Banking, education, services, insurance, retail in addition to other industries in Lebanon are using Backup Exec 2012 to protect their data and consequently their business. It is widely used to backup databases, mailbox stores, files, virtual images, active directory and others platforms. It can be used to protect servers, personal computers and laptops.  Backup Exec 2012 offers an easy to use, user friendly interface with a step by step wizard to configure multiple options.  

Initially when I installed Backup Exec 2012, I was really disappointed to find out that some configurations did not work the same way that they did in 2010.  There were major changes to the interface and menus as well as the backup scheme switched from multiple selections/servers in one job to resource centric backup jobs.

On the other side, I was extremely happy to see simplified wizards to configure full and incremental jobs by using the easy add stage while configuring backup jobs. The simplified configuration settings added give you the option to duplicate to another destination in a very easy way, much easier than configuring policies in 2010.

The performance is definitely not a question here. Backup Exec 2012 is able to maintain top performance and speed for backup across different versions of their product.

So going back to the resource centric thing that is annoying some administrators, I have done multiple implementations for Backup Exec 2012 and I have a good number of satisfied customers. Many of them mentioned that they prefer to backup server by server as this will help them apply the data retention period individually and more specifically to each environment they backup instead of applying the same retention for all servers. This will definitely help in reducing storage and space over time.

In any case, the option for bundling multiple servers will return in the next update. Consequently, you will have the option to either use it or to keep utilizing the resource centric configuration methods.

I know, I thought the same thing you’re probably thinking. Why should I create an account on yet another social channel? And why should I use more of my precious time figuring it out? Aren’t Facebook, Twitter, LinkedIn, YouTube and [insert the name of any other of the innumerable social sites here] enough?  Well, maybe not.

Google+ is another social channel, but has features that others don’t that can help you connect with customers, peers and industry leaders. For example, you can create a circle of contacts and communicate directly with those circles, unless you make your posts ‘public’. Contact segmentation at its finest. If you’re wondering about the ‘circle’ equivalent on other social channels, think ‘follower/following’.

Your sister (who you’ve put in your ‘Family’ circle) may not care about the latest virtualization certification you’ve earned, but those in your ‘Virtualization Jedi’ circle will! Your dear sis won’t receive that update because you haven’t shared it with your Family circle. Eureka! Finally you can hone your social sharing to your true audience.

Here’s a shot of some of the circles I use:

You could create a circle for your company’s area of focus so you can stay on top of the latest news.

Hangouts. This is one of my favorites! These are video chats and there are two types. One is private and can have up to 10 participants (including yourself). The other is called ‘Hangouts on Air’. There isn’t a limit on the number that can watch, but they won’t all be on camera. You can select a panel of people on camera, have a discussion and broadcast it. This also has a chat function where the audience can interact. The best feature is that you record them as YouTube videos and use for marketing material that can be promoted across your other vehicles. Think customer success stories or product feature discussions.

Below is a sample of what you see when you do a hangout.

My colleague Matt Stephenson (@PackMatt73 on Twitter, or Matthew Stephenson on G+ - pictured above) shared this great source for hangout tips. Check it out if you want to learn more: https://plus.google.com/+FraserCain/posts/PaeeynDx34L

Actually reach your followers. Those that choose to circle you will receive all of the updates you choose to share with them. That’s not the case with Facebook.

Connect with those who share your interests, even if you don’t know them. Those 200 friends on Facebook may not share your passion for trending IT developments, but you can find and ‘circle’ 200 people on Google+ who do. Just go to ‘Explore’ on the left nav and search for your interests. From there, knowledge is easily shared and great conversations can happen.

I’ve barely scratched the surface with all the great info on Google+. If you want to learn more, just Google it for more resources than you can imagine. After all, that’s another benefit of this channel – it’s fed by Google, the master of all data!

What now? If you don’t have a Google+ account, get started. Once you’re all set up, circle Symantec, then join us for our first hangout on January 16 at 9am PT/12pm ET – titled, “Cut the FUD…Debunking the common misconceptions about Backup Exec 2012”. Check back here for the link on the 16th and you can watch and submit your questions. See you then!

A real crisis is happening now and if we really want to reduce losses for our organization then we will need to adjust our focus.  We don’t have to wait for any pandemic or catastrophe to strike; organizations are experiencing losses that range between $35 billion and $500 billion per month.  If these losses are the result of best practices that are intended to protect our organizations from crisis, then some might even consider these regulations and best practices to be gravely dysfunctional.   

Compliance with federal, state, and international privacy and security laws and regulations often is more an interpretive art than an empirical science—and it is frequently a matter for negotiation.  When business metrics are applied to compliance, many companies decide to deploy as little technology or process as possible—or to ignore the governing laws and regulations completely. Every company weighs the cost of protecting personal data with the cost of what it would take to notify customers if a breach occurred.

It is not rational to promote best practices and guidelines that do not meet the real needs of today’s technologically-rich organization.

Are Ineffective controls the result of:       

• Too Many or Confusing Regulations?
• Dysfunctional Best Practices, Guidelines and Processes?
• Inferior Internal Controls?
• Mediocre, Ineffective and Inadequately trained Audit Oversight?
• IT Complexity?
• Lack of Risk Awareness?
• Focus on the wrong Risks?
• Probability Neglect?
• Heuristic Bias?
• Subjective and Intuitive Judgment Error?
• Combination of all of the above

Regulatory Landscape:

• There is a plethora of regulatory compliance rules that companies must be aware of and mitigate the risk of non-compliance is exhausting. The regulatory landscape is full of compliance land mines for the unaware organization. From Sarbanes-Oxley, HIPAA, Basel II, Graham-Leach-Bliley, SEC Rules 6835 & 17-a, TREAD Act, FCC-LSOG, USA Patriot Act, California Security Breach Notice Law and the list may as well go on ad infinitum.  There are services that organizations now subscribe to just to keep up with all the regs.
• In addition, there are a large group of guidelines and best practices that are intended to protect our organizations from crisis i.e. BCM Institute, British Standard BS25999, ISO 22301, HB 221:2004, HB 292:2006, NFPA 1600:2007, MS 1970:2007, ISACA, CObIT, ASIS, ITIL. 

