On August 4, websites hosted by Freedom Hosting, a service provider that offers anonymous hosting through the Tor network, began to host malicious scripts. This follows media reports from August 3 about US authorities seeking the extradition of the man believed to be the head of Freedom Hosting. 

The scripts that were found take advantage of a Firefox vulnerability that was already fixed in Firefox 22 and Firefox ESR 17.0.7. It is thought that this vulnerability was chosen because the Tor Browser Bundle (TBB) is based on Firefox ESR-17. Symantec detects these scripts as Trojan.Malscript!html.

Figure. Attack steps

If successfully exploited, the attacker is able to retrieve the unique MAC address of the network card and the local hostname from the compromised computer and send that data back to IP 65.222.202.54. An example of the data sent back follows. The host is the local computer name and the cookie ID is actually the MAC address.

GET /05cea4de-951d-4037-bf8f-f69055b279bb HTTP/1.1
Host: PXE306141
Cookie: ID=0019B909D908
Connection: keep-alive
Accept: */*
Accept-Encoding: gzip

A unique cookie is also left on the system after visiting the website. An attacker can use the unique MAC address, local computer name, and cookie to help locate the systems involved in this attack. If these methods were used by law enforcement, it could potentially allow them to track down the system by tracing who the network card was sold to. There is plenty of speculation about who is doing this and why they are doing it, but at this time nothing has been confirmed.

While the Tor network is meant for personal privacy and designed to conceal a user’s location or usage from traffic analysis and network surveillance, this attack method shows that it is possible to track down those who use the Tor network.

Dennis Technology Labs offers a range of testing services that are focussed on performance benchmarking hardware and software products.

Highlights

• The effectiveness of free and paid-for anti-malware security suites varies widely.

• Blocking malicious sites based on reputation is an effective approach.

• Some anti-malware programs are too harsh when evaluating legitimate software.

Simon Edwards’ full report can be found here.

Building a traditional backup solution can result in a high level of complexity where the processes are often too siloed and too unreliable to be trusted with your company’s most valuable asset. But, complexity does not need to be the normal state of affairs. The Backup Exec 3600 Appliance mitigates the problems of complexity, cost, and risk associated with traditional backup solutions by delivering a combined hardware and software solution in a single package.

Join our next On Air Google+ Hangout on Wednesday, August 14th when our experts will discuss the turnkey advantages of the Backup Exec 3600 Appliance. It provides a Backup Server, 5.5TB of back end storage as well as “all-you-can-eat” Backup Exec 2012 Agents and Options, including the Deduplication Option, all in one pre-configured box.

This Hangout will assist partners, service providers and end-users as they design and implement a data protection strategy. We will take an in-depth look at the Backup Exec 3600 Appliance and answer your questions about the technology, implementation and best practices.

Tune in and get your questions answered live by our expert panelists during the event by submitting your questions to the hashtag #SYMCHangout.

Mark your calendars:

Title:               What Can the Backup Exec 3600 do to Improve your Data Protection Strategy?

Date:                Wednesday, August 14, 2013

Time:               Starts at 9:30 am PT

Length:            1 Hour

Where:             Google+ Hangout: http://buex.ec/VV3600

Panelists include:

• Michael Gallagher, Product Manager
• Mike Garcia, Product Manager
• John Damon, Product Marketing Manager
• Matt Stephenson, Product Marketing Manager

Building a traditional backup solution can result in a high level of complexity where the processes are often too siloed and too unreliable to be trusted with your company’s most valuable asset. But, complexity does not need to be the normal state of affairs. The Backup Exec 3600 Appliance mitigates the problems of complexity, cost, and risk associated with traditional backup solutions by delivering a combined hardware and software solution in a single package.

Join our next On Air Google+ Hangout on Wednesday, August 14th when our experts will discuss the turnkey advantages of the Backup Exec 3600 Appliance. It provides a Backup Server, 5.5TB of back end storage as well as “all-you-can-eat” Backup Exec 2012 Agents and Options, including the Deduplication Option, all in one pre-configured box.

This Hangout will assist partners, service providers and end-users as they design and implement a data protection strategy. We will take an in-depth look at the Backup Exec 3600 Appliance and answer your questions about the technology, implementation and best practices.

