I'm pleased to announce that I will be presenting Enterprise Vault Administrators' Secrets at Vision 2013 in Las Vegas!  Come join us on Monday 15 April at 2:15 pm as we discuss these tricks and tips collected during my 7 year tenure as a Business Critical Engineer for Enterprise Vault.  Ranging from reducing overall storage needs to helping better acquaint end users with the Enterprise Vault client functions, there's bound to be something for everyone!   Please join us for this look at practical, zero-dollars solutions for your Enterprise Vault environment!

Are you interested in seeing first hand the new advancements around virtualization backup and recovery coming in NetBackup 7.6?  Well, we've decided to host a Google Hangout as a sneakpeak into the latest and greatest, and broadcast it live from Vision 2013 in Las Vegas on 4/17.  This Hangout is open to the public and we're encouraging everyone to come check it out!

We'll be showing you things like how to backup 300 VMs in 3 minutes, backing up 3TB of data in 15 minutes, and much more.

Broadcasting live from the Expo Hall floor of the MGM Grand on April 17th from 12:00pm to 1:15pm Pacific time.  

RSVP on our Google + page:Protecting 300 VMs in 3 min

We'll be taking questions from panel members as well as those submitted through Google + and Twitter.  So, add us to your G+ circles and follow us on Twitter to take part in the discussions.

'See' you there!

Disclaimer:

Any forward-looking indication of plans for products is preliminary and all future release dates are tentative and are subject to change. Any future release of the product or planned modifications to product capability, functionality, or feature are subject to ongoing evaluation by Symantec, and may or may not be implemented and should not be considered firm commitments by Symantec and should not be relied upon in making purchasing decisions.

Symantec Web Security.cloud blocks web-borne virus, spyware and phishing threats and controls web traffic through URL filtering, enabling enforcement of Web acceptable use policies. Download the attached data sheet to learn more.

Symantec Web Gateway gives you better protection, greater control, and easy management of data coming in and out of your network. Learn more in the attached data sheet.

We recently observed a small spam campaign that was targeting random users. The campaign focused on users in India.  

Figure 1. Heatmap of compromised computers related to the spam campaign

The emails contained a malicious attachment, detected as Spyware.Redpill, which is used by the bad guys to steal confidential information.

Spyware.Redpill is not new by any means; back in 2008 we created a signature for Spyware.Redpill to protect users. Redpill was designed to collect information for people wishing to know if their partner had been cheating on them. The name “red pill” was a nod to the Matrix film franchise, the red pill and its opposite, the blue pill were the choice between the blissful ignorance of illusion (blue) and embracing the sometimes painful truth of reality (red).

Opening the attached file will display an error message in order to hide the malicious purpose of the file and trick the user into thinking that the file is corrupted.

Figure 2. Error message displayed when the file is opened

In this particular case, the user might think that nothing happened, but unfortunately the malware has been executed and has already begun to steal information.

In the background the malware installs itself on the compromised computer by creating the following files:

• %ProgramFiles%\[RANDOM CHARACTERS FOLDER NAME]\ad.dll
• %ProgramFiles%\[RANDOM CHARACTERS FOLDER NAME]\[RANDOM CHARACTERS FILE NAME].exe

Moreover, in order to be executed whenever Windows starts it creates the following registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ “[RANDOM CHARACTERS REGISTRY ENTRY]” = "%ProgramFiles%\[RANDOM CHARACTERS FOLDER NAME]\[RANDOM CHARACTERS FILE NAME].exe "

Subsequently, the threat begins to record keystrokes and take screenshots.

The stolen information is sent to an email account hardcoded into the program. In our investigations we found details of the email account used by the attacker to receive the stolen data—for instance it received over 12,000 emails in March 2013. It is clear from this that the people behind this scheme are not looking for information on hundreds of cheating spouses, but are instead after valuable personal information and account details.

What kind information was being stolen?

• Credentials for various social networking accounts
• Bank account details
• Emails written on the compromised computers
• Screenshots of documents

Interestingly the malicious email account also has a backup email address. We have traced that email address to a member of an underground forum where this person was looking to buy email accounts, possibly in order to create and ship new malware variants with different hardcoded credentials built in.

Figure 3. Attacker looking to buy email account

In order to avoid this kind of attack, we recommend that users do not open unknown attachments and make sure that best security practices are followed. Ensure that the most up-to-date software patches are in place, and use the latest Symantec technologies and virus definitions for the best protection against threats.

Hi

i am blogging this because , this KB Article is very hidden in Symantec Tech Note and very difficult to find but very important for Upgrading

And this Document is very Helpful when upgrading to Netbackup 7.5 from 6.5 

Can I control the move of image_header information into NBDB when upgrading to NetBackup 7.5 ?

Prior to NetBackup 7.5  the image header files where located in the following directory.

WINDOWS : <install-path>\VERITAS\NetBackup\db\images\

UNIX :  /usr/openv/netbackup/db/images

During the  upgrade process to Netbackup 7.5,  this information will no longer be kept here,  but instead will be moved into the NetBackup NBDB database.   To ensure the upgrade to NetBackup 7.5 does not take too long,  only a small subset of images will be moved into NBDB during the actual upgrade.  The rest of the images will be moved during the next cleanup job,  after the upgrade is complete.  