State of the Technology:

• The Ponemon Institute estimates that worldwide organizational are losing over $35 Billion monthly from data center downtime. 
• Meta Group estimates that businesses lose an average of $1 million in revenue for every hour of downtime.  
• Nicholas G. Carr point out in his seminal Harvard Business Review article IT Doesn’t Matter, “today, an IT disruption can paralyze a company’s ability to make products, deliver its services, and connect with its customers, not to mention foul its reputation … even a brief disruption in availability of technology can be devastating.”
• Roger Sessions also attempts to quantify the problem in his The IT Complexity Crisis: Danger and Opportunity, in which he calculates that IT failures are costing businesses $6.18 trillion per year worldwide. The cost of IT failure is paid year after year, with no end in sight. If this trend continues, within another five years or so a total IT meltdown may be unavoidable.

BCM must begin to apply the principals of ‘Prospect Theory’ and loss aversion to promote better decisions regarding operational resiliency, high availability and disaster recovery.

In the interest of transparency, incomplete information was posted on this page on Friday, January 3, 2013. As of that date, Symantec was made aware of claims about arbitrary code vulnerabilities affecting its PGP Whole Disk Encryption product. Symantec’s policy is to investigate these claims thoroughly before providing information. Investigation of these claims is underway, and we will post additional accurate information as soon as we are able.

今月のマイクロソフトパッチリリースブログをお届けします。 今月は、12 件の脆弱性を対象として 7 つのセキュリティ情報がリリースされています。 このうち 3 件が「緊急」レベルです。

いつものことですが、ベストプラクティスとして以下のセキュリティ対策を講じることを推奨します。

• ベンダーのパッチが公開されたら、できるだけ速やかにインストールする。
• ソフトウェアはすべて、必要な機能を使える最小限の権限で実行する。
• 未知の、または疑わしいソースからのファイルは扱わない。
• 整合性が未知の、または疑わしいサイトには絶対にアクセスしない。
• 特定のアクセスが必要な場合を除いて、ネットワークの周辺部では重要なシステムへの外部からのアクセスを遮断する。

マイクロソフトの 1 月のリリースに関する概要は、次のページで公開されています。
http://technet.microsoft.com/ja-jp/security/bulletin/ms13-Jan

今月のパッチで対処されている問題の一部について、詳しい情報を以下に示します。

1. MS13-001 Windows 印刷スプーラコンポーネントの脆弱性により、リモートでコードが実行される

   Windows 印刷スプーラコンポーネントの脆弱性（CVE-2013-0011）MS の深刻度: 緊急

   Microsoft Windows が、クライアントの要求に対する印刷スプーラの不正な形式の応答を処理する方法に、リモートコード実行の脆弱性が存在します。この脆弱性によってメモリが破損し、攻撃者が任意のコードを実行できる場合があります。

2. MS13-002 Microsoft XML コアサービスの脆弱性により、リモートでコードが実行される

   MSXML 整数の切り捨ての脆弱性（CVE-2013-0006）MS の深刻度: 緊急

   Microsoft Windows が XML コンテンツを解析する方法に、リモートコード実行の脆弱性が存在します。この脆弱性によってメモリが破損し、攻撃者がログオンユーザーのコンテキストで任意のコードを実行できる場合があります。

   MSXML XSLT の脆弱性（CVE-2013-0007）MS の深刻度: 緊急

   Microsoft Windows が XML コンテンツを解析する方法に、リモートコード実行の脆弱性が存在します。この脆弱性によってメモリが破損し、攻撃者がログオンユーザーのコンテキストで任意のコードを実行できる場合があります。

3. MS13-003 System Center Operations Manager の脆弱性により、特権が昇格される

   System Center Operations Manager Web コンソールの XSS の脆弱性（CVE-2013-0009）MS の深刻度: 重要

   クロスサイトスクリプティング（XSS）の脆弱性が System Center Operations Manager に存在するため、サーバーになりすまして特別に細工されたスクリプトコードが実行される可能性があります。これは非持続的なクロスサイトスクリプティングの脆弱性であり、攻撃者がこれを利用して、標的とするユーザーのコンテキストで System Center Operations Manager サーバーにコマンドを発行する可能性があります。

   System Center Operations Manager Web コンソールの XSS の脆弱性（CVE-2013-0010）MS の深刻度: 重要

   クロスサイトスクリプティング（XSS）の脆弱性が System Center Operations Manager に存在するため、サーバーになりすまして特別に細工されたスクリプトコードが実行される可能性があります。これは非持続的なクロスサイトスクリプティングの脆弱性であり、攻撃者がこれを利用して、標的とするユーザーのコンテキストで System Center Operations Manager サーバーにコマンドを発行する可能性があります。