Tune in and get your questions answered live by our expert panelists during the event by submitting your questions to the hashtag #SYMCHangout.

Mark your calendars:

Title:                What Can the Backup Exec 3600 do to Improve your Data Protection Strategy?

Date:                Wednesday, August 14, 2013

Time:               Starts at 9:30 am PT

Length:            1 Hour

Where:             Google+ Hangout: http://buex.ec/VV3600

Panelists include:

• Michael Gallagher, Product Manager
• Mike Garcia, Product Manager
• John Damon, Product Marketing Manager
• Matt Stephenson, Product Marketing Manager

This article is written based on wide spread Internet reports from Black Hat Conference at Las Vegas.

Recent advances in math and cryptology research in the academic field indicate that there might be mathematical algorithms or solutions in place to break RSA and Diffie-Hellman based encryption without obtaining the secret key and without the need of massive computing resources for significant durations of time within the next four to five years. These encryption schemes are widely on the Internet today for keeping sensitive date private right from encrypting Internet communications used for electronic commerce to securing software updates to encrypting global corporate and government networks.

The key to the security today is that there are no practical ways or efficient algorithms which can break these encryptions without obtaining the secret keys. The day such algorithms are found the encryption and hence the trust on which the Internet works will be broken.

The good news is that there are alternate encryption schemes available today which are more secured. Eliptic Curve Cryptography (ECC) whose patents are now owned by Blackberry is said to be a very secured method which is also recommended and used both by the NSA as well as the Russian Government.

Although the chances of an efficient algorithm being found to break RSA and Diffie-Hellman is still low, it a a very big risk and transitioning to ECC or some other more secured encryption standard before such an eventuality would be advisable. There is also speculation that such algorithms already exists and this was demonstrated by the highly advanced flame malware which used a new mathematical technique to ,masquerade as though it was a Microsoft update.

For those who are interested here is the original presentation from the Black Hat conference http://www.slideshare.net/astamos/bh-slides

References: -

https://www-secure.symantec.com/connect/blogs/flam...

http://www.technologyreview.com/news/517781/math-a...

8 月 4 日、Freedom Hosting（Tor ネットワークを介して匿名ホスティングサービスを提供するサービスプロバイダ）が運用する Web サイトで、不正なスクリプトのホスティングが見つかりました。これは、Freedom Hosting の代表と見られる人物の引き渡しを米国当局が要請したことに関する、8 月 3 日のメディアレポートに続くものです。

見つかったスクリプトは、Firefox の脆弱性を悪用します（この脆弱性はすでに Firefox 22 と Firefox ESR 17.0.7 で修正済みです）。この脆弱性が選ばれた理由は、Tor Browser Bundle（TBB）が Firefox ESR-17 をベースにしているためと思われます。シマンテックでは、これらのスクリプトを Trojan.Malscript!htmlとして検出しています。

図:攻撃のプロセス

攻撃者は侵入に成功すると、当該コンピュータからネットワークカードの固有 MAC アドレスとローカルホスト名を取得し、そのデータを IP 65.222.202.54 に返送します。返送されるデータの例を以下に示します。Host はローカルコンピュータ名を表し、Cookie ID は実際には MAC アドレスを表しています。

GET /05cea4de-951d-4037-bf8f-f69055b279bb HTTP/1.1
Host: PXE306141
Cookie: ID=0019B909D908
Connection: keep-alive
Accept: */*
Accept-Encoding: gzip

また、Web サイトを訪れた後に、システム上に独特な Cookie も残されます。攻撃者は固有 MAC アドレス、ローカルコンピュータ名と Cookie を使って、攻撃対象のシステムを特定します。これらの手法が法執行によって使われたならば、ネットワークカードの購入者を追跡してシステムを特定することが可能でしょう。誰がこれを行っているのかとその理由については様々な憶測が飛び交っていますが、現時点ではまだ何も確認されていません。

Tor ネットワークは個人のプライバシーを尊重し、ユーザーの場所や利用状況をトラフィック分析やネットワーク監視から隠すように設計されていますが、この攻撃手法によって、Tor ネットワークの利用者を特定できることが明らかになりました。

* 日本語版セキュリティレスポンスブログの RSS フィードを購読するには、http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/jaにアクセスしてください。

It may sound strange, but one surefire sign that the economy is on the mend is an increase in stock spam. Yes, stock spam is a bellwether signal of an economic revival and if you want proof, check your email. Scattered in your bulk folder, you may find a myriad of such spam promising you ‘an opportunity of a life time.’ Rearing its ugly head every time there is a hint of an economic recovery, stock spam never misses an opportunity to try and con victims out of their hard-earned cash.

