
Symantec 4.0 – driven by (customer) necessity


by Phil Nash, Director Analyst Relations

As many commentators have pointed out over the years, Symantec has been built on two pillars, responding to the needs of both corporations and consumers. While this model has served us well it has sometimes added complexity. 

Even more importantly however, the world, and therefore the environment within which we work, has changed. The line between consumers and businesses is becoming ever more fuzzy: whether or not companies are giving employees budget for technology purchases, across the board people are using their own equipment, software or online services in the workplace.

The phrase “consumerization of IT” has been coined to describe this phenomenon. Equally, however, we’re seeing the IT-ization of consumers: people are generally becoming more tech-savvy and, in parallel, less tolerant of what they see as inadequate technology. The resulting loss of control is both frustrating for the IT department and creates a wealth of new challenges.

This doesn’t just change the risk landscape, but also how organizations respond to the situations that arise. As the boundaries between people and organisations evolve, IT is having to change how it delivers capabilities to its users. We all know the keywords – dynamic, flexible, agile, responsive. These used to be aspirational qualities; now they are becoming necessary criteria.

To respond to this very different landscape and following an in-depth review of our operations led by the new leadership, we have decided to change the way we do business. Yes, we are merging the division that deals with consumers into a combined structure looking at both individual and small business needs. This doesn’t mean that consumers are any less important to us – simply that it does not make sense for Symantec as a business to focus on them in isolation.

This relentless focus on how people and companies are operating will form a central plank of the Symantec strategy and approach moving forward. During the announcements, it’s what we referred to as “best of need” rather than “best of breed”. Our task is to maintain a clear understanding of how needs are changing and respond accordingly, delivering simple to use, customizable, integrated solutions that can adapt to the evolving requirements of our customers.

While some of these changes may be subtle, Symantec 4.0 represents a shift of mindset – listening rather than telling, aligning rather than directing, horizontally focused across the ecosystems at play, rather than vertically focused on specific product offerings. Over the coming months you can expect a number of announcements showing how this shift will play out. In the meantime, these are indeed interesting times, and we’re feeling pretty excited about the future.


Much More Than a Free 50 Pound Bet


Contributor: Vivek Krishnamurthi

The Cheltenham Festival, also known as the National Hunt Meeting, is a popular horse racing event that occurs every year in March in the United Kingdom. The festival usually coincides with Saint Patrick's Day. This year, the festival is currently in progress and will end on March 15. A large amount of gambling takes place during the Cheltenham Festival, a fact that spammers seem to be well aware of as we are presently observing an increase in online gambling spam.

One particular sample of spam included instructions on how to register a free bet. The link provided in the message directs the user to a form where they can sign up and get a free bet worth up to £50.

Some of the email header information found in this spam campaign includes the following:

  • Subject: Bet on Cheltenham with the Best Odds!
  • From: Cheltenham Festival Bets <xxx@BestWorldOnlinexxx.com>
  • From: xxxCheltenham Festival Betsxxx“ <xxx.@x.greatnewoffersxxx.com>
  • From: xxxCheltenham Festival Betsxxx“ <xxx.@x.ExcellentDealsOnlinexxx.com>

Figure. Cheltenham Festival gambling spam
 

Once the user registers, their personal details are in the hands of the spammers. This situation can be even more alarming if the user shares their banking details. Beware of any fake betting offers from such sites; the reality is you are partaking in much more than a free bet of £50.

Symantec also advises our readers to be cautious when handling any unsolicited or unexpected emails. We are keeping a close eye on spam related to the Cheltenham Festival event, and another upcoming festival—Saint Patrick’s Day.

A special present from spammers for Saint Patrick’s Day


Saint Patrick’s Day is an important holiday in Irish culture and religion. It is celebrated around the world on March 17 and carries particular significance for Irish communities and organizations. Recently, a large number of spam messages related to Saint Patrick’s Day have been observed arriving at the Symantec Probe Network. Many of the spam samples observed advertise bargain offers, car clearance sales among them.

Interestingly, spam emails have been observed that try to deceive users by associating the name of this holiday with a well-known site used for sending and receiving large files. Clicking the link redirects the user to a web page that downloads malicious code; this page exploits several commonly targeted vulnerabilities. The main aim of these spam campaigns is to lure users by invoking Saint Patrick’s Day in the email subject and body. A subject line such as “Patrick[RANDOM NUMBERS]” is one example; be wary of such tactics and do not click the links.

Figure 1. Malicious spam email targeting Saint Patrick’s Day

The website linked from the spam advertises a Saint Patrick’s Day clearance sale.

Figure 2. Saint Patrick’s Day advertising spam

Clicking the [Get Prices] button to see the special clearance prices redirects the user to the next web page, which asks them to select a vehicle model in order to compare prices.

Figure 3. Clearance website comparing prices by vehicle model

After choosing the make and model, the user is redirected to yet another web page, this time presenting a form that asks for personal information such as postal address, email address and payment method. This is clearly an attempt to steal personal information, so caution is required.

Figure 4. Page requesting the user’s personal information

Examples of subject lines observed so far in the Saint Patrick’s Day clearance-sale spam are listed below:

  • St. Patrick's Day clearance, test drive your new car...
  • See Clearance Prices on all XXX Vehicles on St Patrick
  • St Patrick' XXX Clearance
  • See Clearance Prices on all XXX Vehicles on St Patrick
  • 2013 St Patrick XXX Huge Discount - Slashing prices to meet Quotas

The following spam sample uses a fake advertisement to pressure users into buying a product. Clicking the URL redirects the user to a fake website posing as a pharmacy.

Figure 5. Fake pharmacy website

Please exercise caution when handling unsolicited or unexpected emails. Symantec monitors spam 24 hours a day, 365 days a year, so that we can keep you informed about the latest threats.

Enjoy a safe Saint Patrick’s Day.

 

* To subscribe to the RSS feed of the Japanese-language Security Response blog, visit http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja.

How Data Loss Prevention helps PCI-DSS


 

I had the opportunity to read a great post on PCI-DSS! I want to follow up on this topic and focus on implementing and maintaining PCI-DSS with a Data Loss Prevention (DLP) solution.

PCI-DSS is not only a matter of defining controls to satisfy some requirements. It is really important to guarantee that all the effort made to satisfy the requirements will not be undone a few months later because nobody is taking care of cardholder data, or because brand new, unprotected applications are working on this information. I will focus on 3 of the PCI-DSS requirements and on how a DLP solution can help during the cardholder data lifecycle:

  • Requirement 3: Protect Stored Data
  • Requirement 7: Restrict access to cardholder data by business need-to-know
  • Requirement 10: Track and Monitor all access to network resources and cardholder data.

In order to satisfy these 3 requirements, the first tasks to complete are to identify confidential data, understand where they are stored, and understand how they are used.

In the context of respecting PCI-DSS the first item is probably the easiest: we are looking for cardholder data. We will define policies that look for credit card numbers and PANs (Primary Account Number) using regular expressions and ad hoc data identifiers.
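As an added illustration of the kind of data identifier described above (this is example code written for this page, not Symantec DLP’s own identifier or policy syntax), the following Python combines a PAN-shaped regular expression with a Luhn checksum so that order numbers and phone numbers are not reported, and masks each hit so the incident record itself never stores a full card number. The sample text and the test numbers in it are constructed.

```python
import re
from typing import Dict, List

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer digit run (the lookarounds).
# This pattern is constructed for the example, not Symantec DLP's own identifier.
PAN_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: every second digit from the right is doubled
    (minus 9 when the product exceeds 9) and the total must be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits (the usual display rule),
    so the incident record does not become a new repository of full PANs."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[Dict[str, object]]:
    """Return one incident record per Luhn-valid PAN candidate found in text.
    Digit runs that fail the checksum (order ids, phone numbers, typos) are
    dropped, which keeps the raw regex from drowning the reviewer in false positives."""
    incidents = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            incidents.append(
                {"offset": m.start(), "length": len(digits), "masked": mask_pan(digits)}
            )
    return incidents


# Constructed sample: a spaced Visa-format test number, a dashed Mastercard-format
# test number, a 16-digit run that fails Luhn, and a dashed phone number.
SAMPLE = (
    "Order 4421 shipped to cardholder; card 4111 1111 1111 1111 exp 12/26\n"
    "Phone 555-0100-2222, ref 4111111111111112 (typo), alt card 5555-5555-5555-4444\n"
)

if __name__ == "__main__":
    for hit in find_pans(SAMPLE):
        print(hit)
```

Running the block on the sample reports two incidents (the spaced and the dashed test numbers) and nothing for the phone number or the mistyped run. A real policy would add further checks a regex cannot express on its own, such as issuer prefix tables or proximity to keywords like “exp” or “CVV”, but the checksum alone already removes most of the noise.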

While the first task can seem trivial, the second is one of the toughest. Companies believe they know where their confidential data are stored. Unfortunately this is not always true! In most cases they only know some of the places where data are stored: the legitimate (and sometimes protected) repositories. At the same time, during every business day data move to several locations, and IT folks are not always aware of this movement because it involves unmanaged removable drives, cloud storage, employees’ personal emails, etc. This is why identifying and protecting repositories is one of the hardest and most important tasks in confidential data protection projects.

Everyone responsible for confidential information should be able to understand where these data are. This requirement introduces the third item: how are data used? We already said that data are stored in a few known and protected locations and in several unknown and unprotected repositories. How does this happen? In most cases users copy data to wherever they can easily access them. This is why we find confidential information on personal USB keys, in personal emails, etc. In a smaller number of cases users move data to untrusted repositories because they behave as “malicious insiders”: internal users who intentionally expose company information. In order to protect confidential information we must implement controls to educate users and enforce data protection.

After implementing these controls we put our infrastructure in a safe state from a PCI-DSS perspective: we identified where cardholder data are, we learnt how people use these data, and we enforced controls on the information. From now on, in order to maintain PCI-DSS compliance we must keep protecting our data. The following picture shows the required steps. As you can see, these steps are cyclic and need to be run frequently. Let’s go deeper into each of the steps:

 

  • Define PCI-compliant policies. This is done at the first step of the PCI-DSS program. Policies must be reviewed periodically because data management procedures change over time and information can be exposed to new and unexpected risks. At the same time, policies must be reviewed and tuned using information from the reports described below.
  • Remediation: this is one of the most important phases of the data protection process. During the remediation phase the reviewer will be able to understand what happened to the data and provide information on false positives and missed incidents. In some cases remediation can be automated in order to speed up the incident handling process and avoid interruption of business operations.
  • Enforcement: after identifying where the data are stored and how they transit between systems, it is important to enforce data protection. Sometimes this translates into encrypting data in transit or data at rest. In other cases data will be moved to safer locations. Enforcement actions can be taken by the DLP solution or through integration with other applications.
  • Reports: data protection cannot be considered complete without a measurement system that helps understand the status of confidential information and provides input for tuning existing policies and creating new policies that address new requirements.

The periodical execution of these activities provides a dynamic view on confidential information and improves the results of a PCI-DSS program.

Now that we understand how a DLP solution helps achieve PCI-DSS compliance we can come back to the requirements we mentioned above and see how we can address them with Symantec DLP.
Protection of stored data must be split into two parts. The first part is data discovery, which can be translated into the question of where confidential data are. This activity must be run on storage repositories and endpoints with the following objectives:

  • Detection of exposed PANs and magnetic stripes
  • Scan for inappropriately stored cardholder data on laptops, desktops, and workstations

The second part of the protection is the remediation on incidents. This activity will focus on:

 

  • Quarantine data at risk to secure locations
  • Prevent users from inadvertently exposing credit card data
  • Educate users about risk of confidential data exposure
  • Control data flows on network protocols
  • Integrate with encryption software 

In order to guarantee the need-to-know principle for confidential data the administrator of DLP will identify the authorized users that can access confidential information, and create ad hoc policies. An example of policy is "block access to all users except ones belonging to AuthorizedGroup". This control will be implemented using the DLP endpoint agent.

Last requirement we are focusing on is " Track and Monitor all access to network resources and cardholder data". In order to satisfy this requirement we must control data on Network, Storage and Endpoints. Our objectives will be the following:

 

  • Track confidential data network activity
  • Content-aware coverage of all activity including USB, print, fax, email, web
  • Continuous protection even when disconnected from the corporate network
  • Monitor user activity on shares where cardholder data are stored

At the end of this process we should have satisfied three of the twelve requirements of PCI-DSS. There is still a long way to go to achieve and maintain PCI-DSS compliance, with several technical and procedural aspects to cover. I will leave you with some questions:

  • What are the tasks and tools to identify vulnerable systems?
  • How to determine whether the systems that manage confidential information have the correct patching level?
  • How to correlate information from the different protection systems?
  • How to provide high-level dashboards with the status of the infrastructure with respect to PCI-DSS?
  • What about users’ awareness of security risks? How to educate them?

Always disable Trace on SEPM


Hi All,

Good day.

You must disable Trace on SEPM because it is a known problem with SEP; auditing people will usually find the following in the environment.

Error

Error:"Trace method must be disabled, port 8014"

Environment

SEP Version: SEP 12.1
Server Operating System: Windows Server 2008 R2- Standard Edition
 

Cause

- How to disable the Trace?

Solution

- Go to C:\Program Files\Symantec\Symantec Endpoint Protection Manager\apache\conf folder

- Open httpd.conf in notepad and add "TraceEnable off" in the file and save the file.

- It will turn off the Trace.

- Restart the Apache web server and SEPM services from services.msc

As per tech Article TECH173154
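To verify the change rather than trust that the edit took effect, here is a small check written for this page (example code, not part of SEPM or the tech article). It reads httpd.conf text, applies Apache’s rules for the directive (default is on, directive names are case-insensitive, a commented-out line does nothing, and the last occurrence wins), reports the effective value, and appends “TraceEnable off” when needed. The sample config below is constructed; the file path is the one given in the steps above.

```python
import re

# Default location of the SEPM Apache config, taken from the steps above.
SEPM_HTTPD_CONF = (
    r"C:\Program Files\Symantec\Symantec Endpoint Protection Manager"
    r"\apache\conf\httpd.conf"
)

# Apache directive names are case-insensitive; the argument is on|off|extended.
TRACE_DIRECTIVE = re.compile(r"^\s*TraceEnable\s+(\S+)\s*$", re.IGNORECASE)


def effective_trace_setting(conf_text: str) -> str:
    """Return the TraceEnable value Apache will actually apply.
    The built-in default is 'on', a line starting with '#' is a comment,
    and when the directive appears more than once the last one wins."""
    value = "on"
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = TRACE_DIRECTIVE.match(line)
        if m:
            value = m.group(1).lower()
    return value


def trace_disabled(conf_text: str) -> bool:
    """True only when the effective setting is 'off' ('extended' still answers TRACE)."""
    return effective_trace_setting(conf_text) == "off"


def ensure_trace_off(conf_text: str) -> str:
    """Return the config with TRACE disabled. Appending the directive makes it the
    last, and therefore winning, occurrence; compliant text is returned unchanged."""
    if trace_disabled(conf_text):
        return conf_text
    sep = "" if conf_text == "" or conf_text.endswith("\n") else "\n"
    return conf_text + sep + "TraceEnable off\n"


def audit_conf_file(path: str = SEPM_HTTPD_CONF) -> bool:
    """Read an httpd.conf from disk and report whether TRACE is disabled."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return trace_disabled(f.read())


# Constructed sample resembling the config before the fix: the only
# TraceEnable line is commented out, so Apache still runs with TRACE enabled.
BEFORE = (
    "Listen 8014\n"
    "ServerName sepm.example.local\n"
    "# TraceEnable off\n"
)
AFTER = ensure_trace_off(BEFORE)

if __name__ == "__main__":
    print("before:", effective_trace_setting(BEFORE))
    print("after: ", effective_trace_setting(AFTER))
```

Two caveats for real use: the check only reads the file it is given, so a directive inside a file pulled in through an Include line is not seen, and, as the steps above say, Apache has to be restarted before the new setting is live, so an audit should also confirm the running service and not just the file on disk.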

 

Regards

Ajin

Lessons from CyberWar


Last month, Symantec hosted its 2nd annual internal CyberWar Games and I had the privilege of joining Efrain Ortiz, Ben Frazier, and JR Wikes as part of team Avengers. For five days, we worked on limited sleep, grinding our way through the process of hacking systems and applications to capture flags and rack up enough points to secure our team a spot in the finals. Along the way, I made a couple of observations that I thought would be worth passing along.
 
Lesson #1: Vulnerability Scanners LIE!!!
 
…or at least they don’t always tell the full story. If we had believed the results we got back from the vulnerability scans we ran against the systems in the CyberWar environment, we would not have made it very far. You see, our scans showed that there were no “Critical” or high-risk vulnerabilities present on the systems scanned and there were no useful “Medium” or “Low” vulnerabilities. What was interesting is that in some cases, the scan results were accurate – no directly exploitable vulnerabilities existed. In other cases, however, easily exploited vulnerabilities in running services were completely missed by vulnerability scans.
 
If we were the security team responsible for the defense of these systems and relied on vulnerability scans to tell us if we were protected or not, we would have had a very, very false sense of security. Where the automated vulnerability scanners failed, human intelligence and creativity found ways to gain access to sensitive information and, in some cases, full remote control of these systems. The vulnerability scanners completely missed MAJOR application security flaws that allowed us to access and manipulate critical data. They also missed weaknesses in listening APIs and service configurations that allowed us to work our way into the systems.
 
The lesson learned is that there is (at least for now) no substitute for human intelligence when it comes to vulnerability assessment and penetration testing, and that applications cannot be ignored when assessing vulnerabilities. While automated vulnerability scans do serve a very useful purpose, they should be augmented with full-on human penetration testing to ensure proper depth of coverage and accuracy of reporting.
 
Lesson #2: You Need Diverse Skills on Your Penetration Testing Team
 
I don’t think that anyone on team Avengers would claim to be an expert in all aspects of penetration testing and system/application exploitation. In fact, we all have our strengths and weaknesses. What made us successful in the preliminary round was teamwork. 
 
When one of us would get stuck on a particular flag, the level of collaboration and creativity shown by the team was simply amazing. By pooling our collective knowledge and skills, we were able to overcome obstacles that no individual alone would have figured out (at least in the time we had allotted).
 
While there are a few unique individuals who have a mastery of all aspects of penetration testing, they are not the norm. When you are putting together your penetration testing teams, you should make sure that you have a diverse set of collective skillsets represented by the team. Expertise in application security, cryptography, malware analysis, system/network engineering, protocol analysis, and forensics (just to name a few) should be represented.
 
In addition to the diverse set of skills needed, you should also provide a system for collaboration and sharing of information. This will make it easy to engage the full knowledge and skills of the larger team even when they are not directly working on a given set of tests.

NetBackup Accelerator for VMware. A whole new world!


NetBackup 7.6 Beta is currently being tested by a large number of customers. So far the feedback has been very positive, especially with regard to one of its new features: NetBackup Accelerator for VMware.

NetBackup Accelerator reduces the backup time for VMware backups. NetBackup uses VMware Changed Block Tracking (CBT) to identify changes made within a virtual machine. Only the changed data blocks are sent to the NetBackup media server, which significantly reduces the I/O and backup time. The media server combines the new data with previous backup data and produces a traditional full NetBackup image that includes the complete virtual machine files.

Accelerator has the following benefits:

  • Performs full backups faster than traditional backup.
  • Creates a compact backup stream that uses less network bandwidth between the backup host and the server.
  • Accelerator sends only changed data blocks for the backup. NetBackup then creates a full traditional NetBackup image that includes the changed block data.
  • Accelerator backups support Granular Recovery Technology (GRT) for restoring Exchange and SharePoint applications (using a full schedule only).
  • Accelerator backups support instant recovery of virtual machines. If the Enable file recovery from VM backup option on the policy VMware tab is enabled, you can restore individual files from the backup (full or incremental).
  • Reduces the I/O on the backup host.
  • Reduces the CPU load on the backup host.

With the first release of NetBackup 7.6, GRT restores of SharePoint will be supported (Fig1), allowing administrators to restore Site Collection, Library, documents, Webapps.

FIG1

Accelerator VMware backups will be supported for MS SharePoint and MS SQL and only Full schedule types, no Incremental or Differential.

Requirements will be NetBackup 7.6 for Master, Media and Client, Proxy Hosts (SLES or AMD64), VMware ESX version 4.0.3 or greater.

Similarly to file system Accelerator backup, supported since NBU 7.5, the Accelerator backup for VMware will generate a Full image on the storage server using blocks from previous image (Synthetic backups). Only the blocks that have changed are transferred from client to media server.

The Accelerator for VMware does not require any changes to the installation process and the feature is available with the standard NBU installation. As with previous accelerator, it requires NetBackup Data Protection Optimization Option license.

One of the key benefits of the new (in NetBackup 7.5) VIP Policy is the possibility to select the VM to backup, by means of a query. This reduces the risk to miss the backup of a VM if the VMware Administrator does not notify the Backup administrator of the creation of the VM to protect. Fig 2 and Fig3 show the Query builder tab and some of the selectable options.

FIG2

FIG3

Performing a VMware backup using the Accelerator leaves the user shocked by the speed the backup reaches. The screenshot below shows the throughput of the first backup without Accelerator (Fig 4, JOB ID 23 and JOB ID 24).

FIG4

JOB ID 25, 26 and 27 show the speed of the first backup with Accelerator. This is similar to the previous backup, since the first accelerated backup gathers all the information needed to speed up the subsequent backups (Fig 5).

FIG5

The deduplication rate of the first backup was already as high as 54%. The second full backup deduplicated at 98%, drastically reducing the amount of data moved over the LAN.

Accelerator Optimization field this time is populated with 0% since this was the first accelerated backup.

Last, Fig 6 shows the real benefit of the Accelerator: elapsed time goes from around 10 minutes down to 4 minutes.

FIG6

I expect that Accelerator performance and benefits will be much higher in a production environment with powerful machines.

Effective Patch Management for Clients and Servers


Hello Everyone,

I thought I would share this with you all: it is a webcast on Symantec’s best-practice approach to effective patch management for clients and servers.

Effective Patch Management for Clients and Servers

An effective and comprehensive patch management strategy is an essential part of a solid security defense. The vast majority of vulnerabilities exploited by malicious code are ones for which a fix is available from the software vendor. A recent Gartner report stated that “90% of successful attacks occurred against previously known vulnerabilities where a patch or secure configuration standard was already available.” [1] (‘Managing the Next Generation of Client Computing,’ Terrance Cosgrove, Gartner, February 8, 2011)

Attend our webcast to learn how to build and roll-out a complete patch management strategy to:

  • Ensure that Windows, Mac, Red Hat® and SUSE computers are properly patched or updated
  • Maintain visibility into newly released security updates, and automate the detection and facilitate the remediation of vulnerabilities.
  • Ensure that Microsoft operating systems and applications are kept up-to-date with non-security related updates and service packs.

 


Adobe Acrobat Protected Mode and Enterprise Vault FSA


 

With Adobe Acrobat version 10 came a new feature called Protected Mode. It was aimed at improving the security of handling PDF files, and it's a great idea. There is, however, a 'but'. With Protected Mode turned on, Enterprise Vault FSA customers noticed that they were not able to open archived PDF files from the placeholder left behind after archiving. They would get messages saying 'Access denied':

 
A question arose on the Symantec Connect forums the other day about whether Adobe Acrobat 11 exhibits the same issue. The short answer is yes.
 
 

Workarounds:

* Disable Protected Mode
* Use a UNC path rather than a mapped network drive
(both per: http://www.symantec.com/business/support/index?page=content&id=TECH154478)

You can get several flavours of Acrobat (full installers too) from: http://www.softpedia.com/progDownload/Adobe-Reader-Download-2572.html

 

Beware of the trap hidden in a free bet


Contributor: Vivek Krishnamurthi

The Cheltenham Festival is a popular steeplechase horse racing event in the United Kingdom. Also known as the National Hunt Meeting, it is held every year in March. It falls close to Saint Patrick’s Day, and this year it ran until March 15. Large sums are wagered during the festival, a fact spammers seem well aware of, as an increase in online gambling spam is currently being observed.

One spam sample described the steps for taking part in a free bet. Opening the link in the message redirects the user to a form page, and registering there supposedly earns a free bet worth £50.

The header information observed in this spam email is as follows:

  • Subject: Bet on Cheltenham with the Best Odds!
  • From: Cheltenham Festival Bets <xxx@BestWorldOnlinexxx.com>
  • From: xxxCheltenham Festival Betsxxx“ <xxx.@x.greatnewoffersxxx.com>
  • From: xxxCheltenham Festival Betsxxx“ <xxx.@x.ExcellentDealsOnlinexxx.com>

Figure 1. Gambling spam exploiting the Cheltenham Festival


Once the user registers, their personal details are in the hands of the spammers. The situation becomes even more serious if the user also enters online banking details. Be very careful when such sites invite you to bet; in reality, once you have registered, it will not end with a £50 free bet.

Please exercise caution when handling unsolicited or unexpected emails. Symantec continues to monitor spam exploiting the Cheltenham Festival and is keeping the same watch over Saint Patrick’s Day.

 


Android Malware Spams Victim’s Contacts


SMS messages attempting to lure Android device owners to download an app that supposedly allows the camera on the device to see through clothes are circulating in Japan. This type of spam is usually sent by the malware authors themselves, but in this case the authors have developed an app to send the spam messages by SMS to phone numbers stored in the device’s Contacts. This allows the recipients of the spam to be tricked more easily, because the invitation to download the app comes from someone they know rather than from an unknown sender. If a friend is recommending an app, why would you not at least try it out, right?

Figure 1. SMS message sent from a person whose device is compromised

The site the link takes the user to introduces an app called Infrared X-Ray that supposedly allows the user to see through clothes when viewed through the device’s camera and, of course, also allows pictures to be taken.

Figure 2. Screenshot of the page hosting the malicious app

Once the app is executed, details stored in the device’s Contacts are uploaded to a predetermined server. Not surprisingly, the app does not work as advertised; instead, a picture of a man holding up his middle finger and stating that the victim is a pervert is displayed.

Figure 3.“You pervert!”

We have also confirmed that several variants of this app exist, and the latest variants have added an interesting payload: rather than sending SMS messages to the victim’s friends and family, the ultimate goal is to scam the victim with something similar to what is called “one-click fraud” in Japan. While the contact data is being stolen and sent to the malware author, the new variants also download and display registration details for a website hosting adult content. The app no longer attempts to turn the camera on like it did previously. Instead, it displays a splash screen for a second or two before displaying a message stating that registration has completed, and the victim is asked to pay 29,000 yen for the “service”.

Figure 4. Registration details

The app also sends SMS messages detailing the payment. The malware author threatens to contact people found in the victim’s contacts list if the victim doesn’t pay for the “service”. The app continuously displays the registration details and sends SMS messages to the victim’s contacts until the app is uninstalled. In order to make it difficult for the victim to uninstall the app, it removes itself from the launcher after it is initially executed, although it can be removed in Applications under Settings.

Figure 5. SMS message explaining payment details

To stay protected, refrain from clicking links found in messages such as emails and SMS messages from unknown senders as well as suspicious messages from known senders. Furthermore, only download apps from trustworthy vendors. Users who have installed one of Symantec’s security apps, Norton Mobile Security or Symantec Mobile Security, are protected from this threat, which is detected as Android.Uracto. For more general safety tips for smartphones and tablets, please visit our Mobile Security website.

Symantec Intelligence Report: February 2013


The February edition of the Symantec Intelligence report provides the latest analysis of cyber security threats, trends, and insights from the Symantec Intelligence team concerning malware, spam, and other potentially harmful business risks. The data used to compile the analysis for this report includes data from January through February 2013.

Report highlights

  • Spam – 65.9 percent (an increase of 1.8 percentage points since January)
  • Phishing – One in 466.3 emails identified as phishing (an increase of 0.018 percentage points since January)
  • Malware – One in 408.2 emails contained malware (a decrease of 0.11 percentage points since January)
  • Malicious websites – 1,530 websites blocked per day (a decrease of 32.2 percent since January)

Introduction

In the past month we discovered the earliest known variant of the Stuxnet worm, and helped combat the Bamital botnet, which was successfully shut down through a joint Symantec/Microsoft collaboration.

Up until last month the earliest known variant of Stuxnet was 1.001, created in 2009. Last month, we discovered the earliest known version of the Stuxnet worm, Stuxnet 0.5, which stems from 2007. Stuxnet 0.5 allows us further insight into the history and evolution of Stuxnet.

Stuxnet 0.5 differs in form from other known variants as it is based on a different programming platform. Stuxnet 0.5 is partly based on the same platform as W32.Flamer, whereas 1.x versions were based on the Tilded platform. It is also different in that Stuxnet 0.5’s only method of replication is through infection of Siemens Step 7 project files. When a removable drive is inserted in an infected computer, Stuxnet 0.5 will infect any Step 7 project archives with .s7p or .zip file name extensions on the drive.

Stuxnet 0.5 takes control of valves attached to centrifuges, opening and closing the valves at intervals, compromising the integrity of the system as a whole. Version 0.5 works by fingerprinting target computers to determine if it is in the right location before activating the payload. Stuxnet 0.5 also collects instrument readings when the centrifuges are running as normal and, when it is making its attack, displays those readings to the controllers in order to mask its activities. Stuxnet 0.5 differs in that it was designed to attack the centrifuges’ valve system as opposed to 1.x variants which sought to disrupt the operation of frequency converters used to control the speed of the centrifuges.

In other news, Symantec, in partnership with Microsoft, shut down a botnet controlling hundreds of thousands of computers. Bamital, a botnet which in the last two years has compromised more than eight million computers, operated by hijacking search engine results and redirecting them to servers controlled by attackers. Analysis of a single Bamital command and control (C&C) server over a six week period in 2011 revealed over 1.8 million unique IP addresses communicating with the server. The botnet servers have now been shut down, and users of infected computers will be informed of their infection when attempting to search the Internet.

Bamital is an example of click fraud, a highly lucrative endeavor whereby attackers aim to distort the number of clicks on an advertisement or visits to a specific website. By redirecting internet users to corrupt third-party vendors or selling internet traffic through fictitious users, attackers seek to make financial gain from advertising expenditure.

Please download the Symantec Intelligence Report here and feel free to leave any comments or feedback below.

It's All Your Fault!

It’s all your fault, really, it is. Whether through a lack of caring, naivety or a misunderstanding, you executives of companies and leaders of agencies have helped to create an underground ecosystem in which attackers collaborate and coordinate attacks against all of us. It’s time for a change. It’s time that we all realize that good security is good business.

Maybe if I put it this way: do you want your organization to have maximum uptime? Do you want known, manageable long-term costs? Do you want your kid’s identity stolen? It really is that bad; the evidence is in the news daily. We need to change the way you think about information security and its place in your life.

Things are only going to get better when all C-level executives and leaders of governments step up and embrace a strong information security program that reinforces their business goals. So please listen to your information security team and implement the appropriate changes to strengthen your business and protect everyone.

Oh, and some of you security executives: it’s your fault too. Stop proposing every new shiny toy that comes out and focus on the risks that matter most to your organization. That way the rest of the leadership will see that you are focused on the business and its success, not just interested in playing with fun stuff. On the other hand, if the fun stuff addresses a known risk, then you can have your cake and eat it too.

It’s everyone’s job to pay attention to information security and to implement appropriate solutions and practices. Once we get it right at work, we can get it right at home and make a serious dent in attackers’ ability to affect us all.

Symantec’s User Authentication is Visionary

As I settle into my new role here at Symantec in User Authentication and Website Security Solutions, I am pleased to find myself surrounded by passionate people that really care about security, from the customer experience and confidence out through the security ecosystem to end-user education.
 
I’m happy to share that Symantec User Authentication has made a leap into the Visionary quadrant of the high profile Gartner 2013 Magic Quadrant for User Authentication.  We are very proud of this recognition!  If you are a Gartner customer and want to read this report you can access it on Gartner’s web site:  
http://www.gartner.com/DisplayDocument?id=2362415&ref=%27g_fromdoc%27
 
These kinds of accolades are gratifying validation of our work. The report noted some of our new innovations, which include the token-less authentication options in our “Intelligent Authentication” feature set, as well as the traditional OTP hardware tokens and OTP software tokens for mobile phones that many of our customers use.
 
We will continue to innovate and improve our user authentication offerings and hope to do even better in next year’s MQ.  In the meantime, I’m happy that customers are discovering the value our solutions deliver and pleased to see Gartner recognizing our achievements.

We are also the world’s leading certificate authority, and at Symantec we treat the responsibility for securing data in transit as a serious obligation. It is critical that a certificate authority’s top business priorities remain:
1)    The continual hardening of the infrastructure that protects the cryptographic keys
2)    A constant diligence and improvement for our authentication processes that validate identities, and
3)    A dedication to staying ahead of the curve in security trends and innovation
We’re proud of what we’ve accomplished building this business, and I look forward to continued journeys with this successful and industry-leading organization that holds responsibility for trust on the internet.
 

Android.Uracto Used to Trick Mothers, Anime Fans, Gamers, and More

Earlier today, we blogged about Android.Uracto, a malicious app that sends spam SMS messages in an attempt to infect others or to scam users into paying a fee for a non-existent service. Further investigation of the attack has led us to discover more apps prepared by the same group of scammers. So far we have found a total of 10 apps hosted on a few dedicated domains believed to be maintained by the group. The servers hosting the domains appear to be located in Singapore and in Georgia in the United States, and they were still live at the time of writing.
 

Figure 1. Market pages for the 10 apps
 

Though the apps differ in appearance, they break down into three main variants. The first steals the data stored in the device’s Contacts. The second also steals contact details and, in addition, sends SMS messages containing a link to download the malicious app to every contact. The third steals contact details and attempts to scam the victim into paying for fake services.

The apps include ones aimed at mothers raising kids, video game emulators, apps that claim to let users read comics for free, celebrity gossip readers, a fortune-telling app, an adult video viewer, and an app that claims to let the device’s camera see through clothes.
 

Figure 2. Icons of the 10 apps
 

It is unknown at this point how Android device owners are lured to the sites. The sites are reachable by ordinary browsing, but spam could also be used, as that is a common way of luring people into downloading Android threats in Japan.

It appears that some of the apps may have been around for a while: directory listings on the servers hosting the apps indicate that they were hosted there as early as July 2012.
 


Figure 3. Directory listings of the servers hosting the apps
 

One other interesting point is that Android.Uracto shares code with Android.Enesoluty, which is still very much active in the wild, and with Android.Maistealer. We believe Android.Maistealer was created as the prototype for Android.Enesoluty. You can read the following blogs to find out more about this:

Could these malicious apps be maintained by the same group of scammers or was the same developer hired to create malware for two different groups? We’ll continue to investigate this and hope to give you an update at a later date.


Can I get a side of hashtags with that?

Hashtags—or # symbols, such as #SYMCPartners—are digital markers used to identify keywords or topics in a Tweet on Twitter. They were created organically on Twitter by users as a way to categorize and find messages more easily.

According to Twitter:

  • People use the hashtag symbol # before a relevant keyword or phrase (no spaces) in a Tweet to categorize the Tweet and help it show up more easily in a Twitter Search—think of it as you would a keyword entered into a search in Google or Bing—an identifiable word or phrase so you can more quickly find what you’re looking for.
  • Clicking on a “hashtagged” word in any message shows you all other Tweets marked with that tag or keyword.
  • Hashtags can be used anywhere in a Tweet—at the beginning, middle or end.
  • “Hashtagged” words or phrases that become very popular often become “Trending Topics.”
  • If you use a hashtag in a Tweet on a public Twitter account, anyone who does a search for that hashtag can find your Tweet
  • You don’t want to #spam #with #hashtags. In other words, don’t overuse hashtags in a single Tweet; Twitter recommends using no more than two hashtags per Tweet.
  • Only use hashtags on Tweets relevant to the tag being used. In other words, don’t use #gravy in a post about apple pie, unless you’re partial to gravy on your apple pie, in which case….

How Symantec uses hashtags on our partner Twitter account

The Symantec Partners Twitter account uses hashtags to target relevant audiences and create conversations or become involved in conversations around relevant topics.

The following outlines the hashtags used on the Symantec Partners @SYMCPartners Twitter feed. Use it as a guide for which hashtags to use on your own accounts and to find content you’re interested in reading and/or retweeting.

Our Symantec partner hashtag is #SYMCPartners. Appropriate use of this tag and other subject-matter hashtags can help you bring Symantec and our solutions into conversations among you, your customers and your peers.

Symantec and Community Hashtags

  • #SYMCPartners—Used to categorize partner-specific content posted by @SYMCPartners; any content that is directly relevant to partners can be tagged with this hashtag
  • #BetterBackup—Used when promoting Backup Exec 12 content. Note: @BackupExec may also be mentioned in relevant tweets
  • #NetBackup—Used when promoting NetBackup content. Note: @NetBackup may also be mentioned in relevant tweets
  • #BYOD—Used when sharing content related to the Bring Your Own Device theme
  • #SymIntel—Used when sharing content related to the Symantec Intelligence Report
  • #SymISTR—Used when sharing content related to the Internet Security Threat Report
  • #Archiving—Used when sharing content related to Enterprise Vault
  • #Security—May be used when discussing security-related content; typically appended to tweets when space is available
  • #Cloud—May be used when discussing cloud computing-related content
  • #Mobile/#Mobility —May be used when discussing mobile/mobile security-related content and/or mobile devices
  • #Virtualization—May be used when discussing virtualization-related content
  • #SMB—May be used when discussing Small and Medium Sized Business-related content

In some cases, @SYMCPartners uses hashtags in an ad hoc format, for instance if we post content from other teams who have supplied content using a non-standard hashtag. If the hashtag is only expected to be used for a short period of time, it will be used and discarded. However, if the hashtag will be used frequently (for instance, as #BetterBackup now is), then it is built into our ongoing hashtag strategy.

What hashtags do you like to use for your own tweets? What tags do you think we should add to our list?

_______________________________________________________________________________________________________________________________

See the complete Symantec Partner Social Media Series

 

Benchmarking IE6 Virtualization: VMWare ThinApp vs. Symantec Workspace

At Nektra we have done a performance comparison of virtualizing IE6 on Windows 7 with VMWare ThinApp and Symantec Workspace Virtualization.

You can read the full article in our blog: Benchmarking IE6 Virtualization: VMWare ThinApp vs. Symantec Workspace

We used SpyStudio to compare ThinApp and Workspace Virtualization performance. Both Symantec and VMWare highlight application virtualization as a way to run legacy web applications. There is a huge number of mission-critical web applications that only run correctly on Internet Explorer 6, and while companies may be able to afford the cost of migrating those applications to modern browsers, they cannot afford even a short application interruption. Virtualization lets companies keep running their legacy applications while moving to more modern technology.


Symantec’s Brian Burch, Jay Epton and Steve Cullen Named to the SMB 150 Channel Influencers List

The SMB community plays a vital role in a healthy economy. Growing a small business presents a variety of challenges, particularly when it comes to selecting the right technologies. The explosive growth of data, the use of mobile devices in the workplace (BYOD), as well as cloud and virtualization technologies are creating a seemingly endless array of technologies to choose from for SMBs. Symantec understands the challenges these choices present and is committed to providing the solutions that are cost-effective, easy to deploy and provide the best possible user experience.

Leading this charge are Symantec executives from around the globe. Having three Symantec executives named to the SMB 150 Channel Influencers List is an honor for Symantec and speaks to our dedication to the SMB community. We are proud that Brian Burch, vice president of Americas Marketing for SMB at Symantec; Jay Epton, director of SMB & Distribution Sales for the EMEA Northern Region; and Steve Cullen, who most recently served as Symantec's senior vice president of Worldwide Marketing for SMB and Symantec.cloud, have been named to the SMB 150.

Brian has worked for several years with a focus on serving the SMB community. At Symantec he leads the marketing efforts dedicated to helping the tens of millions of SMBs in the U.S., Canada and Latin America protect the information that is the lifeblood of their business. Jay has been with Symantec for over a decade and has driven a variety of SMB and channel programs throughout the European market, as well as leading Symantec’s Managed Service Provider (MSP) strategy for Symantec in EMEA. Steve was responsible for leading the charge of creating brand awareness and driving global and regional demand generation activities and partner enablement programs.  

The third annual SMB 150, which is a collaboration between SMB Nation and SMB Technology Network, is the SMB technology channel's annual list recognizing the 150 most influential members. The SMB 150 Channel Influencers List was selected by a two-phase voting process. The community vote accounted for 40 percent of each nominee's overall rating, with the expert panel's decision contributing the remaining 60 percent. SMB Nation and SMB Technology Network will host the SMB 150 Awards Gala on May 4, 2013, during SMB Nation’s Spring Conference at the Microsoft Conference Center in Redmond, WA.  

Symantec is proud to have Brian, Jay and Steve named as part of the SMB 150.

IT Justice League, assemble! Part 1 of 2

Greetings, earthlings. I’ve been enjoying some much-needed R&R off the grid for the first time since beginning our U.S. tour last October.

A thrilling trip to Las Vegas in December left my circuits fried, but our most recent jaunt, to the 3rd Annual Red Hat Partner Conference North America, was enough to put me into a post-failover coma. In San Diego from Jan. 14 through 16, our team dazzled conference attendees with the fruits of our Silver Sponsor collaboration with Red Hat.

Meet the super friends

Director of Product Management Tom Harwood delivered a keynote session on the first day, explaining how employing the Red Hat Enterprise Linux data center basically enables you to create your own virtual Justice League.

Stick with me on this one: Let’s say that your business is Batman, Symantec is Flash, Oracle is Green Lantern, Veritas Cluster Server is Wonder Woman and Gartner is Aquaman. That makes Red Hat the Martian Manhunter. Each one is forceful on its own … but together? Simply invincible.

Having had such a stellar experience collaborating with Red Hat Enterprise Linux data centers, my nodes were tingling with glee as our team awakened attendees to a universe of possibilities. Perhaps the biggest draw is Veritas Cluster Server’s enterprise-grade application protection in the form of wide-area disaster recovery.

Just how wide can a disaster recovery area be?

In my video, you watched data fail over to the data center on the roof. But what about a distance of 238,900 miles, an attendee wondered. Can we really fail over to the moon? Absolutely!

Veritas Replicator provides asynchronous software data replication, or integration with hardware replication solutions, for failover across 100 kilometers or more. Your data isn’t disappearing on our watch!

We know this because Symantec’s and Red Hat’s aligned engineering teams have conducted rigorous mutual testing of the joint solutions. Businesses have access to our aligned support departments via TSANet, as well as to shared reference architectures, white papers and best practices.

Recovery recon and simple scripts

Natural disasters, like alien attacks, are rarely something that a business can plan for. You don't invest in a product with the expectation that it’ll eventually stop working – you take precautions to ensure that you’re prepared for when that day comes. You wouldn't take the Batmobile on a high-speed chase without having Lucius Fox routinely check to ensure that the oil in the engine was fresh. That’s where disaster recovery testing comes in. You need it, plain and simple.

Further, Veritas Cluster Server deploys DR with fast, efficient and out-of-the-box agents for apps, DBs and replication. This is good for your business for several reasons, including the obvious avoidance of potential human error with manual scripting. You know what happens when you send a human to do a datacenter’s job? Someone gets thrown off the roof, that’s what.

But I digress. With reduced reliance on personnel during such incidents, and reduced system resource utilization, your dollars and data resources are freed up for other processing. In single instance Oracle databases, recovery takes less than a minute.

Alas, I must recharge before our next mission to Orlando, but this story isn’t over yet.

Check back next week to hear about how Dynamic Multi-Pathing can maximize your data center investment, like it did for a major U.S. government agency.

Android Malware That Spams the Victim’s Contacts

SMS messages are circulating in Japan that lure users with the promise of an app that lets the camera on an Android device see through clothing. Spam of this kind is normally sent by the malware author, but this author developed an app that sends the spam SMS messages to the phone numbers stored in the victim’s contacts. Because the invitation to download the app arrives from an acquaintance rather than a stranger, it is perhaps no surprise that people believe it: an app recommended by a friend is one you might at least try out.

Figure 1. SMS message sent from an infected device owner’s phone

Tapping the link leads to an app named “Infrared X-Ray”, which claims to let the device’s camera see through clothing and even take photos that way.

Figure 2. Screenshot of the page hosting the malicious app

When the app runs, the information stored in the device’s contacts is uploaded to a predetermined server. Naturally, the app does nothing like what it advertises; all it displays is a photo of a man raising his middle finger and calling the user a pervert.

Figure 3. “You pervert!”

Several variants of this app have been confirmed, and the latest adds an interesting payload. Instead of sending SMS messages to the victim’s friends and family, it tries to defraud the victim in the same way as the “one-click fraud” scams known in Japan. It still steals contact data and sends it to the malware author, but this new variant downloads and displays registration information for a website hosting adult content. Unlike the earlier variants it does not try to turn on the camera; it shows a splash screen for a second or two and then displays a message saying that registration is complete, together with a demand for 29,000 yen as a “service usage fee”.

Figure 4. Registration information

At the same time, an SMS message with detailed payment instructions arrives. The message threatens that, unless the “usage fee” is paid, the friends and acquaintances in the contact list will be contacted. The app keeps displaying the registration information until it is uninstalled and does not stop sending SMS messages to the victim’s contacts. To make uninstalling harder, it removes itself from the launcher after the first launch, but it can still be removed from Settings > Applications.

Figure 5. SMS message with payment details

To protect your device and your information, avoid clicking links in suspicious emails, SMS messages and the like, whether they come from unknown senders or from people you know, and only download apps from trusted vendors. Customers who have installed Symantec security apps such as Norton Mobile Security or Symantec Mobile Security are protected from this threat, which is detected as Android.Uracto. For general tips on keeping smartphones and tablets safe, see the mobile security website (in English).
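This post and the earlier Android.Uracto post on this page describe apps that do the same thing under different disguises: read the contact list, upload it to a server and, in the spreading variant, send an SMS with a download link to every contact, all inside an app sold as a camera trick, comic reader or fortune teller. That mismatch between what an app claims to be and what it asks permission to do is visible in its manifest before anyone runs it. The following triage script is an added example written for this page; it is not Symantec’s detection logic and not the real Android.Uracto manifests, which the page does not reproduce. The permission combinations it looks for are inferred from the behaviour described above, and the two manifests are constructed samples (the package names and activity names are made up).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS  # the android:name attribute, namespace-qualified

# Sensitive permissions and what each lets an app do. The combinations checked in
# triage() are inferred from the behaviour described in the posts (assumption: the
# real Android.Uracto manifests are not reproduced on the page).
SENSITIVE = {
    "android.permission.READ_CONTACTS": "read the address book",
    "android.permission.SEND_SMS": "send SMS without the user composing them",
    "android.permission.INTERNET": "talk to a remote server",
    "android.permission.RECEIVE_BOOT_COMPLETED": "start itself after a reboot",
}


def parse_manifest(xml_text: str) -> dict:
    """Extract package name, requested permissions and launcher activities from a
    decoded (plain-text) AndroidManifest.xml, such as apktool produces."""
    root = ET.fromstring(xml_text)
    permissions = {p.get(NAME) for p in root.iter("uses-permission")}
    launchers = [
        act.get(NAME)
        for act in root.iter("activity")
        if any(c.get(NAME) == "android.intent.category.LAUNCHER"
               for c in act.iter("category"))
    ]
    return {"package": root.get("package"),
            "permissions": permissions,
            "launchers": launchers}


def triage(manifest: dict, expected: set) -> list:
    """Return findings: sensitive permissions the app's advertised purpose does not
    justify, plus permission combinations matching the variants described above."""
    perms = manifest["permissions"]
    findings = ["unexpected %s: can %s" % (p, why)
                for p, why in SENSITIVE.items()
                if p in perms and p not in expected]
    if {"android.permission.READ_CONTACTS", "android.permission.INTERNET"} <= perms:
        findings.append("contacts + network: matches the contact-stealing variant")
    if {"android.permission.READ_CONTACTS", "android.permission.SEND_SMS"} <= perms:
        findings.append("contacts + SMS: matches the variant that spams every "
                        "contact with a download link")
    return findings


# Constructed sample manifests (package and activity names are made up).
XRAY_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.xraycam">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Infrared X-Ray">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plaincamera">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Plain Camera">
    <activity android:name=".CameraActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

# What a camera-trick app plausibly needs; any sensitive permission beyond this is suspect.
CAMERA_APP_EXPECTED = {"android.permission.CAMERA"}


def demo() -> dict:
    """Triage both constructed manifests as if each were a camera app."""
    return {
        "xray": triage(parse_manifest(XRAY_MANIFEST), CAMERA_APP_EXPECTED),
        "benign": triage(parse_manifest(BENIGN_MANIFEST), CAMERA_APP_EXPECTED),
    }


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, findings or ["nothing suspicious"])
```

The expected set is the analyst’s judgement of what the app’s advertised purpose needs; the script only surfaces the gap. Hiding the icon from the launcher after the first run, described above, happens at runtime and is not visible in the manifest, so this check covers what the app declares up front and nothing more.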

 

* To subscribe to the RSS feed of the Japanese-language Security Response blog, go to http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja.