4. MS13-004 .NET Framework の脆弱性により、特権が昇格される

   System Drawing の情報漏えいの脆弱性（CVE-2013-0001）MS の深刻度: 警告

   .NET Framework の Windows Forms が非管理対象のメモリの場所を示すポインタを処理する方法に、情報漏えいの脆弱性が存在します。

   WinForms のバッファオーバーフローの脆弱性（CVE-2013-0002）MS の深刻度: 重要

   .NET Framework の Windows Forms がメモリ内のオブジェクトを配列にコピーする前に、そのオブジェクトの数を検証する方法に、特権昇格の脆弱性が存在します。

   S.DS.P のバッファオーバーフローの脆弱性（CVE-2013-0003）MS の深刻度: 重要

   .NET Framework の System.DirectoryServices.Protocols（S.DS.P）がメモリ内のオブジェクトを配列にコピーする前に、そのオブジェクトのサイズを検証する方法に、特権昇格の脆弱性が存在します。

   ダブルコンストラクションの脆弱性（CVE-2013-0004）MS の深刻度: 重要

   .NET Framework がメモリ内の特定のオブジェクトの権限を検証する方法に、特権昇格の脆弱性が存在します。攻撃者がこの脆弱性の悪用に成功すると、影響を受けるシステムを完全に制御できる恐れがあります。

5. MS13-005 Windows カーネルモードドライバの脆弱性により、特権が昇格される

   Win32k の不適切なメッセージ処理の脆弱性（CVE-2013-0008）MS の深刻度: 重要

   Windows カーネルがウィンドウブロードキャストメッセージを正しく処理しない場合に、特権昇格の脆弱性が存在します。

6. MS13-006 Microsoft Windows の脆弱性により、セキュリティ機能が回避される

   Microsoft SSL Version 3 および TLS プロトコルのセキュリティ機能回避の脆弱性（CVE-2013-0013）MS の深刻度: 重要

   Microsoft Windows の SSL/TLS（Secure Socket Layer および Transport Layer Security）が SSL Version 3（SSLv3）および TLS プロトコルを処理する方法に、セキュリティ機能回避の脆弱性が存在します。この脆弱性により、攻撃者が特別に細工されたコンテンツを SSL/TLS セッションに挿入した場合、セキュリティ機能を回避できる可能性があります。

7. MS13-007 Open Data プロトコルの脆弱性により、サービス拒否が起こる

   置換サービス拒否の脆弱性（CVE-2013-0005）MS の深刻度: 重要

   OData の仕様にサービス拒否の脆弱性が存在するため、サービス拒否が起こる可能性があります。この脆弱性により、サーバーやサービスが応答を停止し、再起動する可能性があります。

今月対処されている脆弱性についての詳しい情報は、シマンテックが無償で公開している SecurityFocusポータルでご覧いただくことができ、製品をご利用のお客様は DeepSight Threat Management System を通じても情報を入手できます。

* 日本語版セキュリティレスポンスブログの RSS フィードを購読するには、http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/jaにアクセスしてください。

寄稿: Jeet Morparia

出会い系サイトは大きな市場です。2012 年、アメリカでは 4,000 万人が出会い系サイトを訪問または利用しました。ある統計では、出会い系サイト業界は 10 億ドル規模になっています。別のデータによれば、全世界で 30 億ドル規模にも上ります。事実、出会い系サイトは実入りの良いビジネスなので、サイバー犯罪者の関心を引いたとしても不思議ではありません。
 

図 1. Downloader.Ponik スパム活動の分布図
 

シマンテックが最近確認した悪質なスパム活動の中にも、出会い系サイトで誘い込むタイプのものがあります。対象範囲が広く、世界中のユーザーを標的にしていますが、特に狙われているのは米国、英国、そしてオーストラリアのユーザーです。
 

図 2. Downloader.Ponik 出会い系スパムメールのサンプル
 

このスパムで使われる電子メールには、「Kat」と名乗る人物からのメッセージが記載されています。次のように、メッセージの件名にはいろいろなバリエーションがあります。

• It's a pleasure to meet you here（ここで会えるなんてうれしいね）
• Write me again, ok? I really need your advice（またメールをくださいね。あなたのアドバイスが必要です）
• How are you today? What are you doing now?（元気? 今何しているの?）
• You dont know me, so Im here to fix it!（私のことは知らないでしょう。だから、知ってもらうためにメールを送りました）
• Hey how are you?（元気?）
• Hello there!（こんにちは!）
• Im glad to see you!（お会いできてうれしいです）
• Hola!（こんにちは!）
• How do you do?（はじめまして）

メッセージの本文は、どのメールでも同じです。

Hello from Kat. I got some information about you from a=dating site. I found out that you are looking for a woman for LTR. I’m expec= to find a perfect match. Also I wish to exchange photos with you and may=e try to know you better. I will be waiting for your reply with impatience.
（こんにちは、Kat です。ある出会い系サイトであなたのことを知りました。長く付き合える女性を探しているんですね。私も完璧な相手が見つかるんじゃないかと期待しています。写真を交換して、もっとあなたのことを知りたいなと思います。返事をいただけるのをずっと待っています。）

ここで目を引くのは、標的に関する情報を出会い系サイトで入手したと書かれていることです。

どのメッセージにも、photo.zip というファイルが添付されており、脅威（Downloader.Ponikとして検出）が含まれています。Downloader.Ponik は、いくつかの脅威を一緒に運んでくることが判明していますが、今回の場合は次のマルウェアをダウンロードします。

• Trojan.Zbot
• Trojan.Zeroaccess.C
• W32.Sality

いつものように、不明な送信者から送られてきた電子メールの添付ファイルを開く際には注意してください。皆さんにとって、長く付き合いたいとはとても思えない相手と言ってよいでしょう。

* 日本語版セキュリティレスポンスブログの RSS フィードを購読するには、http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/jaにアクセスしてください。

Yes, it’s that time of the year again, when industry analysts and commentators make their predictions about IT in general, and security in particular. We can expect all the usual – the main industry trends such as cloud and mobile will of course be in the bag, as well as potential recurrences of major security breaches – user data leaks from online sites, defacement or denial of service attacks on high-profile web sites and so on.
 