OPTION 1:  Before upgrade to NetBackup 7.5

   If you want to choose to move all image header information into the NBDB database :

   Prior to upgrade to NetBackup 7.5 with previous version of NetBackup still installed,  create touch file

            Touch File:  MERGE_ALL_IMAGE_HEADERS

            Windows :  <install-path>\VERITAS\NetBackup\bin\

            Unix :  /usr/openv/netbackup/bin

OPTION 2: Post upgrade to NetBackup 7.5

    Instead of creating the touch file,  run a catalog cleanup manually after the upgrade to start the move of all images into NBDB.

Windows : <install-path>\Veritas\NetBackup\bin\admincmd\bpimage -prunetir -allclients -cleanup

Unix :  /usr/openv/netbackup/bin/admincmd/bpimage -prunetir -allclients -cleanup

OPTION 3: Post upgrade to NetBackup 7.5

   You can use cat_import command to import all image metadata for all clients or individual clients in parallel. 

   To import all clients:

    Windows:   <install-path>\Veritas\NetBackup\bin>cat_import  -all  -delete_source -base <install-path>\NetBackup\db

    Unix :  /usr/openv/netbackup/bin/cat_import -all -delete_source -base /usr/openv/netbackup/db

   To import 1 clients images at a time:

      Windows:   <install-path>\Veritas\NetBackup\bin>cat_import  -client  <clientname>  -delete_source -base <install-path>\NetBackup\db

       Unix :  /usr/openv/netbackup/bin/cat_import -client  <clientname>  -delete_source -base /usr/openv/netbackup/db

In the famous Kenny Rogers song Lucille, a scorned husband confronts his cheating wife in a bar and publicly shames her by reminding her that she “…picked a fine time to leave me Lucille, with four hungry kids and a crop in the field.” (my apologies if that song is now stuck in your head).  While shaming did not work in that song, can it be an effective tool in enforcing security policy?  Surprisingly, the answer may be yes. 

Forbes Magazine just released a study of trends in cyber security and one of the surprising things they found is that people are more concerned about their Facebook or Twitter accounts being compromised than they are about someone getting a hold of their credit cards.  This concern stems in part from the public shame associated with your friends and followers finding out that you have been hacked.  If a hacker gets your credit card information, that is between you and your bank.  If that same hacker gets control of your Facebook page or Twitter feed all of your friends will know about it, and it will probably be one of your friends who tells you about it.

How do you translate shaming into a corporate policy? Mark Harris, of the University of South Carolina, presented a paper at the 2012 Southern Association for Information Systems (SAIS) Conference entitled “Shaming as a Technique for Information Security Policy and Training Adherence”  [PDF].  In it, he argued that some types of shaming can be effective in enforcing IT Security Policy.  As part of his research, Professor Harris described an IT Security Policy violation and surveyed a group of people about their opinions on the harshness of a range of punishments for that violation.  Firing was rated the most harsh, but the surveyed group felt that "A photo of you and others that made the mistake is posted on company bulletin boards and in break rooms” was almost as harsh.  In fact, that version of public shaming was deemed harsher than being demoted and getting written up by a manager. 

Of course, there are concerns associated with engaging in shaming behavior that users consider near equivalent to firing.  But, other forms of peer shaming, such as “A list of those that made the mistake is sent to everyone in the company via e-mail”, were deemed harsh but not in the same realm as firing. Given the increase in the number of successful attacks that start with phishing attempts, finding ways to control user behavior is critical to the success of an organization's security team.  Perhaps more research should be done into shaming techniques.

Taken from : http://security-musings.blogspot.ca/2013/01/symante-o3-cloud-based-single-sign-on.html

Thursday, 10 January 2013

Over the course of the past decade and a half, I have worked with several different "Single Sign-On" or at least "Reduced Sign-On"  Solutions. All from large reputable companies, like IBM, Oracle, Sun, Quest, Microsoft...
 

 

Most of these were limited to one or two authentication types, and relied heavily on infrastructure, placing large Capex and Opex constraints squarly on your shoulders.   Most relied on a client side app to connect to Active Directory, LDAP, or basic auth web services. They would then store your obsfucated credentials in a "Wallet" or local store for seamless authentication to these target apps.  Others were simply "Authenticating Reverse Proxies"  and provided a unified way to aggregate various websites and portals that require authentication.

 

 None provided for a complete holistic end user experience.

 

Enter Symantec with O3:

 

Over the past year and a half, Symantec has been quietly cultivating a sleeping giant. 

Imagine a scenario where you could manage your user's profiles in such a manner that would only expose applications/portals/sites or specific views of those, depending on: 

1. The users' network location  (Corporate - Home - Public Internet )
2. The device the user is connecting from, (Corporate Laptop or tablet, Personal  device, public kiosk)
3. The users own credentials.  (Username / Password, or add 2 factor RSA for apps requiring additional controls.

 Each application exposed would have it's own defined directory store / authentication source including Internal Corporate apps leveraging Active Directory or LDAP, Business Partner applications requiring SAML or true Cloud Services such as Amazon, Workday or SalesForce.

