Java の脆弱性は、サイバー犯罪者（悪用ツールキットの作成者）の間で常に悪用の対象となってきました。Java はオペレーティングシステムやブラウザの種類を超えて動作し、大量のユーザーに感染させられる可能性が非常に高いためです。

4 月 16 日に Oracle 社は、サポート対象の多数の製品で見つかった脆弱性に対処する 2013 年 4 月版の Java Critical Patch Update（CPU）をリリースしました。興味深いことに、それらの脆弱性のひとつ CVE-2013-2432は、この翌日に公表され、続く 4 月 20 日に Metasploit の概念実証が公開されています。

悪用ツールキットの作成者は、一般に公開されたこの脆弱性をさっそく悪用し始めています。現在確認されているのは、Redkit と Cool 悪用ツールキットが今回の新しい Java 脆弱性を利用するケースですが、その他の悪用ツールキットにも波及するものと予測されます。

Redkit と Cool 悪用ツールキットを使ってこの脆弱性を悪用する攻撃を遮断するために、以下の侵入防止シグネチャ（IPS）が提供されています。

• Web Attack: Suspicious Executable Image Download)
• Web Attack: Cool Exploit Kit Website 3
• Web Attack: Malicious Java Download 14
• Web Attack: Java CVE-2013-0431 RCE
• Web Attack: Red Exploit Kit Website
• Web Attack: Java JMX RCE CVE-2013-0422
• Web Attack: Java CVE-2013-2423 RCE 2

シマンテックのウイルス対策技術では、これらの悪質なファイルは Trojan.Maljavaとして検出されます。

現在この脆弱性は重大度が高いと考えられているので、Oracle 社からリリースされている Java Critical Patch Update を適用することをお勧めします。また、上記のように、脅威を未然に検出する新しい IPS シグネチャがリリースされていますので、シマンテックのセキュリティ製品を更新して最新のセキュリティコンポーネントをインストールすることもお勧めします。ただし、ソフトウェア更新やパッチに偽装するマルウェアに注意して、パッチは必ず公式 Web サイトからダウンロードしてください。

* 日本語版セキュリティレスポンスブログの RSS フィードを購読するには、http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/jaにアクセスしてください。

寄稿: Avdhoot Patil

フィッシング詐欺師は、混迷の続くシリア情勢を依然として悪用しています。メッセージは書き換えられていますが、使われているのは定番のフィッシング用テンプレートです。3 月には、以前のフィッシングサイトで確認されたのと同じ、湾岸諸国の組織の Web サイトが偽装されました。ただし、偽装の内容は、シリアの反対運動を支持するものではなく、シリア国民を支援する国連の計画です。フィッシングページはアラビア語で書かれており、サイトは米国のテキサス州ダラスに置かれたサーバーでホストされていました。

つい最近も、フィッシング詐欺師はシリア現政権を糾弾してユーザーを誘導しようとしましたが、今回は特に、バッシャール・アル・アサド大統領が利用されています。シマンテックが確認したフィッシングサイトには、シリア大統領を戦争犯罪人として糾弾することに賛同するよう求めるメッセージが、アラビア語で書かれています。そこに、賛同するか賛同しないかを投票するオプションがあり、投票できるのは 1 回だけという注意書きまでありました。
 

図 1.バッシャール・アル・アサド大統領の糾弾に賛同するかどうかの投票
 

賛同するオプションを選択すると、次のページでは、投票を送信して有効票として認識させるために、4 種類の電子メールサービスプロバイダから 1 つを選択するよう求められます。
 

図 2. 投票するために電子メールサービスプロバイダを選択
 

いずれかを選択すると、その電子メールサービスプロバイダのログインページに偽装したフィッシングページにリダイレクトされます。ログイン情報を入力すると、フィッシングページから確認ページにリダイレクトされ、投票が正常に処理されたことと、結果が 2013 年 4 月 5 日に発表されることが伝えられます。不幸にも、このフィッシングサイトに騙されたユーザーは、個人情報を盗まれ、なりすまし犯罪に使われてしまいます。
 

図 3.投票の確認ページ
 

フィッシング攻撃を防ぐためにできる限りの対策を講じることを推奨します。

• 電子メールメッセージの中の疑わしいリンクはクリックしない。
• 電子メールに返信するときに個人情報を記述しない。
• ポップアップページやポップアップ画面に個人情報を入力しない。
• 個人情報や口座情報を入力する際には、鍵マーク、「https」の文字、緑色のアドレスバーなどが使われていることを確かめ、その Web サイトが SSL で暗号化されていることを確認する。
• ノートン インターネットセキュリティなど、オンラインフィッシングを防止するセキュリティソフトウェアを頻繁に更新する。

* 日本語版セキュリティレスポンスブログの RSS フィードを購読するには、http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/jaにアクセスしてください。

For people that have used Enterprise Vault to archive Exchange environments sometimes introducing another aspect of Enterprise Vault, such as File System Archiving, requires them to learn a few new tricks. For example when, and how items that are archived are turned in to placeholders. These are the FSA equivalent of a shortcut.

In lab environments it's common to have the Vault Store set to not keep safety copies. But in a production environment it is recommended to have the safety copy setting to 'After Backup'. This means that the items when archived, aren't immediately turned in to 'shortcuts'.

It's also worth remembering that in the FSA world there is no need to worry about MSMQ. That's not used for passing information between stages of the archiving process.