While it’s the same every year, this period is also a good moment to reflect on the security landscape and how well prepared we are for the year to come. While all of the above are symptoms, security breaches tend to be caused by people so a good starting point is to get into the heads of the perpetrators – the mad, bad and sad individuals that cause our organisations so much grief.
 


So, why do security breaches continue to happen? The first, well-documented reason is that there is financial gain to be had (as illustrated by the criminal who, when asked, “Why do you rob banks?” simply responded, “Because that’s where the money is!”). The black market for personal information or intellectual property is thriving, and organisations continue to be held to ransom by hackers.
 


The second reason – which has re-emerged over the past few years – is to attack sites simply to make a point. While participants in ‘hacktivist’ groups such as Anonymous may be painted as ‘martyrs to the cause’ it is difficult to ignore the likely buzz of impressing peers that goes with such high-profile attacks.
 


The third main reason is simple ‘having a go’, through malice or stupidity. Insider threats fall into this category, from IT support staff finding a back door into the HR database, for example, or bank clerks checking an ex-partner’s financial records, or sending inappropriate content to other employees, or examples of fraud or misappropriation of identity by ex-employees. Equally, people can take simply idiotic actions, such as running poorly designed scripts with admin privileges, or indeed, leaving computer systems wide open to external attack.
 


It – IT – was ever thus. So while we talk about the threat landscape becoming more complex (which it is) and the nature of breaches finding unexpected ways through our protective measures, the one certainty we have is that people will continue to act in similar ways to how they have always acted. You can expect Murphy’s Law to apply, in that the one area of security that you have inadvertently ignored will be the one that the bad guys use to get in.
 


So, organisations should continue to be vigilant, spare some time to think about what might go wrong and ensure they have suitable contingency plans in place, for both the services and data they rely on.

Please also take a look at my video where I talk about my predictions for the year ahead. I look forward to your comments.

Why is server security different from other endpoint security? If you’re considering a solution to protect one or all of the endpoints in your environment, it's important to understand the security requirements for laptops and desktops, how they differ from servers, and why servers have greater needs for security and compliance. 

Symantec partnered with eWeek to create Security Differentiators for Servers, Laptops: 10 Best Practices. Read about the best practices here: http://www.eweek.com/security/slideshows/security-differentiators-for-servers-laptops-10-best-practices/

Thanks for reading!

-Neelum

The use of zero-day exploits in attacks has not been too far from the headlines of late. Today, Kafeine from Malware don't need Coffee has released a blog detailing yet another Java zero-day active in the wild and distributed through the Cool Exploit pack. The good news however—for Symantec customers who use our intrusion prevention signature (IPS) technology—is that Symantec proactively blocked the JAR file containing the exploit from the Cool Exploit Kit with IPS signature Web Attack: Malicious JAR File Download 11. Symantec telemetry also shows the Cool Exploit Kit beginning to serve the exploit as of January 9, and it being proactively caught by our products. There are also new reports of other Exploit kits containing this exploit that Symantec is actively investigating.
 

Figure 1. Cool Exploit Kit attack serving new Java zero-day
 

The use of a zero-day in the Cool Exploit Kit does not come as much of a surprise. There has been a lot of coverage of late in relation to the Cool Exploit Kit author (supposedly the same author as the Blackhole exploit kit) having a large budget for buying up new zero-days. If this is the case, this may be the first zero-day in a string of zero-days to come from the Cool Exploit Kit.

While an advisory from Oracle has not been released yet, in tests Symantec confirmed that the zero-day was successful in exploiting the latest version of Java (1.7.0_10) available from their website.

Symantec has the following IPS signatures in place that specifically protect against the Cool Exploit Kit:

• Web Attack: Cool Exploit Kit Website
• Web Attack: Cool Exploit Kit PDF Download

Symantec detects the JAR file that contains the exploit as Trojan.Maljava and our analysis is ongoing.

There is a rise in zero-days being seen in the wild recently. To aid in protection against zero-day attacks, Symantec recommends that you employ the latest Symantec technologies.

Almost every enterprise IT environment is running a virtual machine, and in recent years, small and medium-sized businesses (SMBs) have shown a strong interest in virtualization.  They read about it and see other businesses enjoying the benefits, but are unsure exactly how it works and how to successfully adopt it within their own organizations. The 2012 Symantec Disaster Preparedness Survey revealed that SMB are beginning to understand and implement virtualization technologies but still have a long way to go.

Join Symantec’s SMB and virtualization experts, as well as Anita Campbell of Small Business Trends on Thursday, January 17 at 1:00 p.m. PT / 4:00 p.m. ET to chat about what SMBs need to know about going virtual with their technology.

SMBs need to understand virtualization—the advantages, how to develop a strategy, and how to secure virtual environments and protect their data.  Our SMB and virtualization experts will cover the following:

• Benefits of going  virtual with your technology
• Challenges of adopting virtual solutions
• Steps SMBs should take to secure their virtual environments
• Data backup in a virtual environment
• Virtualization best practices

Mark your calendars:

Title:  Going Virtual with Your Technology—What SMBs Need to Know

Date: Thursday, January 17, 2013

Time: Starts at 1:00 p.m. PT / 4:00 p.m. ET

Length: 1 hour

Expert participants:

• Dan Nadir, senior director of Product Management, SMB and Symantec.Cloud, Symantec – @SymantecSMB
• Elias AbuGhazaleh, director of Engineering, Backup Exec, IMG, Symantec - @BE_Elias
• Anita Campbell, Small Business Trends – @Smallbiztrends

Where:  On Twitter.com.  Follow the hashtag #SMBchat

Passwords must die.

