Channel: Symantec Connect - Blog Entries

Android.Uracto Also Targets Mothers, Anime Fans, and Gamers


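As reported in our previous blog, a malicious app called Android.Uracto sends spam SMS messages either to spread the infection or to trick users into paying fees for a nonexistent service. Further investigation of this attack revealed that the same scam group has prepared a number of additional apps. So far, a total of 10 apps have been confirmed to be hosted on several dedicated domains that appear to be managed by this group. The servers hosting the domains appear to be located in Singapore and in the US state of Georgia. They are still active at the time of writing.

Figure 1. Market pages of the 10 apps

Although the apps all look different, they fall into three basic variants. The first type steals the data registered in the device's contacts. The second also steals contact information but, in addition, sends SMS messages containing a download link for the malicious app to all contacts. The third steals contact information while attempting to trick the victim into paying fees for a fake service.

The apps present themselves as everything from a childcare support app for mothers to a video game emulator, an app for reading manga for free, an app for reading celebrity gossip, a fortune-telling app, an adult video viewer, and an app that claims to let the device's camera see through clothes.

Figure 2. Icons of the 10 apps

At present, it is not known how Android device users are led to these sites. Users may come across the sites while browsing the Internet, but spam is most likely being used, because in Japan most cases in which users are lured into downloading Android threats involve spam.

Some of the apps appear to have been in circulation for some time; the directory listing of the server hosting the apps shows that the earliest were hosted on the server in July 2012.

Figure 3. Directory listing of the server hosting the apps

Another point worth noting is that Android.Uracto shares code with Android.Maistealer and Android.Enesoluty, which remain very active today. Symantec believes that Android.Maistealer was created as a prototype of Android.Enesoluty. For details, please read the following blogs.

Are all of these malicious apps operated by the same scam group? Or has the same author been hired to supply malware to two groups? Symantec will continue to investigate and will provide the latest information.

* To subscribe to the RSS feed of the Japanese-language Security Response blog, visit http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja.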


Pope Themed Spam Attacks Lead to Malware


Contributor: Saurabh Farkade

The Vatican City has been in the news a lot in the past few weeks due to Benedict XVI’s resignation and the election of Pope Francis. Spammers have picked up on this opportunity for spreading malware.

Symantec Security Response has observed attackers distributing spam which leads users to a site hosting the Blackhole Exploit Kit. The good news is, Symantec customers are protected and this threat is detected as Blackhole Toolkit Website.

The spam email alleges to be from a well-known news channel. The following subject lines are used in this attack:

  • Subject: Opinion: Can New-Pope Benedict be Sued for the Sex Abuse Cases? - [REMOVED]
  • Subject: Opinion: New Pope, Vatican officials sued over alleged sexual abuse! - [REMOVED]
  • Subject: Opinion: New Pope Sued For Not Wearing Seat Belt In Popemobile... - [REMOVED]

The domains used in the email have all been recently registered. Clicking on the link contained in the email directs the user to a compromised website that hosts the payload. The following is a screenshot of the malicious email:

Abusing the popularity of a well-known news agency increases the chances of a successful attack. However, Symantec customers are protected from this threat by multilevel protection. We advise our readers not to open unsolicited news emails and to keep their security software up-to-date in order to stay protected from online threats.

Exchange Server on Trial at Symantec Vision – What?!!


Vision Las Vegas 2013 will offer a wonderful opportunity for you to catch up on all things Symantec. During the many breakout sessions, we will educate you on various aspects of the Symantec product portfolio, but for sheer entertainment AND education, you have to attend session 1A B27, “Exchange Server on trial for crimes against archiving and eDiscovery”, to be presented by the dynamic Symantec duo of Alex Brown and Shawn Aquino, whose “Hangover 2.5” breakout scored the highest ratings among all Vision Las Vegas 2012 sessions last year.

Why? Justice needs to be served.

Intended for IT administrators and IT managers considering the built-in archiving and eDiscovery capabilities of Exchange 2010 or Exchange 2013, the session will highlight that these built-in capabilities are not good enough for most customers. Moreover, we feel Microsoft's messaging in this area could be detrimental to your overall Exchange environment. You’ll hear testimony and see evidence to support this position, in the areas of Platform and Migration, End User Experience, eDiscovery, PST Migration and Storage. And in the end, with a mighty crack of his gavel, you’ll hear the judge render his verdict.

So, if you’re attending Vision Las Vegas 2013, mark your calendar for Tuesday, April 16th at 1:15 pm and plan on catching session 1A B27. Seriously. You’ll laugh. You’ll learn. You’ll be entertained. And you’ll leave significantly more informed.


Silicon Valley Tests Its Cyber Readiness at Symantec Competition


Symantec brought its Cyber Readiness Challenge to the Silicon Valley on March 13, 2013 where more than 50 participants gathered at the Computer History Museum (how appropriate!) to engage in the evening’s friendly competition. This event series promotes discussions about the evolving cyberthreat landscape with the objective of helping organizations mitigate risk and maintain their security posture. Symantec previously hosted games all over the U.S., including Dallas and Chicago.

The evening began with a keynote presentation by Kevin Haley, director of Symantec Security Response, that covered some key trends in the evolving and sophisticated nature of today’s threat landscape. Highlights included ransomware trends, mobile threats (including a fake app that purports to turn your phone into a solar panel), and current examples of targeted attack techniques. Then the games commenced with Symantec’s Cyber Readiness Challenge, an interactive competition set in a ‘capture the flag’ style environment and designed to have users with varying levels of technical acumen perform a series of tasks attacking and defending simulated data centers (similar to that of a hacker attempting to infiltrate an organization).

Competing for both cash prizes as well as for bragging rights among their technical peers, the participants enjoyed the game as it unfolded throughout the evening. The winner of the $2,500 grand prize was Kyle Osborn using the player handle “KOS.” Other victors at the event include second place winner David Tomaschik (player handle: Matir) and third place winner Joshua Chin who played as axesslan. Chin is the first repeat winner in the Challenge series. Previously, he took second place at Symantec’s Cyber Readiness Challenge in Irvine, California. This Challenge also marked the first time that all three winners reached Level 3 of the game.

According to Kevin Haley, “Bringing the Cyber Readiness Challenge to the Silicon Valley was enormously gratifying. This audience had a lot of fun with the attack scenarios in the game and let us know that they feel wiser about protecting their own organizations after walking a few hours in the attackers’ shoes.”

Insight, a Symantec Platinum National Partner, sponsored the event and contributed a Kindle Fire to the mix of prizes for participants. As one of the world’s largest software resellers, Insight has the ability and expertise to deliver software solutions worldwide; as such, the company understands the increasingly vital role software plays in the IT environment of organizations.

Over the next few months, Symantec will host additional Cyber Readiness Challenges in New York City and Nashville, Tennessee.

Need Help Understanding Solid State Performance?


Although solid-state continues to be touted as a way to address storage bottlenecks for running performance-intensive applications, enterprises are struggling with how to implement the technology in an optimized manner. Though the benefits of solid-state are great, they cannot be fully realized or accomplished unless paired with enterprise-grade data management software in order to optimize their available capacity, and provide high levels of data protection and continuous application availability. This also helps to cost-effectively make use of available tiers of storage. Symantec’s Veritas Storage Foundation can help alleviate these issues because it increases visibility, is automated, efficiently stores data, and provides dynamic storage tiering. To learn more about how Symantec storage solutions can help your company or organization reap the benefits of solid-state technology, check out this article: http://bit.ly/Y4jiAR   

 

The New Black: Facebook Black Scam Spreads on Facebook


Yesterday, Facebook users may have noticed an influx of their friends posting about something called Facebook Black.
 

Figure 1. Facebook photo plugging “Faecbook” Black (notice the typo in this image)
 

Similar to previous scams, users are tagged in a picture that contains a link to an external website. In this case, the link is found within the comments instead of the description field (Figure 1).
 

Figure 2. Iframe is used to redirect the user to the landing page, briefly displaying this page
 

If a user clicks on the Facebook link, they are redirected to a Facebook page. This page contains an iframe (Figure 2) that goes through a series of redirects and ultimately lands on a page promoting Facebook Black (Figure 3).

Some of the sites we have observed leading to the Facebook Black landing page include:

  • photocurious.com
  • phototart.com
     

Figure 3. Facebook Black Page
 

Users are then enticed to install a Google Chrome extension (Figure 4).
 

Figure 4. Fake Chrome extension for Facebook Black
 

The extension is used to download two JavaScript files that are hosted on Amazon’s Simple Storage Service, Amazon S3 (Figure 5).
 

Figure 5. Extension downloads more files
 

These JavaScript files are used to keep the scam spreading through each victim’s account. It does so by creating a new Facebook page on the victim’s account, which includes an iframe to the page that will redirect users to the Facebook Black landing page (Figures 6 and 7).
 

Figure 6. User account contains a new page
 

Figure 7. Newly created Facebook page contains iframe redirect (Welcome tab)
 

Ultimately, users that install this Facebook extension will be presented with a set of survey scams (Figure 8), which is how the scammers monetize these types of campaigns.
 

Figure 8. Survey scam pushed after extension is installed
 

Symantec customers are protected against this attack by our Web Attack: Fake Facebook Application 3 IPS signature and we detect the fake Chrome extension as Trojan Horse.

Google has already removed several of these Chrome extensions and continues to improve their automated detections for malicious extensions. Users that may have been tricked by this scam should uninstall the Chrome extension and delete the Facebook page that was created.

Office 2010 Packaging Guide For the Training on 3/19/13


How to exclude wildcard filenames from Enterprise Vault FSA


 

There are many organisations that want to implement File System Archiving, and each and every one seems to have an odd request that they want to see accomplished during the evaluation of their archiving strategy. Usually it's straightforward enough, such as not archiving items with a particular file extension. FSA with Enterprise Vault can easily do that. An odd one, though, is not archiving files based on a partial filename match.

For example you may not want to archive files that have 'JET' in their filename. You can do that with Enterprise Vault, by creating a rule like this:

1. Edit the Folder Policy for the place that you want to make the exclusion.

2. On the Rules tab add a new rule, and make sure the rule type is 'Do Not Archive'

3. Make sure the rule is high up in the list, before any rules that actually do some archiving

4.  And that’s it.  When the archiving task runs, you’ll see entries like this in the report file which is generated:

 
30/01/2013 21:34:37 | \\FS01.ev.local\Data\fredJet123.txt | .txt | 6 | Default FSA Folder Policy | Exclude JET | DONOTARCHIVE

It's 2013 For Goodness Sakes!


You know, it’s 2013 and we still have this issue of employees believing that corporate data is their own to do with as they please. In a recent Ponemon survey report ~two thirds of employees believe this to be true. Unfortunately, this is an incredibly big problem going forward with the advent of Cloud and Mobility. We now have more places that data can be placed than ever before and, more importantly, without the employers’ knowledge in most cases. So, the question is this! Why is security awareness failing to meet the mark after all these years?

Well, there may be a couple of different answers to this question: 1) It’s possible that most companies don’t understand the value of the information they have and, hence, aren’t training employees (properly) about their responsibilities regarding corporate information; or 2) Companies still don’t see security awareness as an important element of driving employee conduct in their organizations.

I’ve been in information security for a while now and this issue of employee security awareness still mystifies me that there’s either not enough of it or that it’s even occurring in companies – even regulated ones. The simple answer is that employees don’t own the data created, used, processed or even disposed of, even if the employee had a hand in the creation of that information. Unless of course the employee and company had a specific agreement in place that stipulated ownership to the employee – rare, even in the most extreme cases.

There are too many options for employees to copy or otherwise take information and move it to a place where they can use it down the road. Cloud and Mobile exacerbate this issue given the ease by which information can be moved or copied without anyone’s knowledge. Many companies today are still trying to catch up with data monitoring and discovery just within their own networks let alone as the data moves outside the company.

So, what to do? Well, companies could continue to stick their heads in the sand and claim blissful ignorance, claim this is a chicken and egg problem whereby if they don’t have the ability to effectively monitor information theft, then there’s no use in creating employee awareness, or they could just simply create another responsibility for Human Resources to conduct employee security awareness training as a key part of all employee awareness training and do this at new hire and on an annual basis. AND, if you have some budget, look into creation of a Data Loss Prevention program to at least monitor where your data is going and also to help remind employees automatically when they’re violating policy.

My key message to companies out there! It’s bad enough that hackers and attackers are stealing your information; do you want your employees to add to this problem? Implement basic security awareness training and implement basic solutions that can help remind employees of their responsibilities.

Blackhole Exploit Kit Takes Advantage of Cypriot Financial Crisis


In recent days, the European Union (EU) financial crisis has taken a dramatic turn. Cyprus, one of the EU's smallest member states by population, announced plans to impose a one-off levy of up to 10 percent on ordinary bank deposits. Banks across the island state have been closed while the unprecedented measures are debated in the country's parliament. Meanwhile, anxious bank account holders—ordinary people, not bond holders or investors in Cypriot banks—await news of what will happen to their savings.

The notorious Blackhole Exploit Kit, previously featured in several posts on this blog, has started exploiting the public concern about this situation by sending out emails claiming to be news stories related to the unfolding situation.

Figure 1. Blackhole Exploit Kit malicious email

The message claims to be from the British Broadcasting Corporation (BBC) news site's article recommendation service. The sending address has been spoofed, as have certain BBC recommendation message headers.

These messages link to a landing page with the title "Cyprus Crysys [sic] - BBC" that pretends to actually be from the British Broadcasting Corporation. This page also states: "You will be redirected to news".

Figure 2. Blackhole Exploit Kit's fake BBC news landing page

The page actually redirects to a familiar Blackhole Exploit Kit page which attempts several exploits, targeting vulnerabilities in Adobe Flash Player, Adobe Acrobat Reader, and Java. After several seconds, a timer function is run which then redirects the user to the real BBC website.

Figure 3. Blackhole Exploit Kit's obfuscated JavaScript targets vulnerabilities

As mentioned, Cyprus is one of the smallest member states in the EU, but events there have broader implications. Many people in Greece moved money to Cyprus during Greece's recent financial and political instability, believing their money would be safer there. Cyprus is also a popular offshore center for Russian business.

The parliament in Cyprus has since rejected the proposed tax, and a prominent North American bank is now being used as social-engineering content for new Blackhole Exploit Kit emails—demonstrating how quickly malware authors can respond to current affairs.

Symantec.cloud has identified more than 50 compromised websites redirecting to this latest Blackhole Exploit Kit social-engineering attack.

South Korean Banks and Broadcasting Organizations Suffer Major Damage from Cyber Attack


It has been reported in the media that several South Korean banks and local broadcasting organizations have been impacted by a cyber attack.

The attack included the defacement of a Korean ISP/telecoms provider and also the crippling of servers belonging to a number of organizations.

The defacement displays an elaborate animated Web page with sound effects, showing three skulls, and includes a message by the claimed attackers calling themselves the “Whois” team.

The attack was first noticed when a number of websites began to experience problems. Customers of banks could not access their online accounts and reports of other sites being down began to surface. While specific details are not known at this time, it has been reported that a number of sites affected had their hard drives wiped leaving the affected computers in a crippled state.

Symantec detects the suspected malware as Trojan Horse/Trojan.Jokra and WS.Reputation.1.

We are currently performing detailed analysis of it.  At this time, we can confirm that the malware performs the following actions:

  • Creates a file mapping object to reference itself using the name: JO840112-CRAS8468-11150923-PCI8273V
  • Kills two processes relating to local antivirus/security product vendors:
    • pasvc.exe
    • clisvc.exe
  • Enumerates all drives and begins to overwrite the MBR and any data stored on each drive by writing either the string “PRINCPES” or “HASTATI”. This will wipe all contents of the hard disk.
  • The threat may also attempt to perform the same wiping actions on any drives attached or mapped to the compromised computer.
  • Forces the computer to reboot by executing “shutdown -r -t 0”, which renders the system unusable as the MBR and the contents of the drive are now missing.
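A triage check for the MBR overwrite described in the list above, as an added example that is not Symantec's code: it classifies the first sector of a raw disk image and counts how many sectors carry either marker string. The sample images are constructed, and filling a sector by repeating the marker is an assumption about the on-disk pattern, not something the analysis states.

```python
import io

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"               # bytes 510-511 of an intact MBR
WIPE_MARKERS = (b"PRINCPES", b"HASTATI")   # strings named in the analysis above


def classify_sector(sector):
    """Classify one 512-byte sector taken from a raw disk image."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a full %d-byte sector" % SECTOR_SIZE)
    # A marker anywhere in the sector outranks every other verdict.
    for marker in WIPE_MARKERS:
        if marker in sector:
            return "wiped:" + marker.decode("ascii")
    if sector[510:512] == BOOT_SIGNATURE:
        return "valid-mbr"
    if sector.count(0) == SECTOR_SIZE:
        return "zeroed"
    return "unknown"


def triage_image(stream, max_sectors=2048):
    """Return (sector0_verdict, sectors_with_marker, sectors_read)."""
    verdict = None
    hits = 0
    read = 0
    while read < max_sectors:
        sector = stream.read(SECTOR_SIZE)
        if len(sector) < SECTOR_SIZE:
            break  # end of image, or a trailing partial sector
        result = classify_sector(sector)
        if read == 0:
            verdict = result  # sector 0 is where the MBR lives
        if result.startswith("wiped:"):
            hits += 1
        read += 1
    if verdict is None:
        raise ValueError("image is shorter than one sector")
    return verdict, hits, read


def make_filled_sector(marker):
    """Constructed sample: one sector filled by repeating the marker (assumed pattern)."""
    return (marker * (SECTOR_SIZE // len(marker) + 1))[:SECTOR_SIZE]


# Constructed images, not captured data: an intact (empty) MBR followed by
# zeroed sectors, and three marker-filled sectors followed by one zeroed sector.
CLEAN_IMAGE = bytes(510) + BOOT_SIGNATURE + bytes(SECTOR_SIZE * 3)
WIPED_IMAGE = make_filled_sector(b"PRINCPES") * 3 + bytes(SECTOR_SIZE)

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_IMAGE), ("wiped", WIPED_IMAGE)):
        print(name, triage_image(io.BytesIO(image)))
```

To run it against an acquired image, open the file in binary mode and pass the handle to `triage_image`.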

The results of the disk wiping actions are consistent with the major outages reported in that region. Disk wiping is not a new activity; in a separate incident in August 2012, a number of Middle Eastern organizations were hit by the W32.Disttrack (Shamoon) threat, which caused a similar type of damage by wiping hard disks.

There are currently no indications of the source of this attack or how the attackers infiltrated the affected parties. The real motives of the attack are also unclear but in recent times there has been a ramping up of political tensions in the Korean peninsula and these attacks may be part of either a clandestine attack or the work of nationalistic hacktivists taking issues into their own hands.

Symantec will publish further information as it becomes available.

TeamSpy: Backdoor to the Viewer


Today, the Laboratory of Cryptography and System Security (Crysys) at Budapest University of Technology and Economics released their research around a targeted attack they have identified, named TeamSpy. Symantec has had protections in place for this threat since 2011, and we currently detect this threat as Backdoor.Teambot. We also have the following IPS protections in place:

  • System Infected: Backdoor.Teambot Activity
  • System Infected: Backdoor.Teambot Activity2

This attack abuses the popular TeamViewer remote administration tool to control the malware running on victim machines. The Trojan packages the legitimate application along with a malicious DLL and uses an encrypted configuration file containing parameters to communicate with a command-and-control (C&C) server.

And Backdoor.Teambot has evolved during the past two years. The most current version has been observed with modules performing significantly more surveillance, for instance. The code found on the C&C server also shows minor modifications to support changes in communication techniques.

Based on our data since 2011, a number of countries have been impacted by this threat.
 

Figure 1. Countries affected by Backdoor.Teambot
 

A control panel on one of the C&C servers displays a list of compromised clients along with information about their TeamViewer credentials.
 

Figure 2. Backdoor.Teambot C&C server control panel
 

We also observed compromised machines from as early as 2011.
 

Figure 3. Some Backdoor.Teambot 2011 compromised machines
 

To ensure that your machine is protected from Backdoor.Teambot and other threats, please ensure that your computer has the latest patches installed and that you have the most up-to-date antivirus definitions installed.

March 20 Workspace Virtualization & Streaming Webcast - Recording


Thanks to all who attended today's Webcast focused on "How to Virtualize Microsoft Office".

Special thanks to Jordan Sanderson for his great presentation! Slides from today's webcast are attached to this blog.

Download or play the webcast recording here:
https://symantec.webex.com/symantec/lsr.php?AT=pb&SP=EC&rID=58374262&rKey=cb5252553610c7f7

Also, be sure to check out these links:

Our next webcast will be in May. More details coming soon!

Remote Linux Wiper Found in South Korean Cyber Attack


Earlier today we published our initial findings about the attacks on South Korean banks and local broadcasting organizations. We have now discovered an additional component used in this attack that is capable of wiping Linux machines.
 


Figure 1. Bash wiper script targeting remote Linux machines
 

The dropper for Trojan.Jokra contains a module for wiping remote Linux machines. We do not normally see components that work on multiple operating systems, so it is interesting to discover that the attackers included a component to wipe Linux machines inside a Windows threat. The included module checks Windows 7 and Windows XP computers for an application called mRemote, an open source, multi-protocol remote connections manager. The mRemote application keeps a configuration file for saved connections at the following path:

%UserProfile%\Local Settings\Application Data\Felix_Deimel\mRemote\confCons.xml
 

Figure 2. Parsing mRemote path information
 

The dropper for Trojan.Jokra parses this XML file for any connection with root privileges using the SSH protocol. It then extracts the parameters used in the connection.
 

Figure 3. Parsing mRemote configuration file connection details
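An audit of the exposure described above, as an added example that is not Symantec's or mRemote's code: it walks a confCons.xml file and lists the saved connections that log in as root over SSH, which are the entries the dropper looked for. The sample file is constructed, and the attribute names (Type, Username, Password, Hostname, Protocol, Port) are an assumption about mRemote's saved-connection format.

```python
import ntpath
import os
import xml.etree.ElementTree as ET

# Constructed sample, not a real configuration. Attribute names are assumed
# to match mRemote's saved-connection format; hosts use documentation ranges.
SAMPLE_CONFCONS = """\
<Connections Name="Connections">
  <Node Name="Datacenter" Type="Container">
    <Node Name="web01" Type="Connection" Username="root" Password="CONSTRUCTED-BLOB"
          Hostname="192.0.2.10" Protocol="SSH2" Port="22" />
    <Node Name="app01" Type="Connection" Username="deploy" Password="CONSTRUCTED-BLOB"
          Hostname="192.0.2.11" Protocol="SSH2" Port="22" />
    <Node Name="Legacy" Type="Container">
      <Node Name="old01" Type="Connection" Username="root" Password=""
            Hostname="192.0.2.12" Protocol="SSH1" Port="2222" />
    </Node>
  </Node>
  <Node Name="dc01" Type="Connection" Username="root" Password="CONSTRUCTED-BLOB"
        Hostname="192.0.2.20" Protocol="RDP" Port="3389" />
</Connections>
"""


def default_confcons_path(env=None):
    """Build the confCons.xml path quoted in the post from %UserProfile%."""
    env = os.environ if env is None else env
    profile = env.get("USERPROFILE")
    if not profile:
        return None  # not a Windows profile environment
    return ntpath.join(profile, "Local Settings", "Application Data",
                       "Felix_Deimel", "mRemote", "confCons.xml")


def find_root_ssh(xml_text):
    """List saved connections that use SSH with the root account."""
    root = ET.fromstring(xml_text)  # raises ET.ParseError on malformed XML
    findings = []
    for node in root.iter("Node"):  # nested containers, in document order
        if node.get("Type") != "Connection":
            continue
        user = (node.get("Username") or "").strip()
        proto = node.get("Protocol") or ""
        if user != "root" or not proto.upper().startswith("SSH"):
            continue
        findings.append({
            "name": node.get("Name"),
            "hostname": node.get("Hostname"),
            "port": node.get("Port"),
            "protocol": proto,
            # Report only whether a password is stored, never its value.
            "has_saved_password": bool(node.get("Password")),
        })
    return findings


def audit_file(path):
    """Run the audit against a confCons.xml file on disk."""
    with open(path, "r", encoding="utf-8") as handle:
        return find_root_ssh(handle.read())


if __name__ == "__main__":
    for entry in find_root_ssh(SAMPLE_CONFCONS):
        print(entry)
```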
 

The dropper then spawns another thread, which drops a bash script to %Temp%\~pr1.tmp then uploads and executes this temporary file as /tmp/cups on the remote Linux computer with the connection information parsed from mRemote’s configuration file.
 

Figure 4. Remote command execution
 

The bash script is a wiper designed to work with any Linux distribution, with specific commands for SunOS, AIX, and HP-UX distributions. It wipes out the /kernel, /usr, /etc, and /home directories.

Symantec is continuing to investigate this attack and will provide further updates as they become available.


Beware the Fashion for Black: Facebook Black Scam Continues to Spread


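If you use Facebook, you may have noticed around March 19 an increase in posts from friends about an app called Facebook Black.

Figure 1. Facebook photo plug-in “Faecbook Black” (note the typo)

As in previous scams, a link to an external website is planted in a photo in which the user is tagged. In this example, the link is in the comments rather than in the description field (Figure 1).

Figure 2. An iframe redirects the user to the landing page, but this page is displayed for a moment

Clicking the link to Facebook redirects the user to a Facebook page. That page contains an iframe (Figure 2), and after several redirects the user ends up on a page urging them to install Facebook Black.

Examples of sites that Symantec has observed leading to the Facebook Black landing page are listed below.

  • photocurious.com
  • phototart.com

Figure 3. Facebook Black page

Next, the user is enticed to install a Google Chrome extension (Figure 4).

Figure 4. Fake Chrome extension for Facebook Black

The extension is used to download two JavaScript files hosted on Amazon's Simple Storage Service (Amazon S3) (Figure 5).

Figure 5. The extension downloads more files

These JavaScript files are used to keep spreading the scam through the victim's account. To do so, they create a new Facebook page on the victim's account. This page contains an iframe to a page that redirects users to the Facebook Black landing page (Figures 6 and 7).

Figure 6. A new page is added to the user account

Figure 7. The newly created Facebook page contains an iframe redirect ([Welcome] tab)

Ultimately, users who install this Facebook extension are shown a series of survey scams (Figure 8), which is how the scammers try to profit.

Figure 8. Survey scam displayed after the extension is installed

Symantec customers are protected from this attack by the Web Attack: Fake Facebook Application 3 IPS signature. The fake Chrome extension is detected as Trojan Horse.

Google has already removed several of the Chrome extensions and says it will further improve its automated detection of malicious extensions. Users who have fallen for this scam should uninstall the Chrome extension and delete the Facebook page that was created.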

 

 


Endpoint Management Future is Secure


Good news from Symantec CEO Steve Bennett has arrived in the form of a Customer and Partner letter.

The important bit for us is that Endpoint Management is explicitly listed as being a critical part of the Symantec portfolio moving forward. This is something which was not clear in the previous company strategy announcement.

He closes by saying,

"Despite any rumors to the contrary, all of these technologies remain a critical part of our product development and overall portfolio. We believe that through greater alignment of these technologies, Symantec will improve our product integration to help you improve and simplify your end users’ IT experiences"

I'm blogging this out as I know there are many Altiris Administrators out there who will let out a huge sigh of relief on this one.

Kind Regards,
Ian./

 

Protecting Reputation, Business and Customers in Today’s Extended Vendor Ecosystem


By Cheryl Tang, Senior Product Marketing Manager, Symantec Corp.

In today’s global economy, it’s no secret that many organizations rely on third parties for critical business activities. While outsourcing isn’t a new concept, the rise of readily available cloud-based and everything-as-a-service solutions is rapidly increasing an organization’s liability and risk landscape – often with limited IT oversight.

Unfortunately many enterprises relying on third-party vendors often assume that these third parties properly protect their sensitive employee, customer and business data. Sadly, this is not always the case. Consider these data points:

  • Only 24 percent of respondents require third-party suppliers or partners to comply with baseline security procedures.[1]
  • Although 84 percent of senior IT decision makers [were] concerned or very concerned about the risks associated with IT security breaches, 55 percent of CIOs have not tested cloud vendors’ security systems and procedures.[2]

These numbers are shocking when you think about the potential risks that third parties can introduce to an organization’s reputation, business and customers. High profile third-party data breaches have impacted a larger number of major brands beyond the initial breach. According to the Ponemon Institute’s Cost of a Data Breach study, 41 percent of organizations had a data breach caused by a third party. And data breaches caused by third parties increased cost by $26 per compromised record.

With so much at stake how do you ensure that your data is appropriately protected? According to research from the IT Policy Compliance Group, the best performing companies go beyond the contracts to actively manage and hold vendors accountable to requirements. These companies routinely collect information including online surveys and log data on a monthly basis. In addition, the majority of best performing companies automate the process of gathering and assessing vendor information. This automation facilitates a larger number of more frequent assessment requests.

Without ongoing visibility and management of vendor risk, there is no way of telling if your enterprise’s information is adequately protected. Organizations need to consider vendor risk management solutions that can provide the continuous vendor oversight required to protect sensitive data and reduce overall business risk. They allow CISOs to gain visibility into their vendor risk, automate vendor risk assessments and deliver up-to-date information in a timely manner.

The most important message to take away from this post is to not leave your third-party security to chance. In addition to monitoring how third parties are managing data, it is important for organizations to have the right risk management solutions working for them that monitor and protect information that is internal as well as external to the organization. It only takes a few simple steps to protect your organization’s business assets and reputation. It is time to take the reins. Learn more about how to manage third-party security at Symantec Control Compliance Suite’s home page.

[1]Third Party Risk Management, PwC, April 2012

 

Turning BYOD to your advantage?


Consumerisation of information technology is forcing IT to take a new look at security. And, if you run a small to mid-sized company, with limited resources, it’s adding pressure. With social media and BYOD (Bring Your Own Device) changing the whole working landscape, how do you protect yourself against the ever growing number of security threats – data breaches through the network, data leakage by employees, malware attacks and lost hardware?

Not long ago, no doubt, everything would have seemed that much more clear-cut to you, with the boundaries between people’s personal and work lives quite distinct. Now, that has all been turned on its head. Those boundaries have been torn down – with the estimated 22.5% of the time that we now spend online (according to social media watchdog Nielsen in ‘State of the Media: The Social Media Report’), putting enormous pressure on security.

You’ve probably all heard the hype that surrounds mobile devices and the ‘bring your own’ culture. In fact, most of you will already have dealt, or be dealing, with such challenges right now.


Much of that hype is depressingly negative, sadly, often with dire predictions of how organisations are going to be ever more dangerously exposed to the outside world of data muggers – lurking in the shadows and ready to pounce as soon as anyone dares to plug their smartphone or other treasured gadget into the corporate network.

As a result, the language often used about BYOD is both highly emotive and scary. Some businesses have reacted by banning such devices altogether. Others accept that it is inevitable and have opened their doors to it, seeking to turn it to their advantage.

The former of these camps – the naysayers – could be storing up big trouble for themselves, because BYOD is here to stay and will perhaps become more widely embraced, until it’s as pervasive a force within any organisation as the PC itself.

Why do they say no to BYOD? The perceived disruption and inconvenience have a lot to do with it. As does fear. At its worst, in their eyes BYOD has an element of the wild west about it. You bring in your devices and all hell breaks loose. They see it as something that will spiral out of control and compromise network security, no matter how many marshals they swear in to keep the peace.

And their fears are not without justification, as some companies are clearly better at curtailing the worst excesses of BYOD than others. Some countries, too. One report released by Imation Mobile Security recently says half of the German respondents to a survey claimed they always followed company rules around BYOD, as opposed to only 36% of those polled from the UK. In fact, 18% of UK-based respondents admitted to ignoring the guidelines, even though they were aware of them. I wonder how many people reading this are surprised/unsurprised by those statistics?

However, the finger of blame doesn’t point only at the workforce. The Imation Mobile Security study suggests that, for most UK businesses, security checks have not been made mandatory and 92% of IT managers do not require employees to regularly change passwords on their devices used for work. Not the best way to handle BYOD, you might think.

The reality is that businesses really do need to evaluate whether BYOD is the right approach for their organisations, and implement company-wide BYOD policies and procedures to minimise potential security risks, if they choose to do so. One of the big concerns is that confidential, work-related information increasingly passes from work computer to personal device. So, yes, while it’s certainly a trend that can enhance the productivity of employees, it needs to be carefully managed as well. As soon as a device connects to a business's system, it should be subject to the same security safeguards as company equipment. A fully integrated BYOD scheme and policy is vital.

For more information on website security, download the Symantec website security threat report.

Indian Websites Pursued by Phishers


Contributor: Ayub Khan

Symantec has been constantly monitoring phishing sites hosted on compromised Indian websites. In 2011, our study detailed these compromised sites and we did a similar study of phishing sites in 2012.

From August 2012 to November 2012, 0.11% of all phishing sites were hosted on compromised Indian websites. Phishers continue to target Indian sites across many disciplines to host their phishing sites. These Indian sites were classified in various categories. The most targeted sites were information technology (14.40%), education (11.90%), product sales and services (9.80%), industrial and manufacturing (7.30%), and tourism, travels and transport (5.80%). The figures for secure websites such as government, telecommunication, and ISP were low and at the bottom of the list. This offers evidence that phishers opt to target more vulnerable websites.
 


Figure 1. Indian website categories compromised by phishers
 

It is interesting to note that education was at the top of the most targeted websites in 2011, but fell to second place in 2012. Nonetheless, the education category, which includes schools and colleges across India, continues to be a phisher favorite. The states in India where the education category was most prevalent were Rajasthan, Andhra Pradesh, Delhi, Maharashtra, and Punjab. The top cities were Jaipur, Hyderabad, Delhi, Chandigarh, and Bangalore.

Internet users are advised to follow best practices to avoid phishing attacks:

  • Do not click on suspicious links in email messages
  • Do not provide any personal information when answering an email
  • Do not enter personal information in a pop-up page or screen
  • Ensure the website is encrypted with an SSL certificate by looking for the padlock, ‘https’, or the green address bar when entering personal or financial information
  • Update your security software (such as Norton Internet Security 2012) frequently, which protects you from online phishing