For FSA at a high level the steps are this:

Do archiving run

Allow a reasonable sized window to get lots of files archived (that of course is open to debate!)

Do Backups

Start backups by ..

*** Enter backup mode for Vault Store and Indexes
*** Backup DB's, index volumes, and Vault Store Partition data
*** Exit backup mode

Another Archiving Run

NEXT archiving run those items which were archived, and secured (ie backed up) will then be turned in to shortcuts/placeholders along with data which will then be archived.

Two Run Deal?

So you can see it's a two-run deal with FSA. During the archiving run things are in fact archived, but aren't turned in to placeholders because of the 'safety copy' setting.

In my test, I created a file called testfile.txt with just some text in it. When I do an archiving run the resulting report file shows:

CREATESHORTCUTIMMEDIATELY ShortcutNotCreated

But remember the item HAS been archived. When the task runs the first time you'll also see 'ARCHIVE' 'Archived'

When the task runs the next time after you've done a backup, you'll see 'ARCHIVE' 'ArchivedBackedUp', and then you'll see CREATESHORTCUTIMMEDIATELY followed by 'ShortcutCreated'.

Remember the thing you're backing up in order to work through this process is the Vault Store partition data, not the target file server.

I. BACKGROUND:
We have been receiving a few scattered cases of outbreaks from a file labeled snkb00ptz.exe or snkb0ptz.exe, but it seems to be on the rise.

It's normally considered poor troubleshooting to use the file name for any type of identification of a threat, but recent examples have made this practical. Even though these files were detected as many different threat names and families (Trojan.gen, w32.IRCBot.NG, Downloader, etc), the cases all reported the same behavior and symptoms.

After some additional investigation, Symantec Security Response has broken out detection for W32.Inabot. That's short for the Insomnia IRC bot. More information is available from the makers of this threat in their manual, here: http://pastebin.com/dvpu8Zwb

For those of you familiar with W32.Changeup, much of this threat's behavior should seem familar.

II. THREAT DETAILS: Note this section is being updated with new information as we find it. (BN)

• Creates the following registry entry so that it runs every time Windows starts:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM KEY]" =
"%UserProfile%\Application Data\[RANDOM CHARACTERS FILE NAME].exe"

• Gathers information from the compromised computer and sends it to the remote attacker.
• Perform the following actions:
  • Spread itself through removable drives
  • Spread itself through network shares
  • Download and execute other malicious files
  • Perform distributed-denial-of-service (DDoS) attacks through UDP or TCP flooding

Known Aliases:

• Win32/Dorkbot.AM [Microsoft]

How it spreads: Note this section is being updated with new information as we find it. (BN)

• W32.Inabot uses AutoPlay (autorun.inf) files to launch remotely. 
• W32.Inabot copies itself to open shares, hides legitimate folders, and then imitates folders in the share.
• W32.Inabot current iteration does not appear to be also using vulnerabilities to spread.

Common file names:

• snkb00ptz.exe
• snkb0ptz.exe

Communication for the current w32.Inabot campaign:

• e.eastmoon.pl
• gigasbh.org
• gigasphere.su
• h.opennews.su
• o.dailyradio.su
• photobeat.su
• s.richlab.pl
• uranus.kei.su
• xixbh.com
• xixbh.net

Symantec Endpoint Protection:

Antivirus Signatures

• W32.Inabot
  W32.Inabot!gen1

Intrusion Prevention System

• TBD

Applying the 5 Steps of Virus Troubleshooting to a W32.Inabot OutbreakAKA
Inabot Battle Plan

Step 1. Identify the threat

• See above, but don't guess. Submit the files if you're not sure.

Step 2. Identify infected machines:

• Machines with Auto-Protect alerts should be scanned with up-to-date definitions.
• The entire network needs to be audited for unprotected machines, out of date machines, and infected or likely infected machines.
• Traffic on the ports or to known W32.Inabot domains is a good indicator of a potentially infected machine. See W32.Inabot
• Protecting and managing fileservers is often the key to solving any outbreak scenario. - unprotected NAS devices are at risk!

Step 3. Quarantine the infected/unprotected/under protected machines: 

• Unprotected and under-protected machines need to be removed from the network until cleaned and protected.
• Unprotected machines should be returned to the network only after being protected, checked for suspect files, and scanned clean.

Step 4. Clean the infected machines:

• Infected machines need to be scanned clean. Safe Mode is not necessary, just a basic Full System Scan.
• Don’t forget file servers. This bears repeating.
• Folders may have to be manually renamed or unhidden
• These changes cannot be done as part of the automatic repair routine of Endpoint, as many users have intentionally hidden folders or disabled automatic Windows Update.

Step 5. Prevent future outbreaks:

• AutoPlay is a spreading mechanism for thousands of worms and should be disabled. Microsoft has moved to this position as well.
• An “Open Share” is any share that does not require a password to access. Password-restricting shares can slow or stop a worm like this in their tracks.
• Remove write-access on shares from users not needing this level of access.
• Maintain a strict patching regimen. Inabot and threats like it often add new capabilities in response to new vulnerabilities.
• Infected customers should block the Command and Control (C&C) servers or they quickly will become re-infected with new variants.
• Upgrade to SEP 12.1 with SONAR and Download Insight

It's well-known the built-in Administrator account is windows 7 a free account which has full access and permission on the pc, and won't be motivated by UAC. Unlike the windows XP administrator account, this administrator account in windows 7 is hidden or disabled automatically. If you wish to make use of this default administrator account, you are able to enable it via command prompt the following.