At least, that was a theme of the Gartner Identity and Access Management Conference I recently attended. And you don’t have to be a security expert to see that our traditional system of “think of something you can easily remember” passwords is broken. Between guessing them, brute force attacks, keyloggers, socially engineered cons, and just breaking in and outright stealing them from a database as in a recent attack on Yahoo, users are in a difficult situation

For one thing, too many of us aren’t using strong passwords to begin with. This year’s breach of millions of Yahoo! Voice user passwords demonstrated our unwillingness to remember long, challenging combinations of numbers, letters and symbols –“password” was the most common password among those stolen. Another problem is that our passwords are only as effective as the security of the organization storing them. It does us no good to have the longest, most cryptic password possible if someone simply breaks in and steals it from our email provider. 2012 was littered with data breaches disclosures of stolen passwords and password hashes from major sites, including LinkedIn, Zappos, eHarmony and Last.fm to name a few.

Given all the password problems we’ve seen lately, it’s time to rethink the situation. Passwords are clearly limited. So what’s the alternative to traditional passwords?

The good news is that technology is catching up to the password problem. A variety of solutions are available from Symantec and others that take advantage of strong authentication technology to keep user accounts and information secure. In fact, these have been around for years, since the days of the first security tokens that generate one-time passwords on a small, portable device. These keep risks lower even in the event that a hacker gains access to a machine, minimizing the opportunity to steal information. But now that we have nearly every employee in the enterprise accessing resources remotely, some organizations feel if everyone carried around a token, they would constantly be lost or stolen, and it would be too hard to manage.

One of today’s commonly used strong authentication alternatives is the use of knowledge-based systems. We’ve all seen this at work on websites such as our bank, where in addition to our password we are asked other security questions based on something you know. This is better than a password alone, but there are certainly shortcomings. With the large amount of personal data we are making public on social media profiles in particular, it’s often not too difficult to find the name of your pet. This limits the value of knowledge-based authentication. Just ask Mat Honan whose attackers were able to piece together information from daisy-chained accounts in order to successfully take over his digital life.

A new system employed by Symantec is risk-based authentication. The risk-based method analyzes user behavior to determine the proper amount of security to apply depending on the current situation. For example, it will analyze the user’s location and the device being used to attempt logging in. When it’s the user’s workstation in corporate headquarters, and they are accessing relatively unimportant information, this would be considered a “low-risk” situation and little or no additional security is required. But if the user is requesting access on an unknown device from an IP address in another country, or trying to access financials or intellectual property, that will send up red flags, depending on the parameters enabled in the system. The user can then be required to perform additional authentication measures, in addition to entering a password, in order to be granted access.

There are a few other promising methods of strong authentication on the horizon that are making their way into the real world. “Somewhat continuous” authentication not only looks at behavior while logging in, but during the session itself to make sure you remain the person in control, which is useful in cases of highly sensitive information in the world of espionage. And other biometric-based methods are in development to further ensure user identity.

Gartner probably had a point.  The days of exclusively using simple password protection may be numbered. We’ve seen enough examples to know that it’s not a matter of if a password-only protected account will be compromised, but when. We’re already seeing large consumer services go this route, with the Googles and Yahoos of the world allowing users to turn-on optional two factor authentication. That said, moving to a world where these alternative authentication systems are the norm won’t happen quickly, so don’t be surprised to see attackers entering networks with legitimate, albeit compromised, access credentials for the time being. Moving forward, businesses can’t afford to take any chances, and it’s time that we find the strong authentication system that will work best for us. Until then, most will continue relying on a security control that doesn’t work. Peace of mind will only begin where simple passwords end.

User Facing: Desktop

• Created a new tool that gives users the ability to generate a link to a filtered list page and share that link with their teams. The tool lets you generate links to download pages, for example, that are tagged with topic X and with topic Y. (You really have to try it to appreciate it.) We've added a link to the tool and some brief instructions to the Connect FAQ.
• Added the ability for users who receive email notifications to click a link in their notification email and unsubscribe to future notifications that are related to the target thread.
• Improved the language filter on blog listing pages so if the user changes the UI language, to Spanish for example, the list of blog posts will refresh to only show those posts in the Spanish language. Once the UI language is changed, if the user then wants to view the target blog's posts in another language, they can do so by using the blog language filter in the right sidebar. In this scenario, the user can have the UI set to Spanish while choosing to view blog posts in German.
• Improved code so pages that include the Facebook and Twitter share widgets will load for users behind firewalls that block access to Facebook and Twitter.
• Fixed an issue with custom a custom HTML version of a featured article not being visible on the Endpoint Management overview page.

Admin Facing

• Improved the code admins use to merge duplicate accounts to migrate existing Certification and Accreditation records from the source account to the target account during a merge.