Over the years, stock spam has evolved, honing its method of psychologically hustling a victim into buying a particular stock that will ‘imminently’ be pumped up by some sort of syndicate. Stock spam creates an unwarranted urgency and promises a pot of gold at the end of it all.

Stock spam relies on a strategy called ‘pump and dump,’ where spammers create pseudo hysteria, beckoning victims to invest in penny or sub-penny stocks that would give astronomical returns overnight. It takes full advantage of a widespread human trait, greed.

After millions of these spam emails are dispersed, the stock in focus suddenly increases in value and then falls drastically, leaving investors stranded. Stocks are then dumped after creating hysteria and subsequently bought back at a lower price, which means more profit for the manipulators rather than those invested who are trapped at higher levels.

From a spam perspective, the modus operandi has been constant – create hype, make a profit, then disappear into oblivion! This is done systematically, keeping the sociopolitical situation in mind.

The subject lines used are altered and recycled with a few cosmetic alterations in order to evade spam filters. The following are some sample subject lines used in stock spam:

• I would love this stock to fill in gap...
• A Sleeping Giant May Have Been Awoken!
• IT MAKES A MOVE!
• NEW Pick Out at Midnight!
• This Stock is my new NASDAQ alert! This thing can fly!
• Decoded: Don't Risk Missing an Issue
• We`re going to see some xtreme moves this week
• A bottom buster rocket this morning
• The Only Way To Make Reliable Monthly Income From The Stock Market!
• This Company is our New "First-Class" Alert! Don`t Miss Out!

The email body contains some brief information on the targeted stock and its trading ticker ID (which is usually obfuscated).

Figure. Sample stock spam email

So, what’s the best practice here?

The next time you see unsolicited emails cluttering your mailboxes, make sure that you don’t fall for this type of scam. Remember, if something sounds too good to be true, it usually is!

Symantec advises users to update their antispam signatures regularly. We are closely monitoring these spam campaigns and will continue monitoring this trend to keep our readers updated.

To the pilot who knows no storm! Thanks Samir.

Updates deployed to the Connect production servers as a result of the code sprint that ended 06 August 2013.

User Facing: Desktop

• Added [brackets] around group names when they appear in the subject lines of email notifications. This enables users to organize their mailboxes with rules that detect group names enclosed in brackets.
• Added the ability for users -- who've been granted the translator role -- to add translations of comments to Connect. Translators can already translate forum posts, now they can translate the replies to those posts.
• Fixed a few IE8 and Firefox navigation issues with the new Help Center.
• Fixed an issue with incorrect solved counts under the Trusted Advisors tab on the Community overview pages.

Admin Facing

• Resolved a permissions issue that was allowing underprivileged users to promote content to a featured state.
• Fixed emails sent to site admins when they created private groups. Verification emails now include details about the newly-created group.
• Fixed a problem with the monthly userpoints (Connect Rewards) report timing out before it finished processing.

Performance Wins

• Discovered several thousand duplicate URL aliases in one of our database tables that were impacting performance. The developers wrote a script that identified the duplicate entries and removed them.