* Let the hidden administrator account

1. Sign in to windows together with your regular user account.
2. Click Start and kind cdm within the text box, and press Enter. Then open an order prompt in administrator mode by right-clicking and selecting Run as administrator.
Note: When motivated to permit the Command Processor to operate, click "Yes".
3. Once the command prompt seems, type the next command onto it and press Enter.
internet user administrator /active:yes
4. You will notice a note the command completed effectively. Should you log out, you'll now begin to see the Administrator account around the windows 7 logo design screen.

Note: If you wish to disable the default administrator account in windows 7, you may also use command prompt to attain it.
Make certain you're drenched on as the regular user account, after which open webmaster mode command prompt as above. Type the next command:
internet user administrator /active:no

* Password Safeguard the Administrator Account

Even though the administrator account is enabled, it's not password protected. It's highly recommended that you ought to give a password for this account now. It'll only set you back a couple of seconds.
1. Log onto the administrator account without password.
2. Open User Accounts by clicking the beginning button, clicking User Interface, clicking User Accounts and Family Safety, after which clicking User Accounts.
3. Click Produce a password for the account to include a windows 7 administrator password.

Tip: Be sure to produce a windows 7 password totally reset disk to just in case that you simply cannot recall the administrator password.
Additionally to make use of command prompt, you may also active the hidden windows 7 administrator account through Local Customers and Groups or Local Security Policy, which we'll discuss in other articles.
In addition, should you didn't remember windows 7 password by accident, you'll be able to get windows password unlocker, a helpful password recovery windows 7 tool for customers to totally reset their forgotten or lost windows password, which will help you produce a password recovery DISK, Compact disc/DVD or USB memory stick is supported.

Windows 7 password recovery is really not a big problelm,there are many vedio tutorials on youtobe that teach you how to reset windows 7 password.
 

The backups have begun to fail consistently with the following error:
Error bpbrm (pid=16758) db_FLISTsend failed: system call failed (11)
 

I have found that the directory, /opt/openv/netbackup/db/images, is pegged at 100%. What suggestions might you have to recover from this situation?

Thank you,

Russ 

Recently, I discovered a back door Trojan horse program that does not work on Microsoft Windows XP. I would like to present some of the details of this threat, especially as the malware author encoded a special trick into the functionality of the Trojan. The trick appears to have been designed to allow the threat be used in targeted attacks.

The fseek function

In this threat, the author uses the fseek function, which is unusual as it is normally used to process data. For example, if the program reads 100 bytes of data from the top of the file, the fseek function process is used to move the 100 bytes.

Figure 1. The fseek code trick used by the malware

However, in the case of this Trojan, there are three functions that continue in a loop:

1. Append one string to another string (strcat)
2. Move zero bytes from the end of the file (fseek)
3. Split a string into tokens (strtok)

Usually, code reads or writes data after the fseek function, but in this case this process does not happen. It is also strange that such a function is written in a loop.

Looking at the code in greater detail, the fseek function works with a NULL pointer as a file handle. This means that there is no file to control. Because the fseek function controls a non-existent file, the threat crashes when it is executed on Microsoft Windows XP.

Figure 2. The threat crashes when it runs on Microsoft Windows XP

If the file is executed on Microsoft Windows Vista or later, it works fine. So what is the difference between Microsoft Windows XP and later versions of Windows?

According to the MSDN Library for Microsoft Visual Studio 2005 or later, the fseek function is documented as follows:

"If stream is a null pointer, or if origin is not one of allowed values described below, fseek and _fseeki64 invoke the invalid parameter handler, as described in Parameter Validation. If execution is allowed to continue, these functions set errno to EINVAL and return -1."

However, there is no mention of this in the Microsoft Visual Studio .NET 2003 MSDN Library.

I think the fseek code changed when a file handle with a NULL pointer is passed as a parameter to the function. The malware author used this change intentionally in order to create a program that doesn't run on Microsoft Windows XP.

Microsoft Windows XP has just under 40% usage share of the operating system market as of March 2013. If a malware author creates a program that doesn't run on Microsoft Windows XP, valuable opportunities to compromise a large number of computers will be lost. So, why would someone create malware such as this?

Why not run on Microsoft Windows XP?

One possibility is an attempt to avoid revealing the true behavior of the threat in sandboxes. I submitted a sample file to eight Automated Threat Analysis Systems found on the Internet and none of these systems logged the sample file behavior. I believe the reason for this is that the malicious code is found after the fseek function trick. If the sandboxes used for testing samples ran on Microsoft Windows Vista, or rather any operating system later than Microsoft Windows XP, they may not have logged the malware's behavior. (Please see this blog for further details regarding how Automated Threat Analysis Systems are used by antivirus companies to analyze malware.)

If malware runs without performing any destructive or disruptive activities in silence, it can continue to compromise computers for a long time, for which the merits to the malware author cannot be overstated.