ゼロデイ脆弱性を悪用した攻撃についてこのブログでご報告したのは、つい最近のことです。本日、ブログ「Malware don't need Coffee」の Kafeine 氏が投稿した記事によれば、現在さらに別の Java ゼロデイ攻撃が Cool 悪用ツールキットパックを通じて拡散され、活動中ということです。と言っても、シマンテック製品で侵入防止シグネチャ（IPS）の技術をお使いのお客様は心配ありません。Cool 悪用ツールキットによる脅威に利用される JAR ファイルは、IPS のシグネチャ Web Attack: Malicious JAR File Download 11によって感染前に遮断されます。シマンテックの遠隔測定では、Cool 悪用ツールキットが 1 月 9 日の時点でこの悪用を開始し、シマンテック製品によって未然に捕捉されていることも確認済みです。一方、シマンテックが鋭意調査中であるこの脅威が、他の悪用ツールキットでも使われているという報告も受けています。
 

図 1.新しい Java のゼロデイ脆弱性を利用する Cool 悪用ツールキット
 

Cool 悪用ツールキットでゼロデイ脆弱性が利用されていることは、まったく意外ではありません。Cool 悪用ツールキットの作成者（Blackhole 悪用ツールキットの作成者と同一と目されています）については、新しい脆弱性を買い占めるほど潤沢な資金を持っていることが、最近も頻繁に報じられています。だとすれば、Cool 悪用ツールキットによるゼロデイ攻撃は、今回を皮切りに今後も続く恐れがあります。

Oracle 社からのセキュリティ勧告はまだ発表されていませんが、今回のゼロデイ攻撃は、Oracle 社の Web サイトで公開されている最新版の Java（1.7.0_10）も悪用できることが、シマンテックのテストで確認されています。

シマンテックは、Cool 悪用ツールキットから保護するために以下の IPS シグネチャを提供しています。

• Web Attack: Cool Exploit Kit Website
• Web Attack: Cool Exploit Kit PDF Download

今回の脅威を含む JAR ファイルをシマンテックは Trojan.Maljavaとして検出しますが、解析は引き続き進行中です。

最近、ゼロデイ脆弱性を悪用する活動は増加傾向にあります。ゼロデイ攻撃に対する万全の備えとして、シマンテックの最新技術（英語）をお使いいただくことをお勧めします。

* 日本語版セキュリティレスポンスブログの RSS フィードを購読するには、http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/jaにアクセスしてください。

Risk assessment today must focus on the data – not devices, in  new ways due to consumerization, patient engagement and changes in the care delivery and IT delivery models.

David Finn, Symantec’s Healthcare IT Officer, sits down with Bernie Monegian, editor  of Healthcare IT News, at the HIMSS’ Privacy and Security Forum in Boston. 

http://www.healthcareitnews.com/video/david-finn-symantec-2012-privacy-and-security-forum

http://www.youtube.com/watch?v=9yQ6dYzI0xo

I have been trying in vain to create an image file that I can use on a range of Dell equipment (Latitude laptops, Precision and Optiplex Workstations), but to no avail.

When I used XP it was easy. Build the OS how you want it, create the sysprep.ini and in there provide the locale info and a path to all the drivers.

With Windows 7, I tried the same, but editing the unattend.xml. This has caused three issues for me:

1. The drivers are ignored. It always installs the Standard VGA Adpater driver, not the specific ones I provide.

2. The network type is ignored. It always asks me to select Work or Public etc.

3. The locale settings cannot be changed easily. I used to pull up the image, then use Ghost Explorer to delete the pubkey.crt to allow it work on another Ghost Server, then edit the locale settings in the sysprep.ini. Last time I tried that with the unattend.xml, I changed the local in the file in sysprep folder and C:\Windows\Panther and it said the file could not be parsed and the system would no longer boot.

I have been hacking at this for 6 months on and off and getting a bit fed up. There is no real help on this ANYWHERE, and I would appreciate some help on what I am doing wrong, or pointers to some info. Also, which unattend.xml is actually used? There is one in C:\sysprep and one in C:\Windows\Panther, but I don't get the difference.

Below are screenshots of my settings and the unattend.xml that was built

.

<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">

     <settings pass="offlineServicing">
      <component name="Microsoft-Windows-PnpCustomizationsNonWinPE" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
         <DriverPaths>
            <PathAndCredentials wcm:keyValue="1" wcm:action="add">
               <Credentials>
                  <Password>*******</Password>
                  <Username>administrator</Username>
               </Credentials>
               <Path>C:\Drivers</Path>
            </PathAndCredentials>
         </DriverPaths>
      </component>
   </settings>
    
   <settings pass="oobeSystem">
      <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
         <OOBE>
            <HideEULAPage>true</HideEULAPage>
                <NetworkLocation>Work</NetworkLocation>
                <ProtectYourPC>3</ProtectYourPC>
                <SkipMachineOOBE>true</SkipMachineOOBE>
                <SkipUserOOBE>true</SkipUserOOBE>
         </OOBE>
            <TaskbarLinks>
                <Link0>%windir%\system32\services.msc</Link0>
             </TaskbarLinks>
      <AutoLogon>
         <Password>
            <Value>genesys</Value>
            <PlainText>true</PlainText>
         </Password>
         <Username>Administrator</Username>
         <Enabled>true</Enabled>
      </AutoLogon>
     <UserAccounts>
         <AdministratorPassword>
            <Value>*****</Value>
            <PlainText>true</PlainText>
         </AdministratorPassword>
      </UserAccounts>
<!--
         <Display>
            <ColorDepth>32</ColorDepth>
            <DPI>120</DPI>
            <HorizontalResolution>1024</HorizontalResolution>
            <RefreshRate>60</RefreshRate>
            <VerticalResolution>768</VerticalResolution>
         </Display>
-->  
          <RegisteredOwner>*</RegisteredOwner>
            <RegisteredOrganization>*</RegisteredOrganization>
            <TimeZone>GMT Standard Time</TimeZone>