怪訝に思われるかもしれませんが、株関連のスパムの増加は、経済回復の確かな兆しの 1 つです。こういったスパムは、経済が回復してくると真っ先に表れるものです。その証拠に、最近届いたメールを確認してみてください。迷惑メールフォルダには、「一世一代のチャンス」を謳うこの種のスパムがいくつも届いていることでしょう。経済回復の兆候が見られるたびに、大切なお金を騙し取ろうとする悪質なスパムが必ず現れます。

株関連のスパムは何年にもわたって進化してきました。ある組織によって株価が急騰すると謳って特定の株を買わせようと心理的に誘導する手法はますます巧妙になっています。株関連のスパムは不当に切迫感を煽り、最後には必ず儲かると約束します。

株関連のスパムは「パンプアンドダンプ」と呼ばれる戦略を用いています。スパマーは擬似的に投機熱を作り出し、一晩で大儲けできると誘ってペニーストック（安値の小型株）への投資を誘います。多くの人間が持っている金銭欲につけ込むのです。

このようなスパムメールが何百万通もばらまかれると、当該株の株価は急騰し、その後大幅に下落します。そして後には多くの投資家たちが取り残されます。投機熱が上がると、今度は一転して当該株は売られ、低株価に戻ります。つまり、株価の操縦者は、高値で買わされた投資家よりも多くの利益を得ることになります。

スパムの観点から言えば、誇大な宣伝をして、荒稼ぎしたら姿を消すという手口は変わっていません。社会政治的な状況も踏まえて体系的に行われます。

メールの件名は、スパムフィルタをすり抜けるために若干の変更を加えつつ使い回されます。株関連のスパムに使われる件名の例を以下に示します。

• I would love this stock to fill in gap...（この株で穴埋めができる...）
• A Sleeping Giant May Have Been Awoken!（眠れる巨人が目を覚ましたかも!）
• IT MAKES A MOVE!（動きあり!）
• NEW Pick Out at Midnight!（真夜中の新規有望株!）
• This Stock is my new NASDAQ alert! This thing can fly!（NASDAQの新規注目株! これは買い!）
• Decoded: Don't Risk Missing an Issue（解説: 損するリスクはありません）
• We`re going to see some xtreme moves this week（今週大きな動きあり）
• A bottom buster rocket this morning（今朝の株価急騰）
• The Only Way To Make Reliable Monthly Income From The Stock Market!（株式で確実に儲ける唯一の方法）
• This Company is our New "First-Class" Alert! Don`t Miss Out!（この会社は新たな大注目株! お見逃しなく!）

メールの本文には、対象株に関する概要と銘柄コードが含まれています。銘柄コードは、通常、不明瞭化されています。

図.株関連のスパムメールサンプル

では、このようなスパムにどのように対処すればよいでしょうか?

この種のスパムメールが受信ボックスに届いても、決してだまされないように注意してください。うますぎる話には必ず裏があることを忘れないでください。

スパム対策のシグネチャは定期的に更新することをお勧めします。シマンテックではこのようなスパム活動を厳重に監視しており、この傾向の監視を続けて読者の皆様に最新の情報をお届けする予定です。

* 日本語版セキュリティレスポンスブログの RSS フィードを購読するには、http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/jaにアクセスしてください。

Triple Pundit, one of the leading media platforms that reports on corporate responsibility and sustainability news, has featured Symantec’s Senior Director of Corporate Responsibility, Cecily Joseph, in its weekly column Women in CSR.

The column features interviews with leading female CSR practitioners highlighting what inspires them and how they found their way to careers in sustainability. Following is an excerpt from the article where Cecily discusses the evolution of CSR at Symantec:

3p: How has the sustainability program evolved at your company?

CJ: I have been with Symantec for about eight years, and during this time have seen our sustainability program evolve to become more formal and fully integrated with the company’s business purpose. When I first joined Symantec, there were some great teams conducting work on a regional level, but we lacked a global, cohesive approach. We worked to develop a more intentional, international approach, while also being careful to preserve a regional outlook. We are very sensitive to the fact that different regions have different priorities and needs when it comes to creating sustainability programs.

In order to take our sustainability program to the next level, we joined the United Nations Global Compact, a strategic policy initiative for businesses committed to aligning their operations and strategies with ten universally accepted principles in the areas of human rights, labor, environment and anti-corruption. We adopted this framework as our global approach to sustainability.

From there, we began official reporting to identify material issues and focus areas. Through these efforts we began to develop individual programs relevant to Symantec, building out our own enhanced environmental framework and program pillars – IT infrastructure and green IT, conservation, transportation, software packaging and delivery. We built green teams, created a stewardship council and conducted Carbon Disclosure Project (CDP) reporting. Through these strategic efforts we developed programs with measurable outcomes, regional areas of focus and a global framework to tie all initiatives together. We have taken this approach not only for sustainability, but also for our other CR focus areas.

