Channel: Symantec Connect - Blog Entries

Knowing Is Half the Battle for Today’s CISOs


 

By Joe Bertnick, Director of Product Management, Symantec Corp.

On the battlefield, a general’s responsibility is to coordinate different bodies of soldiers whose commanders may not know what the others are doing. The complete picture of the battle only emerges when these individual reports can be combined and analyzed, yielding a strategy to ensure victory. Just as modern war has come to involve smaller bodies of soldiers carrying out specific missions, our security tools in the data center are addressing new and unique risks to different parts of the security ecosystem. In this world, the CISO is the general directing our overall efforts, merging the “in the trenches” technical details with the overall strategic direction of the business. And they need to be able to gather this intelligence anywhere, at any time, because security incidents aren’t limited to office hours. And while technology such as smartphones and tablets can present challenges, mobile devices are also an ideal way for management to keep up with business risks in real time.

It seems that every week we hear about a new security incident exploiting a previously unknown vulnerability, which is quickly followed by a new security tool or patch. This presents three challenges when it comes to protecting the organization’s resources:

  • First, timing is critical. Minutes in risk management can translate into millions of dollars in damage if issues are not identified and resolved as quickly as possible. CISOs need instant access to risk information in the office, at home or on the road.
  • Second, unifying a large group of discrete data sets into a whole picture can be difficult. Because different units within the company often operate in silos, a potential security situation detected in one area may rely on permissions from a different group to address the issue. In addition, two separate indicators detected by different departments might represent a different threat from either one alone. Bringing together this intelligence into one unified view that can be accessed on a mobile device is important for the most accurate assessment of risks.
  • The third challenge is translating the technical data into business terms that stakeholders can use to make informed decisions. C-level executives will have different levels of technical expertise, and stakeholders may not understand the impact that one missing patch on servers can have. Instead, they need to hear the potential business impact: that the situation can lead to an attack bringing down the e-commerce site.

Visibility into individual risks and their overall effect on the business will become increasingly critical in the coming years, particularly as we take more advantage of technologies such as mobility and clouds. In addition to expanding our security needs, these tools also present new opportunities to simplify the monitoring and remediation of our current risk state, with solutions that can be accessed from anywhere to provide unified, current information. Today’s CISO should look for tools that will supplement the existing elements of their security infrastructure and provide a prioritized view of threats, translated into plain language that will provide decision-makers with the visibility they need to protect information moving forward. With the clearest, most up-to-date intelligence, today’s CISO – the general on the cyber-battlefield – will have the tools they need to win the war.

Learn more about how to manage business risk in real time at Symantec Protection Center’s home page.


We are looking for an Altiris Admin


Hello,

 

We have an immediate opening for an Altiris admin in Redwood City, CA. If you would like additional details, please contact me directly @ scurran@informatica.com

 

Thank you,

 

Sean

Webcast focused on "How to Virtualize Microsoft Office".

Reset Lost Acer Password With Password Recovery Tools


Are you an Acer computer user who has run into a forgotten Acer password? If so, how can you reset the lost password? You can still use a third-party tool to recover it. Here are 3 of the most popular Windows password reset programs.

1. Ophcrack

Ophcrack is a totally free password recovery tool that helps you recover a lost Acer password by cracking LM hashes with rainbow tables. All you need to do is download a 496 MB LiveCD image file, which takes a while.

Note: on one hand, it can’t crack passwords longer than 14 characters. On the other hand, it is not recommended for newcomers, as it requires some computer skills and the password recovery rate is not guaranteed.

2. Offline NT Password Registry Editor

Offline NT Password & Registry Editor is a free program that allows you to recover or reset any Windows password on an Acer computer.
You do not need to know the old password to set a new one, which makes this ideal for users who have forgotten their passwords or were locked out by someone else. Unlocking locked or disabled accounts is also supported.

This tool comes as a bootable CD ISO image but can also be made to boot from a USB drive. The application is a Linux-based technician tool and shouldn’t be used by people without Linux skills and experience.

3. Windows Password Recovery Tool 3.0

Windows Password Recovery Tool 3.0 is an effective Windows password reset application that lets you reset an Acer password by burning a bootable CD/DVD or USB memory stick.

You do not need to know the old password or have any particular computer skills. It is easy to operate, even for a computer newcomer who forgot the Windows password on an Acer laptop. Recovering an Acer password with it takes just a few minutes, in 4 easy steps.

1. Install Windows Password Recovery Tool 3.0 from http://goo.gl/CZuaV.
2. Burn a bootable Compact disc/DVD or USB memory stick.
3. Boot from Compact disc/DVD or USB.
4. Reset lost Acer password under Windows PE.

Source: How to Reset Lost Acer Password?

Student wins Brussels cyber readiness challenge


40 security and technology-savvy enthusiasts have participated in Symantec’s first Cyber Readiness Challenge on Belgian soil, last week at Belgium’s Infosecurity 2013 fair in Brussels Expo. The interactive ‘capture the flag’ style competition is designed for all levels of technical expertise and puts participants in the role of a hacker seeking to infiltrate and exploit an organization.

The CRC experience is intended to help participants better understand the targets, technology tricks and thought processes of a cyber criminal - with an ultimate goal of enabling them to be more effective in their work.

IT security is an industry where you are supposed to defend yourself against attacks that you can’t rehearse for. There’s no practice that you go to after school to attack other people in a safe and clean learning event – this is exactly what an event like the Cyber Readiness Challenges offers the IT security community.

The Brussels event provided participants and onlookers with a rare opportunity to implement theoretical knowledge, while sharpening their skills, expanding their security awareness, and competing in an exciting challenge against their peers.

It was a pleasant surprise to have a 22-year-old Applied Computer Science student (at the Belgian university KU Leuven) beat a masterclass of seasoned IT security specialists and win a ticket to Nice for the European CRC later this year. Congratulations, @tomvangoethem!

Tom specializes in web security and is currently writing a thesis on the state of online security in Belgium. He believes, however, that it was the broad range of the CRC that made the game compelling: “It featured every security aspect, from web app security to system security, even with a bit of cryptography. You can certainly use your expertise, but there are also a few hidden gems where you really have to think like a cyber criminal. I guess I got a bit lucky in the end to have read about recent techniques to solve a few challenges. It allowed me to beat the runner-up in speed, with levelled scores.”

The Brussels challenge is one of many Cyber Readiness events to be hosted by Symantec around the world. Upcoming events will be held in Paris, France; Las Vegas, US; Prague, Czech Republic; London, UK; Nashville, US and Rome, Italy.

To learn more about the challenge, visit: http://www.symantec.com/theme.jsp?themeid=cyber-readiness-challenge.

Business advantages from a good Information Management Approach

 
A good Information Governance approach that includes powerful archiving and eDiscovery tools might seem useful only for companies working in the US or UK, and in other countries where internal regulations enforce processes that follow the EDRM model. The South African example suggests that this is not the case.
 
I just want to recall a few points from these articles:
 
 
South Africa is a country where corruption was an impediment to conducting business, and the government is taking appropriate steps to address this issue. One of the initiatives is the new South African Protection of Personal Information (POPI) law.
 
One of the main objectives of this act is to promote South Africa as a safe place to conduct business, with confidence that ESI will be protected from fraud.
 
"Protection of Personal Information does not specify what technologies an organization will need to achieve compliance. Therefore, compliance is left to the organization’s information governance committee, technology partners, and trusted consultants. At a minimum, organizations will need an archive (either on premise or in the cloud), classification technologies, and data loss prevention. For multi-national companies and serial litigants, in-house eDiscovery capabilities are recommended."
 
Organizations should implement a set of processes that build on the Information Governance Reference Model (IGRM).
This framework encourages companies to break down silos between Business, IT, Legal and Risk Management, so that they work together to create the correct lifecycle for Electronically Stored Information, from its creation and use to its disposal.
 
Stop using backup products for archiving (backup is for recovery) and use archiving tools for intelligent management of data. Use DLP and eDiscovery solutions to prevent data breaches and to conduct internal investigations that prevent fraud, which is a huge advantage for the business.
 
"Fraud related crimes have cost African businesses and governments at least $10.9 billion in 2011-12. Of the 875 reported cases, 40% of fraud perpetrators were in upper management"
 
Looking at the South African example, all organizations working in countries with a medium or high level of corruption could gain huge advantages from implementing the correct approach to information management.
 
Symantec provides a comprehensive portfolio of products to help companies in this direction.
 
For more information:

http://www.symantec.com/ediscovery-platform
http://www.symantec.com/enterprise-vault
http://www.symantec.com/data-loss-prevention

 

EVERY MAN FOR HIMSELF


The world of social networks has taken off at a dizzying pace. Yes, it has gone "viral", and this may be only the beginning. Now that millions of people have rushed to buy the latest smartphones (just look at how many people proudly show them off at the office), the scale of this phenomenon is becoming clear.

Everywhere, the presence of social networks is felt more and more: in bars, people connect with their laptops; on trains, with smartphones; at home, with desktops, laptops or smartphones; and at work, with all kinds of standalone and Internet-connected devices. The consequence is that security is now more at risk than ever.


It is no surprise that many IT departments are frightened by the social media avalanche, because it is hard to manage this seemingly unstoppable invasion while also guaranteeing the protection of corporate data. But what dangers are we talking about, exactly? There is something for every taste: physical threats of all kinds, identity-spoofing attacks (phishing), malicious code (malware), unprotected confidential data within anyone's reach, theft of intellectual property...

It seems logical that most social network infections occur when following links posted on social networks. A single mistake, a visit to a malicious website, is enough for malware to be installed on the device, without even needing to download a file or a program. Legitimate websites can also hide dangers, since hackers often set traps on pages with information about celebrities or sensational breaking news.

Another technique cybercriminals sometimes use is to create their own celebrity websites to lure victims. For example, most of the major sporting events held recently have been accompanied by scams of every kind, such as online sales of fake tickets or phishing attacks that send e-mail messages telling recipients they have won free tickets.

Do these messages seem implausible to you? You would not believe how many people trust them and fall for these scams. In fact, according to the Norton cybercrime report produced by Symantec in 2012*, one in five adult Internet users has been a victim of cybercrime while using social networks or mobile technologies. The most frequent activities include information theft, fraudulent text messages and fake hyperlinks, and account hacking.

According to the report's estimates, in the past year alone global cybercrime accounted for approximately 388 billion dollars and affected approximately 556 million people, while the cost of the attacks to victims exceeded 274 billion dollars in total.

Obviously, the biggest win for a cybercriminal is gaining access to your data, which can have catastrophic consequences: financial losses (for you, the company, employees or customers), theft of confidential data, fines for regulatory non-compliance, industrial espionage, reputational damage...

Let's see what you can do to keep this from happening to you.

PERSONAL MEASURES

  • Do not store confidential data on any device that connects to the Internet unless it is protected with a password.
  • Always use strong passwords made up of a combination of upper-case and lower-case letters, numbers and special characters.
  • On social networking websites, always choose the highest security settings and share as little personal data as possible.
  • Install a complete Internet security software suite and, before entering personal data on websites, make sure the padlock symbol and "https" appear in the address bar.
  • Verify the identity of the people you correspond with. On the Internet, it is very easy to pretend to be someone else.
  • Do not automatically download content from a website or an e-mail message, and do not click links in e-mail messages that appear to come from social networking websites. To read the messages, go directly to the website in question.
  • Install only programs that come from known and trusted websites. "Free" software sometimes hides malware.

BUSINESS MEASURES

  • Set rules about which corporate data may be shared on blogs or social network profiles, and take steps to make sure they are followed.
  • Protect the computer network with a multi-layered security system that includes an SSL certificate to protect confidential information.
  • Inform employees about the threats present on social networks and tell them what to do to avoid losses.
  • Establish rules and procedures for intrusion detection systems on company networks.
  • Warn employees about the consequences their behavior on the Internet can have for the company.
  • Hold regular security training sessions for employees.
  • Ask them to report any suspicious incident immediately.

Follow these tips and your company will become a safer place.

For more information about website security, download the Symantec website security report.

Riding the Wave with Confidence


Social media has swept over us like a force of nature. It is everywhere, and yet its current popularity may be only the beginning. The effort with which millions of people fight for the latest smartphone (just look around at how many of your colleagues proudly show off the newest device) reveals the incredible scale of this trend.

Wherever you go, you come across evidence: in the café the laptop sits next to the coffee cup, on the train people surf on their smartphones, at home you probably have several desktop computers, laptops and smartphones, and in the office everything comes together, with and without an Internet connection. The flip side of the coin is the large number of points of attack, of which there are more today than ever.


No wonder, then, that IT departments everywhere fear the enthusiasm for social media, since they are left with the thankless task of steering this seemingly uncontrollable flood while protecting corporate data. Against what? To begin with, against physical and connection risks, phishing attacks, malware, lax privacy settings and theft of intellectual property.

Most infections via social media come, of course, from the web. You do not even need to download a file or a program, because you can catch malware just by clicking the wrong link once. Reputable websites can be infected too: sites carrying celebrity gossip or breaking news are often hacked by cybercriminals.

Hackers also lure victims with fan websites of their own. For example, criminals offered tickets online for most of the major sporting events of recent times, or sent phishing e-mails informing the recipient of a supposed ticket win.

You think nobody falls for that any more? Unfortunately, you are mistaken. More than enough people are all too willing to be taken in by the fraudsters. According to the 2012 Symantec Norton Security Cybercrime Report*, one in five adult Internet users has already been the victim of a scam set up via social networks or mobile devices. The examples named in the report range from information theft and bogus text messages to fake hyperlinks and cracked accounts.

According to the report, cybercriminals took in around 388 billion US dollars last year. This year alone, about 556 million people fell victim to cybercriminal schemes, which cost them more than 274 billion US dollars in total.

Above all, though, cybercriminals want to get their hands on your data, which can have bitter consequences for you: financial losses (for your company, your employees, your customers and yourself), loss of trust, fines for non-compliance with regulations, industrial espionage and damage to your image.

Can you protect yourself against this? Yes. We have put together a few tips for you.

Tips for consumers

  • Do not store confidential information on any Internet-connected device that is not protected with a password.
  • Use strong passwords with upper-case and lower-case letters, digits, punctuation and special characters.
  • Always set the security settings on social networks to the strictest level and disclose only the personal information that is absolutely necessary.
  • Install a complete Internet security software suite, and enter personal data on websites only when your browser shows a padlock symbol and the web address is preceded by "https".
  • Make sure you know who you are communicating with online. On the Internet it is not hard to pretend to be someone else.
  • Disable automatic downloading of, or replying to, content in e-mails and on websites. Do not click links in e-mails that claim to come from a social network. Go to the website directly instead and read the message there.
  • Install applications and programs only from known and trustworthy websites. Be doubly vigilant with free software. It often contains malware.

 

Tips for businesses

  • Define policies on which information about the company may be published on blogs and on private pages in social networks, and enforce them consistently.
  • Set up several levels of security across the entire computer network and protect confidential data with an SSL certificate.
  • Train your staff in the dangers posed by social media and in safe behavior.
  • Define policies and procedures for intrusion detection systems on company networks.
  • Make your employees aware that their online behavior can have consequences for the company.
  • Hold regular security training for your staff.
  • Teach your employees to report suspicious incidents immediately.

If you master these basics, your company will be much safer, even in the age of social media.

You can find detailed information about website security in the Symantec Website Security Threat Report.


New Ransomlock Variant Bypasses Automated Threat Analysis Systems’ Sandboxes


Many malware samples modify themselves, either to hide from security software when they copy themselves to the compromised computer or to hinder engineers who analyze the malware by executing the decrypted memory area and reading the decrypted memory values. This blog examines the behavior of Trojans that modify themselves by sharing memory.

The malware process follows the red line in Figure 1.
 


Figure 1. Code showing the threat process
 

Address ebx-4 points to the top of the .data section. Initially the value at ebx-4 is zero, so the comparisons with 31h and 32h both fail.

The code writes 31h to address ebx-4 and the Trojan executes itself by executing the WinExec function with its own file name. It then uses the ExitProcess function to end itself. It appears that the program just executes and quits repeatedly since the value at ebx-4 is always 0 at execution, but it does perform malicious activities. Here’s the trick.
 

File structure

This file sample has the following .data section structure.
 


Figure 2. File structure of the file sample
 

The characteristic rw- d0000040 is an unusual configuration and has the following settings.
 

[Image: flag settings encoded in the characteristics value d0000040]
 

The memory value is shared because of the IMAGE_SCN_MEM_SHARED setting.
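
As an added example (not code from the original post or from Symantec), the following Python reads a PE file's section table and flags sections that are both shared and writable, the combination encoded by the d0000040 value above. The sample image is a constructed, header-only skeleton, and the function names are hypothetical.

```python
import struct

# Section characteristic bits from the PE/COFF format (winnt.h names).
FLAGS = [
    (0x00000020, "IMAGE_SCN_CNT_CODE"),
    (0x00000040, "IMAGE_SCN_CNT_INITIALIZED_DATA"),
    (0x10000000, "IMAGE_SCN_MEM_SHARED"),
    (0x20000000, "IMAGE_SCN_MEM_EXECUTE"),
    (0x40000000, "IMAGE_SCN_MEM_READ"),
    (0x80000000, "IMAGE_SCN_MEM_WRITE"),
]
IMAGE_SCN_MEM_SHARED = 0x10000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def decode_characteristics(value):
    """Names of the known flag bits set in a section Characteristics value."""
    return [name for bit, name in FLAGS if value & bit]


def parse_sections(image):
    """Return [(section name, characteristics)] from a PE image's section table."""
    try:
        if image[:2] != b"MZ":
            raise ValueError("missing MZ signature")
        (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
        if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            raise ValueError("missing PE signature")
        # COFF file header: 20 bytes, directly after the 4-byte PE signature.
        _, count, _, _, _, opt_size, _ = struct.unpack_from(
            "<HHIIIHH", image, e_lfanew + 4)
        table = e_lfanew + 4 + 20 + opt_size
        sections = []
        for i in range(count):
            # Each section header is 40 bytes; Characteristics is the last dword.
            name, chars = struct.unpack_from("<8s28xI", image, table + i * 40)
            sections.append((name.rstrip(b"\0").decode("ascii", "replace"), chars))
        return sections
    except struct.error as exc:
        raise ValueError("truncated PE headers") from exc


def shared_writable_sections(image):
    """Sections whose memory is writable and shared between processes."""
    want = IMAGE_SCN_MEM_SHARED | IMAGE_SCN_MEM_WRITE
    return [(n, c) for n, c in parse_sections(image) if (c & want) == want]


def build_sample_image(sections):
    """Constructed input: DOS header, PE signature, COFF header, zeroed optional
    header and a section table only. It carries no code and is not loadable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)      # e_lfanew points to offset 0x40
    opt_size = 0xE0                              # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, opt_size, 0x0102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("ascii"), 0x1000,
                    0x1000 * (i + 1), 0x200, 0, 0, 0, 0, 0, chars)
        for i, (name, chars) in enumerate(sections)
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt_size) + table


# Constructed section list; only the .data value d0000040 comes from the post.
SAMPLE_SECTIONS = [(".text", 0x60000020), (".data", 0xD0000040), (".rsrc", 0x40000040)]

if __name__ == "__main__":
    for name, chars in shared_writable_sections(build_sample_image(SAMPLE_SECTIONS)):
        print(f"{name}: {chars:08x} {' | '.join(decode_characteristics(chars))}")
```

Some legitimate programs also use a shared, writable section for state shared between instances, so a hit is a triage signal: it tells the analyst that the file on disk does not fully describe what a second instance will see, and that dynamic analysis should follow the child processes.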
 

Actual behavior

When the malware runs for the first time, the value at address ebx-4 is zero, so the code writes 31h to the address and executes itself again. Because the first process has not yet called ExitProcess when the new instance starts, the new instance shares the memory that holds 31h at the address.
 


Figure 3. Process follows different route when run again
 

The newly executed program writes 32h at the address and executes itself again. The new program shares memory that has 32h at the address.
 


Figure 4. Process reaches decryption routine
 

Because the address is 32h, it executes the _decrypt function, decrypts encrypted code, and jumps to the esi address. The behavior is shown below in sequential order:

  1. Windows loads the file
  2. The address has 0 as its initial value from the file
  3. Modifies the value to 31h
  4. Executes itself
  5. Windows loads the file image except shared memory; the original file still has 0 on the disk image
  6. The program runs with the value 31h
  7. Exits the first process
  8. Modifies the value to 32h
  9. Executes itself
  10. Windows loads the file image except shared memory; the original file still has 0 on the disk image. The program reaches the decryption routine and the computer is now compromised
  11. Exits the second executed process


Figure 5. Behavior shown in sequential order
 

Process behavior in a sandbox

I believe the attacker tried to hide the malicious behavior from automated threat analysis systems. I submitted a sample file to eight websites that host automated threat analysis systems and the following are the results:

  1. ThreatExpert logged the created file, registry modifications, and unexpected network access. Therefore, I recognized the sample behavior and decided that the file is malicious.
  2. Three websites logged that the process executed but nothing else.
  3. The other four websites did not log anything.

It seems that automated threat analysis systems only monitor the red section shown in Figure 5. We often see this type of specialized code to bypass these automated systems.

Symantec will continue to monitor the type of malicious code and the techniques outlined in this blog. We also recommend that users do not run suspicious programs and keep their operating system and antivirus software up to date.

BackupExec 2012 Hotfix 201596 update warning - loss of storage


Backup Exec 2012 v14.0 Rev 1798 (64Bit)

Problem:  I used live update to install the 201596 hotfix on my CAS last week.  The update showed successful, but after the reboot there were problems.  The following three services were set to disabled after the reboot, Backup Exec Deduplication Engine, Backup Exec Deduplication Manager and PostgreSQL Server 8.3.  Also, all disk storage was missing (Local Backup to Disk Storage, Local Deduplication Storage and Network Disk Storage).  Only tape storage remained.

 

Troubleshooting: I tried to add a disk storage location back and re-catalog the sets, but that operation failed with a duplicate key error.  I deleted that disk storage and then was unable to see it as a storage location choice to add again.

I uninstalled the hotfix through the Windows 2008 R2 uninstall utility.  The storage was still gone.  I reapplied the hotfix with no change.  Those three services were automatically set to disabled on each uninstall and install of the hotfix.

 

Resolution:  I uninstalled the hotfix and recovered the sql database to the last backup before the 201596 hotfix.  All of my storage returned.  I can only conclude that the hotfix deleted my disk storage information from the database.

Some server agents acted strangely, but I've since been able to resolve those issues.

 

I'm sorry that it took me a week to post this, but this 2012 version depresses me.  I used to do more than deal with backups before BE2012.  I didn't see anyone else post about this kind of thing happening for this hotfix, so maybe it doesn't matter.

 

 

Schedule Update for the next releases of Backup Exec


We've been discussing this topic across a number of threads lately, so I thought I'd drop it here for all to see.

The development team has been extremely focused on quality enhancements, as reflected in the last Hotfix released February 20th. It's had over 20,000 downloads without logging a single traceable support event.

Next up are two Service Packs, about to drop as beta code. Both are arriving at the same time; both are automatically delivered via the auto-update server when they reach General Availability and both apply to the software and the appliance.

They are called:
Backup Exec 2010 R3 SP3
Backup Exec 2012 SP2

The public beta release is in May and it represents the largest production-ready, white-glove, on-site testing activity that we have ever done. For more information or to join the nearly 2000 users that are already signed up, check out the beta blog.

Both are expected to hit General Availability in July.

Questions and comments welcome, and be sure to watch out for pre-release information and events coming here on Connect as well as on Spiceworks, Twitter, Reddit and Google+.

NetBackup in VCS environment. Manual start without VCS


My last few cases were cluster related. It's funny, but some customers (and even engineers) always forget how to manage NBU when it's under cluster control. They also believe that they can easily bring NBU up with the same old start/stop scripts when the cluster has a problem. That won't work. As soon as we place NBU under cluster control, it is controlled by the cluster Agent, and the Agent's functions aren't limited to the start/stop/monitor routines. Let's look at a possible scenario. We've upgraded both nodes and want to perform a switchover to the other node as a check. It fails. What do we do? Everyone knows that first of all we need to understand why we can't start the application in the cluster. Is it an NBU problem or a cluster-related issue? We can disable AutoFailover and switch NBU's service group to the problem node again. It will stop in the OFFLINE|FAULTED state on it. What's next?

1. Mount shared volume
2. Bring up common IP.
3. Start NBU manually.

But  NBU will not start.

# bp.start_all
Starting nbatd...
Starting vnetd...
Starting bpcd...
Starting nbftclnt...
NetBackup will not run without /usr/openv/db/bin/NB_dbsrv running.
Starting nbazd...
Starting nbevtmgr...
Starting nbaudit...
Starting spad...
Starting spoold...
Starting nbemm...
Starting nbrb...
Starting ltid...
Starting bprd...
Starting bpcompatd...
Starting nbjm...
Starting nbpem...
Starting nbstserv...
Starting nbrmms...
Starting nbkms...
Starting nbsl...
Starting nbars...
Starting bmrd...
Starting nbvault...
Starting nbsvcmon...
Starting bmrbd...

Is it a problem with configuration? No.

When we install NBU as a clustered master server, in the last steps the installer calls a configuration script that guides us through the service group configuration and also creates the /usr/openv/netbackup/bin/cluster/NBU_RSP file, which keeps some cluster-related information. Let's have a look at the NBU_RSP file from my lab:

#DO NOT DELETE OR EDIT THIS FILE!!!
NBU_GROUP=nbu
SHARED_DISK=/opt/VRTSnbu
NODES=nbu-node1
VNAME=nbu-srv
VIRTUAL_IP=10.1.5.188
CLUTYPE=VCS
START_PROCS=NB_dbsrv nbevtmgr nbemm nbrb ltid vmd bpcompatd nbjm nbpem nbstserv nbrmms nbsl nbvault nbsvcmon bpdbm bprd bptm bpbrmds bpsched bpcd bpversion bpjobd nbproxy vltcore acsd tl8cd odld tldcd tl4d tlmd tshd rsmd tlhcd pbx_exchange nbkms nbaudit nbatd nbazd

PRODUCT_CODE=NBU
DIR=netbackup mkdir
DIR=netbackup/db mv
DIR=var mkdir
DIR=var/global mv
DIR=volmgr/mkdir
DIR=volmgr/misc mkdir
DIR=volmgr/misc/robotic_db mv
DIR=kms mv

LINK=volmgr/misc/robotic_db
LINK=netbackup/db
LINK=var/global
PROBE_PROCS=nbevtmgr nbstserv vmd bprd bpdbm nbpem nbjm nbemm nbrb NB_dbsrv nbaudit
DIR=netbackup/vault mkdir
DIR=netbackup/vault/sessions mv
LINK=netbackup/vault/sessions  

As we can see, there are some LINK records. They are the root cause of the manual NBU start problem. After a cluster installation some folders are just symlinks to folders on the shared disk, and normally we would use the Agent to recreate them. But we're in the middle of troubleshooting and need to recreate them manually. After that NBU will start normally.
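
As an added example (not part of the original post and not a NetBackup tool), the following Python reads NBU_RSP content and reports the state of each symlink it implies, without changing anything on disk. It assumes each LINK entry maps /usr/openv/<entry> to <SHARED_DISK>/<entry>, which matches the two symlinks visible in the listings on this page; the function names are hypothetical and the embedded text is an excerpt of the lab file above.

```python
import os

# Excerpt of the lab NBU_RSP file shown in the post (only the keys used here).
SAMPLE_NBU_RSP = """\
#DO NOT DELETE OR EDIT THIS FILE!!!
NBU_GROUP=nbu
SHARED_DISK=/opt/VRTSnbu
CLUTYPE=VCS
LINK=volmgr/misc/robotic_db
LINK=netbackup/db
LINK=var/global
LINK=netbackup/vault/sessions
"""


def parse_nbu_rsp(text):
    """Return (shared_disk, [LINK values]) from NBU_RSP content."""
    shared_disk, links = None, []
    for raw in text.splitlines():
        line = raw.strip()                 # the file carries trailing blanks
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key == "SHARED_DISK":
            shared_disk = value.strip()
        elif key == "LINK":                # LINK repeats, so collect every one
            links.append(value.strip())
    if shared_disk is None:
        raise ValueError("NBU_RSP has no SHARED_DISK entry")
    return shared_disk, links


def expected_symlinks(text, install_root="/usr/openv"):
    """(link path, target) pairs under the assumed LINK-to-SHARED_DISK mapping."""
    shared_disk, links = parse_nbu_rsp(text)
    return [(os.path.join(install_root, rel), os.path.join(shared_disk, rel))
            for rel in links]


def audit_symlinks(text, install_root="/usr/openv"):
    """Read-only check: returns (link path, target, state) for every LINK."""
    report = []
    for link_path, target in expected_symlinks(text, install_root):
        if os.path.islink(link_path):
            if os.readlink(link_path) != target:
                state = "wrong-target"
            elif not os.path.exists(target):
                state = "dangling"         # e.g. shared volume not mounted yet
            else:
                state = "ok"
        elif os.path.lexists(link_path):
            state = "not-a-symlink"        # a real directory sits in its place
        else:
            state = "missing"
        report.append((link_path, target, state))
    return report


if __name__ == "__main__":
    rsp = "/usr/openv/netbackup/bin/cluster/NBU_RSP"
    with open(rsp) as handle:
        for link_path, target, state in audit_symlinks(handle.read()):
            print(f"{state:14} {link_path} -> {target}")
```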

What symlinks need to be recreated:

# ls -la /usr/openv/netbackup/
total 170
drwxr-xr-x  12 root     bin          512 Mar 27 23:56 .
drwxr-xr-x  16 root     bin          512 Mar 27 23:29 ..
drwxr-xr-x   3 root     bin          512 Mar 27 23:13 baremetal
drwxr-xr-x  14 root     bin         4096 Mar 27 23:57 bin
-rw-r--r--   1 root     root         295 Mar 27 23:56 bp.conf
drwxr-xr-x  16 root     root         512 Mar 27 23:14 client
lrwxrwxrwx   1 root     root          25 Mar 27 23:56 db -> /opt/VRTSnbu/netbackup/db
drwxr-xr-x   4 root     bin          512 Mar 27 23:14 db.org
drwxr-xr-x   2 root     bin          512 Mar 27 23:28 dbext
drwxr-xr-x   3 root     bin          512 Mar 27 23:28 ext
drwxr-xr-x   6 root     bin          512 Mar 27 23:28 help
drwxr-xr-x   5 root     bin          512 Mar 27 23:52 logs
-rw-r--r--   1 root     bin         8957 Mar 27 23:29 nblog.conf
-rw-r--r--   1 root     bin         8957 Feb  4  2011 nblog.conf.template
-rw-r--r--   1 root     bin         1071 Feb  4  2011 nblu.conf.template
-rw-r--r--   1 root     root        1913 Mar 27 23:57 nbsvcmon.conf
drwxr-xr-x   4 root     bin          512 Mar 27 23:28 sec
drwxr-xr-x   3 root     bin          512 Mar 27 23:56 vault
-r--r--r--   1 root     bin          101 Feb  4  2011 version
-rw-r--r--   1 root     bin        20379 Feb  4  2011 vfm.conf
-r--r--r--   1 root     bin        25232 Feb  4  2011 vfm_master.conf

# ls -la /usr/openv/var/
total 26
drwxr-xr-x   6 root     bin          512 Mar 27 23:57 .
drwxr-xr-x  16 root     bin          512 Mar 27 23:29 ..
-rw-r--r--   1 root     root          11 Mar 27 23:56 clear_cache_time.txt
lrwxrwxrwx   1 root     root          23 Mar 27 23:56 global -> /opt/VRTSnbu/var/global
drwxr-xr-x   3 root     bin          512 Mar 27 23:14 global.org
drwxr-xr-x  11 root     root         512 Mar 27 23:54 host_cache
-rw-r--r--   1 root     root         848 Mar 27 23:17 license.txt
-rw-------   1 root     root         903 Mar 27 23:57 nbproxy_jm.ior
-rw-------   1 root     root         903 Mar 27 23:57 nbproxy_pem.ior
-r--r--r--   1 root     bin          543 Feb  4  2011 resource_limits_template.xml
-rw-r--r--   1 root     root          11 Mar 27 23:56 startup_time.txt
drwx------   4 root     bin         1024 Mar 27 23:57 vnetd
drwxr-xr-x   5 root     bin          512 Mar 27 23:47 vxss

# ls -la /usr/openv/netbackup/vault/
total 8
drwxr-xr-x   3 root     bin          512 Mar 27 23:56 .
drwxr-xr-x  12 root     bin          512 Mar 27 23:56 ..
lrwxrwxrwx   1 root     root          37 Mar 27 23:56 sessions -> /opt/VRTSnbu/netbackup/vault/sessions
drwxr-xr-x   2 root     bin          512 Mar 27 23:14 sessions.org

# ls -la /usr/openv/volmgr/misc/
total 12
drwxr-xr-x   3 root     bin          512 Mar 28 00:43 .
drwxr-xr-x   6 root     bin          512 Mar 27 23:56 ..
-rw-r--r--   1 root     root           0 Mar 28 00:43 .ltisymlinks
-r--r--r--   1 root     bin          340 Feb  4  2011 README
lrwxrwxrwx   1 root     root          35 Mar 28 00:42 robotic_db -> /opt/VRTSnbu/volmgr/misc/robotic_db
drwxr-xr-x   2 root     bin          512 Mar 27 23:14 robotic_db.org
-rw-------   1 root     root          16 Mar 28 00:43 vmd.lock

Hope this saves someone's time.
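The check described above can be scripted as a read-only audit before touching anything by hand. This is an added example, not part of the original post or of NetBackup: the function names and the `install_root` parameter are assumptions, and the sample text is constructed from the NBU_RSP lines shown above.

```python
import os

# Constructed sample: the SHARED_DISK and LINK records from the NBU_RSP above.
SAMPLE_RSP = """#DO NOT DELETE OR EDIT THIS FILE!!!
NBU_GROUP=nbu
SHARED_DISK=/opt/VRTSnbu
LINK=volmgr/misc/robotic_db
LINK=netbackup/db
LINK=var/global
LINK=netbackup/vault/sessions  
"""


def parse_rsp(text):
    """Return (shared_disk, [link paths]); LINK records may repeat."""
    shared, links = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key == "SHARED_DISK":
            shared = value.strip()
        elif key == "LINK":
            links.append(value.strip())
    if shared is None:
        raise ValueError("SHARED_DISK record not found")
    return shared, links


def audit_links(rsp_text, install_root="/usr/openv"):
    """Report, without changing anything, the state of every LINK record.

    Each LINK path is expected to be a symlink under install_root pointing
    at the same relative path on the shared disk, as in the listings above.
    """
    shared, links = parse_rsp(rsp_text)
    report = []
    for rel in links:
        path = os.path.join(install_root, rel)
        want = os.path.join(shared, rel)
        if os.path.islink(path):
            state = "ok" if os.readlink(path) == want else "wrong-target"
        elif os.path.lexists(path):
            state = "not-a-symlink"   # a real file or directory is in the way
        else:
            state = "missing"
        report.append((path, want, state))
    return report


if __name__ == "__main__":
    for path, want, state in audit_links(SAMPLE_RSP):
        print(f"{state:14} {path} -> {want}")
```

Anything not reported as `ok` is a link to recreate by hand; a `not-a-symlink` result means a real directory sits where the link should be and needs a look before it is replaced.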

Unable to Download Application - App Center


Situation:

The App Center Icon appears on the home screen.
The device is not visible in the App Center yet because the agent software has been dispatched but the rollout of the device has not been started yet.
Clicking the App Center icon on the home screen results, after some seconds (up to 20 sec), in the error: Unable to Download Application.

UnableToDownload.jpg

Possible cause:

The network connection is too slow, so the communication has timed out.

This differs from TECH202938: "Unable to Download Application" error when installing App Center client, where an expired Distribution Certificate is the cause of the issue. (The error message is a bit different.)

Redesign Of Symantec’s Mobile Website


We recently launched a redesign of our Symantec.com mobile website.

With the redesign, users can now enjoy a look and feel on the mobile site that is more consistent with the desktop version of the site. The visual execution and user interface elements are more closely aligned from web to mobile, thereby providing a more familiar and recognizable experience for users from one form factor to the next.

Some of the main changes include:

  • the addition of a quiet site selector at the top of the site which matches our desktop design
  • the inclusion of a side-scrolling carousel for site-wide promotions
  • visual responses to taps/clicks
  • a minimized display of links which contains options to “show more/show less”
  • “jump to top” at the bottom of each page to minimize scrolling
  • increased leading for improved readability
  • larger targets for ease of access

While the site still showcases minimal content, it provides access to some of the key areas users find useful such as products, purchasing, support, news, etc.

Check out the new mobile site at m.symantec.com or navigate to Symantec.com on your mobile device.

 

b-mobile-redesign-connect_0.jpg

Do you have a solid Step-By-Step plan for your SYMC 52X0 Appliances (Onsite/Offsite) Disaster Recovery?


 

Disasters strike when you least expect them.

Total disaster recovery of your NetBackup appliances requires that you have a secure and reliable way to recover your data when you need it. Learn how Symantec Consulting can help you implement easy (not push-button, but close) disaster recovery steps for 52X0 appliances (onsite/offsite) and business continuity best practices for your organization. Whether you are planning to use NetBackup PureDisk Storage, NetBackup AIR (Auto Image Replication), SLPs/tape storage, NBU OST cloud storage providers, or a qualified NetBackup OST disk (Data Domain, Quantum, HP, FalconStor, IBM…) as part of your DR plan, Symantec Professional Services has the blueprint to help you succeed with your DR scenarios.

We will discuss best practices and lessons learned on these topics. Furthermore, Symantec Professional Services is extremely excited to distribute, for the first time, a 52X0 appliances CheatSheet/CL Poster as a small token of the PS team's appreciation to all attendees!

Join us!

Time: Monday, Apr 15, 3:30 PM - 4:30 PM

Session #: IA B55

Session Title: A Step-By-Step Disaster Recovery Blueprint & Best Practices for Your NetBackup Appliances & Beyond (Onsite/Offsite)

Session Description: In this technical session we will share a few customer-tested blueprints for implementing DR strategies with NetBackup appliances, showing support for onsite and offsite disaster recovery. This includes the architecture design with Symantec best practices, down to execution of the wizards and command lines needed to implement the solution. In addition, we discuss how to use OpsCenter as a Swiss army tool to benchmark and enhance the appliance’s DR experience.

Speakers:

David Little (Author of Implementing Backup and Recovery), NetBackup Strategist, Symantec

David Couture, Principal Technical Architect, Symantec

Ramin Arvand, Principal Technical Architect, Symantec

 


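New Ransomlock Variant Slips Past the Sandboxes of Threat Analysis Systems

Much malware has the ability to change itself. The aim is to evade security software when it copies itself to the compromised computer, or to hinder engineers who try to analyze the malware by executing decrypted memory regions or reading decrypted memory values. This blog describes the behavior of a Trojan horse that changes its own form by sharing memory.

The malware's process proceeds along the red line in Figure 1.

new ransomlock 1 edit.png

Figure 1. Code showing the threat's process

The address ebx-4 points to the start of the .data section. In the initial state ebx-4 is 0, so the comparisons with 31h and 32h fail.

Once the code writes 31h to address ebx-4, the Trojan runs itself by calling the WinExec function with its own file name. It then terminates itself with the ExitProcess function. Because the value at ebx-4 is always 0 at execution time, the program appears merely to repeat execution and termination, but it is actually carrying out malicious actions. This is where the malware is clever.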

 

File structure

The sample file has a .data section with the following structure.

new ransomlock 2.png

Figure 2. Structure of the sample file

The Characteristics value rw- d0000040 is an unusual configuration, set as follows.
new ransomlock 3 edit.png
Because IMAGE_SCN_MEM_SHARED is set, the memory values are shared.

 

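Actual behavior

When the malware runs for the first time, address ebx-4 is 0, so the code writes 31h to this address and re-executes itself. At the time of re-execution ExitProcess has not yet run, so the memory holding 31h at this address is shared.

new ransomlock 4 edit.png

Figure 3. On re-execution the process takes a different route

The newly executed program writes 32h to this address and executes itself. The new program shares the memory holding 32h at this address.

new ransomlock 5 edit.png

Figure 4. The process reaches the decryption routine

Because the address holds 32h, the program executes the _decrypt function, decrypts the encrypted code and then jumps to address esi. In order, the behavior is as follows.

  1. Windows loads the file.
  2. The address takes 0 as the file's initial value.
  3. The value is rewritten to 31h.
  4. It executes itself.
  5. Windows loads the file image, except for the shared memory. The disk image of the original file still holds 0.
  6. The program runs with the value 31h.
  7. The first process terminates.
  8. The value is rewritten to 32h.
  9. It executes itself.
  10. Windows loads the file image, except for the shared memory. The disk image of the original file still holds 0. The program reaches the decryption routine and the computer is compromised.
  11. The second process terminates.

new ransomlock 6.png

Figure 5. Behavior shown in execution order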
 

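Process behavior in a sandbox

The attacker is thought to be trying to hide the malicious behavior from automated threat analysis systems. We submitted the sample file to eight websites that run automated threat analysis systems, with the following results.

  1. ThreatExpert recorded file creation, registry modification and unexpected network access. From these results it identified the sample's behavior and judged it to be malware.
  2. Three websites recorded process execution, but nothing else unusual.
  3. The remaining four websites recorded nothing.

Automated threat analysis systems appear to monitor only the section outlined by the red frame in Figure 5. This type of special code has repeatedly been observed slipping past automated analysis systems.

Symantec will continue to monitor this type of malicious code and technique. We recommend that you do not run suspicious programs and that you keep your operating system and antivirus software up to date.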
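The .data section flags described above (Characteristics d0000040, with IMAGE_SCN_MEM_SHARED set on a writable section) can be checked statically, before a sample ever reaches a sandbox. The following is an added example, not code from the original post or from Symantec: the function names are assumptions, and the sample image is a constructed header with no code in it.

```python
import struct

# Section characteristic bits from the PE/COFF format.
SCN_FLAGS = {
    0x00000020: "CNT_CODE",
    0x00000040: "CNT_INITIALIZED_DATA",
    0x10000000: "MEM_SHARED",
    0x20000000: "MEM_EXECUTE",
    0x40000000: "MEM_READ",
    0x80000000: "MEM_WRITE",
}
MEM_SHARED, MEM_WRITE = 0x10000000, 0x80000000


def flag_names(characteristics):
    """Decode a section Characteristics value into flag names."""
    return [n for bit, n in sorted(SCN_FLAGS.items()) if characteristics & bit]


def sections(pe):
    """Return [(name, characteristics)] from the section table of a PE image."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    if coff + 20 > len(pe):
        raise ValueError("truncated COFF header")
    _, count, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size          # section table follows the optional header
    found = []
    for i in range(count):
        off = table + 40 * i              # each section header is 40 bytes
        if off + 40 > len(pe):
            raise ValueError("truncated section table")
        name, *_unused, chars = struct.unpack_from("<8sIIIIIIHHI", pe, off)
        found.append((name.rstrip(b"\0").decode("ascii", "replace"), chars))
    return found


def shared_writable_sections(pe):
    """Sections whose contents are shared between processes AND writable."""
    return [(n, c) for n, c in sections(pe) if c & MEM_SHARED and c & MEM_WRITE]


def build_sample():
    """Constructed header only: .text is normal, .data carries d0000040."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x0102)

    def sec(name, chars):
        return struct.pack("<8sIIIIIIHHI", name, 0x1000, 0, 0x200, 0, 0, 0, 0, 0, chars)

    return dos + b"PE\0\0" + coff + sec(b".text", 0x60000020) + sec(b".data", 0xD0000040)


if __name__ == "__main__":
    for name, chars in shared_writable_sections(build_sample()):
        print(f"{name}: {chars:08x} {' | '.join(flag_names(chars))}")
```

A shared writable section is a triage signal rather than a verdict, since some legitimate DLLs use one to share state between processes; in an executable that also relaunches itself it is a reason to follow child processes in the sandbox.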

 

* To subscribe to the RSS feed of the Japanese-language Security Response blog, visit http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja.

Symantec Wins Best Channel Commitment Award at ASCII Tampa Success Summit


2013 tampa PtnrComit award_0.jpg

Symantec's dedication to the MSP community has once again been confirmed by our partners.

The MSP program's "4 Pillars" allow partners to add Symantec solutions to their MSP offerings more efficiently.

1. Subscription based licensing

2. Enhanced management options

3. Advanced support

4. Broad Symantec portfolio and Global Intelligence Network

For more info contact MSP@Symantec.com

 

 

Bogus Asian Chat App Steals Login Information


Contributor: Avdhoot Patil

New methods to entice victims into handing over their personal information are always being devised by the people behind phishing websites, and the use of fake social networking applications is always popular.

During the past month, phishing on social media sites accounted for 8.6 percent of all phishing activity. Among the phishing sites targeting social media, 0.8 percent consisted of fake applications offering features such as free cell phone airtime, adult videos, video chatting, adult chatting, etc.

In March 2013, phishers used a fake Asian chat application on a phishing site hosted on a free web hosting site.

fig1.jpg

Figure 1. Phishing page spoofing a social networking site

The phishing site spoofs a popular social networking site and is titled “Pakistani chat room - Pakistani girls & boys chatting room”. On the right hand side of the page are poorly worded instructions on how to join the chat room. According to the instructions, after the user enters their login information they can chat with Pakistani and Indian girls for free. The page also boasts about a feature that helps users to find and chat with friends locally and worldwide. In reality, the next page of the phishing site is a fake chat page for Asian groups including Pakistani, Indian, and Arab.

Redirecting users to a fake site containing the previously offered application is a common strategy used in phishing attacks to avoid suspicion. This particular fake site has wallpapers of Indian film actresses and links to fake chat rooms. If users take the bait, the attackers will have successfully stolen their login information.

fig2.jpg

Figure 2. Fake chat site that user is redirected to after entering their details

Users are advised to follow best practices to avoid phishing attacks:

  • Do not click on suspicious links in email messages
  • Do not provide any personal information when answering an email
  • Do not enter personal information in a pop-up page or screen
  • Ensure the website is encrypted with an SSL certificate by looking for the padlock, ‘https’, or the green address bar when entering personal or financial information
  • Update your security software (such as Norton Internet Security which protects you from online phishing) frequently

Facing authentication threats: one time passwords and transaction signing


Authentication is one of the oldest problems in information security, and it remains a live issue. Obtaining a user's password is the easiest way to gain access to critical systems, steal confidential information, and so on, which is why attackers are so interested in stealing passwords. The evolution of information security has brought several technologies that improve the protection of user authentication systems, but at the same time attackers have improved their techniques and tools for stealing valuable information. Attacks are not always based on technology and software. In most cases the easiest way to get a password from a user is to ask for it. This is not a joke; unfortunately, it is the reality. Social engineering techniques have evolved over time, and nowadays a smart attacker can trick a user by telling him that his password is needed to complete some work or to fix a broken system. This is just one example of how attackers get passwords from users without using sophisticated tools.

When social engineering is not enough, software is always ready to help an attacker. There are different software-based attacks, including:

  • brute force attacks
  • password replay attacks
  • man in the middle

From now on I will focus on user authentication to web portals (e.g. banking systems) that allow users to complete online transactions. This is a very common scenario, but applications do not always protect users' information properly. Let’s look at some solutions to this problem. We will cover the banking scenario, but the same solutions can be applied to many other applications.

Consider a banking system that authenticates users with a username and password. This is what we call single-factor authentication. It is straightforward for users: we all use usernames and passwords every day. But this authentication technique is easy to attack through technical attacks (man in the middle, password brute-forcing, etc.) and social engineering attacks (phishing, shoulder surfing, etc.). This is why most banking systems have added a second factor of authentication. The second factor can be something that belongs to the user or something that is part of the user. The latter can be a fingerprint scan, an iris scan, or something behavioral (e.g. how fast the user types his password). These techniques are not often used in banking systems because they are expensive and intrusive to the user experience.

The most common second factor used by applications is what is often referred to as “something you have”. This is usually a numeric code that is either generated by a one-time password system or read by the user from a matrix of authentication numbers. There are several ways to generate one-time passwords, some based on proprietary algorithms and others on publicly available standards. We usually distinguish two types of token:

  • Event based
  • Time based

Event-based tokens increment a counter and generate a one-time password when a specific event happens. Time-based tokens update a counter at a given frequency (e.g. every 30 seconds) and provide a one-time password valid for that time frame. Authentication based on these types of OTP is very common in scenarios such as web applications, VPNs, etc.

Two-factor authentication is an effective technique for mitigating the risks of password-oriented attacks. As attackers evolve their techniques, however, some advanced malware can trick the user into entering both factors on a fake website and then act as the user. For transactions, these attacks can be blocked using transaction signing. Transaction signing calculates a value based on the user's input on both the client and the server side, and the transaction continues only if the values match. Let’s say that Alice is connected to her banking portal to transfer 1000$ to Bob. When Alice clicks confirm, the web application sends all the information to the bank, which calculates a challenge (let’s say 383) based on Bob's account information, the transaction amount and a shared secret. At the same time Alice calculates the same value using a tool (like a calculator) provided by the bank and submits it on the banking portal. If the two values match, the transaction is confirmed.

Let’s see what happens if Joe is an attacker who intercepts Alice’s request and changes it before sending it on to the bank. Alice asks the bank to transfer 1000$ to Bob. Joe intercepts the request and changes it to “transfer 1000$ to Joe’s account”. When the bank receives the request, it appears that Alice wants to transfer 1000$ to Joe, but Alice believes she is sending money to Bob. The bank now calculates the challenge based on the following information:

  • Amount: 1000$
  • Recipient Account: Joe

Alice calculates the challenge using the following:

  • Amount: 1000$ 
  • Recipient Account: Bob

The requests are different, so they produce different challenges. When Alice sends her challenge (let’s say 383) to the bank, the bank compares it with its own calculated challenge (let’s say 385, calculated from Joe’s request) and the transaction is cancelled.

Even if Joe intercepts Alice's request and modifies the challenge, he cannot create a valid challenge for the information he provided, because the challenge is calculated from the transaction information and a secret shared between the bank and the client.

The scenario described above can be implemented with a standard defined by the IETF and known as OCRA (OATH Challenge-Response Algorithm). OCRA has several more features than the ones described in this post and can be extended to multiple scenarios.
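To make both ideas concrete, here is an added example (not from the original post and not Symantec's implementation) that computes event-based and time-based one-time passwords as standardized in RFC 4226 and RFC 6238, then replays the Alice/Bob/Joe scenario. The transaction code is a simplified HMAC construction, not the OCRA message format; the function names, the nonce and the field encoding are assumptions.

```python
import hashlib
import hmac
import struct


def truncate(mac, digits):
    """Dynamic truncation from RFC 4226: pick 31 bits of the MAC, keep N digits."""
    offset = mac[-1] & 0x0F
    value = struct.unpack_from(">I", mac, offset)[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def hotp(secret, counter, digits=6):
    """Event-based OTP (RFC 4226): the counter advances on each event."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return truncate(mac, digits)


def totp(secret, unix_time, step=30, digits=6):
    """Time-based OTP (RFC 6238): the counter is the number of elapsed steps."""
    return hotp(secret, int(unix_time) // step, digits)


def sign_transaction(secret, nonce, recipient, amount_cents, digits=6):
    """Code bound to the transaction details (simplified, not OCRA's format)."""
    fields = (nonce, recipient.encode(), str(amount_cents).encode())
    # Length-prefix each field so "Bob1"+"000" and "Bob"+"1000" cannot collide.
    message = b"".join(struct.pack(">H", len(f)) + f for f in fields)
    mac = hmac.new(secret, message, hashlib.sha256).digest()
    return truncate(mac, digits)


def bank_accepts(secret, nonce, recipient, amount_cents, submitted_code):
    """Bank side: recompute over the request it received, compare in constant time."""
    expected = sign_transaction(secret, nonce, recipient, amount_cents)
    return hmac.compare_digest(expected, submitted_code)


def demo():
    secret = b"12345678901234567890"    # constructed; the RFC 4226 test key
    nonce = b"constructed-nonce-0001"   # assumed per-transaction value from the bank
    # Alice's out-of-band device signs what she intends: 1000$ to Bob.
    alice_code = sign_transaction(secret, nonce, "Bob", 100000)
    honest = bank_accepts(secret, nonce, "Bob", 100000, alice_code)
    # Joe rewrites the recipient in transit; the bank recomputes over "Joe".
    tampered = bank_accepts(secret, nonce, "Joe", 100000, alice_code)
    return honest, tampered


if __name__ == "__main__":
    print("HOTP, counter 0:", hotp(b"12345678901234567890", 0))
    print("TOTP, t=59s:    ", totp(b"12345678901234567890", 59, digits=8))
    print("honest accepted, tampered accepted:", demo())
```

A plain OTP would pass in the tampered case because it says nothing about the recipient; the transaction code fails because the bank recomputes it over the fields it actually received.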

Symantec two-factor authentication services support one-time password authentication through several types of token (hardware and software based), and OCRA to implement transaction signing as described above. In some scenarios the OCRA calculation can be executed by an ad-hoc application running on a PC or on a mobile device (tablet, mobile phone). Usually the OCRA calculation is executed out of band, on a device different from the client connected to the banking portal. This prevents attacks in which malware intercepts both the transaction request and the challenge.

 

It's an exciting time in the industry


 

Windows 8 has been released... OK, so I'm not actually that excited about Windows 8 (I'm a Mac user and I like my screen sharp and fingerprint-free). But as usual it was accompanied by a new version of Microsoft's server OS - 2012 - and that does excite me.

Yes, 2012 has got a load of new functionality, but these 'cool new features' aren't the interesting bits; it's what's been in there for a while that's really exciting. There are a few components in Windows 2012 that have hit version 3.0 and that's a big deal; one of those is Hyper-V. What this really means is Microsoft's hypervisor platform has passed a milestone in maturity. Typically when Microsoft brings a new technology to market it takes a few versions of fine tuning to really hit the mark. During this time, some early adopters will use it for production workloads, but the majority of large enterprises will confine it to labs and low priority workloads until at least an 'R2' before rolling it out into prod. We're past that stage now, and it's starting to hit the mainstream in a big way, even in large enterprises.

VMware has been the dominant x86 hypervisor for a while, but it's been no secret that Hyper-V adoption has been ramping up and not-so-slowly eroding market share. I've noticed this first hand with the customers I deal with. More and more I've been coming across customers who have decided upon Hyper-V as their primary hypervisor, sometimes even for Linux-only workloads, which is saying something. For those that have VMware, the vast majority also have the 2008 R2 flavour of Hyper-V at least running in a lab and probably hosting a few production apps.

The battle ground is changing too. Since the majority of virtual guests on VMware are running Windows (I think the last statistic I heard was around 80%) you need to be purchasing Windows licenses anyway. With Hyper-V as a free component of Windows Server you are essentially getting a hypervisor for nothing now. With all of the hypervisors (including the open source offerings) now more or less at feature parity, the battle is becoming more about the management tools. Most organisations I've spoken to are expecting not to standardise on a single hypervisor but are settling on multi-hypervisor strategies, while looking for a single management suite to manage all their different hypervisor environments. This can only be a good thing - competition in the management tools means we are likely to see a lot of enhancements to vCenter and System Center.

The other interesting thing is what will happen when we get a more widespread adoption of a 'fat' hypervisor for x86/Windows. VMware is a 'locked down' hypervisor - you are limited as to what you can install on the ESX host itself and only really have access to the APIs VMware have made available. Hyper-V by contrast works in much the same way as the virtualisation products from the Unix world, with a fully functioning OS acting as the 'parent' (partition/zone/domain). There are pros and cons to both, but the Hyper-V approach means you can install pretty much anything you want into the hypervisor, which certainly opens up a lot of options.

For instance - Symantec has been working quite closely with VMware over the years and we have products such as our Dynamic Multipathing for VMware, the ApplicationHA extension to VMware's HA and a special version of Veritas Cluster Server enhanced for running within VMs. However on Hyper-V, as with our capabilities on the Unix and Linux hypervisors, we are able to deploy the entire Storage Foundation stack in addition to Hyper-V specific enhancements. Being able to run existing software on the hypervisor layer without considerable modifications lowers the barrier for entry and means development time can be more focused on doing interesting things rather than just 'getting it to work', which I suspect will lead to a great deal of competition in this area. The increased adoption of Hyper-V should fuel a lot of innovation in the x86/Windows virtualisation space, interesting times indeed...