Back door Trojan horse programs usually check the operating system, CPU clock, and the installed antivirus product, if any. This threat is unusual because it also gathers the following information:

• Whether the compromised computer has a wireless network card
• The dynamic random-access memory (DRAM) type, such as Synchronous DRAM, Cache DRAM, 3DRAM, or SDRAM
• The BIOS manufacturer settings, serial number, and version
• The printer caption
• The battery description and device ID

Normally malware authors wouldn't worry about the battery on the computer. However, the author of this threat evidently has a strong interest in the targeted company.

Conclusion

At the time of writing this blog, Symantec has only received two samples of this threat from large customers and no major infections have been recorded.

From what I can gather from my analysis of this threat, it was used in a targeted attack and the author knew that the targeted company uses Microsoft Windows Vista or later on their computers and hence attempted to infect their network with malware that does not work on Microsoft Windows XP.

If the administrator of the targeted company were to notice suspicious behavior in a suspect file and decide to test it on an Automated Threat Analysis System, it is possible that malicious activity may not be seen at all during the testing and the administrator would be none-the-wiser about the file's true behavior.

Symantec will continue to monitor malicious code and techniques outlined in this blog. We also recommend that users not run suspicious programs and keep their operating system and antivirus software up to date.

Join Symantec Security Response experts Kevin Haley and Paul Wood on Twitter (using the #ISTR hashtag) on Tuesday, April 30, at 9 a.m. PT / 12 p.m. ET to chat about the key trends highlighted in Symantec’s recently released Internet Security Threat Report (ISTR), Volume 18.

The ISTR, which covers the major threat trends observed by Symantec in 2012, reveals a significant increase in cyberespionage attempting to gain access to confidential information and valuable intellectual property, and shows how criminal methods of obtaining this information are shifting. In fact, the largest growth area for targeted attacks in 2012 was businesses with fewer than 250 employees; 31 percent of all attacks targeted them, representing a threefold increase from 2011.

Mark your calendars to join the #ISTR chat and plan to discuss the latest attack vectors and techniques used by cybercriminals to gain access to your intellectual property.

Topic: Internet Security Threat Report: Volume 18 – What does the data tell us?

Date: Thursday April 30, 2013

Time: Starts at 9:00 a.m. PT / 12:00 p.m. ET

Length: One hour

Where:  Twitter.com – Follow hashtag #ISTR

Expertparticipants:

• Kevin Haley, Director, Symantec Security Response, Symantec – @kphaley
• Paul Wood, Cyber Security Intelligence Manager, Symantec – @paulowoody

Symantec has observed an increase in spam messages containing .pw top-level domain (TLD) URLs.  While it was originally a country code top-level domain for Palau, it is now available to the general public through Directi, who branded it as “Professional Web”.
 

Figure 1. .pw TLD URL spam message increase
 

Looking back at the last 90 days, .pw ranked #16 on our TLD distribution list:
 

Figure 2. TLD distribution list - last 90 days
 

However, the .pw URL jumps to the fourth spot when looking at the last 7 days:
 

Figure 3. TLD distribution list - last 7 days
 

Examining messages found in the Global Intelligence Network, Symantec researchers have found that the vast majority of spam messages containing .pw URLs are hit-and-run (also known as snowshoe) spam. 

These are the top ten subject lines from .pw URL spam over the last two days:

• Subject: How to sell your Timeshare
• Subject: Reusable K Cup for Keurig or single-brew coffee maker
• Subject: Reusable single-brew coffee cup you can fill with your coffee blend.
• Subject: Are your home possessions covered in case of a  catastrophe?
• Subject: Elmo's Learning Adventure Gift Package
• Subject: Make Learning Fun - With Elmo & the Sesame Street Gang!
• Subject: Are your appliances and home systems covered?
• Subject: Refinance Today, Save Tomorrow
• Subject: Nothing is more EFFECTIVE for High Blood Pressure
• Subject: Mortgage Rates

Figure 4. .pw URL spam message example
 

Symantec will continue to monitor this trend and create additional filters to target these attacks.  In addition, Symantec also advises enterprises and consumers to adopt the best practices found in the Symantec Intelligence Report.

In my last blog, I talked about how the 2012 Internet Security Threat Report points out the vulnerabilities common for small- and medium-sized businesses, and because of their mistakes for the larger enterprises that do business with them. So let’s talk about some good practices to address these risks.

First and most important is education. Employees need to understand what the company rules are on how to be secure, and understand each of their individual roles in the process. In turn, the roles and responsibilities need to support good security policies including separation of duties, access controls, and the idea of 'least privilege'. For anyone new to the concept, least privilege is illustrated most simply that a temporary secretary shouldn’t have access to the same databases at the same level of information sharing as the head of HR. People need information, but they only need data required for them to function in their everyday duties. Consumers and customers also need to be trained on the many vectors of attack, including social media, links, and the possibility of malware in attachments via email. Buyers are also increasingly looking for indications of security like the green URL bar for Extended Validation certificates, the padlock, HTTPS:// and trust marks. Have a good security policy, then follow up by telling everyone what it is and how you are protecting their data.

Second is doing business securely. While true that a small business may not be able to defend against the newest zero-day attack, or even be able to spell APT, it is the old attacks that are still the bulk of the vulnerability.  Communication and data flowing in and out of a network needs to be encrypted. If the company creates apps or proprietary code to distribute, the code should be signed with a digital shrink-wrap to assure end users that it wasn't tampered with en route. The PCI’s eCommerce Guide recommends SSL to secure your payment information, and recommends EV wherever possible for transactions.