Concerning gender and diversity, for example, we adopted the Women’s Empowerment Principles, created goals around the various principles, and therein became much more formal and intentional around our approach to increase diversity at Symantec and empower women to work in technology.

Cyber awareness is a major focus for Symantec, given our business purpose of managing and protecting information online. We plan a variety of community events around Cyber Security Awareness Month and cyber awareness in general, using every opportunity to educate people about how to be safe online and protect themselves against cybercrime. We provide a variety of educational tools and information to empower individuals and support victims of cybercrime. While this endeavor may simply seem like good business, it extends beyond that into CR when we provide free products, software and support to help protect the people who matter to us and their information.]

The full article is available at: http://www.triplepundit.com/2013/07/women-csr-cecily-joseph-symantec/

Lora Phillips is Symantec's Senior Manager, Corporate Responsibility.

Understanding HIPAA Compliance

The Security Rule and Data Backup

Technical Safeguards Required

One of the most persistent security issues for mobile and web users is phishing - that’s when thieves try to fool you into giving away your personal data. Fake links can be used to persuade you to part with credit card details, PIN numbers and passwords. Sometimes, thieves are even more brazen, simply asking for your information out right.

Phishing attacks are usually easy to spot. By looking at the originating email address one can often spot there’s something wrong. Reputable companies don’t use cloud addresses, for example. Which means you shouldn’t get a message from your bank without the official bank email address having been used.

Sometimes, the email itself looks questionable, but the email address could appear legitimate. It may originate from a domain with the bona fide company name used somewhere in the address. Or the email may appear to come from the company itself. This is called “spoofing”, a practice where the originating address of an email message is faked.

Email spoofing has been around for a long time. Spoofers simply change the email address in the “From” field so that, with a cursory look, a message might appear to originate from somewhere else. Though some email clients flag this up, not all do - and most mail servers don’t stop this behaviour.

It’s fairly easy to spot if you suspect an email isn’t quite as it seems. If you look at the full header of a message, you should see the real origination point in the “Received” section.

In the smartphone age, email spoofing isn’t the only thing we need to look out for. There is also a rise in SMS or text message spoofing. Like emails, text messages are sent with extra information called a “header” that tells the network where to deliver the message, where it came from and where to send the reply to. It’s this “Sender ID” field that can be most vulnerable as some services treat it as the origin point.

Spoofed SMS messages can, in turn, exploit vulnerabilities in any service that allows you to send updates to it via text message. For example, Twitter recently updated SMS authentication in response to this discovery, but some users may still be vulnerable. If your Twitter account has SMS enabled you should check your user settings and make sure you have the PIN code setting enabled - or that you disable SMS services with Twitter altogether.

In a survey last year, Symantec discovered that the Google Play store contained around 200 applications capable of spoofing SMS headers, with millions of combined downloads. Once spotted, the malicious apps are added to the Norton Mobile Security database - so some protection can be achieved by making sure you’ve installed it. But it pays to remain vigilant.

By Richard Clooke on August 01, 2013

It is not uncommon to see social media accounts, specifically Twitter accounts, directing users to malicious sites such as the ones hosting Android.Opfake, an issue we blogged about last year. Recently, we discovered that the accounts of innocent users were being compromised to tweet these types of malicious links to their followers.
 

Figure 1. Malicious tweets from compromised accounts
 

The series of compromised accounts appears to have started around the beginning of July and has affected users globally. A broad range of accounts have been compromised for weeks and many users have yet to notice that their accounts are sending out malicious tweets, even though hundreds of tweets may have already been sent.
 

Figure 2. Compromised account sending legitimate and malicious tweets
 

If you are worried about accidently clicking on malicious links coming from accounts you follow, you might be safe if you do not understand Russian. This is because the tweets are in Russian and you might ignore them if you see them on a friend’s account. If you understand Russian and are following users who regularly tweet in Russian, you should be wary.

After a user clicks on the link, sites hosting malware will be opened in the browser. A typical browser will render the page to trigger an automatic download of the app.
 

