NFC standard. It’s worth noting that while NFC systems are more secure than magnetic stripes, there is still a possibility of hackers exploiting them, although this would require the bad guys to target individual cards and wouldn’t result in large scale breaches or theft like we have seen in the US. However, the payment technology used won’t protect against retailers who aren’t storing payment card data securely, they’ll still need to be vigilant in protecting stored data. 

Increased collaboration with law enforcement 
Now, for a bit of good news: 2014 saw many examples of international law enforcement teams taking a more active and aggressive stance on cybercrime by increasingly collaborating with the online security industry to take down cybercriminals.

Blackshades is a popular and powerful remote access Trojan (RAT) that is used by a wide spectrum of threat actors, from entry-level hackers right up to sophisticated cybercriminal groups. In May of 2014, the FBI, Europol, and several other law enforcement agencies arrested dozens of individuals suspected of cybercriminal activity centered on the use of Blackshades (also known as W32.Shadesrat). Symantec worked closely with the FBI in this coordinated takedown effort, providing information that allowed the agency to track down those suspected of involvement. 

Just one month later, the FBI, the UK's National Crime Agency, and a number of international law enforcement agencies, working in tandem with Symantec and other private sector parties, significantly disrupted two of the world’s most dangerous financial fraud operations: the Gameover Zeus botnet and the Cryptolocker ransomware network. This resulted in the FBI seizing a large amount of infrastructure used by both threats. 

While these takedowns are part of an ongoing effort, we won’t see cybercrime disappearing overnight. Both private industry and law enforcement will need to continue to cooperate to have long-lasting impact. As the rate and sophistication of cyberattacks grows, we expect to see a continuation of this trend of collaboration to track down cybercriminals and stop them in their tracks.

So, there you have it, my take on the four most important online security events of 2014. Of course, there’s still a few weeks left before we ring in 2015, so we may yet see other events arise, but you can trust that Symantec is here and that we’ve got your back, no matter what the future may bring!

Hello!

Backup Exec team is currently looking for user feedback on several security features for an upcoming release. 

If you are interested in participating in a user experience session, please check out the sessions here. These are remote session via WebEx and about an hour long. This is your opportunity to help shape the future of Backup Exec.

If you have any questions about this, feel free to leave a comment here - or send me an email directly.

Regards,

Muzayun

We need your help!  We would be grateful if you could give us about ten minutes of your time to help Symantec improve its knowledgebase content.

We know you want to get the right answers to your support questions, as quickly as possible. To do that, Symantec wants to provide you with online help articles that are easy to read and easy to use, and give you the information you need, when you want it. 

So that we can better understand your needs, we are asking for your feedback about two sample Symantec online help articles, each with two different versions. After you read the articles, please complete the short survey and share your opinions about the articles.  Thank you for your time—your responses will help us help you more effectively.

Test 1 – Push install Symantec Endpoint Protection 12.1 clients using Remote Push

Version A: http://www.symantec.com/docs/TECH224952

Version B: http://www.symantec.com/docs/TECH164327

Survey: https://www.surveymonkey.com/s/GRQSNGQ

Test 2 - Disaster recovery best practices for Symantec Endpoint Protection 12.1

Version A: http://www.symantec.com/docs/TECH160736

Version B: http://www.symantec.com/docs/TECH224995

Survey: https://www.surveymonkey.com/s/GRWM5J7