 

Symantec's O3 Cloud Authentication service has virtualized the function of authenticating an end user into a multitude of systems and services.  It provides an authentication gateway to allow you to securely expose internal corporate services and directory stores, and to assign them to user profiles along with very robust connectivity to most of the major Cloud services players!

 

In Symantec words:

"Symantec O3 is a cloud information protection platform that provides context-based access control, information security and information management “as a service” for users of cloud applications and services. It supports any endpoint, including mobile. It provides compliance information for access and information events that supports audits and forensics."

 

 

 

 

  

With a simple B2B VPN connection between your Corporate Network and  Symantec's O3 gateway service you have the ability to authenticate against any application or data store requiring: 

• Kerberos, NTLM, or SPNEGO Integrated Windows Authentication
• Active Directory Federation Services (ADFS)
• OTP (One Time Password) Tokens, such as RSA fobs for 2 factor authentication
• LDAP
• SAML
• HTTP Basic Auth 

Integrating any of these is a straight forward task within the adminstration portal. The Administration portal provides templates and drop downs for an authentication type, and dozens of Cloud Partners are configured "out of the box".

Working with Symantec and their O3 team has been inspiring to say the least.

References:

Secure Cloud Computing - Symantec O3

Single Sign-on for Safe Clouds Adoption:
Symantec O3 Focuses on the Cloud

 

RSA Conference: Symantec inaugurates O3 cloud-based single sign on

 

Symantec O3 Offers Three Layers of Cloud Security | Sci-Tech Today
darkreading.com - single-sign-on-mythbusting

Taken from: http://security-musings.blogspot.ca/2013/02/manage-security-where-data-resides.html

Friday, 15 February 2013

NERD ALERT:  This particular blog is a technical discussion rather than executive roadmapping.  That said, I still look forward to any comments from the Pointy Haired Bosses.

 

As I've ranted... er... discussed in my previous blogs;  we, as an industry, have spent the past two decades building logical security controls at the perimeter where our corporate network interfaces with either the Internet or Business Parner networks.

 

This model, although supported and backed by our friends in Risk/Compliance/Audit, assumes that everything inside those pearly gates is protected. 

 

This is a risk statement that you cannot accept. 

 

  With today's move to virtualization, convergence of Data Center and Cloud Services, and a greater ability for Business Units to outsource/offshore development and hosting of critical applications, the line between Inside and Outside of your perimeter is vanishing.

(Read:  2013: The year to forget everything you know about Perimeter Security!  )

 

Additional threats facing us daily include un-patched and legacy systems, zero-day malware attacks, advanced persistent threats, malicious insider breaches, as well as administrator human error.

 

According to the 2012 Verizon Data Breach Investigations Report , and contrary to popular belief, 94% of all data compromised involved servers.

 

 

 

Moving forward, we must assunme that our internal network has already been compromised, or at minimum is quite vulnerable, and that to protect the corporate data assets, we must move our security controls as close as we can to that data.

  

 

This not as onerous a task as it sounds.  There are many good vendors in this space already, and the field has matured significatly over the past five years.  All commercial solutions are centrally managed, come with a library of out-of-the-box templates, integrate seamlessly with your logging/reporting systems and provide for flexible workflow.

 

 Before we discuss the players and what they bring to the table, lets talk about what we need to do, and how it can be achieved.

1. Prevent Unauthorized Access to critical assets.
2. Prevent Unauthorized  Changes to critical assets even for those with legitimate access.
3. Protect against Zero-Day Malware attacks.

To achieve this you need to have something that manages local security policies across all servers that can provide:

• File Integrity Monitoring
• Process Monitoring
• System Registry Monitoring
• Local Firewall
• Intrusion Detection
• Intrusion Prevention
• Comprehensive Logging
• Security Policy Management

Note: This discussion is completely agnostic to whether a server is physical or virtual. The requirements are identical.

To start, create specific server "roles".  A server role, defines it's function or purpose within your network. A role does not have to be OS specific - Windows/UNIX/Linux all provide for every role in the stack.

 Any particular server could be an Authentication Server such as an Active Directory Domain Controller.  It could be an Infrastructure Server, such as mail, ftp, or DNS.  It could be a Database or File Server.  It could be An Application or Web Server.  

Typically, you will find that any one server may host several roles.  In any case,  you will want to create and apply a consistent Policy Template that will define the protection model for each role. In the template, you would identify resources to protect, such as directories, files, registry keys that are used to configure, maintain, and operate that application. (All commercial products in this space provide hundreds of such templates "out-of-the-box")

Once you have identified the roles, you will want to group your server assets into units, possibly by Line of Business (My line of business depends on these servers), or by Application (this application uses these web servers, these app servers, and this database server), or both.  This way, you can create policies establishing the allowed channels of communication.
 (App1 webservers can only talk to App1 application servers on tcp ports 80 and 443, and App1 application servers can only talk to App1 database servers on tcp port 1433)

 

 

 

Any attempt at communication outside of these rules would be prevented/denied, and result in alerts sent to the appropriate security focal through any of a number of channels (email, snmp, SMS...). 
By putting the security policies locally on the servers, close to the data, you significatly reduce the potential for data exfiltration.  That said, this is not a Data Loss Prevention solution unto it's own, as it is not aware of the context of the data it is protecting, but can provide valuable feeds into your DLP infrastructure.