Figure 3. Malware hosting sites opened in browsers
 

Even though the apps are downloaded automatically, users will need to manually install the app.
 

Figure 4. Automatically downloaded app
 

Interestingly, a free version Asphalt 7 appears to be available from these malicious tweets. Double check that you are downloading and installing the authentic version of the app because although it appears to be free the malicious version, unlike the official Asphalt 7 app, will send premium SMS in the background. The charges will be much more expensive than the cost of the real app.
 

Figure 5. Fake download site for Asphalt 7
 

There are also tweets with intriguing images to entice users to click on the link and download malware onto their device. The accounts are not always compromised and may have been prepared by the scammers. Keep an eye out for this type of scam.
 

Figure 6. Scam with intriguing images
 

Symantec is working with Twitter to help those who have been compromised. To confirm if an account has been compromised, check if your accounts have made tweets you do not recall and check if you are following accounts you do not remember following. To prevent your accounts from being compromised, use difficult passwords, watch out for phishing scams, and protect your computers and devices from being compromised by malware that steals account information by following security best practices such as keeping the operating system and all installed software patched and using up-to-date security software. To avoid visiting malicious sites, stay away from unusual messages, even from people you know. It is always advisable to install security software such as Norton Mobile Security or Symantec Mobile Security. Symantec detects the malware discussed in this blog as Android.Opfake.

PST files are a bit of a paradox- they’re equally great and painful. End-users love them because they are in total control of how and where they save their valuable messages for easy access later. IT departments hate them due to their unstable nature (especially when they grow into the multiple GB territory) and their ability to consume vast quantities of File Server resources.

This is an age old problem and one that Symantec Enterprise Vault has been helping resolve for many years. It is better for everyone if end-users make use of a centralized, managed archive for their long term message retention needs and allow IT departments to remove the need for PST files, which helps free up the disk, backup and support desk overhead associated with PST usage. End-users are happy, and IT departments are happy. How often can you say that?

At Symantec, we recognize that PST eradication is difficult. To try and make this process as easy as possible, we have made a number of enhancements in our recent Enterprise Vault 10.0.4 release to help make PST eradication less of a “pipedream” and more of a reality.

It is now easier for Enterprise Vault to:

• Find computers that contain PST files on your network.
• Locate PST files ready to migrate and then remove them.
• Allow end-users to tell IT departments where their PST files are.
• Allow end-users to see how their PST migration is progressing.
• Send "migration status" email communication to end-users
• Control which PST files get migrated and when.
• Prioritize the migration of PST files.

If PST migration is a headache you’re wrestling with, then check out details of the Enterprise Vault 10.0.4 release-

Documentation:
http://www.symantec.com/docs/DOC6282

Feature Briefings:
http://www.symantec.com/docs/DOC5619

Also, don’t forget to download the new PST migration whitepaper which offers guidance and tips on performing PST migrations: http://www.symantec.com/docs/DOC6625

I  know from experience that there many, many registry keys that are public knowledge relating to Enterprise Vault, and also from my 6+ years in Enterprise Vault Engineering there are a whole load of non-public registry keys as well. The public ones though do sometimes still have strange surprises left to be revealed. Take for example the following situation:

In Enterprise Vault 10.0.3 a user clicks on a folder, and then clicks on 'Store in Vault', in order to store the whole folder in their archive. Nothing unusual so far. But it might not work, it might fail with an error. And the issue comes about because of a server side registry key relating to fixing up orphaned shortcuts.

Odd?! Definitely. It should be something that is quite rare to happen, because of course at the end of the article that talks about orphaned shortcuts it does categorically say to remember to remove the registry key — but there will be a really small percentage of people who will no doubt forget this, and then might encounter the issue described in the article.

Have a read of the article yourself, and, if you have ever used the FixOrphanedShortcut registry key now might be a good time to check that the key was removed.

http://www.symantec.com/docs/TECH206042

3D printers are fascinating devices that are becoming affordable and widely available.  Many people love to experiment with them, bringing innovation to many different fields. There are so many things that one can do with 3D printing, from controversial ideas like printing weapons to creating copies of security keys. And we’re not just talking about cheap plastic copies. Newer machines can sinter titanium and other materials to create extremely durable objects.

