Channel: Symantec Connect - Blog Entries

New SORT Release with new features for NetBackup and NetBackup Appliances


On November 4, 2014, Symantec completed another release of SORT.
SORT Landing page at https://sort.symantec.com/

With this release we added the following features and enhancements:

General:
• Product and Platform Lookup can be accessed directly from the menu under Documentation and is the main entry point for the product matrix (https://sort.symantec.com/platformlookup)
• Improved search performance

NetBackup Solutions:
• Enhancements to the NBDB space check to accommodate non-default configurations and all major, minor and release update upgrades of NetBackup
• Addition of NetBackup specific resources to the Product and Platform Lookup results
• Displayed which type of NetBackup host (master, media and/or client) requires the OS patch - Only applicable to 7.6.1 reports.
• Enhanced the disk space system requirement for Windows platforms, detailing where the space is required for the NetBackup product
• See separate NetBackup SORT news announcement for additional details

For the full list of SORT features and enhancements including Storage Foundation and High Availability Solutions and Data Collectors please visit: The New Sort Release Blog.

Exchange 2013 CU6 - Is Enterprise Vault certified?

CU6 of Exchange 2013 is available, should I upgrade?

To keep our Exchange 2013 customers informed about Enterprise Vault's certification of CU6, we've created a Technote for you to subscribe to.

Use this technote for the latest information: http://www.symantec.com/docs/TECH226311

Threats at every turn – time to hit back

The Evolving Threat Landscape is something that is constantly referenced, but just what is that ‘landscape’ and what does it mean for organisations intent on keeping themselves safe from attacks? In essence, the threats are emanating from a number of directions, but, broadly speaking, can be categorised under ‘Cybercrime’, ‘Sabotage’, ‘Subversion’ and ‘Espionage’. It’s a murky world and one that needs to be understood and recognised for the dangers it presents, if the right steps are to be taken to ensure effective protection.

Just to get some idea of the scale of what has been happening, Symantec’s own security intelligence indicates that, in the world of cybercrime alone, more than 1,400 financial institutions have been regularly attacked with ‘Financial Trojans’ since 2013, affecting 88 countries, with a tripling of infections. The USA, Japan, the UK and Germany have been the hardest hit.

As the threat landscape evolves and matures, cybercrime gangs who favour fakeAV have moved into ransomware with a vengeance, with a 500% increase in infection in 2013 alone. Users are told they have been found accessing illegal content and that a fine must be paid to unlock the computer. If the user enters the payment PIN, it is sent to the attacker’s command and control server. Of course, the computer is rarely unlocked after payment.

An evolution of ransomware is Cryptolocker, with cybercriminals holding data to ransom. Data on the infected computer is strongly encrypted and payment is demanded for decryption of the files – not possible without the private key.

Cybercrime infrastructure has also become more robust and resistant to takedown attempts, with a greater move towards a peer-to-peer (P2P) botnet infrastructure. A traditional botnet (where all bots connect to attacker-controlled command-and-control (C&C) servers):

  • Has a single point of failure
  • Has only one or a few C&C servers
  • Is vulnerable to takedown & sinkholing.

A peer-to-peer botnet:

  • Has no single point of failure
  • Every peer acts as C&C server
  • Difficult to take down or sinkhole.

It’s no great surprise then that cybercriminals are increasingly moving to P2P, because their lack of a centralized C&C infrastructure makes them more resilient.

However, the cybercriminals are not having it all their own way. Let me just give you one example of where Symantec hit back, neutralising half a million ZeroAccess bots. ZeroAccess uses a highly resilient decentralised P2P botnet architecture, with every botnet member acting as a C&C server, making sinkholing almost impossible. Except Symantec created sinkholes that acted like peers and then we inserted our sinkhole addresses into peer lists. Peer lists then propagated through the botnet until eventually the bots only had our sinkhole peer addresses, detaching them from the botnet. This made a serious dent in the ZeroAccess infrastructure.

Similarly, close collaboration between law enforcement and the security industry, under the code name ‘Operation Tovar’, saw the takedown of GameOver Zeus & Cryptolocker. However, these infections are showing signs of increasing again, so the need for ongoing counteraction is paramount.

Ultimately, whether we are dealing with subversion through hacktivism, distributed denial of service (DDoS) attacks (rapidly on the increase, with attack size growing 216% in Q1-Q2 2014), sabotage or cyber-espionage – such as the Turla campaign, which has systematically targeted the governments and embassies of former Eastern Bloc countries – the message is clear: we are only ever safe for as long as we are not an active target. In other words, never imagine that a determined attacker will not come after you, if you have not yet been a victim; or will not come after you, time and again.

It has become something of a cliché of late that finding yourself under attack or infected is not a matter of if, but when. Like all clichés, of course, it is also true. The more you accept that reality, the more likely it is you will take every possible step to be ready for such an attack in the future.

The good news is that Symantec can provide the expert advice and solutions to help organisations along that path. They don’t have to do this on their own.

Annual G20 summit is attractive target for Flea attack group

Attackers attempt to steal information from targeted officials through spear-phishing emails.


Each year, as world leaders come together to discuss a variety of global economic issues at the G20 summit, organizations with a vested interest in the event are the recipients of malicious emails from threat actors.

This year, the summit will be held in Brisbane, Australia on November 15 and 16 and a specific attack group, which we call Flea, has been circulating malicious emails throughout 2014 in anticipation of the event. Targets include an international economic organization as well as a group connected to multiple monetary authorities. Once the attackers have compromised their target’s computers, they identify and steal valuable information from them.

Who is the Flea attack group?
The Flea attackers have been active since at least 2010 when they sent a decoy document to target those interested in the G20 Summit held in Seoul, South Korea that year. They have typically targeted European governments, global military organizations, and financial institutions. Flea uses one particular attack tool, detected as Infostealer.Hoardy, which can open a back door, run shell commands, and upload and download files on the compromised computer.

The attackers’ primary motivation is to steal information from targeted officials. They typically send spear-phishing emails with malicious attachments to compromise their intended victims’ computers. The content of these messages usually centers on an international event or theme that is of interest to their targets, such as nuclear issues, the Olympics, and major political conferences. They may also disguise these emails as job applications and send them to the HR departments of targeted firms. Once the malware infects their targets’ computers, the threat gives the attackers the ability to carry out reconnaissance on the compromised computers and to identify and exfiltrate valuable information.

The Flea attack group carries out new attacks every four to eight months, suggesting that the group only wishes to steal information over a short amount of time. Flea’s attack tools also indicate that the group is not interested in laterally moving across compromised networks to reach other targets.

Figure 1. Flea attacks since 2010

Current G20 summit campaign
The Flea group has been circulating two G20-themed emails in the run-up to this weekend’s summit. The subject of one of these emails posits, “What exactly is the point of the G20 in Australia?” The email includes a malicious Word document that attempts to exploit the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158) on vulnerable computers.

Another email relates to a G20 document that is of interest to financial institutions. Following each meeting between finance ministers and central bank governors, a communiqué is released which includes G20 policy discussions and commitments. The Flea attackers know about these documents and have been circulating emails with the subject “Communiqué Meeting of G20 Finance Ministers and Central Bank” along with a malicious Word document similar to the one previously discussed.

In each of these examples, the malicious Word documents have been used to deploy Infostealer.Hoardy. A non-malicious Word document is also opened up on the compromised computer to ensure that the recipient doesn’t suspect that anything is amiss.

Figure 2. Non-malicious Word document

The attackers have sent these emails to multiple targets, including an international economic organization and a group connected to multiple monetary authorities. These targets have an interest in what is discussed at the G20 summit and some may have delegations attending the event. It gives the attackers a major opportunity to steal valuable data from their targets by enticing them with G20-themed communications.

Future G20-themed attacks
The Flea attack group isn’t the only threat to worry about during G20 summits. Threat actors have always found the G20 summit an opportune time to target individuals within governments and financial and economic development organizations. Prior to last year’s summit in Saint Petersburg, Russia, we observed a campaign using the Poison Ivy remote access Trojan (RAT) to target multiple groups. These targeted organizations should expect more of the same during future G20 summits. Different threat actors will no doubt continue to use organizations’ interests in the G20 summit to target them again in the coming years.

Protection
Symantec recommends that users exercise caution when opening emails and attachments from unexpected or unknown senders. Symantec detects the malware used in these latest G20-themed attacks as Infostealer.Hoardy.

Indicators of compromise
MD5s:

  • 026936afbbbdd9034f0a24b4032bd2f8
  • 069aeba691efe44bfdc0377cd58b16ae
  • 072af79bb2705b27ac2e8d61a25af04b
  • 09b5f55ce2c73883c1f168ec34d70eb9
  • 153b035161c8f50e343f143d0f9d327f
  • 277487587ae9c11d7f4bd5336275a906
  • 2a3da83f4037ad82790b2a6f86e28aa2
  • 2df1fd8d73c39dbdbb0e0cdc6dbd70de
  • 34252b84bb92e533ab3be2a075ab69ac
  • 4c46abe77c752f21a59ee03da0ad5011
  • 4c86634100493f0200bbdaf75efa0ebe
  • 56dd30a460cdd3cf0c5356558550e160
  • 5cc39185b302cc446c503d34ce85bab7
  • 5ee64f9e44cddaa7ed11d752a149484d
  • 5ee81c755aa668fc12a9cbcbab51912f
  • 5ff0cb0184c2bcfbda32354f68ca043c
  • 62af361228a14b310042e69d6bab512c
  • 649691e1d367721f0ff899fd31133915
  • 6af82418fa391ea1c5b9a568cb6486b1
  • 6cb633b371700d1bd6fde49ab38ca471
  • 703c9218e52275ad36147f45258d540d
  • 727ef86947f5e109435298e077296a42
  • 745355bbb33c63ebc87d0c021eebbf67
  • 777aab06646701c2c454db5c06982646
  • 7fd4dcc3ae97a5cd2d229b63f1daa4b6
  • 82b1712156c5af50e634914501c24fb1
  • 89495d7f2f79848693f593ea8385c5cd
  • 8aebcd65ac4a8c10f0f676a62241ca70
  • 8c7cf7baaf20fe9bec63eb8928afdb41
  • 8c8d6518910bc100e159b587a7eb7f8d
  • 98f58f61f4510be9c531feb5f000172f
  • a8d6302b5711699a3229811bdad204ca
  • aa0126970bab1fa5ef150ca9ef9d9e2e
  • abe4a942cb26cd87a35480751c0e50ae
  • b391d47b37841741a1817221b946854a
  • b68a16cef982e6451ddf26568c60833d
  • b9c47a5ccd90fda2f935fc844d73c086
  • be58180f4f7ee6a643ab1469a40ffbca
  • c2c1bc15e7d172f9cd386548da917bed
  • c50116a3360eec4721fec95fe01cf30e
  • c718d03d7e48a588e54cc0942854cb9e
  • d03d53f3b555fe1345df9da63aca0aaf
  • da9f870ef404c0f6d3b7069f51a3de70
  • e0abc2e1297b60d2ef92c8c3a0e66f14
  • e4d8bb0b93f5da317d150f039964d734
  • e75527a20bb75aa9d12a4d1df19b91fa
  • e8c26a8de33465b184d9a214b32c0af8
  • ecc1167a5f45d72c899303f9bbe44bbc
  • feec98688fe3f575e9ee2bd64c33d646
  • 14e79a4db9666e0070fe745551a2a73e
  • 2fc6827c453a95f64862638782ffeb9d
  • 4f2cc578e92cdf21f776cbc3466bad10
  • b2c51b84a0ebb5b8fc13e9ff23175596
  • cc92b45a6568845de77426382edf7eb0
  • 05f854faef3a47b0b3d220adee5ccb45
  • db8e651a2842c9d40bd98b18ea9c4836
  • 15302b87fe0e4471a7694b3bc4ec9192
  • 9ee87ad0842acf7fc0413f2889c1703e
  • 836ea5f415678a07fd6770966c208120
  • ea12d6f883db4415d6430504b1876dc6
  • 88e869f7b628670e16ce2d313aa24d64

Command-and-control servers:

  • g20news.ns01[.]us
  • news.studenttrail[.]com
  • skyline.ns1[.]name
  • www.trap.dsmtp[.]com
  • ftp.backofficepower[.]com
  • news.freewww[.]info
  • blackberry.dsmtp[.]com
  • adele.zyns[.]com
  • windowsupdate.serveuser[.]com
  • officescan.securitynh[.]com
  • cascais.epac[.]to
  • www.errorreporting.sendsmtp[.]com
  • www.sumba.freetcp[.]com
  • google.winfy[.]info
  • cname.yahoo.sendsmtp[.]com
  • mail.yahoo.sendsmtp[.]com
  • update.msntoole[.]com
  • expo2010.zyns[.]com
  • win7.sixth[.]biz
  • ensun.dyndns[.]org
  • www.spaces.ddns[.]us
  • blog.strancorproduct[.]info
  • belgiquede[.]com
  • brazil.queretara[.]net
  • facebook.proxydns[.]com
  • windows.serveusers[.]com
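
The indicators above are published defanged (`[.]` in place of `.`), so they need to be refanged before they can be compared against telemetry. The following is an added example, not part of Symantec's write-up, showing one way a defender would sweep DNS query logs and a file-hash inventory for these Flea indicators. The hash and hostname subsets are copied from the lists above; the log lines and file inventory are constructed sample data, and the log formats are assumptions rather than any particular product's output.

```python
"""Sweep sample telemetry for the Flea indicators published in the write-up."""
import hashlib
import re

# Subset of the MD5 hashes listed above (copied from the write-up).
FLEA_MD5S = {
    "026936afbbbdd9034f0a24b4032bd2f8",
    "069aeba691efe44bfdc0377cd58b16ae",
    "14e79a4db9666e0070fe745551a2a73e",
    "88e869f7b628670e16ce2d313aa24d64",
}

# Subset of the command-and-control hostnames, exactly as defanged above.
FLEA_C2_DEFANGED = [
    "g20news.ns01[.]us",
    "windowsupdate.serveuser[.]com",
    "officescan.securitynh[.]com",
    "cname.yahoo.sendsmtp[.]com",
]


def refang(indicator: str) -> str:
    """Turn 'a[.]b' back into 'a.b' and normalise case for comparison."""
    return indicator.replace("[.]", ".").replace("(.)", ".").strip().lower()


FLEA_C2 = {refang(h) for h in FLEA_C2_DEFANGED}

# Constructed sample DNS log (not real telemetry): "<timestamp> <client> <qname>".
SAMPLE_DNS_LOG = """\
2014-11-14T09:12:01Z 10.1.4.22 www.example.org
2014-11-14T09:12:07Z 10.1.4.22 windowsupdate.serveuser.com
2014-11-14T09:13:40Z 10.1.9.8 G20NEWS.NS01.US
2014-11-14T09:14:02Z 10.1.9.8 mail.example.net
"""

# Constructed sample file inventory (not real files): "<md5> <path>".
SAMPLE_FILE_INVENTORY = """\
026936afbbbdd9034f0a24b4032bd2f8 C:\\Users\\a\\Downloads\\G20_communique.doc
d41d8cd98f00b204e9800998ecf8427e C:\\Users\\a\\Downloads\\empty.txt
88e869f7b628670e16ce2d313aa24d64 C:\\Users\\b\\AppData\\Local\\Temp\\svch0st.exe
"""

DNS_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)$")


def match_dns(log_text: str):
    """Return (timestamp, client, qname) for each query to a known C2 host.

    Matches the exact host and any subdomain of it (e.g. 'x.g20news.ns01.us'),
    since resolvers log the full query name; a name that merely *starts* with
    an indicator ('g20news.ns01.us.example.org') is not a match.
    """
    hits = []
    for line in log_text.splitlines():
        m = DNS_LINE.match(line.strip())
        if not m:
            continue
        qname = m.group("qname").lower().rstrip(".")
        if qname in FLEA_C2 or any(qname.endswith("." + c2) for c2 in FLEA_C2):
            hits.append((m.group("ts"), m.group("client"), qname))
    return hits


def match_hashes(inventory_text: str):
    """Return (md5, path) for inventory rows whose MD5 is a Flea indicator."""
    hits = []
    for line in inventory_text.splitlines():
        parts = line.strip().split(maxsplit=1)
        if len(parts) != 2:
            continue
        md5, path = parts
        if md5.lower() in FLEA_MD5S:
            hits.append((md5.lower(), path))
    return hits


def md5_of_file(path: str) -> str:
    """Helper for building an inventory: streamed MD5 of a file on disk."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


if __name__ == "__main__":
    for hit in match_dns(SAMPLE_DNS_LOG):
        print("C2 lookup:", hit)
    for hit in match_hashes(SAMPLE_FILE_INVENTORY):
        print("Known sample:", hit)
```

Hostname matching is suffix-based on a dot boundary so that subdomains of a listed C2 host are caught without false positives on unrelated names that happen to start with an indicator; for a real sweep, replace the constructed samples with exported resolver logs and a hash inventory from your endpoint tooling.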

The four most notable Internet security events of 2014

From major vulnerabilities to cyber-espionage, Symantec reviews what happened this year and what it will mean for the future.

With such a variety of security incidents in 2014, from large-scale data breaches to web vulnerabilities, it is hard to say which stood out most. Which situations were merely interesting, and which relate to the bigger trends in Internet security? Which threats are relics of the past, and which are indications of what the future holds for us?

Below we present four of the most important events in online security of the past year, what we learned (or should have learned) from them, and what they foreshadow for the coming year.

The discovery of the Heartbleed and ShellShock / Bash Bug vulnerabilities

In the spring of 2014, Heartbleed, a serious vulnerability in OpenSSL, was discovered. OpenSSL is one of the most common implementations of the SSL and TLS protocols and is used on many popular websites. Heartbleed allows attackers to steal confidential information such as login credentials, personal data, or even the encryption keys that can lead to the disclosure of secure communications.

Then, in early autumn, a vulnerability was found in Bash, a common component known as a shell, which is included in most versions of the Linux and Unix operating systems as well as Mac OS X (which is itself Unix-based). Known as ShellShock or Bash Bug, this vulnerability allows an attacker not only to steal data from an infected computer but also to take control of the machine itself, which could give them access to other computers on the network.

Heartbleed and ShellShock turned the security spotlight onto open-source software, which was identified as the core of many of the systems we depend on for e-commerce. For vulnerabilities in proprietary software we depend on a single vendor to provide a patch. However, when it comes to open-source software, it can be embedded in any number of applications and systems. This means that an administrator has to rely on a variety of vendors to supply patches. With ShellShock and Heartbleed there was great confusion about the availability and effectiveness of patches. Let us hope this serves as a wake-up call about the need for more coordinated responses to open-source vulnerabilities, similar to the MAPP program.

In the future, threats like these will continue to be discovered in open-source programs. But while this is potentially a rich new area for attackers, the greater risk comes from known vulnerabilities for which the appropriate patches are not being applied. This year's Internet Security Threat Report showed that 77% of legitimate websites had exploitable vulnerabilities. So, in 2015 we will probably see attackers using Heartbleed or ShellShock, but there are hundreds of other unpatched vulnerabilities that hackers will continue to exploit freely.

Coordinated and potential cyber-espionage: Dragonfly and Turla

The Dragonfly group, which appears to have been in operation since at least 2011, initially focused on attacking defence and aviation companies in the United States and Canada before shifting its target to energy companies in early 2013. Capable of launching attacks through several different vectors, its most ambitious attack campaign compromised a number of industrial control system (ICS) equipment providers, tainting their software with a type of remote access Trojan. This gave the attackers full access to the systems on which this software had been installed. While this allows the attackers to reach target organizations in order to carry out espionage, many of these systems were using ICS programs to control critical infrastructure such as oil pipelines and power grids. Although no cyber-espionage was seen in these attacks, there is no doubt that the attackers had the capability and could have launched this type of action at any time. Perhaps they chose to wait and were interrupted before they could go further.

Dragonfly also uses targeted spam email campaigns and watering-hole attacks to infect selected organizations. Similarly, the group behind the Turla malware also uses a multi-pronged attack strategy to infect victims through spear-phishing emails and watering-hole attacks. The attacks compromise a number of legitimate websites and only “deliver” the malware to visitors from a certain preselected range of IP addresses. The attackers could also reserve their most sophisticated surveillance tools for high-value targets. Turla's motives are different from Dragonfly's. The attackers behind Turla are conducting long-term surveillance of embassies and government departments, a very traditional form of espionage.

However, both the Dragonfly and Turla campaigns bear the hallmarks of state-sponsored operations, displaying a high degree of technical capability and resources. They are able to mount attacks through multiple vectors and infect numerous third-party websites, with the apparent purpose being cyber-espionage, and sabotage as a secondary capability in Dragonfly's case.

These campaigns are just examples of the many other espionage campaigns that we see and that are created every day. This is a global problem and shows no sign of diminishing, as shown by attacks such as Sandworm, which is linked to a series of zero-day vulnerabilities. Given the evidence of extensive technical and financial resources, it is very likely that these attacks are state-sponsored.

Credit cards in the crosshairs

The lucrative business of selling stolen credit or debit card data on the black market makes them a prime target for cybercriminals. In 2014 there were several high-profile attacks aimed at point-of-sale (POS) systems to obtain consumers' payment card information. One factor that makes the United States a prime target is the lack of adoption of the chip-and-PIN system, known as EMV (Europay, MasterCard and Visa), which offers more security than magnetic-stripe cards. The attacks use malware that can steal information from the payment card's magnetic stripe at the moment it is read by the terminal and before it is encrypted. This stolen information can then be used to clone that card. Because EMV card transaction information is encoded uniquely each time, it is harder for criminals to collect useful pieces of payment data and reuse them for another purchase. However, EMV cards are just as susceptible to being used for fraudulent online purchases as traditional cards.

Apple Pay, which essentially turns your mobile phone into a "virtual wallet" using near-field communication (NFC) technology, also launched in 2014. NFC is a type of communication that involves transmitting data wirelessly from a device to another nearby physical object, in this case a cash register.

While NFC payment systems have been available for some time, we expect to see increased consumer adoption of this technology next year as more smartphones support it. It is worth noting that although NFC systems are more secure than magnetic stripes, there is still a possibility that hackers will exploit them, although this would require attackers to focus on individual cards and would not lead to the large-scale breaches or thefts we have seen. However, the payment technology currently in use will not protect against stores that do not store their customers' payment card data securely, so they will still need to remain vigilant about protecting stored data.

Increased collaboration with law enforcement

Now, for some good news: in 2014 we saw many examples of international law enforcement teams taking a more active and aggressive stance on cybercrime, collaborating ever more closely with the Internet security industry to take down cybercriminals.

Blackshades is a very popular and powerful remote access Trojan (RAT) used by a wide range of threat actors, from novice hackers to sophisticated cybercrime groups. In May 2014, the FBI, Europol and several other law enforcement agencies arrested dozens of people suspected of cybercriminal activity centred on the use of Blackshades (also known as W32.Shadesrat). Symantec worked closely with the FBI in this coordinated takedown effort, sharing information that enabled the agency to locate the alleged participants.

Just a month later, the FBI, the UK's National Crime Agency and a number of international law enforcement agencies worked together with Symantec and other private-sector companies to halt two of the world's most dangerous financial fraud operations: the Gameover Zeus botnet and the CryptoLocker ransomware network. As a result, the FBI seized a large infrastructure used by both threats.

While these takedowns are part of an ongoing effort, we will not see cybercrime disappear overnight. Both private industry and the authorities will have to keep cooperating to have a lasting impact. In this regard, as the rate and sophistication of cyber-attacks increase, we expect to see this trend of collaboration continue in order to locate criminals and stop them in their tracks.

So, these are the four most important online security events we have seen in 2014. Of course, there are still a few weeks before 2015 arrives, so we may yet see other events emerge, but you can trust that Symantec is here and we protect your information, whatever the future brings.

Symantec Intelligence Report: October 2014

Welcome to the October edition of the Symantec Intelligence report. Symantec Intelligence aims to provide the latest analysis of cyber security threats, trends, and insights concerning malware, spam, and other potentially harmful business risks.

The number of spear phishing attacks per day continues to trend downward over the last twelve months, coming in at 45 per day in October. Of the attachments used in such email-based attacks, the .doc attachment type comprised 62.5 percent and .exe attachments made up 14.4 percent. Of the industries attacked, the category of Finance, Insurance, and Real Estate received 28 percent of all spear phishing attempts in the month of October, followed by Manufacturing at 17 percent.

The largest data breach that was disclosed in October took place back in July. This breach had previously been reported; however, we learned this month that the breach resulted in the exposure of identities within 76 million households, plus information on an additional seven million small businesses.

In the Mac threat landscape, OSX.Okaz was the most frequently encountered OSX risk seen on OSX endpoints, making up 28.8 percent of OSX risks. OSX.Okaz is an adware program that may modify browser homepage and search settings.

Finally, ransomware as a whole continues to decline as the year progresses. However, the amount of crypto-style ransomware seen continues to increase. This particularly aggressive form of ransomware made up 55 percent of all ransomware in the month of October.

We hope you enjoy the October Symantec Intelligence Report. You can download your copy here.

Why We Love Appliances

Part One-- A Simplified World

Over time, IT professionals have seen the technology we most need change dramatically. Though seemingly small and simple, backup appliances in the data center can be added to our lives with little or no effort, perform with little outside intervention, provide significant time savings and generally require no configuration. Because of the simplicity they provide, appliances can free up resources in your enterprise in ways you may not even imagine.

ROLE OF APPLIANCES

So what role do these small but mighty backup appliances play in a data center? The answer isn’t simple, as there are many. A Purpose Built Backup Appliance (PBBA) can help enable application availability, provide dynamic backup, and assist in rapid data recovery, all integrated into a single appliance. Although their uses are many, their true strength lies in appliances’ ability to merge separate, independent components, simplifying the world of the data center, eliminating multiple legacy systems and mitigating data center sprawl, which can be the source of increasingly burdensome operating expenses.

SIMPLE AND NIMBLE

The ability to bring simplicity to a data center is the appliance’s biggest advantage. In much the same way that multiple virtual machines can now exist on a single piece of hardware, so too can an appliance integrate multiple hardware components in one physical box, freeing up IT resources and infrastructure for other purposes. This function becomes even more valuable when you consider that more than 50% of IT departments within enterprise are keeping their staff levels flat. Simplified management frees IT departments to focus on other critical tasks like managing their information or supporting strategic business initiatives.

Simplified management of information can also make networks more nimble. For example, consider a backup appliance such as the NetBackup 5230. By utilizing deduplication and consolidating the backup of cloud, virtual, and physical systems, this appliance makes the data backup more nimble. This in turn leads to a more flexible data center capable of spinning up applications and virtual machines with secure backup more rapidly.

Simplicity is just one of the primary benefits of adding an appliance to a data center. In our next post, we’ll explore the second primary benefit: cost savings. If you’re considering adding an appliance to your data center, both of these benefits are going to be crucial to your research. Make sure you’re following along.

Enterprise Vault and Microsoft Exchange 2013 Cumulative Update 6

One of the questions frequently asked on the forums after a new Exchange Server update is whether or not Enterprise Vault will work with it, and whether it will be supported. For the most part in the past, roll-ups or cumulative updates weren't specifically tested and called out individually. Customers could contact Support, and if an issue was found, it would be worked on and (hopefully) fixed.

Microsoft, in their wisdom, changed things a bit with Exchange 2013. The Cumulative Updates there are more like service packs than ever before. Take a look at the table below for an example of what I mean:

Exchange 2010:

With Exchange 2010 come service packs, and then update rollups after that, then another service pack, and more update rollups.

Exchange 2013:


With Exchange 2013, the service pack is just blended in with the cumulative updates.

(Taken from here and here.)

So with Exchange 2013 the cumulative update revisions are important when it comes to Enterprise Vault, to the point that just the other day the following technote was published:

Enterprise Vault support for Microsoft Exchange 2013 CU6

If you plan to upgrade Exchange, it is well worth looking for these types of articles, and subscribing to them, so you will be notified of updates.

More complex code in Code (Script) Component in workflow

I have found a neat little option to get more out of the Code (Script) Component: because the code is not validated, it enables you to write more complex code.

I used the Code (Script) Component for some minor things and then came to a feature that would be easily solved with a recursive function but hard to solve within only one function.
So I created a simple script with only a return statement (return intext;), clicked the "View Source Code" button on the "4. Test Page" of the wizard and got something like this:

using System;
namespace DynamicNamespace {
    public class DynamicClass {
        // The wizard pastes the script body verbatim into this method.
        public System.String DynamicMethod(System.String intext)
        {
            return intext;
        }
    }
}

Then I realized that I could perhaps "inject" the function I needed, and tested with the code below to see if there was any validator that would stop me from doing this.
(If you look closely at the code, I added a "}" after my function call and then declared my function but left out the "}" at the end of the function.)

return myFunction(intext);
}
private String myFunction(String intext)
{
    char[] charArray = intext.ToCharArray();
    Array.Reverse( charArray );
    return new string( charArray );

When I clicked the "View Source Code" button on the "4. Test Page" of the wizard, I got something like this:

using System;
namespace DynamicNamespace {
public class DynamicClass {
public System.String DynamicMethod(System.String intext)
{
    return myFunction(intext);
}
private String myFunction(String intext)
{
    char[] charArray = intext.ToCharArray();
    Array.Reverse( charArray );
    return new string( charArray );
}
}
}

As you can see, the end result is valid code: it compiles and returns a reversed version of the intext string.
Using this "hack" you can write much more complex code with functions, including recursive functions and helper functions that make your code more manageable.

I have included a small workflow with the code in the example.

Happy coding and I hope you can make use of my little finding.
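As an added illustration that is not part of the original post, here is a Python model of how the wizard pastes a snippet into DynamicClass (the wrapper text is the one shown above) together with a brace-depth check of the kind the component does not perform; the function names wrap and escapes_method are my own.

```python
"""Added example, not from the original post: model the wizard's wrapping of a
snippet into DynamicClass and check whether the snippet closes the method it
is pasted into. Wrapper text comes from the post; function names are mine."""

# The wrapper shown by "View Source Code" in the post, split around the snippet.
HEADER = (
    "using System;\n"
    "namespace DynamicNamespace {\n"
    "public class DynamicClass {\n"
    "public System.String DynamicMethod(System.String intext)\n"
    "{\n"
)
FOOTER = "\n}\n}\n}\n"

# The two snippets from the post: the plain return, and the one that closes
# DynamicMethod early and declares a second method.
SNIPPET_RETURN = "    return intext;"
SNIPPET_INJECT = (
    "    return myFunction(intext);\n"
    "}\n"
    "private String myFunction(String intext)\n"
    "{\n"
    "    char[] charArray = intext.ToCharArray();\n"
    "    Array.Reverse( charArray );\n"
    "    return new string( charArray );"
)


def wrap(snippet: str) -> str:
    """Paste the snippet verbatim into the method body, as the wizard does."""
    return HEADER + snippet + FOOTER


def escapes_method(snippet: str) -> bool:
    """True if the snippet's brace depth goes negative, i.e. it closes the
    DynamicMethod body it is pasted into. Braces inside string literals,
    char literals and comments are ignored (interpolated $"..." strings are
    not handled by this simplified scanner)."""
    depth = 0
    i, n = 0, len(snippet)
    while i < n:
        ch = snippet[i]
        if snippet.startswith("//", i):             # line comment
            nl = snippet.find("\n", i)
            i = n if nl < 0 else nl + 1
        elif snippet.startswith("/*", i):           # block comment
            end = snippet.find("*/", i + 2)
            i = n if end < 0 else end + 2
        elif snippet.startswith('@"', i):           # verbatim string, "" escapes a quote
            i += 2
            while i < n:
                if snippet[i] == '"':
                    if snippet.startswith('""', i):
                        i += 2
                        continue
                    i += 1
                    break
                i += 1
        elif ch in ('"', "'"):                      # regular string or char literal
            quote = ch
            i += 1
            while i < n and snippet[i] != quote:
                i += 2 if snippet[i] == "\\" else 1  # skip escaped characters
            i += 1
        else:
            if ch == "{":
                depth += 1
            elif ch == "}":
                depth -= 1
                if depth < 0:
                    return True
            i += 1
    return False


if __name__ == "__main__":
    for name, snippet in (("return", SNIPPET_RETURN), ("inject", SNIPPET_INJECT)):
        print(f"--- {name}: escapes method = {escapes_method(snippet)}")
        print(wrap(snippet))
```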

Help Improve Symantec's Online Content: Backup Exec, NetBackup, Enterprise Vault and Endpoint Protection

Please take our online survey and provide your feedback

We need your help!  The Symantec Support teams would be grateful if you could give us about five minutes of your time to help Symantec improve its online help content.

We know you want to get the right answers to your support questions, as quickly as possible. To do that, Symantec wants to provide you with online help articles that are easy to read and easy to use, and give you the information you need, when you want it.

So that we can better understand your needs, we are asking for your feedback about some sample Symantec online help articles, each survey containing two different versions of an article. After you read the articles, please complete the short survey and share your opinions about the articles.  Thank you for your time—your responses will help us help you more effectively.

Just pick one (or more) of the product areas below and let us know your feedback.

Backup Exec

How to resolve VSS writer failures encountered in BackupExec
How to troubleshoot V-79-57344-65072 error when the connection to target system has been lost

NetBackup

How to use the NetBackup Catalog Consistency Utility (NBCC) 7.6.0.3
Steps to resolve various tape drive issues that may be encountered while using NetBackup

Enterprise Vault

Test 1 - Users are prompted for username and password when attempting to open archived items
Version A: http://www.symantec.com/docs/TECH226053
Version B: http://www.symantec.com/docs/TECH56220
Survey: https://www.surveymonkey.com/s/DYYD2P5

Test 2 - How to move a vault store partition or vault store
Version A: http://www.symantec.com/docs/TECH226052
Version B: http://www.symantec.com/docs/TECH35742
Survey: https://www.surveymonkey.com/s/8NDZLRM

Endpoint Protection

Test 1 – Push install Symantec Endpoint Protection 12.1 clients using Remote Push
Version A: http://www.symantec.com/docs/TECH224952
Version B: http://www.symantec.com/docs/TECH164327
Survey: https://www.surveymonkey.com/s/GRQSNGQ

Test 2 - Disaster recovery best practices for Symantec Endpoint Protection 12.1

Version A: http://www.symantec.com/docs/TECH160736
Version B: http://www.symantec.com/docs/TECH224995
Survey: https://www.surveymonkey.com/s/GRWM5J7

Symantec Named Company of the Year – for the Second Time!


At the 15th Annual Powered by EF Awards, Symantec was named Company of the Year. This is the second time that we have been honored with this award and it clearly demonstrates that we are on the right track as we continually enhance our corporate responsibility objectives. 

The video below highlights Symantec's impact in the communities where our employees live and work:


The Entrepreneur’s Foundation of the Silicon Valley Community Foundation is a non-profit organization that works towards bridging the gap between the corporate and social sectors by aligning business goals with community needs to create maximum social impact and value. Their annual award event brings recognition to the leaders in corporate citizenship to acknowledge the successes of the past year.


Cecily Joseph, Jaime Barclay, Patricia Nevers, and Debra McLaughlin represent Symantec's Corporate Responsibility team at the 15th Annual Powered by EF awards in Redwood City, California.

The Silicon Valley Community Foundation had this to say of Symantec:

In reviewing the nomination, the awards committee was thoroughly impressed with the strategy that underlies all of Symantec’s CSR initiatives, and its focus on long-term, capacity building with its NGO partners. Additionally, four of Symantec’s NGO partners (Teach For America, WAGGS, NPower and Room to Read) nominated Symantec for Partnership of the Year. In reading these nomination forms, we were given even greater insight into the commitment and strong relationship present with each of your partnerships. As such, we are pleased to honor Symantec’s best in class CSR program with this award.

For Symantec, corporate responsibility is tethered to our core business values and it is an honor to be recognized for our commitment to our philanthropic endeavors. As we continue to focus our philanthropic efforts towards four core areas – science, technology, engineering and math (STEM) education, the environment, online safety, and diversity inclusion – we also encourage our employees to engage in volunteering and charitable giving through Dollars for Doers, Matching Gift, and corporate grant programs. We are particularly proud of our international pro-bono program, the Symantec Service Corps, that was first launched in February of this year. We will announce the new Service Corps team soon and will be sending them off to Ankara, Turkey in early 2015. To learn more about corporate responsibility at Symantec, you can access our recently launched FY14 Corporate Responsibility Report.

To learn more about Symantec’s philanthropic and volunteer efforts visit us at our community relations website or contact community_relations@symantec.com.

Keeping Cisco Unified Computing Systems Highly Available with Symantec™ Cluster Server


In October 2014, Symantec Cluster Server announced general availability for Cisco UCS HA solution. The new Cluster Server agent provides high-availability for Cisco UCS servers that had no standard way to achieve HA before the agent. To achieve HA for UCS, customers were performing service profile migrations manually or through complex custom scripts. In case of a fault, users had to identify the target server and then either manually associate the service profile to the target servers or had to write complex custom scripts specific to their environments to perform service profile migrations. Either of these cases made the whole process of service profile migration completely unpredictable and manual thus leading to increased downtime.  

With Symantec Cluster Server agent for UCS HA, customers can now achieve completely automated and predictable service profile recovery. The agent integrates with Cisco UCS Manager through XML API interface and monitors all the blade servers running inside a Cisco UCS domain. The solution monitors for Cisco UCS service profile configuration faults as well as hardware faults and performs the service profile migration in case of a failure.

Symantec Cluster Server agent for Cisco UCS HA provides two modes of service profile failover.

  • In Automatic Failover mode, Cluster Server monitors the service profile for configuration and hardware faults; once a fault is detected, Cluster Server notifies UCS Manager, which then identifies the target blade and performs the failover.
  • In Intelligent Failover mode, Cluster Server not only monitors for and detects faults, it also identifies the target blade server and completes the service profile failover to the identified target blade.

With Symantec Cluster Server, UCS customers can now perform service profile failovers for unplanned downtime and scheduled maintenance.  The Cluster Server UCS HA Solution Brief (attached) provides an overview of UCS HA agent. 

The Symantec Cluster Server, powered by Veritas High Availability agent for Cisco UCS is available for download at https://sort.symantec.com/agents (select Application Type: Application Agents and Release: 6.1). The agent is available for all major Linux platforms: Oracle Enterprise Linux, Red Hat Enterprise Linux and SUSE Linux Enterprise Server.

 

Taking A Bolder Approach To Protect Identities And Endpoints


Attackers want your employee usernames, their passwords, their authentication codes and access to your approved devices. They want your endpoints. They want to extract the information they contain, then use that information to penetrate your networks. From files to user credentials, endpoints can be a one-stop-shop for thieves looking to go on a data shopping-spree within your business and your identity can be their way in.

Difficult to Protect

When protecting endpoints and identities there is a delicate balance between flagging and impeding advanced threats, and preserving performance and functionality. Endpoint protection software monitors the behaviors of files and of websites. It compares those behaviors network-wide to current attack trends. The software is updated as solutions to new threats are discovered. That’s all well and good, as long as employee systems or devices are not bogged down and employees abide by corporate security policies. But what happens when employees are on personal devices, off the corporate network, accessing data from applications in the cloud that are not sanctioned by IT? That’s where the first line of defense is identity protection.

In the world of cyber security, more is more. Cyber thieves have a lot of tools and take a variety of approaches simultaneously. Multifaceted attacks require multilayered levels of protection. Standard antivirus controls, password only solutions, and assuming employees follow standard security policies are simply not enough. Organizations need solutions that can monitor how endpoints operate and flag anything that’s out of the ordinary. The software has to know the signs, and how to respond to them.  They need solutions that can help ensure that only the right people have access to the right data and applications, and if something suspicious occurs the right people are notified to take immediate action.

The Cloud has no Perimeters

“The goal of ensuring that only identified and authorized users have access to specific applications, data, and networks is the same as it has ever been. The challenge has expanded as a result of mobility and cloud computing,” writes Charles Kolodgy, Research VP with IDC’s Security Products services. Shadow IT and rogue cloud applications are a significant challenge for IT. For the most part users do not engage in this risky behavior out of any malicious intent but to improve productivity. However, the danger of data loss or a breach does exist because data is being made vulnerable. The burden falls to IT, which is challenged with ever more complex environments: more mobile users on more platforms, more user stores, more apps, more passwords, but not more resources.

The best defense is a strong offense.  “With a single point of control, the complexity created by the explosion of devices and applications can be reduced,” Kolodgy explains.  Validating the identity of a user and granting access to only the applications and data for which they are authorized, minimizes the potential for attack or unintentional loss of data.  A strong focus on a positive user experience and access to sanctioned data sharing apps motivates users to follow security procedures reducing their risky behavior while not stifling productivity, which is vital for the competitiveness of an organization.  

Above & Beyond the Standard

In addition to recognizing or minimizing risky behaviors, endpoint protection security and identity protection needs to be intelligent. “Security must also expand in sophistication in order to analyze data for indicators of compromise and provide a profile that includes a risk assessment for every file, URL, user, and many other variables,” writes Charles Kolodgy, Research VP with IDC’s Security Products services.

“Intelligent Security is the capability to analyze data to accurately identify anomalous activities that could indicate an ongoing attack,” he explains. “Security has to get smarter because of technology advances, user capabilities, and the exceptional capabilities of attackers.”

Intelligent security presents a variety of benefits. It can pinpoint where an attack began and how it progressed. It can separate the activities used in attacks from the standard activities that may be concealing them. Overall, intelligent security can make it easier to identify an attack and limit its damage.

Find more information about intelligent Symantec Endpoint Protection and Symantec Identity Access Manager, a next generation Single Sign–On solution with integrated strong authentication, access control, and user management, by visiting these links:

http://go.symantec.com/sep12

http://go.symantec.com/sam

Attackers exploiting the Windows Sandworm vulnerability sidestep the patch

Attackers continue to exploit the Sandworm vulnerability, using exploits that bypass its patch and delivering infected PowerPoint documents as email attachments.

At least two groups of attackers continue to exploit the recently discovered Windows Sandworm vulnerability, using exploits that bypass the patch. The vulnerability came to light through an exploit written by the group known as Sandworm, but there is now some evidence that at least one of these groups knew of its existence before it was disclosed on October 14.

As with Sandworm, these attacks arrive as email attachments and once again use infected PowerPoint documents as the infection vector. Symantec detects these malicious attachments as Trojan.Mdropper. The attacks deliver at least two different payloads to victims, namely Trojan.Taidoor and Backdoor.Darkmoon (also known as Poison Ivy).

The group using Taidoor is a well-organized threat actor that has been active since at least 2008. It has a history of exploiting recently discovered zero-day vulnerabilities in its attacks. Most recently, in March, the group exploited a Microsoft Word zero-day bug in attacks against Taiwanese government agencies and educational institutions.

More troubling is the Darkmoon variant. Weeks before the original Sandworm vulnerability (CVE-2014-4114) was disclosed, there were clues that this group may have been preparing to use the variant in September. The payload's compile timestamp is September 10, and the infected PowerPoint document was last modified on September 12. Command-and-control activity from the payload was detected on September 24.

It should be noted that Symantec has not observed the date on which the payload was delivered, and attackers can deliberately use misconfigured computers to create false timestamps. However, the correlation between these three timestamps suggests that this group was very likely exploiting the vulnerability before October 14.

Figure 1. Infected PowerPoint file exploiting the Sandworm vulnerability

Microsoft is aware of the vulnerability and has published a new security advisory warning users of possible attacks. However, the company has not yet released a patch for this latest issue, which is tracked as the Microsoft Windows OLE Remote Code Execution Vulnerability (CVE-2014-6352).

The original Sandworm vulnerability (the Microsoft Windows OLE Package Manager Remote Code Execution Vulnerability, CVE-2014-4114) concerns the way Windows handles OLE, a Microsoft technology that allows rich content from one document to be embedded in another, or a document to be embedded in another as a link. OLE is normally used to embed locally stored content, but this vulnerability allows an external file to be downloaded and executed without any prompt. It lets an attacker embed an Object Linking and Embedding (OLE) file from an external location, and exploiting it allows malware to be downloaded and installed on the targeted computer.

Where the original vulnerability (CVE-2014-4114) involved embedded OLE files linking to external files, the newer vulnerability (CVE-2014-6352) involves OLE files with an executable payload embedded inside them.

The new vulnerability affects all supported versions of Microsoft Windows except Windows Server 2003. Microsoft has produced a Fix it solution to address the known exploits. Windows users are advised to exercise caution when opening Microsoft PowerPoint files or other files from untrusted sources, and to enable User Account Control (UAC) if it is not already enabled.

Symantec protection
Symantec protects customers by detecting the malware used in attacks exploiting this vulnerability as follows.

Antivirus

  • Trojan.Mdropper
  • Trojan.Taidoor
  • Backdoor.Darkmoon
  • Bloodhound.Exploit.553

IPS

  • Web Attack: Microsoft OLE RCE CVE-2014-6352

This threat is under investigation and further protection will be released as necessary.

Symantec's DISARM technology (included with Symantec Messaging Gateway 10.5 and later) correctly blocks payloads that exploit the Sandworm vulnerability. Because DISARM does not rely on signatures, customers running this technology were protected even before the vulnerability was disclosed.

Symantec advises users to keep their security solutions up to date and to exercise caution when opening attachments to unsolicited email. Symantec customers using Symantec cloud services are protected against spam that delivers malware. For the best protection, Symantec customers should also ensure they are using the latest Symantec technologies, combining consumer and enterprise solutions.

Update, October 24, 2014
The Intrusion Prevention Signature (IPS) Web Attack: Microsoft OLE RCE CVE-2014-6352 and the heuristic detection Bloodhound.Exploit.553 now protect users against this threat. This blog has been updated accordingly.

To Go Forward, Back Up! Backup Strategies from 8 Leading Asia-Pacific Companies


In business today, the quality of a customer experience that a company provides often depends on technology. Even when a customer is face-to-face with a company employee, or interacting over the phone, it’s likely that the company employee is interacting with a computer application on the customer’s behalf.

As a result, there is greater pressure than ever on IT teams to keep corporate services and data available and resilient. In the 21st century, companies are their technology. The trust that they earn from customers depends on the availability and reliability of services.

Backup and recovery have become more important than ever. On the other hand, because IT teams need more time to develop new technology services that keep businesses competitive, there is less time for routine tasks such as backup and recovery. Companies need to streamline backup and recovery to minimize costs and resources, yet also protect faster-growing volumes of data at higher service levels.

These goals seem contradictory. But a number of Asia Pacific companies have developed strategies that achieve them all. The companies spend less time and money on backup, and have more resources for innovation as a result. Eight of these companies share their backup and recovery strategies below.

1. To simplify, turn multiple locations into one domain

How do you protect 20 million customers and back up several hundred terabytes daily with near 100 percent success—and a backup team of just two people?

Shanghai Mobile installed a NetBackup appliance at each of its five sites and organized them into one backup domain, run from a single console. Backups now complete twice as fast, and a process that used to involve several dozen people now takes just two. Get the details here.

2. Replicate automatically, recover anywhere

No company wants to handle 600 to 800 backup tapes, or shoulder the risk involved in sending tapes off site for disaster recovery. Suning Commerce Group, China’s largest retailer, decided to move from tape-based to disk-based backup.

Using two NetBackup appliances, it can now back up file servers 25 times faster, save CN¥3 million (US$483,000) in tape costs, and automatically replicate only changed blocks of deduplicated data between two sites, enhancing disaster recovery while eliminating the risk of shipping tapes.

The two appliances replicate data and the associated backup catalog, which includes records listing the files that have been backed up and the media on which the files are stored. As a result, data is ready for fast recovery at any site.  Learn more here.

3. Use technology to beat the competition

How does a small ad agency transform legacy technology into capabilities that help crush the competition?  One key step is to reduce complexity. Perth, Australia-based Marketforce uses NetBackup to unify three platforms, reducing training and administration time, boosting backup success, and giving the IT team 200 more hours a year for innovation. That’s a big gain for a small IT staff.

It was all part of an impressive IT makeover from a Symantec Partner. The agency’s smart processes were cited by a major advertiser when it awarded its account to Marketforce over the competition. Get the details.

4. Be ready to recover granularly

New Zealand’s Mitre 10 understands the importance of good tools. It’s an independent home improvement chain with 100 stores, twice as many as its nearest competitor.

Mitre 10 tripled its backup speed by upgrading to Symantec Backup Exec 2014. But it’s the granular recovery and the resulting 100 percent recovery rate that are most important to the company’s backup administrator: “The ability to back up a virtual machine image as well as the files inside it—or restore an entire virtualized application or the granular data in it—that’s what makes Backup Exec 2014 far more compelling than its competitors,” says Paul Flatt, infrastructure and support manager at Mitre 10.

Mitre 10 has been able to reduce backup and recovery administration time by 400 hours per year, enabling the IT team to take on higher value projects. It has recently been able to reduce the disaster recovery time objective from days to hours. Get the details here.

5. Make many small gains add up to a big one

South Korea’s Hanwha General Insurance used a steady stream of improvements to increase its sales while winning awards for achieving great customer service for three years straight. One improvement was automating backup with Backup Exec 3600 appliances, using them to replicate data between locations.

Says Bang Seokjae, IT manager at Hanwha: “The Backup Exec 3600 appliances enable us to recover our servers twice as fast as we did before. We will achieve 100 percent payback in six months.”  Here are the details.

6. Revise the backup approach to triple the speed

Hitachi Consulting Software Services India Pvt Ltd. develops intellectual property for major clients, and taking care of client data is critical. The company wanted to speed its file-based backups, and chose a technology that eliminates the scan to determine file change percentages. Leveraging client-side deduplication, the approach synthetically constructs a full backup image with full recovery benefits in the time it takes to do an incremental.

What’s the overall gain?  Full file server backups now complete three times faster, in 6 hours instead of 18, and the network and the IT team have more bandwidth for more valuable projects. See the story here.

7. Recover up to 20 times faster

From its Hong Kong office, Michael Page International, a leading professional recruitment consultancy, is expanding fast and working hard to provision new offices across Asia.

Backup and recovery were a struggle until it adopted new technology that made recoveries up to 20 times faster: now it can restore 1.8 terabytes in 3-4 hours instead of the 3-4 days its prior solution required. Deduplication has enabled the company to keep five times more data on site, enabling email message recoveries in an hour that once took a day. Learn more here.

8. Reduce the cost of backup by 60-70 percent

In South Korea, ForceTEC Co. Ltd. manages global logistics as well as a number of other transportation-related businesses. The company wanted to simplify a complex backup environment, and chose an approach based on backup appliances.

Its new processes include snapshot backups that combine the speed of raw-partition backups with the ability to restore individual files and keep the file system mounted during backups. The result is a first-time-ever capability to do full backups of a vast file environment within backup windows.  In addition, time and space savings have reduced the total cost of backup operations by 60 to 70 percent. See the details here.

Many other businesses offer advice in this customer success finder on how to go forward by backing up more efficiently.


How to find computer rebooted to WinPE Automation in DS 7.5


Since Deployment Solution 7.5, computers rebooted to Automation are renamed to their serial numbers rather than "MiniNTxxxx".

To retrieve the computer serial number, while in automation, type on the command prompt:

"wmic bios get serialnumber"

Then lookup the computer on the console under Manage > Computers.

Rather than adding custom search criteria, this should help you quickly identify the target machine for troubleshooting purposes.

Creating a Lasting Impact on STEM Education with Boys & Girls Clubs of America


Summary:

Today, strong partnerships are critical to developing pathways that inspire youth to succeed in STEM careers. Working alongside Boys & Girls Clubs of America, Symantec is playing a key role as an innovator and thought leader, increasing STEM programming and opportunities in the communities in which we serve.

Introduction:

Each year Symantec worldwide works with thousands of internal and external stakeholders to help drive progress within our four philanthropic focus areas: science, technology, engineering, and math (STEM) education; online safety; diversity; and environmental responsibility. Today, we take a look at STEM, and how Symantec is partnering and inspiring youth to become our future leaders and innovators.

Symantec is committed to promoting STEM education, and helping today’s youth understand and prepare for the vast career opportunities these fields offer. In fact, one goal, outlined in Symantec’s recently released FY14 Corporate Responsibility Report, is to excite, engage and educate one million students in STEM education through global nonprofit partnerships, with an emphasis on computer science and cybersecurity, by 2020 with an investment of US$20 million.


BGCA’s STEM Great Think

As Symantec looks toward the future, there’s a significant opportunity to advance STEM education in the out-of-school time (OST) space. That’s why in May 2014, Symantec joined with thought leaders representing higher education, government, corporations and nonprofit organizations to participate in the Boys & Girls Club of America’s (BGCA) STEM Great Think, the first national thought leadership forum to combine innovation and creativity with STEM programming in the OST environment. The result of this conference was a white paper published in October 2014: “Advancing Underrepresented Youth in STEM During Out-of-School Time.”

“The real challenge is getting our kids to understand that careers in STEM exist—that you can see beyond what’s at the end of your own block and your own street,” said Pandit F. Wright, president and CEO, Boys & Girls Clubs of Greater Washington during the STEM Great Think discussion.

With the goals to examine critical issues affecting America’s youth, develop plans for establishing strategic partnerships that advance OST STEM education, and engage more underrepresented youth in these disciplines to set them on the path to successful careers, the STEM Great Think featured a panel discussion and roundtable session in which participants offered guidance for OST providers.

“The STEM Great Think brought together an incredible group of innovators to discuss different challenges that kids face and how we can improve their educational experiences and positively impact their futures,” said Ken Schneider, vice president and fellow at Symantec and participant in the Great Think.

During the discussion, Schneider’s group was tasked with evaluating societal pressures and ingrained thinking and exploring the hurdles that many kids face. He heard stories from Club youth in which a strong support system helped them overcome challenges early in their education and build confidence and ultimately perseverance.

“This session was a great reminder about the fragile nature of education and how quickly many kids might give up if they don’t have strong teachers, parents and mentors available to encourage them,” said Schneider. “It was very evident the positive impact that OST programs, including Boys & Girls Clubs, can have in inspiring more underrepresented youth to become the innovators and problem-solvers of tomorrow.”

“I was very proud to represent Symantec at this event and continue to be impressed with the commitment the company has made to STEM and BGCA. We have great resources and a very smart team. Our investment can make a significant impact in the lives of these Club kids,” said Schneider.

 

A bright future for STEM education

Helping to provide access to quality programs is one of the most important things Symantec can do to encourage STEM studies. Since the beginning of 2013, Symantec has supported the development of BGCA’s highly engaging STEM programming. Boys & Girls Clubs provide a safe place for children to learn and grow, all while having fun. With more than 4,100 Clubs serving nearly four million young people annually through their after-school and summer programs and community outreach, partnering with BGCA continues to have a huge impact.

With Symantec’s support, Clubs have taken part in programs such as the national high school cyberdefense competition, an underwater robotics project; and a digital game design curriculum. Also, Symantec employees share their advice and expertise in the “STEM 101: Careers” article series on myclubmylife.com to help Club members learn more about what they can do to prepare for an educational path and career in STEM.

In addition, Symantec provides mini-grants, smaller funds allocated to individual Clubs in cities in which Symantec has employees, to help these locations expand their STEM programs. Over the past year, nearly 800 STEM program sessions were held in 10 Clubs thanks to Symantec’s grants. These Clubs saw an increase in daily attendance and were able to successfully recruit more children by promoting their STEM programs.

“At BGCA, our aim is to ensure that all Club members graduate and are globally competitive leaders. By providing STEM mini-grants to Clubs, we were able to support the critical work of ensuring that Club youth become aware of possible STEM career opportunities, engage in meaningful hands-on learning experiences, and build core competencies in creative thinking and problem-solving,” said Edwin Link, senior director of academic success, arts and innovation at BGCA.

Symantec continues to explore opportunities to support BGCA’s efforts in positive youth development, including serving on BGCA’s STEM Advisory Council and volunteering at local Clubs.

 

To review the white paper that resulted from BGCA’s Great Think, visit: “Advancing Underrepresented Youth in STEM During Out-of-School Time.”

 

Get involved

  • To learn more about STEM programs and opportunities at Boys & Girls Clubs, visit www.GreatFutures.org.

Related article

Rapid Relevance, Precise Production


There is an ongoing debate in the industry around how to treat document families.  But, what is a document family?  Well, there are several kinds of families whether this is an e-mail and its attachments or a zip file with the contained content.

But the usual debate is around e-mail families.  The e-mail is the parent and each attachment is a child, hence the term family!

Why is there a debate about this?  An email is just an email right?  Well, anyone trying to control costs and reduce risk within an eDiscovery exercise very much cares about this topic.

Consider an e-mail with 10 attachments.  I have some targeted keyword searches and I identify a hit in only one of the attachments to the email.  Does my reviewer need to review the email and 10 attachments or just the one attachment that has the hit?  The approach taken will have a large impact on the overall review costs and the approach taken will very much depend on the matter.

When I come to produce my data to the opposition, do I need to include the whole family or just the single attachment that was deemed to be relevant to the case?  I don’t want to disclose more than I need as this could be detrimental to my case.  However, I also don’t want the completeness of my production to be questioned and enter into a lengthy back and forth and incur the cost and time penalties associated with it.

The problem exists as there are no hard and fast rules.  During the Abu Dhabi Commercial Bank v. Morgan Stanley & Co, Inc. case, the Special Master needed to investigate the appropriate approach and found that although there are guidelines, there is nothing to dictate the required approach:

The Special Master concluded that the “best practice” was for parties to discuss and settle issues surrounding emails and attachments in advance.

The typical approach with regard to producing data is that the data should be produced “as kept in the usual course of business”, that is, as complete families. There needs to be a placeholder to represent any data that must be withheld, for example due to privilege or commercial sensitivity. And let’s not forget data that is unavailable for technical reasons; these items also need to be represented.

The eDiscovery application chosen needs to be flexible to meet your differing case requirements.  From a review perspective you need to be able to review at an item level, family level or perhaps a combination of the two.

When you produce data, you need to have the option to include placeholders that clearly denote the reason for their placement whether it is due to privilege or any number of technical reasons. 


MySQL Injection: Comments On Comments


If you're familiar with web application penetration testing and SQL injection then the classic SQL injection exploit string should ring a bell:

' OR 1=1--

This exploit string is utilized by attackers to modify the structure of a dynamic SQL query executed by the target web application. For example, consider the following Java code snippet that executes a SQL query against a backend MySQL database in order to search for albums by a specified artist. The code constructs a dynamic SQL query including unvalidated user input:

String artist = request.getParameter("artist");
String query = "SELECT * FROM musicCatalog WHERE artist = '" + artist + "'";

This query will match all database table rows where the artist name matches the unvalidated "artist" parameter supplied by the user. A typical search would result in a SQL query that looks something like this:

SELECT * FROM musicCatalog WHERE artist = 'Arctic Monkeys'

However, attackers can utilize the classic SQL injection exploit string in order to maliciously modify the structure of the SQL query:

SELECT * FROM musicCatalog WHERE artist = '' OR 1=1--'

This SQL query will match all table rows where either the artist name matches the empty string or one equals one. Because one always equals one, all rows are matched and returned to the attacker. The double-dash sequence specifies a SQL comment, causing the database to ignore the remainder of the query. Attackers can utilize the "UNION" operator in order to further modify the structure of the query to compromise information from other database tables. For example, another database table might store customer billing information including credit card numbers. Piece of cake, eh? Maybe. Maybe not.

Both attackers and penetration testers alike often forget that MySQL comments deviate from the standard ANSI SQL specification. The double-dash comment syntax was first supported in MySQL 3.23.3. However, in MySQL a double-dash comment "requires the second dash to be followed by at least one whitespace or control character (such as a space, tab, newline, and so on)." This double-dash comment syntax deviation is intended to prevent complications that might arise from the subtraction of negative numbers within SQL queries. Therefore, the classic SQL injection exploit string will not work against backend MySQL databases, because the double-dash will be immediately followed by the terminating single quote appended by the web application. However, note that there are exceptions to this rule. For example, user input included within an "ORDER BY" clause is not encapsulated within single quotes. Instead the web application code typically appends a space and either the "ASC" or "DESC" keyword. Therefore the classic SQL injection exploit string would indeed work in this case. However, in most cases a trailing space needs to be appended to the classic SQL exploit string. For the sake of clarity we'll append a trailing space and dash:

' OR 1=1-- -

This updated classic SQL injection exploit string would result in a SQL query that looks something like this:

SELECT * FROM musicCatalog WHERE artist = '' OR 1=1-- -'

The double-dash comment now properly terminates the remainder of the SQL query and Heather The Hacker can happily get her SQL injection on while scarfing down Cheetos and chugging Mountain Dew. Mmm, Cheetos and Mountain Dew. Note that for simple SQL queries the terminating single quote appended by the web application can simply be matched instead of commented out. For example, consider the following SQL injection exploit string:

' OR 'a'='a

This exploit string would result in a SQL query that looks something like this:

SELECT * FROM musicCatalog WHERE artist = '' OR 'a'='a'

In this case the exploit string properly balances the terminating single quote appended by the web application. Therefore the syntax of the SQL query is still valid and the SQL injection attack is successful. The same technique can be used within exploit strings that utilize the "UNION" operator in order to compromise information from other database tables. However, this approach will not work against more complex SQL queries. For example, consider the following SQL query:

String query = "SELECT * FROM musicCatalog WHERE artist = '" + artist + "' AND price = '6.99'";

This query will match all database table rows where the artist name matches the unvalidated "artist" parameter supplied by the user and the price is $6.99. In this case the additional "AND" condition prevents single quote matching from resulting in useful SQL injection. The previous exploit string would result in a SQL query that looks something like this:

SELECT * FROM musicCatalog WHERE artist = '' OR 'a'='a' AND price = '6.99'

As you can see, even though the exploit string properly balances the terminating single quote, the additional "AND" condition prevents the query from matching all table rows. However, a properly spaced double-dash comment will still result in useful SQL injection:

SELECT * FROM musicCatalog WHERE artist = '' OR 1=1-- -' AND price = '6.99'

Of course web application developers should implement parameterized prepared statements (or securely coded stored procedures) in order to prevent SQL injection in the first place. Are your developers perfect? Didn't think so. In that case, remember this double-dash comment syntax quirk when penetration testing a web application that interfaces with a backend MySQL database. In addition, some automated web vulnerability scanning tools do not properly account for MySQL double-dash comment syntax, so be sure to pick up their slack. Otherwise your doomed SQL injection attempts might flop like busted politicians across the nation: "No comment!"
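The concatenation pattern above beside the prepared statement the post recommends, as an added example that is not part of the original post or its code. It uses Python's built-in sqlite3 as a stand-in database (an assumption: sqlite3 binds parameters with '?', while MySQL drivers use '%s'; the principle is identical), a constructed musicCatalog table, and a small helper that applies MySQL's double-dash rule to a finished query string so you can see which of the post's strings actually open a comment under MySQL and which do not:

```python
"""Added example (not from the original post): vulnerable concatenation next to
a prepared statement, plus a check that applies MySQL's '--' comment rule to a
finished query string.  sqlite3 is an in-memory stand-in for the database
(assumption: '?' placeholders; MySQL drivers use '%s')."""
import sqlite3

# Constructed sample rows modelled on the post's musicCatalog table.
SAMPLE_ROWS = [
    ("Arctic Monkeys", "AM", "6.99"),
    ("Radiohead", "Kid A", "9.99"),
    ("Portishead", "Dummy", "6.99"),
]


def make_db() -> sqlite3.Connection:
    """In-memory catalogue populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE musicCatalog (artist TEXT, album TEXT, price TEXT)")
    conn.executemany("INSERT INTO musicCatalog VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def build_query_vulnerable(artist: str) -> str:
    """Same string concatenation as the post's Java snippet: the pattern to avoid."""
    return "SELECT * FROM musicCatalog WHERE artist = '" + artist + "' AND price = '6.99'"


def mysql_double_dash_comment_at(query: str) -> int:
    """Index of the first '--' that MySQL would treat as a comment start, or -1.

    MySQL opens a '--' comment only when the second dash is followed by whitespace
    or a control character, so "--'" is NOT a comment while "-- -'" is.  This is
    a purely lexical check (it does not track string-literal quoting), which is
    enough for a spot-check of a logged or reconstructed query.
    """
    pos = query.find("--")
    while pos != -1:
        nxt = query[pos + 2:pos + 3]
        if nxt and (nxt.isspace() or ord(nxt) < 32):
            return pos
        pos = query.find("--", pos + 1)
    return -1


def effective_query_mysql(query: str) -> str:
    """What MySQL actually parses: text after a valid '--' comment is dropped."""
    pos = mysql_double_dash_comment_at(query)
    return query if pos == -1 else query[:pos].rstrip()


def search_parameterized(conn: sqlite3.Connection, artist: str) -> list:
    """The fix the post recommends: the value is bound, never spliced into SQL text."""
    sql = "SELECT * FROM musicCatalog WHERE artist = ? AND price = '6.99'"
    return conn.execute(sql, (artist,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    for artist in ("Arctic Monkeys", "' OR 1=1--", "' OR 1=1-- -", "' OR 'a'='a"):
        q = build_query_vulnerable(artist)
        print(f"{artist!r:16} MySQL comment opens at: {mysql_double_dash_comment_at(q):3}  "
              f"rows via prepared statement: {len(search_parameterized(conn, artist))}")
```

The helper is lexical and ignores quoting, so treat it as a spot-check on query strings rather than a parser. The prepared statement returns no rows for any of the post's strings because the bound value is compared as a literal artist name and never parsed as SQL, which is why the comment quirk stops mattering once the code is fixed.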

Altiris 7.5 Linux PXE Kernel drivers

A small guide on how to compile Altiris 7.5 Linux PXE Kernel drivers

This is only a short guide to help you get started in compiling your own drivers or using my pre-compiled ones. The guide is written for someone who has prior Linux and kernel-compiling experience.

Required software:
• A system running RHEL Server 6.4 i386; a VM on your local workstation will do
• Kernel sources and headers 2.6.32-358.el6
• gcc-4.3, the GNU C Compiler
• make, the tool that runs the compile script
• wget, a tool to download files from HTTP servers
• bzip2, a compression tool
• build-essentials, tools and libraries used to compile

Get the kernel config from your Altiris server; its path should be something like c:\Program Files\Altiris\Notification Server\NSCap\bin\Deployment\BDC\bootwiz\Platforms\Linux\x86\Build\config.x86
Copy the config.x86 file to your kernel source directory (mine is /usr/src/kernels/linux-2.6.32-358.el6), rename it to .config and run "make oldconfig" to resolve any configuration problems.

Change the config to enable compiling of a driver, either by editing the .config file and running "make oldconfig", or by running "make menuconfig" and selecting the missing driver.
Then run "make modules" to compile the modules; you will find them under /usr/src/kernels/linux-2.6.32-358.el6/drivers.
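The steps above scripted end to end, as an added example that is not part of the original post. It assumes the kernel source tree sits at the path the post uses (overridable via KSRC), that config.x86 has already been copied off the Altiris server to the path in ALTIRIS_CONFIG, and it takes the Kconfig option names to enable as arguments (CONFIG_E1000E and CONFIG_BNX2 in the usage comment are sample names, not ones the post mentions). The .config editing helper handles the three states an option line can be in, which is the part that is easy to get wrong by hand:

```shell
#!/bin/bash
# Added example, not from the original post: scripts the build steps above.
# Assumptions: kernel source tree at $KSRC (the post's path) and config.x86
# already copied from the Altiris server to $ALTIRIS_CONFIG.
set -eu

KSRC="${KSRC:-/usr/src/kernels/linux-2.6.32-358.el6}"
ALTIRIS_CONFIG="${ALTIRIS_CONFIG:-./config.x86}"

# Switch one option to "=m" (build as a loadable module) in a Kconfig .config.
# Covers the three states a line can be in: "# OPT is not set", "OPT=y|m|value",
# or absent altogether (then the line is appended and "make oldconfig" validates it).
enable_kconfig_module() {
    local config_file="$1" option="$2"
    if grep -q "^# ${option} is not set\$" "$config_file"; then
        sed -i "s|^# ${option} is not set\$|${option}=m|" "$config_file"
    elif grep -q "^${option}=" "$config_file"; then
        sed -i "s|^${option}=.*\$|${option}=m|" "$config_file"
    else
        printf '%s=m\n' "$option" >> "$config_file"
    fi
}

# Print an option's state: "n" for "is not set", its value if set, nothing if absent.
kconfig_value() {
    local config_file="$1" option="$2"
    if grep -q "^# ${option} is not set\$" "$config_file"; then
        echo n
    else
        sed -n "s|^${option}=||p" "$config_file" | head -n 1
    fi
}

# Full flow from the post: install the Altiris config, enable the wanted drivers,
# resolve the config, build the modules and list the resulting .ko files.
# Usage: build_altiris_modules CONFIG_E1000E CONFIG_BNX2   (sample option names)
build_altiris_modules() {
    cp "$ALTIRIS_CONFIG" "$KSRC/.config"
    local opt
    for opt in "$@"; do
        enable_kconfig_module "$KSRC/.config" "$opt"
    done
    make -C "$KSRC" oldconfig
    make -C "$KSRC" modules
    find "$KSRC/drivers" -name '*.ko'
}
```

Run "make oldconfig" after editing rather than trusting the edited file: it prompts for any dependency the newly enabled option pulls in, which is exactly the "configuration problems" step the post refers to.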

I have compiled quite a few drivers that I have included in the attached zip file. Most of them are not tested and were only compiled for future use, so I will not give any support for them, but if the one you need is included and it works, you have saved some time.
