Channel: Symantec Connect - Blog Entries

Not all certificate authorities are equal


In July 2011, an internal audit uncovered an intrusion into the infrastructure of the certificate authority (CA) DigiNotar, indicating that its cryptographic keys had been compromised. The breach of those keys made it possible to fraudulently issue public-key certificates for several dozen domains, including the Google.com domain. Shortly after the incident, DigiNotar revoked all related certificates, had a third-party security audit performed, and then attempted to revoke the outstanding certificates that had been affected. After July 19, DigiNotar believed that all of the fraudulent certificates had been taken out of circulation through revocation.

Unfortunately, a few weeks later (WHEN WAS THIS EXACTLY), it was discovered that instances of fraudulent certificates were still in circulation. On August 28, 2011, a forged DigiNotar wildcard SSL certificate issued for Google was discovered. Google announced that this certificate mainly affected Gmail users in Iran.

In December 2012, TURKTRUST, a Turkish certificate authority, mistakenly issued two intermediate CA certificates to two organizations in Turkey. With these trusted intermediate certificates, the two organizations (a Turkish bank and a Turkish government transport agency) became able to issue fraudulent or unauthorized certificates for domains they did not control. In this case, a fake wildcard certificate was issued for the google.com site without Google's permission.

According to TURKTRUST, the incident occurred during a software migration in August 2011. In a statement released by the CA, the intermediate certificate profiles had been moved to a production server. This caused the intermediate CA certificates to be issued without the CA noticing what had happened. Google identified the fake certificate for its domain on December 24, 2012. Since then, the fake intermediate certificates have been blacklisted by Google, Mozilla and Microsoft. In addition, the Chrome browser stopped displaying Extended Validation status for any SSL certificate issued by TURKTRUST.

These are just two of a series of successful attacks against certificate authorities in the last two years, and the threat to CAs from criminals will certainly not diminish. On the contrary, hackers have been continually raising the bar, and the techniques used to exploit networks are becoming ever more sophisticated.

As one of the world's leading certificate authorities, we at Symantec take responsibility for protecting data in transit on the Internet as an obligation to our customers. It is essential that a certificate authority's highest business priority focus on:

1) Continuously strengthening the infrastructure that protects cryptographic keys; and

2) Protecting the authentication process that validates identity.

Rigorous and diligent maintenance of the security infrastructure surrounding certificate authorities must be seen as a crucial ingredient in the success of a CA's customers and of the web consumer community as a whole.

Not all certificate authorities are created equal

Companies choosing a CA vendor should remember that this choice matters a great deal. Not all SSL certificates are issued the same way, and companies need to consider the level and rigor of the authentication and security built into the SSL certificates on which the trust of their brand and their customers depends. Organizations should make sure the CA publishes its policies and submits to routine audits to guarantee a secure infrastructure. Unfortunately, there is no minimum standard in today's SSL certificate market. While price certainly plays a significant role in the purchasing process, as the various CA breaches reminded us this year (WHAT YEAR? 2012?), we suggest that price be only one of several factors in choosing a CA. When evaluating a CA, we strongly recommend that you consider:

  • The security diligence the CA applies to protect cryptographic keys
    • Hardened facilities designed specifically to defend against attacks
    • Hardware-based cryptographic signing systems
    • Regular audits performed by third parties
    • Defense-in-depth network security and malware defenses
  • The vendor's enforcement of dual-control certificate issuance
  • The use of authentication and registration best practices for identifying ownership
  • Documented background checks of CA employees to protect against insider threats
  • The strength of the vendor's history of trust and security

For consumers, it is important to know that SSL remains the most effective method of secure data transmission on the web. It is equally important to stay informed about who is behind the security of the site you do business with. Do they have a good reputation? Do they have a proven track record of issuing certificates? Do they have a robust infrastructure in place to prevent these kinds of attacks? For even better online protection, know what to look for:

  • Make sure your browser software is up to date in order to have the latest set of valid root keys.
  • Look for the green address bar provided by Extended Validation (EV) SSL for additional protection.
  • Look for a recognized trust mark, such as the Norton Secured Seal with the check mark.
  • Look for the ‘s’ in “https” in the URL, which indicates a secure environment.
  • Look for the padlock to check who signed the SSL certificate and make sure you recognize the CA.

Ultimately, it is important for the community to understand that there is nothing inherently wrong with SSL. CAs and companies need to do the right thing and make sure consumer information stays secure. CAs that follow established best practices for protecting private keys, together with the careful application of strict authentication practices, are essential components in keeping the Internet a safe environment for everyone.

When it comes to security, business continuity and peace of mind, remember that not all CAs are created equal.


Tax Time: A Great Time for A Business Checkup


As a small business owner, tax season can be… taxing. Between filing deadlines, issuing important tax documents to employees, and regular warnings from the IRS about scams and phishing attacks meant to trick you into revealing personal information about yourself or your business, it’s easy to understand why so many small business owners dread tax season.

But despite the added stress tax season brings, it can serve as an important yearly “self-check” reminder to make sure you are taking steps to protect your critical business information. Here are a few things to remember as you begin preparing for tax season:

Secure your data – Do you prepare your business’ taxes on a company computer? If so, you likely have some very sensitive financial information on your hard drive. Make sure your files are secured with password-protected directories and accounts, and that your entire system is protected from outside threats. Also, if you plan to use a wireless network to electronically file your taxes, be sure to use a secure Internet connection and never use public wireless hotspots.

Back up financial data – When was the last time you backed up your company data? If you don’t already follow a backup schedule, tax season can be a great reminder that you need to regularly back up your data. Regularly backing up your data not only protects you at tax time in the event your data is compromised, it can also help protect you against future events such as a natural disaster. Remember that whether you back up to the cloud or a separate physical device/location, electronic data needs to be kept in a secure environment.

Keep your security software updated – You don’t have the time or resources to keep track of each and every new scam, phishing attack, or threat that comes around – that’s what your security software is supposed to do. But just as you can’t file your taxes without the most accurate tax information, your security software can’t do its job if it’s not up-to-date. The threat landscape changes daily, so keeping your security software up-to-date helps ensure that it will be able to address the most current threats to your information. After all, your ability to run an effective business depends on making sure your confidential data is safe and secure from outside threats.

It shouldn’t come as any surprise that tax- and wage-related fraud often tops the Federal Trade Commission's annual list of identity theft complaints. By following these tips and using tax season as a yearly “checkup” reminder, you can have confidence knowing you’ve taken steps to protect yourself and your business against the onslaught of tax-related scams and attacks.

For additional tips and reminders to help employees avoid sharing confidential data during tax season, please visit the Symantec security blog. You can find even more tax tips and Symantec product information here.

Targeted Attack Exploiting the Mandiant Report


The report titled "APT1: Exposing One of China's Cyber Espionage Units", published by Mandiant earlier this week, has attracted worldwide attention not only in the security industry but also among the general public. Of particular interest is the report's conclusion about the origin of the targeted attacks carried out using APT (Advanced Persistent Threat) techniques by a specific attacker group known as the Comment Crew. Symantec's response to the contents of the report was covered in our previous blog.

Today, we confirmed that someone is using this report as bait in a targeted attack aimed at infecting users interested in its contents. The email Symantec discovered is written in Japanese, but that does not mean only Japanese-language emails are circulating. The email is sent while impersonating a media outlet recommending the report. As shown in Figure 1, a PDF file icon and the Mandiant name in the file name are used to make the attachment look like the genuine report. However, as with many targeted attacks, the email was sent from a free email account, and the Japanese in the body is unnatural. Any ordinary Japanese reader would notice, just from the text, that it was not written by a Japanese speaker.

Opening the fake report file (which Symantec detects as Trojan.Pidief) displays an empty PDF file, but in the background, code exploiting a remote code execution vulnerability in Adobe Acrobat and Adobe Reader (CVE-2013-0641) is run. If the exploit succeeds, the PDF file may drop Trojan.Swaylib and Trojan.Dropper, which in turn drop Downloader. Is this simply a prank by the Comment Crew in response to the press coverage? Or, as is common in many targeted attacks, is it yet another careless mistake made by some other party while carrying out an attack? The truth is not clear.

Figure 1. Malicious email claiming to have the report attached

Similar tactics have been seen in the past; on that occasion the attackers brazenly impersonated Symantec. In 2011, when Symantec published a white paper on another targeted attack group, the attackers turned the white paper to their advantage and tried to infect users who showed interest in it. Moreover, the spam sent to targets had the genuine white paper attached, with malware hidden inside the compressed file.

Whether it is the Mandiant report or any other legitimate content you want to obtain, download it directly from the relevant legitimate website. Mandiant's download page also lists the file hash values so that you can confirm the file is genuine. If you are unsure where a file came from, we also recommend checking the file's hash value.

Update - 2013/2/22

This blog originally stated that the PDF file did not drop any malware, but further investigation revealed that malware is dropped in some environments, so the blog has been updated based on this finding.

We have also confirmed that multiple variants of this malicious fake report exist.

 

* To subscribe to the RSS feed of the Japanese Security Response blog, go to http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja.

How Attackers Steal Private Keys from Digital Certificates


Regular readers of the Symantec blog may sometimes come across posts that mention a fraudulent file signed with a valid digital certificate, or an attacker who signed their malware with a stolen digital certificate.

You may recall that the creators of Stuxnet, arguably the most notorious malware in history, signed it using the private keys of valid digital certificates of well-known companies.

Digital certificates are significant because a file with a digital certificate can be checked to see who authored it and to make sure it was not altered. Moreover, some versions of Windows display a dialog box when a file that has no digital signature is opened. If an attacker signs malware with the stolen private key from a digital certificate, Windows will execute the file in many cases, except if the file is downloaded from the Internet using a Web browser.

How does an attacker steal the private key from a digital certificate?

If a computer is infected by a back door Trojan, the attacker may gain full access to the compromised computer and will be able to control it. The attacker will therefore be able to steal any information found on the computer.

An attacker can also steal both the private key and the digital certificate if he or she is interested in them. However, it is very hard for an attacker to check every compromised computer and if the attacker is successful in compromising several hundred computers, the task of checking every single one is made even harder. The more computers that are compromised, the harder the task becomes.

Gathered samples

I tracked malware samples that have functionality to steal both private keys and digital certificates from Windows certificate stores using the operating system’s functionality over a period of a month. During this time almost 800 unique sample files were gathered. The gathered samples consisted of some of the following malware:

Of those malware samples, many of them were Trojan.Zbot, also known as Zeus.

The following is a world map of all the gathered samples displaying infections by country:

Figure 1. World map displaying infections by country

As you can see, a large number of computers infected by the gathered malware appear to be in America.

How an attacker stores digital certificates

Windows stores digital certificates in a certificate store. Program code often uses the PFXExportCertStoreEx function to export certificate store information and save the information with a .pfx file extension (the actual file format it uses is PKCS#12). The PFXExportCertStoreEx function with the EXPORT_PRIVATE_KEYS option stores both digital certificates and the associated private keys, so the .pfx file is useful to the attacker.

The code shown in Figure 2 opens the certificate store with the CertOpenSystemStoreA function, which is the usual way to open the most common system certificate stores.

The PFXExportCertStoreEx function exports the content of the following certificate stores:

  • MY: A certificate store that holds certificates with the associated private keys
  • CA: Certificate authority certificates
  • ROOT: Root certificates
  • SPC: Software Publisher Certificates

In the example below, the MY certificate store information is saved with the password “Pass” in .pfx file format. As the PFXExportCertStoreEx function is called with the EXPORT_PRIVATE_KEYS option, it exports both the digital certificates and the associated private keys.

Figure 2. Example of code exporting certificate store information

The code performs the following actions:

  1. Opens the MY certificate store
  2. Allocates 3C245h bytes of memory
  3. Calculates the actual data size
  4. Frees the allocated memory
  5. Allocates memory for the actual data size
  6. The PFXExportCertStoreEx function writes data to the CRYPT_DATA_BLOB area that pPFX points to
  7. Writes data

When it writes the content of the certificate store, there is no decryption routine; it just writes exactly what is in the certificate store.

Only one of the malware samples gathered waits for the attacker's command to steal certificate stores. The other malware samples all steal certificate store information when the computer starts running. This would therefore suggest that almost no attackers actually check the compromised computer before stealing the certificate stores.

What password does the attacker use?

In the preceding example (Figure 2), the attacker used “Pass” as the password when writing the certificate store data to a file. Other attackers were seen to use “Password”, “0”, “12345” and so on as the password. What about in the case of Trojan.Zbot?

Figure 3. An example of an encrypted password

The password is encrypted and is unreadable without decryption; the attacker encrypts data to hide it from antivirus vendors.

Figure 4. The _decrypt_password code

The code inside the red box in Figure 4 is the main decryption code. Although the code in the samples varies, all the samples have the same password: “pass”. The attacker obtains the private key from the .pfx file through a batch process, and having the same password makes the task easier for the attacker.
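As an added example (not code from the original post or from any Symantec product), here is a static triage heuristic in Python for the export pattern described in the two sections above: it looks for the CertOpenSystemStoreA and PFXExportCertStoreEx import names, the system store names from the list, and the short export passwords reported here, as null-terminated ASCII or UTF-16LE strings. The sample images and the scoring rule are constructed for this example.

```python
import re

# Import names the post describes: open a system store, then export it as PFX
OPEN_APIS = ("CertOpenSystemStoreA", "CertOpenSystemStoreW", "CertOpenStore")
EXPORT_APIS = ("PFXExportCertStoreEx", "PFXExportCertStore")
# System store names listed in the post
STORE_NAMES = ("MY", "CA", "ROOT", "SPC")
# Export passwords reported in the post ("Pass" in Figure 2, "pass" in the Zbot samples)
REPORTED_PASSWORDS = ("Pass", "pass", "Password", "0", "12345")


def _encodings(text):
    """ASCII and UTF-16LE forms of a null-terminated C string (PFX passwords are wide)."""
    return (text.encode("ascii") + b"\x00", text.encode("utf-16-le") + b"\x00\x00")


def find_cstrings(data, candidates):
    """Return the candidates present in data as whole, null-terminated strings.

    Short strings ("MY", "0") would match inside unrelated byte runs, so they
    must be preceded by a non-alphanumeric byte; long API names need no guard
    (in a PE import table each name follows a 2-byte hint that may be printable).
    """
    found = []
    for text in candidates:
        guard = rb"(?<![A-Za-z0-9])" if len(text) < 8 else b""
        for needle in _encodings(text):
            if re.search(guard + re.escape(needle), data):
                found.append(text)
                break
    return found


def triage(data):
    """Score a file image against the export pattern from the post.

    Assumed rule for this example: the PFX export API is the decisive indicator,
    opening a named system store strengthens it, and a reported password only
    adds context (single-character passwords are too noisy to count).
    """
    open_apis = find_cstrings(data, OPEN_APIS)
    export_apis = find_cstrings(data, EXPORT_APIS)
    stores = find_cstrings(data, STORE_NAMES)
    passwords = find_cstrings(data, REPORTED_PASSWORDS)
    if export_apis and (open_apis or stores):
        verdict = "likely certificate-store exporter"
    elif export_apis:
        verdict = "exports PFX data, review manually"
    else:
        verdict = "no export pattern"
    return {"open_apis": open_apis, "export_apis": export_apis, "stores": stores,
            "passwords": passwords, "verdict": verdict}


# Constructed sample images (not real binaries): import names laid out as a PE
# import table stores them (2-byte hint, name, null), the wide "MY" store name
# and the wide "Pass" password from Figure 2; the second image only opens ROOT.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"\x12\x00CertOpenSystemStoreA\x00"
    + b"\x34\x00PFXExportCertStoreEx\x00"
    + b"\x00\x00" + "MY".encode("utf-16-le") + b"\x00\x00"
    + b"\x00\x00" + "Pass".encode("utf-16-le") + b"\x00\x00"
    + b"\x00" * 16
)
BENIGN_IMAGE = b"\x00" * 8 + b"\x10\x00CertOpenSystemStoreA\x00" + b"\x00ROOT\x00" + b"\x00" * 8


def triage_file(path):
    """Triage a file on disk with the same heuristic."""
    with open(path, "rb") as fh:
        return triage(fh.read())


if __name__ == "__main__":
    for name, image in (("sample", SAMPLE_IMAGE), ("benign", BENIGN_IMAGE)):
        print(name, triage(image))
```

A packed or string-encrypted sample (like the Zbot password in Figure 3) hides these strings, so the heuristic is a first pass for triage, not a detection signature.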

The signing process is not difficult

Stuxnet is not a special case. We often see reports that an attacker signs malware using the private key from a stolen certificate.

Microsoft distributes a signing tool bundled with Windows DDK, Platform SDK, and Visual Studio. If an attacker can steal the content of the certificate store, the attacker can then run Sign Tool (signtool.exe) and digitally sign malware. If one knows where to look for the Trojan.Zbot source code, they can get it, configure it, and distribute it. Sign Tool can also be obtained by anyone; technical ability is irrelevant for stealing certificates.

How can private keys be protected?

One way to protect private keys is to create a network for developing software that is completely segregated from the internal company network and to use different passwords for both networks. If malware compromises a computer on the company network, it cannot gain access to private keys.

Developers should also only sign code using a test certificate until they are ready to ship the software. If digital certificates are stored on a computer that is compromised by malware, the private keys may be stolen.

While storing private keys in a file on a computer is not recommended, there may be situations where it is unavoidable. If so, limit the number of computers that store private keys and restrict access to as few users as possible.

The private key and digital certificates should be kept in a secured location, such as a safe or locked room, and ideally on an encrypted device, like an IC card or a USB token (not a USB memory stick) or hardware security module (HSM). If that is not possible, digital certificates and private keys should be archived and protected by a strong password. Only when absolutely necessary should a private key be stored on portable media and it should eventually be removed from that media and stored offline.

Symantec also offers a service to protect private keys called Extended Validation (EV) Code Signing. More information on EV Code Signing can be found here. If you would like to learn more about security best practices for code signing, please see the white paper located here.

Symantec will continue to monitor the malware and malicious techniques outlined in this blog. We also recommend that users do not run suspicious programs and keep their operating system and antivirus software up to date.

Global Deduplication Myths


Don’t customers hate being misled?

I know I do.  Sometimes it can be innocent…you know, like maybe the sales person wasn’t as knowledgeable as he/she could’ve been.  Or perhaps they were new.  In any case, it behooves the customer to do some homework to make sure that they are not being misled, innocently or otherwise.

 

Your homework is done.

I came across a situation recently where a customer said that a vendor told them their solution could do global deduplication the same as Symantec, but cheaper.  My first thought was wow that’s a big deal.  As you may know, Symantec deduplication capabilities built into NetBackup and Backup Exec offer customers the flexibility of leveraging dedupe at the client, server, or target, and can efficiently dedupe across workloads like physical and virtual infrastructures seamlessly (See the V-Ray video here for more info).  On top of that, if your dedupe storage capacity on a single device is maxed out, Symantec can add another to increase capacity and compute resources, but to the customer, it would still appear as a single dedupe storage pool – global deduplication.

Anyhow, the customer asked if this was true.  Quite honestly, I too needed to do some homework to answer that question…what I found out was pretty disturbing.

First off, the vendor in question was not using the term “global deduplication” correctly, and what they were actually referring to was plain old deduplication, not even bordering on global yet, which I’ll get to in a minute.

According to the vendor’s documentation a customer would need to manually set a dedupe block size for all data sources in order to employ “global deduplication”.  Furthermore, the default and recommended size was 128KB.  For the record, global deduplication refers to the ability to deduplicate across dedupe storage devices so that no two devices contain the same blocks of data.  Here’s a generic definition from TechTarget:

“Global data deduplication is a method of preventing redundant data when backing up data to multiple deduplication devices.”

What the vendor is saying is that you can have multiple data sources (like VMware data, files system data, databases, etc.) feeding into a single dedupe storage pool, where the dedupe block size is set to 128KB, and those multiple data sources will dedupe against one another.  But that’s NOT global deduplication, that’s regular deduplication. 

Global deduplication in this example could be illustrated when the storage capacity that our 128KB chunk sized pool is reached and we need to stand up another.  Can the customer see both those storage devices as a single pool without any data redundancies across them or not?  If the answer is not, then the vendor cannot provide global dedupe capabilities.  And unfortunately, such was the case with our vendor in question.

The interesting thing was that even though this inquiry started as a result of a question on comparative global dedupe capabilities, I uncovered some other points of information that may cause you to think twice when purchasing from this vendor.

I’ve organized these into the chart below for ease of understanding:

Data Source/Workload            Recommended Block Size
File systems                    128KB
Databases (smaller than 1TB)    128KB
VMware data                     32KB
Databases (1-5TB in size)       256KB
Databases (larger than 5TB)     512KB

 

As you can see above, the vendor is recommending those specific dedupe block sizes to maintain an optimal dedupe efficiency level for each data source.  What this means is that:

  1. IF you want dedupe efficiency within data sources you have to manually configure and manage multiple dedupe storage pools (that’s a lot of management overhead by the way), and
  2. You’ll likely have duplicate data stored because your VMware data at 32KB is not going to dedupe with your files system data at 128KB, and lastly
  3. If you go ahead and use the same block size (128KB that the vendor recommends for their “global dedupe”), your dedupe efficiency is lost because 128KB is only optimal for file systems and databases smaller than 1TB, not for anything else.

This problem is defined as “content-aligned” deduplication.  Given that this particular vendor is unable to instead be “content-aware” and efficiently deduplicate source data without manual configuration of block sizes, there is certainly no hope for the vendor to claim global deduplication capabilities…unless the attempt is made to redefine the term.

A better way

With Symantec, the customer would not have to worry about this scenario at all.  It doesn’t matter if the data source is coming from a physical machine or virtual.  It doesn’t matter if the database is large or small, or if it’s just file system data.  Symantec is able to look deep into the backup stream and identify the blocks for which a copy is already stored, and store only the ones that are unique.  No block size limitations or inefficiencies between policies.   This means that you get the best in dedupe storage efficiency with the lowest management overhead.

 

Symantec calls its approach end-to-end, intelligent deduplication because we can deliver data reduction capabilities at the source, media server, or even on target storage (via our OpenStorage API).  We gain intelligence from content-awareness of the data stream for backup efficiency.  And of course, we deliver global deduplication capabilities.

 

More resources:

Symantec Deduplication

NetBackup Platform

Backup Exec Family

NetBackup Appliances

New EU directive requires companies to report on cybersecurity issues


On February 7, the European Commission proposed a new directive on cybersecurity. It calls for a Computer Emergency Response Team in each member state and a joint institution to fight cybercrime more intelligently. The proposal also obliges companies to inform authorities of data breaches or significant security incidents. Until now, this was limited to certain sectors, and the obligation varied from country to country.

The importance of this proposal cannot be stressed enough. Organizations still all too often think ‘it won't happen to me’. Or the IT director wants to do something about it, but cannot sell the security budget to the board. Merely postponing a security upgrade is asking for trouble. The cyber world is unsafe, period. Botnets have infected a brand-new, unprotected PC within barely a quarter of an hour. Yet IT security is still regarded as a cost.

For Symantec, the EU directive is more than a step in the right direction. It still has to be ratified by the member states and by the European Parliament, but as a CIO you would do well to pick up this gauntlet right away. It is not enough to hastily install a signature-based antivirus program. It is about an intensive review of processes and architectures, mobile security, compliance, cloud security, data loss, and so on.

Improve your security in three steps

1. Do a full security and risk scan
Endpoint protection is the strict minimum; the rest is determined by your organization's business. You must be able to align the business and IT. The business does not grasp the risks and therefore does not allocate the necessary budgets; IT technicians usually do not realize the impact of the risks on the business, or make the whole task too complicated.

A European company recently launched its new, innovative agricultural machine at an international trade fair. Unfortunately, three stands further on, a competitor was showing off exactly the same tool. Without data loss prevention, your plans can leak. Your competitive advantage evaporates and your investment in research and development has been for nothing. If you do not have accurate and up-to-date protection in place, you can expose yourself to long-term cyber espionage.

So bring a security consultant on board who performs a full risk assessment scan and advises you on the necessary security strategy.

2. Keep your defense mechanism up to date
A few weeks ago, the subsidiary of a large insurer let its customers' data fall into the wrong hands. One of the servers was too weakly protected. In exchange for the data, the hackers demanded payment of a hefty sum. It cost the insurer a lot of money, but the damage to its image may be worse.

It is the job of companies like Symantec to stay ahead of cybercriminals and to build reputation-based technology against smart and sophisticated attacks. So keep updating your security systems continuously and certainly do not disable standard functions. You do not secure your front door only to leave the back door open.

3. Provide ongoing training for computer users
Your users are potentially the weakest link when it comes to internal threats. Raising awareness is the task, because you cannot lock everything down. How can they protect themselves and their company against digital harm? Teach them more about password management, physical computer security, the dangers of social engineering, and digital trust. If it seems too good to be true, it usually is. Security warnings are not meant to bore or bother you. More attention to security is certainly a step in the right direction.

Cyber security challenge coming up

Organizations are continuously fighting internal and external cyberattacks. Symantec believes that, thanks to the new EU directive, citizens, companies and government organizations will pay more attention to cybersecurity. The directive will help CIOs and CSOs to make their demand for a higher level of security concrete and to make information security a legal and business requirement. This really does not only happen in films. Symantec is therefore organizing a cyber readiness challenge on March 20 on the occasion of Infosecurity. Security specialists get 20 rounds in which they must try to solve simulated IT security problems.

More information and registration via this link.

Web Application Penetration Test Tricks Part II – Clickjacking


Ready for another cool web application penetration test trick? In this installment we'll cover clickjacking, also known as "UI redressing". Clickjacking is an instance of the classic "confused deputy" problem, and occurs when attackers leverage framesets and stylesheets in order to create opaque bottom and transparent top layers within the victim's browser. The target web application is loaded within the transparent top layer, while a dummy web application is loaded within the bottom opaque layer. By aligning elements between the transparent top and opaque bottom layers, attackers entice the victim to click on something within the opaque bottom layer, but the transparent top layer hijacks the click and performs some unintended action.

For example, the dummy web application loaded within the opaque bottom layer could inform the victim that they have won $1,000 and they simply need to click the "Claim Prize" button in order to cash in. Meanwhile, the victim's email application is loaded within the top transparent layer, and the "Delete Message" button is aligned with the "Claim Your Prize" button. When the victim attempts to click the "Claim Prize" button within the opaque bottom layer, the click is hijacked by the transparent top layer and the victim's email message is deleted. Refer to https://www.owasp.org/index.php/Clickjacking for more information regarding clickjacking.

The best solution to clickjacking is the X-FRAME-OPTIONS server response header. Setting the X-FRAME-OPTIONS header to DENY or SAMEORIGIN prevents the target web application from being loaded within an <IFRAME> or <FRAMESET>, effectively preventing clickjacking attacks. For example, a request to http://www.google.com/ returns the following response header:

X-FRAME-OPTIONS: SAMEORIGIN

The X-FRAME-OPTIONS response header is supported by the latest release of all major browsers, including Mozilla Firefox, Google Chrome, Microsoft Internet Explorer, and Apple Safari. However, there is another solution to clickjacking. Framebreaker code, also known as "framebuster" or "framekiller" code, is a snippet of JavaScript code that prevents the page from being loaded within an <IFRAME> or <FRAMESET>. Consider simple framebreaker code:

if(top.location != self.location) { top.location = self.location; }

If the page is not the top element (i.e., the page is being loaded into an <IFRAME> or <FRAMESET>), the page reloads itself into the top element (i.e., the page breaks out of the <IFRAME> or <FRAMESET>).  Note that there are limitations to framebreaker code. Refer to https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet for optimal framebreaker code.

Because there are multiple ways to prevent clickjacking, each solution must be tested individually. In addition, framebreaker code is often buried within recursively included JavaScript files, making testing slow and tedious. So what's the trick? Simply attempt to load the target page within an <IFRAME> and see if the page loads! Why bother inspecting response headers and digging through a maze of JavaScript files? Consider the following Clickjacking Test page loaded with http://www.google.com/:

<HTML>
<BODY>
<H1>Clickjacking Test</H1>
<IFRAME SRC="http://www.google.com/" HEIGHT="600" WIDTH="800"></IFRAME>
</BODY>
</HTML>

If http://www.google.com/ is displayed within the <IFRAME>, the web application is vulnerable. We know that http://www.google.com/ returns the X-FRAME-OPTIONS response header set to SAMEORIGIN, so it is indeed not vulnerable:

Conversely, consider the Clickjacking Test page loaded with http://www.microsoft.com/:

<HTML>
<BODY>
<H1>Clickjacking Test</H1>
<IFRAME SRC="http://www.microsoft.com/" HEIGHT="600" WIDTH="800"></IFRAME>
</BODY>
</HTML>

The http://www.microsoft.com/ application is indeed vulnerable to clickjacking:

Piece of cake! That's all for this installment of the "Web Application Penetration Test Tricks" blog series. Next time we'll consider a subtle and often overlooked vulnerability related to web application authentication. Cheers!

APT1: Additional Comment Crew Indicators of Compromise

Mandiant recently released a document containing indicators of compromise (IOCs) related to multiple espionage campaigns by a group known as the Comment Crew. Symantec has been actively tracking this group for six years while maintaining our own database of indicators. From our investigations we have collected thousands of indicators related to Comment Crew.

To help increase public awareness, we have decided to release hundreds of additional Comment Crew indicators to those already released. These are indicators that have been seen within the past year.

Symantec products already protect against the artifacts related to these indicators and many of these artifacts have already been shared with the security community.

You can find these indicators in the following paper: Comment Crew Indicators of Compromise.


Review: Symantec Backup Exec 2012 Is a Recovery Solution SMBs Can Rely On

Great review from @JasonHolbert at Biztech Magazine

Review: Symantec Backup Exec 2012 Is a Recovery Solution SMBs Can Rely On

Small Business Edition sports a new interface aimed at easing common backup and recovery tasks.
by Jason Holbert posted Feb 22, 2013
 

Few companies have dedicated backup administrators anymore. Today’s IS managers regard backups as little more than a bullet point in a long list of daily responsibilities. They seek a “set it and forget it” solution that doesn’t require a lot of manipulation or attention to administer. At the end of the day, they just need it to work.

In its first major update since Backup Exec 2010, Symantec has gone to great lengths to ease the task of backup and recovery. Backup Exec 2012 Small Business Edition offers a new streamlined interface while building on the reliability and flexibility the Backup Exec brand is known for.

Advantages

With the redesign of Backup Exec’s administrative console, operators can quickly see the status of their data protection and modify existing jobs from a single view. Installation is straightforward and took less than 10 minutes in my test environment. Users of Backup Exec 2010 will be pleased to discover that the 2012 version is backward-compatible.

Administrators can use the software to perform both file- and server-level backups, gaining granular control over what gets backed up and restored, from an individual email to an entire operating environment. They can choose to restore systems to physical hardware or a virtual platform because Backup Exec’s “Convert to Virtual” option enables the creation of a bootable virtual server.

Backup Exec 2012’s new “Add Stage” feature allows administrators to designate an additional location to which backup data can be written, creating further redundancy. Should something go wrong with the primary backup, the secondary backup is there — no need to skip back to an earlier version. It’s such a simple thing, but it adds a layer of protection that undoubtedly will help administrators sleep a little better at night.

Why It Works for IT

Many of the default settings in Backup Exec’s new interface are intuitive and appropriate for common needs and tasks. Best-practice defaults are already available for every type of backup. The streamlined design requires less tweaking, freeing up IT managers’ time for other duties.

Backup Exec’s versatile reporting tool can generate reports either by choosing from an array of pre-configured formats or by selecting user-defined criteria. This allows administrators to quickly understand the status of their protection and readily provide documentation for compliance requirements.

Because Backup Exec integrates with VMware and Hyper-V systems, operators can protect both physical and virtual hosts and guest machines from within a single solution. The ability to restore a failed physical server to a new virtual machine also provides quick disaster recovery to put mission-critical systems back online should hardware need to be replaced.

Disadvantages

The new user interface simplifies the information administrators see when the console is launched. The mechanics of the interface, however, require some time to get used to and may require a lot of clicking to navigate. Symantec has adopted the ribbon-style menu, which also can be a bit awkward until administrators familiarize themselves with it.

 

About the Author

 

Jason Holbert

Jason covers desktop applications and help desk utilities, including reviews geared toward the IT end-user support function. Jason is the PC infrastructure manager for Harcros Chemicals, a worldwide leader in chemical manufacturing and distribution. At Harcros, Jason supports over 350 end users at 30 branch locations. In his free time, Jason enjoys reading, motorcycling, competitive shooting and remodeling his starter home with his wife.

 

Top 5 Reasons Why Users Want Administrator Rights

Nobody likes to be restricted in their use of a computer, or to think they are being limited because they don’t have administrator rights. Most users do not NEED administrator privileges; they just WANT them. So why do users want administrator privileges? Here are the top 5 reasons:

  1. Freedom: Users want administrator privileges so they can install or modify anything and everything on their computer. They may or may not view themselves as computer experts, but believe they know enough about computers to be able to make changes to their system without any negative repercussions. Unfortunately they are usually wrong, causing the IT department to spend countless hours fixing the issues.
  2. Control: Users also want more privileges on a computer because of the control associated with being able to call your own shots. Control leads to even more headaches for the IT department as they clean up the mess left by users who make changes without understanding implications. Installing a software package without proper licensing can result in costly audit expenses. Changing the security configuration might make life easier, but it can result in expensive breaches.
  3. Time: Most people hate to wait – we want everything done instantaneously. It’s the same for computing. Most users fear that if they don’t have administrator rights, they’ll have to wait for someone in the IT department to install or update a piece of software that could take them minutes to do if they had administrator privileges.
  4. Entitlement: Some users believe that they deserve administrator rights because they started the company, make more money than the IT department employees, or because they are just special for one reason or another. These reasons aren’t good enough though. They might be the reason that the company is making a profit right now, however with administrator rights they could be the reason the company suffers a loss next quarter when their computer is compromised and key data stolen.
  5. Habit: For some companies, users have always had administrator rights. It has become the standard of how users operate their computers in the company. However with increasing cyber threats, this habit simply does not provide enough security to organizations any more.

The reasons listed above may or may not be good reasons for the desire of users to keep administrator rights. However, administrator rights are a huge threat to IT security. Users may think that if they lose administrator privileges that their lives will become harder, but this is not the case. If privilege management is implemented the right way, users will be able to continue to work as before and will most likely not even notice the change.

So how do you implement privilege management successfully? It’s really a two-step process, requiring knowledge of what applications will need administrator rights to work correctly and which users have administrator rights. After that knowledge is obtained companies create application privilege management policies for applications that need admin rights. Then companies remove administrator privileges from their users by using user privilege management software. It’s that easy.

Arellia Application Control Solution and Local Security Solution assist businesses concerned with security in protecting their assets from security threats, mitigating zero-day vulnerabilities, controlling system stability, and enforcing software compliance by using application and user privilege management capabilities.

Top 5 Reasons Why Users Need Administrator Rights

In the last blog article we discussed the top 5 reasons why users want administrator privileges. In this article we will discuss the top 5 reasons why a user actually NEEDS administrator rights. Here are the top 5 reasons:

  1. System Utilities: many of the control panel applications require administrator rights including driver installation, disk defragmenter, and backing up the.
  2. System Settings: changing system settings such as the date\time or network configuration settings require administrator privileges.
  3. Software Installation: software that tries to install into the Program Files or Windows directory needs administrator rights to do so.
  4. Software Updates: application updaters require administrator rights in order to make changes to the applications in the Program Files directory. This includes updaters for Adobe, Java, and iTunes.
  5. Legacy or Poorly Coded Software:  some applications simply require administrator rights to run normally.

The reasons listed above may or may not be good reasons for why users need administrator rights; however, those reasons usually lead to users being granted administrator rights, and granting those rights creates a huge threat to IT security as well as increased manageability costs. Most companies are left in a bind: do they remove administrator rights and limit the productivity of their employees, or do they let their users keep admin privileges?

Most companies choose to let their users keep administrator privileges because they can’t afford to hinder employee productivity, thus gambling their IT security. What if there was another option that would enable system utilities, options, installers, updaters, and legacy applications to run with admin privileges AND enforce IT security by removing administrator rights from users? Well there is. Application and user privilege management enables companies to remove administrator rights from users while also adding administrator rights to applications that need them to run normally.

Arellia Application Control Solution and Local Security Solution assist businesses concerned with security by protecting their assets from security threats, mitigating zero-day vulnerabilities, controlling system stability, and enforcing software compliance by using application and user privilege management capabilities.

Nexus, eNerds, and 9Spheres Discuss Benefits of Symantec’s SMB Partner Program

APJ partners Nexus, eNerds, and 9spheres face diverse challenges from their many customers. Though each company has varied customer demands, each found confidence, credibility, and efficiency in being part of Symantec’s SMB Partner Program. Learn more about how these partners are benefiting from the SMB Partner Program in this video:

 

So what, exactly, is this Backup Exec V-Ray Edition?

In January, the Symantec Partner Communication team hosted its first ever Google+ Hangout. It was a great success and a great way to connect face to face with partners and customers. On February 19, we did it again focusing this time on Backup Exec V-Ray Edition, “So what, exactly, is this Backup Exec V-Ray Edition?”

Matt Stephenson, Product Marketing Manager and Scott Baker, Product Manager from Symantec's Backup Exec team came together to help users and partners understand Symantec Backup Exec V-Ray Edition and its licensing options.

Some of the topics discussed were:

  • The meaning of ‘per processor’ licensing
  • Features included in the Backup Exec V-Ray Edition
  • How the Backup Exec V-Ray Edition works in virtual and physical environments
  • Licensing scenarios for Backup Exec V-Ray Edition

Check out the video below to see the entire conversation and let us know if there are topics you'd like us to cover in a future Google+ Hangout.

Symantec Intelligence Report: January 2013

This month’s report finds that the email malware rate has dropped sharply since December of last year: in January only 1 in 400 emails contained a virus, the lowest virus rate since 2009. This may mean that email virus distributors are taking a break after the holiday season, or that the shift away from email as the channel of choice for delivering malicious payloads is continuing. We will keep watching this trend to see whether the decline continues.

Other news this month is the arrival of Valentine’s Day spam in earnest. At this time of year such spam generally arrives as an e-card, playing on the victim’s curiosity that it might be from a “secret admirer” (often a proper-looking unsolicited email is sent first). Unfortunately, many of these emails lead not to an unexpected romance but to fake bargains, phishing scams, or malicious code. Details of these scams are described here.

Finally, this month Symantec worked with Microsoft to take down the notorious Bamital botnet. The main purpose of this botnet was to generate advertising revenue by hijacking search engine results and redirecting them to C&C servers hosting advertisements chosen by the attackers. Symantec succeeded in shutting down all known components used to operate the botnet, which it had been tracking since 2009. Security Response has released a whitepaper giving a detailed overview of the botnet; it can be downloaded here.

Download this month’s Symantec Intelligence Report and put it to use.

Ichitaro Vulnerability: Another Zero-Day Exploit in the Wild

Contributor: Masaki Suenaga

We have already seen a handful of zero-day vulnerabilities being exploited in the wild this year. These vulnerabilities have affected users globally leaving both individuals and organizations scrambling to protect their computers. While this does become tiring, this is not the time to rest or become complacent, especially for those using the Japanese word processor software, Ichitaro.

JustSystems has just announced a vulnerability that is currently being exploited in the wild. Symantec has seen the exploitation in the wild since mid-January, but it has been limited to users in Japan. The attacks using the exploit typically involve archive files containing the following files:

  • A clean Ichitaro document (.jtd file)
  • A modified JSMISC32.DLL file with a hidden attribute
  • A malicious DLL file with a hidden attribute and a .jtd file extension

Figure. The files found in the archive file

When an Ichitaro document is opened on a vulnerable computer, Ichitaro searches for the file JSMISC32.DLL, which is usually found in the installation path or system directory. In this targeted attack, when the clean Ichitaro document is opened, it executes JSMISC32.DLL, located in the same directory, which then launches the malicious DLL file with the .jtd file extension. JSMISC32.DLL is modified so that it loads the malicious .jtd file, which is actually a DLL file.

Symantec proactively detects the archive file that contains the files used in this attack as Bloodhound.Exploit.489. The malicious DLL is detected as either Trojan Horse or Backdoor.Trojan. To protect against this exploit, download the patch from JustSystems and make sure your security software is up to date.
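
A triage helper for the archive layout described above, added here as an example and not part of the original post or of Symantec’s detection: it inspects an extracted directory and reports the two things the post calls out, a JSMISC32.DLL sitting next to a .jtd document (the DLL normally lives in the Ichitaro install path or the system directory, never beside a document) and any .jtd file that begins with a PE header and is therefore a DLL, not a document. The sample listing is constructed with placeholder bytes, contains no malware, and does not reproduce the detection names used in the text.

```python
import os
import stat

PE_MAGIC = b"MZ"            # DOS stub header that every Windows EXE/DLL starts with
HIJACKED_DLL = "jsmisc32.dll"


def triage_entries(entries):
    """Return findings for a {filename: first_bytes} listing of an extracted archive.

    Pure function so it can be exercised on constructed listings as well as
    real directories (see triage_directory).
    """
    findings = []
    lower = {name.lower(): name for name in entries}
    has_document = any(name.endswith(".jtd") for name in lower)
    if HIJACKED_DLL in lower and has_document:
        findings.append(
            f"{lower[HIJACKED_DLL]}: JSMISC32.DLL shipped next to a .jtd document "
            "(search-order hijack: Ichitaro loads it from the document's directory)"
        )
    for name, head in entries.items():
        if name.lower().endswith(".jtd") and head.startswith(PE_MAGIC):
            findings.append(f"{name}: .jtd extension but PE header (DLL disguised as a document)")
    return findings


def triage_directory(directory):
    """Read the first two bytes of each file in `directory` and triage them.

    On Windows the hidden attribute is also reported, since both planted
    files in the post carried it; other platforms skip that check because
    st_file_attributes is not available there.
    """
    entries = {}
    hidden = []
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            entries[name] = fh.read(2)
        attrs = getattr(os.stat(path), "st_file_attributes", 0)
        if attrs & stat.FILE_ATTRIBUTE_HIDDEN:
            hidden.append(name)
    findings = triage_entries(entries)
    for name in hidden:
        findings.append(f"{name}: hidden attribute set")
    return findings


# Constructed stand-in for the archive contents described in the post.
# The "document" bytes are a placeholder; the only point is that they are
# not a PE header.
CONSTRUCTED_ARCHIVE = {
    "invoice.jtd": b"\xd0\xcf",    # clean document
    "JSMISC32.DLL": b"MZ",         # modified DLL planted beside the document
    "data.jtd": b"MZ",             # DLL disguised with a .jtd extension
}

if __name__ == "__main__":
    for finding in triage_entries(CONSTRUCTED_ARCHIVE):
        print(finding)
```

Point triage_directory at the folder an archive was extracted into; a listing that produces no findings is not proof of cleanliness, since the same hijack works with any DLL the host application resolves relative to the document, but the two checks above catch the exact combination reported here.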


Ichitaro Vulnerability: Another Zero-Day Exploit Confirmed in the Wild

Contributor: Masaki Suenaga

Several zero-day vulnerabilities have already been seen exploited this year. These vulnerabilities affect users worldwide, forcing both individuals and organizations to rush to protect their computers. It is a tiresome repetition, but users of the Japanese word processor Ichitaro cannot rest easy just yet.

JustSystems has announced a vulnerability that is currently being exploited. Symantec has observed the exploit since mid-January, but the damage has been limited to users in Japan. Attacks exploiting this vulnerability typically involve an archive file containing the following files:

  • A clean Ichitaro document (.jtd file)
  • A modified JSMISC32.DLL file with the hidden attribute set
  • A malicious DLL file with the hidden attribute set and a .jtd extension

Figure. The files contained in the archive file

When an Ichitaro document is opened on a vulnerable computer, Ichitaro searches for JSMISC32.DLL, which is normally located in the installation path or the system directory. In this targeted attack, opening the clean Ichitaro document executes the JSMISC32.DLL in the same directory, which in turn executes the malicious DLL file with the .jtd extension. JSMISC32.DLL has been modified to load the malicious .jtd file, which is also in fact a DLL.

Symantec proactively detects the archive file containing the files used in this attack as Bloodhound.Exploit.489. The malicious DLL is detected as Trojan Horse or Backdoor.Trojan. To protect against this exploit, download and apply the patch from the JustSystems site and keep your security software up to date.

 

* To subscribe to the RSS feed of the Japanese-language Security Response blog, go to http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja.

SEP 11.x Documentation - Release Notes and Fixes

Mobile World Congress: first day impressions with an Asia perspective

Day 2 has started and all the impressions from Day 1 are being gathered and processed. Asia has a huge representation, and yesterday I met Japanese, Chinese and Koreans every two meters in the exhibition. It is clearly a global show in which everyone in the industry takes part. I have gathered some of my key observations and reflections from yesterday here. More to come today!

Phablets and affordable devices with LTE functionality

More tablets are coming to market and prices are increasingly competitive. Lenovo launched multiple models, for which the Acer Iconia Tab A700, Huawei MediaPad 10 FHD and Google Nexus 10 are the key competitors. The Lenovo A3000 and A1000 both feature 7" displays and will allow for tablet adoption in emerging regions. On the phablet side (phone/tablet), the Samsung Galaxy Note 8 is the biggest and loudest launch so far.

On the handset side, Nokia is leading the way in the lower-end segment, releasing a series of budget and midrange handsets and adding the Lumia 720 and 520 to the Windows Phone 8 range. At the budget end was the Nokia 150, a 15-euro phone with a 1.5-inch screen and weeks' worth of battery life in standby mode. LG showed equal determination in its focus on mid-range budget alternatives with the F7 and F5, including LTE functionality.

For Asia this is good news, and considering that China Mobile already covers the 15 biggest cities with LTE, the demand for LTE-enabled phones at an affordable price is real. It is also clear that the Asian suppliers are gaining traction and market share across the board.

Mobile OS sprawl rather than consolidation

Mozilla is moving up the list: Sony revealed that it will launch a phone built with Firefox next year. Samsung is also looking to provide an alternative with Tizen, but notes that Android and Windows Phone will still be offered. Other names mentioned were Ubuntu, and there might be more. This trend is not helping enterprises support employee mobility, though. The ever-changing open-source platforms complicate how security can be upheld, and in some cases this will decrease the uptake and deployment of, for example, BYOD, purely out of fear of security breaches.

Mobile innovation and security

Mobile innovation is high in Asia compared to the rest of the world (Symantec State of Mobility survey 2013), and that is no big surprise. Yet it comes paired with the acceptance of a higher number of incidents, and in addition the hardware suppliers keep pushing out new models, with OS sprawl and the number of devices growing at an unforeseen pace. The question, of course, is for any enterprise to ask itself how to support mobility in the short run while also making sure to work toward the bigger plan rather than putting point solutions in place. It is a fact that 95% of Asia Pacific companies have BYOD initiatives in place, while only 20% have policies or frameworks related to those initiatives (IDC numbers). It makes me a little bit worried… Watch out for an upcoming IDC whitepaper with more on this topic.

 

 

How Attackers Steal Private Keys from Digital Certificates

If you read Symantec’s blog regularly, you have probably seen several articles about malicious files signed with valid digital certificates, or malware signed with stolen digital certificates.

Some may recall that the creators of Stuxnet, arguably the most notorious malware in history, signed their malware using the private keys of valid digital certificates belonging to well-known companies.

The importance of digital certificates goes without saying: examining a file that carries a digital certificate tells you who created it and confirms that it has not been altered. Some versions of Windows also display a dialog box when a file without a digital signature is opened, but when an attacker has signed malware with a private key stolen from a digital certificate, most such files will simply run (except when the file was downloaded from the Internet with a web browser).

How attackers steal private keys from digital certificates

Once a back door Trojan is planted on a computer, the attacker gains full access to and control of that computer, and can therefore steal any information on it at will.

An attacker who wishes to can also steal both the private key and the digital certificate, but examining every compromised computer is very difficult; even if hundreds of computers have been compromised, inspecting each one individually is even more tedious. The more infected computers there are, the harder this becomes.

Collected samples

For more than a month, Symantec tracked samples of malware with the ability to use operating system functionality to steal both private keys and digital signatures from the Windows certificate store. In that period nearly 800 unique files were collected. The collected samples included the following malware:

Many of the malware samples were Trojan.Zbot (also known as Zeus).

The figure below shows the distribution of all collected samples by country or region of infection.

Figure 1. Distribution of infections by country/region

As the figure shows, the vast majority of computers infected with the collected malware appear to be in the United States.

How digital certificates are stored

Windows stores digital certificates in certificate stores. In many cases the program code uses the PFXExportCertStoreEx function to export certificate store information and saves it to a file with the .pfx extension (the actual file format is PKCS#12). When the EXPORT_PRIVATE_KEYS option is passed to PFXExportCertStoreEx, both the digital certificate and its corresponding private key are saved, which is what makes .pfx files valuable to attackers.

The code shown in Figure 2 opens the stored certificates with the CertOpenSystemStoreA function, so it selects the most common system certificate stores.

The PFXExportCertStoreEx function exports the contents of the following certificate stores:

  • MY: the certificate store containing certificates with associated private keys
  • CA: certification authority certificates
  • ROOT: root certificates
  • SPC: software publisher certificates

In the following example, the MY certificate store information is saved in .pfx format with the password “Pass”. Because this call to PFXExportCertStoreEx specifies the EXPORT_PRIVATE_KEYS option, both the digital certificate and its corresponding private key are exported.

Figure 2. Example code that exports certificate store information

This code performs the following steps:

  1. Open the MY certificate store.
  2. Allocate 3C245h bytes of memory.
  3. Compute the actual data size.
  4. Free the allocated memory.
  5. Allocate memory of the actual data size.
  6. PFXExportCertStoreEx writes the data into the CRYPT_DATA_BLOB area pointed to by pPFX.
  7. Write the data out.

There is no encryption routine when the certificate store contents are written out; the contents of the certificate store are simply written out as they are.
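
Because the exported store is written out as a plain PKCS#12 blob, a defender can recognise such exports by structure rather than by the .pfx extension an attacker is free to omit. The sniffer below is an added example, not code from the original post: a PKCS#12 (PFX) file is a DER SEQUENCE whose first element is the INTEGER version 3 and whose second is a ContentInfo whose contentType OID is pkcs7-data (1.2.840.113549.1.7.1), and the function checks exactly that shape with a minimal DER reader. The sample bytes are constructed here and contain no certificates or key material; real exports are far larger and use the long-form length encoding the reader also accepts.

```python
PKCS7_DATA_OID = bytes.fromhex("2a864886f70d010701")   # 1.2.840.113549.1.7.1


def _read_tlv(buf, offset):
    """Parse one DER tag-length-value at `offset`; return (tag, value, next_offset)."""
    if offset + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag = buf[offset]
    length = buf[offset + 1]
    pos = offset + 2
    if length & 0x80:                    # long form: low bits give the count of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def looks_like_pkcs12(blob):
    """True when `blob` has the outer structure of a PFX (PKCS#12) object.

    PFX ::= SEQUENCE { version INTEGER (3), authSafe ContentInfo, macData OPTIONAL }
    ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT ANY }
    Only the framing is checked; the safe contents themselves are not parsed.
    """
    try:
        tag, pfx, _ = _read_tlv(blob, 0)
        if tag != 0x30:                              # SEQUENCE
            return False
        tag, version, pos = _read_tlv(pfx, 0)
        if tag != 0x02 or version != b"\x03":        # INTEGER 3
            return False
        tag, content_info, _ = _read_tlv(pfx, pos)
        if tag != 0x30:
            return False
        tag, oid, _ = _read_tlv(content_info, 0)
        return tag == 0x06 and oid == PKCS7_DATA_OID  # OBJECT IDENTIFIER pkcs7-data
    except ValueError:
        return False


def find_pkcs12_blobs(files):
    """Return the names in {name: bytes} whose contents look like PKCS#12, whatever the extension."""
    return sorted(name for name, data in files.items() if looks_like_pkcs12(data))


# Constructed samples. SAMPLE_PFX is a minimal, valid PFX framing around a
# six-byte placeholder payload; SAMPLE_CERT_LIKE mimics the start of an
# X.509 certificate (version wrapped in a [0] tag) and must not match.
SAMPLE_PFX = bytes.fromhex("301a020103301506092a864886f70d010701a0080406") + b"dummy!"
SAMPLE_PFX_LONGFORM = bytes.fromhex("3082001a") + SAMPLE_PFX[2:]
SAMPLE_CERT_LIKE = bytes.fromhex("300a3008a003020102020101")

if __name__ == "__main__":
    constructed_files = {
        "update.dat": SAMPLE_PFX,          # renamed export, no .pfx extension
        "big.pfx": SAMPLE_PFX_LONGFORM,
        "site.cer": SAMPLE_CERT_LIKE,
        "tool.exe": b"MZ\x90\x00",
    }
    print(find_pkcs12_blobs(constructed_files))
```

Run it over files a suspicious process wrote or over outbound payloads; a hit on a machine that is not supposed to export its store, or outside the developer network the post recommends isolating, is the moment to revoke the certificate rather than wait for signed malware to appear.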

Of the collected malware samples, only one waits for a command from the attacker before stealing the certificate store; all the others steal the certificate store information when the computer starts. This suggests that few attackers actually inspect the compromised computer before stealing the certificate store.

Passwords used by attackers

In the example above (Figure 2), the attacker used the password “Pass” when writing the certificate store data to a file. In other attacks, passwords such as “Password”, “0”, and “12345” are also used. So what about Trojan.Zbot?

Figure 3. Example of an encrypted password

The password is encrypted and cannot be read without decrypting it. Attackers encrypt the data to hide the password from antivirus vendors.

Figure 4. The _decrypt_password code

The part of the code enclosed in the red box in Figure 4 is the main decryption code. The code varies from sample to sample, but every sample contained the same password, “pass”. Attackers retrieve the private key from the .pfx file in a batch process, and specifying the same password everywhere keeps that processing simple.

The signing process is easy

Stuxnet is not a special case. Reports of attackers signing malware with the private key of a stolen certificate appear frequently.

Microsoft distributes a signing tool bundled with the Windows DDK, Platform SDK, and Visual Studio. Once an attacker has stolen the contents of a certificate store, they can digitally sign malware using that signing tool (signtool.exe). Anyone who knows where to find the Trojan.Zbot source code can obtain it, configure it, and spread it, and the signing tool is available to everyone. No technical skill is needed to steal a certificate.

How to protect private keys

One way to protect private keys is to build a software development network completely separated from the corporate network and to use different passwords on each network. Even if malware gets into the corporate network, it cannot reach the private keys.

At the same time, until the software is ready to ship, developers should always sign code with a test certificate. If malware gets onto a computer where the digital certificate is stored, the private key will be stolen.

Storing private keys in files on a computer is not recommended, but in some situations there is no alternative. In such cases, limit the number of computers on which private keys are stored and keep the users who can access them to a minimum.

Keep private keys and digital certificates in a secure location such as a vault or a locked room. Ideally, use a cryptographic device such as a smart card, a USB token (not a USB memory stick), or an HSM (hardware security module). If that is not possible, compress the digital certificate and private key and protect them with a strong password. Store private keys on portable media only when absolutely necessary, and when finished delete the private key from that media and keep it offline.

Symantec also offers a service that protects private keys, called Extended Validation (EV) Code Signing. For details on EV Code Signing, see here (English). For details on basic security measures for code signing, see this whitepaper (English).

Symantec will continue to monitor the malware and techniques reported here. We recommend not running suspicious programs and keeping your operating system and antivirus software up to date.

 


Russian-Language Spam Targeting International Women’s Day

February is a short month, but there seems to be no shortage of material for enticing spam. Valentine’s Day and the threats that exploited it have passed, but now International Women’s Day on March 8 is the target. International Women’s Day is a perfect opportunity to show affection, respect, and goodwill to all women, but spammers are always watching for such events to exploit. This post reports on spam promoting counterfeit goods by targeting International Women’s Day.

Spam built around online marketing campaigns is often sent from Russia, and for some reason uses odd telephone numbers. This time too, spammers are targeting users with fake product advertisements claiming to offer wonderful gifts for Valentine’s Day and International Women’s Day, and the phone number listed for ordering gift cards again has unusual characteristics.

Below is an example of Russian-language spam observed by Symantec.

The subject line gives it away as spam.

  • Subject: Лучший подарок на 14 февраля и 8 марта

Translation: “The best gift for February 14 and March 8”

Another spam sample lures users with beauty products for women. The following subject lines have also been observed in this attack:

  • Subject: ココロとカラダでダイエット (translation: “Diet for mind and body”)
  • Subject: 女性のためのエクササイズ (translation: “Exercise for women”)
  • Subject: 無理をしないバランスフィットネス (translation: “Balanced fitness without overdoing it”)

Be careful with junk mail and emails you do not recognize, and do not fall for fake gifts or product advertisements. Symantec continues to monitor spam 24 hours a day, 365 days a year so that we can bring readers the latest information on the latest threats.

We wish you a wonderful International Women’s Day.

 