Of course this would not be complete without talking about the basics of creating a hardened server in the first place.  

• Patch, patch, and patch....
• Disable/remove/rename default administrator accounts - at the OS, Application, and Database layer
• Turn off / Disable / Uninstall all services not required for the role of the server
• Place your Application Server / Database Server files on a separate volume from your OS
• Where possible, enable logging for everything
• Consult your vendor for additional recommendations per server role.

Examples of like Server Roles:  (Apologies if I left out your personal favorite!)

Authentication and Directory Services Servers:  

• Active Directory Domain Controllers  / LDAP Servers
• Radius Servers / Reverse Proxy
• NIS/Yellow Pages servers / RACF/ACF2
• Domino Name and Address Book
• VPN / Access Gateways (Citrix) / RSA 2 factor

Infrastructure Services:

• DNS / DHCP / NTP
• Mail Services SMTP, POP/IMAP, Exchange Server, Domino
• FTP / SFTP / ESB

File and Database Servers:

• Microsoft SQL / Oracle / DB2 / Sybase
• MySQL / PostgreSQL / NoSQL
• CIFS / SBM / Samba

Application Servers:

• CRM / ERM / SCM
• Oracle / WebSphere / JBoss / Tomcat /.Net /Weblogic

Web Servers:

• Microsoft IIS / Apache / Zeus

 

 So?  Who are the players in this field? 
 

Symantec Critical System Protection   - To date, Symantec CSP provides the widest coverage for server roles across the most Operating Systems - Both Physical and Virtual.  Their System Protection Console cleanly integrates their Security and Malware product suites into a single pane of glass.

TripWire Enterprise File Integrity Monitor - TripWire has been the industry leader in this space for over a decade, and is perfect for small to medium enterprises.
McAfee File Integrity Monitor - McAfee provides a suite of tools that are well integrated for protecting Windows Based Servers and Databases..
IBM Tivoli Virtual Server Protection - VMware ESX protection suite.

SafeNet Data Protection Suite
NewNetTechnologies NNT
Splunk Change Monitor

Cimtrak File Integrity Monitoring

nCircle File Integrity Monitoring

 

Further Reading:

http://www.infosecurity-magazine.com/view/30067/51-of-uk-networks-compromised-by-byod
http://www.novell.com/docrep/2010/03/Log_Event_Mgmt_WP_DrAntonChuvakin_March2010_Single_en.pdf
http://www.acunetix.com/websitesecurity/webserver-security/
http://www.symantec.com/page.jsp?id=protection-center
http://msmvps.com/blogs/ulfbsimonweidner/archive/2007/09/25/protect-objects-from-accidential-deletion-in-windows-server-2008.aspx
http://eval.veritas.com/mktginfo/enterprise/white_papers/ent-whitepaper_protecting_active_directory.pdf

http://technet.microsoft.com/en-ca/magazine/2006.05.smarttips.aspx

http://msdn.microsoft.com/en-us/library/ff648657.aspx  

 http://www.sans.org/reading_room/analysts_program/mcafee-server-protection-june-2010.pdf
http://www.newnettechnologies.com/tripwire-alternative.html?gclid=CO3A8cn1uLUCFShgMgodLloAtw

This month, Symantec is celebrating Earth Day by exploring our commitment to environmental responsibility. Today we hear from Kelly Shea, Symantec's global sustainability program manager, on the successful LEED certification of our 20th office facility.

With buildings accounting for 40 percent of global energy use and over one third of global greenhouse gas emissions, we recognize our responsibility to play a role in decreasing these impacts.

We are therefore very proud to announce that we have just LEED-certified our 20th facility! This certification, for one of our Mountain View, CA buildings, is part of Symantec’s ongoing goal to obtain LEED and Energy Star certifications for all owned or long-leased facilities. This 20th certification brings our green building square footage to approximately 2.5 million square feet (79 percent of our owned real estate portfolio) and 59 percent of our owned or long-leased facilities.

LEED – an international program of the United States Green Building Council (USGBC) – is the most widely recognized and widely used green building program in the world.  The standard guides new construction and renovation, and addresses impacts across the entire lifecycle including energy efficiency, GHG emissions, operational waste, tenant health and safety, and more.

In comparison to the average commercial building, LEED certified buildings:

• Consume 26 percent less energy
• Have 13 percent lower maintenance costs
• Have 27 percent higher occupant satisfaction
• Emit 33 percent fewer greenhouse gas emissions

Through our participation in LEED we join business leaders worldwide who recognize the need for and benefits of green building. Today LEED certification includes nearly 50,000 projects, comprising more than 8.9 billion square feet of construction space.