      </component>
        <component name="Microsoft-Windows-International-Core" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <InputLocale>en-GB</InputLocale>
            <SystemLocale>en-GB</SystemLocale>
            <UILanguage>en-GB</UILanguage>
            <UserLocale>en-GB</UserLocale>
        </component>
   </settings>
    <settings pass="specialize">
        <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
           <CopyProfile>true</CopyProfile>
           <ComputerName>*</ComputerName>
            
        </component>
        <component name="Microsoft-Windows-UnattendedJoin" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <Identification>
                <JoinWorkgroup>WORKGROUP</JoinWorkgroup>
            </Identification>
        </component>
        <component name="Microsoft-Windows-IE-InternetExplorer" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <DisableFirstRunWizard>true</DisableFirstRunWizard>
            <Home_Page>http://www.genesyslab.com/GU/evals/</Home_Page>
        </component>
    </settings>
    
    <settings pass="generalize">
        <component name="Microsoft-Windows-PnpSysprep" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <PersistAllDeviceInstalls>false</PersistAllDeviceInstalls>
        </component>
        <component name="Microsoft-Windows-Security-Licensing-SLC" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <SkipRearm>1</SkipRearm>
        </component>
    </settings>

  <cpi:offlineImage cpi:source="wim:c:/vista/x64/image.wim#Windows Vista ULTIMATE" xmlns:cpi="urn:schemas-microsoft-com:cpi"/>
 </unattend>

While Symantec’s corporate mission is cyber-security, its survival depends on broader measures of safety – including the long term welfare of its employees and customers. That’s a major reason why Symantec stands tall with 23 other major U.S. firms, including Nike, Starbucks and eBay, with (BICEP) Business for Innovative Climate & Energy Policy coalition* of companies supporting meaningful federal policy on climate and energy.

Yet with federal progress largely stalled on Capitol Hill, it is the states that have been leading the way on greening our energy and transportation systems. An historic example is California’s Low Carbon Fuel Standard (LCFS). Enacted in 2007, it’s a performance-based strategy to shift our fuel mix to low-carbon sources. It requires a modest ten percent reduction in carbon by 2020. And since it doesn’t mandate a specific technology or fuel, it drives innovation in the free-market, a boon to both the environment and the economy.

Oregon enacted its own fuel-standard law three years ago and other states are planning to follow.  The European Union and British Columbia have adopted similar legislation. Yet today these pioneering laws are under attack from the oil industry. The petroleum lobby claims the Clean Fuel Standard in Oregon is too costly, despite independent analysis showing that it’s not only affordable, but can be met with existing technologies, including natural gas, biofuels and electricity.

For Symantec and other forward-thinking firms that are paying attention to the US energy crisis, national security means reducing our dependence on oil and exposure to price volatility, protecting Americans from air and water pollution and avoiding the worst impacts climate change. It also means guarding America’s global economic leadership, at a time when clean-energy technologies have become a $260 billion market. Any one of these reasons alone would be sufficient to support innovative state policies such as the California and Oregon clean fuel standards.   Together, they make an airtight case.

Anne L. Kelly is Director of BICEP (Business for Innovative Climate & Energy Policy) at Ceres.

* BICEP members include Annie’s Inc, Anvil Knitwear, Aspen Skiing Company, Avon Products, Ben & Jerry’s, CA Technologies, Clif Bar, eBay, Eileen Fisher, Gap Inc, Jones Lang LaSalle, KB Home, Levi Strauss & Co., Limited Brands, New Belgium Brewing, Nike, The North Face, Outdoor Industry Association, Portland Trail Blazers, Seventh Generation, Starbucks, Stonyfield Farm, Symantec, and Timberland. 

A common issue that administrators face when managing the software update process involves situations in which:

• An application was originally installed with customized settings;
• The vendor releases an update to the application in the form of an installation that installs a completely new version of the application rather than just incrementally updating just those files that are affected by a security vulnerability or bug

In such cases, the update packages created by application vendors often are not sophisticated enough to preserve the customizations that were made when the application was originally installed.

For example, an adminstrator may roll out Adobe Reader 9.4.0 using the .MSI provided by the vendor together with an .MST transform file that customizes the application's settings (e.g. turning off the auto-update feature).  If the administrator later uses the Patch Management Solution to update computers to Adobe Reader 9.5.0 using the update package provided by the vendor, customizations to the application settings will be overwritten (e.g. the auto-update feature will be turned on after Adobe Reader 9.5.0 is installed).  This is because:

• Adobe packaged the update to Reader 9.5.0 as an MSI that installs a completely new version of the application rather than releasing an MSP patch that just makes incremental updates to the application; and
• The MSI for Reader 9.5.0 is not intelligent enough to preserve the configuration settings for previously installed versions of the software

In order to preserve such customizations of this nature, it may be necessary for administrators to do such things as creating a custom command line to install the update and adding additional files (e.g. a transform file) to the update package.  For more details on the above example, please see article TECH201229 in the Knowledgebase:  http://www.symantec.com/business/support/index?page=content&id=TECH201229

Please note that this KB article is only intended to serve as an example illustrating how one particular setting for one specific application can be preserved when distributing an update that installs a completely new version of an applciation.

The method for preserving customizations will differ from one application to the next and may depend on the particular customization that was made when originally installing the application.  It may be possible to preserve some customizations by simply making changes to the command line used to install an update without having to add additional files to the update package.  For example, some packages are constructed in such a way that it is possible to automate acceptance of the End User License Agreement via the command line used to install the application, so that the EULA does not get displayed the first time that an end user opens the application.