Third is to protect your customers, your partners, and your employees by securing your websites. Review the results of all the malware scans and vulnerability assessments of your website that can be conducted by third parties. Symantec enabled malware scanning and vulnerability assessments as part of our SSL certificates, because we believe strongly that it's a basic security measure for any organization securing their website. Make sure your security policy includes deadlines for patching critical vulnerabilities.

The online security ecosystem is doing its part to code a better internet: Protocols are constantly under revision to remove vulnerabilities as they are found. Browsers have enabled the green bar to show where a company chose a higher level of SSL authentication for their identity, and they display warnings when content is served up insecurely on an encrypted page. Social media sites are leading some of the way toward an always on SSL approach, where the connection is encrypted from user log on through the entire site experience. App stores are joining the always on movement for SSL too. 

The Threat Report doesn't paint a bleak picture. More people are living and doing business online, and the world of eCommerce is growing annually. But the attackers are getting smarter, and no one can afford to say, "It'll never happen to MY Company." Because that's exactly what the bad guys want you to think. Lock your doors.

Contributor: Avhdoot Patil

Phishers have recently gained a lot of interest in football. Various phishing attacks using football were observed in 2012. Phishers have already shown their interest in the 2014 FIFA World Cup, football celebrities, and football clubs. Scam for LIONEL MESSI Fans and Scam for FC Barcelona are good examples of phishers using football celebrities and football clubs. Fraudsters understand that choosing celebrities with a huge fan base offers the largest amount of targets which could increase their chances of harvesting user credentials. In April 2013, the trend continued with phishers using the same strategy. The phishing sites were in French on a free web hosting site.

The phishing sites prompted users to enter their Facebook login credentials on pages designed to highlight Lionel Messi, FC Barcelona, or Cristiano Ronaldo. The phishing pages contained images of Lionel Messi, FC Barcelona, or Cristiano Ronaldo and tried to create the false impression that they were the official Facebook page for either Messi, FC Barcelona, or Ronaldo. Some of the fake sites were titled, “first social networking site in the world”. Users were prompted to enter their Facebook login credentials in order to connect to the Facebook page. After a user's login credentials have been entered, users are redirected to a legitimate Lionel Messi, FC Barcelona, or Cristiano Ronaldo community page to create the illusion of a valid login. If users fell victim to the phishing site by entering their login credentials, phishers would have successfully stolen their information for identity theft purposes.
 

Figure 1. Fake Facebook phishing page featuring Lionel Messi
 

Figure 2. Fake Facebook phishing page featuring FC Barcelona
 

Figure 3. Fake Facebook phishing page featuring Cristiano Ronaldo
 

Internet users are advised to follow best practices to avoid phishing attacks:

• Do not click on suspicious links in email messages
• Do not provide any personal information when answering an email
• Do not enter personal information in a pop-up page or screen
• Ensure the website is encrypted with an SSL certificate by looking for the padlock, “https”, or the green address bar when entering personal or financial information
• Use comprehensive security software such as Norton Internet Security or Norton 360, which protects you from phishing scams and social network scams
• Exercise caution when clicking on enticing links sent through email or posted on social networks
• Report fake websites and email (for Facebook, send phishing complaints to phish@fb.com)

Small and Medium Businesses (SMBs) are rapidly and dynamically evolving into technological and informational savvy businesses. The technology and free flow of information creates tremendous opportunities for these businesses, but also creates great risk.

At risk, is their data.  If it is lost, it can be disastrous for a small business owner and all the people they employ.

Symantec’s new SMB site is designed to help SMBs navigate through solutions to protect their critical information. From studies, we’ve found that there is a process by which SMBs evaluate new products. They first strive to understand, then once they’re comfortable with it, they like to try, and then buy.

The new SMB site was designed with this in mind. We’ve designed the site to focus on understanding right up-front. This greatly differs from the previous site where the user was dropped directly into the SMB store in order to procure a purchase without any real information for the SMB customer to understand the product first. Now, directly from the SMB landing page, we take the user on a different path of Understanding > Liking > Trying > Buying.

A few other key design decisions we’ve made with the new SMB site was to leverage the Symantec.com Enterprise site’s general structure, and look and feel, but opened it up and simplified it for this particular user. As many SMBs are closely related to a Consumer archetype rather than an Enterprise archetype, we’ve made the content and how the content is displayed more welcoming, friendly, and a more engaging experience.

We are excited to be a part of developing a more SMB user-friendly experience on symantec.com/small-business.

We are here to help protect the small business as well as the enterprise.

L’ECC AU SERVICE DE L’OPTIMISATION DE VOTRE VPN SSL

Les utilisateurs exigent désormais de pouvoir accéder à leurs données sur les terminaux mobiles les plus divers, tant dans la sphère privée que professionnelle. Face à cette nouvelle donne, l’importance de la sécurité n’a d’égale que sa complexité.

Or, la solution réside au cœur même de l’environnement de travail des entreprises. Et dans un contexte d’évolution constante des nouvelles technologies, il est important de toujours conserver un coup d’avance.

Les réseaux privés virtuels (Virtual Private Network, VPN) constituent actuellement un moyen répandu de sécuriser les communications Internet de manière simple. Élément fondamental des systèmes distribués, les VPN permettent la création de tunnels sécurisés pour la transmission cryptée de données vers des sites ou hôtes distants. Objectif : préserver la sécurité et l'intégrité de ces données lors de leur transit sur Internet. En ce sens, les VPN permettent à vos collaborateurs mobiles d'accéder à vos ressources réseaux stratégiques via une connexion cryptée et sécurisée.