Last week, during the OHM2013 and DEFCON security conferences, two similar presentations on lock picking innovation took place. Both showcased how copies of physical keys could be created using a 3D printer. All that was needed was the keys ID number or a few good pictures of the original key. It’s worrying to think that’s all that is needed to generate a working 3D model of a security key. Some of the 3D model files used are publicly available and can easily be modified or adapted.

This is not a new concept. 3D models for handcuff keys have been publicly available for over a year. Several years ago a few publications demonstrated how to copy a key from a few photos taken with a high resolution camera.

Of course an attacker with decent skills can use ordinary lock picking tools to open those locks as well. With 3D printers becoming accessible to the masses and the corresponding key files distributed online, it becomes even easier and more accessible for a lot more people.

There are many examples where pictures of keys were shown in newspapers or TV shows which could then lead to people copying them. Firemen’s service keys, which can operate many elevators and emergency exits, or police handcuff keys for example, could make for easy targets for anyone with a suitable printer.

While this is not something most people need to worry about, it is important to note that people should be cautious about what physical property they have photographed. Of course this attack does not work with all key and lock combinations. It is kind of similar to digital crypto keys. Older, simpler implementations with weak keys can be broken and should be replaced with stronger versions, but many implementations out there still use small, weak keys and might be at risk.

We've been talking about business continuity for years. No, make that decades. While a standard for business continuity planning has only existed since 2006, organisations have been defining what happens in the case of a serious issue - fire, theft, flood or otherwise - since the last millennium. 

Surely then, that means the topic is already dealt with! Do we really need to talk about it anymore? The answer is yes - but not because organisations are bad at it, quite the contrary. Rather, the way that it is done is costing an awful lot more than it needs. 

Consider a retail customer I spoke to recently. We picked a core application at random, which had a database size of 13GB. However, taking into account RAID, disk replication, cross-site duplication and then off-site data protection, the amount of physical disk space being  used in the name of Business Continuity was 840GB. That's over 60 times more, for a simple application with a relatively small footprint.

The problem isn't just about inefficient use of disk space, nor particularly bad architecture decisions. Rather, it can often come from different parts of the IT organisation each working in silos. In this scenario for example, resilience was implemented three times - once by the applications team, once by the infrastructure team and once by the business continuity team. Each added different techniques for data protection and included excess 'headroom' to ensure the application never ran out of space. 

How can this be changed? Business continuity has traditionally focused on ensuring the availability of equipment, which results in a '2N+1" conversation - take whatever you have, double it and add one. Today, we are looking at having more of a service availability conversation, which assures end-users have access to their IT services and can get on with their jobs. 

Rather than allowing individual groups to make their own resilience decisions, efficient service delivery requires an overview of all the links in the chain. A true business critical environment requires capabilities that were previously treated in isolation - for example security, archiving, data protection, storage management and indeed high availability - to be considered as functions of the environment as a whole. 

As part of Symantec's journey, we are reviewing our capabilities to fit with the need to deliver integrated service availability for our customers. Our three-point plan involves first simplifying and integrating the portfolio, then building a layer of service insight so customers can see where data is stored. On top of this we are looking to deliver cross-platform orchestration so that whole environments can be managed as dynamically and efficiently as possible.

This work is on-going - we will keep you informed of progress as we flesh out the Symantec Business Continuity Platform. The bottom line is that 13Gb needs to mean 13Gb. And with Symantec, it will.  

First, I just want to clarify that MAXTRANSFERSIZE is not a NetBackup-specific code/parameter.

Rather, it's a standard parameter used by Microsoft SQL virtual device (VDI) during backup/restore. Pretty much any backup tool that backs up Microsoft SQL database can use this parameter for tuning purpose. In older NetBackup version, the default value we used was 64KB (the minimum) unless user specified otherwise. Newer NetBackup version (6.5.x, 7.x.x) defaults to 4MB (the maximum) as it improves backup performance and more servers have bigger physical memory. 

