
Bitcoin Boom Prompts Flood of Virtual Bank Robberies


The value of Bitcoin has surged dramatically in recent weeks, fuelling fears that a bubble is forming around the virtual currency. As investors pile in, a crash in Bitcoin prices isn’t the only thing they have to worry about. There has been a spate of incidents in recent weeks in which Bitcoin wallet and banking services have been attacked and millions of dollars worth of the currency stolen.
 

Figure 1. Size of recent Bitcoin heists (US$ value on November 29)

Multi-million dollar heists

The current round of attacks began on November 7, when Australian Bitcoin wallet service Inputs.io announced that it had closed its doors after two attacks resulted in around 4,100 Bitcoins (US $4.34 million at the time of writing) being stolen. Inputs.io said the attackers were able to bypass two-factor authentication due to a flaw on the server host side. The attacks left the site unable to pay all of its user balances.

Why did people keep their Bitcoins with Inputs.io? One of the services it offered was that it "mixed wallets up", swapping Bitcoins around between users. It was effectively a type of anonymizing service, making Bitcoin transactions harder to track. However, giving Inputs.io that level of access to Bitcoin wallets may have left it more vulnerable to attack.

Inputs.io was run by a young Australian who goes by the moniker of TradeFortress. Following the theft, he gave an interview to Australia's ABC news, denying that he had taken the Bitcoins himself. Interestingly, he said that he wasn't going to report the incident to the police. "The police don't have access to any more information than any user does when it comes to Bitcoin. Some say it gives them control of their money," he said.

Within days, there was another incident, this time in China. GBL, a Bitcoin exchange, suddenly closed its doors on November 11. Approximately US $12.7 million in investors' money disappeared along with the site. A closer look at GBL revealed that it wasn't all it claimed to be. It asserted it was licensed by the Hong Kong government, but it transpired that it was simply registered as a business there and had no license to operate as a financial services company.

This incident was quickly followed by news of an attack on the Czech exchange Bitcash.cz. Roughly 4,000 people were affected by the breach, which saw the equivalent of $514,000 taken by attackers. Obviously this haul wasn't enough, as the attackers then used Bitcash.cz email addresses to send emails to site users, claiming that they were using a U.S. recovery firm to retrieve the stolen money and asking for 2 Bitcoins from each user to cover the costs.

The most recent incident involved BIPS, a Danish Bitcoin payment processor and wallet provider, which this week confirmed it was the target of a coordinated attack that resulted in a breach of its systems. The company said that several consumer wallets had been compromised. It is estimated that around 1,295 Bitcoins (worth approximately US $1.37 million) were taken in the attack, but most of the Bitcoins stolen belonged to the company itself rather than customers. Following the attacks, BIPS has said that it will close its consumer wallet services to focus on merchant processing.
 

Protecting your investment

While Bitcoin is commonly talked about as being secure, that, in essence, refers to the fact that it cannot be counterfeited, at least not yet. However, it doesn’t mean that it can't be stolen, as these recent thefts have illustrated.

What can Bitcoin owners do to prevent theft? Given the kind of attacks we have witnessed, proper due diligence on where you are storing Bitcoins should be a priority. For example, GBL claimed that it was licensed in Hong Kong, but it wasn't. Similarly, while Inputs.io's service of mixing wallets up might have appealed to the privacy conscious, the level of access it had to user funds was a possible security risk.

After Inputs.io was attacked, its owner TradeFortress said: "I don’t recommend storing any Bitcoins accessible on computers connected to the internet". The attack on BIPS also prompted its chief executive Kris Henriksen to change his opinion on the security of online wallets. He went as far as to advise his customers to avoid online wallets altogether.

While a lot of people think that the only way to store Bitcoins is in online, virtual wallets, it is also possible to store them offline. This involves creating a wallet that is stored on an offline device, such as a USB key, and then sending your Bitcoins to this wallet address. The best practice procedure for creating an offline wallet is somewhat lengthy, but it is, in theory at least, safer than online storage. Technically, the Bitcoins themselves remain online. What is being taken offline is the means of accessing them: the private key.

It is also possible to go one step further in offline storage, by taking electronic devices out of the equation entirely and creating a paper wallet. However, a paper-based wallet bears the same risk as cash: it needs to be stored somewhere securely.

Online service providers have also begun to beef up their own security. Mt.Gox, one of the world’s biggest Bitcoin exchanges, has implemented an additional layer of security by introducing a One Time Password (OTP) card, which will be shipping to all of its users immediately. The company said that the card can be used on its own or in conjunction with other two-factor authentication methods, such as a Yubikey, a USB key the user must insert to verify their identity.

Once the user has input the card into their preferences on Mt.Gox, they can configure their account to require an additional password on login. Pushing a button on the card will generate a unique password for every login.
 

Bitcoin’s explosion in value

The upsurge in Bitcoin theft is more than likely linked to the fact that the value of the currency has shot through the roof in recent weeks. At the time of writing, one Bitcoin was valued at approximately $1,060. Its value has grown by more than 45 times this year and much of the gains have come in recent weeks. One month ago, it was trading at around $190.

The result of this boom is that what were once relatively minor holdings of Bitcoin can now be quite valuable. Nothing illustrates this better than the story of the IT professional who realized he had thrown out a laptop with a wallet containing 7,500 Bitcoin. He had mined the Bitcoins himself in 2009 and at the time they were only worth a few dollars.
 

Figure 2. Bitcoin/US$ exchange rate for the past six months (Credit: bitcoincharts.com)

Since then, their value has increased dramatically, with occasional dips along the way. When Silk Road, the underground drugs bazaar, was shut down by the FBI in early October, it led to some speculation that the value of Bitcoin would plummet, since the currency is widely used in the underground. While there was a sell-off in the immediate aftermath of the bust, Bitcoin recovered within days and then began to climb quickly.

Part of the surge may be attributable to the fact that regulators are beginning to take the currency more seriously. For example, the U.S. Senate’s Homeland Security and Governmental Affairs Committee last week held a hearing on virtual currencies, at which the Department of Justice's representative described Bitcoin as a “legal means of exchange”. Committee chairman Tom Carper meanwhile said Congress and government needed to develop "smart, sensible, and effective policies" around the currency.

However, Bitcoin’s steep appreciation has led to widespread fears that a bubble is forming. One look at the graph charting its dollar exchange rate is enough to prompt questions. While the number of businesses accepting Bitcoin as a form of payment has undoubtedly grown, it has not grown at the same rate as the currency's appreciation. Instead, speculation appears to be driving much of the current boom and, as history has shown, such buying frenzies can often end in tears.


Not a Twitter Experiment: Scammers Capitalize on Twitter Recommendations


Yesterday, a number of Twitter users were duped into following fake Twitter accounts known as @VerifiedReport and @MagicReports. Both accounts claimed to be part of a Twitter experiment between users, news organizations, and journalists, and followed a number of Twitter users while tweeting the following: “This is a Twitter experiment. We are changing the way users interact with journalists and news organizations.”
 

Figure 1. MagicRecs notification about @VerifiedReport

Many users who discovered these accounts did so through a legitimate Twitter account known as @MagicRecs.
 

Figure 2. MagicRecs, an experimental Twitter account

MagicRecs is an experimental account developed by Twitter that “sends personalized recommendations as direct messages (DMs) when something interesting happens in your network.” This service was recently integrated as a feature in Twitter’s mobile applications, and Twitter states, “With this new feature, you’ll receive personalized recommendations when multiple people in your network follow the same user or favorite or retweet the same Tweet.”

Users who have used @MagicRecs swear by it, which is why it makes sense that scammers would try to create fake experiments as they tap into the credibility of the legitimate service.

Some users did question the validity of both accounts, while others, including Twitter employees, followed them, especially after @MagicRecs recommended them.


Twitter has since suspended both of the accounts. However, there are some other suspect accounts that still remain active. These include @MagicFavs, @MagicSmacks, and @MagicSext, which was recommended by @MagicRecs and has nearly 1000 followers.

Symantec found that neither account attempted to send us links through direct messages. While it’s still unclear what these accounts were created to do, it serves as a reminder that scammers continue to experiment with new ways to scam unsuspecting Twitter users into clicking on links to steal login credentials or make money through affiliate program schemes.

When using a legitimate service like @MagicRecs, be skeptical about which accounts you choose to follow. Check to see if Twitter has verified the account, especially if it claims to be owned by Twitter. Remember, if it sounds suspicious, there’s a good chance that it is.

systems can be infected without network!!!


can transmit information between computers using high-frequency sound waves inaudible to the human ear. The duo successfully sent passwords and more between non-networked Lenovo T400 laptops via the notebooks’ built-in microphones and speakers. Freaky-deaky!
The infected victim sends all recorded keystrokes to the covert acoustical mesh network. Infected drones forward the keystroke information inside the covert network till the attacker is reached.

ref:
http://www.pcworld.com/article/2068525/researchers...

Beware of Phishing That Targets Christmas


The Christmas season is a time when all sorts of things tend to loosen up. The "why" is obvious, and as for the "where", it is of course the purse strings.

Joking aside, make a plan and review your spending. You know better than anyone that your own funds are limited, but the next person who appreciates their value is someone who has been snooping into your affairs. Their technique is surprisingly simple: stir up a little greed, a little anxiety and a little urgency, and even a firm resolve is blown away in an instant. Regret immediately after being carelessly fooled comes too late, and the precious money you worked so hard to save for Christmas is stolen in a moment. If this sounds roundabout and does not quite click, a brief analysis of the following phishing sample will make it clear.

The headers of the phishing email are as follows.

Subject: [Brand name] is giving you a chance to shop for free!
From: "[Brand name] Card" [name]@[domain].com

Figure 1. Spam email used in a phishing attack targeting Christmas

The email appears to come from a well-known financial institution and claims to offer a "free coupon" for Christmas. It also contains a link reading "Kindly Click here now", supposedly for receiving the coupon, and states that the offer is limited to the period up to December 31, 2013.

Note in particular that the coupon is said to be sent only after the user confirms. In other words, to receive the coupon, you must click first. It is easy to click without hesitation, but caution has to come first: at Christmas time, scam traps are everywhere.

Be very careful with any transaction involving money, check for anything suspicious, and do not click links in emails unless you are certain they are safe. To avoid being fooled, verify that the link in the email really belongs to the financial institution it claims to represent. Change your passwords regularly, use strong, unpredictable passwords, and do not let others learn them.

These promotional pitches are attractive, but in the end all they bring is financial loss, and no amount of lamenting afterward will recover what has been lost. Symantec does its utmost to protect users from online fraud and phishing attacks, but we recommend following basic security best practices to guard against fraud and other criminal activity.

Have a safe and enjoyable Christmas.

 

* To subscribe to the RSS feed of the Japanese-language Security Response blog, go to http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja.

Spam Exploiting Paul Walker with "Word Salad"


Word salad is a technique spammers devised to evade Bayesian spam filters. It is a classic trick that belongs in any spammer's textbook, but state-of-the-art anti-spam filtering technology has drastically reduced its effectiveness.

Word salad, a form of Bayesian poisoning, is a string of completely unrelated words. Because only perfectly ordinary words of the kind found in everyday text are used, a Bayesian filter sees an email padded with word salad as containing nothing more than a large amount of legitimate data. Word salad is often used in HTML format; because the URL is broken up by meaningless tags, it becomes difficult for an analyzer to trace a URL that looks like spam. A recent trend in word salad is to add topical keywords, such as breaking news or upcoming events.
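To make the Bayesian poisoning mechanism concrete, here is an added Python example (not code from the original post): a tiny Graham-style naive Bayes scorer trained on constructed messages. It shows a URL chopped up by junk tags being rejoined by tag stripping, a spam body being diluted by a word salad of ordinary words, and the countermeasure of combining only the most decisive tokens so the padding has no effect.

```python
import math
import re
from collections import Counter

# Constructed training messages (not from the original post). A real filter
# is trained on thousands of messages; four of each is enough to show the
# mechanism.
HAM_DOCS = [
    "meeting moved to tuesday please bring the quarterly report",
    "thanks for the photos from the weekend trip see you friday",
    "the autopsy report news about paul walker was sad",
    "can you review my patch before the release on monday",
]
SPAM_DOCS = [
    "cheap cable tv internet phone free equipment premium channels install",
    "free premium channels install now click here cheap offer",
    "cheap internet phone bundle free install click http://promo.example",
    "premium channels free equipment limited offer click",
]

TAG_RE = re.compile(r"<[^>]+>")
URL_RE = re.compile(r"https?://[a-z0-9.\-]+")
WORD_RE = re.compile(r"[a-z0-9]+")


def normalize(body):
    """Strip HTML tags first, so a URL split by junk tags is rejoined
    before anything tries to recognise it."""
    return TAG_RE.sub("", body).lower()


def tokenize(body):
    text = normalize(body)
    urls = URL_RE.findall(text)
    words = WORD_RE.findall(URL_RE.sub(" ", text))
    return urls + words


def train(ham_docs, spam_docs):
    """Count, per token, how many ham and spam messages contain it."""
    ham, spam = Counter(), Counter()
    for doc in ham_docs:
        ham.update(set(tokenize(doc)))
    for doc in spam_docs:
        spam.update(set(tokenize(doc)))
    return ham, spam, len(ham_docs), len(spam_docs)


def token_prob(token, model):
    """Smoothed P(spam | token); a token never seen in training scores 0.5."""
    ham, spam, n_ham, n_spam = model
    in_spam = (spam[token] + 1) / (n_spam + 2)
    in_ham = (ham[token] + 1) / (n_ham + 2)
    return in_spam / (in_spam + in_ham)


def spam_score(body, model, top_n=None):
    """Combine per-token probabilities into P(spam | message).

    With top_n=None every distinct token counts, so a salad of ordinary
    words drags the score down. With top_n set, only the top_n tokens
    furthest from 0.5 are combined (the Graham-style countermeasure), so
    neutral padding cannot dilute the decisive spam tokens."""
    probs = [token_prob(t, model) for t in sorted(set(tokenize(body)))]
    if top_n:
        probs.sort(key=lambda p: abs(p - 0.5), reverse=True)
        probs = probs[:top_n]
    log_spam = sum(math.log(p) for p in probs)
    log_ham = sum(math.log(1 - p) for p in probs)
    return 1 / (1 + math.exp(log_ham - log_spam))


MODEL = train(HAM_DOCS, SPAM_DOCS)

# Constructed spam body in the style the post describes: an HTML message
# whose link is broken up by meaningless tags.
SPAM_BODY = (
    "<p>Cheap Cable-TV, Internet and Phone: free equipment, premium channels "
    "and install. Click here: ht<span></span>tp://pro<b></b>mo.example</p>"
)
# Constructed word salad: a trending name plus ordinary words the filter has
# only ever seen in legitimate mail.
SALAD = (
    "PAUL WALKER autopsy report news sad was about the to please bring "
    "meeting moved tuesday quarterly thanks for photos from weekend trip "
    "see you friday can review my patch before release on monday"
)

if __name__ == "__main__":
    print("tokens:", tokenize(SPAM_BODY))
    print("spam alone:           %.3f" % spam_score(SPAM_BODY, MODEL))
    print("spam + salad:         %.3f" % spam_score(SPAM_BODY + " " + SALAD, MODEL))
    print("spam + salad, top 15: %.3f" % spam_score(SPAM_BODY + " " + SALAD, MODEL, top_n=15))
```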

The death of Paul Walker, known for his roles in the "Fast & Furious" film series, is one recent example exploited by spammers. Within hours of the sad news about Paul Walker, "snowshoe spam", that is, hit-and-run spam, using the name "PAUL WALKER" in its word salad was observed. With fans anxiously awaiting the autopsy report, his name also ranked high as a search keyword. Initially, false reports that he had survived even circulated.

Figure 1. Email body using the keyword "PAUL WALKER" in word salad

Apart from this word salad portion, the spam in question has nothing whatsoever to do with news about Paul Walker. What is previewed is advertising spam for TV, phone and internet service, with the following subject line.

Subject: Cheap Cable-TV, Internet & Phone - Free Equipment, Premium Channels & Install

From: ~CABLETVSpecialS* <[name]@[domain].com>

Figure 2. Preview of the spam

While we mourn Paul Walker, please remember that this is also a prime example of spammers stopping at nothing to spread their spam.

Our sincere condolences on the passing of Paul Walker.

 


Spamchat: Porn Spam and "Secret Admirer" Spam Targeting Snapchat Users

Over the past week, users of the photo messaging app Snapchat may have noticed a surge in the number of spam snaps (Snapchat calls photos "snaps"). The Snapchat service is currently infiltrated by countless spam accounts, which are spreading spam snaps of women exposing their breasts.

Figure 1. Spam accounts on Snapchat

Snapchat users are now receiving a stream of requests from similarly named accounts in the format "[female name]snap_####". Each request comes with a pending snap from the spam account. The Snapchat app has privacy settings that allow you to accept snaps only from friends, but add requests from unknown users still arrive. Some Snapchat users Symantec spoke with also noted an increase in such requests over the past week.

Figure 2. Example of a spam snap showing a woman exposing her breasts

Accepting such a request results in spam snaps of naked women being sent. The photos are not identical, but every snap carries the comment "Add me on KIK for nudes swap" together with a username for Kik Messenger, an instant messaging app for mobile devices.

Switching to Kik Messenger gives spammers an opening to use porn bots. These are spam accounts that try to engage users with scripted lines promising to send more nude photos.

To see the nude photos the porn bot promises, the user must first tap a link to install a mobile app. To make sure the user has actually installed the app, the bot asks for a screenshot of the app as proof before sending the photos.

Figure 3. Example of a porn bot on Kik Messenger

Tapping the link triggers several redirects through affiliate programs, eventually landing on the page for a game listed in Apple's iOS App Store or the Google Play store. One of the destination apps had a review mentioning the Snapchat spam.

Figure 4. Snapchat spam pointed out in an App Store review

These spam campaigns make money through affiliate programs that pay for each completed install, which is why the porn bot asks for proof of installation in its chat script. According to Symantec's research, at least 30,000 click-throughs occurred across several shortened URLs, but given that several campaigns may be running with several shortened URLs, this figure could be even higher.

As we have pointed out in previous blogs (link 1, link 2), when a service's popularity rises, spammers do not overlook it. With 350 million messages sent on Snapchat every day, it is no surprise that spammers are targeting it.

Separately from the porn spam, a spam campaign has also emerged that targets Snapchat users with a "secret admirer" lure and tries to direct them to a website called SnapCrush. This website collects usernames and likewise redirects users through a series of affiliate programs. The goal is the same: tricking users into installing mobile apps.

Figure 5. New spam campaign on Snapchat

At present, there is no feature that lets Snapchat users report such accounts as spam from within the app. For the time being, to report a spam account, use the "Report Spam" section on Snapchat's support site.
 
 

Latest Storage Foundation High Availability Solutions, Data Insight & VOM patches


 

https://sort.symantec.com/patch/latest

Rank | Product | Release type | Patch name | Release date
---- | ------- | ------------ | ---------- | ------------
1 | Symantec File System 5.0MP2 | Rolling Patch | fs-hpux1123-5.0MP2RP9 | 2013-12-03
2 | Symantec File System 6.0.1 | Hot Fix | fs-rhel6_x86_64-6.0.3.200 | 2013-11-29
3 | Oracle Disk Manager 5.0MP2 | Rolling Patch | odm-hpux1123-5.0MP2RP3 | 2013-11-22
4 | Symantec Data Insight 3.0.1 | Rolling Patch | data_insight-3.0.1RP8a | 2013-11-20
5 | CPI 6.0.1 | Hot Fix | cpi-6.0.1.800 | 2013-11-17
6 | Symantec Data Insight 4.0 | Hot Fix | data_insight-win-4.0RP1HF1 | 2013-11-15
7 | Veritas Operations Manager 5.0 | Hot Fix | vom-HF050001961-39 | 2013-11-15
8 | Veritas Operations Manager 4.1 | Hot Fix | vom-HF040101190-20 | 2013-11-15
9 | Oracle Disk Manager 5.0 | Rolling Patch | odm-hpux1131-5.0RP5 | 2013-11-12
10 | Symantec Storage Foundation 5.1SP2 | Hot Fix | sfw-win-Hotfix_5_1_20084_87_3319824A | 2013-11-06
11 | CPI 6.0.4 | Hot Fix | cpi-oel6_x86_64-6.0.4.100 | 2013-11-05
12 | Symantec Cluster Server 6.0.2 | Hot Fix | vcs-sles11_x86_64-VRTSvcsag-6.0.4.100 | 2013-11-01
13 | Symantec Cluster Server 6.0.2 | Hot Fix | vcs-sles10_x86_64-VRTSvcsag-6.0.4.100 | 2013-11-01
14 | Symantec Cluster Server 6.0.2 | Hot Fix | vcs-rhel6_x86_64-VRTSvcsag-6.0.4.100 | 2013-11-01
15 | Symantec Cluster Server 6.0.2 | Hot Fix | vcs-rhel5_x86_64-VRTSvcsag-6.0.4.100 | 2013-11-01
16 | Symantec Data Insight 4.0 | Rolling Patch | data_insight-4.0RP1b | 2013-10-31
17 | Veritas Operations Manager 4.1 | Hot Fix | vom-HF040101190-30 | 2013-10-30
18 | Veritas Operations Manager 5.0 | Hot Fix | vom-HF050001960-38 | 2013-10-30
19 | Symantec FileStore 5.6 | Hot Fix | sfs-sles10_x86_64-5.6RP1P4HF7 | 2013-10-29
20 | Symantec Storage Foundation 6.0.1 | Hot Fix | sfw-win_x64-CP2_SFW_601 | 2013-10-29
21 | Symantec Cluster Server 6.0.1 | Hot Fix | vcs-win_x64-CP2_SFWHA_601 | 2013-10-29
22 | Symantec Cluster Server 6.0.1 | Hot Fix | vcs-win_x64-CP2_VCSW_601 | 2013-10-29
23 | Symantec Cluster Server 6.0.1 | Hot Fix | vcs-sol11_sparc-VRTSamf_6.0.3.200 | 2013-10-25
24 | Symantec Cluster Server 6.0.1 | Hot Fix | vcs-sol10_x64-VRTSamf_6.0.3.200 | 2013-10-25
25 | Symantec Cluster Server 6.0.1 | Hot Fix | vcs-sol10_sparc-VRTSamf_6.0.3.200 | 2013-10-25
26 | Symantec Cluster Server 5.1SP1 | Hot Fix | vcs-aix-VRTSllt-51SP1RP4P1 | 2013-10-23
27 | Symantec Cluster Server 6.0.4 | Platform Release | vcs-oel6_x86_64-6.0.4 | 2013-10-22
28 | Symantec Storage Foundation HA 6.0.4 | Platform Release | sfha-sles11_x86_64-6.0.4 | 2013-10-22
29 | Symantec Storage Foundation 6.0.1 | Hot Fix | sfw-win_x64-sym_vssrdr_win2k8 | 2013-10-21
30 | Veritas Operations Manager 5.0 | Hot Fix | vom-HF050001960-37 | 2013-10-21

 

Sign up to SORT notifications to receive automatic updates on new Patches, ASLs, Agents and HCLs.

Dangerous New Banking Trojan Neverquest Is an Evolution of an Older Threat

There has been recent media coverage around a new online banking Trojan, publicly known as Neverquest. Once Neverquest infects a computer, the malware can modify content on banking websites opened in certain Internet browsers and can inject rogue forms into these sites. This allows attackers to steal login credentials from users. The threat can also let attackers take control of a compromised computer through a Virtual Network Computing (VNC) server. Neverquest can replicate itself by stealing login details and spamming out the Neverquest dropper, by accessing FTP servers to take credentials in order to distribute the malware with the Neutrino Exploit Kit and by obtaining social networking credentials to spread links to infected websites. 
 
Symantec’s analysis of the Neverquest Trojan has found that the malware is the ongoing evolution of a threat family that Symantec detects as Snifula, which was first seen back in 2006. Our analysis of the Neverquest Trojan’s code has shown similarities with older samples of the Snifula family (in particular Backdoor.Snifula.D). We have also observed that network infrastructure previously used by Snifula has close ties to the Neverquest Trojan. Symantec can confirm that we already had protection in place for this new threat under various generic detection names from when we first encountered the malware back in mid-April 2013. Detection has since been broken out for this threat as Trojan.Snifula.
 
Similarities
As mentioned, the code of Trojan.Snifula (also known as Neverquest) shows similarities with older samples of the Snifula family. The executables of the two threats have a different structure and functionality, but they do share some unique pieces of code that link them together. For example, the following pictures illustrate the code used to send eight bytes of data on the network, where the first four bytes contain the specific marker “26A6E848.”
 
Figure 1. Trojan.Snifula (Neverquest) code related to outbound network traffic
 
Figure 2. Backdoor.Snifula.D version of the same code from Figure 1
 
The code is nearly identical and the marker is unique, meaning that this code was not taken from a publicly available source. This is not the only resemblance of course; you can find many other similarities.
 
Figure 3. Trojan.Snifula (Neverquest) code for logging the current process ID
 
Figure 4. Same code from Backdoor.Snifula.D
 
This code logs the malicious process ID along with the current time. Both the code and the string are identical in the two threats, both of which also make use of the CRC and aPLib algorithms and several common strings.
 
Command-and-control infrastructure
We also found hints of a connection between the two threats by looking at the command-and-control (C&C) network infrastructure used by Trojan.Snifula (Neverquest). The IP address 195.191.56.245 was used as a C&C server by Trojan.Snifula. One of only two domains known to be hosted on that IP address is FyXqgFxUmihXClZo.org. This domain is known to be owned by Aster Ltd. In total, we know that Aster Ltd owns 26 domains.
 
The Aster Ltd domains Pluss.com.tw and Countdown.com.tw are hosted on the IP address 195.210.47.173. Symantec has linked this IP address to an active C&C server used by Backdoor.Snifula.D in February and March of 2013. Other domains owned by Aster Ltd, such as Sparkys3.net and Facestat.com.tw, are being hosted on the IP address 195.137.188.59, another known C&C IP address for Trojan.Snifula.  
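As an added illustration (not code from Symantec or the original post), the following Python sketch applies the indicators given in this analysis, the three C&C IP addresses and the eight-byte message whose first four bytes carry the marker 26A6E848, to constructed flow records. Because the figures are not reproduced here, the byte order of the marker is an assumption and both orders are checked; the Aster Ltd domain names are flagged only as leads for review, since the text ties them to the servers rather than calling them C&C on their own.

```python
import struct
from dataclasses import dataclass

# C&C addresses named in the analysis above.
KNOWN_C2_IPS = {"195.191.56.245", "195.210.47.173", "195.137.188.59"}
# Aster Ltd domains the post ties to those servers; a hit is a lead to
# investigate, not proof of infection by itself.
LINKED_DOMAINS = {
    "fyxqgfxumihxclzo.org", "pluss.com.tw", "countdown.com.tw",
    "sparkys3.net", "facestat.com.tw",
}

# The post describes an eight-byte send whose first four bytes carry the
# marker 26A6E848. The figure is not reproduced here, so the byte order is
# an assumption: both the little-endian DWORD and the big-endian form are
# accepted.
MARKER = 0x26A6E848
MARKER_FORMS = {struct.pack("<I", MARKER), struct.pack(">I", MARKER)}

REASON_C2_IP = "destination is a C&C IP from the analysis"
REASON_DOMAIN = "host name is tied to the C&C infrastructure"
REASON_MARKER = "payload starts with marker 26A6E848"


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes
    host: str = ""      # HTTP Host header or SNI, if the sensor recorded one


@dataclass
class Alert:
    index: int
    src: str
    reasons: list


def has_marker(payload):
    """True if the payload is at least the eight-byte record and opens with the marker."""
    return len(payload) >= 8 and payload[:4] in MARKER_FORMS


def triage(flows):
    """Return one Alert per flow that matches any indicator, in input order."""
    alerts = []
    for i, f in enumerate(flows):
        reasons = []
        if f.dst in KNOWN_C2_IPS:
            reasons.append(REASON_C2_IP)
        if f.host.lower() in LINKED_DOMAINS:
            reasons.append(REASON_DOMAIN)
        if has_marker(f.payload):
            reasons.append(REASON_MARKER)
        if reasons:
            alerts.append(Alert(i, f.src, reasons))
    return alerts


def hosts_to_investigate(alerts):
    """Internal sources that produced at least one alert, deduplicated and sorted."""
    return sorted({a.src for a in alerts})


# Constructed sample flows (RFC 5737 documentation addresses for the benign
# destinations); the payload hex is made up to exercise the checks.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "195.191.56.245", 80, bytes.fromhex("48e8a62601000000")),
    Flow("10.0.0.6", "203.0.113.10", 443, bytes.fromhex("160301")),
    Flow("10.0.0.7", "198.51.100.20", 8080, bytes.fromhex("26a6e84800000002")),
    Flow("10.0.0.9", "195.137.188.59", 80,
         b"GET / HTTP/1.1\r\nHost: sparkys3.net\r\n", host="sparkys3.net"),
    Flow("10.0.0.6", "203.0.113.11", 80,
         b"GET /index.html HTTP/1.1\r\n", host="www.example.com"),
]

if __name__ == "__main__":
    found = triage(SAMPLE_FLOWS)
    for a in found:
        print(f"flow {a.index} from {a.src}: " + "; ".join(a.reasons))
    print("investigate:", hosts_to_investigate(found))
```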
 
The Snifula family
Symantec has encountered numerous new variants of the Snifula family over the years. The arrival of Trojan.Snifula, which uses more sophisticated techniques to grow and to steal from victims, was an expected evolution of the Snifula family. Given that the Snifula threat family has been evolving and growing for years now, we don’t expect the malware to leave the threat landscape anytime soon.  
 
To protect against this threat, Symantec also has the following Intrusion Prevention System (IPS) signature.
  • System Infected: Trojan.Snifula Activity
 
Symantec will continue to monitor the Snifula threat family to ensure that the best possible protection is in place for this threat. We recommend using Norton Internet Security or Symantec Endpoint Protection to best protect against attacks of this kind.

Protecting Data from a Cyber Attack


As most of us have come to realize, not all data is created equal, and it should not be protected equally. Let's face it: treating everything equally yields nothing but failure, frustration and a big bite out of your budget. That being said, we do need to protect our most valuable data from cyber attacks appropriately, based on risk and value or possible compliance requirements. What would happen if your most important data was encrypted by malware and held for ransom? There is a very nasty piece of malware named Cryptolocker that is doing just that.

Cryptolocker is a very nasty piece of malware that encrypts Windows file shares and locks users out of their files. The malware encrypts Office documents and other commonly used documents, then denies access to the files. Users are required to pay $300 to have the files decrypted, and have a limited time, 72 hours, to do so before the private key is destroyed. Researchers at Symantec estimate that one ransomware syndicate clears about $5 million per year.

I have been discussing this recently with a few customers and have come to some conclusions. The general user segment cannot be trusted. We must segment our networks to protect our most precious data and only allow access through secure means. This may be a virtualized environment where the data never enters the end-user machine, or it may mean moving that user and their resources into a segment with higher security controls. Again, this is not for all users, but only for those with access to the keys to the kingdom.

In some environments segmentation may not work, because they are very decentralized. In these cases, increased controls on the workstation must be used, including forcing users to classify data, together with advanced threat protection. If users are forced to tag data on creation and a data loss prevention solution can monitor it, we have a chance; this must be combined with encryption and multifactor authentication.

These solutions are not easy on anyone, but if we truly want to protect our data, they are necessary.

Third-Party Vendor Risk Assessment: Why It Matters?


by Vivian Tero, Data Center Security & Compliance, Information Security Group, Symantec Corp.

Today, the notion of “supply chain” has gone beyond the traditional physical flow of goods and services to include the flow of data across the business ecosystem. In the digital supply chain, data is the valuable asset that must be protected, shared securely, managed and archived according to corporate, regulatory and legal mandates. In this world of highly digitized services, businesses increasingly realize that they may outsource activities to a third party but are still held accountable, not only for their own activities, but also for those of their suppliers and business partners. In regulated industries, a third- or fourth-party vendor’s lack of accountability to regulators may leave a business exposed to civil and even criminal penalties. As the threat landscape continues to evolve, the onus is therefore on businesses to practice continuous due diligence on their information supply chain.

Symantec and Prevalent recently hosted an expert online panel discussion on cybersecurity and third-party risks. The key takeaways from this session include the following:

  • Businesses have very little visibility into the information that is being shared, with whom the information is being shared, and the security practices and protocols of third and fourth parties that have access to the information.
  • Businesses also have very little visibility into the provenance of the data that is entering its networks.
  • Businesses assume that security standards are consistently enforced within the organization, in many instances failing to take into account differences in standards and resource constraints across their geographically dispersed business units and data centers.
  • Malicious hackers and data grabbers are increasingly targeting the less secure, smaller third- and fourth-party partners or a business’ regional or field units as backdoors to the parent organization’s data centers.
  • Recommended best practices for addressing third-party vendor risks include the following:
    • Having strong governance controls in terms of assessing partners.
    • Educating the business owners so that risk assessment is incorporated at the beginning of every partner/supplier engagement, instead of having this treated as a “checkbox” assessment.
    • Tiering vendor risk assessment standards and practices according to the security profile of the data and systems that are shared.
    • Conducting a data mapping exercise to help the business scope the data access and sharing rules with its partners and suppliers.
    • Automating the policies and business processes for risk assessment to ensure consistent enforcement and legal defensibility.
    • Conducting periodic assessments of one’s vendor risk management maturity, to help businesses baseline their strengths, identify their deficiencies, and programmatically plan and execute their remediation activities.

 

To learn more about third party vendor risk assessment solutions, see Control Compliance Suite – Vendor Risk Manager Data Sheet.

To view a replay of the web panel discussion on cybersecurity and third-party vendor risk management, click here.

 

 

 

 


PAYING THE PRICE FOR SUCCESS: CYBERCRIME AND THE MIDDLE EAST


As we wrote in our previous blog, the Middle East and North Africa (MENA) region is enjoying booming economic growth.

These are exciting times. That said, such success also has its downsides. While e-commerce is on a rapid upward trajectory, particularly in the banking and travel sectors, it has made many MENA businesses highly attractive to cybercriminals looking to cash in on any vulnerability they can exploit.

How exposed the region is can best be illustrated by the targeting of its oil and gas sector. Last year it was hit by an attack using the Shamoon malware (W32.Disttrack), which wipes files and can render large numbers of computers on a network unusable. Saudi Arabia's national oil company, Saudi Aramco, was hit directly: around 30,000 of its computers were knocked out and its network was taken offline. Only days later, in Qatar, computer systems at energy firm RasGas, one of the world's largest producers of liquefied natural gas, were also taken offline by a similar attack.

What exactly can Shamoon do once it gets inside an organisation? A great deal of damage. Using purpose-built malware with both 32-bit and 64-bit components, it is able to:

  • Spread itself to other machines across the network
  • Send data from the infected machines back to the attackers
  • Wipe the disks of the infected machines.

But attacks go well beyond that in scale and intent. In some cases they are designed to cause maximum disruption for political reasons; in others the aim is brand damage or market manipulation. Mostly, though, these assaults are financially motivated, and they are only increasing. As the MENA region's economy prospers, cybercriminals are looking to prosper alongside it.

One favoured method of trapping the unsuspecting is the 'watering hole' attack. Just as a lion lies in wait where its prey comes out into the open to drink, believing itself safe, attackers seek out targets with their guard down. One particularly successful (for the perpetrator, that is) watering hole attack infected 500 organisations in a single day. The attacker picks a particular group of victims (an organisation, industry or region, such as MENA) and then:

  • Identifies which websites that group uses most often
  • Exploits a vulnerability in one or more of those sites to plant malware on them
  • Waits for members of the targeted group to visit and become infected.

Once that process is complete, the trap is sprung and the victim is ensnared. Google, Apple, Twitter and Facebook have all been victims of such attacks after employees visited a site popular with iOS app developers.
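What a compromised watering hole looks like from the site owner's side is an injected loader: a script or iframe that pulls the exploit from a host the attacker controls. The following is an added example, not code from the original post, showing how a site integrity check can surface such an injection by listing every element that loads executable content and comparing its host against an allowlist of hosts the site legitimately uses, with hidden (0x0) iframes flagged separately. The allowlist, the hostnames and the two sample pages are constructed for the example and do not come from any real site.

```python
"""Find injected third-party scripts and hidden iframes in a page's HTML.

Added example, not code from the original article. A watering-hole attack
plants a <script> or <iframe> on a site its targets trust, loading the
exploit from a host the attacker controls. Listing every element that
loads executable content and comparing its host with an allowlist of the
hosts the site legitimately uses, plus flagging iframes sized or styled
to be invisible, surfaces such injections. The allowlist and the two
sample pages are constructed (documentation hostnames and a TEST-NET
address), not taken from any real site.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# element -> attribute naming the resource it loads
LOADER_ATTRS = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}


class _LoaderCollector(HTMLParser):
    """Collect every element that pulls executable content from a URL."""

    def __init__(self):
        super().__init__()
        self.found = []  # list of (tag, {attr: value})

    def handle_starttag(self, tag, attrs):
        if tag in LOADER_ATTRS:
            self.found.append((tag, dict(attrs)))


def _attr(attrs, name):
    return (attrs.get(name) or "").strip()


def _host_of(url):
    """Hostname of an absolute or protocol-relative URL; '' for relative ones."""
    netloc = urlparse(url.strip()).netloc.lower()
    return netloc.rsplit("@", 1)[-1].split(":", 1)[0]


def _is_allowed(host, allowed):
    """True if host is one of the allowed hosts or a subdomain of one."""
    return any(host == a or host.endswith("." + a) for a in allowed)


def _is_hidden_frame(tag, attrs):
    """A 0x0 or display:none iframe is the classic drive-by loader."""
    if tag != "iframe":
        return False
    style = _attr(attrs, "style").replace(" ", "").lower()
    return (_attr(attrs, "width") == "0" or _attr(attrs, "height") == "0"
            or "display:none" in style or "visibility:hidden" in style)


def find_injected_resources(html, allowed_hosts):
    """Return (tag, url, reason) for each resource worth a closer look.

    reason is 'unknown-host' when a script/iframe/embed/object loads from a
    host outside allowed_hosts, or 'hidden-iframe' for an iframe sized or
    styled to be invisible, wherever it loads from. Relative URLs count as
    first party.
    """
    collector = _LoaderCollector()
    collector.feed(html)
    allowed = {h.lower() for h in allowed_hosts}
    hits = []
    for tag, attrs in collector.found:
        url = _attr(attrs, LOADER_ATTRS[tag])
        host = _host_of(url)
        if host and not _is_allowed(host, allowed):
            hits.append((tag, url, "unknown-host"))
        elif _is_hidden_frame(tag, attrs):
            hits.append((tag, url, "hidden-iframe"))
    return hits


# Constructed sample pages for the demonstration.
CLEAN_PAGE = """<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.bank.example/lib/jquery.js"></script>
</head><body>
<iframe src="https://bank.example/chat" width="300" height="400"></iframe>
</body></html>"""

# Same page with the two additions a watering-hole compromise would leave behind.
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<script src="http://198.51.100.7/counter.js"></script>\n'
    '<iframe src="/ads/frame.html" width="0" height="0"></iframe>\n</body>')


if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, find_injected_resources(page, ["bank.example"]) or "no findings")
```

Run periodically against the live pages and diffed against the previous run, this kind of check catches the injection itself rather than relying on the exploit payload being recognised; an injected loader pointing at an IP address or a freshly registered domain is worth investigating even before the payload is analysed.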

For those intent on enjoying a share of MENA's burgeoning prosperity while avoiding the damage inflicted by cybercriminals, it is vital that anyone who engages with your business remains safe, particularly when conducting online transactions. One way to establish that is by using SSL and a trust mark such as the Norton Secured Seal.

SSL certificates should be the starting point for any ecommerce site, or any site that asks customers to submit personal information. Even for companies that don't collect personal information, SSL is still a must: it authenticates the site to the visitor and encrypts traffic in transit, so that credentials and session data cannot be read or tampered with on the way. It does not, however, protect the server itself from compromise, so if you are operating in the region or looking to do so, you also need a series of best-practice measures in place, such as:

Advanced Reputation Security: detect and block new and unknown threats based on global reputation and ranking.

Layered Endpoint Protection: use more than just AV. Use the full functionality of endpoint protection, including heuristic, reputation-based and behaviour-based technologies; restrict removable devices and turn off auto-run to prevent malware infection.

Layered Network Protection: monitor globally for network intrusions, propagation attempts and other suspicious traffic patterns, including with reputation-based technologies; network protection is more than just blacklisting.

Security Awareness Training: make employees the first line of defence against socially engineered attacks such as phishing and spear phishing.

Website Security Solutions from Symantec: SSL certificates with added website malware scanning and web vulnerability assessment, to reduce the chance that your site is compromised and turned against its own visitors.

Most of all, create and enforce security policies so that all confidential information is encrypted, and monitor globally for network intrusions, propagation attempts and other suspicious traffic patterns, including with reputation-based technologies.

On which note, according to a survey carried out recently by the independent web research organisation Baymard Institute, in conjunction with Google, the Norton Secured Seal is by far the most trusted site seal, nearly 13 percentage points ahead of its nearest rival (http://baymard.com/blog/site-seal-trust). It was the seal that gave customers the strongest sense of trust when purchasing online, making it the de facto choice.

For any business intent on capturing and keeping customers in the MENA region by establishing the highest levels of trust and trustworthiness, such reassurance will play a major role in the days ahead, as the internet spreads its reach even farther and e-commerce gathers ever greater momentum.

To learn more please visit go.symantec.com/ssl

Free Yourself From The Office: The ITMS iPad App is Now Available


Enjoy a consistent endpoint management experience from console to iPad. The ITMS Admin app is a mobile extension of the Symantec Management Console. It lets you monitor client computers and check Patch, Inventory and Software data. The app supports Symantec IT Management Suite 7.5 or higher.

The English version is now available for download from the App Store in the US, UK, Singapore, India, Australia, Canada and New Zealand.

For information on the app, its installation and usage, see the following link:

http://www.symantec.com/business/support/index?pag...

 

Over 2 million Facebook, Google, Twitter passwords stolen - Again !

The gory details are in the article, but essentially it is the same story: passwords harvested by key-logging malware, very simple. The solution to stop this happening every time is also simple: use two-factor authentication. All of the major sites whose users were affected offer it. It is (relatively) simple to use and thwarts this kind of attack: even if your username and password are compromised, the second factor stands between the attacker and your account.

Symantec VIP is a leading cloud-based strong authentication service. It generates one-time passcodes on your phone. In an age when we all carry a cell phone, probably more than one, why not also use it as the second factor? It removes the hassle of carrying an additional piece of hardware.

Next time you are liking, poking or hashtagging your selfies, make sure unauthorised users can't pry into your content and take over your account. Enable two-factor authentication.

It is simple, smart, and provides strong authentication.

Fake Twitter experiment: scammers abuse Twitter's recommendations


On December 2, many Twitter users were tricked into following fake Twitter accounts named @VerifiedReport and @MagicReports. Both claimed to be part of an experiment Twitter was running between users and news organisations or journalists. They followed large numbers of Twitter users while tweeting: "This is a Twitter experiment. We are changing the way users interact with journalists and news organizations."
 

Twitter Exp 1.png

Figure 1. Notification from MagicRecs about @VerifiedReport
 

In many cases, what drew users' attention to these two accounts was a notification from @MagicRecs, a legitimate Twitter account.
 

Twitter Exp 2.png

Figure 2. Twitter's experimental account MagicRecs
 

MagicRecs is an experimental account created by Twitter that "sends personalised recommendations as direct messages (DMs) when something interesting happens in your network". The service was recently integrated as a feature of Twitter's mobile apps; according to Twitter, "you can now receive push notifications when several of the people you follow, in quick succession, follow a particular user or favourite or retweet a particular tweet".

Users who have used @MagicRecs trust it, so it is no surprise that scammers would try to borrow the credibility of a legitimate service to fabricate a fake experiment.

Some users doubted whether the two accounts were genuine, but others, including Twitter employees, followed them, particularly after @MagicRecs had recommended them.

 

 

Twitter has since suspended both accounts, but other suspicious accounts remain active: @MagicFavs, @MagicSmacks and @MagicSext, each of which has been recommended by @MagicRecs and has close to 1,000 followers.

Symantec has confirmed that neither of the suspended accounts attempted to send links via DM. The intent behind these accounts remains unclear, but at the very least they are a reminder that scammers keep trying new tactics to trick unwary Twitter users into clicking links, with the aim of stealing login credentials or making money through affiliate programs.

Even when using a legitimate service such as @MagicRecs, be careful about which accounts you follow. In particular, when an account claims to be owned by Twitter, check whether it is a Twitter-verified account. If something looks suspicious, remember that there is a good chance it is a fraudulent account.

 

* To subscribe to the RSS feed of the Japanese-language Security Response blog, go to http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja.


Bitcoin boom prompts a flood of virtual bank robberies


The value of the virtual currency Bitcoin has surged dramatically in recent weeks, and fears are growing that a bubble is forming. As investors pile in, a crash in prices isn't the only thing they have to worry about. Over the past few weeks there has been a spate of incidents in which Bitcoin wallet and banking services have been attacked and millions of dollars' worth of the currency stolen.
 

Bitcoin Thefts 1.png

Figure 1. Size of recent Bitcoin heists (US$ value on November 29)
 

Multi-million dollar heists

The current wave of attacks began on November 7, when Australian Bitcoin wallet service Inputs.io announced that it had closed after being attacked twice. Around 4,100 Bitcoins (US$4.34 million at the time of writing) were stolen. According to Inputs.io, the attackers bypassed two-factor authentication by exploiting a flaw on the server host's side. The attacks left the site unable to pay back all of its users' balances.

Why did people keep their Bitcoins with Inputs.io? One of its services "mixed wallets", swapping Bitcoins between users. It was effectively a kind of anonymising service that made Bitcoin transactions harder to trace. However, giving Inputs.io that level of access to users' wallets may be exactly what made it vulnerable to attack.

Inputs.io was run by a young Australian known by the alias TradeFortress. In an interview with Australia's ABC News after the theft, he denied stealing the Bitcoins himself. Curiously, he also said he did not intend to report the incident to the police. "The police don't have access to any more information than any user does when it comes to Bitcoin. Some say it gives them control of their money," he said.

A few days later the next incident occurred, this time in China. Bitcoin exchange GBL abruptly shut down its site on November 11, and US$12.7 million of investors' money disappeared with it. Closer investigation revealed that GBL was a scam: it asserted it was licensed by the Hong Kong government, but it was merely registered there as a business and held no licence to operate as a financial services company.

Shortly afterwards came reports of an attack on Czech Bitcoin exchange Bitcash.cz. Around 4,000 people were affected and losses totalled US$514,000. Apparently not satisfied with that haul, the attackers then used Bitcash.cz's email address to send a message to the site's users claiming that a US recovery firm was being engaged to retrieve the stolen funds, and asking each user to contribute 2 Bitcoins toward the cost.

In the most recent incident, Danish Bitcoin payment processor and wallet provider BIPS was compromised; the company confirmed this week that the breach was the result of a coordinated attack. BIPS said several consumer wallets were broken into and an estimated 1,295 Bitcoins (roughly US$1.37 million) were stolen, although most of the stolen Bitcoins belonged to BIPS itself rather than to its customers. Following the attack, BIPS announced that it was discontinuing its consumer wallet service to focus on merchant processing.
 

Protecting your assets

Bitcoin is commonly described as secure, but only in the sense that it cannot be counterfeited (and even that may not hold forever). As the recent thefts show, it is not secure in the sense of being impossible to steal.

So what can be done to prevent Bitcoin theft? Judging by the kinds of attack seen so far, the top priority is to take great care over where you keep your Bitcoins. GBL, for instance, claimed to be licensed by the Hong Kong government when it was not. Similarly, Inputs.io's wallet-mixing service may have appealed to privacy-conscious users, but the level of access it had to users' funds may have been a security risk.

After the attack on Inputs.io, its operator TradeFortress said: "I don't recommend storing any Bitcoins accessible on computers connected to the internet." Following the attack on BIPS, the company's CEO Kris Henriksen likewise promptly revised his view of online wallet security, going so far as to advise employees not to use online wallets at all.

Many people assume that an online virtual wallet is the only place Bitcoins can be kept, but they can in fact be stored offline. To do this, first create a wallet stored on an offline device such as a USB stick, then send your Bitcoins to that wallet's address. Creating an offline wallet is somewhat cumbersome, but it is the recommended approach and, in theory at least, safer than online storage. Technically the Bitcoins themselves remain online; it is the private key, which is the means of accessing them, that goes offline.

Offline storage can be taken a step further by creating a paper wallet, with no electronic device involved at all. A paper wallet carries the same risks as cash, however, so it must be kept somewhere safe.
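What actually goes on the USB stick or the piece of paper is the private key, and the format used to write it down matters. The following is an added example, not code from the original article or from any wallet software, showing how a key is encoded in Wallet Import Format (Base58Check) and why that format suits a paper wallet: a four-byte checksum means a mistyped character is rejected instead of silently yielding a key that controls nothing. The key in the usage example is the publicly documented sample key from the Bitcoin wiki's WIF page, not one that holds funds; a real key would be generated on the offline machine with generate_offline_key().

```python
"""Encode a Bitcoin private key for an offline or paper wallet (WIF, Base58Check).

Added example, not from the article. A paper wallet is just the private key
written down in Wallet Import Format (WIF): a version byte, the 32-byte key
and a 4-byte checksum (first 4 bytes of SHA-256(SHA-256(payload))), encoded
in Base58. The checksum is what makes the format safe to transcribe by
hand: a mistyped character fails the check instead of silently pointing at
an unspendable key. The key used in __main__ is the well-known example from
the Bitcoin wiki's WIF page, not a key that holds funds.
"""
import hashlib
import os

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
WIF_VERSION = b"\x80"  # mainnet private key, uncompressed form
SECP256K1_ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def _double_sha256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def base58check_encode(payload: bytes) -> str:
    """Base58 of payload || first 4 bytes of double-SHA-256(payload)."""
    data = payload + _double_sha256(payload)[:4]
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    # each leading zero byte is encoded as a leading '1'
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def base58check_decode(text: str) -> bytes:
    """Inverse of base58check_encode; raises ValueError on a bad character or checksum."""
    n = 0
    for ch in text:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid Base58 character {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(text) - len(text.lstrip("1"))
    data = b"\x00" * pad + body
    payload, checksum = data[:-4], data[-4:]
    if _double_sha256(payload)[:4] != checksum:
        raise ValueError("checksum mismatch: the key was mistyped or corrupted")
    return payload


def private_key_to_wif(key: bytes) -> str:
    """Raw 32-byte key -> WIF string suitable for printing on a paper wallet."""
    if len(key) != 32:
        raise ValueError("a raw private key is exactly 32 bytes")
    return base58check_encode(WIF_VERSION + key)


def wif_to_private_key(wif: str) -> bytes:
    """WIF string (as typed back in from paper) -> raw 32-byte key, checksum verified."""
    payload = base58check_decode(wif)
    if payload[:1] != WIF_VERSION or len(payload) != 33:
        raise ValueError("not an uncompressed mainnet WIF key")
    return payload[1:]


def generate_offline_key() -> bytes:
    """Fresh key from the OS CSPRNG, rejecting the (negligibly rare) values
    outside the valid secp256k1 scalar range. Run this on the air-gapped machine."""
    while True:
        k = os.urandom(32)
        if 0 < int.from_bytes(k, "big") < SECP256K1_ORDER:
            return k


if __name__ == "__main__":
    sample = bytes.fromhex("0C28FCA386C7A227600B2FE50B7CAE11EC86D3BF1FBE471BE89827E19D72AA1D")
    print(private_key_to_wif(sample))
```

Deriving the public address from the key needs elliptic-curve arithmetic that is left out here; the point of the example is the encoding and the checksum, which are what make a hand-copied key recoverable and a miscopied one detectable.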

Online service providers are also stepping up security. Mt. Gox, one of the world's largest Bitcoin exchanges, has added an extra layer of security by introducing a one-time password (OTP) card, which it says will be sent to all users shortly. According to Mt. Gox, the card can be used on its own or combined with another two-factor authentication method, such as a Yubikey, a USB key that is plugged in to confirm the user's identity.

Once the card is registered in the Mt. Gox account settings, the account can be configured to require an additional password at login. Pressing the button on the card generates a unique password for each login.
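A button-press card like the one described above is an event-based one-time password generator, and the phone-based passcodes recommended in the "Over 2 million Facebook, Google, Twitter passwords stolen" post above are usually time-based; both serve the same purpose of making a keylogged or phished code worthless after one use. The following is an added example, not Mt. Gox's or Symantec VIP's code, implementing HOTP (RFC 4226) and TOTP (RFC 6238) together with the server-side checks that actually provide the protection: remembering the last accepted counter so a code cannot be replayed, and a small look-ahead or drift window so a missed button press or clock skew does not lock the user out. The shared secret and clock values are the RFC test vectors, not real credentials.

```python
"""Event- and time-based one-time passcodes (HOTP, RFC 4226; TOTP, RFC 6238).

Added example, not Symantec VIP's or Mt. Gox's code. Both schemes derive
each code from a shared secret with HMAC; the server side below is what
turns that into replay protection. Secret and times are the RFC test
vectors, not real credentials.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: Optional[float] = None, step: int = 30,
         digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter set to the current time step (30 s by default)."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // step, digits, digestmod)


class HotpVerifier:
    """Server-side state for a counter-based token such as a button-press OTP card.

    The server remembers the last counter it accepted and never accepts that
    code, or any earlier one, again; that is what makes a captured code
    worthless. A look-ahead window tolerates presses that never reached us.
    """

    def __init__(self, secret: bytes, look_ahead: int = 10, digits: int = 6):
        self.secret, self.look_ahead, self.digits = secret, look_ahead, digits
        self.last_counter = -1

    def verify(self, code: str) -> bool:
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.last_counter = c  # resynchronise and burn this code
                return True
        return False


class TotpVerifier:
    """Server-side check for a time-based token: allow `drift` steps of clock
    skew either way, but never accept a time step that was already used."""

    def __init__(self, secret: bytes, step: int = 30, drift: int = 1, digits: int = 6):
        self.secret, self.step, self.drift, self.digits = secret, step, drift, digits
        self.last_step = -1

    def verify(self, code: str, now: Optional[float] = None) -> bool:
        if now is None:
            now = time.time()
        current = int(now) // self.step
        for s in range(current - self.drift, current + self.drift + 1):
            if s > self.last_step and hmac.compare_digest(
                    hotp(self.secret, s, self.digits), code):
                self.last_step = s
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 4226/6238 test secret, not a real one
    print("card press 0..2:", [hotp(secret, c) for c in range(3)])
    print("phone code now :", totp(secret))
```

Note that hmac.compare_digest is used for the code comparison so that a verifier does not leak, through timing, how many leading digits of a guess were right; with a six-digit code and an attacker who can submit many guesses, rate limiting on the login endpoint is the other half of the control.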
 

The soaring value of Bitcoin

The surge in Bitcoin thefts is undoubtedly related to the fact that Bitcoin's value has soared over the past few weeks. At the time of writing, one Bitcoin is worth roughly US$1,060. Its value has risen 45-fold since the start of the year, with most of that rise in the past few weeks; a month ago, Bitcoin was trading at around US$190.

As a result, even people who owned only a small amount of Bitcoin now hold something valuable. Nothing illustrates this better than the story of an IT professional who realised that a laptop he had thrown away still contained a wallet holding 7,500 Bitcoins. He had mined them himself in 2009, when they were worth only a few dollars.
 

Bitcoin Thefts 2.png

Figure 2. Bitcoin to US dollar exchange rate over the past six months (data source: bitcoincharts.com)
 

Since then, Bitcoin's value has continued to rise sharply, with occasional dips. When the FBI shut down the underground drug marketplace Silk Road in early October, there was speculation that Bitcoin's value would collapse, since the currency is widely used in the underground. There was indeed some selling immediately after the shutdown, but within days the price recovered and began climbing again.

Another factor behind the surge may be that regulators have begun to take Bitcoin seriously. Last week, for example, the US Senate Committee on Homeland Security and Governmental Affairs held a hearing on virtual currencies at which a Department of Justice representative described Bitcoin as a "legal means of exchange". Committee chairman Tom Carper responded that Congress and the government need to settle on "smart, sensible and effective policy" for virtual currencies.

Meanwhile, concern is spreading that the surge could be creating a bubble. A glance at the dollar exchange rate chart raises an obvious question: while the number of businesses accepting Bitcoin as a payment method is clearly growing, that growth has not kept pace with the rise in price. If anything, the current surge appears to be driven largely by speculation, and as history shows, such buying frenzies rarely end well.

 


Dangerous new online banking Trojan Neverquest is an evolution of an old family

A new Trojan targeting online banking, referred to in the press as Neverquest, has been in the news recently. When a computer is infected with Neverquest, the content of online banking websites opened in certain browsers is modified and malicious forms are injected into the page. This lets the attackers steal users' login credentials, and they can also take control of the compromised computer through a VNC (Virtual Network Computing) server. To replicate itself, Neverquest either steals credentials and spams out the Neverquest dropper, obtains credentials for FTP servers and spreads the malware through the Neutrino exploit kit, or obtains social networking credentials and spreads links to compromised websites.
 
Symantec's analysis of the Neverquest Trojan found that it is an evolution of the malware family Symantec detects as Snifula. Snifula first appeared in 2006, and analysis of Neverquest's code revealed similarities with an older sample from the Snifula family, Backdoor.Snifula.D. Network infrastructure known to have been used previously by Snifula has also been confirmed to be closely tied to Neverquest. This new threat has been covered by various generic detections since it was first seen in mid-April 2013; the detection has since been classified, and the threat is now detected as Trojan.Snifula.
 
Similarities
As mentioned, the code of Trojan.Snifula (aka Neverquest) shows similarities with older samples from the Snifula family. Although the two threats' executables differ in structure and functionality, they share parts of some distinctive code, which reveals the relationship between them. For example, the images below show code that sends 8 bytes of data over the network, the first 4 bytes of which contain the distinctive marker 26A6E848.
 
figure1_5.png
Figure 1. Code in Trojan.Snifula (Neverquest) that sends network traffic
 
figure2_2.png
Figure 2. The same code as Figure 1 in Backdoor.Snifula.D
 
The code is almost identical and the marker is shared, which means the code was not taken from a publicly available source. Nor is this the only similarity; many other commonalities can be found.
 
figure3_2.png
Figure 3. Code in Trojan.Snifula (Neverquest) that logs the current process ID
 
figure4_1.png
Figure 4. The same code in Backdoor.Snifula.D
 
This code logs the malicious process ID together with the current time. Both the code and the strings are identical in the two threats, which also share a CRC algorithm, an aPLib algorithm and several common strings.
 
Command and control infrastructure
Symantec also examined the command-and-control (C&C) network infrastructure used by Trojan.Snifula (Neverquest) and found further evidence linking the two. Trojan.Snifula used the IP address 195.191.56.245 as a C&C server. Only two domains are known to have been hosted on that IP address, one of which is FyXqgFxUmihXClZo.org. This domain is known to be owned by Aster Ltd, which has also been confirmed to own the following 26 domains:
  • accman.com.tw
  • afg.com.tw
  • amosw.com.tw
  • aster.net
  • asterdon.ru
  • asterltd.com
  • astervent.ru
  • bestsid.com.tw
  • countdown.com.tw
  • durpal.com.tw
  • facestat.com.tw
  • fforward.com.tw
  • fyxqgfxumihxclzo.org
  • geobiz.net
  • makumazna.com.tw
  • maskima.com.tw
  • maxward.com.tw
  • miison.com.tw
  • mssa.com.tw
  • parti.com.tw
  • pluss.com.tw
  • sparkys3.com
  • sparkys3.net
  • tdaster.ru
  • thehomeofficecatalogue.net
  • thehomeofficecatalogue.org
 
Two of the Aster Ltd domains, Pluss.com.tw and Countdown.com.tw, are hosted on IP address 195.210.47.173. In February and March 2013, Symantec identified a connection between this IP address and active C&C servers used by Backdoor.Snifula.D. Other Aster Ltd domains, such as Sparkys3.net and Facestat.com.tw, are hosted on IP address 195.137.188.59, which has also been confirmed as an IP address used by Trojan.Snifula's C&C servers.
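The three C&C addresses and the Aster Ltd domain list above are the kind of indicators a defender would want to sweep proxy and DNS logs for, and the 8-byte marker message is something a network sensor can look for directly. The following is an added example, not Symantec's detection content, that does both over constructed log lines. The domains and IP addresses are exactly those given in the article; the log lines are made up for the example. It goes slightly beyond the text in that domain matching is case-insensitive and covers subdomains (so mail.pluss.com.tw matches pluss.com.tw), and, because the article does not say whether the marker appears big- or little-endian on the wire, the beacon check tries both byte orders, which is an assumption of this example.

```python
"""Sweep logs for the Snifula/Neverquest C&C indicators and spot the 8-byte beacon.

Added example, not Symantec's detection content. Indicators are taken from
the article; the sample log lines are constructed. Subdomain matching and
the dual-endian marker check are assumptions of this example.
"""
import re
from typing import Iterable, List, Optional, Tuple

# C&C server addresses named in the article
C2_IPS = {"195.191.56.245", "195.210.47.173", "195.137.188.59"}

# The 26 Aster Ltd domains listed in the article (lower-cased)
ASTER_DOMAINS = {
    "accman.com.tw", "afg.com.tw", "amosw.com.tw", "aster.net", "asterdon.ru",
    "asterltd.com", "astervent.ru", "bestsid.com.tw", "countdown.com.tw",
    "durpal.com.tw", "facestat.com.tw", "fforward.com.tw", "fyxqgfxumihxclzo.org",
    "geobiz.net", "makumazna.com.tw", "maskima.com.tw", "maxward.com.tw",
    "miison.com.tw", "mssa.com.tw", "parti.com.tw", "pluss.com.tw", "sparkys3.com",
    "sparkys3.net", "tdaster.ru", "thehomeofficecatalogue.net", "thehomeofficecatalogue.org",
}

# Marker carried in the first 4 bytes of the 8-byte message (Figures 1 and 2).
# Byte order on the wire is not stated, so both are accepted (assumption).
MARKER = 0x26A6E848
MARKER_BYTES = {MARKER.to_bytes(4, "big"), MARKER.to_bytes(4, "little")}

_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_HOST = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def matching_domain(host: str) -> Optional[str]:
    """Return the indicator that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for ioc in ASTER_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan_log(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Return (line_no, kind, indicator) for every line touching a known C&C IP or domain.

    The line format does not matter: every dotted IPv4 literal and every
    host-like token in the line is extracted and checked.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in _IPV4.findall(line):
            if ip in C2_IPS:
                hits.append((n, "ip", ip))
        for host in _HOST.findall(line):
            ioc = matching_domain(host)
            if ioc:
                hits.append((n, "domain", ioc))
    return hits


def looks_like_beacon(payload: bytes) -> bool:
    """True for the 8-byte message whose first 4 bytes carry the shared marker."""
    return len(payload) == 8 and payload[:4] in MARKER_BYTES


# Constructed proxy log: timestamp, client, method, target, status.
SAMPLE_PROXY_LOG = """\
2013-11-28T09:14:02Z 10.1.4.22 GET http://www.example.com/index.html 200
2013-11-28T09:14:09Z 10.1.4.22 POST http://FyXqgFxUmihXClZo.org/gate.php 200
2013-11-28T09:15:31Z 10.1.4.37 CONNECT 195.137.188.59:443 -
2013-11-28T09:16:00Z 10.1.4.51 GET http://mail.pluss.com.tw/owa/ 302
2013-11-28T09:17:45Z 10.1.4.22 GET http://accman.example.net/ 200
""".splitlines()


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_PROXY_LOG):
        print("line %d: %s indicator %s" % hit)
    print("beacon?", looks_like_beacon(bytes.fromhex("26a6e84800000001")))
```

Line 5 of the sample is there deliberately: accman.example.net shares a label with accman.com.tw but is not a subdomain of it, and a sloppy substring match would have flagged it.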
 
The Snifula family
Symantec has seen various new variants of the Snifula family over the past few years. Trojan.Snifula has grown to use more advanced techniques to steal information, but its emergence is a predictable evolution in the family's history. Given that the Snifula family has evolved and grown over many years, this malware is unlikely to disappear from the threat landscape any time soon.
 
To protect against this threat, Symantec provides the following intrusion prevention system (IPS) signature:
  • System Infected: Trojan.Snifula Activity
 
Symantec will continue to monitor the Snifula family in order to provide the best possible protection against this threat. To protect against these attacks, we recommend using Norton Internet Security or Symantec Endpoint Protection.
 
 

Using RestoreShortcutBody with Enterprise Vault to rewrite shortcut content

From time to time an Enterprise Vault administrator may wish to change the content of the shortcuts the system builds once an email has been archived. I don't think it happens all that often, because you can test quite thoroughly in a lab what a resulting shortcut will look like for a given configuration. But sometimes there is a need to change the policy. In this blog I'll explain how to make the change, and what to look out for.
 
The shortcut policy is shown below:
 
shortcutpolicy.png
 
You can see how it's made up of a number of different components and features that make the resulting shortcut look like, well, a shortcut rather than the original item. There is even an option to keep the full message body, but then you're not going to get any real space savings from Enterprise Vault. Your mobile device users might love you more, though, because it means they can see the whole of every item, archived or not.
 
When a change is made to these settings, newly archived items will take on the new policy the next time the archiving agent runs.
 
That's great, but items archived in the past will still follow the old policy. Once they've been written, they stay that way. To change them, an administrator can set a registry value called 'RestoreShortcutBody':
 
1. On the Enterprise Vault server, open the Registry Editor.
 
2. Navigate to the following key.
 
HKEY_LOCAL_MACHINE\Software\WoW6432Node\KVS\Enterprise Vault\Agents
 
3. Create a new DWORD with the name RestoreShortcutBody and a value of 1.
 
4. Restart the Enterprise Vault Admin Service.
 
5. Open the Vault Administration Console, right-click on the Mailbox Archiving Task and select Run Now.
 
6. Under Run Mode, select Shortcut Processing if you are running EV 8 or above (choose Report if you are running a version below EV 8).
 
The archiving task will then go through and rewrite all *existing* shortcuts. It won't recreate any that users have deleted. You can monitor its progress while it runs by creating a Search Folder in Outlook with Message Class as its filter, then viewing that folder and checking the Modified Date. In a large environment I also think it's a good idea to process these updates in batches: rather than doing a shortcut processing run on ALL mailboxes in the entire environment, do it on a batch of users at a time. This is also a good activity to fill a weekend, when the systems may be less busy. Users don't need to be connected, because the work is done directly against the Exchange Server.
 
Have you ever used the RestoreShortcutBody registry key to rewrite shortcuts? Let me know in the comments below:
 
 
 

Sustainability Spotlight – Symantec Employees Sleep Out to Tackle Youth Homelessness


Today is International Volunteer Day, and to celebrate we are featuring a "Sustainability Spotlight" series highlighting employees across Symantec who incorporate corporate responsibility (CR) and sustainability into their day jobs. This series focuses on volunteering and highlights some of the extraordinary efforts employees are making in their communities, efforts that last year helped Symantec increase volunteer hours by 41 percent. Today we start with a look back at our first Sustainability Spotlight employee, Claire Scull, with a post on her experience and involvement in this year's Byte Night event in the UK.

 

Some people might think it's crazy that I volunteer to sleep outside for a night once a year, regardless of the ever-changeable UK weather. I have slept out with my fellow Symantec colleagues in Reading; we also have teams sleeping out in London by Tower Bridge, and in Scotland. But what most people don't realise is that last year up to 100,000 young people across the UK were without a home or a place to sleep. Of these, one in three attempts to take their own life.

For me it's all about perspective. I am fortunate to be able to choose to do this for one night to raise awareness of the issue, whereas these young adults and children don't have a choice and are doing it every day and night.

We sleep out as a Symantec team as part of Action for Children’s Byte Night event - the IT industry’s annual sleep out to raise funds and awareness for youth homelessness, and for the great work that Action for Children does to transform the lives of vulnerable and neglected children throughout the UK.    

I first became involved with Byte Night three years ago, when just a few days before the event, a colleague asked me to join as they were a team member short. Since then I have become more actively engaged, having sat on the Thames Valley Board helping to get the event up and running, supporting fundraising efforts across the Thames Valley, and bringing support, encouragement and motivation inside Symantec to help with our Symantec team fundraising. 

There are so many reasons myself and others continue to take part in Byte Night every year. This video features IT professionals (and me!) speaking about why we are so passionate about this event. 

Record breaking year

Each year the event grows and 2013 was a record breaking year! Byte Night had a total of 1,448 sleepers across the UK, and raised more than £1 million.

This was the fifth year that Symantec took part in Byte Night with a total of 480 volunteer hours (up from 408 last year). We had an extremely dedicated team of 13 sleepers who helped us increase our impact around the event and on the night, and helped Byte Night reach record breaking numbers! A huge thank you to:

  • Jennifer Sawyer
  • Sian John
  • Penny Rose
  • Simon Moor
  • Paul  Barrick
  • Lisa Sellers
  • Elliott Fonte
  • Heena Lad
  • Pamela Kernott
  • Lisa Hall
  • Adam Patherick
  • Lynn Gardner

Byte Night takes place no matter what the weather conditions. That is the reality for young people without a home and it is this very fact that brings even more impact and awareness to the event. Thankfully this year it was a lot warmer and drier. Last year it was very wet and cold, and many were sleeping in puddles as the night wore on.  This year we all managed to get quite a bit of sleep, and were fortunately and humbly warm and dry. We also had a new venue in Reading for the Thames Valley event as the overall numbers of sleepers has grown.

In one night you can make a huge difference

For anyone who is interested in getting involved, I would say just do it, just get involved. It is a fantastic event, and there are so many ways to be involved - you can be a sleeper, a board member for London, Reading, Manchester or in Scotland, you can support those that sleep out with their fundraising, you can tweet and Facebook to raise awareness, or you can just become more involved with Action for Children more generally and be an on-the-night helper, a project supporter or a mentor.

Byte Night is now a special time of year for me. I always walk away with a new-found appreciation for what I have, and so thankful for the great work Action for Children is doing. Being involved has opened my eyes to the dangers, conditions and hard lives that homeless people have, especially youth who don’t always realize this doesn’t have to be their only path.

I don’t think having a home, a warm place to sleep and supportive family should be a luxury, it should be something all of us have. Thanks to Action for Children and their wonderful work, there is help out there.

 

Claire Scull is Corporate Communications Project Manager for Symantec.

Keeping Your Data Safe with SSL


By Tom Powledge, Vice President, Trust Services, Symantec

There has been plenty in the news recently regarding encryption and SSL, which has led some people to wonder how safe the technology really is. As the leader of Symantec's Trust Services Products & Services organization, I want to assure you that SSL is safe. Below is some information that may help you understand why, and also inform you about the current state of SSL security.

First, the fundamental key strength of RSA 2048-bit certificates is solid and without question. Independent cryptography experts have confirmed this, and highly respected publications such as the MIT Technology Review have published articles on the subject. As always, organizations that use SSL should make sure they use the strongest algorithms available; a strong certificate key does not compensate for a server configured to accept weak cipher suites or obsolete protocol versions.

Customers who hold SSL certificates should take specific steps to safeguard their server-side private keys. They should put strong network protections in place and should never use tools that reveal private keys to third parties. Symantec never takes possession of any customer's SSL private key.

Lastly, and perhaps most importantly, Certificate Authorities that issue SSL certificates must never share the private keys of their roots. Trust in SSL by everyone, from end users to the companies they communicate with to the browsers that enable secure connections, depends on Certificate Authorities keeping their root keys unequivocally secure.

As the world's largest and most trusted Certificate Authority, we use best-in-class security processes to protect our roots. We do not share our private keys with any third-party company, government, organization or individual. To repeat: we never share our root keys, and never will. Period.

We are committed to ensuring our customers can use SSL safely, and we recommend that customers take the important but simple steps above to proactively protect their private keys. To learn more about Symantec's SSL offerings, please go to http://go.symantec.com/ssl.