Or, cette pratique soulève plusieurs questions importantes : quel type de VPN utiliser ? Et comment conjuguer simplicité et sécurité ? La réponse passe le plus souvent par les VPN SSL (Secure Sockets Layer), des VPN compatibles avec tous les navigateurs Web standard, sans installation de logiciel client spécifique sur l'ordinateur de l'utilisateur. Un VPN SSL se compose d’un ou plusieurs équipements VPN auxquels l’utilisateur se connecte à l’aide de son navigateur Web. Pour crypter les échanges entre le navigateur et l’équipement VPN, le dispositif fait appel au protocole SSL – voire au TLS (Transport Layer Security).

Les avantages du VPN SSL : polyvalence, configuration facile et contrôle renforcé pour un large éventail d’utilisateurs et de terminaux, y compris mobiles. Dernier atout, et non des moindres, ce dispositif reste particulièrement abordable.

Pionnier de la sécurisation des connexions et communications sur les réseaux, Symantec a parcouru un long chemin En ce sens, Symantec n’a de cesse d’actualiser sa gamme Website Security Solutions (WSS), un ensemble complet de solutions innovantes destinées à répondre aux besoins croissants de sécurité et de performance des entreprises en ligne. Ses principaux objectifs : offrir une protection optimale aux entreprises, respecter les exigences de conformité, contribuer à l’amélioration des performances et réduire les coûts globaux d’infrastructure.

Symantec vient également d’annoncer la sortie des premiers certificats SSL multi-algorithmes, dotés de nouvelles options de cryptage ECC (Elliptic Curve Cryptography) et DSA (Digital Signature Algorithm). Nous comptons ainsi renforcer la protection de vos écosystèmes, avec à la clé une hausse de votre cote de confiance sur le Net. En 2013, ces options seront disponibles pour tous les clients, nouveaux comme existants. Ainsi, sur la base des pratiques informatiques actuelles, les clés ECC de 256 bits seront 10 000 fois plus complexes à décoder que les clés RSA de 2 048 bits. En d’autres termes, un certificat Symantec ECC offre le même niveau de sécurité qu’un certificat RSA de 3 072 bits. Mieux encore, un serveur avec un certificat ECC améliore considérablement les performances serveurs en chargement, dans la mesure où ils peuvent traiter plus de requêtes en moins de temps, sans oublier leur plus grande évolutivité dans plusieurs cas de figures :

• Pics d’affluences – l’efficacité de l'algorithme ECC augmente en cas de volumes importants
• Hausse d’activité – ECC gère davantage de connexions simultanées

Comme toujours, notre objectif reste d’offrir des solutions d’une grande fiabilité, à votre entreprise comme à vos clients. C’est pourquoi nous innovons sans cesse afin de vous proposer les meilleures solutions de sécurité en ligne du marché.

Pour en savoir plus sur le fonctionnement des certificats SSL, consultez notre infographie sur le sujet

SSL-VPN bieten zahlreiche Vorteile

Benutzer erwarten heute, dass sie ständig Zugriff auf Unternehmens- und persönliche Daten haben, auch wenn sie unterwegs sind. Eine rasant wachsende Vielfalt von Mobilgeräten ermöglicht diesen Zugriff, doch war die Gewährleistung der Sicherheit dadurch noch nie so wichtig oder so schwierig.

Hinzu kommt, dass es nicht genug ist, wenn Unternehmen diese Herausforderung in ihrer IT-Umgebung nur bewältigen. Sie müssen vielmehr dem ständigen technischen Fortschritt immer einen Schritt voraus sein.

Virtuelle private Netzwerke (VPN) sind heute eine weit verbreitete und einfache Methode zur sicheren Kommunikation über das Internet. VPN-Dienste sind ein unverzichtbarer Bestandteil verteilter Systeme, denn sie ermöglichen die Einrichtung sicherer Datentunnel zu entfernten Standorten bzw. Systemen. Vor der Übertragung werden die Daten mit kryptografischen Verfahren verschlüsselt, um sie vor dem unbefugten Lesen zu schützen und ihre Sicherheit und Integrität zu gewährleisten. Durch den Einsatz von VPN können Unternehmen ihren mobilen Mitarbeitern sichere, verschlüsselte Verbindungen zu den geschäftskritischen Netzwerkressourcen des Unternehmens zur Verfügung stellen, die sie zur Erledigung ihrer Aufgaben benötigen.

Zunächst müssen jedoch die folgenden Fragen beantwortet werden: Welcher VPN-Typ erfüllt Ihre Anforderungen am besten? Welcher Typ ist am benutzerfreundlichsten und sichersten? SSL-VPN (virtuelle private Netzwerke mit Secure Sockets Layer) sind am weitesten verbreitet. Dieser VPN-Typ kann mit jedem gängigen Webbrowser genutzt werden, ohne dass dazu spezielle Client-Software auf dem Computer des Benutzers installiert werden muss. Ein SSL-VPN besteht aus einem oder mehreren VPN-Geräten, mit denen der Benutzer über seinen Webbrowser kommunizieren kann. Die zu übertragenden Daten werden mit dem SSL- bzw. TLS-Protokoll (Transport Layer Security) verschlüsselt.