It is also an extremely valuable tool as it enables our team to use a common environmental language, creating consistency and providing a platform for effective measurement and continuous improvement.  Certification is part of our goal to benefit our employees, the environment, and our bottom line:

• Employees: Environmentally healthy buildings and productive work environments with more natural light, fresh filtered outside air, fewer chemicals (due to sustainable materials), etc.
• Customers: Decreases our overall impacts, reducing our customer impacts and making us a more sustainable choice over competitors
• Bottom line: LEED facilities provide productive, healthy work environments for employees, which contributes to increased business sales. Additionally, more efficient operations reduces operational costs, directly impacting our bottom line.

LEED is a very challenging certification which takes strong leadership and teamwork. As sustainably manager, I oversee the green building strategy and processes while our facilities project team and local facilities managers implement these challenging projects. Karminder Singh, Senior Project Manager, led this particular certification and was central to its success.

We look forward to bringing you more news on our progress towards 100 percent LEED certification!

Kelly Shea is Symantec's Global Sustainability Program Manager.

You’ve seen the headlines and heard your friends buzzing about it, but have you checked out Reddit? Everyone from U.S. President Barak Obama to Microsoft founder Bill Gates is using it to engage, answer questions and promote initiatives. But have you considered how to incorporate it into your social media program as a Symantec partner?

If you are unfamiliar with Reddit, it is an online social media community where users vote on content. There are sub-communities, or subreddits, that any user may create that are independent and moderated by a team of volunteers. Some subreddits cater to a more technical audience – such as r/sysadmin and r/vmware subreddits. Reddit users submit links to online content and vote on which stories and discussions are important. Anyone can join Reddit. Anyone can participate.

Why should you care? Last month alone, Reddit had 55,024,811 unique visitors from more than 175 different countries, according to the company’s page. On March 23, 2013, Reddit powered 4,206 active communities consisting of more than 2,094,953 logged in redditors casting over 16,121,282 votes. It’s a growing platform with an engaged technical audience.

One of the most popular Reddits is IAmA ("I am a"), where a user can post "AMAs" (for "Ask Me Anything"). AMAs are open to all Reddit users and use the site's comment system for both questions and answers.

Recently, Symantec’s Backup Exec Product Management and engineering virtualization specialists held a Reddit AMA. The team knew its audience was active, technical and not interested in slick marketing or advertising campaigns—they want to talk to real people, get real answers and engage. Reddit was designed for this type of interaction. The team believed that for a technical brand like Symantec, a Reddit AMA would give credibility and improve the “brand” among the IT geek elite.

According to Backup Exec’s Matt Stephenson (aka @PackMatt73), “The most important thing was the direct line into our users. The transcript has been a topic in meetings with Product Marketing, engineering and QA. The issues brought up have been discussed in internal conversations, but getting confirmations from the ‘wild’ is helpful.”

Like other social communities, Reddit requires a commitment and isn’t for everyone. But, if you’re looking to connect with a technical audience to understand their needs, what they’re looking for and how you can help, you might want to check it out.

Here are a few recommendations on how to use Reddit to connect with your customers:  

• Frequent Reddit. Join the community, ask questions and participate in AMAs. Once you’re ready, start your own AMA. In Reddit, like in other social communities, the more you give, the more you get out of your experience. Also, it’s best to engage in others’ AMAs before you can start your own.
• Be real. It needs to feel like a real person (or people) is participating in the AMA, not a robot(s). Avoid using marketing speak or jargon. Involve knowledgeable people who can respond quickly. Gather your company’s experts in a conference room and coordinate responses to questions together.
• Be prepared. You must be able to answer—or acknowledge—all questions. If you don’t know the answer, it’s okay. Don’t try to change the conversation to the topics you want to focus on—this has backfired on many individuals and brands as they look to promote only a specific project, not talk about past issues. Don’t believe me? Check out what happened to U.S. actor Woody Harrelson.

Have you used Reddit? Will you? Share your experiences with the Symantec partner community on our Facebook, Twitter or LinkedIn group and page.

__________________________________________________________________________________________________________________________

See the complete Symantec Partner Social Media Series.

シマンテックは最近、ランダムなユーザーを標的にする小規模なスパム活動を確認しました。主に狙われているのは、インドのユーザーです。

図 1.スパム活動に伴って感染したコンピュータの分布図

電子メールに悪質なファイルが添付されており（Spyware.Redpillとして検出されます）、攻撃者はその添付ファイルを利用して個人情報を盗み出します。

Spyware.Redpill は決して新しいマルウェアではありません。シマンテックでは、Spyware.Redpill からユーザーを保護するためのシグネチャを 2008 年に作成しています。Redpill が情報を引き出そうとする相手は、配偶者が浮気しているかどうかを知りたいと思っているユーザーです。「Red Pill（赤い薬）」という名前は、映画『マトリックス』シリーズにちなんだもので、赤い薬を飲むか青い薬を飲むかというのは、何も知らずに至福の幻想世界に生きるか（青）、それとも痛みを覚悟して真の現実と向き合うか（赤）という二者択一を意味しています。

