Channel: Symantec Connect - Blog Entries

Linux Back Door Uses a Disguised Communication Protocol


 

In May of this year, attackers used a sophisticated technique to break into a large Internet hosting provider and gained access to its internal administrative systems. The attackers appear to have been after customer information such as usernames, email addresses, and passwords. They did reach customer records through the internal administrative systems, but the attack was discovered, and because certain security measures were in place the scope of the breach was limited. Customer passwords were accessible, but they were hashed and salted, which made mass cracking difficult. Customer financial information was also accessible, but it was encrypted. Unfortunately, access to the encryption keys could not be prevented. Data breaches against companies and mass dumps of customer data are reported almost daily, but this attack was far more sophisticated than most.

The attackers knew that the target environment was generally well protected. In particular, suspicious network traffic or file installations can trigger a security review, so they needed a way to avoid both. Demonstrating their sophistication, the attackers devised a stealthy, custom Linux back door and hid it inside Secure Shell (SSH) and other server processes.

The back door gives the attackers the usual capabilities (remote command execution and so on), but it does not open a network socket or attempt to connect to a command-and-control (C&C) server. Instead, the back door code is injected into the SSH process, where it monitors network traffic looking for a specific sequence of characters: colon, exclamation mark, semicolon, period (:!;.).

When this pattern is found, the back door parses the remainder of the traffic and extracts commands that are Blowfish-encrypted and Base64-encoded.

3357137-fig.png

Figure. Example of an injected command

This lets the attackers make ordinary connection requests over SSH or other protocols and embed the secret sequence inside legitimate traffic, evading detection. Once a command executes, the result is sent back to the attacker. The back door code bears no resemblance to any other Linux back door Security Response has analyzed.

The code appears to be split across shared library files and hooks many functions (read, EVP_CipherInit, fork, ioctl, and so on). When it runs, it performs the following operations:

  • Executes arbitrary commands issued by the attacker, in the form:
    exec sh -c '[attacker's command]' >/dev/null 2>/dev/null
  • Executes one of a set of preconfigured commands and captures its output.
  • Harvests the following data from individual SSH connections:
    • Connecting hostname, IP address, and port
    • Username and password or SSH key
  • Encrypts the stolen data or command responses with Blowfish and sends them to the attacker.

To determine whether this back door is present on your network, look for traffic containing the string ":!;." (without the quotes). Traffic containing this string is not recorded in the SSH logs. Another approach is to dump the SSHD process and search it for the following strings (where [value] stands for varying values):

key=[value]
dhost=[value]
hbt=3600
sp=[value]
sk=[value]
dip=[value]
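The two checks described above, as an added example written for this page rather than code from Symantec's analysis: scan one side of a reassembled TCP session for the ":!;." marker and pull out the Base64 run that follows it, and scan a dumped sshd process image (for example a core produced with gcore on the sshd PID) for the key=/dhost=/hbt=3600/sp=/sk=/dip= strings. The sample stream and memory dump are constructed here (the Base64 blob is not real Blowfish ciphertext), and the rule that requires hbt=3600 plus two of the other names before flagging a dump is this example's own choice, not part of the original indicators.

```python
import base64
import re

# Marker the back door watches for inside otherwise legitimate traffic (from the post).
FOKIRTOR_MARKER = b":!;."

# Base64 run that follows the marker (Blowfish ciphertext, Base64-encoded).
B64_RE = re.compile(rb"[A-Za-z0-9+/]{8,}={0,2}")

# Strings the post says appear in a dumped sshd process; hbt=3600 is the fixed one.
CONFIG_RE = re.compile(rb"\b(key|dhost|hbt|sp|sk|dip)=([^\s\x00&]+)")


def find_marker_commands(stream: bytes):
    """Return [(offset, base64_blob)] for each marker found in a byte stream,
    e.g. the client-to-server payload of a TCP session reassembled from a pcap."""
    hits = []
    pos = 0
    while True:
        idx = stream.find(FOKIRTOR_MARKER, pos)
        if idx < 0:
            return hits
        tail = stream[idx + len(FOKIRTOR_MARKER):].lstrip()
        m = B64_RE.match(tail)
        hits.append((idx, m.group(0) if m else b""))
        pos = idx + len(FOKIRTOR_MARKER)


def find_config_strings(memory: bytes):
    """Return {name: value} for every Fokirtor-style config string in a process dump."""
    return {m.group(1).decode(): m.group(2).decode(errors="replace")
            for m in CONFIG_RE.finditer(memory)}


def is_suspicious_dump(memory: bytes) -> bool:
    """Heuristic chosen for this example: the fixed heartbeat value plus at least
    two of the variable names, so a lone 'key=' somewhere in memory does not trigger."""
    found = find_config_strings(memory)
    return found.get("hbt") == "3600" and \
        len(set(found) & {"key", "dhost", "sp", "sk", "dip"}) >= 2


# --- constructed samples (not captured data) ---
SAMPLE_BLOB = base64.b64encode(b"constructed-not-real-ciphertext")
SAMPLE_STREAM = b"SSH-2.0-OpenSSH_5.3\r\n" + b"\x00" * 16 + FOKIRTOR_MARKER + SAMPLE_BLOB + b"\r\n"
CLEAN_STREAM = b"SSH-2.0-OpenSSH_5.3\r\n" + b"\x00" * 16
SAMPLE_DUMP = (b"\x00key=0123abcd\x00dhost=203.0.113.5\x00hbt=3600\x00"
               b"sp=22\x00sk=deadbeef\x00dip=198.51.100.7\x00")
CLEAN_DUMP = b"\x00OpenSSH_5.3\x00key=ssh-rsa\x00"

if __name__ == "__main__":
    for off, blob in find_marker_commands(SAMPLE_STREAM):
        print(f"marker at offset {off}, payload {blob[:24]!r}...")
    print("suspicious dump:", is_suspicious_dump(SAMPLE_DUMP))
```

Because the marker is a plain byte sequence, the traffic check works on any protocol the back door is hooked into, not only SSH; run it over the payload bytes of every session to the host, since the post notes these sessions never appear in the SSH logs.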

Symantec detects this back door as Linux.Fokirtor and protects customers against it.

 



Handy Links - VMware Backup with NetBackup


I was speaking to a customer earlier this week who wanted to get up to speed on our VMware capabilities and needed some basics as well. While I know there have been some great posts in the forums, I thought I'd start out sharing these links. If you have other favorites please share them.  This was meant to be quick and dirty.

Solution Overview Level

ESG Lab Validation – NBU 7.6 for VMware

http://www.esg-global.com/lab-reports/symantec-netbackup-76-for-vmware/

Technical Basics

Google+ Hangout replay on Virtualization and NBU 7.6

http://www.youtube.com/watch?v=U_8_lTRcudM

VMware Basics for NBU administrators - from our local vExpert - @abdulrasheed123

http://www.mrvray.com/netbackup-101-for-vmware-professionals/

NBU backup for VMware benchmarks

1)      http://www.slideshare.net/symantec/bco5851-winter-googlehangoutas (currently PPTX only - 2013)

2)      http://eval.symantec.com/mktginfo/enterprise/white_papers/b-nbu_cisco_vmware_backup_perf_21157021_WP.en-us.pdf (2010 - old but good for lower versions of NBU)

Forward Thinking Virtualization - vCD

VMware – What’s the difference between vCD and VADP – this is the story of how to backup a Virtual Data Center from Symantec (preview NetBackup 7.6 features)

https://plus.google.com/events/co2hddgrt2oi3o5svoosvsmri34

Let me know if you have other favorites. 

New Zero-Day: Attacks Exploiting an Ichitaro Vulnerability Target Japanese Users


Recently, a string of zero-day vulnerabilities has appeared in quick succession, keeping both the security industry and IT administrators around the world busy. With no time to catch a breath after that barrage, yet another zero-day attack has surfaced and is trying to cause trouble. Its targets are mainly Japanese users, because this vulnerability exists in the Japanese word-processing software Ichitaro.

JustSystems, the developer of Ichitaro, recently announced that an unpatched remote code execution vulnerability in multiple Ichitaro products (CVE-2013-5990) allows arbitrary code execution. Symantec confirmed in September 2013 that attacks attempting to exploit this vulnerability were active in the wild, but in Symantec's test environment the exploit did not work and did not succeed in compromising the system. As usual, Symantec followed this discovery with the necessary vulnerability disclosure procedures.

Symantec's analysis shows that every sample from this attack detected as Trojan.Mdropper contains the same back door Trojan, detected as Backdoor.Vidgrab. On successful exploitation, the shellcode would in theory execute, dropping and launching a Simplified Chinese version of Notepad while the system is compromised and the back door connects to a remote site. At the same time, the same Backdoor.Vidgrab variant was being used as the payload of a watering-hole attack exploiting the Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3893), for which a patch was released in October 2013. This suggests that the same malware group, or a closely related one, is behind both the attacks exploiting the Internet Explorer vulnerability and those exploiting the Ichitaro vulnerability. Research by Trend Micro has shown that Backdoor.Vidgrab targets the Asia-Pacific region, with government-related organizations as its main targets. Symantec's telemetry is consistent with that view.

When Trojan.Mdropper is sent to a target, the email carries an attachment with the .jtd extension used by Ichitaro, but the file is actually an .rtf (Rich Text Format) file. Because .jtd is a file format specific to Ichitaro, the file cannot be opened in Microsoft Word. What is notable about this campaign is that the subject lines and bodies the malware group uses in its emails differ from those of typical targeted attacks. An example of an email used in this targeted attack is shown in the figure below.
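A check for the mismatch described above, as an added example rather than code from Symantec's analysis: an attachment claiming to be an Ichitaro .jtd file but starting with the RTF signature is flagged. The OLE compound-document header used here to recognize a genuine .jtd file is an assumption made for this example, and the sample attachments are constructed, not the real malicious files.

```python
import os

# RTF files begin with this signature.
RTF_MAGIC = b"{\\rtf"
# Assumption made for this example: a genuine Ichitaro .jtd file is an OLE2
# compound document, which starts with this 8-byte header.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def classify_jtd(filename: str, data: bytes) -> str:
    """Compare the claimed extension with the file header and return a verdict."""
    ext = os.path.splitext(filename)[1].lower()
    if ext != ".jtd":
        return "skip: not a .jtd attachment"
    head = data.lstrip()[:8]          # tolerate leading whitespace before '{\rtf'
    if head.startswith(RTF_MAGIC):
        return "suspicious: .jtd extension but RTF content"
    if data[:8] == OLE_MAGIC:
        return "ok: .jtd with compound-document header"
    return "unknown: .jtd with unrecognized header"


def triage(attachments):
    """attachments: iterable of (filename, bytes); returns the suspicious filenames."""
    return [name for name, data in attachments
            if classify_jtd(name, data).startswith("suspicious")]


# --- constructed samples (not the real malicious files) ---
FAKE_RTF_JTD = ("flyer.jtd", b"{\\rtf1\\ansi\\deff0 {\\fonttbl{\\f0 Arial;}} constructed sample }")
REAL_LOOKING_JTD = ("report.jtd", OLE_MAGIC + b"\x00" * 504)
PLAIN_RTF = ("notes.rtf", b"{\\rtf1\\ansi constructed }")

if __name__ == "__main__":
    for name, data in (FAKE_RTF_JTD, REAL_LOOKING_JTD, PLAIN_RTF):
        print(name, "->", classify_jtd(name, data))
```

The same extension-versus-header comparison is worth applying at the mail gateway to any document type an exploit could be smuggled in under a different name; the point of the .jtd disguise is that the file type is chosen by the receiving application, not by the extension the attacker picked.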

Figure_1.png

Figure. Email used in the targeted attack

The email invites the user to buy various products on a popular Japanese online shopping site. It also claims that members who make a purchase will receive double the usual points and free shipping. The email attachment is a flyer that contains the Ichitaro exploit code.

In June 2013, Symantec observed a similar Trojan.Mdropper variant that used the .jtd extension, and it was sent to the same organization that received the malware described above. The difference is the file format: the current attack uses Rich Text Format, while the earlier attack used a Microsoft Word document with an embedded Microsoft Graph chart. The specially crafted Word document was created with a Simplified Chinese version of Microsoft Office. According to Symantec's investigation, this exploit code also failed to exploit the vulnerability. Had it succeeded, the shellcode would have downloaded malware from the following URL:

http://googles.al[REMOVED]my.com/index.html

The server hosting this domain is associated with the group Mandiant calls "APT12", and the malware itself is detected as Trojan.Krast.

The attackers, who appear to belong to the APT12 group, may also have developed Backdoor.Vidgrab, and they seem to be persistently attempting Ichitaro exploits against similar, though not identical, targets. They may be using the targets as test subjects to find out whether their exploit code works properly. It is also possible that this attack is merely a preliminary skirmish, a test run to find effective email bodies and subject lines, ones persuasive enough to trick targets into opening a malicious attachment.

The .jtd file reported here is detected as Trojan.Mdropper. Symantec's .Cloud products also safely block emails with malicious Ichitaro files attached.

Ichitaro users should download and apply the latest patches from JustSystems to prevent infection.

 


Simulating Locked Files For Application Robustness!


Today I've been troubled by a pesky random issue with our ImageInvoker. Sometimes, we have network problems which throw the ImageInvoker service into a fit.

ImageInvoker works by exchanging files across a file share as communication 'envelopes'. The client saves a .ini file to the express share to ask the server a question, and the server saves an .rsp file which is the reply that the client reads.

The problem seems to be that sometimes the .ini file isn't accessible at the moment the ImageInvoker process attempts to read it. So I amended the code to combat this, but then wondered how to simulate this rare problem.

My first approach was to use the following VBScript to open the file and lock it for editing. This is what I thought would most closely resemble an open file handle from a slow write on a contended network:

 

 

' Hold the .ini envelope open for appending until the message box is dismissed,
' to imitate a writer that has not yet released the file.
Dim fso, ts
Dim myfile
Set fso = CreateObject("Scripting.FileSystemObject")

myfile = "C:\Program Files\Altiris\eXpress\Deployment Server\Temp\ImageInvoker_In\000c291f60bf.ini"

Const OpenFileForWriting = 2
Const OpenFileForAppending = 8
' Third argument (True) creates the file if it does not already exist.
Set ts = fso.OpenTextFile(myfile, OpenFileForAppending, True)
MsgBox "Locked"

ts.Close
 
This however didn't replicate the problem in the existing ImageInvoker code; it could read the file fine, it just couldn't clean it up afterwards.
 
So I thought about how else I can lock the file so it couldn't even be read. The only way I came up with was to cheat and use permissions; I just edited the individual file's permissions and set the advanced permissions configuration to "deny" for everyone. That stopped the file from being read by ImageInvoker, which then simulated the issue in the existing code nicely.
 
Amended code now ready for a production firing....

Now, if only we could actually image across that network.... ;-)

 

When You Educate a Child, Everything Changes


Today—National Philanthropy Day—and every day, we are so pleased to celebrate our relationship with Symantec.

“I am the first person in my family to be educated,” said Anita, a graduate of Room to Read’s Girls’ Education program. “I felt very proud when I was able to read some documents for my father recently and prevent us from being cheated by our neighbors. Perhaps this was the day when my father too realized the value of my education. He told my mother that he was proud of me.”

Anita had to fight for her parents’ blessing when completing secondary school and again when pursuing a university education.  Anita’s parents came close to forcing her to drop out of school in the 9th grade to prepare for marriage, but with the help of Room to Read, teachers, and friends, she was able to convince her parents of the importance of her education. Now in her final year at a university in Delhi, Anita looks forward to having her own career and family. After completing the program, Anita said that she will ensure that her future daughter will have the same opportunities as her future son.

Room to Read’s mission is to reach students like Anita and empower them to receive the quality education they deserve. There are 774 million illiterate people in the world today; two-thirds are female and over 90 percent live in developing countries. Room to Read works in ten countries across Asia and Africa to promote literacy and gender equality in education, and our programs provide primary and secondary school children with the tools, resources, and instruction necessary to complete secondary school. Through strong partnerships with investors like Symantec, we have benefited almost eight million children in their pursuit of a quality education.

We are so thankful that since 2008, Symantec has invested crucial support to Room to Read through our School Libraries and Girls’ Education programs in Sri Lanka and India. Together, we are proud of what we have accomplished for hundreds of communities. Symantec's investment in our Girls’ Education program includes providing 160 Sri Lankan girls and 382 Indian girls with support for their education, so they can complete secondary school with the skills necessary to negotiate key life decisions. In addition, Symantec has ensured the establishment of 127 school libraries across India which will impact approximately 22,800 children! This reach extends even further to thousands of family and community members who see first-hand how their children are transformed through the power of education.

Additionally, Symantec has helped us scale through the expansion into new regions in need.  Through Symantec's funding, Room to Read was able to launch programs in Maharashtra, India—first in Mumbai city and later this year into Raigad. This expansion has allowed us to reach 106 needy schools with libraries, training and quality reading materials that will serve thousands of students during three years of Room to Read support!

Finally, we are thankful for Symantec's commitment to help us more deeply engage with our larger donor community. Through the company's sponsorship of galas in Tokyo and Mumbai, we were able to leverage Symantec's generous investments to raise even more funding for our programs around the world.

Room to Read is thrilled to see the sheer number of children using the Symantec libraries, and the girls who are succeeding further every day because of Symantec's support.

Thank you for all you do for the children on our programs!

 

Dr. Geetha Murali is Chief Development Officer for Room to Read.

Are the New gTLDs a Threat to Your Network?


On October 23rd the Internet Corporation for Assigned Names and Numbers (ICANN) announced the roll out of the first four gTLDs under its New gTLD Program. The new domains could pose a potential security threat to your organization.

gTLD stands for Generic Top Level Domain. These are widely used domains that are open to anyone who wants to register one, like .com, .net, and .org. gTLDs are distinct from Country Code Top Level Domains (ccTLDs) like .us, .uk, and .nz in that ccTLDs often have restrictions on who can register a domain, and they are maintained by the individual country's Network Information Center (NIC), though this task is often outsourced.

Prior to the announcement of the New gTLD Program, launching a new gTLD was a costly and laborious task; in fact the last set of new gTLDs to roll out (.aero, .travel, .jobs) were largely seen as a failure. With the launch of the New gTLD Program, ICANN expects to increase the number of gTLDs from 14 to more than 2200.

What does that mean for your organization from a security perspective? It means there is now a wider security footprint that you have to monitor. Someone shopping for shoes on their lunch break might go to www.amazon.com, www.shoes.amazon, or www.amazon.shoes and wind up at the same place, or one of those domains could be fraudulent.

There is a vetting process for setting up a gTLD, and ICANN monitors its traffic for the first 30 days. After that, no further security precautions are in place, even though each new gTLD remains part of the root name server ecosystem.

A private organization that makes it through the vetting process and passes the 30-day test is then able to do whatever it wants with the domains under its gTLD, and it has the visibility of the whole world.

ICANN, and others, tout the benefits of the New gTLD Program, saying, "In the weeks and months ahead, we will see new domain names coming online from all corners of the world, bringing people, communities and businesses together in ways we never imagined. It's this type of innovation that will continue to drive our global society."

While all of that may be true, it also has the potential to add to the security headaches of your organization.

Horizontal Password Guessing Attacks Part II


Welcome back! In our last installment we started planning our horizontal password guessing attack by identifying the ten most common passwords. Hopefully none of those terrible passwords are scrawled on little sticky notes anywhere in the vicinity of your cubicle! But what about usernames? What usernames should we guess? If the target application employs an established username format, you can easily predict common usernames. Consider, for example, an application that constructs the username by combining the user's first initial and last name, so that the username for John Doe would be "jdoe". According to the Social Security Administration web site, these are the top ten male names issued during the 1980's (http://www.ssa.gov/OACT/babynames/decades/names1980s.html):

      1. Michael
      2. Christopher
      3. Matthew
      4. Joshua
      5. David
      6. James
      7. Daniel
      8. Robert
      9. John
    10. Joseph

 And these are the top ten female names issued during the 1980's:
 
      1. Jessica
      2. Jennifer
      3. Amanda
      4. Ashley
      5. Sarah
      6. Stephanie
      7. Melissa
      8. Nicole
      9. Elizabeth
    10. Heather

Why the 1980's, you ask? We'll guess that our median user is in their 30's. But more importantly, the 1980's featured unbelievable songs like "Come On Eileen" and "Total Eclipse Of The Heart". In any case, we can deduce that the most common male and female first names start with the following letters:

      1. A
      2. C
      3. D
      4. E
      5. H
      6. J
      7. M
      8. N
      9. R
    10. S
 
So the ten most common male and female first names condense into a list of exactly ten first initials? Well isn't that convenient! But what about last names? According to the United States Census Bureau, these are the ten most common last names (http://www.census.gov/genealogy/www/data/2000surnames/index.html):

      1. Smith
      2. Johnson
      3. Williams
      4. Brown
      5. Jones
      6. Miller
      7. Davis
      8. Garcia
      9. Rodriguez
    10. Wilson

I bet poor Tom Hanks still misses #10. In any case, we now have all the right ingredients to brew our secret sauce. We can write a script to enumerate the most common 100 usernames by sequentially combining the ten most common first initials with each of the ten most common last names. For example:

      1.  asmith
      2.  csmith
      3.  dsmith
      4.  esmith
      5.  hsmith
           . . .
    96.  jwilson
    97.  mwilson
    98.  nwilson
    99.  rwilson
  100.  swilson
 
That's our list of 100 target usernames! Finally each of the 100 target usernames can be combined with each of the ten most common passwords from our last installment:

      1.  asmith/password
      2.  asmith/123456
      3.  asmith/12345678
      4.  asmith/abc123
      5.  asmith/qwerty
            . . .
   996.  swilson/monkey
   997.  swilson/letmein
   998.  swilson/dragon
   999.  swilson/111111
 1000.  swilson/baseball

Voilà! We now have an optimized list of 1,000 usernames and passwords to feed into our password guessing tool. But I know what you're thinking. Does it really work? The answer is a definitive YES! I have personally implemented this technique with excellent results while conducting penetration tests for Symantec clients. Just modify the username format to fit your needs (for example "first.last" or "first_last") and let your password guessing tool rip!
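The username expansion and pairing described above, as an added example (this code is not from the original post): the twenty first names are reduced to their initials, which confirms the post's observation that they collapse to exactly ten, and a format string stands in for the username convention ("{i}{last}" for jdoe, "{first}.{last}" or "{first}_{last}" for the variants the post mentions). The post lists the 1,000 pairs username-first; here the passwords sit in the outer loop so that each round touches every account only twice, which is the property that keeps the spray under a three-attempts-per-hour lockout. The two-per-round figure comes from Part I; everything else is the post's own data.

```python
# Names and passwords listed in the post (SSA top-ten male and female names of
# the 1980s, Census top-ten surnames, SplashData top-ten passwords).
FIRST_NAMES = ["Michael", "Christopher", "Matthew", "Joshua", "David",
               "James", "Daniel", "Robert", "John", "Joseph",
               "Jessica", "Jennifer", "Amanda", "Ashley", "Sarah",
               "Stephanie", "Melissa", "Nicole", "Elizabeth", "Heather"]
SURNAMES = ["smith", "johnson", "williams", "brown", "jones",
            "miller", "davis", "garcia", "rodriguez", "wilson"]
TOP_PASSWORDS = ["password", "123456", "12345678", "abc123", "qwerty",
                 "monkey", "letmein", "dragon", "111111", "baseball"]

# The twenty names collapse to exactly ten initials, as the post observes.
FIRST_INITIALS = sorted({n[0].lower() for n in FIRST_NAMES})


def build_usernames(fmt="{i}{last}", firsts=None, surnames=SURNAMES):
    """Expand a username format over first-name tokens x surnames, dropping
    duplicates. {i} is the first initial, {first} the full first name, {last}
    the surname: "{i}{last}" gives jdoe, "{first}.{last}" gives john.doe."""
    firsts = FIRST_INITIALS if firsts is None else firsts
    names = [fmt.format(first=f.lower(), i=f[0].lower(), last=last)
             for last in surnames for f in firsts]
    return list(dict.fromkeys(names))


def horizontal_schedule(usernames, passwords, per_round=2):
    """Yield (round, username, password) with passwords in the OUTER loop, so every
    account receives at most `per_round` guesses per round. Ordering this way is
    what keeps the spray below a per-account lockout threshold; the post's
    username-first listing shows the same pairs but not the attempt order."""
    for rnd, start in enumerate(range(0, len(passwords), per_round)):
        for pw in passwords[start:start + per_round]:
            for user in usernames:
                yield rnd, user, pw


def guesses_per_account_per_round(schedule):
    """Return the maximum number of attempts any single account sees in one round."""
    counts = {}
    for rnd, user, _ in schedule:
        counts[(rnd, user)] = counts.get((rnd, user), 0) + 1
    return max(counts.values())


if __name__ == "__main__":
    users = build_usernames()
    plan = list(horizontal_schedule(users, TOP_PASSWORDS))
    print(len(users), "usernames,", len(plan), "attempts,",
          plan[-1][0] + 1, "rounds, max per account per round:",
          guesses_per_account_per_round(plan))
    print(build_usernames("{first}.{last}", FIRST_NAMES)[:3])
```

Feeding the schedule to a guessing tool one round per hour reproduces the timetable from Part I; the schedule is also exactly what a defender should expect to see in the logs, which is why detection keyed on distinct usernames per source, rather than on failures per account, is the right counterpart.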

So what's the moral of the story? Reinforce password defenses whenever possible. Remember those three example applications that we mentioned in our last installment? The SSH server, the banking web application, and the webmail application? Here are suggestions for each:
  • SSH Server – Avoid passwords whenever possible. For example, implement SSH public key authentication.
  • Financial web application – Supplement passwords with two factor authentication. For example, deploy VeriSign VIP tokens (https://idprotect.verisign.com/learnmoretoken.v).
  • Webmail application – Ensure passwords adhere to stringent password length and complexity requirements. For example, require passwords to be at least eight characters long and to include uppercase letters, lowercase letters, numbers, and special characters. In addition, implement account lockout. Furthermore, educate users about password management tools such as Bruce Schneier's outstanding Password Safe (http://passwordsafe.sourceforge.net/).
Well I hope you've enjoyed our examination of horizontal password guessing attacks. Hopefully after reading these blog posts, stronger passwords and more secure applications will be on your horizon! (Sorry, I just couldn't resist.)

Horizontal Password Guessing Attacks Part I


If security is a heavy duty chain, what's the weakest link? I'll give you a hint, it might be scribbled on a little yellow sticky note stuck on your monitor or stashed under your keyboard! That's right, passwords are the culprit! Brute force password guessing attacks are a favorite technique of malicious attackers everywhere. Whether the target is an SSH server, a financial web application, or a webmail application, as you read this sentence an attacker somewhere is launching a brute force password guessing attack. And before you finish this blog post, that attacker has likely cracked a password or two.

So what's the solution? Account lockout is widely regarded as an effective deterrent to brute force password guessing attacks. After a certain number of unsuccessful login attempts within a certain amount of time, the target user account is locked out for a certain amount of time. For example, after three unsuccessful login attempts within one hour, the target user account might be locked out for 15 minutes. Account lockout accomplishes two important goals. First, account lockout throttles how quickly attackers can guess passwords. In this example attackers can only guess 12 passwords per hour against a given account. A typical wordlist might contain thousands of potential passwords. Factor in substitution rules (for example substituting the "@" character for the "a" character) and suffix rules (for example appending a "1" to the password) and the number of required guesses could take a very long time to process. Second, account lockout alerts administrators that an attack is currently under way. Savvy administrators could implement countermeasures such as incrementing pauses between failed login attempts or even blocking the offending source IP address entirely.

So what's a shrewd attacker to do? As Olivia Newton-John once crooned, "there's nothing left to talk about unless it's horizontally!" Horizontal password guessing attacks eliminate both of the aforementioned nuisances and allow attackers to get the biggest bang for their buck. Instead of trying a long list of passwords against a single account (a vertical password guessing attack), a horizontal password guessing attack entails trying just a few common passwords against a long list of usernames. Account lockout is almost always enforced per username, not per password, so limiting the number of login attempts per username allows attackers to sidestep account lockout.

Let's step into the shoes of a malicious attacker and brainstorm a horizontal password guessing attack. Grab your Cheetos and Mountain Dew and let's get this party started. The first question is simple. What passwords should we guess? Every year SplashData compiles a list of the most common passwords identified as a result of security breaches. The 2012 list was compiled from security breaches at major sites including Yahoo, LinkedIn, and eHarmony (http://www.splashdata.com/press/PR121023.htm). Here are the worst of the worst, the ten most common passwords in the wild:

      1. password
      2. 123456
      3. 12345678
      4. abc123
      5. qwerty
      6. monkey
      7. letmein
      8. dragon
      9. 111111
    10. baseball

That's our list of ten target passwords! In addition, to be even stealthier we can break this list into five groups, trying only two of the passwords each hour. This conservative timetable will allow us to fly under the radar and almost certainly evade account lockout. Like a ninja! Well that's great for passwords, but what about usernames? We'll tackle this question in the next blog post! Stay tuned!
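The defender's counterpart to the attack described above, as an added example that is not part of the original post: because lockout is enforced per username, a horizontal attack shows up in the logs as one source failing against many distinct accounts while never exceeding the per-account threshold. The code parses OpenSSH "Failed password" auth-log lines and flags exactly that pattern. The log lines, hostnames, IP addresses and thresholds (20 distinct accounts in an hour, at most 3 failures each) are constructed for the example; a vertical brute force against one account is deliberately left to the existing lockout.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH failure line as written to the auth log, e.g.
#   Nov 18 10:01:02 bastion sshd[4242]: Failed password for invalid user asmith from 203.0.113.10 port 51514 ssh2
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(lines):
    """Return sorted (timestamp, source_ip, username) tuples for failed logins.
    The syslog timestamp has no year, so it is only used for relative windows."""
    out = []
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            out.append((datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
                        m.group("ip"), m.group("user")))
    return sorted(out)


def detect_horizontal_spray(failures, window=timedelta(hours=1),
                            min_users=20, max_per_user=3):
    """Flag sources that fail against many distinct accounts inside `window`
    while keeping each account under the lockout threshold `max_per_user`.
    A vertical brute force (many guesses, one account) is NOT flagged here:
    per-account lockout already covers it. Returns {ip: distinct_users}."""
    flagged = {}
    recent = defaultdict(deque)
    for ts, ip, user in failures:
        q = recent[ip]
        q.append((ts, user))
        while ts - q[0][0] > window:          # slide the per-source window
            q.popleft()
        per_user = defaultdict(int)
        for _, u in q:
            per_user[u] += 1
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
            flagged[ip] = len(per_user)
    return flagged


def constructed_auth_log():
    """Synthetic log: a sprayer (2 guesses x 30 accounts over ~50 minutes),
    a vertical brute-forcer (30 guesses against root), and one genuine typo."""
    lines = []
    users = [i + last for last in ("smith", "johnson", "jones") for i in "acdehjmnrs"]
    t = datetime(1900, 11, 18, 10, 0, 0)
    for _ in range(2):
        for u in users:
            lines.append(f"Nov 18 {t:%H:%M:%S} bastion sshd[4242]: Failed password "
                         f"for invalid user {u} from 203.0.113.10 port 51514 ssh2")
            t += timedelta(seconds=50)
    t = datetime(1900, 11, 18, 10, 0, 0)
    for _ in range(30):
        lines.append(f"Nov 18 {t:%H:%M:%S} bastion sshd[4243]: Failed password "
                     f"for root from 198.51.100.7 port 40000 ssh2")
        t += timedelta(seconds=10)
    lines.append("Nov 18 10:05:00 bastion sshd[4244]: Failed password for jdoe "
                 "from 192.0.2.8 port 22222 ssh2")
    return lines


if __name__ == "__main__":
    print(detect_horizontal_spray(parse_failures(constructed_auth_log())))
```

The thresholds should be tuned to the application: for a webmail or banking front end, the same logic applies to its own authentication log, and a sprayer who spreads the attempts across several source addresses will need the grouping key changed from source IP to something like the client fingerprint or ASN.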


Netbackup 7.6 and appliance 2.6 Success


Folks,

Symantec celebrates the success of the new NetBackup 7.6 and Appliance 2.6 releases.

First Availability (FA) Program Update

The NetBackup 7.6 First Availability Program launched in October 2013. It has been a success, with more than 900 customers signing up, and over 150 reported installations.
 

Customer feedback is overwhelmingly positive on the focus we have placed on quality. 

 

NetBackup Appliances

- The Symantec NetBackup™ 5230 Appliance in a new 14 TB configuration with NetBackup 7.5 embedded will be available in early December.

- Appliances are expected to ship with NetBackup 7.6 on a USB stick in the beginning of 2014, which will enable customers to perform upgrades. 

 

News from Symantec

NetBackup 7.5 Adoption Rate


Folks,

NetBackup 7.5 Adoption Rate

Telemetry data reveals customers continue to move to our latest versions of 7.5 software.  Note the 7.5 adoption chart below:

 

Netbackup 7.5 adaption rate.png

 

 

What happens when users re-arrange folders in Virtual Vault

Following on from a previous blog where I discussed what happens when users move items around in their Virtual Vault, the question this time is what happens if users move whole folders around in their Virtual Vault. Again the change takes place during the next manual or automatic synchronisation of Virtual Vault, and in detail we see:
 
The Outlook Add-in gets a slot on the Enterprise Vault server:
 
11/11/2013 11:42:25.506[2036][H]: HDR: Requesting page: Slot.aspx?ArchiveID=1A14BEF784CF2D94F88B73CDCA138D7DF1110000evserver&TimeOut=0
 
And a request to get a synchronisation point so the Add-in knows where changes are processed up to:
 
11/11/2013 11:42:25.941[2036][H]: HDR: Requesting page: SyncPoint.aspx?Slot=3abe3887-2614-430e-9848-92711522fc4d&ArchiveID=1A14BEF784CF2D94F88B73CDCA138D7DF1110000evserver&SyncPoint=510&SiteID=16194C25939C8BC4D964B922428BFAB571d10000evserver
 
The hierarchy is obtained for the archive:
 
11/11/2013 11:42:25.973[2036][H]: HDR: Requesting page: GetArchiveFolderHierarchy.aspx?archiveId=1A14BEF784CF2D94F88B73CDCA138D7DF1110000evserver
 
And then the change is sent to the server:
 
11/11/2013 11:42:26.243[2036][M]: HDR: Posting XML: <?xml version='1.0' encoding='utf-8'?>
<UpdateArchiveFolderHierarchy Slot='3abe3887-2614-430e-9848-92711522fc4d' ArchiveId='1A14BEF784CF2D94F88B73CDCA138D7DF1110000evserver'>
<UpdateFolder pvid='1A9D0823237EECB42BE4C747DD32F5C221110000evserver' parentpvid='13620A33433638C43BCC73FEA2C45DB561110000evserver' icon='0' name='x1'/>
</UpdateArchiveFolderHierarchy>
 

ServiceDesk Pack for Altiris™ IT Analytics 7.5 from Symantec™ User Guide

Filtering out undesired RILOE inventory events at the agent


The Deployment Solution Agent (7.x) comes as an all-or-nothing bundle. Once installed, the agent runs all of its tasks whenever it finds it suitable, without giving administrators a chance to control what should or should not be done.

The iLO inventory is one such task, and the Deployment Agent runs it every time the agent is started. Since you cannot disable the inventory process, you also cannot prevent the events generated by running the task.

This means that if you have 10,000 computers starting on Monday morning, all with the Deployment Agent installed, you will get 10,000 RILOE Capture Event messages sent to the SMP.

As previously stated, with the DS Agent it's an all-or-nothing deal, but thankfully a built-in Agent feature can be used to prevent the undesired messages from leaving the workstation:

The Altiris Agent Transport Filters. These filters are normally delivered to the managed machine with its client policy and are stored in the registry under "HKLM\SOFTWARE\Altiris\Altiris Agent\Transport\Filters". But any registry value that exists in that location (whether it came from the agent policy or not) will be read and used to filter out events that should not be sent to the SMP.

The filters are XPath queries evaluated against each outgoing event message. The query needed to filter out the iLO capture event message is shown below.

Xpath event filter registry key:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Altiris\Altiris Agent\Transport\Filters]

"Connect Filter iLO capture events"="/message/to[. = '3737c829-1634-4e1c-85f6-757d532be374']"
Important note! The agent clears out the filters whenever it is restarted, so the registry key will have to be protected from that deletion via permissions. This comes with serious caveats and cost if you already use filters, since the change would also prevent policy-delivered filter strings from being deleted. So this is something worth keeping in mind before experimenting with this.
 

Sample iLO capture event message:

 
<?xml version="1.0"?>
<message>
<to>3737c829-1634-4e1c-85f6-757d532be374</to>
<priority>0</priority>
<msgId>{C11A81CF-9922-46E0-98F9-F4E032619430}</msgId>
<time>20131118151711.270000+000</time>
<from>
                <resource typeGuid="{2C3CB3BB-FEE9-48DF-804F-90856198B600}" guid="{0D9AEFAD-0EE6-49C1-9145-82169BF62791}" name="SQL-W2K8-01">
                                <key name="name.domain" value="SQL-W2K8-01.EPM"/>
                                <key name="fqdn" value="SQL-W2K8-01.EPM.local"/>
                                <key name="uniqueid" value="r/+IgVv6FE2fIRFlN5TxSg=="/>
                                <key name="uniqueid" value="uPG8ZqqMCuMYq41gEI0Z/Q=="/>
                </resource>
</from>
<body>
                <inventory>
                                <dataClass name="Agent Plugin Inventory">
                                                <data>
                                                                <resource partialUpdate="false">
                                                                                <row c1="None" c2="No Asset Tag" c3="True" c4="False" c5="True" c9="440BX Desktop Reference Platform" c10="VMware, Inc." c11="VMware Virtual Platform" hash="2S7ZjS3z7SfTo1LJren+vg=="/>
                                                                </resource>
                                                </data>
                                </dataClass>
                </inventory>
</body>
</message>
I have highlighted in bold above a section of the NSE that is useless, as the event capture items only care about the to, from and time elements, which are used to populate the Evt_NS_EventHistory table on the SMP database.
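To see what the filter above would actually do before protecting a registry key with permissions, here is an added example (not from the original post or the Altiris product) that evaluates the XPath against a trimmed copy of the iLO message shown above and against a second, constructed message addressed to a made-up GUID. It uses Python's ElementTree, whose XPath subset has no absolute paths, so the leading /message step is matched against the root tag by hand; the agent's own XPath engine may differ in details beyond this kind of predicate.

```python
import xml.etree.ElementTree as ET

# Filter value from the post's registry export (an XPath over the NSE message).
ILO_FILTER = "/message/to[. = '3737c829-1634-4e1c-85f6-757d532be374']"


def filter_matches(message_xml: str, xpath: str) -> bool:
    """Approximate the transport filter with ElementTree's XPath subset. ElementTree
    has no absolute paths, so the leading '/message' step is checked against the
    root tag and the rest is evaluated relative to it. A match means the agent
    would drop the event instead of posting it to the SMP."""
    root = ET.fromstring(message_xml)
    first, _, rest = xpath.strip("/").partition("/")
    if first != root.tag:
        return False
    return root.find(rest.replace(" = ", "=") or ".") is not None


def events_to_send(messages, filters):
    """Return the messages that survive every filter, i.e. the ones the agent would post."""
    return [m for m in messages if not any(filter_matches(m, f) for f in filters)]


# Trimmed copy of the iLO capture event shown above, and a constructed event
# addressed to a different (made-up) message GUID for comparison.
ILO_EVENT = """<?xml version="1.0"?>
<message>
<to>3737c829-1634-4e1c-85f6-757d532be374</to>
<priority>0</priority>
<time>20131118151711.270000+000</time>
<body><inventory><dataClass name="Agent Plugin Inventory"/></inventory></body>
</message>"""

OTHER_EVENT = ILO_EVENT.replace("3737c829-1634-4e1c-85f6-757d532be374",
                                "00000000-0000-0000-0000-000000000001")

if __name__ == "__main__":
    print("iLO event filtered:", filter_matches(ILO_EVENT, ILO_FILTER))
    print("events still sent:", len(events_to_send([ILO_EVENT, OTHER_EVENT], [ILO_FILTER])))
```

Keying the filter on the <to> GUID rather than on anything in <body> is what makes it cheap and exact: every event of this class is addressed to the same message GUID, so no other inventory or policy traffic is affected.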

Configuring SWG in a Few Steps

ITMS 7.5 Hotfix 1 Released November 18th!


ITMS 7.5 Hotfix 1 is now available!


Symantec Webcast - Got Archiving Covered: What are You Missing?


Attend this Symantec webcast for a refresher on the core value of archiving. The presenters will take you through common use cases and scenarios that showcase how archiving can help reduce costs and improve operational efficiencies across your organization.

Symantec Enterprise Vault.cloud announces Mobile Web Access! Your archive. On all your devices.


We’re happy to announce Mobile Web Access for Symantec Enterprise Vault.cloud. With Mobile Web Access, access your archive from whatever device you’re on without downloading an application. It’s easy to use and lets you search and access your archived information from anywhere. Mobile Web Access is available to existing Enterprise Vault.cloud Personal Archive customers at no cost.

“As the proliferation of devices takes organizations by storm, end users are increasingly leveraging smartphones and tablets to get work done on-the-go. However, they find themselves limited when it comes to searching for older information required to do their job that is not available on the device they have at hand,” said Christopher Moreau, Principal Product Manager, Information Management at Symantec. “Enterprise Vault.cloud Mobile Web Access gives these users a simple way to access and search archived information they find critical to their daily business activities. In addition, since the archive is accessed via a secure web interface, end users and administrators don’t have to worry about downloading, installing, or maintaining an application on multiple devices.”

Theo Caylo, Senior Manager, IT Infrastructure at Source Interlink Corp, one of the organizations that participated in the Beta Program for Mobile Web Access commented, “Our large media portfolio demands that our employees have access to information no matter where they are. Mobile Web Access affords our end-users quick and easy access to their archived content from any smartphone without having to download an application."

For more information about Enterprise Vault.cloud go to http://go.symantec.com/evc.

Cheers!
Neelum 
Symantec Product Marketing

 

Cryptolocker Alert: Millions in the UK Targeted in Mass Spam Campaign


Last week, the United Kingdom’s National Crime Agency (NCA) warned that tens of millions of customers were being targeted by the Cryptolocker malware through a mass spam campaign.

According to the alert, millions of UK customers received malicious emails, but the primary targets seem to have been small and medium businesses.

A recent Symantec blog examined a threat named Trojan.Cryptolocker and how it is an aggressive evolution of the ransomware family of threats. Cryptolocker thrives by encrypting files on a victim’s computer and holding the decryption key for ransom. Interestingly, Symantec predicted this rise in ransomware in its most recent Internet Security Threat Report.
 

image1-b.png

Figure 1. Example email from spam campaign leading to Cryptolocker
 

This recent spam campaign uses various lures to target its victims. For instance, we have seen emails claiming to be a voicemail message from an unknown number as well as an outstanding unpaid invoice.
 

image2_9.png

Figure 2. Another example spam message leading to Cryptolocker
 

The malicious attachments themselves are downloaders, used to retrieve other threats, such as Trojan.Zbot, which ultimately lead to a Cryptolocker infection and ransom demand.
 

Figure 3. Payment request for decryption key
 

According to the NCA alert, the agency has observed samples of Cryptolocker requesting a payment of two Bitcoins (worth £653 as of November 18, 2013). Some of the samples Symantec analyzed requested only one Bitcoin.

Symantec customers using Email Security.cloud are protected from these spam messages using our built-in Skeptic™ technology. In addition, Symantec has the following security signatures in place to detect these samples:

Detection name                        Detection type
Downloader                            Antivirus signature
Trojan.Zbot                           Antivirus signature
Trojan.Cryptolocker                   Antivirus signature
Trojan.Cryptolocker!g2                Heuristic detection
Trojan.Cryptolocker!g3                Heuristic detection
System Infected: Trojan.Cryptolocker  Intrusion Prevention Signature

Symantec continues to protect against the latest developments in the Cryptolocker malware and we strongly encourage users to routinely back up their files as a way to mitigate any potential damage that may occur from a Cryptolocker infection. For guidance on file recovery using built-in tools, please visit the following support article: Recovering Ransomlocked Files Using Built-In Windows Tools.

Cryptolocker Alert: Millions in the UK Targeted in a Mass Spam Campaign


Last week, the United Kingdom’s National Crime Agency (NCA) warned that an extremely large number of users were being targeted by the Cryptolocker malware through a mass spam campaign.

According to the alert, millions of users in the UK have received malicious emails, and the primary targets appear to be small and medium-sized businesses.

Trojan.Cryptolocker was also covered in a recent blog, which reported on the active evolution of ransomware-type threats. Cryptolocker is spreading by encrypting files on the compromised computer and demanding a ransom with the decryption key as the bargaining chip. Symantec predicted this surge in ransomware in the latest edition of the Internet Security Threat Report.
 

Figure 1. Example of a spam email leading to Cryptolocker
 

This spam campaign uses a variety of lures to target victims. For example, we have seen emails disguised as a voice message from an unfamiliar number or as an unpaid invoice.
 

Figure 2. Another example of a spam message leading to Cryptolocker
 

The malicious attachment itself is a downloader, which is used to retrieve other threats such as Trojan.Zbot. This ultimately causes a Cryptolocker infection and a ransom demand.
 

Figure 3. Payment request screen for the decryption key
 

According to the NCA alert, Cryptolocker samples demanding two Bitcoins (equivalent to £653 as of November 18, 2013) have been observed. Some of the samples Symantec analyzed demanded only one Bitcoin.

Customers using Symantec Email Security.cloud are protected from this spam campaign by the built-in Skeptic™ technology. Symantec also has the following security signatures in place for these samples.

Detection name                        Detection type
Downloader                            Antivirus signature
Trojan.Zbot                           Antivirus signature
Trojan.Cryptolocker                   Antivirus signature
Trojan.Cryptolocker!g2                Heuristic detection
Trojan.Cryptolocker!g3                Heuristic detection
System Infected: Trojan.Cryptolocker  Intrusion Prevention Signature

Symantec will continue to provide protection against the latest versions of the Cryptolocker malware, but we also strongly recommend that customers back up their files regularly as a measure to minimize the damage that a Cryptolocker infection could cause. For how to recover files using built-in tools, please see the support article titled “Recovering Ransomlocked Files Using Built-In Windows Tools” (in English).

 

* To subscribe to the RSS feed of the Japanese-language Security Response blog, go to http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja.

2014 Predictions from Symantec


Whispers.

The secret to predicting the future is to listen for the whisper.

By the time you’ve heard things in a loud, clear voice they have already come true. I’ve been listening to the whispers in 2013 and have a pretty good idea for what we’ll be hearing loud and clear in 2014. Below are my predictions of the top things we’ll hear and what they will mean for us in 2014.

  • People will finally begin taking active steps to keep their information private.
  • Scammers, data collectors and cybercriminals will not ignore any social network, no matter how “niche” or obscure.
  • The “Internet of Things” becomes the “Internet of Vulnerabilities.”
  • Mobile apps will prove that you can like yourself too much.

“Wait a minute…The Internet knows more about me than my own mother?”

People will finally begin taking active steps to keep their information private.

Privacy issues have littered the headlines in 2013, delivering a wake-up call to people and businesses about the amount of personal information we share and that is collected every day by everyone from your doctor to your social network. You can expect to see privacy protection as a feature in new and existing products. Then, beyond 2014, we’ll be arguing on whether or not these features actually provide any privacy protection. Expect Tor, which enables online anonymity, to become a popular application across the spectrum of Internet users. You’ll also see a resurgence of users adopting aliases and fake names on social networking sites to protect their privacy. And you know who is going to lead the way on this? Teens. They do care about privacy—and not just where their parents are concerned. Given this, more people will move to new, upstart and niche social networking sites, in an attempt to hang with their friends in obscurity. Which leads to my next prediction…

“Adult supervision is not wanted but adult behavior may keep you out of trouble.”

Scammers, data collectors and cybercriminals will not ignore any social network, no matter how “niche” or obscure.

It’s tempting to believe that you can move to a new neighborhood and all your old problems will go away. They don’t in real life and they won’t when it comes to social networking. Any new social network that attracts users will also attract scammers and miscreants. Users who feel it’s just them and their friends on these new sites are in for a big (and unpleasant) surprise. Your mother won’t be there to remind you, so let me: If something sounds too good to be true, it almost certainly is a scam. Protect yourself by using security best practices no matter where you are on the Internet, or how you connect to it. And speaking of connecting…

“Your toaster is not infected, but your security camera just robbed you blind.”

The “Internet of Things” becomes the “Internet of Vulnerabilities.”

You can expect dumb things will get smarter in 2014. With millions of devices connected to the Internet—and in many cases running an embedded operating system—in 2014, they will become a magnet for hackers. Security researchers have already demonstrated attacks against smart televisions, medical equipment and security cameras. Already we’ve seen baby monitors attacked and traffic was shut down on a major tunnel in Israel, reportedly due to hackers accessing computer systems via a security camera system. Major software vendors have figured out how to notify customers and get patches for vulnerabilities to them. The companies building gadgets that connect to the Internet don’t even realize they have an oncoming security problem. These systems are not only vulnerable to an attack – they also lack notification methods for consumers and businesses when vulnerabilities are discovered. Even worse, they don’t have a friendly end-user method to patch these new vulnerabilities. Given this, we are going to see new threats in ways in which we’ve never seen before.

“I like you, I like you, I like you... That will be $20 and your login and password, please.”

Mobile apps will prove that you can like yourself too much.

People (generally) trust those they sleep with, so it should not be surprising that with 48 percent of people sleeping with their smart phones, they are lulled into a (false) sense of security about them. In 2013, we reported on a mobile app that would secure additional “likes” for your postings on Instagram. All you had to do was hand over your login and password to some guy in Russia. More than 100,000 people saw nothing wrong with that. We trust our mobile devices and the wonderful apps that run on them to make our lives better. We suspend disbelief for that device that sits in our pocket, purse or nightstand. The bad guys are going to take advantage of this big time in 2014. I’m not even talking about malware – mobile apps are going to be behind hoaxes, cons and scams of all sorts in 2014.

So, there you have them, my predictions for 2014. Of course, the best part of trying to predict the future is being surprised by the unforeseen and the unimaginable. I'll be right on some of my predictions. I'll be proved wrong on others. What’s certain is that I'll be listening for all the new whispers to see what 2015 will bring.