Zu den Vorteilen eines SSL-VPN gehören Vielseitigkeit, eine relativ einfache Bereitstellung für eine Reihe von Benutzern, die über verschiedenste Computer auf Ressourcen an beliebig vielen Standorten zugreifen können, und umfassende Kontrollmöglichkeiten. Darüber hinaus sind die Anschaffungskosten relativ niedrig.

Symantec sichert schon seit langer Zeit Verbindungen und Datenaustausch.

Die Palette der Website-Sicherheitslösungen von Symantec wird fortlaufend aktualisiert und mit innovativen Funktionen bereichert, um die wachsenden Sicherheits- und Leistungsanforderungen moderner, im Internet tätiger Unternehmen zu erfüllen. Die wichtigsten strategischen Ziele, die Symantec mit seinen Website-Sicherheitslösungen verfolgt, sind der bestmögliche Schutz von Unternehmen, die Einhaltung gesetzlicher Bestimmungen, die Unterstützung von Bemühungen zur Leistungssteigerung und die Senkung der Infrastrukturkosten.

Vor Kurzem hat Symantec darüber hinaus die Einführung der branchenweit ersten SSL-Zertifikate mit mehreren Algorithmen angekündigt. Diese verbessern den Schutz Ihrer Infrastruktur durch einen zweiten Algorithmus, wahlweise entweder ECC (Elliptische-Kurven-Kryptografie) oder DSA (Digital Signature Algorithm), und stärken damit die Basis des Online-Vertrauens. Die neuen Algorithmen sind ab 2013 für alle neuen und bestehenden Kunden verfügbar. Das Knacken der von Symantec erstellten 256-Bit-ECC-Schlüssel erfordert bei branchenüblichen Rechenverfahren 10 000-mal so viel Rechenaufwand wie das Knacken von 2048-Bit-RSA-Schlüsseln. ECC-Zertifikate von Symantec bieten ein vergleichbares Sicherheitsniveau  wie RSA-Zertifikate mit 3072-Bit-Schlüssel. Sie belasten Server jedoch deutlich weniger, da die ECC-Software Anfragen erheblich schneller bearbeiten kann und sehr gut skalierbar ist. Das zahlt sich insbesondere in den folgenden Situationen aus:

• Lastspitzen: Die Effizienz von ECC steigt mit größerem Anfragevolumen.
• Unternehmenswachstum: ECC unterstützt eine größere Anzahl gleichzeitiger Verbindungen.

Symantec treibt die Entwicklung seiner Website-Sicherheitslösungen ständig voran, um Ihnen, Ihrem Unternehmen und Ihren Kunden die bestmöglichen und zuverlässigsten Lösungen anbieten zu können.

Weitere Informationen zur Funktionsweise von SSL-Zertifikaten finden Sie in unserem Leitfaden „SSL erklärt“.

Vivimos en una época en la que la accesibilidad de la información empresarial y personal es importantísima, pues la gente cuenta cada vez con más dispositivos móviles y quiere consultar los datos esté donde esté. Todo esto hace que la protección sea algo esencial y, a la vez, complejo.

La gestión de los entornos de trabajo empresariales no puede sustraerse a esta nueva realidad. Hay que estar al tanto de los avances tecnológicos e ir siempre un paso por delante de los demás.

A la hora de proteger los datos que se transmiten por Internet, las redes privadas virtuales (VPN) son uno de los métodos más sencillos y habituales. Los servicios VPN son, por ejemplo, un componente fundamental de los sistemas distribuidos, pues crean túneles seguros que transmiten los datos a los hosts o sitios remotos. Las redes privadas virtuales cifran los datos y los hacen ilegibles para que su seguridad e integridad no corran peligro mientras se transmiten por la Red. Esto hace que sean muy útiles para aquellas empresas cuyos empleados se desplazan con frecuencia y necesitan acceder a los recursos de la red interna mediante una conexión segura y cifrada.

Antes de adoptar esta solución, hay que pensar bien qué tipo de VPN se necesita y cuál ofrecerá el mejor equilibrio entre sencillez y seguridad. Las redes privadas virtuales con tecnología SSL (del inglés Secure Sockets Layer) son la opción más difundida, ya que pueden utilizarse directamente con los navegadores más habituales sin necesidad de instalar un cliente en el equipo del usuario. Cada red consta de uno o varios dispositivos VPN a los que el usuario se conecta desde un navegador web. El tráfico entre el navegador y el dispositivo VPN se cifra mediante los protocolos SSL o TLS (Transport Layer Security).

Las redes VPN con tecnología SSL son asequibles, versátiles y fáciles de configurar. Además, permiten controlar a diversos usuarios que se conectan desde equipos y lugares distintos.

Symantec cuenta con una larga trayectoria en la protección de conexiones y comunicaciones. Básicamente, siempre hemos estado ahí. Desde la época de Netgate (para quienes la recuerden), nuestras soluciones han ido volviéndose más avanzadas y seguras sin perder nunca su esencia: la simplicidad.

Recientemente, Symantec ha puesto al día su gama de soluciones Website Security Solutions (WSS), cuyas funciones completas e innovadoras satisfacen las necesidades de las empresas conectadas en materia de seguridad y rendimiento. Sabemos que el nivel de exigencia de estos clientes cada vez es mayor y queremos estar a la altura con una estrategia que les ofrezca la máxima protección y les ayude a cumplir la normativa, mejorar el rendimiento y reducir el coste general de la infraestructura.