添付ファイルを開くとエラーメッセージが表示されますが、これはファイルの悪質な意図を隠蔽し、ファイルが破損していると思い込ませるための手口です。

図 2.ファイルを開いたときに表示されるエラーメッセージ

この例でも、ユーザーは何も起きていないと思いがちですが、実際にはすでにマルウェアが起動して、情報を盗み始めています。

マルウェアは、バックグラウンドで侵入先のコンピュータに自身をインストールします。そのときに作成されるのが、以下のファイルです。

• %ProgramFiles%\[ランダムな文字のフォルダ名]\ad.dll
• %ProgramFiles%\[ランダムな文字のフォルダ名]\[ランダムな文字のファイル名].exe

さらに、Windows の起動時に実行されるように、以下のレジストリエントリも作成します。

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"[ランダムな文字のレジストリエントリ]" = "%ProgramFiles%\[ランダムな文字のフォルダ名]\[ランダムな文字のファイル名].exe"

続いて、Redpill はキーストロークの記録とスクリーンショットの取得を開始します。

盗み出された情報は、プログラムにハードコード化されている電子メールアカウントに送信されます。シマンテックの調査により、盗み出されたデータの受信に使われている電子メールアカウントの詳細が明らかになりました。たとえば 2013 年 3 月には 12,000 通を超える電子メールを受信しています。こうした事実からも、この攻撃の背後にいるグループが、浮気をしている数百人もの配偶者の情報を探しているわけではなく、重要な個人情報や銀行口座情報などを狙っていることは明白です。

盗み出される情報の種類

• 各種のソーシャルネットワークアカウントのログイン情報
• 銀行口座の詳細情報
• 侵入先のコンピュータで作成された電子メール
• 文書のスクリーンショット

興味深いことに、悪質な電子メールアカウントにはバックアップ用の電子メールアドレスも用意されています。その電子メールアカウントを追跡すると、アンダーグラウンドフォーラムのメンバーにたどり着きますが、このメンバーは電子メールアカウントを購入しようとしていました。おそらく、別のアカウントをハードコード化した新しい亜種を作成し、拡散しようとしていたのでしょう。

図 3.電子メールアカウントを購入しようとしていた攻撃者

この種の攻撃を防ぐために、不明な添付ファイルは開かないようにし、基本的なセキュリティ対策（ベストプラクティス）に従うことをお勧めします。また、ソフトウェアの最新パッチをインストールすると共に、最新のシマンテック製品とウイルス定義をお使いいただくことで、これらの脅威から保護することができます。

* 日本語版セキュリティレスポンスブログの RSS フィードを購読するには、http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/jaにアクセスしてください。

I have been working with a large media company over the past twelve months. I have been assisting in showing which parts of their business Symantec can help them better deliver their Service levels.  The organization in question has a very large estate comprising like most of both virtual and physical and the normal split of Linux and Solaris. For their new applications Linux is the default building block. Solaris is used for the high performance compute as and when needed as an exception. They have 4 service levels ranging from 4 x 9999 to 1 x 9. I set about mapping our Business Continuity products to their SLA’s. For each of the SLA’s I needed to assume both a virtual and a physical solution and list our advantages over our competitors. I sometimes forget what a comprehensive portfolio we have because I am very familiar with it. But I was able to suggest solutions ranging from a one node cluster or application HA all the way up to Storage Foundation for Oracle RAC and campus clusters.  I had to dig into to some of the requirements and understand that the SLA’s are guidance and typically these must be beaten.

On initial inspection I had thought there may be little we could offer until we got into the higher 9’s for criticality. But after discussing this with the teams even throughout the lower levels there was an appetite for automation for simplicity and standardization. I have had to remove the SLA table and replace the customer name, but the document is attached if anyone is interested.

How to Get Updates From Symantec >Symantec keeps you up to date with email subscriptions to support content.  

Well i got a lots of help from this TECH Note , As i need HOT FIXES OF New Version 7.5.0.5 and i donot know the link, Then Symantec Helps me

Thanks a lot Symantec 

NOTE: If you are experiencing this particular known issue, we recommend that you Subscribe to receive email notification each time this article is updated. Subscribers will be the first to learn about any releases, status changes, workarounds or decisions made.

7.5 Late Breaking News

Next week will be very busy for the MSP team here at Symantec.

If you're heading to Varnex please join us for any of the three breakout sessions where we'll discuss the 4 pillars of the MSP program in detail.   If you miss the session come talk to us at the exhibit where we'll be demoing the Partner Management Console.    More information can be found at the Varnex event.

If you're in the Boston area meet us at the ASCii event Wednesday and Thursday.  We'll present during one of ASCii's keynotes on the MSP program as well.    registration https://symantecevents.verite.com/28684

Also in Boston on Wednesday is our 3 hour MSP training.  Here's the agenda:

• Accidental Entrepreneur, how it relates to managed services
• Industry analysis,  MSP business continues to grow
• Symantec MSP program, 4 pillars and benefits to partnersAnne Stobaugh – Brave New World – changing mindset from VAR to MSP model
• PMC demo
• Brave New World of Managed Services : Best Practices
• Proactive Data Protection - guide to rolling out Symantec security and backup as a service
• Malicious Activity Assessment, overview
• 30,60,90 plan, action items

LiveUpdate's task is to keep Backup Exec fit, healthy, and up to date.