The following links should hopefully help you understand the parameter better:

http://www.symantec.com/business/support/index?page=content&id=TECH33423

http://searchitchannel.techtarget.com/feature/SQL-Server-2005-Practical-Troubleshooting

http://blogs.msdn.com/b/psssql/archive/2008/01/28/how-it-works-sql-server-backup-buffer-exchange-a-vdi-focus.aspx

One of the most dangerous threats to IT security is abuse of privileged access. Preventing the exploitation of administrator privileges first requires knowledge of who has administrator access whether local or domain based. This is not only good practice, but also driven by many security standards.

One such security compliance standard is the Payment Card Industry Data Security Standard (PCI DSS) which outlines many security requirements to protect consumers’ credit card data. Requirement 8.5.1 states: Control addition, deletion, and modification of user IDs, credentials, and other identifier objects, which clearly identifies the need to monitor and maintain control of the administrators group.

The Center for Internet Security (CIS) releases security configuration guidelines for each Operating System. For Windows 7 section 1.8 defines User Rights and who should have access to certain system capabilities. The key to the user rights defined by CIS is which users are in the administrators group. Similar to CIS security configuration guidelines, the United States Government Configuration Baseline (USGCB) also defines several security rules around user rights.

Domain administrator accounts in a Windows Active Directory environment are often the main focus for account auditing. This can be a good starting point as Domain Admins have access to GPO policies, domain utilities, and many assets as they are often a member of local administrator groups. One of the challenges in monitoring Domain groups is quickly and regularly identifying who has access due to nested groups and frequent account changes. Nested groups can be problematic as one must identify accounts that have access via a group that is granted access via membership to another Active Directory group. Additions and deletions of accounts can occur frequently and be missed through manual audits.

Unfortunately, administrator access is too often focused on Active Directory resources and fails to look at individual systems administrator access. This is understandable as local systems can require a lot of time to audit without a scalable and automated tool. Too often, systems share the same local administrator account name and passwords making it easy for someone to access any system if they know the credentials. This too can happen through malicious intrusions if local accounts passwords are cracked and those credentials used to access other systems. Finally, there is the challenge of administrators or end users creating additional local administrator accounts exposing those systems to unapproved access.

If regular administrator account discovery does not happen, there is no way of knowing if users have added either themselves or others to the administrators group. Not knowing the current status of the administrator access can lead to failed security audits and risk privilege exploitation.

Arellia Local Security Solution enables IT administrators to monitor local users/groups and domain users/groups as well as domain group auditing. Arellia can also assist IT administrators in maintaining compliance by continually enforcing group membership. By using administrator group discovery, membership enforcement, and randomizing the local administrator password organizations are compliant to security standards and secure against security threats.

Original Article on Arellia.com

In the past 6 months Microsoft has released 51 Security Bulletins addressing 121 vulnerabilities. Here’s a breakdown of the bulletins and vulnerabilities. Of the 51 Microsoft Security Bulletins released nearly 1 out of every 3 bulletins had vulnerabilities that could be used to exploit the rights of the logged on user.

Microsoft classifies the bulletins as critical, important, moderate, and low. Vulnerabilities of critical bulletins mean vulnerabilities can be exploited without the user knowing. Vulnerabilities of important bulletins will provide end users some warnings that the exploit is happening, but these warnings can be easily missed. With the classification in mind 1 out of every 4 bulletins classified as Critical contained a vulnerability that could be used to exploit user privileges.

As seen, privilege impacts the majority of critical bulletins which have the most exposure to being exploited. Privilege management is the practice of running users and applications with the least privileges needed for their task. Privilege management software can mitigate vulnerabilities by limiting rights for users and applications and thus limit the impact of vulnerabilities where the privilege of the running user determines an exploits impact.

The following table shows the vulnerabilities and bulletins for common Microsoft software where privilege exploitation applies.

The above data is in line with previous years which show that Internet Explorer is the most common Microsoft application that can benefit from privilege management, with Windows Operating Systems and Microsoft Office also having their share of privilege management issues.

Software vulnerabilities will be most dangerous to users and businesses if least privilege management best practices aren’t followed. Those best practices include removing administrative rights from end-users, running applications with lowest privileged, and securing administrator accounts. Privileged management software such as Arellia Application Control Solution and Local Security Solution can reduce the impact of vulnerabilities by securing the rights of applications and users.

Original Article on Arellia.com