Channel: Symantec Connect - Blog Entries

Would You Like Some Fish with That Phishing Site?

Phishers are known for making their phishing sites look exactly like the sites they are spoofing. We have seen plenty of examples of the detail they employ, like using JavaScript to include the current date in their static pages. In recent times, Symantec has seen an increase in generic email phishing. Unlike normal phishing, where phishing messages usually have a target in mind (bank customers or social network users, for instance), the generic email phishing technique is slightly different. In generic email phishing, the phishers will target any email address; who the target is does not matter.
 
These generic phishing messages usually claim that the recipient's mailbox size has been exceeded, and direct them to urgently "re-validate" their mailbox to prevent disruption to their email. Symantec recently identified a generic email phishing website which, at first glance, appeared normal. It looked fairly amateurish—demonstrating phishers' poor design skills when they don't have a professional site to rip off—but the site was strikingly unusual for one reason: it had a fish pattern background.
 
[Figure: Generic phishing website with fish pattern background.]
 
We are not sure exactly why phishers decided to use this particular background. Was it a random, unfortunate mistake? An inside joke among fellow phishers? Or perhaps a brazen but not-so-subtle hint to experienced users that it was actually a phishing site? Perhaps—since the site is partially in Italian—the phishers were unaware of the similarity between "phish" and "fish"?
 
To protect yourself from phishing scams, be wary of messages claiming that your account has been restricted or somehow needs to be updated. Keep your security software up to date. Symantec.cloud and Symantec Messaging Gateway customers are protected from these threats.
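The "mailbox exceeded, re-validate urgently" lure described above can be scored mechanically. The following is an added example, not Symantec's code or part of the original post: it runs a few constructed sample messages (a hypothetical recipient at example.com) through a small scorer whose lure phrases and weights are assumptions chosen for illustration, and flags the combination of the quota lure, a re-validation demand, urgency language and a link to a host outside the recipient's own mail domain.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Lure phrases typical of the generic "mailbox exceeded" phishing described in the post.
QUOTA_LURE = re.compile(
    r"mailbox (size|quota|storage)|storage limit|exceeded (your|the|its) (limit|quota)", re.I)
REVALIDATE_LURE = re.compile(
    r"re-?validate|re-?verify|re-?activate|confirm your (account|mailbox)", re.I)
URGENCY = re.compile(
    r"\burgent(ly)?\b|immediately|within 24 hours|will be (suspended|disabled|deactivated|lost)", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)


def registrable_domain(host: str) -> str:
    """Crude last-two-labels domain; sufficient for this example (no public-suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def score_message(subject: str, body: str, recipient_domain: str) -> Verdict:
    """Score one message. The weights are assumptions for this example, not a vendor rule set."""
    text = f"{subject}\n{body}"
    v = Verdict()
    if QUOTA_LURE.search(text):
        v.score += 2
        v.reasons.append("mailbox quota lure")
    if REVALIDATE_LURE.search(text):
        v.score += 2
        v.reasons.append("re-validation request")
    if URGENCY.search(text):
        v.score += 1
        v.reasons.append("urgency language")
    # A "re-validate your mailbox" link that leaves the recipient's own mail domain
    # is the strongest single signal: a real quota notice points at the user's own mail system.
    for url in URL_RE.findall(text):
        host = urlparse(url.rstrip(".,;)")).hostname or ""
        if registrable_domain(host) != registrable_domain(recipient_domain):
            v.score += 3
            v.reasons.append(f"link to third-party host {host}")
            break
    return v


def is_generic_phish(subject: str, body: str, recipient_domain: str, threshold: int = 5) -> bool:
    return score_message(subject, body, recipient_domain).score >= threshold


# Constructed sample messages (not real captures) addressed to a user at example.com.
PHISH = ("Mailbox size exceeded",
         "Your mailbox has exceeded the storage limit set by the administrator. "
         "Re-validate your mailbox urgently at http://webmail-support.example.net/revalidate "
         "or your email will be suspended.")
ADMIN_NOTICE = ("Mailbox at 95% of quota",
                "Your mailbox is close to its storage limit. Archive old items via "
                "https://mail.example.com/settings/archive.")
NEWSLETTER = ("Quarterly report",
              "The Q3 report is at https://intranet.example.com/reports/q3.")

if __name__ == "__main__":
    for subj, body in (PHISH, ADMIN_NOTICE, NEWSLETTER):
        v = score_message(subj, body, "example.com")
        print(f"{subj!r}: score={v.score} phish={v.score >= 5} reasons={v.reasons}")
```

The legitimate quota warning from the user's own mail server scores below the threshold because it lacks the re-validation demand and its link stays inside the recipient's domain.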

Mobile workforce productivity with Symantec Sealed


One of the central challenges of what we call 'consumerisation' is to balance the benefits of employees using their own devices and applications with the risks. Looking at device compliance for example, organisations may be concerned whether a device is jailbroken, whether it is running applications which could put corporate data at risk and so on, or indeed, whether it would pass basic security checks - 60% of mobile device users don't have a pin code!

At the same time, mobile access to data and services helps make people more productive. Take away someone's smartphone and that's not going to help anyone as, in many organisations, even personal devices have become mission critical. At Symantec we've been working hard to resolve the conundrum of how to get content to people as quickly as possible to ensure they can do their jobs, potentially using their own devices, at the same time as assuring the protection of corporate assets. 

The Symantec Sealed program works at the application level, rather than the device level, meaning that services and data are protected whatever the state of the device. Developers can embed Symantec security and management directly into their apps, without having to restrict functionality; device users can then select protected apps from the Symantec App Center in the same way as they would use the App Store. The Symantec Sealed program allows developers to create applications that are protected already and can be easily brought into the Symantec App Center allowing a company to apply policies to how users use that app and manage its rollout.

By working directly with applications, we are changing the game from "how can you manage a device" to "how can you secure the experience". This not only assures data security but also enables features such as remote wipe of a single application, for example if a mobile phone is left in a bar. We already have an email app available, and we are currently looking at inter-app communications - for example enabling a secured PDF reader to open an email attachment. We're also looking at adding VPN and remote gateway capabilities so device users can access corporate services from an 'untrusted' device. 

Organisations can choose the level of security they want according to their own corporate policies - for example to decide whether a document can be read but not emailed, or whether to integrate with Data Leakage Protection. By offering a range of facilities, Symantec Sealed aligns with the evolving need to empower users while managing risks, rather than simply trying (and potentially failing) to lock down anything IT-related. 

At the same time, device users have broader options for how they access corporate data, and therefore increased control. Users can decide the trade-offs for themselves, becoming willing self-managers to gain freedom and access to the tools they need to do their jobs. We are in a new era - of user empowerment - but with Symantec Sealed, consumerisation of mobile device usage does not have to result in increased risk to the business. 

Symantec Sealed Program partner Accellion states how simple the program is – watch the video here

 

 

Our Commitments in Action: Symantec's 2013 Corporate Responsibility Report


I’m excited to share that our Corporate Responsibility Report for fiscal year 2013 has been published. This annual report provides an opportunity to review our goals from the previous year, acknowledge successes, and reflect on how we can continue to refine our corporate responsibility strategy. We hope that you will take a look and let us know what you think (in exchange for your opinions, we're giving you a chance to vote on how we should direct a $50,000 USD grant - so be sure to visit our stakeholder feedback survey!)

We're also hosting our first-ever live stakeholder call on Wednesday, September 18th at 1pm Pacific - I hope you can join us to learn more.

The explosion of information and its accessibility to people all over the world is creating more opportunities to learn, grow, work, and play than ever before. Our mission is to protect and manage that information, which means our business goals are tied to the greater social purpose of helping to make people, businesses and governments safer in a complex digital world. In our approach to corporate responsibility, we focus on this interconnected nature of society, along with our internal culture and core business strengths, to define the three pillars of our strategy: Our People, Your Information, and The World. Below, we highlight some of the specific achievements we’ve made in each of these areas.

Our People (employee satisfaction, talent management and diversity and inclusion):

  • We’ve put our commitment to employees in writing through our Employee Value Proposition (EVP), outlining what they can expect in return for building their careers with Symantec. Our EVP framework is specifically designed to allow more fluid communication between employees working at different levels in the company. It encourages employees’ pursuit of career paths that move vertically (increasing seniority) as well as horizontally (increasing scope of responsibility).
  • We saw a 41 percent increase in employee volunteer hours, as corporate responsibility is becoming more embedded within our company culture.
  • Women in leadership is up from 25 percent to 27 percent, consistent with the overall percentage of employees who are women.

Your Information (cybersecurity, online safety and privacy):

  • Symantec regularly releases studies and findings that aid the public and law enforcement in understanding the state of cybersecurity.
    • This year we released our first Digital Information Index, which highlights the significant impact that cloud computing and mobility are having on businesses today. The 2012 State of Information Report reveals the benefits but also the growing challenges of "information sprawl" as organizations increase the level of information stored and accessed outside of their firewalls.
    • Our Internet Security Threat Report, Volume 18, highlights issues such as an increased focus on social media and mobile device malware and small business targeted attacks.
    • The annual Norton Cybercrime Report, with findings based on self-reported experiences of more than 13,000 adults across 24 countries; the 2012 edition of the Norton Cybercrime Report calculates the direct costs associated with global consumer cybercrime at US $110 billion over the preceding 12 months.
  • We continued to make Norton Family software globally available, free of charge, in 25 languages. We have launched Norton Family Premier in 50 countries so far.
  • We successfully implemented privacy and information security training for all employees and made it company policy for these trainings to be repeated every 18 to 24 months.

The World (climate change, responsible sourcing and community investment):

  • We donated more than USD $24 million in cash and software to organizations worldwide, demonstrating our continued commitment to our nonprofit partners and philanthropic initiatives.
  • We made significant commitments to supporting science, technology, engineering and math (STEM) education, cyber awareness and literacy around the world, particularly in ways that contribute to equal opportunity for girls and women.
  • We continued to implement GHG emission/energy reduction strategies to reduce our carbon footprint.
  • We received three LEED certifications in FY13, including our first Platinum, and one new ENERGY STAR certification; we now have 20 LEED certified facilities and 16 certifications.
  • In FY13, we expanded sub-metering to 73 percent of the square footage of our owned and long-leased lab and data center facilities.
  • We completed integration of human rights language from International Labour Organization (ILO) core conventions into standard training for all employees in FY13, and issued a revised human rights policy statement addressing the principles set forth in the Universal Declaration of Human Rights.

In the coming years, we will continue to address the underrepresentation of women in technology fields by working with our philanthropic partners and making STEM education opportunities more accessible to girls and minorities. As cyber threats become more sophisticated, so will our cybersecurity initiatives to match these threats. And as our company continues to grow in its global presence, so will our pledge to green IT, resource conservation, responsible sourcing and human rights.

Because we are a company whose mission is to protect and manage information, our very business goals are tied to the greater social purpose of helping people, businesses and governments secure their information in a complex digital world. I’m so proud of the work we have done to date, and I can’t wait to see where we’re going.

For more information on our CR work and to view our complete 2013 Corporate Responsibility report, please click here.

 

Cecily Joseph is Symantec's Senior Director, Corporate Responsibility.

Next in this series: Game Plan: Keeping Your Family Safe Online, a look at Symantec’s cybersecurity and online safety initiatives …

 

Save the Date - Why do you need third party archiving capabilities with Exchange and Office 365? Q & A with Michael Osterman


 

Organizations considering Microsoft Office 365 will need to use third party offerings to either supplement or replace some of the capabilities in Microsoft’s offering.

Tune in to the next installment of our Google+ Hangout Virtual Vision series for a question and answer session with Michael Osterman of Osterman Research. We’ll share what drives organizations to adopt Office 365, discuss the archiving limitations and provide Symantec’s recommended approach so you can make the best decision for your organization. 

Get your questions answered live by our expert panelists during the event by submitting your questions to the hashtag #SYMCHangout or Google+ events page.

Panelists:

Michael Osterman— President, Osterman Research, Inc—@Mosterman

Neelum Khan— Senior Product Marketing Manager, Symantec

Matt Stephenson— Community Mgr, Symantec Global Brand—@PackMatt73

Mark your calendars:

Title:  Why do you need third party archiving capabilities with Exchange and Office 365? Q & A with Michael Osterman

Date: Wednesday, September 18, 2013

Time: Starts at 9:30 a.m. PT / 12:30 p.m. ET

Length: 1 hour

Where:  Google+ Hangout: http://bit.ly/15zp01k

Would You Like Some Fish with That Phishing Site? (Japanese edition)

Phishers are well known for trying to make their phishing sites look exactly like the real sites they are spoofing. We have seen a wide range of tricks, such as using JavaScript to embed the current date in static pages. Symantec has recently observed an increase in generic email phishing. Normal phishing usually has a target in mind (bank customers or social network users, for instance), but generic email phishing works a little differently: it targets any email address, regardless of who the recipient is.
 
In most cases, these generic phishing messages claim that the recipient's mailbox has exceeded its size limit and instruct them to urgently "re-validate" the mailbox to avoid losing their email. A generic email phishing website that Symantec recently identified also looked legitimate at first glance. Although it looked amateurish (evidence that phishers have poor design skills when they have no professionally built site to copy), it stood out in one respect: the background was a fish pattern.
 
[Figure: Generic phishing website with a fish pattern background.]
 
We do not know why the phishers chose this particular background. Was it an unfortunate accident? An inside joke among phishers? Or perhaps a brazen, not-so-subtle hint to knowledgeable users that the site is actually a phishing site? Or, given that part of the site is written in Italian, were the phishers simply unaware of the similarity between "phish" and "fish"?
 
To protect yourself from phishing scams, be wary of messages that claim your account has been restricted or otherwise needs to be updated. Also keep your security software up to date. Symantec.cloud and Symantec Messaging Gateway customers are protected from these threats.
 
 
* To subscribe to the RSS feed of the Japanese-language Security Response blog, visit http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja.

Microsoft Patch Tuesday - September 2013


Hello, and welcome to this month's Microsoft patch release blog. This month the vendor is releasing 13 bulletins covering a total of 47 vulnerabilities. Thirteen of this month's issues are rated "Critical".

As always, customers are advised to follow these security best practices:

  • Install vendor patches as soon as they are available.
  • Run all software with the least privileges required while still maintaining functionality.
  • Avoid handling files from unknown or questionable sources.
  • Never visit sites of unknown or questionable integrity.
  • Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft's summary of the September releases can be found here:
http://technet.microsoft.com/ja-jp/security/bulletin/ms13-Sep

The following is a breakdown of some of the issues being addressed this month:

  1. MS13-068 Vulnerability in Microsoft Outlook Could Allow Remote Code Execution (2756473)

    Message Certificate Vulnerability (CVE-2013-3870) MS Rating: Critical

    A remote code execution vulnerability exists in the way that Microsoft Outlook parses specially crafted S/MIME email messages. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

  2. MS13-069 Cumulative Security Update for Internet Explorer (2870699)

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3201) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3202) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3203) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3204) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3205) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3206) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3207) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3208) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3209) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3845) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

  3. MS13-067 Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution (2834052)

    SharePoint Denial of Service Vulnerability (CVE-2013-0081) MS Rating: Important

    A denial of service vulnerability exists in Microsoft SharePoint Server. An attacker who successfully exploited this vulnerability could cause the W3WP process on an affected version of SharePoint Server to become unresponsive. This could make SharePoint sites, and any other sites running under that process, unavailable until the process is restarted.

    MAC Disabled Vulnerability (CVE-2013-1330) MS Rating: Critical

    A remote code execution vulnerability exists in the way that SharePoint Server handles unassigned workflows. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the W3WP service account.

    SharePoint XSS Vulnerability (CVE-2013-3179) MS Rating: Important

    An elevation of privilege vulnerability exists in Microsoft SharePoint Server. An attacker who successfully exploited this vulnerability could perform cross-site scripting attacks and run script in the security context of the logged-on user.

    POST XSS Vulnerability (CVE-2013-3180) MS Rating: Important

    An elevation of privilege vulnerability exists in Microsoft SharePoint Server. An attacker who successfully exploited this vulnerability could perform cross-site scripting attacks and run script in the security context of the logged-on user.

  4. MS13-072 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2845537)

    XML External Entities Resolution Vulnerability (CVE-2013-3160) MS Rating: Important

    An information disclosure vulnerability exists in the way that Microsoft Word parses specially crafted XML files containing external entities.

    Word Memory Corruption Vulnerability (CVE-2013-3847) MS Rating: Important

    A remote code execution vulnerability exists in the way that Microsoft Office software parses specially crafted files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

    Word Memory Corruption Vulnerability (CVE-2013-3848) MS Rating: Important

    A remote code execution vulnerability exists in the way that Microsoft Office software parses specially crafted files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

    Word Memory Corruption Vulnerability (CVE-2013-3849) MS Rating: Important

    A remote code execution vulnerability exists in the way that Microsoft Office software parses specially crafted files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

    Word Memory Corruption Vulnerability (CVE-2013-3850) MS Rating: Important

    A remote code execution vulnerability exists in the way that Microsoft Office software parses specially crafted files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

    Word Memory Corruption Vulnerability (CVE-2013-3851) MS Rating: Important

    A remote code execution vulnerability exists in the way that Microsoft Office software parses specially crafted files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

    Word Memory Corruption Vulnerability (CVE-2013-3852) MS Rating: Important

    A remote code execution vulnerability exists in the way that Microsoft Office software parses specially crafted files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

    Word Memory Corruption Vulnerability (CVE-2013-3853) MS Rating: Important

    A remote code execution vulnerability exists in the way that Microsoft Office software parses specially crafted files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

    Word Memory Corruption Vulnerability (CVE-2013-3854) MS Rating: Important

    A remote code execution vulnerability exists in the way that Microsoft Office software parses specially crafted files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

    Word Memory Corruption Vulnerability (CVE-2013-3855) MS Rating: Important

    A remote code execution vulnerability exists in the way that Microsoft Office software parses specially crafted files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

    Word Memory Corruption Vulnerability (CVE-2013-3856) MS Rating: Important

    A remote code execution vulnerability exists in the way that Microsoft Office software parses specially crafted files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

    Word Memory Corruption Vulnerability (CVE-2013-3857) MS Rating: Important

    A remote code execution vulnerability exists in the way that Microsoft Office software parses specially crafted files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

    Word Memory Corruption Vulnerability (CVE-2013-3858) MS Rating: Important

    A remote code execution vulnerability exists in the way that Microsoft Office software parses specially crafted files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

  5. MS13-074 Vulnerabilities in Microsoft Access Could Allow Remote Code Execution (2848637)

    Access Memory Corruption Vulnerability (CVE-2013-3155) MS Rating: Important

    A remote code execution vulnerability exists in the way that Microsoft Access parses content in Access files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

    Access Memory Corruption Vulnerability (CVE-2013-3156) MS Rating: Important

    A remote code execution vulnerability exists in the way that Microsoft Access parses content in Access files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

    Access Memory Corruption Vulnerability (CVE-2013-3157) MS Rating: Important

    A remote code execution vulnerability exists in the way that Microsoft Access parses content in Access files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

  6. MS13-073 Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2858300)

    Microsoft Office Memory Corruption Vulnerability (CVE-2013-1315) MS Rating: Important

    A remote code execution vulnerability exists in the way that Microsoft Excel parses content in Excel files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

    Microsoft Office Memory Corruption Vulnerability (CVE-2013-3158) MS Rating: Important

    A remote code execution vulnerability exists in the way that Microsoft Excel parses content in Excel files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

    XML External Entities Resolution Vulnerability (CVE-2013-3159) MS Rating: Important

    An information disclosure vulnerability exists in the way that Microsoft Excel parses specially crafted XML files containing external entities.

  7. MS13-071 Vulnerability in Windows Theme File Could Allow Remote Code Execution (2864063)

    Windows Theme File Remote Code Execution Vulnerability (CVE-2013-0810) MS Rating: Important

    A remote code execution vulnerability exists in the way that Windows handles specially crafted Windows theme files. The vulnerability could allow arbitrary code execution if an attacker convinces a user to apply a specially crafted Windows theme. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

  8. MS13-077 Vulnerability in Windows Service Control Manager Could Allow Elevation of Privilege (2872339)

    Service Control Manager Double Free Vulnerability (CVE-2013-3862) MS Rating: Important

    A vulnerability exists in the way that the Windows Service Control Manager (SCM) handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code and take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

  9. MS13-070 Vulnerability in OLE Could Allow Remote Code Execution (2876217)

    OLE Property Vulnerability (CVE-2013-3863) MS Rating: Important

    A remote code execution vulnerability exists in OLE that could be triggered when a user opens a file containing a specially crafted OLE object. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker could take complete control of the affected computer. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

  10. MS13-078 Vulnerability in FrontPage Could Allow Information Disclosure (2825621)

    XML Disclosure Vulnerability (CVE-2013-3137) MS Rating: Important

    An information disclosure vulnerability exists in FrontPage that could allow an attacker to disclose the contents of files on a targeted system.

  11. MS13-075 Vulnerability in Microsoft Office IME (Chinese) Could Allow Elevation of Privilege (2878687)

    Chinese IME Vulnerability (CVE-2013-3859) MS Rating: Important

    An elevation of privilege vulnerability exists in the Chinese version of Office IME that could allow a low-privileged user to elevate their privileges.

  12. MS13-076 Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation of Privilege (2876315)

    Win32k Multiple Fetch Vulnerability (CVE-2013-1341) MS Rating: Important

    An elevation of privilege vulnerability exists when the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could elevate privileges and read arbitrary amounts of kernel memory.

    Win32k Multiple Fetch Vulnerability (CVE-2013-1342) MS Rating: Important

    An elevation of privilege vulnerability exists when the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could elevate privileges and read arbitrary amounts of kernel memory.

    Win32k Multiple Fetch Vulnerability (CVE-2013-1343) MS Rating: Important

    An elevation of privilege vulnerability exists when the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could elevate privileges and read arbitrary amounts of kernel memory.

    Win32k Multiple Fetch Vulnerability (CVE-2013-1344) MS Rating: Important

    An elevation of privilege vulnerability exists when the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could elevate privileges and read arbitrary amounts of kernel memory.

    Win32k Multiple Fetch Vulnerability (CVE-2013-3864) MS Rating: Important

    An elevation of privilege vulnerability exists when the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could elevate privileges and read arbitrary amounts of kernel memory.

    Win32k Multiple Fetch Vulnerability (CVE-2013-3865) MS Rating: Important

    An elevation of privilege vulnerability exists when the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could elevate privileges and read arbitrary amounts of kernel memory.

    Win32k Elevation of Privilege Vulnerability (CVE-2013-3866) MS Rating: Important

    An elevation of privilege vulnerability exists when the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could elevate privileges and read arbitrary amounts of kernel memory.

  13. MS13-079 Vulnerability in Active Directory Could Allow Denial of Service (2853587)

    Remote Anonymous DoS Vulnerability (CVE-2013-3868) MS Rating: Important

    A denial of service vulnerability exists in implementations of Active Directory that could cause the service to stop responding until an administrator restarts it. The vulnerability is caused when the LDAP service fails to handle a specially crafted query.

More information on the vulnerabilities being addressed this month is available at Symantec's free SecurityFocus portal and to our customers through the DeepSight Threat Management System.

 


Two New Symantec Board Members Nominated


With the summer coming to an end and the analyst event season on the horizon, the AR Team at Symantec is looking forward to seeing many of you in person over the next few months.  We will be reaching out at shows, in person and over the phone to discuss product announcements, roadmaps relevant to our leading products and the new offerings we announced as part of Symantec 4.0. We'll also update you on important organizational news.

With those organizational updates in mind, I think it's worth repeating here recent news you may have missed.  Symantec has nominated not one but two new independent members to join the company’s board.  Both nominees have a wealth of experience and fascinating backgrounds.

The two nominees are

  • Major General Suzanne Vautrinot, retiring commander of the 24th Air Force, the Air Force Service Component of the United States Cyber Command;
  • Anita Sands, PhD, group managing director, head of change leadership and a member of the Executive Committee of UBS Wealth Management Americas.

You can read more about the nominees at the link below.

http://www.symantec.com/about/news/release/article.jsp?prid=20130828_01

It's a move that, according to some sources (see the link below), means good news for Symantec in many ways.

http://www.30percentclub.org.uk/press/companies-with-women-board-members-may-have-an-edge-in-performance-and-stock-price/

Voting will take place at Symantec’s Annual Meeting on October 22, 2013 and my team and I will be sure to keep you informed on the announcement. 

More news and views to come in my blog next week, where I will be sharing with you an insight into our vertical offerings and the progress we are making.

 

 


Symantec at M6 Mobility Xchange


 

Here we are, 24 hours away from M6 Mobility Xchange in San Diego. I am very excited to attend this event for the first time and I cannot write enough about how proud we are to share the activity lineup we have at M6.

Ever since Symantec’s 4.0 strategy was announced, there has been a huge shift in culture and mindset within the company. Products and people were reorganized to align with the “jobs” that our customers are trying to solve, instead of being grouped by the way we developed the products. One of the “peaks” of solutions formed in the new Symantec world is User Productivity and Protection. The solutions mapped into this peak are all those that protect users, their data and their devices while enabling them to stay productive. And, of course, Enterprise Mobility solutions fall into this peak.

Symantec has come a long way in Mobility. Our foray into this space was with a Mobile Device Management product, back in the days when a “mobile solution” still meant locking devices down so that only authorized devices could access confidential data. However, with the plethora of mobile apps in the app stores, everyone realized that authorizing the device does not mean securing the data. Protecting the applications, and the data accessed by those applications, is a much more critical aspect of enterprise mobility. To address this, Symantec acquired Nukona, the pioneer in application wrapping technology, and we have not looked back in the Enterprise Mobility space since. Whether it is wrapping and distributing applications at a much more granular level, or integrating mobile productivity solutions with the relevant security solutions, Symantec has proven to have the right vision and strategy to be the winner.

Here’s a quick glance at our presence at M6:

Keynote (7.50-8.35am, Sep 17)

  • Speaker: Michael Lin, Vice President, Product Management, Enterprise Mobility, Symantec
  • Topic: Mobility Challenge: Optimizing mobile devices, protecting your information, and providing a great customer experience

General Session Executive Panel (8.35-9.30am, Sep 17)

  • Moderator: Maribel Lopez, Conference Chair
  • Panelists: Phil Buckellew, VP, Enterprise Mobile, IBM Software Group; Sam Lakkundi, Chief Mobile Officer, Kony; Dave Lowe, VP, Samsung Telecommunications America;  Dan Mahowald, VP Enterprise Mobility, SAP Americas; Michael Lin, VP, Product Management, Mobility, Symantec

Case Study Presentations

If you are attending M6 and want to chat with me, either walk up to me or ping me on Twitter.

See you there!

 

What are the Enterprise Vault Converters?


People who have been around Enterprise Vault for quite a while will have heard of the Enterprise Vault Converters. In this post I'll explain a little bit about the converters, what they do, and why they're needed in a product like Enterprise Vault.

A long time ago, in a far away place, the converters were also known as Outside In Converters. I *think* (but a Bing search just now didn't help) that it was a separate company that was eventually purchased by Oracle. Oracle is certainly the home now:

http://www.oracle.com/technetwork/middleware/content-management/oit-all-085236.html

Essentially what the converters do is take content like Microsoft Word documents, PDF files and so on, and convert it to HTML (or text). For a product like Enterprise Vault and its archiving activities, this means that Enterprise Vault can obtain a file from a message, a file system, SharePoint, etc., pass it to the converters and get back an HTML or text equivalent of the file. This can then be added to the Enterprise Vault index, for our friendly users to search against. Oracle Outside In Technology (OIT) can convert about 600 different file formats, according to the Oracle web site.

From time to time there are updates to the converters. This usually happens from Enterprise Vault version to version, sometimes from service pack to service pack, and *very* occasionally as a more urgent standalone update like this one:

http://www.symantec.com/docs/TECH167455

You normally see the converters running as a process (or a number of processes) called EVConverterSandbox.  Take a look on your Enterprise Vault server, during an archiving run, and you'll see them busily converting content for your items. 

Symantec Achieves Certifications to Help Government Balance BYOD Productivity and Security


By Dr. Rose Quijano-Nguyen, Principal Certification Strategist – Global Vertical Offerings, Symantec Corp.

As remote working arrangements and “bring your own device” programs become more and more common, both the public and private sectors have an increasing need to protect confidential data on mobile devices against mounting cybersecurity threats. Symantec App Center is a mobile application and content management solution that secures corporate data on iOS and Android mobile devices. To allow the public sector to take advantage of the latest mobile technologies in a secure manner, the Symantec App Center Cryptographic Module recently achieved Federal Information Processing Standard (FIPS) 140-2 validation.

In a growing number of countries, FIPS 140-2 validation is considered the benchmark for cryptographic security, enabling government agencies to protect sensitive information and comply with strict government regulations while minimizing risk. Validations are issued by the Cryptographic Module Validation Program (CMVP), a joint effort of the U.S. National Institute of Standards and Technology (NIST) and the Communications Security Establishment Canada (CSEC).

Securing this validation for App Center’s cryptographic module is important, as App Center offers advanced technology that enables user productivity on mobile devices, regardless of their ownership, while protecting enterprise data. Additionally, App Center offers enterprise-grade security on a per-app basis, without requiring any source code changes or SDK embedding.

Several other Symantec solutions have also achieved recent certifications, including:

  • The Altiris IT Management Suite, which has achieved Common Criteria certification at Evaluation Assurance Level 2 augmented (EAL2+), maintained through the Common Criteria Assurance Continuity process. Common Criteria is an international evaluation standard for IT security products, required for many IT purchases by the U.S. federal government and recognized by more than 20 countries, including the United States, United Kingdom, Canada, Germany and Australia. It is published as an International Organization for Standardization (ISO) standard and, like FIPS 140-2 validation, is backed by rigorous independent testing.
  • Symantec Endpoint Protection Small Business Edition, Symantec Network Access Control and Symantec Web Gateway, which all have achieved certification from the Ministry of Public Security in China – the No. 1 mobile market in the world, according to mobiThinking.
  • Symantec NetBackup and Backup Exec 2012, which received certification from Russia’s Federal Service for Technology and Export Control (FSTEC), which governs the handling and processing of confidential information in Russia.

“These efforts are just one way we’re working to make it easier for both the public and private sectors to deploy devices with confidence, even in the most demanding environments,” said Cheri McGuire, Vice President of Global Government Affairs & Cyber Security Policy at Symantec. “Providing top-notch security while protecting user privacy is something we take seriously, and we know that governments and businesses do too. Our solutions provide clients with reassurance that they are using trusted and proven technologies that meet the highest standards for data protection.”

Cybersecurity is a business problem


Cybersecurity is certainly a hype word in the press at the moment. Security professionals and CSOs that are longer in the tooth are saying, "move along, nothing new here" - are they right? To answer this, we need to take into account that we have always had a sliding scale, with security at one end and usability at the other. Remember the old adage that the most secure computer is the one buried in a box, encased in concrete. 

The trouble is, users are like rivers - they will find the easiest way down the hill. If security mechanisms are too taxing, users will look for ways round them - or indeed stop using the systems altogether, for example by storing information locally rather than trying to access unusably secure corporate systems. 

The shifts we are seeing today are largely driven by the increasing speed and complexity of technological change. Not that long ago, organisations were looking to protect computers, systems and databases that were designed to last years, if not decades. Many of the capabilities we see as mainstream today didn't even exist three years ago, however. 

Just as technology continues to fragment, so information-related attacks on citizens and institutions are increasing in complexity. Whereas security used to be relatively linear, protecting a known set of systems against direct attack, the types of threat have multiplied. Threats are becoming so diverse and numerous that the aggregated risk (the cyber-risk) finds whichever way it can through the barriers in place.

This transition is taking us from information security - treating individual systems and the corporate IT environment - to cybersecurity. While 'infosec' was an IT problem, cybersecurity is a problem for individuals, for businesses, and indeed for governments as it has become the fifth domain for warfare. The problems are bigger, they happen faster and their impact can be far worse. 

As a result, we need to move from information protection to cyber resilience, readiness and response. At Symantec for example, we have a readiness and response team which fills the gap between analysing potential threats and engaging directly with what is happening at customer sites. This way, as we correlate events and detect potential new threats, we can prioritise and respond accordingly. 

Customers are also evolving from a purely infrastructure-centric view, to one which looks at what people are doing and how business activities can be protected. The sliding scale is subordinate to ensuring the business can continue to operate, that information is still available and accessible, that people can be productive even as data is protected. 

Ultimately, the user experience is paramount. By recognising this, organisations can look at what they are trying to achieve as a business and ensure it happens securely, rather than implementing security controls that are targeted more at systems than at business priorities.

Android Mobile App Pen-Test Tricks Part I – Installing CA Certificates


Just like a web application penetration test, a mobile application penetration test is not voodoo magic, but rather an exercise in knowledge, prioritization, and efficiency. During years of hard work, penetration testers hone their methodology and develop efficient ways of applying their knowledge in order to identify specific vulnerabilities within mobile applications. The "Android Mobile Application Penetration Test Tricks" blog series will examine some techniques that you can use while performing your own penetration tests. The same concepts apply to conducting application penetration tests within Apple iOS, but obviously the implementation details are different.

In order to get your Android emulator functional, please refer to Christopher Emerson's excellent "Android Application Security Assessments" blog series. Learn how to install the Windows emulator, install the Linux emulator, configure an intercepting proxy, and install Android applications. Let's pick up where Christopher left off.

Let's hope that your Android application communicates over encrypted SSL network connections. If this is not the case, please slap the developers repeatedly. If this is the case, configuring an intercepting proxy will likely break application functionality as the intercepting proxy Certificate Authority (CA) certificate is not trusted by the emulator. Let's fix that. For the purposes of this tutorial, let's assume that you're using the Burp intercepting proxy and Android 4.2 (API Level 17, commonly known as Jelly Bean), the current version at the time of writing. Other versions of Android 4.0 (API Level 14, commonly known as Ice Cream Sandwich) and later can be configured in a similar manner.

The first step is to download your Burp CA certificate. Assuming that Burp is configured as your proxy server, you can download the certificate by browsing to http://burp/cert. The certificate is downloaded as a DER (Distinguished Encoding Rules) certificate, which is perfect for importing into the Android operating system. Just append ".der" onto the filename when you save the certificate. If you're using another intercepting proxy, you can download the certificate using your browser. For example, let's assume that you're using Firefox 19.0.2, the current version at the time of writing. Assuming that Firefox is configured to use your intercepting proxy, browse to an arbitrary SSL site and then click the padlock to the left of the address bar:

rtaImage.png

Click "More Information…", select "Security", click "View Certificate", select the "Details" tab, highlight the name of the intercepting proxy CA (not the specific site), and click "Export…":

rtaImage2.png

Make your life easier by saving the certificate in "X.509 Certificate (DER)" format. Once you have downloaded the CA certificate you can start your AVD (Android Virtual Device):

    $ emulator64-arm -avd myEmulator -http-proxy http://localhost:8080

Just replace "myEmulator" with the name of your AVD and modify the Burp port "8080" accordingly. In addition, note that the "emulator64-arm" command is for Android ARM emulators running within 64-bit operating systems. Depending on your operating system and emulator processor, you might need to run one of the other emulator commands instead (e.g., emulator, emulator-arm, emulator-x86, emulator64-x86, emulator-mips, or emulator64-mips). Once your emulator is running you can copy the certificate into the emulator filesystem with the following ADB (Android Debug Bridge) command:

    $ adb push cacert.der /mnt/sdcard
    13 KB/s (712 bytes in 0.052s)

Now we can finally install the certificate. There are a few ways to do this. The easiest is to browse to the certificate file with a file manager such as ASTRO File Manager. You can download the APK (Application Package) for ASTRO File Manager 3, the most stable version at the time of writing, from http://www.metago.net/downloads/. Alternatively, you can obtain the APK from a physical Android device. Install the APK within your emulator with the following ADB command:

    $ adb install ASTRO_3.1.427.std.apk
    3018 KB/s (2915424 bytes in 0.943s)
            pkg: /data/local/tmp/ASTRO_3.1.427.std.apk
    Success

Now you're cooking with gas! Launch ASTRO File Manager and click "MANAGE MY FILES" and you should see the certificate in the /mnt/sdcard directory:

rtaImage3.png

Click on the certificate and you'll be prompted to name the certificate. Enter a name and select "OK". You'll then be prompted to configure a lock screen pattern, PIN, or password in order to enable credential storage. Complete this step and the certificate will be installed. You can view the installed certificate by selecting "Settings", "PERSONAL / Security", "CREDENTIAL STORAGE / Trusted Credentials", and "USER". You can click on the certificate in order to view certificate details.

Alternatively, instead of using ASTRO File Manager you can install the certificate by selecting "Settings", "PERSONAL / Security", and "CREDENTIAL STORAGE / Install certificates from SD card". However, your mileage may vary as in my environment the emulator does not consider the /mnt/sdcard directory to be a SD card within this context. In this case you'll receive the error message "No certificate file found in the SD card." Hopefully future emulator versions will fix this bug.
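The steps above, collected into an added shell example. This is not code from the original post and not Burp's or Android's own tooling. It downloads the proxy CA in DER form through the proxy, checks that the file really is a CA certificate (a per-site leaf certificate exported by mistake from the browser dialog installs without complaint but leaves the proxy untrusted), writes a PEM copy under the `<subject_hash_old>.0` file name that Android's certificate stores use, and pushes both files to the emulator's sdcard. The proxy address, the http://burp/cert path (Burp's default), and an AVD already running are assumptions of the example.

```shell
#!/bin/sh
# Added example, not code from the original post or from Burp/Android.
# Fetch the intercepting proxy's CA certificate, verify that it is a CA,
# name it the way Android's certificate stores do, and stage it on the emulator.
# Assumed (hypothetical) values: the proxy listens on localhost:8080 and serves
# its CA at http://burp/cert (Burp's default); openssl, curl and adb are on PATH;
# an AVD is already running.

PROXY_URL="${PROXY_URL:-http://localhost:8080}"

# Download the proxy CA in DER form *through* the proxy, as the post describes.
fetch_proxy_ca() {
    curl -sf -x "$PROXY_URL" -o "$1" http://burp/cert
}

# Succeeds only if the DER file carries basicConstraints CA:TRUE. This catches
# exporting a per-site leaf certificate instead of the proxy's CA: a leaf will
# install, but the proxy's forged site certificates will still be untrusted.
is_ca_cert() {
    openssl x509 -inform DER -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Print the file name Android uses for CA certificates in its stores:
# the OpenSSL "old" (MD5-based) subject hash followed by ".0".
android_cert_name() {
    printf '%s.0\n' "$(openssl x509 -inform DER -in "$1" -noout -subject_hash_old)"
}

# Convert DER to PEM under the Android store name in directory $2; print the path.
der_to_android_pem() {
    out="$2/$(android_cert_name "$1")"
    openssl x509 -inform DER -in "$1" -out "$out" && printf '%s\n' "$out"
}

# Copy a file to the emulator's sdcard for installation through Settings
# or a file manager, as described above.
push_to_sdcard() {
    adb push "$1" /mnt/sdcard/
}

# Whole procedure: fetch, verify, convert, push. Returns non-zero on a non-CA cert.
stage_proxy_ca() {
    dir="${1:-.}"
    fetch_proxy_ca "$dir/cacert.der" || { echo "could not fetch CA from proxy" >&2; return 1; }
    is_ca_cert "$dir/cacert.der" || { echo "cacert.der is not a CA certificate" >&2; return 1; }
    pem=$(der_to_android_pem "$dir/cacert.der" "$dir") || return 1
    push_to_sdcard "$dir/cacert.der" && push_to_sdcard "$pem"
}

# Run with: sh stage_proxy_ca.sh run [output-dir]
# Sourcing the file only defines the functions.
if [ "${1:-}" = "run" ]; then
    stage_proxy_ca "${2:-.}"
fi
```

Run it with `sh stage_proxy_ca.sh run ./out` while the emulator and proxy are up, then install the pushed certificate as described above. Two caveats the post does not cover: an app that pins its server certificate will still refuse the proxy even with the CA installed, and from Android 7.0 onward apps ignore user-installed CAs unless they opt in, so the user-store route shown here applies as-is only to Android 4.x through 6.x.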

Your intercepting proxy CA certificate is now trusted by the emulator, so you can now proceed with your mobile application penetration test! Well that's all for this installment of the "Android Mobile Application Penetration Test Tricks" blog series. In our next installment we'll get busy with BusyBox!

Testing the Norton Secured Seal in a Development Environment


We have written this short blog post about how to set up and test the Norton Secured Seal in a website development environment after receiving a question about it on Twitter (@nortonsecured).

Customers can test the Norton Secured Seal in their development environment following these steps:

  • Set up a development environment where the domain name matches their production website that is secured by a Symantec SSL certificate. E.g. If the production website is www.abc.com, the development environment could be test.abc.com
  • Generate the Seal script from Symantec's Seal Install page at http://www.symantec.com/ssl/seal-agreement/install.jsp (script needs to be generated using the domain name of the website in test environment e.g. test.abc.com)
  • Update the web page in the development environment to include the generated seal script

Since the development environment will, in most cases, not have an exact domain name match with the production environment, customers will see a generic seal splash page in their test/development environments.

Hidden Lynx – Professional Hackers for Hire


For the past few years, reports have continued to emerge detailing the activities of actors behind various targeted attacks or Advanced Persistent Threats (APTs). Here at Symantec Security Response, we’ve been keeping our eyes on a group that we believe are among the best of breed. We’ve given them the name of Hidden Lynx—after a string that was found in the command and control server communications. This group has a hunger and drive that surpass other well-known groups such as APT1/Comment Crew. Key characteristics of this group are:

  • technical prowess
  • agility
  • organization
  • sheer resourcefulness
  • patience

These attributes are shown by the relentless campaigns waged against multiple concurrent targets over a sustained period of time. They are the pioneers of the “watering hole” technique used to ambush targets, they have early access to zero-day vulnerabilities, and they have the tenacity and patience of an intelligent hunter to compromise the supply chain to get at the true target. These supply chain attacks are carried out by infecting computers at a supplier of an intended target and then waiting for the infected computers to be installed and call home. Clearly these are cool, calculated actions rather than the impulsive forays of amateurs.

This group doesn’t just limit itself to a handful of targets; instead it targets hundreds of different organizations in many different regions, even concurrently. Given the breadth and number of targets and regions involved, we infer that this group is most likely a professional hacker-for-hire operation that is contracted by clients to provide information. They steal on demand, whatever their clients are interested in, hence the wide variety and range of targets.

We also believe that to carry out attacks of this scale, the group must have considerable hacking expertise at its disposal: perhaps 50 to 100 operatives are employed, organized into at least two distinct teams tasked with different activities and using different tools and techniques. These types of attacks require time and effort to carry out; some of the campaigns require research and intelligence gathering before any successful attacks can be mounted.

At the front line of this group is a team that uses disposable tools along with basic but effective techniques to attack many different targets. They may also act as intelligence collectors too. This team we call Team Moudoor after the name of the Trojan that they use. Moudoor is a back door Trojan that the team uses liberally without worry about discovery by security firms. The other team acts like a special operations unit, elite personnel used to crack the most valuable or toughest targets. The elite team uses a Trojan named Naid and are therefore referred to as Team Naid. Unlike Moudoor, the Naid Trojan is used sparingly and with care to avoid detection and capture, like a secret weapon that is only used when failure is not an option.

Since 2011, we have observed at least six significant campaigns by this group. The most notable of these is the VOHO campaign of June 2012. What was particularly interesting about this attack was the use of the watering hole technique and the compromise of Bit9’s trusted file signing infrastructure. The VOHO campaign was ultimately targeting US defense contractors whose systems were protected by Bit9’s trust-based protection software. When the Hidden Lynx attackers’ progress was blocked by this obstacle, they reconsidered their options and found that the best way around the protection was to compromise the heart of the protection system itself and subvert it for their own purposes. This is exactly what they did when they diverted their attention to Bit9 and breached its systems. Once inside, the attackers quickly found their way into the file signing infrastructure that was the foundation of the Bit9 protection model, used it to sign a number of malware files, and then used those signed files to compromise the true intended targets.

For those interested in more in-depth information, we have published a whitepaper that describes the group and the attack campaigns carried out by them.

We have also put together an infographic that summarizes the key information about this prolific Hidden Lynx group.

E3292280-HiddenLynx-Infographic.png


Symantec Encryption Product Updates


Symantec Encryption Releases 3.3.1/10.3.1
In this release, we support Windows 8, increase our Linux platform support, and as always improve security whenever appropriate.  Here’s a summary of what’s new:

  • Support Windows 8 Pro and Enterprise editions 32- and 64-bit versions, for Symantec Drive Encryption both BIOS and UEFI systems (only 64-bit for UEFI), Desktop Email Encryption, File Share Encryption, and Encryption Desktop utilities (PGP Virtual Disk, ZIP, and Shredder)
  • Desktop Email Encryption compatibility with Microsoft Outlook 2013, both 32- and 64-bit versions
  • Desktop Email Encryption compatibility with Microsoft Office 365 Cloud Server when using a supported email client
  • Mac OS X 10.8.3 and 10.8.4 support for Symantec Drive Encryption and Symantec Desktop Email Encryption
  • Symantec Drive Encryption support for Linux.  This now includes Red Hat Enterprise 5.9, 6.3, and 6.4 (32- and 64-bit).  Ubuntu 10.04 LTS (32- and 64-bit) is supported as well.

We realize we are somewhat late with Windows 8 support, but we will only release a product based on quality vs. a timeline.  As part of the quality assurance, we thoroughly tested this latest release both internally at Symantec and via our Beta program.  The public Beta consisted of a broad range of customers.  Many of these customers are large with complex environments spanning various verticals from education, health care, financial services, and even government agencies.

Office 2011 for Mac Updated


I still try to use my Hackintosh as much as possible, though it's not quite as much as I'd like. Because I use it reasonably often, I now like to keep up to date with things like Office 2011 for Mac updates from Microsoft.

I saw just the other day that there is a new update. See this link:

http://www.tuaw.com/2013/09/11/microsoft-releases-fixes-critical-security-update-for-office-20/

It takes Office to version 14.3.7, and the file is 113 MB. I have downloaded and installed it, but, as my production mailbox isn't touched by Enterprise Vault, I can't tell you whether it still works with the Enterprise Vault Mac Add-in. So remember to give it a try yourself in a lab environment before the update for Office is pushed out to users.

 

Symantec Intelligence Report: August 2013


In this month’s report we take a look at social media scams so far in 2013. What we have noticed is that fake offerings, such as bogus opportunities for discount purchases, have dominated the social landscape this year, making up 82 percent of all social media attacks.

In the realm of data breaches, August saw a decrease in the number of breaches, with seven reported during the month. However, there were a further nine breaches reported in August that had occurred earlier in the year, bringing the total to 125 breaches resulting in a total of 91 million identities being exposed in 2013 so far.

In other news, 213 new mobile malware variants were discovered this month, a modest increase since July, but nowhere near the numbers we saw in June. There were 469 new vulnerabilities discovered in August, a 13 percent increase compared to the total in August of 2012.

The global spam rate fell 2.4 percentage points from July to 65.2 percent. The top-level domain for Poland (.pl) comprised almost 48 percent of spam-related domains in August, topping the list for the second month in a row.

Finally, financial-themed phishing emails top the list of topics, comprising 66.8 percent of all phishing attempts blocked. Many of these phishing attempts appear to have come from Japan, which is responsible for 55 percent of phishing emails.

We hope you enjoy the August Symantec Intelligence Report. You can download your copy here.

New Internet Explorer Zero-day Found in Targeted Attacks


On September 17, Microsoft issued an advisory reporting a new zero-day vulnerability in Internet Explorer: Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3893). The advisory states that the vulnerability corrupts memory in a way that could allow attackers to execute arbitrary code. The attack works by enticing users to visit, with Internet Explorer, specially crafted websites that exploit the vulnerability. Microsoft also states that at this time the vulnerability is known to be exploited in only a limited number of targeted attacks.

While Microsoft has yet to release a patch for this vulnerability, it has provided a temporary "Fix It" tool as a workaround until a security update is made available. To ensure Symantec customers are protected against this Internet Explorer zero-day, the following protection has been put in place:

Antivirus

Intrusion Prevention System

Symantec will continue to investigate this attack to ensure the best possible protection is in place. As always, we recommend that users keep their systems up-to-date with the latest software patches and refrain from opening any suspicious emails. We also advise customers to use the latest Symantec technologies and incorporate the latest Symantec consumer and enterprise solutions to best protect against attacks of this kind.

How to create multiple complex passwords


Most people use the same password for email, shopping and social networking websites because a single chosen password is easy to remember. This is a serious risk: a security breach at one website compromises every account that shares the password.

An interesting solution for creating a set of unique passwords for many websites is proposed on the SS64 website: the Multiple Password Generator.

As described on the SS64 website:

So, the idea is that you memorize just one, reasonably long/secure master password and use that to generate a set of non-dictionary passwords. Copy and paste the new password(s) into the website and set your web browser to remember them.

All the websites get different passwords, but you only have to remember one!

Using a different PC you can re-generate the same set of passwords at any time by returning to this page and entering the same master password.

  • All the generated passwords end in "1a", to guarantee they contain at least one letter and one number.
  • Using UPPER or lower case will produce different passwords, when using this for the first time it’s a good idea to use the 'Show Password' tickbox to check for any typos.
  • Most websites will send a password reset via email, so set the password for that email account to something completely different, just in case you ever forget the master password!
     

 

Link : SS64 Password Generator
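The scheme quoted above, as an added Python example. This is not the SS64 generator's own code and may not match its algorithm: one memorised master password plus the site name is run through PBKDF2-HMAC-SHA256 and rendered as printable characters ending in "1a", the convention quoted above. The KDF, iteration count, output length and the `counter` argument are assumptions of this example; the counter is not part of the quoted scheme and is there so that one site's password can be rotated after a breach without changing the master password.

```python
"""
Added example (not SS64's code): a deterministic per-site password generator
of the kind the post describes. Assumptions of this example: PBKDF2-HMAC-SHA256
as the derivation function, the iteration count, the default length, and the
`counter` parameter (not in the quoted scheme) used to rotate one site's
password without changing the master password.
"""
import base64
import hashlib
from typing import Dict, Iterable

ITERATIONS = 100_000   # assumption: slows offline guessing of the master if a site password leaks
DEFAULT_LENGTH = 16    # assumption: total characters, including the suffix
SUFFIX = "1a"          # from the post: guarantees at least one letter and one digit


def derive_site_password(master: str, site: str, counter: int = 0,
                         length: int = DEFAULT_LENGTH) -> str:
    """Return the password for `site`.

    Both master and site are case-sensitive, so "Example.com" and "example.com"
    yield different passwords, which matches the post's warning about case.
    """
    if length <= len(SUFFIX):
        raise ValueError("length must leave room for the suffix")
    if counter < 0:
        raise ValueError("counter must be non-negative")
    # The site name and rotation counter act as the salt; the NUL separator
    # keeps (site="ab", counter=1) and (site="a", counter="b1") from colliding.
    salt = f"{site}\x00{counter}".encode("utf-8")
    body_len = length - len(SUFFIX)
    # Base64 yields at least 4 characters per 3 bytes, so body_len bytes suffice.
    raw = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt,
                              ITERATIONS, dklen=max(32, body_len))
    # URL-safe alphabet avoids "+" and "/", which some sites reject in passwords.
    body = base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")
    return body[:body_len] + SUFFIX


def derive_many(master: str, sites: Iterable[str]) -> Dict[str, str]:
    """Regenerate the whole set of site passwords from the single master,
    which is what the post means by re-generating the set on a different PC."""
    return {site: derive_site_password(master, site) for site in sites}


if __name__ == "__main__":
    demo_master = "correct horse battery staple"   # constructed demo value
    for site, pw in derive_many(demo_master, ["example.com", "mail.example.net"]).items():
        print(f"{site:20s} {pw}")
```

Two caveats worth knowing before adopting any scheme of this shape: because the derivation is public, a single leaked site password lets an attacker run an offline dictionary attack against the master (the iteration count only slows that down), and sites with their own password rules (maximum length, forbidden characters) need per-site exceptions that a memorised master cannot express. Both are reasons a password manager that stores random, independent per-site secrets is usually the stronger choice.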