Times to run LiveUpdate:

For new installations:

When having issues with Backup Exec

Periodically during scheduled times

When upgrading Backup Exec:

• Run LiveUpdate following a new installation.

Note: Keep checking for LiveUpdates until LiveUpdate is completely up to date and there isn’t any updates left to install (Reboot as necessary).

• Run LiveUpdate before and after a Backup Exec upgrade.
• Schedule LiveUpdate at convenient times when there aren’t any jobs scheduled.  The Backup Exec services are restarted during updates.

Note:  Avoiding SQL Conflicts: When Backup Exec is installed use Backup Exec own inbuilt SQL instance (SQL Express) to host the Backup Exec database.  Do not use a SQL instance that is used in production. When updates are ran LiveUpdate requires several restarts of the Backup Exec services including the SQL Backup Exec service.

Running LiveUpdate: 

• Make sure no jobs are running
• In the Backup Exec Console click on the Backup Exec Button (located in the upper left corner)
• Select LiveUpdate.
• In “Welcome to LiveUpdate” click ‘Next’ After searching for updates that are available the updates will be displayed when the list is expanded 
• click Next to install. 

Note: Find information about available Hotfixes and Service Packs at the Technical Support Website in the Downloads section. 

     Following Live Updates:  Push-install the Agent for Windows to remote computers after you install any live     

     updates on the Media server to keep the remote computers updated to the same level.

Install the Agent for Windows on Remote Servers (Push Install from the Media Server)

2 Methods:

I .

• Go to Backup and Restore tab
• Select Add (from the ribbon menu) - Select Microsoft Windows computer - click Next.
• Select 'Allow Backup Exec to establish a trust with the servers.' - click Next   .
• Browse / Add a server name(s) - click Next.
• Select/Add a system logon account - click Next.
• Select "Upgrade the Symantec Backup Exec Agent for windows to the current version automatically"  (if Agent for Windows is not installed/up to date).

Note: 'Restart the remote computer automatically after installing the Symantec Backup Exec Agent for Windows when a restart is required' can be selected in case a down time is planned for the target server(s).

• Click on Install 

II.

On the top left of the console click on the Backup Exec button :

• Go to Installation and Licensing - select Install Agents and Backup Exec Servers on Other Servers. On the Remote Computers section - select Add  

• Choose Add a Single Computer (if remote agent needs to be installed on only one machine).

OR

• Choose Add Multiple Computers with the Same Settings (to select multiple servers for remote agent installation).
• On the Select the Remote Product screen - select Agent for Windows and click Next.
• Enter the Remote Computer name or select Browse Remote Computers to select a remote machine. Enter the Remote computer credentials (type the user name, password and domain of the account that has administrative rights on Server).      Click Next.
• The destination location for Remote Agent install files can be changed under Destination Folder section if required.  Click Next.
• On the Remote Agent Publishing screen:  Check the box which says 'Enable remote agent to publish the IP address and name of the remote computer and the version of the Remote Agent to media server'.
• If the Media Server name or IP address (or both) isnt already there, click Add and enter then OK.

Click Next.

Note: You can check the checkbox to ‘Save the server list for future remote install sessions’.
Click Next when the screen shows ‘Ready to install the Agent for Windows’ beside the server name(s).

Click Install to begin the installation.

 Local (manual) installation - When an automated (push) installation of Agent for Windows fails - steps to perform a local installation.

Two ways to do a local Installation:

2 Methods:

I .

• Copy the appropriate RAWS32 (32 bit) or RAWSX64 (64bit) and MSXML folder from the Media Server to the remote computers local drive.
• Note: The default path for the above mentioned folders is 'C:\Program Files\Symantec\Backup
• Exec\Agents'
• Go to the remote computer and open the RAWS32 or RAWSX64 directory which is copied on the remote server. Run the Setup.exe file.

Note: Turn off User Access Control (UAC) for Windows 2008, Vista or 7.
It is recommended to right-click on Setup.exe file and select 'Run as Administrator' to avoid any access issues during the installation process.

• Click Next on the Welcome screen.

Select Local Install and click Next.
Select 'Agent for Windows' - click Next.

Note: The destination location for Remote Agent install files can be changed if required by clicking on the 'Change' button.

On the Remote Agent publishing screen:

• Check the box which says 'Enable remote agent to publish the IP address and name of the remote computer and the version of the Remote Agent to media server'.
• Click Add and enter the Media Server name or IP address (or both) and press OK.

Click Next.
Click Install to begin the installation.

Important: After a manual Remote Agent for Windows install it is necessary to establish a trust with the Backup Exec Media server.

Note: The server needs to be added if it is not listed in the Servers list under Backup and Restore tab

• Open Backup Exec 2012 console - go to Backup and Restore tab.
• Locate and right-click on the desired server name.
• Select Establish trust.

OR

II.

Install from the Backup Exec 2012 DVD or other installation source.

•  From the installation source run Browser.exe
• Select Install Products from the Home menu.
• Expand Backup Exec Agent for Windows and select Install.
• Click Next and select Local Install for the remote agent.
• The destination location for Remote Agent install files can be changed under the Destination Folder section if desired - click Next.
• Check the box which says 'Enable remote agent to publish the IP address and name of the remote computer and the version of the Remote Agent to media server'.
• Click Add and enter the Media Server name or IP address (or both) and press OK.
• Click Next to continue with the installation.
• Click Install to begin the installation.