Symantec también acaba de anunciar los primeros certificados SSL del mercado que ofrecen la posibilidad de utilizar dos tipos de algoritmos: ECC (criptografía de curva elíptica) y DSA (algoritmos de firma digital). Así podrá proteger aún más su ecosistema e inspirar más confianza en Internet. Estas dos opciones estarán disponibles en 2013 tanto para los clientes que ya utilizan nuestros productos como para los que los adquieran por primera vez. Según los métodos de computación del sector, la clave ECC de 256 bits de Symantec será 10 000 veces más difícil de descifrar que una clave RSA de 2048 bits. El nivel de seguridad de los certificados ECC de Symantec equivale al de un certificado RSA de 3072 bits, pero esa no es su única ventaja. También mejora el rendimiento del servidor durante la carga porque se tramitan más peticiones en menos tiempo y es más fácil hacer frente a:

• los picos de tráfico (cuanto más tráfico hay, mejor funciona el algoritmo ECC);
• las consecuencias del crecimiento de la empresa, pues se permiten más conexiones simultáneas.

Nuestro objetivo sigue siendo el de siempre: ofrecerles a usted y a sus clientes soluciones dignas de confianza. Por eso innovamos constantemente, decididos a crear las mejores soluciones de seguridad para sitios web del mercado.

Si desea más información sobre el funcionamiento de los certificados SSL, eche un vistazo a la infografía SSL explained (en inglés).

When Hurricane Sandy rocked the East Coast, it did more than just damage homes, erode beaches, and flood cities. Vital data was lost, critical services went down, and system availability was compromised. Don’t let your organization face the same issues when disaster strikes next. Join our webcast roundtable on May 8th at 11 a.m. PDT to hear the lessons businesses and organizations learned in the wake of Hurricane Sandy. Symantec President of Products and Services Francis deSouza along with a panel of senior IT professionals will discuss some of the best practices IT organizations used to keep services highly available and data secure in the midst of a natural disaster.

Register Today! http://bit.ly/10GAZOd

Nearly every week now we can read about a data breach case somewhere, where millions of user accounts and potential other sensitive data has been compromised. Most people are not even shocked by such news anymore, as it is starting to become humdrum.

One of the most common attacks used in such breaches is an SQL injection. This attack has ranked first place on OWASPs Top 10 faults in Web applications for many years. There are several well-known methods to prevent SQL injections, but unfortunately it is still often encountered in productive sites. Furthermore, mis-configured Web servers and vulnerabilities in remote management tools can allow attackers to gain access to systems and read potentially sensitive files.

There has long been a heated discussion about how best to store passwords and that discussion is still ongoing. Most people agree that storing passwords in clear text in a database is not a good idea. Although sadly it is still done in a lot of places, usually with the excuse of “no one has read access to the database, so what could possibly go wrong?” As history has repeatedly shown, this argument does not hold true for long.

As a user, you normally do not know how your passwords are stored on a service. One enlightening trick can be to use the password reset function. Some services will send you an email with your password in clear text, which obviously means that they store it in clear text to begin with. If in doubt, you can send the service an enquiry, but most will probably just assure you that they are using state of the art cryptography to protect your password, which does not tell you much.

But the keyword is correct, as most systems have started to use cryptographical one-way functions; so-called hash functions like MD5 or SHA1 are being used to store passwords. Note that these are not password functions, but rather functions that are normally used for creating message digests. By using them on the password and only storing the hash value, the problem of clear text passwords disappears. Unfortunately, attackers can create “rainbow tables”, with pre-computed pairs of passwords and corresponding hash values. With today’s cloud services, generating rainbow tables does not take too long and the combination values can easily be stored.  Such a set up would allow a simple lookup to break all common passwords within seconds.

To make it more difficult for rainbow tables to break passwords, services can use salt. A salt is a long random string, which is combined with the password before hashing. When used per user, this adds extra complexity as it means that even if two people have the same password (e.g. 123456) they would end up with a different hash in the table. More importantly, the attacker now needs a rainbow table for every possible salt, thereby making it a lot more cumbersome to crack the passwords of many users at once. However, brute-forcing the password of one specific user (e.g. an administrator) is still possible.

At this point, iteration or key-stretching can be introduced. By iterating hash functions over and over again, the whole process is slowed down. For normal usage during logon, a small delay does not matter much, but for brute-force attacks, this can add a few thousand years to your key breaking time. Some examples that can easily be integrated are bcrypt and PBKDF2. Of course, the bar can be raised even higher when using two-factor authentication, for example Symantec’s VIP service.

Regardless of the function that is used to store the passwords, it is always a good idea for users to utilize different passwords for different services. As if you use the same password on all services, once one of them has been broken (possibly due to a bad password storing process), then all of the others become known to the attacker as well. Whenever a data breach occurs, attackers typically try the email password combinations on other services—just to see if they’ve gotten lucky.

Needless to say that using a strong password in the first place is a must. “123456” is simply not a strong password and should not be used. If you cannot remember all of your different passwords, you can use a password manager. Your passwords can then be stored on your smartphone so that you have them with you all of the time. Of course, you have to ensure that when the smartphone is lost, no one can access your password manager, but that’s a whole other story.