Channel: Symantec Connect - Blog Entries

Managing Legacy systems


I attended a webinar recently that discussed the move from physical to virtual servers in large corporations. The rule of thumb given was that today approximately 70% of all servers can be virtualised very quickly, but the remaining 30% can take several years of effort. Hypervisor vendors are working hard to solve this problem, but the interesting finding was that a large proportion of that problematic 30% of servers are running legacy applications or are indeed legacy operating systems.

This is odd as you would think that any IT operations person would want to migrate a legacy server from physical to virtual hardware as soon as humanly possible.

 

Legacy systems are still around for a few reasons.

1. Laziness

2. Applications cannot be modified to work on newer OS platforms

3. The software developers have long since left the company (relates to point 2)

4. Legacy systems are connected to business-critical servers, with little or no downtime allowed

5. Systems have been stand-alone, or deployed in segregated networks

6. They run just fine, thank you very much; why upgrade at huge expense or business risk?

7. Security tools can sometimes eat resources on older hardware and platforms, affecting overall performance

8. IT security did not want hypervisors being used in exposed networks such as the DMZ, so physical systems ruled the day, which meant the legacy systems lived on.

 

There are some key security principles being broken in that list, as we can all see, but let me highlight just a few:

- Unpatched and legacy systems are prime targets for hackers, as native security features are non-existent or have very well-known exploits that are difficult to defend against.

- Legacy operating systems are no longer supported by most security tools, including endpoint protection products, client firewalls, and host intrusion prevention or detection products.

- Stand-alone systems are more likely to be updated via USB drives than any other media.

 

For those sites that have migrated some legacy applications, virtualisation has effectively extended the system lifecycle significantly. Whereas previously servers were upgraded on 3- or 5-yearly schedules tied to hardware warranty cycles, that driver no longer exists, so the justification for upgrading from, for example, Windows 2003 to 2008 can sometimes be hard to swallow; servers can be forgotten about after the virtualisation process has completed.

 

So how can Symantec help with these legacy systems?

Fortunately Symantec Critical System Protection (CSP) still works with many legacy operating systems. In fact, a recent CSP release added a feature, Enhanced Memory Protection (EMP), that specifically applies to legacy 32-bit operating systems such as Windows XP and 32-bit Windows 7.

On the Windows front, we support NT4, XP, 2000 and 2003, for example, which are still in frequent use today (especially Windows XP and XP Embedded). But platform support (see http://www.symantec.com/business/support/index?page=content&id=DOC6408&key=52463 ) is not the only reason customers choose this product on older systems. CSP also has very low performance overhead compared to most other products on the market, with CPU overhead figures between 1% and 6% and using as little as 25 MB of RAM. I recently installed a CSP agent on a Windows NT4 server with 192 MB of total system RAM and a 500 MHz Pentium 3 CPU, and it works well with little or no impact on the running applications or OS.

CSP can also lock down these legacy systems reducing or even removing the requirement for patching, assuming that patches are just not available any more. In some cases CSP will prevent costly downtime and reduce the risk of breaches due to server misconfiguration. Protecting the OS and applications from memory based attacks, stopping devices like USB keys from being used inadvertently, and limiting access to critical configuration files or sensitive data is all still achievable on these legacy systems using CSP.

 

 

CSP can also be used to secure management layers within virtualisation infrastructures to ensure that the correct tools are being used by the correct administrators or engineers, and it can secure critical configuration files such as SSL keys too. Symantec also has a tool called Virtualisation Security Manager, a component of our Control Compliance Suite (http://www.symantec.com/theme.jsp?themeid=control-compliance-suite-virtualization-security-manager ), which effectively acts as a security and administration “proxy” between your administrators and the management servers, which is great for enforcing security controls and for auditing and monitoring usage.

 

More info here: http://www.symantec.com/content/en/us/enterprise/other_resources/critical_system_protection_use_case_catalog_01152013.en-us.pdf


First Malicious Use of the Android "Master Key" Vulnerability Discovered


As we reported earlier this month, a "master key" vulnerability was discovered that allows attackers to inject malicious code into legitimate Android applications without invalidating the digital signature. Because it is easy to exploit, Symantec predicted that this vulnerability would be used quickly, and unfortunately that prediction has come true.

Norton Mobile Insight (Symantec's system that harvests Android applications from hundreds of marketplaces and analyzes them automatically) has detected the first examples of this vulnerability being exploited in the wild. Symantec detects the affected applications as Android.Skullkey.

We have found two applications infected with malicious modifications. Both are legitimate applications for finding hospitals and booking appointments, and both are published on Chinese Android marketplaces.
 

Figure 1. Screenshots of the two infected applications
 

The attackers took both applications and added code that allows them to remotely control the device, steal sensitive information such as the IMEI and phone number, and send premium SMS messages. If certain Chinese mobile security software applications are installed, the added code also uses root commands to disable them.
 

Figure 2. Snippet of the injected code
 

The attackers exploited this vulnerability to modify the original Android applications, adding a new classes.dex file (the file that contains the Android application's code) and a new Android manifest file (the file that specifies permissions).
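The "master key" flaw works because the package can carry two entries with the same name (the signature verifier checks one copy while the runtime loads the other), which is exactly what adding a second classes.dex and manifest file to an already-signed APK produces. The following triage script is an added example written for this page, not Symantec's detection logic; an APK is an ordinary ZIP archive, so a defender can flag suspicious packages simply by counting repeated entry names in the central directory. The toy APK it builds in memory is a constructed sample, not a real application.

```python
import io
import warnings
import zipfile
from collections import Counter


def duplicate_entry_names(apk_bytes):
    """Return the ZIP entry names that occur more than once in the APK.

    A clean APK has exactly one entry per path. A package modified the way
    the post describes carries a second classes.dex and/or AndroidManifest.xml,
    so any repeated name is a strong indicator worth quarantining for analysis.
    """
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        # infolist() walks the central directory and keeps every record,
        # including duplicates that dict-style lookups would silently collapse.
        counts = Counter(info.filename for info in zf.infolist())
    return sorted(name for name, n in counts.items() if n > 1)


def build_sample_apk(inject=False):
    """Build a constructed toy APK in memory (not a real app).

    With inject=True a second classes.dex and AndroidManifest.xml are appended
    after the originals, mimicking the duplicate-entry layout of a tampered package.
    """
    buf = io.BytesIO()
    with warnings.catch_warnings():
        # zipfile warns about duplicate names but still writes them, which is
        # the behaviour we need to reproduce the tampered layout.
        warnings.simplefilter("ignore", UserWarning)
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("AndroidManifest.xml", b"<manifest original/>")
            zf.writestr("classes.dex", b"dex\n035original")
            zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
            if inject:
                zf.writestr("classes.dex", b"dex\n035injected")
                zf.writestr("AndroidManifest.xml", b"<manifest injected/>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, apk in (("clean", build_sample_apk()), ("tampered", build_sample_apk(inject=True))):
        dupes = duplicate_entry_names(apk)
        print(f"{label}: {'suspicious, duplicates ' + str(dupes) if dupes else 'no duplicate entries'}")
```

The check is deliberately cheap so it can run over a whole marketplace feed before any signature verification or decompilation; a hit means the package should be pulled aside, not that it is proven malicious.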
 

Figure 3. Files contained in the Android application package
 

We expect attackers to continue exploiting this vulnerability to infect unsuspecting users' devices. Download applications only from trusted Android application marketplaces. Norton Mobile Security protects against this threat as it does against other threats, and Norton Halt (English version) warns you if your mobile device is susceptible to this vulnerability.

 

Update, July 24, 2013: Four more Android applications infected by the same attack have been found on third-party app sites. They are a popular news app, an arcade game, a card game, and a gambling/lottery app, all developed for Chinese-speaking users.

We have also found that Android.Skullkey sends a text message containing a link to a mobile game hosted on hldc.com to every contact registered on the device. The site is currently down.
 

Figure 4. Text message sent to all contacts. #name# is replaced with the contact's name.
 

Translation of the Chinese message: "[Contact's name], download the game from [URL]. Let's challenge each other to PK in the game and earn points together."
 

* To subscribe to the RSS feed of the Japanese Security Response blog, visit http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja.

TRIPLE ALLIANCE 2: PHYSICAL-VIRTUAL-CLOUD. PAYING FOR SHARED SERVICES


In a recent blog, I mentioned how the triple alliance of Physical, Virtual and Cloud can help you to deliver what every business strives for – maximum service availability at minimum cost. If you use that triple alliance to this end, you might well decrease CapEx, because you will be investing in less physical hardware.

One key factor I touched on in the previous blog was the ‘25% sticking point’. Namely that, once the low-hanging fruit has been duly harvested, you must then make a choice – and it’s a critical one: “Do I continue down the path to nearly 100% virtualisation?” Or “Do I go beyond virtualisation alone and incorporate cloud-scale operations as the next step in my virtualisation and IT strategy?”

But there’s another major consideration that needs to be addressed at this ‘sticking point’.

Exactly how is the business going to pay for shared services?

The upshot of not understanding how to pay for shared or cloud services is that any investment in shared infrastructure becomes nothing more than a wasteland. Indeed, the notion that persuades many organisations to think “If I build it, they will come” is a highly flawed one, for the simple reason that the concept borrowed from ‘Field of Dreams’ does not apply to building shared IT services.

So, what is the right approach? The first thing to remember is that, if you are building shared services, the business must be able to consume them. The traditional approach to IT investment is to orientate that investment around a business project. The aim of shared services/cloud is to provide a low start-up cost, with rapid scale-up if things are going well, or scale-back if they are not. Combined with a lower level of initial investment (risk), the business now has the ability to look at projects it would not have considered in the past.

That’s all well and good, if your business is well versed in this new way of working. But, if it is not, it may be tempted to continue down the project-based procurement route, ending up with a pot of capital to invest in IT – which is not easy to spend on an Opex-based shared infrastructure. They want to spend money on assets!

Bringing the three elements of the triple alliance – Physical, Virtual and Cloud – into a single financial model will be vital in creating a harmonious whole. However, in order to get that triple alliance to work in the first place, the business must buy into the shift from project-based procurement to flexible consumption-based procurement.

The good news is that, once the business understands the additional value to be gained (start-up cost, flexibility, agility etc.), it really is a ‘no brainer’. However, unless someone actually explains how that ‘new model’ works and the huge benefits it can deliver, the business will almost certainly continue to operate in the way that it always has. Make sure your business isn’t one of those that fail to embrace such opportunities for change.

Hear from our existing customers how we support them and visit the Customer Success Stories section on our site.

Connect Lotus Notes client to Exchange Server


Connect Lotus Notes Client to Exchange Server Conveniently

In order to connect a Lotus Notes client to Exchange Server, there are a number of methods, ranging from a manual method, to a built-in utility, to a third-party tool. The difference is that a reliable way to move data from Lotus Notes into Exchange Server is an external application such as Mail Migration Wizard. The application has been designed so that Lotus to Outlook, Lotus to Exchange, Domino to Outlook and Domino to Exchange conversion procedures are all offered in one product. The best part is that it comes with a free trial edition that lets you preview how it works before purchase. That way, you can understand the procedure followed for Lotus Notes client to Outlook conversion and can perform it confidently later on with the licensed edition.

How To Connect Lotus Notes Client To Exchange Server?

The wording matters here: connecting the client to a server is one thing, while transferring data from a client-based environment to a server-based one is another.

The Lotus Notes client depends on a Domino Server, and in practice many users dislike the complications that come with it. Compared with Lotus Notes, Exchange Server is quite convenient and user-friendly. In addition, server maintenance and update costs are much lower for Exchange than for the Lotus Domino client.

Hence, one of the biggest reasons why users carry out a Lotus Notes to Exchange migration is the inconvenience they face while using Lotus.

Here is the procedure to be followed for connecting the data from Lotus Notes client into Exchange Server based Outlook client.

  • Choose Bulk Conversion for Lotus Notes to Exchange Server Mailbox.
  • Now choose either the “add file” option or “add folder” to select the data which has to be migrated; click Next.
  • In the next window, a range of selection criteria will be provided; choose the desired data type to be migrated, the date range in which you have to migrate them, the items which have to be excluded, the calendar filter, etc. Click Export to proceed.
  • A new pop-up window will ask for the desired destination location for saving the migrated data; browse the partitions and choose the location where you would want the resultant data to be stored.
  • The Notes to Exchange migration status will be displayed, i.e. the number of files converted, their respective sizes and the time taken to convert each file.
  • You can also save the report for the procedure to connect Lotus Notes client to Exchange Server as a CSV file, which can be consulted later for all the details.

New Executive Team Members Join Symantec


Symantec already has some of the strongest talent in the industry and that roster is growing – including several new senior executive roles that I’m very excited to announce today. These new team members will bring a fresh perspective and help drive innovative thinking as we solve critical customer problems.

One of the most important objectives for any leader is to build a strong and empowered team; if you do this right, I believe you can accomplish greatness. Joining us from other innovative technology brands like Google, Amazon and Microsoft, these new leaders share this team-building philosophy and possess deep expertise in areas spanning security, cloud, end-user sensibility and customer experience.

Symantec welcomes:

  • Manny Kostas, Chief Marketing Officer (CMO) will be leveraging a broad base of experience to lead our global marketing organization to reimagine the Symantec brand, while leveraging new frontiers of digital and traditional marketing. Manny joins us from Polycom, where he led the Worldwide Product and Program Management organization, after more than two decades in senior leadership roles with HP. In his role as SVP of marketing and strategy for HP, Manny guided their printing and web services business from $11B to $26B, with leading market positioning in every category.
  • Colleen Lacter, Chief Communications Officer (CCO) will be responsible for enhancing our corporate reputation, product awareness and thought leadership equity by influencing stakeholder perceptions. She has a track record for delivering results, strategic planning, engaging storytelling and creative problem solving. Colleen left Waggener Edstrom, Microsoft’s agency of record, where she served as a member of the executive leadership team where she launched many key products, including Windows 95, Internet Explorer, MSN and Bing.
  • Julie Talbot-Hubbard, Chief Security Officer (CSO) will establish and drive strategy for maintaining our information security, business resiliency and physical security programs to ensure that our resources, infrastructure and assets are properly protected – with our products. She recently left her post as chief information security officer for The Ohio State University to join Symantec. Julie was a Symantec customer at Cardinal Health and Bank One/JP Morgan Chase and has deep firsthand knowledge about implementing and using our products.
  • Matt Lynch, Senior Vice President of eBusiness will be responsible for shifting and broadening Symantec’s online experience with customers, prospects and partners as we make the transition from eCommerce into eBusiness. Matt brings knowledge from one of the leading brands in cloud computing and has a customer-centric mentality and experience in eBusiness. He was most recently COO at IMDb.com, an Amazon.com subsidiary. Matt has held other management positions at Amazon.com, as well as at Microsoft and General Mills.
  • Stephen McHenry, Senior Vice President of Cloud Platform Engineering will be responsible for building Symantec’s global cloud infrastructure and offerings, including our scalable cloud infrastructure strategy. Steve has held titles of CIO and CTO as well as engineering chancellor at Google. His responsibilities at Google included leading the security engineering teams responsible for ensuring the 24/7 operations of 42 different infrastructure services. Prior to Google, he also held roles at Silverturn Internet, Netflix and Emasys Corporation.

 

Discover Symantec Data Loss Prevention 12!


Are you ready to tap into the growing $670 million data loss prevention (DLP) market? Find out how Symantec Data Loss Protection 12 can boost your profits and enhance your credibility with new, industry-leading solutions that improve your ability to protect your customers' confidential information.

READ MORE

Clearing out deleted mailboxes


I've been doing a lot of testing just recently with Exchange 2010 (and Archive Shuttle and Enterprise Vault). One of the things that I have needed to do is to create hundreds of mailboxes, populate them with data, do some testing, then delete all the mailboxes and actually get rid of them.

In Exchange 2010 deleted mailboxes are not quite gone.  There are a couple of extra steps which are needed.  Let's see:

Firstly, my Exchange Management Console looks a bit like this:

[Screenshot: 1.png]

But I want them all to be gone.  I can right click and choose ‘Remove’:

[Screenshot: 2.png]

But, check here in the management console:

[Screenshot: 3.png]

So now from the Exchange Management Shell I would run:

# Collect every disconnected (soft-deleted) mailbox on each mailbox server
$mailboxes = Get-ExchangeServer | Where-Object {$_.IsMailboxServer -eq $true} | ForEach-Object { Get-MailboxStatistics -Server $_.Name | Where-Object {$_.DisconnectDate -notlike ''} } | Select-Object DisplayName, MailboxGuid, Database

Followed by:

# Purge each disconnected mailbox from its database without prompting
$mailboxes | ForEach-Object { Remove-Mailbox -Database $_.Database -StoreMailboxIdentity $_.MailboxGuid -Confirm:$false }

And now back in the Exchange Management Console it looks like this:

[Screenshot: 4.png]

Happy :)

Connect Dev Notes: 24 July 2013


User Facing: Desktop

  • Launched the new 'Managing Mobility' Community.
  • Added a new Site Help area where we can document Connect's features for new users.
  • Fixed an issue with links to new forum comments not working correctly.
  • Fixed an issue with the "See full discussion" links in the forum tool-tips pointing to incorrect target pages.
  • Fixed an issue with broken links to auto-generated thumbnail images.
  • Fixed an issue with encoded characters in activity feeds on user profile pages.
  • Fixed an issue with encoded characters in activity feeds on group home pages.

Admin Facing

  • Reconfigured the Security Response Blog workflow to publish, by default, new blog posts. (Old behavior was to save new blog posts as drafts.)

Performance Wins

  • Improved the code behind looking up usernames when adding officers to Groups. The code was identified by our performance monitoring system as being some of the slowest on the site. We've optimized the query behind the lookup to greatly improve the response time.

User Facing: Mobile

  • Fixed an issue with malformed login and register links on the mobile version of the "access denied" page.

Behind the Scenes

  • Added a step to our 'clear caches on update' code that clears mobile versions of a page from the Akamai caches when the desktop version of the page is updated.
  • Upgraded Browscap module - Security update.
  • Upgraded Flag module - Security update.

NetBackup for SAP HANA Technical White Paper


In case anyone missed the news, with the recent release of NetBackup 7.5.0.6, one of the new features included was certified backup support for SAP HANA.

We've done a lot to promote this functionality with webcasts, Google+ Hangouts and collateral. If anyone has missed anything, here are the important links to all the information around our HANA integration, including our newest technical white paper:

http://www.symantec.com/content/en/us/enterprise/fact_sheets/b-better-backup-for-big-data_DS.pdf (NetBackup Datasheet - Better Backup for Big Data)

http://www.symantec.com/business/support/index?page=content&id=TECH208919 (NetBackup White Paper-Protecting SAP HANA)

https://plus.google.com/events/cbema8ptl25e4bpsv4pebj8nlj4#events/cbema8ptl25e4bpsv4pebj8nlj4 (Google+ Hangout Event--Is Big Data TOO Big to Backup?)

If there are any questions regarding our SAP HANA certification, please don't hesitate to reach out to me at:

kyle_drake@symantec.com

Thank you.

What are the Malware and SSL Warnings in your Internet Browser?


As you search and surf online, from time to time you may well come across a warning from your browser like the one shown below, saying that the site contains malware or perhaps that the connection is untrusted. A recent study from UC Berkeley and Google, called "Alice in Warningland", indicates that many of us choose to ignore these warnings on a daily basis. So if you do encounter these warnings, what should you do? What do they mean? Let me guide you quickly through them and give some solid advice for staying safe online.

 

The Website Ahead Contains Malware (Chrome); Reported Attack Page (Firefox)

Response:  STOP! Do Not Proceed!

What this means: the site or individual page has been infected with malware. Malware is malicious software that can do a variety of things, most of them bad, so you definitely want to steer clear of an infected site. Malware can take over a page’s advertising functions to show rogue ads, and it can upload viruses, trojan horses, worms and even keystroke loggers (to capture your user names and passwords) to your computer. Ignoring the browser warning and clicking through to the page may make your computer vulnerable. Even with the reassurance offered by anti-virus software such as Norton, you really don’t want to take such an unnecessary risk.

 

This Connection is Untrusted (Firefox); This is Probably Not The Site You Are Looking For (Chrome)

Response:  Is this a site you are entering information into? (e.g. passwords, webmails, payment info, social networking etc.)?  If so Do Not Proceed!

What this means: the SSL connection for the site is down, either because of a service failure, because the SSL certificate has expired, or because it was revoked (which means you are potentially on a bad site). SSL is the encryption protocol used on websites to secure the transfer of data. It helps you to stay safe online by ensuring that no one can see your data when you send it over the internet. [Learning about what SSL does is a key part of staying safe online, so later in the post I will give you a short lesson so you can figure out whether a web page has SSL within 10 seconds or less.]

 

A Short Lesson on SSL

Pay attention; there is a short test afterwards to help you hone your new skills.

Take a look at the address bar for this blog entry. There are up to four things to look for. The first is that the address begins with “https”. The “s” is for “secure”. You can see an https connection if the site you are visiting has an SSL certificate from a Certificate Authority like Symantec. Secondly, look for the padlock. It should be either to the left or the right of the address bar. A third thing you may notice is that the address bar is green or has green lettering. Green address bars are the result of using an Extended Validation SSL certificate, which means the website owner went through an extensive vetting process before the certificate was issued, all to ensure that you feel safer on their site. Fourthly, look for a security seal when you are on pages that require the transfer of information, namely payment information. Anyone can make their own fake seal or post an image of a real one, so look for the padlock and “https” to know if it’s real (you can click on the seal too). The Norton Secured Seal is the internet’s most trusted seal.

People who would like more information can click on the padlock. This gives you all the details about which company issued the certificate and when it expires. Security people like myself read this, but you don’t have to… just like you don’t have to know how to chop vegetables to eat a salad.

Test time: click the examples below and look for the first three things I mentioned above.

Which examples have SSL and which do not? Answer the following three questions, with a bonus question for being thrown into the deep end. Scroll way down for the answers.

  1. Does example 1 have SSL? Yes or No
  2. Does example 2 have SSL? Yes or No
  3. Of the four things listed above to look for, how many does example 3 have? 1, 2, 3, or 4?
  4. Bonus: You don’t need to speak a foreign language to see if you are secure or not. Check out this Japanese political party’s page and answer this bonus question. Is this the real website of this political party or a possible spoof site? Real or Fake


Answers:

  1. No, since you are only viewing pictures of LOLcats it may not be needed. 
  2. Yes, anyone potentially eavesdropping on your search for LOLcats will only see a garbled set of data that is nearly impossible to hack.
  3. 4; It has “https”, the lock, green address bar, and did you notice the small security seals on the bottom right hand corner?  Click the yellow circle with the check mark; it’s from Symantec.  It will lead you to the Norton Secured Seal check page.  I recommend reading it if you have 3 minutes to spare.
  4. Real, since the website operator wants to display to constituents that this is the real site they went through Extended Validation authentication to get the green bar from Symantec (Formerly known as VeriSign).

RFID Information Can Be Stolen from Three Feet Away


Security consultant Fran Brown has created a hacking tool that can capture data from RFID badges from up to three feet away—a worrying development considering that up to 80 percent of US companies that use RFID access control systems still employ the vulnerable technology hacked by Brown.

What is RFID?

Radio frequency identification, or RFID for short, is used in a wide variety of everyday applications from the tracking of animals and humans to motorway toll collection and contactless payment systems. While some people may not know much about RFID, the chances are they have more than likely used it at one stage or another without even knowing it. If your dog has a microchip implant or you use an ID card to gain access to work then, whether you knew it or not, you have used RFID technology.

RFID uses radio waves to transfer data in order to automatically identify objects, or people or animals associated with those objects. An RFID system consists of at least one tag and one reader and there are several variations of both but one of the most common types of tags, and the type that is discussed in this blog and Brown’s research, is the 125KHz tag. Readers are two-way radio transmitter-receivers that send a signal to the tag and read the response. The tag contains a radio frequency transmitter and receiver that receives the signal from the reader and responds by sending back whatever information is stored on it, such as a unique code for accessing a secure building for example. Tags are very small and can be placed inside ID cards, passports, DVD or CD cases, or even just under the skin.
 

 

Long-range hacking tool

125KHz tags are some of the most common and need to be placed in close proximity, 10cm or less, to the reader in order to receive and send a signal. In order to skim and then clone one of these cards, a malicious actor would need to either have access to the card or be extremely close to it which makes it a difficult thing to do. However, Brown has managed to modify an RFID reader so that it can read RFID tag data from a relatively long distance—up to three feet. What this basically means is that anyone with one of these readers could place it in a pocket and take a walk around a company car park for instance, collecting data from workers’ ID badges as they walk by. The badges could then be cloned and the attacker would have the same access as the owner of the cloned badge.

The customization of the RFID reader was done by creating a small printed circuit board that can be inserted into most commercial readers. The stolen tag information is stored on a micro SD card. The code Brown wrote, as well as all the details of the hack tool and customization will be made available after this year’s Black Hat security conference in Las Vegas, where Brown will present his research.

While this idea has been around for some time, Brown says that his method “is the difference between a practical and impractical attack.” Past research has consisted of theories and ideas with little if any actual working tools. He also states that, in tests, his tool has a hundred percent success rate.

125KHz tags are considered out of date these days and have no security guarding the information they contain. The data sent is not encrypted so once it is received by an attacker, all they have to do is clone a new tag. While there are newer options available that encrypt the data stored on the tag and also secure the communication between the tag and reader or use challenge response authentication methods, organizations are slow to migrate to the new technology. This may be due to cost and/or organizations not being aware of the security risks associated with 125KHz tags.

Brown says that his long-range RFID reader is “targeted toward the Fortune 500 security professional” but that “[a]s with any penetration testing tool, this […] can be turned malicious.”

Given this development, organizations using RFID access control solutions may want to look again at their existing systems and think about upgrading or introducing additional access control measures such as biometrics.

.pw Hit and Run Spam with Royal Baby Trend


Last month Symantec posted a few blogs (here and here) on an increase in spam messages with .pw URLs.

Since then, the volume of URLs with .pw domains has decreased considerably. At the peak, at the beginning of May, .pw domains accounted for about 50 percent of all spam URLs. Over the last seven days, .pw domains have accounted for less than 2 percent.

Figure 1. .pw TLD appearance in spam messages

The decrease in .pw domains is the result of close collaboration between Symantec and Directi in reporting and taking down the .pw domains associated with spam.

The latest evidence from the Global Intelligence Network shows that, even with such a small presence of .pw (the former country code top-level domain for Palau), spammers don’t give up and have started using different tactics. They keep an eye on the latest news from around the world and convert hot news headlines into domain names.

One such example is the domain name babykingishere.pw, which was registered on July 24 by a registrant from Panama. The name chosen by the spammers was based on the big news from the UK, the birth of a future king. While the world is celebrating, spammers have definitely tried to take advantage of the event.

So far, the spam domain has only been observed in promotional hit-and-run spam. One of the main characteristics of this type of spam is the use of "throw-away" domains, which is exactly what the babykingishere.pw domain is.

Sample “From” lines taken from observed Hit and Run spam with the babykingishere.pw domain:

  • From: "Cable Internet" <CableInternet@babykingishere.pw>
  • From: "Medical Billing and Coding Education" <MedicalBillingandCodingEducation@babykingishere.pw>
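Two traits stand out in the sample "From" lines above: the throw-away .pw sender domain, and a display name that is simply the address's local part with spaces added ("Cable Internet" / CableInternet@...). The script below is an added example, not Symantec's filtering logic, that parses raw From: header lines and reports which of those traits each one trips. The watch list of TLDs and the third, benign control line are constructed for this example.

```python
from email.utils import parseaddr

# Constructed sample: the two From: lines quoted in the post plus a benign control line.
SAMPLE_FROM_LINES = [
    'From: "Cable Internet" <CableInternet@babykingishere.pw>',
    'From: "Medical Billing and Coding Education" <MedicalBillingandCodingEducation@babykingishere.pw>',
    'From: "Alice Example" <alice@example.com>',  # constructed control line, should not be flagged
]

# Hypothetical watch list of TLDs that a mail gateway wants to score; only .pw for this example.
WATCHED_TLDS = {"pw"}


def parse_from_line(from_line):
    """Split a raw 'From:' header line into (display name, local part, domain).

    Returns (name, None, None) when the line carries no usable address.
    """
    value = from_line.split(":", 1)[1] if from_line.lower().startswith("from:") else from_line
    name, addr = parseaddr(value.strip())
    if "@" not in addr:
        return name, None, None
    local, domain = addr.rsplit("@", 1)
    return name, local, domain.lower()


def flag_throwaway_senders(lines, watched_tlds=WATCHED_TLDS):
    """Return a list of (domain, reasons) for every line that trips a heuristic.

    Heuristics drawn from the samples in the post:
      * "watched-tld": the sender domain ends in a TLD on the watch list;
      * "display-name-matches-local-part": the display name with spaces removed
        equals the local part, the template-generated address shape seen above.
    Neither alone is proof of spam; they are scoring inputs for a gateway.
    """
    flagged = []
    for line in lines:
        name, local, domain = parse_from_line(line)
        if domain is None:
            continue
        reasons = []
        if domain.rsplit(".", 1)[-1] in watched_tlds:
            reasons.append("watched-tld")
        if local and name and name.replace(" ", "").lower() == local.lower():
            reasons.append("display-name-matches-local-part")
        if reasons:
            flagged.append((domain, reasons))
    return flagged


if __name__ == "__main__":
    for domain, reasons in flag_throwaway_senders(SAMPLE_FROM_LINES):
        print(f"{domain}: {', '.join(reasons)}")
```

Run against the sample lines, the two babykingishere.pw senders are reported with both reasons and the control line is left alone; in a real gateway these reasons would add weight to a score alongside the IP reputation and content filtering the post mentions.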

Figure 2. Sample spam message with links containing the babykingishere.pw domain

Currently, both samples are blocked by Symantec with IP reputation and content filtering. Symantec will continue to monitor .pw domains and any appearance of "Royal Baby" spam.

RFID Information Can Be Stolen from 90 cm Away


Security consultant Fran Brown has developed a hacking tool that can read data from RFID badges up to about 90 cm away. Considering that nearly 80 percent of US companies that use RFID access control systems still employ the vulnerable technology he hacked, this is worrying news.

What is RFID?

Radio Frequency Identification, or RFID for short, is used every day in a wide variety of applications, from tracking animals and people to motorway toll booths and contactless payment systems. Some people may not know much about RFID, but even they have very likely used it in many situations without realizing it: if your dog has a microchip implant, or you use an ID card to get in and out of work, you are using RFID technology whether you know it or not.

RFID uses radio waves to transfer data and automatically identify objects, or the people or animals associated with those objects. An RFID system consists of at least one tag and one reader. Both tags and readers come in many variations, but the most common type of tag, and the one covered in this blog and in Brown's research, is the 125 kHz tag. The reader is a two-way radio transceiver that sends a signal to the tag and reads its response. The tag contains a radio-frequency transmitter that receives the reader's signal and sends back the information stored on it, such as a unique code required to enter a restricted building. Tags are very small, so they can be fitted into ID cards, passports, DVD or CD cases, or even implanted under the skin.
 

RFID 1.png
 

長距離ハッキングツール

125KHz タグはごく一般的なもので、信号を送受信するには読み取り機からおよそ 10cm 以内の距離に置く必要があります。そのようなカードを読み取って複製するためには、カードを手に入れるか、ごく近くまで接近しなければならないので、悪用は困難です。ところがブラウン氏は、RFID 読み取り機を改良して比較的長い距離、最大約 90cm の距離からでも RFID タグを読み取れるようにしました。つまり、何者かがこの読み取り機をポケットに忍ばせ、たとえば会社の駐車場を歩き回れば、そばを通り過ぎるだけで従業員の ID バッジからデータを収集できるということです。あとは、そのバッジを複製すれば、攻撃者は元のバッジの持ち主とまったく同じアクセス権を手にすることができます。

ブラウン氏は、RFID 読み取り機をカスタマイズするために商用のほとんどの読み取り機に装着できるプリント基板を作製しました。盗み出されたタグ情報は、マイクロ SD カードに保存されます。ブラウン氏がプログラミングしたコードや、ハッキングツールとカスタマイズの詳しい情報は、ラスベガスで開催される今年の Black Hat セキュリティカンファレンスでこの研究を発表した後に公開される予定です。

このアイデア自体は以前からあったものですが、ブラウン氏は今回の手法が「実際の攻撃と理論上の攻撃の違いである」と述べています。過去の研究は理論と概念だけで組み立てられており、実際に動作するツールを伴わなかったからです。またブラウン氏は、このツールをテストしたときの成功率が 100% だったとも語っています。

最近では、125KHz タグは旧式と見なされており、格納されている情報を保護するセキュリティは講じられていません。送信されるデータは暗号化されていないので、攻撃者は受信さえできれば簡単に新しいタグを複製できることになります。タグに格納されたデータを暗号化し、タグと読み取り機との間の通信も保護する、あるいはチャレンジレスポンス認証を使うなど、新しいオプションも考案されていますが、新しい技術への移行はなかなか進んでいないのが現状です。コストも一因ですが、125KHz タグに付随するセキュリティ上のリスクを企業が認識していないという要因もあるでしょう。

ブラウン氏は、この長距離 RFID 読み取り機について、「Fortune 500 社のセキュリティ専門家を対象にした」ものだが「あらゆるペネトレーションテストツールと同様、(中略)悪用される可能性もある」と述べています。

今回の結果を踏まえると、RFID アクセス制御ソリューションを利用している場合は、既存のシステムを改めて見直して、アップグレードや、生体認証といった別のアクセス制御方式の導入を検討した方がよいでしょう。

 

* 日本語版セキュリティレスポンスブログの RSS フィードを購読するには、http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/jaにアクセスしてください。

Pharmaceutical Spam Using a Legitimate Online Translation Service

Over the past few months, Symantec has observed pharmaceutical spam attacks that use the legitimate Google Translate service in an attempt to slip past anti-spam filters.

Most of the samples received were sent from hijacked email addresses at popular free email services.
Most of the message subjects advertise online pharmacies or well-known pills such as Viagra and Cialis. We have also seen examples where random non-English characters or words are inserted at the beginning or end of the subject line to defeat spam filters.

Figure 1. Sample subject lines

The body of the message contains a link to Google Translate and advertising copy describing the benefits of ordering medications from the website, sometimes with a discount code.

Figure 2. Sample spam message

The redirection mechanism is fairly elaborate. When the link is clicked, Google Translate fetches the second address embedded in the link, and that address redirects to the pharmaceutical website.

In the samples observed, the final destination was the following pharmaceutical site:

  • [http://]www.magic-pharm.com

Spammers used to rely on free web hosting or URL shortening services for the second part of the link (the redirect link), but recently they have moved to top-level domains with IDN domain names, in particular the Cyrillic .рф domain. Inside the redirect link, the Cyrillic domain is represented in Punycode.

The links displayed in the spam emails take a form such as the following:

  • [http://]www.google.com/t%72ans%6C%61%74e_p?hl=%65%6E&u=pnfd.fr.%78n--8%%330%61%66%61f0asd%62%63g.%78n-p1a%69/tipfa6eeAFLSinIMyxPMzA3NDMwMDAEACeKBEI+.aspx

URL-decoded (using the Windows-1251 character set), this becomes:

  • [http://]translate.google.com/translate?hl=en&u=http://pnfd.fr.xn--80afaf0asdbcg.xn--p1ai/tipfa6eeAFLSinIMyxPMzA3NDMwMDAEACeKBEI%2520.aspx

Decoded from Punycode, this becomes:

  • [http://]translate.google.com/translate?hl=en&u=[http://]pnfd.fr.конггандон.рф/ipf24aeAGzLC8vs0zJMzA3NDQ0NzAEACbKBDs .aspx
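The decoding steps above, as an added Python example that is not part of the original post: it percent-decodes a Google Translate redirect link until the string stops changing (the spammers nest encodings, as the `%%33` in the sample link shows), pulls out the `u=` destination that translate.google.com will fetch, and converts the Punycode host to Unicode. The `SAMPLE_LINK` in the block is constructed for this example and mirrors only the structure of the spam link; the one real mapping it relies on is `xn--p1ai` for the Cyrillic `.рф` TLD named in the post.

```python
"""Decode obfuscated Google Translate redirect links of the kind used in pharma spam.

Added example (not from the original post). SAMPLE_LINK below is constructed:
it mirrors the structure of the spam link in the post but uses a made-up host.
"""
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit


def percent_decode_fully(text: str, max_rounds: int = 5) -> str:
    """Percent-decode until the string stops changing.

    Spammers nest encodings ('%%369' -> '%69' -> 'i'), so a single pass
    leaves hex escapes behind that a naive keyword filter will not match.
    """
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def redirect_target(link: str) -> Optional[str]:
    """Return the 'u=' destination Google Translate would fetch, or None.

    None means the link is not a google.com translate redirect, so there
    is no embedded second hop to follow.
    """
    clean = percent_decode_fully(link)
    if "://" not in clean:
        clean = "http://" + clean
    parts = urlsplit(clean)
    host = parts.hostname or ""
    # Exact label match: 'notgoogle.com' must not pass a suffix test.
    if not (host == "google.com" or host.endswith(".google.com")):
        return None
    if "translate" not in parts.path:
        return None
    targets = parse_qs(parts.query).get("u")
    return targets[0] if targets else None


def unicode_host(target: str) -> str:
    """Convert the (possibly Punycode) host of a redirect target to Unicode.

    'xn--p1ai' is the Punycode form of the Cyrillic .рф TLD mentioned in the post.
    """
    if "://" not in target:
        target = "http://" + target
    host = urlsplit(target).hostname or ""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # not valid Punycode; report the raw label unchanged


# Constructed sample: path and parameters hex-escaped, host double-escaped
# ('%%369' decodes to '%69' and then to 'i', like the '%%33' in the real link).
SAMPLE_LINK = (
    "http://www.google.com/t%72ans%6C%61%74e?hl=%65%6E"
    "&u=pharm-example.%78n--p1a%%369/offer.aspx"
)

if __name__ == "__main__":
    target = redirect_target(SAMPLE_LINK)
    print("redirect target:", target)
    print("unicode host   :", unicode_host(target) if target else None)
```

In a mail filter the value worth reputation-checking is the decoded `u=` target, not the google.com hostname the link shows; the exact-label host check matters because a suffix test such as `endswith("google.com")` would also accept look-alike domains.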

Symantec reliably blocks the vast majority of variants of this Google Translate redirect spam and continues to monitor closely for other cases in which the Google Translate service is abused in spam email. So far this abuse has only been seen in spam campaigns; we have not yet observed it being used to distribute malware.

* To subscribe to the RSS feed of the Japanese Security Response blog, go to http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja.

Data Insight 4.0 Turns Dark Data From A Liability To A Business Asset


Last week we announced Symantec Data Insight 4.0 to help IT administrators take back control of dark data. The lack of insight into this information stems from the rapid growth of unstructured dark data, which is generally poorly managed and stored. Many data centers literally hold petabytes of unstructured information (documents, presentations, spreadsheets and emails) that an organization accumulates over time while remaining in the dark about its content, ownership and usage.

With this latest version of Data Insight, Symantec continues to integrate its storage and security offerings, providing organizations a unified approach to data governance. Data Insight 4.0 represents the progress on Symantec’s commitment to integrate solutions, making it easier for organizations to protect and manage their information.

Symantec Data Insight helps organizations improve unstructured data governance through actionable intelligence into data ownership, usage and access. Data Insight’s reporting, analytics and visualization capabilities give organizations an understanding of what data exists, how the data is used, who owns the data and who has access to the data. These insights drive efforts in efficiency and cost reduction across the data lifecycle as well as drive protection of sensitive data and compliance, resulting in reduced risk.

With Data Insight, organizations can:

  • Identify business owners of data
  • Understand what unstructured data they have to drive efficiencies and reduce cost
  • Maintain regulatory compliance for information access, use and retention
  • Ensure information is protected from exposure to unauthorized individuals

These insights will help IT organizations engage the business, drive remediation efforts and create effective information governance policies to deal with unstructured data growth.

Data Insight 4.0 integrates with Data Loss Prevention to secure high value data and with Enterprise Vault for archiving and retention to provide unified data governance. Through integration with Symantec Data Loss Prevention (DLP), Data Insight provides proactive protection of intellectual property across collaboration repositories such as file shares and SharePoint. Organizations can use Data Insight’s analytics to secure collaboration through tracking and monitoring of sensitive data usage, detecting outlier users and insider threats, and securing access to sensitive data.

Data Insight also helps fulfill compliance requirements by auditing access for confidentiality and integrity, identifying data owners and then holding them accountable for compliance on data access requirements. Organizations can also quickly discover orphan or stale data and manage archiving and retention using Symantec Enterprise Vault, or create custom actions that delete or migrate the data to reduce cost and footprint.

With Data Insight, organizations can shine a light into the black hole of unstructured dark data and help it deliver the business value it should.

Learn more about Symantec Data Insight at: http://go.symantec.com/datainsight

Big Poker Player Loses High-Stakes Android Scam Game


Earlier this week, the Chiba Prefectural Police in Japan arrested nine individuals for distributing spam that included emails with links to download Android.Enesoluty, malware used to collect the contact details stored on the owner's device. The arrested men include Masaaki Kagawa, the 50-year-old president of Koei Planning, an IT firm located in Shibuya, Tokyo. He is also apparently known as an avid poker player who participates in poker tournaments worldwide and has earned over a million US dollars in these competitions. He appears to be the main player running the operation. His appetite for taking chances has paid off at the poker table, but his gamble on Android malware is not looking good. Kagawa and his associates now await a likely prosecution.

From our observations, the operation began around September 2012 and ended in April 2013, when authorities raided the company office. We confirmed that around 150 domains were registered to host the malicious apps during this time span. According to media reports, the group was able to collect approximately 37 million email addresses from around 810,000 Android devices. The company earned over 390 million yen (approximately 3.9 million US dollars) by running a fake online dating service (a so-called "sakura" site) during the last five months of the spam operation. The spam used to lure victims to the dating site was sent to the addresses collected by the malware.

Symantec has closely followed the Enesoluty scam since July, 2012. Details of events can be found in the following blogs:

We also believe Android.Maistealer and Android.Enesoluty share common source code with another malware, called Android.Uracto, and that a different group of scammers were maintaining the latter, as the distribution strategy of the malware differs considerably. It is believed that this other group has yet to be identified, so there will probably be another few twists and turns to this story in the future. Details of the scams performed by Android.Uracto can be found in the following two blogs:

To conclude this blog, we would like to commend the Chiba Prefectural Police for making this arrest. Symantec has been working in cooperation with the investigators to make this arrest happen and will continue to assist in the prosecution and sentencing of the criminals as needed.

Internet Security Threat Report Readership Survey


Symantec’s Internet Security Threat Report (ISTR) is an annual report which provides an overview and in-depth analysis of the online security landscape over the previous year. The report is based on data from Symantec’s Global Intelligence Network, which Symantec analysts use to identify, analyze, and provide commentary on emerging trends in cyberattacks, malicious code activity, phishing, and spam as well as the wider threat landscape trends in general.

The latest release, ISTR volume 18, may be considered the most comprehensive and detailed to date. Among other findings, the report incorporated up-to-date data and analysis on targeted attacks, data breaches, malware, spam, vulnerabilities, and mobile malware.

Everyone in Symantec is extremely proud of the ISTR; however, this is no time to rest on our laurels. We are constantly looking to improve the quality of our products and services, and that includes the ISTR. To that end, we would like to enlist the help of our readers with the first ever ISTR readership survey. By engaging with the ISTR readership, we hope to tailor future reports to better suit your needs and wants.

For example, would you like to see more in the report on data breaches? Perhaps you want to see an even wider focus on targeted attacks? Now is your chance to tell us your preferences, which parts you enjoy and which parts you may skip over. While we will always endeavor to provide you with the best information about the most pertinent threats, we want to know what this means to our individual readers, and the businesses they may represent, in order to better understand how the report is being used.

We also want to find out whether you would prefer to receive more frequent ISTR-style reports in addition to the annual publication. Now is your chance to share your thoughts on all things ISTR. As the saying goes, help us to help you.

You can do so by completing our ISTR user survey. It is quick, easy to complete, and will be invaluable to us as we strive to improve the quality of our output. We would also encourage you, if you can, to share the survey with as many of your ISTR reading friends or colleagues as possible.

Thanks for reading and for helping out. We look forward to collecting your responses and making the ISTR a more responsive, tailored, and user friendly report and hope that you will continue to enjoy reading the report well into the future.

Take Survey

 

Staying Clear Of The Dark Side


There are deep and disturbing sides to the Internet where businesses should fear to tread, if they want to keep themselves safe. So called ‘dark’ search engines, for example, certainly need to be approached with extreme caution.

Take Shodan, a search engine that navigates the Internet's back channels. It's akin to a ‘dark’ Google, helping hackers to find out the servers, webcams, printers, routers, systems, networks etc… that are vulnerable to tampering.

Shodan has been designed to help users track down certain types of software and hardware, determine which applications are most popular, identify anonymous FTP servers, or investigate new vulnerabilities and which hosts they could affect. All good stuff and useful to know. But Shodan also serves as a window into millions of unsecured online connections, and you definitely wouldn't want those connections to be yours. It's similar to a bank opening for business in the morning and leaving the safe ajar by the front door: an open invitation to enter the inner workings of your organisation and see what riches are there to be had.

Shodan, it seems, runs non-stop, collecting data from hundreds of millions of connected devices and services each month. Through a simple search, a user can identify a number of systems that either have no security measures in place or generic passwords that can be hacked easily, leaving unwary organisations open to hazardous attacks.

There are accounts of one independent security penetration tester confirming that, amongst a number of unsecured systems he located using Shodan, were: a carwash that could be turned on and off remotely; an ice hockey rink in Denmark that could be defrosted with a click of a mouse; and a traffic control system for an unnamed city that could be put in ‘test mode’ with one command entry. But that is by no means the worst. Cybersecurity researchers are also said to have located command and control systems for nuclear power plants and a particle-accelerating cyclotron, using Shodan. Even allowing for apocryphal stories and a degree of hyperbole, that has to be worrying.

The biggest security flaw, argues Shodan’s creator John Matherly, is that many of these susceptible systems should not even be connected to the web. “Of course, there’s no security on these things. They don’t belong on the Internet in the first place,” he says. Many systems can now be controlled by computer, so IT departments hook them up to a server, instantly making systems and devices available to anyone with an Internet connection. It’s all part of that great unknown sometimes referred to as ‘The Invisible Web’ – the area of the WWW that isn’t indexed by the search engines. And it’s a high-risk place to be, if you don’t have the right protections in force.

Indeed, tightly targeted cyber-espionage attacks, designed to steal intellectual property, are hitting the manufacturing sector and small businesses with ever greater venom, warns Symantec's latest 'Website Security Threat Report', with the latter, highly vulnerable, organisations the target of 31% of such attacks – a threefold increase on 2011. Targeted attacks overall saw a massive 42% surge during 2012 compared to the previous year.

It’s also worth noting that in many cases protecting yourself, your company and your intellectual property online is not difficult, as long as you start with solid foundations such as securing your websites, intranets, extranets etc… with the latest encryption technologies from Symantec.

Using Symantec SSL is a cost-effective security measure for websites; when SSL is deployed site wide in a persistent manner it helps to protect the entire user experience from start to finish, making it safer to search, share and shop online. This encrypts all information shared between the website and a user (including any cookies exchanged), protecting the data from unauthorised viewing, tampering or use. The Online Trust Alliance is one leading organisation calling for websites to adopt the use of persistent SSL on websites (which is also known as ‘Always-On SSL’), with some of the world’s most successful names having successfully implemented it, including Google, Twitter and Facebook.

You might also want to look at Symantec Validation and ID Protection Service when shoring up your defences. This is a powerful cloud-based authentication service that enables enterprises to secure access to networks and applications, while keeping out malicious, unauthorised intruders. A unified solution providing both two-factor and risk-based tokenless authentication, VIP is based on open standards and can integrate readily into your enterprise applications.

With solutions such as these firmly in place, you should have the foundations to make light of even the Internet's darkest places, but don't stop there. As a colleague of mine writes here: "As we near the 2-year anniversary of Stuxnet, it is high time to check where your own organisation stands. While doing so could be relatively quick (particularly using such databases), dealing with the damage would take much longer, so we strongly recommend the former course of action."

There is no time like the present to review what you do and take the appropriate steps to ensure your organisation is protected both now and in the future.


When Car Hacking Turns Your Vehicle into a Video Game


Modern cars contain a lot of nifty electronic gadgets, as well as more than one kilometer of cable wired to all kinds of sensors, processing units, and electronic control units. The cars themselves have become large computers, and as history shows, wherever there is a computer, there is someone trying to attack it. Over the past few years various studies have been conducted on how feasible it would be to attack a car through its onboard network. Most researchers focused on attacks with full physical access to the car, but some also explored external attack vectors.

If attackers have physical access to a car they can, for example, access the Controller Area Network (CAN) or the On-Board Diagnostic (OBD) system, but they can also perform other dangerous actions, such as physically tampering with the brakes or stealing the car. Digitally tampering with a car, on the other hand, might be much more difficult to prove after an accident. Such attacks could potentially be combined with other attacks that allow for a remote code execution and should be taken as a demonstration of payloads.

There are a few ways to get into a car’s system without having physical access to it, for example through tire pressure monitoring systems, traffic message channel (TMC) messages, or GSM and Bluetooth connections. Some manufacturers have started developing smartphone apps that can control some of the car's functionalities, which opens another possible attack vector. There have also been some cases where specially crafted music files on USB drives were able to hijack some of the car’s systems.

Charlie Miller and Chris Valasek, two researchers working on a DARPA-funded project, explored how far they could go by hacking the Controller Area Network once inside the car. The pre-released video of their presentation for the upcoming DEFCON conference shows that nearly all of the car's functions can be controlled or triggered, including switching off all lights, shutting down the engine, disabling the brakes, some limited steering, sounding the horn, and manipulating the dashboard display. It doesn't take much imagination to see that this has the potential to cause serious accidents. Some of these changes could be made permanent and invisible through malicious firmware updates or system changes. A laptop with a modem hidden in the glove box would work as well, but would be far less stealthy: if an attacker used the same setup as the researchers, you would hopefully notice the laptop on your back seat and wonder what was going on.

Car manufacturers are aware of these challenges and have been working on improving the security of car networks for years. Remote attack vectors, especially, need to be analyzed and protected against. At Symantec we are also monitoring this research field to help improve it in the future. Miller and Valasek’s research shows that cars can be an interesting target for attackers, but there are currently far bigger automobile-related risks than hackers taking over your car while driving. Personally, I’m more scared of people texting messages while driving and I assume they pose a far bigger risk than hackers when it comes to accidents, for now at least. Safe driving.