Important: After a manual Remote Agent for Windows install it is necessary to establish a trust with the Backup Exec Media server.

Note: The server needs to be added if it is not listed in the Servers list under Backup and Restore tab

• Open Backup Exec 2012 console - go to Backup and Restore tab.
• Locate and right-click on the desired server name.
• Select Establish trust.

References:

 Backup Exec 2012 Agent for Windows Installation

Big Data is an emerging, evolving technology. It’s the new thing holding the promise to help make sense of the terabytes, petabytes, and exabytes of data being generated. In today’s 24 hours a day, seven days a week information driven economy, how can they quickly find and extract those key strategic nuggets of data to make their business more agile, make better business decisions, and give them that next competitive advantage?

Big Data today, as expressed by many, is simply the daily challenge virtually every enterprise IT organization faces when managing the protection of exploding data growth within shrinking backup windows, growing compliance requirements, and working hard to transform their data centers. Whether it’s growing multi-terabyte databases, data warehouse appliances bursting at the seams, or simply 100s of millions, or billions of files that need both fast protection and recovery, big data is Big

Data and in its many forms and applications, needs to be protected.

But like any amount of information, what is deemed necessary to back up?  How much of it do you need to protect? Can you even back it up?

Come to Symantec Vision 2013 in Las Vegas the week of April 15th, and in our session “Is Big Data too Big to be Backed Up”, we will challenge school of thought saying this is not possible, and will show how the NetBackup platform can help you secure all of the data, regardless of the volume, velocity and variety. Watch demonstrations to see increased performance, lower cost and simplified backup of large data sets. In addition, hear about NetBackup being the first backup vendor certified for backing up SAP HANA, an In Memory Database (IMDB) appliance capable of ultra-high performance for real-time analytics, generating large amounts of data that need protection.

The session time is:

• Tuesday April 16th at 5:00-6:00pm PST

For more details on this session and others, please visit our Vision Session site at:

Symantec Vision 2013 Session Search Catalog

Action Plan:

1. This week:  Attend our session
2. 30 days:  Stay tuned for collateral and information about what’s coming in NetBackup 7.6.  Look for our new collateral on our new 5030 and 5230 appliances available May 6th   
3. 60 days: Engage your Symantec Sales and Specialist teams for discussions and lunch and learns around how NetBackup for SAP HANA can benefit your Big Data strategy.

Not attending Vision?  There’s still time to register here:

http://www.symantec.com/vision/registration/?locid=las_vegas

More Information on NetBackup 7.5:

http://www.symantec.com/netbackup

www.netbackupdemo.com

http://www.symantec.com/backup-appliance

https://www-secure.symantec.com/connect/downloads/netbackup-activities-vision-2013-las-vegas-nv-april-15th-18th

Enterprises have been going through numerous transformations over the years to save on storage costs, energy costs, administrative overhead, mistakes…anything that lowers their risk and responsibility as well as overall CapEx and OpEx.  Many are now looking to offload some of their data center responsibilities to service organizations, while others are moving not just some, but ALL of it to the cloud. 

If you’ve thought about moving your data to the cloud, you’ve probably asked yourself the questions " How will I get my data back?” and “Will I be able to protect my applications in the cloud?”. NetBackup can help.  Why should you think about NetBackup and the cloud?

• Industry trends show cloud as a popular emerging technology that many are adopting for reasons mentioned above
• NetBackup’s platform approach for cloud can help solve your fundamental data protection challenges
• NetBackup offers unified integration with industry-leading cloud storage providers Amazon Web Services (AWS), AT&T, Nirvanix, and Rackspace

Come to Symantec Vision 2013 at the MGM Grand in Las Vegas the week of April 15th, and learn more about NetBackup’s cloud story.  In this session “Get Your Head in the Cloud with NetBackup”, we’ll explain how end users and service providers can confidently move to the cloud with NetBackup. Learn about our solutions that help move protected data to the cloud, protect applications in the cloud and allow service providers to provide comprehensive data protection to their customers. The session time is:

• Wednesday April 17th, 3:45-4:45pm PST

For more details on this session and others, please visit our Vision Session site at:

Symantec Vision 2013 Session Search Catalog

Action Plan:

1. This week:  Attend our session
2. 30 days:  Stay tuned for collateral and information about what’s coming in NetBackup 7.6.  Look for our new collateral on cloud integration and features within the cloud.
3. 60 days: Engage your Symantec Sales and Specialist teams for discussions and lunch and learns around how NetBackup cloud features and partnerships can benefit your business.

Not attending Vision?  There’s still time to register here:

http://www.symantec.com/vision/registration/?locid=las_vegas

More Information on NetBackup 7.5:

http://www.symantec.com/netbackup

www.netbackupdemo.com

http://www.symantec.com/cloud-storage-backup

http://www.symantec.com/backup-appliance

https://www-secure.symantec.com/connect/downloads/netbackup-activities-vision-2013-las-vegas-nv-april-15th-18th