Because the customizations that each organization makes to application settings are likely to differ, it is not feasible for Symantec to provide an "out of the box" solution to situations of this nature.  In order to ensure that software updates do not overwrite customizations to application settings, administrators need to be cognizant of the customizations that were made when originally installing applications in their environment, understand how such customizations are made (e.g. via command line or transform file), and be aware of how the Patch Management Solution can be configured to ensure that such customizations are preserved when installing software updates.

This may seem like a lot of work, but this burden can be significantly reduced if those in this community will pool their efforts by sharing their knowledge and expertise with one another.  I strongly encourage each of you to use this group to share your experiences with respect to such things as:

• Specific updates that install a completely new version of an application and overwrite customizations to application settings; and
• The methods used to make changes to application settings that are commonly customized (e.g. turning off the auto-update feature or the display of the EULA)

Searching is something which I have covered in a few blog posts and articles before, but the other day when I was reading an article about how to find out which emails are taking up all your space in GMail, it suddenly struck me that the same sort of information would be useful to know about an Enterprise Vault mailbox archive.  In this post I’ll explain how to find out how big archives are, and how to find out the items taking up most space.

 

Launch Advanced Browser Search

Many people will be familiar with integrated search of Enterprise Vault from inside Outlook.  Some people may also know about Browser Search.  You can extend browser search by using Advanced Browser Search.  To do this amend the URL that you go to, as follows:

 

http://evserver/EnterpriseVault/Search.asp?Advanced=3

 

The ?Advanced=3 is the extension to the URL and will bring you a page for searching with many more options on it than normal

 

Search based on size

Part way down the search page you’ll see:

Enter the start value of the items that you want to locate.  The size is measured in Kb.

 

So in my example I’m searching for items which are bigger than 500 Kb.  You can enter any other search criteria you wish, such as searching in a particular folder, and then click on ‘Search’.

 

Review your results

The results will look something like this:

Note the size listed is the size of the item prior to archiving, and it’s in Kb.

 

When Android.Exprespam was discovered earlier this month, we quickly posted a blog warning users about the malware and discussing the details of the attack. Word spread quickly as the media, as well as the local authorities, pushed the news out to a wide audience. It seems like the scammers thought the news had reached enough people and that it was time they updated the malware and the fake market in order to start their attack afresh with new content that people are not familiar with.

The new fake market is called ANDROID EXPRESS’s PLAY (ANDROID EXPRESSのPLAY in Japanese). According to the site, it is maintained by Gcogle.

Figure 1.App page showing the name of the fake Google Play site

The domain name for the market was registered on January 7, which coincidently is the date when our blog was published. The signature of the malicious Android app is signed to be valid from January 9, 2013.

The scam, as in the past, starts off with spam emails that look like a newsletter advertising Android apps. An example email can be seen in Figure 2 below. It is worth noting that the content of the spam varies and could be updated at any time.

Figure 2. Example of a spam email

The new lineup of non-existing apps the scammers have prepared are listed in the table below.  They include some new interesting types of app such as a spam blocker, a TV viewer for phones that do not have a TV function, a database for recipes from famous chefs, and a battery discharger app.

Figure 3. Example app page from fake market

Ultimately, attempting to download any of the nine apps leads to the same malicious app called Android 専用端末アプ. Once the malicious app is executed, personal information, including the device’s phone number and the names and email addresses stored in Contacts, is uploaded to a remote location.

This group of scammers does not seem to want to go away any time soon, so we may have to continue to play this cat-and-mouse game with them for a while.  We are also aware of at least two more similar scams currently targeting Japanese Android users (Android.Enesoluty and Android.Ecobatry) although these have not updated their content on the fake market sites. 

To stay protected, please refrain from clicking on links in emails from unknown senders and do not download apps from untrusted vendors. Users who have Symantec’s security apps, such as Norton Mobile Security or Symantec Mobile Security, are protected from this threat–detected as Android.Exprespam.  For general safety tips for smartphones and tablets, please visit our Mobile Security website.

The eDiscovery frenzy that has gripped the American legal system over the past decade has become increasingly expensive. Particularly costly to both clients and the courts is the process of preserving and reviewing ESI. As a solution to these costs, many are emphasizing the concept of “proportionality.” Proportionality typically requires that the benefits of discovery be commensurate with its corresponding burdens.

Despite nearly universal agreement that eDiscovery should be governed by proportionality standards, there remains a polarizing debate that threatens to curtail the impact of proportionality. That debate is centered on disagreements over the scope of ESI preservation, the standard for permissible discovery and the use of cutting edge review technologies like predictive coding.

To better understand these issues and to explore feasible solutions, Philip Favro, Discovery Counsel at Symantec, will lead a lively discussion at LegalTech New York among industry leaders such U.S. Magistrate Judge Frank Maas, Ariana Tadler of Milberg LLP and Shawn Cheadle, General Counsel (Military Space) at Lockheed Martin Space Systems Co. The panelists will take stances on either side of difficult questions like:

·       Should proportionality standards apply to the preservation of ESI to help address the high costs of retaining so much data?

·       Will the proportionality rule ever be used to rein in lawyers and judges that have distorted the standard of discovery from reasonableness to perfection?

·       Can predictive coding facilitate proportional discovery when lawyers are unwilling to share their training set of documents?

While our expert panelists are well-versed in both sides of the proportionality debate, we had a little fun imagining what they might be going through before they take the stage on Tuesday, January 29th.  Watch this video to get an exclusive behind-the-scenes look into the LTNY Locker Room.  

In addition, don’t miss our microsite for the complete plenary session description and a look at Symantec’s LTNY 2013 presence. We hope you stay tuned from now until the show to hear what Symantec has planned for the supersessions, our special event, contest giveaways and product announcements.