
Keeping Your Data Safe with SSL


There's been plenty in the news recently regarding encryption and SSL – which has led some people to wonder how safe the technology really is.  As the leader of Symantec's Trust Services Products & Services organization, I want to assure you that SSL is safe.  Below is some information that may help you understand why, and also inform you about the current state of SSL security.

First, the fundamental key strength of RSA 2048-bit certificates is solid and without question.  Independent cryptography experts have confirmed this, and highly-respected publications such as the MIT Technology Review have published articles on the subject.  As always, organizations that use SSL should make sure they use the strongest algorithms available.

Customers of SSL certificates should take specific actions to safeguard the security of their server-side private keys.  They should put in place powerful network protections and should never utilize tools where private keys are revealed to third parties.  Symantec never takes possession of any customer's SSL private keys.

Lastly, and perhaps most importantly, Certificate Authorities that issue SSL certificates must never share the private keys of their roots. The trust in SSL by everyone – from end-users, to the companies that they communicate with, to the browsers that enable secure connections – depends on Certificate Authorities providing unequivocal security of their root keys.

As the world’s largest and most trusted Certificate Authority, we use best-in-class security processes to protect our roots.  We do not share our private keys with any third-party company, government, organization or individual.  To repeat: We never share our root keys, and never will.  Period. 

We are committed to ensuring our customers can use SSL safely and we recommend that customers take important, but simple steps to proactively protect their private keys.  To learn more about Symantec's SSL offerings, please go to http://go.symantec.com/ssl.


Register now for Webcast: Get your weekends back with NetBackup Appliances


Register now for a Webcast on Tuesday, Dec. 10 at 10:00am PST to learn how to get your weekends back with NetBackup Appliances!

It's Here...DataCane Official Video


Think you’ve seen it all? How about 35,000 lbs. of water... 100mph winds... 3 minutes. Check out DataCane.

Can't see the video? See DataCane on YouTube.

The Halo Effect and What Enterprises Need to Know About Macs, Malware and Security

The "halo" created by the iPod and iPhone is lifting Mac sales to business users. This is the so-called "halo effect". I first noticed the phenomenon a few years ago, when more Macs started appearing on conference-room tables and I found myself seeing that silver case and glowing white Apple logo more and more often. According to Apple, Mac sales to enterprises rose 50% in the fourth quarter of 2013. But while the number of Macs used for business keeps growing, misconceptions about Mac security persist. What do enterprises need to know?

Cybercriminals always put their effort where the "return on investment" is highest, which means the large PC market. It is a world where numbers matter, and hackers always pursue the biggest ROI. Until now, that has meant Windows systems. Malware targeting Macs is still rare compared with malware targeting PCs, but attackers have noticed the "halo" and have begun to go after Macs.

The best-known example is Flashback, which by itself spread to 600,000 Macs. There is another issue to consider, though: Macs are the computer of choice for executives. Executives hold access rights to sensitive information such as financial and corporate data, so hackers are bound to target executives' Macs and the valuable data on them.

Last year, the following new threats targeting Macs were discovered. The text in quotation marks is the description given in Symantec's threat write-ups.

  • OSX.NetWeird - "steals information from the compromised computer"
  • OSX.Kitmos - "opens a back door and steals information"
  • OSX.Hackback - "a Trojan horse that steals information from the compromised computer"
  • OSX.Janicab - "opens a back door on the compromised computer and steals information"
  • OSX.Hormesu - "opens a back door on the compromised computer and steals information"
  • OSX.Seadoor - "opens a back door and steals information"
  • OSX.Olyx.C - "opens a back door"

The point should be clear.

The time has come to treat enterprise Macs as part of the company's endpoint fleet. To maximize productivity and minimize risk, enterprises need complete protection and management. The recently released Symantec Endpoint Protection (SEP) 12.1.4 makes protecting Macs easier and extends its capabilities across platforms. The latest SEP combines intrusion prevention technology with antivirus, and allows management and reporting for both Windows and Mac from a single console. SEP 12.1.4 supports the latest Mac OS X 10.9 Mavericks and Windows 8.1 and provides remote deployment of Mac clients. It does not require Java, and it saves bandwidth by downloading antivirus definitions directly from the SEP Manager. When a critical event occurs, notification is sent immediately through Fast Path. By implementing robust security and following general security best practices, business users can rest assured that they are protected from constantly evolving threats, whether they use a Mac or a PC. For details, see www.symantec.com/ja/jp/endpoint-protection.

For Symantec's comprehensive approach and its protection against targeted attacks, see here; for Symantec's innovative Disarm technology, see here.

Further information:


Where to Find Your Java Version

What is Java
Java is a programming language and computing platform developed by Sun Microsystems in 1995. It is the technology on which the most advanced programs are built, including utilities, games and business applications. Java runs on more than 850 million personal computers and billions of devices worldwide, including mobile devices and TVs. A considerable number of applications and websites, growing every day, work only if Java is installed. Java is fast, secure and reliable. From laptops to data centers, from game consoles to scientific supercomputers, to mobile phones and the Internet, Java is everywhere!

How to check the Java version installed on your computer

To check the Java installation on your computer, visit the following link: Verify your Java version

Java downloads for all operating systems

Java versions are available for the following operating systems:

  • Windows 8 Desktop, Windows 7, Windows Vista, Windows XP, Windows Server 2008
  • MAC OS X
  • Linux
  • Solaris

DOWNLOAD:
Link: Download Java for all operating systems


Quick update....


I’d like to share two webinars with you that we delivered this week.

The first was Attack of the Cyber Spies, a webinar delivered as part of BrightTALK’s Hackers Summit, which you can access here.

The second is the December update of the regular webinar series I do with my colleague Andrew Shepherd: Website Security Threats: December Update.

I've also posted both webinar slide decks to Slideshare here.

Finally, I’d also like to share this blog posted by Tom Powledge, who is the VP of the Website Security Solutions division here at Symantec: Keeping Your Data Safe with SSL.

We'll be back next week with some new blogs.

Sustainability Spotlight - Peter Hancock Named Npower's Volunteer of the Year


In honor of International Volunteer Day this week we are featuring a “Sustainability Spotlight” series, highlighting employees across Symantec who incorporate aspects of corporate responsibility (CR) and sustainability into their day jobs. This series will focus on volunteering and highlight some of the extraordinary efforts employees are making in their communities that last year helped Symantec increase volunteer hours by 41 percent. Yesterday we took a look back at our first Sustainability Spotlight employee, Claire Scull. Today we feature Peter Hancock, Sr. Director, Technical Sales Organization, who was just honored for his volunteer work with non-profit NPower, receiving the organization’s Volunteer of the Year Award.

 

”It takes a village to raise a child” – African Proverb

Everyone has the potential to contribute and make a difference in the lives of our young adults, our veterans, and non-profits across the globe. But sometimes finding the time, or the passion, to take that first step can be hard.

Today, I’m happy to share my story of volunteering through one of Symantec’s non-profit partners NPower. I was honored to be awarded NPower’s Volunteer of the Year Award at their recent gala. Through this partnership with Symantec I’ve found a cause whose mission has become part of my lifestyle and everyday work to the point where I do not even consider my work to be volunteering.


What is NPower?

NPower’s goal is to harness technology for social good. In addition to connecting highly skilled tech professionals to the projects where they can make the greatest impact, NPower delivers its own educational programs. From veterans in Dallas to underserved young adults in Harlem and Brooklyn, the organization builds brighter futures with free IT training, professional skills, mentoring, internships and job placement. To do this, NPower relies on skilled tech volunteers to provide inspiration, advice and direction.

My journey

My journey with NPower began on a crisp spring morning in May of 2010 at an event where NPower CEO Stephanie Cuskley introduced the organization’s strategic go-forward vision to a group of interested corporate parties. As I was already volunteering my tech skills at Easter Seals, the idea of being part of a larger “tech for good” mission clicked with me and I got engaged.

My first visit to NPower was as a guest lecturer for NPower’s Technology Service Corps program. TSC is a 22-week intensive training program that builds brighter futures for underserved young adults and veterans helping them pursue STEM related careers by providing free professional training and job placement services.

It surprised me that as I waited in the lobby of the classroom, I actually had butterflies in my stomach. But that feeling didn’t last beyond meeting more than 25 young, energetic men and women with a desire to learn about technology and pursue careers in IT. Technology Service Corps was their path to a brighter future for themselves, their families and their communities.

Fast forward to today, where I’ve had the pleasure of visiting nearly every NPower classroom in New York, serving as co-Chairman of the Tech Service Corps advisory board and playing a key role in advising NPower’s future expansion. Along the way it has been great to see so many Symantec employees join me, hosting site visits so students can gain ‘real-world’ experience, serving as guest lecturers and more.

It has also been inspiring to see Symantec increase its corporate support – as a volunteer I was passionate about NPower and raised awareness at Symantec, forming a volunteer group to support TSC. Today, through this partnership, Symantec is one of the largest donors of equipment and software and is becoming a National Corporate Underwriter of NPower.

As I look back today on the time I’ve spent mentoring NPower students, I am reminded that every part of it was rewarding. In those few hours every day, my ‘normal’ business day is put into perspective. I am able to use my skills and expertise to help build a future for youth, and also build a stronger future workforce for our industry.

To NPower I thank you very much for the opportunity to make a difference in your students’ futures.

To everyone, one person can make an impact, but you must start somewhere. I did, and I hope after reading this you will feel empowered to do the same.

 

Peter Hancock is Senior Director of Symantec's Technical Sales Organization.

Cryptolocker Q&A: Menace of the Year


Cybercriminals are constantly looking for ways to evolve their malware. Evolution is the key for survival because antivirus research, analysis, countermeasures, and public awareness thwart the efficacy of malware and its spread. During the past year, Ransomware has received a lot of news coverage which has decreased the number of uninformed victims and lowered the impact and effectiveness of the malware along with the percentage of return to the criminal.

Due to this increased public awareness, in the last quarter of 2014 we have seen cybercriminals reorganize around a new type of extortion: Cryptolocker. This threat is pervasive and preys on a victim's biggest fear: losing their valuable data. Unlike previous Ransomware that locked operating systems and left data files alone and usually recoverable, Cryptolocker makes extortion of victims more effective because there is no way to retrieve locked files without the attacker's private key.

The following Q&A outlines Cryptolocker and Symantec’s protection against this malware:

Q: What is the difference between Ransomware and Cryptolocker (also known as Ransomcrypt)?

The difference between Ransomlock and Cryptolocker Trojans is that Ransomlock Trojans generally lock computer screens while Cryptolocker Trojans encrypt and lock individual files. Both threats are motivated by monetary gains that cybercriminals can make from extorting money from victims.

Q: When was this threat discovered?

In September 2013, the Cryptolocker threat began to be seen in the wild.

Q: Is the Cryptolocker threat family something new?

No. Symantec detects other similar malware families such as Trojan.Gpcoder (May 2005) and Trojan.Ransomcrypt (June 2009) that encrypt and hold files ransom on compromised systems.

Q: What is the severity of this Cryptolocker threat?

The severity is high. If files are encrypted by Cryptolocker and you do not have a backup of the file, it is likely that the file is lost.

Q: How do I know I have been infected by Cryptolocker?

Once infected, you will be presented on screen with a ransom demand.

Figure 1. Cryptolocker ransom demand

Q: How does a victim get infected?

Victims receive spam emails that use social engineering tactics to entice them into opening the attached zip file.

Figure 2. Cryptolocker spam email example

If victims open the zip file attached to the email, they find an executable file disguised to look like an invoice report or some similar social engineering lure, depending on the email theme. This executable is Downloader.Upatre, which downloads Trojan.Zbot. Once the system is infected with Trojan.Zbot, Downloader.Upatre also downloads Trojan.Cryptolocker onto it. Trojan.Cryptolocker then reaches out to a command-and-control (C&C) server whose name is produced by a built-in domain generation algorithm (DGA). Once an active C&C is found, the threat downloads the public key used to encrypt the files on the compromised system, while the linked private key, required to decrypt the files, remains on the cybercriminals’ server. The private key stays under the cybercriminals’ control and cannot be used without access to the C&C server, which changes regularly.

Figure 3. Cryptolocker attack steps

Q: Does Symantec have protection in place for Cryptolocker and the other associated malware?

Yes. Symantec has the following protection in place for this threat:

Detection name                          Detection type
Downloader                              Antivirus signature
Downloader.Upatre                       Antivirus signature
Trojan.Zbot                             Antivirus signature
Trojan.Cryptolocker                     Antivirus signature
Trojan.Cryptolocker!g1                  Heuristic detection
Trojan.Cryptolocker!g2                  Heuristic detection
Trojan.Cryptolocker!g3                  Heuristic detection
System Infected: Trojan.Cryptolocker    Intrusion Prevention Signature

Symantec customers that use the Symantec.Cloud service are also protected from the spam messages used to deliver this malware.

Some earlier Symantec detections that detect this threat have been renamed:

  • Virus definitions dated November 13, 2013, or earlier detected this threat as Trojan.Ransomcrypt.F
  • Intrusion Prevention Signature (IPS) alerts dated November 14, 2013, or earlier were listed as "System Infected: Trojan.Ransomcrypt.F"

Q: What do the C&Cs look like?

The following are recent examples of command-and-control (C&C) servers from the DGA:

  • kstattdnfujtl.info/home/
  • yuwspfhfnjmkxts.biz/home/
  • nqktirfigqfyow.org/home/

Cryptolocker can generate up to one thousand similar looking domain names per day in its search for an active C&C.

Q: How sophisticated is this threat?

While the Cryptolocker campaign uses a common technique of spam email and social engineering in order to infect victims, the threat itself also uses more sophisticated techniques like the following:

  • Cryptolocker employs public-key cryptography using strong RSA 2048 encryption. Once files are encrypted, the victim cannot decrypt them without the private key, which is held on the attacker’s server.
  • Cryptolocker employs a DGA that is based on the Mersenne twister pseudo-random number generator to find active C&Cs.
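A defender-side check suggested by the C&C examples and the DGA point above, added here as an example and not code from the original post: score the second-level label of each queried name for the traits the quoted C&C domains share (long, vowel-poor, unpronounceable consonant runs), then surface clients that produce a burst of such lookups, which is what a host cycling through hundreds of DGA candidates looks like in resolver logs. The log line format, the thresholds and the sample lines are constructed assumptions.

```python
import re
from collections import Counter, namedtuple

# Constructed resolver log lines (not from the original post). The three
# odd-looking domains are the DGA examples quoted in the Q&A; the others are
# ordinary lookups added for contrast.
SAMPLE_LOG = """\
2013-12-05T10:12:03Z client=10.0.0.5 query=kstattdnfujtl.info type=A
2013-12-05T10:12:03Z client=10.0.0.5 query=www.symantec.com type=A
2013-12-05T10:12:04Z client=10.0.0.5 query=yuwspfhfnjmkxts.biz type=A
2013-12-05T10:12:05Z client=10.0.0.7 query=login.microsoftonline.com type=A
2013-12-05T10:12:06Z client=10.0.0.5 query=nqktirfigqfyow.org type=A
2013-12-05T10:12:07Z client=10.0.0.9 query=stackoverflow.com type=A
"""

LOG_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<query>\S+)")
VOWELS = frozenset("aeiou")

Features = namedtuple("Features", "label length vowel_ratio consonant_run")


def registered_label(hostname):
    """Second-level label of a hostname: 'www.example.com' -> 'example'."""
    parts = hostname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def label_features(label):
    """Length, vowel ratio and longest consonant run of a label (letters only)."""
    letters = [c for c in label if c.isalpha()]
    vowels = sum(1 for c in letters if c in VOWELS)
    run = longest = 0
    for c in letters:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    ratio = vowels / len(letters) if letters else 0.0
    return Features(label, len(letters), ratio, longest)


def looks_generated(feat, min_len=12, max_vowel_ratio=0.3, min_run=4):
    """Heuristic thresholds (assumed, not from the post): a long label that is
    vowel-poor or contains an unpronounceable consonant run."""
    return feat.length >= min_len and (
        feat.vowel_ratio < max_vowel_ratio or feat.consonant_run >= min_run
    )


def flag_dga_lookups(log_text):
    """Return (client, queried name) for every lookup whose label looks generated."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        feat = label_features(registered_label(m.group("query")))
        if looks_generated(feat):
            hits.append((m.group("client"), m.group("query")))
    return hits


def noisy_clients(hits, threshold=3):
    """Clients with at least `threshold` flagged lookups: one odd name is noise,
    a burst of them is the signature of a DGA hunting for a live C&C."""
    counts = Counter(client for client, _ in hits)
    return sorted(c for c, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    found = flag_dga_lookups(SAMPLE_LOG)
    for client, name in found:
        print(f"{client} looked up DGA-like name {name}")
    print("clients to investigate:", noisy_clients(found))
```

On real traffic the thresholds need tuning against your own baseline, since legitimate CDN and tracking hostnames can also look random; the per-client burst count is the more reliable signal.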

Q: How prevalent is the threat?

Symantec telemetry for this threat shows that the threat is prevalent in the United States at present. While the numbers being reported are low, the severity of the attack is still considerable for victims.

Figure 4. Top 5 countries reporting detections

Q: Has Symantec previously released any publications around these attacks?

Yes, Symantec has released the following blogs:

Q: Should I pay the ransom?

No. You should never pay a ransom. Payment to cybercriminals only encourages more malware campaigns. There is no guarantee that payment will lead to the decryption of your files.

Q: Who is behind the Cryptolocker malware?

Investigations into the cybercriminals behind the Cryptolocker malware are ongoing.

Q: Is there any advice on how to recover files affected by this attack?

Yes, Symantec Technical Support has released the following article:

Q: Any advice on how to not become a victim?

Yes. First, follow information security best practices and always back up your files. Keep your systems up to date with the latest virus definitions and software patches. Refrain from opening any suspicious unsolicited emails. We also advise customers to use the latest Symantec technologies and incorporate the latest Symantec consumer and enterprise solutions to best protect against attacks of this kind.

Q: Does Symantec offer backup and disaster recovery software?

Yes. Symantec has the Backup Exec Family of products.


Enterprise Vault .DB files, and their naming


The Enterprise Vault Vault Cache and Virtual Vault functionality has had a great impact on the experience end users have when working with archived emails in Outlook. Under the covers, though, there is a set of files that people often wonder about. These are the .DB files which make up the 'Content Cache' of Vault Cache/Virtual Vault. In this blog I'll explain a little bit about the files.

The files existed in the previous incarnation of offline usage of Enterprise Vault, which was called Offline Vault, and actually the structure and contents haven't varied that much in their new life as Vault Cache. Below is a collection of these files on one of my test systems:

[Screenshot: vault-cache-files1.png]

The files vary in size and have a special file name. Here is an example name of a .DB file:

2012_10_12_0003.db

This file contains archived emails from the end user's archive for October to December 2012. It is the 3rd such .DB file in that calendar quarter. Each file is named using the same principle.

The files themselves are actually PST files: with Outlook closed, we can take a copy of one of them and open it as a PST file to see the contents. It might look a little like this:

[Screenshot: vault-cache-files2.png]

And if we look in a folder, we can see the archived items themselves. The collection of these files can take up a sizable amount of disk space; I've written before about how to manage that via policy, and Vault Cache itself manages the amount of disk used too. The final thing to say is that you might not have these files at all: whether the Vault Cache content is stored locally depends on the user's desktop policy, on whether the 'Offline Store required' setting is set, and on the Outlook connection state.

I've seen some sizable Vault Cache DB files in the past, the sum total of them being several GB of disk space. How big have you seen the Vault Cache DB files? Let me know in the comments below:

 

Cryptolocker Q&A: Menace of the Year

Cybercriminals are always looking for ways to evolve their malware. Advances in antivirus research, analysis and countermeasures, together with greater user awareness, have blunted the power of malware and slowed its spread, so evolution has become the key to survival. Over the past few years ransomware has received extensive media coverage; as a result, fewer users fall victim unknowingly, its impact and effectiveness have been cut in half, and the return for criminals has declined.

As a result of this increased awareness, a new extortion technique emerged in the cybercriminal world in the last quarter of 2013: Cryptolocker. Cryptolocker spreads by preying on users' greatest fear, the loss of their valuable data. Earlier ransomware locked the operating system and held data files hostage, but recovery was usually possible. Cryptolocker, by contrast, makes the extortion far more effective: without the private key held by the attacker, the locked files cannot be recovered.

The following Q&A outlines Cryptolocker and Symantec's protection against it.

Q: What is the difference between Ransomlock and Cryptolocker (also known as Ransomcrypt)?

The difference between Ransomlock and Cryptolocker is that Ransomlock generally locks the computer screen, whereas Cryptolocker encrypts and locks individual files. What they have in common is the aim of extorting money from victims.

Q: When was this threat discovered?

Cryptolocker infections were first confirmed in September 2013.

Q: Does Cryptolocker belong to a new threat family?

No. Symantec has previously detected similar malware families that encrypt files on compromised systems and demand a ransom, such as Trojan.Gpcoder (May 2005) and Trojan.Ransomcrypt (June 2009).

Q: How severe is Cryptolocker?

The severity is "high". If Cryptolocker encrypts your files and you have no backup of them, recovery is essentially impossible.

Q: How can I tell whether I am infected with Cryptolocker?

If you are infected, a ransom demand screen like the following is displayed.

Figure 1. Cryptolocker ransom demand screen

Q: How does this threat infect a computer?

Spam emails using social engineering techniques are sent to victims in an attempt to get them to open the attached zip file.

Figure 2. Example of a Cryptolocker spam email

When the zip file attached to the email is opened, it contains an executable file, disguised to match the email's theme as an invoice or through some other social engineering technique. This executable is Downloader.Upatre, which downloads Trojan.Zbot. Once the system is infected with Trojan.Zbot, Downloader.Upatre also downloads Trojan.Cryptolocker onto it. Trojan.Cryptolocker then attempts to connect to a command-and-control (C&C) server using a built-in domain generation algorithm (DGA). When an active C&C server is found, the public key used to encrypt files on the infected system is downloaded, while the corresponding private key (needed to decrypt the files) remains on the cybercriminals' server. The private key stays in the cybercriminals' hands and cannot be used without access to the C&C server, which changes regularly.

Figure 3. Cryptolocker attack steps

Q: Does Symantec provide protection against Cryptolocker and the associated malware?

Yes. Symantec provides the following detections for this threat.

Detection name                          Detection type
Downloader                              Antivirus signature
Downloader.Upatre                       Antivirus signature
Trojan.Zbot                             Antivirus signature
Trojan.Cryptolocker                     Antivirus signature
Trojan.Cryptolocker!g1                  Heuristic detection
Trojan.Cryptolocker!g2                  Heuristic detection
Trojan.Cryptolocker!g3                  Heuristic detection
System Infected: Trojan.Cryptolocker    Intrusion Prevention Signature

Customers using the Symantec.Cloud service are also protected from the spam messages used to spread this malware.

Some of the earlier detections for this malware have been renamed:

  • Virus definitions dated November 13, 2013, or earlier detected this malware as Trojan.Ransomcrypt.F.
  • Intrusion Prevention Signatures (IPS) dated November 14, 2013, or earlier detected it as "System Infected: Trojan.Ransomcrypt.F".

Q: What do the C&C servers look like?

Recent examples of command-and-control (C&C) servers generated by the DGA are shown below.

  • kstattdnfujtl.info/home/
  • yuwspfhfnjmkxts.biz/home/
  • nqktirfigqfyow.org/home/

When searching for an active C&C server, Cryptolocker can generate up to 1,000 similar-looking domain names per day.

Q: How sophisticated is Cryptolocker?

Cryptolocker attacks attempt infection using the familiar techniques of spam email and social engineering, but Cryptolocker itself also uses sophisticated techniques such as the following:

  • Cryptolocker uses public-key cryptography with strong RSA 2048. Without the private key held on the attacker's server, victims cannot decrypt their encrypted files.
  • Cryptolocker uses a DGA based on the Mersenne Twister pseudo-random number generator to find active C&C servers.

Q: How prevalent is the threat?

Symantec telemetry for this threat shows that infections are currently most common in the United States. Although the reported numbers are low, the damage to victims is serious.

Figure 4. Top 5 countries reporting detections

Q: Has Symantec previously published information about these attacks?

Yes. Symantec has published the following blogs:

Q: Should I pay the ransom?

No. Never pay the ransom. Paying cybercriminals only encourages further malware attacks, and even if you pay, there is no guarantee that your files will be decrypted.

Q: Who is behind the Cryptolocker attacks?

Investigations into the cybercriminals behind the Cryptolocker attacks are ongoing.

Q: Is there any advice on recovering files affected by this attack?

Yes. Symantec Technical Support has published the following article:

Q: How can I avoid becoming a victim?

First, follow information security best practices and always back up your files. Keep your systems up to date with the latest virus definitions and software patches, and do not open suspicious unsolicited emails. To protect against attacks of this kind, use Symantec's latest technologies and deploy Symantec's latest consumer or enterprise solutions.

Q: Does Symantec offer backup and disaster recovery software?

Yes. Symantec offers the Backup Exec family of products.

* To subscribe to the RSS feed of the Japanese-language Security Response blog, go to http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja.

'Cloud-enabled Management Whitepaper' is now published


Hi Everyone,

Cloud-enabled Management (CEM) is a new feature that allows you to manage client computers outside the corporate network, even if you do not use a Virtual Private Network. CEM was first introduced with IT Management Suite 7.5.

To make the process of implementation quick and easy, we have prepared a whitepaper that describes the concept, requirements and the process of implementation of Cloud-enabled Management.

You can find the whitepaper at the following URL:
http://www.symantec.com/docs/DOC7049

SmartIO in Storage Foundation HA 6.1


The 6.1 release of Storage Foundation High Availability introduces SmartIO which enables customers to increase application performance and reduce storage costs while maintaining availability of data and applications.

Introduction

SmartIO takes advantage of internal Solid State Storage (SSD) devices to provide an intelligent, distributed caching layer that serves more reads and writes from inside the host, effectively decoupling front-end IOPS from back-end capacity. SmartIO allows customers to cache at the Volume (VxVM), File System (VxFS), and file level for highly granular control of application performance and utilization of the solid state device. SmartIO uses advanced heuristics to maximize the effectiveness of cache population and eviction, ensuring the most relevant data is stored within SmartIO’s cache areas. SmartIO can also tie directly into the IO patterns of mission-critical databases, such as Oracle and Sybase, taking “hints” about the type of workload those databases are running and adjusting its caching accordingly. Finally, for the most specific use cases, SmartIO allows customers to “pin” specific files and directories to the cache to ensure the cache is pre-warmed with that target data.

Benefits

SmartIO is completely integrated into the core Storage Foundation components and can be run in both stand-alone (SF/SFHA) and clustered (SFCFSHA) configurations.  Due to the integrated nature, SmartIO can be configured, managed, and tuned without impacting the overlying application.  There is no down-time and no new software to install or manage.

Once configured, SmartIO provides:

  • Increased Application Performance: By bringing the active data inside the server and “closer” to the application, SmartIO removes the network latencies and HDD performance bottlenecks associated with traditional Storage Area Networks.
  • Reduced Storage Costs: SmartIO, when combined with a “Tier-2” array, provides equal or better performance than a traditional “Tier-1” array.
  • Improved Storage Utilization: By reducing the read requirements on the back-end storage, SmartIO allows for high instance stacking on existing arrays without impacting application performance.
  • Cascaded Performance Benefits: Storage arrays typically serve multiple servers and applications. SmartIO’s I/O maximization frees up resources on the array to handle more reads and writes from other applications, essentially improving application performance without any SSD.

Supported Configurations

  • Storage Foundation Standard (Read Only)
  • Storage Foundation Enterprise
  • Storage Foundation High Availability
  • Storage Foundation Cluster File System HA

Supported Operating Systems

  • Red Hat Enterprise Linux 5, 6
  • SUSE Linux Enterprise Server 11
  • Oracle Enterprise Linux 5, 6

For More Information

Go to: http://go.symantec.com/storagefoundation

Documentation for the release is available on our SORT Documentation Site.

How to find the rules associated with Software Releases


The following query lists all Software Releases and their associated rules, or, with the WHERE clause uncommented, just the rules associated with a specific Software Release:

-- List every Software Release with its associated inventory rules
-- (applicability and detection rules share the inventory rule resource type).
SELECT rsr.Name AS [Software Release], rir.Name AS [Rule], rir.[Description] AS [Rule Description]
FROM RM_ResourceSoftware_Release rsr
JOIN ResourceAssociation ra ON ra.ParentResourceGuid = rsr.[Guid]
JOIN RM_ResourceInventory_Rule rir ON rir.[Guid] = ra.ChildResourceGuid
-- Uncomment the next line to restrict the output to one release:
--WHERE rsr.Name = 'specific software release'
ORDER BY rsr.Name ASC

As Applicability and Detection rules are both classed as inventory rules, they do not have their own resource type or class; however, it does appear that detection rule names begin with "Detection Rule for", which should allow you to distinguish between the two.

Creepware - Who’s Watching You?



Some people stick a piece of tape over the webcam on their laptop; maybe you even do it yourself. Are they over-cautious, paranoid, a little strange? Are you? Or is there reason behind this madness? Many of us have heard the stories about people being spied on using their own computer, or people being blackmailed with embarrassing or incriminating video footage unknowingly recorded from compromised webcams. But are these stories true, and are some people’s seemingly paranoid precautions justified? Unfortunately the answer is yes: precautions against this type of activity are necessary, and there is a multitude of programs out there that can be used for this type of malicious activity…and more. Remote access Trojans (RATs), or what we are calling creepware, are programs that are installed without the victim’s knowledge and allow an attacker to access and control the compromised computer from a remote location.

This blog aims to give a general overview of creepware: describing what these threats are, what can be (and is) done with them, and what the implications are for both the victims and the users of creepware. The blog will also look at the economy of creepware, examining the underground market dealing in everything from the sale of software to the sale and trade of victims. Finally, we will look at how creepware is spread and how to protect against it.

Before we get into the details, here’s a video that will tell you what you need to know about the growing problem of creepware:

Figure 1. Symantec's creepware video (click the image to view)

What exactly is creepware?

The acronym RAT is one that is often used when talking about a piece of software that allows someone to control a computer from a remote location. RAT can be an abbreviation for any of the following:

  • Remote Access/Administration Tool
  • Remote Access/Administration Trojan

The one difference between remote access tools and remote access Trojans is that the latter is installed surreptitiously and used for malicious purposes. There are many remote access tools, which are used for legitimate reasons such as technical support or connecting to a home or work computer while travelling etc. Unfortunately the same useful features found in remote access tools can be used for malicious activity and a great deal of malware has been designed with this in mind; these programs are called remote access Trojans. Once these Trojans are installed on a victim’s computer they can allow an attacker to gain almost complete control of it. Presence of the Trojan is indiscernible and an attacker can do almost anything that someone physically sitting at the computer can do, including recording footage using the webcam. Recent high-profile cases of this unsavory and creepy behavior have prompted the name creepware to be used when describing remote access Trojans.

Creepware uses a client-server model but inverts the roles we usually think of in a client-server setup: the victim’s computer becomes the server and the attacker’s computer becomes the client. Once the victim’s computer is compromised with creepware, an attacker can send requests to it to retrieve files and perform a whole host of other nasty actions.

What’s the big deal?

While there was a time when the use of creepware was relatively rare it is now unfortunately becoming more common. Users of creepware can range from those who make money from extortion and fraud to those using the software for what they see as harmless fun or pranking, otherwise known as trolling. While these two activities may seem to some as very different, they both involve unauthorized access to computers, which is not only morally wrong but is also a serious crime.

Worryingly, morals do not seem to be high up on the list of characteristics when it comes to creepware users, a fact that is blatantly obvious when perusing the many online forums with sections dedicated to creepware.

Figure 2. Doing it for the lulz

Figure 3. Blackmailing victims

While many users on these forums seem to have no moral compass whatsoever, others have an extremely skewed view of what is right and wrong. In one thread a user justifies RATing people (using creepware on them) by saying it's their own fault for downloading and installing programs from untrusted sources.

Figure 4. Blaming the victims

Another forum user thinks that if all you do is watch your victims without their knowledge, then it's fine.

Figure 5. Justifying invasion of privacy

Trawling through the countless posts on creepware and remote access Trojans, there seems to be a never-ending supply of users looking for help setting up their software and starting to RAT. While a few feel (mildly) guilty about what they do, the overwhelming majority see no harm in invading their victims' privacy and, in some cases, making money from it. In a thread named "Morals of messing with people" one user asks fellow hackers whether they think what they do is right.

Figure 6. Moral dilemma

The replies speak for themselves.

Figure 7. Moral bull****

Unfortunately, creepware users may not see, or care about, the damage that creepware can cause. There are plenty of cases in which innocent people have fallen prey to creepware and been left traumatized or worse by their attackers. One way in which creepware users monetize their activities is sextortion: a form of exploitation that uses non-physical coercion to extort sexual favors from the victim.

In August 2013, Miss Teen USA, 19-year-old Cassidy Wolf, became a victim of creepware. Wolf was hacked by a fellow high-school student who used creepware to take pictures of her undressing in her bedroom. The hacker then tried to blackmail her, threatening to publish the pictures online if she did not provide more explicit photos, but Wolf went to the police. The hacker was eventually caught and pleaded guilty to hacking at least two dozen women in a number of countries.

Another well-publicized case involved an attacker who used creepware to display a warning message box on his victims' computers telling them that their webcam's internal sensor needed to be cleaned by placing the computer close to steam. Several of the women were subsequently recorded taking a shower after bringing the computer into the bathroom.

Sadly, these cases are only the tip of the iceberg when it comes to creepware and the impact it can have on victims. Because many victims do not report this type of crime, perpetrators often escape justice. Attackers can threaten to post stolen or recorded content online, and if the threat is carried out the victim's reputation can be permanently damaged. The effects of this type of harassment, and of cyberbullying in general, are long lasting and can even lead to suicide. Creepware, it would seem, is a cyberbully's ideal tool.

Creepware and RATs are a global problem; they are used throughout the world, usually for all the wrong reasons.

Figure 8. Top five countries for RAT activity in the past six months
 

What can creepware do?

So what exactly can creepware do? There is an abundance of creepware programs on the market, such as Blackshades (W32.Shadesrat), DarkComet (Backdoor.Breut), Poison Ivy (Backdoor.Darkmoon), and jRAT (Backdoor.Jeetrat), to name but a few, and many of them share the same core functionality. We'll take a closer look at one in particular, the Pandora RAT, detected by Symantec as Trojan.Pandorat.

Pandora RAT allows an attacker to gain access to the following items on a compromised computer:

  • Files
  • Processes
  • Services
  • Clipboard
  • Active network connections
  • Registry
  • Printers

If all that isn’t enough, Pandora can also allow an attacker to:

  • Remotely control the compromised desktop
  • Take screenshots
  • Record webcam footage
  • Record audio
  • Log keystrokes
  • Steal passwords
  • Download files
  • Open Web pages
  • Display onscreen messages
  • Play audio messages using the text-to-speech function
  • Restart the compromised computer
  • Hide the taskbar
  • Hide desktop icons
  • Cause system failure/blue screen of death

Ease of use and a slick graphical user interface (GUI) are important factors in today's design-focused world, and creepware is no exception. Pandora, like many other RATs, has an easy-to-use GUI that experts and novices alike can master almost instantly. If the use of creepware was once reserved for hardened blackhat hackers, it is now accessible to everyone from script kiddies to total noobs.

Figure 9. User-friendly interface of Pandora RAT

Creepware has many different uses including:

  • Voyeurism
    Attackers use the victim's webcam and/or microphone to secretly record them.
  • Information/file stealing
    Information such as banking details or passwords, and files such as pictures and videos, can be copied or deleted.
  • Blackmail/sextortion
    Pictures or videos stolen from the computer, or recorded using the webcam, are used to force the victim into posing for explicit pictures or videos or performing sexual acts, or to extort money from the victim.
  • Trolling
    The attackers use creepware to make the computer behave strangely, opening pornographic or shocking websites, displaying abusive messages, or in some cases causing system damage, all for their own amusement.
  • Using the computer for DDoS attacks, etc.
    Compromised computers can be used to carry out distributed denial of service (DDoS) attacks, bitcoin mining, or other tasks where it benefits the attacker to use victims' resources.
     

Creepware economy

Creepware is big business in the underground economy, with a thriving market revolving around the sale of the software. The creepware itself can be purchased from the developers' own websites or from people advertising on hacking forums, where advertisements for FUD crypters, JDB generators, and slaves, among other things, can also be found. If this terminology is a little bewildering, here are some definitions:

  • FUD – Fully undetectable (by security vendors' scanners)
  • Crypter – A tool that encrypts or otherwise obfuscates the creepware executable and wraps it in a small stub that decrypts and runs it at execution time, so that the bytes on disk no longer match antivirus signatures
  • JDB – Java drive-by. A Java applet is placed on a website; when a user visits the site, a pop-up appears asking for permission to run the applet. Once permission is given, the applet downloads and installs the creepware.
  • Slave – A computer that has been infected with creepware

If all that sounds too much like hard work, anyone interested in getting their own creepware setup can pay any number of willing "experts" to do the legwork for them. Prices vary between services. Creepware/RATs can be found for free, but the ones that are for sale cost anything up to $250. Add-on services, such as FUD crypting and setup, cost between $20 and $50. As with most things these days, free advice and instructions are easy to find online, with plenty of users eager to pass on their knowledge about the best tools, tricks, and methods concerning creepware.
 

What can users do to protect themselves?

The following methods may be used to infect computers with creepware:

  • Drive-by downloads– By visiting a website, the user unknowingly downloads the creepware onto their computer
  • Malicious links– Malicious links, leading to websites hosting drive-by downloads, are distributed using social media, chat rooms, message boards, spam email etc. The attacker may also hack user accounts to make it seem like the link is being sent by a friend. Others may try to lure victims by posting enticing messages.
  • Exploit kits– Potential victims may visit compromised websites or click on malicious links and are then redirected to the exploit kit’s server where a script runs that will determine what exploits can be leveraged. If an exploit is viable, the victim is infected with the creepware and the attacker is notified.
  • Peer-to-peer file-sharing/torrents– The creepware server installer is packaged with a file, usually a popular program or game crack, and shared on a file sharing site. Once the file is executed, the creepware server module is installed.

To stay protected against creepware, Symantec recommends users to:

  • Keep antivirus definitions, operating systems, and software up-to-date.
  • Avoid opening emails from unknown senders and clicking on suspicious email attachments.
  • Exercise caution when clicking on enticing links sent through email, instant messages, or posted on social networks.
  • Only download files from trusted and legitimate sources.
  • Be suspicious of unexpected webcam activity. When you're not using the webcam, keep the shutter closed; if your webcam doesn't have a shutter, cover it with a piece of tape when not in use.

In today’s world, computers play an important role in our lives and the idea that such a ubiquitous tool could be used by an attacker to invade our privacy is a scary thought. While creepware is capable of causing a great deal of damage, taking appropriate defensive steps can keep you protected. By having good up-to-date security software and following some basic best practices we can all keep the creeps out of our computers.


Symantec Once Again Recognized as Leader in LGBT Equality


By Pat Padilla and Gary Phillips, Co-Champions of SymPride.


The Human Rights Campaign (HRC) announced yesterday that Symantec achieved a perfect score of 100 in its Corporate Equality Index (CEI) for the sixth consecutive year. HRC also recognized Symantec for being one of the “Best Places to Work for LGBT Equality.” The coveted distinction acknowledges Symantec’s leadership and commitment to equality, and represents the many efforts dedicated to assuring Symantec is a great place to work.

HRC is the nation’s largest civil rights organization working for the equality of lesbian, gay, bisexual and transgender (LGBT) people. It uses the CEI as a means to rate large U.S. companies on how they treat their LGBT employees, consumers, and investors. The CEI requires companies who score 100 percent to have fully inclusive equal employment opportunity policies, provide equal employment benefits to all employees and to demonstrate their commitment to equality publicly. This year HRC awarded over 300 companies perfect scores, an increase over last year.

Symantec’s perfect score, along with the “Best Places to Work for LGBT Equality” distinction, is a reflection of our goal to create a work environment where all employees are valued and respected for their individual differences and unique perspectives. Diversity at Symantec encompasses respect, open-mindedness and a commitment to professional and personal growth in a safe work environment for all. Symantec encourages its employees to contribute to and participate in an open, flexible and supportive environment that helps bring the best ideas to light. By embracing diversity, we make the most of our human resources, talent and abilities – and that is what makes Symantec a great place to work.

SymPride, an initiative we are both particularly passionate about, is Symantec's LGBTA Employee Resource Group (ERG). SymPride engages in activities designed to promote equality, cultural sensitivity, and social networking for Symantec employees. The group strives to help make Symantec a great place to work by fostering LGBTA awareness and learning, improving our cultural competence, and engaging employees. What started in 2007, initially through an informal LGBTA group formed at Symantec, has transformed into a dynamic team that has helped in influencing Symantec’s place on the CEI for the past six years.

SymPride's charter is to:

  • Support workplace improvement, community outreach programs, and D&I programs for LGBTA employees at Symantec
  • Create a safe and open working environment at Symantec for all LGBTA employees
  • Encourage LGBTA career development through leadership, mentoring, and networking opportunities
  • Lead Symantec outreach to non-profit organizations supporting the LGBTA community

SymPride is just one of Symantec’s Diversity & Inclusion ERGs. Others include Symantec’s Women’s Action Network (SWAN) (with 17 chapters worldwide), Symantec’s Black Employee Network (SBEN), our Hispanic Outreach and Leadership Affinity group (HOLA), and Leading and Empowering Asian Development (SymLEAD). ERGs are grassroots networks of employees who share a common culture or common characteristics and have a desire to connect. At Symantec, ERGs help to build cultural awareness and understanding while celebrating differences. They’ve also been an invaluable tool in helping us connect with employees on key cultural and diversity issues and ensuring all employees feel their voices are heard.

You can read more about Symantec's diversity and inclusion efforts in the 2013 Corporate Responsibility Report.

 

Co-authored by Pat Padilla, SymPride Champion, and Gary Phillips, SymPride Co-Champion


The cloud orchestration wars - focus on the task at hand


Few areas of IT seem to be gaining as much attention at the moment as cloud orchestration, as represented by OpenStack, CloudStack, VMware and the like. The debates in the blogosphere and on social media could suggest nothing short of all-out war as different vendors and groups back one approach or another.

To understand what's going on, it is best to start with the elephant in the room: Amazon, whose Elastic Compute Cloud (EC2) service (now part of its AWS portfolio) scared the socks off other vendors when it came to market, not least because it offered a fundamentally different approach to computing compared to traditional, in-house systems.

The Amazon model is based on the enormous power of virtualisation, which enables processing workloads to be allocated to computer hardware far more dynamically than was possible in the past. This is what gives EC2 its 'elasticity' in that processing cycles can be scaled up or down according to demand. To fully take advantage of the notion requires more distributed approaches to software design, so that some processing can take place in parallel. 

Ever since EC2 was launched, more traditional hardware and software vendors have been working hard to bring similar capabilities to market. Amazon's weakness is that it is entirely hosted - workloads have to be built and run "in the public cloud", that is on Amazon's servers. Equally, it can get expensive, particularly (it is said) for data transfers.

For a number of reasons, not least because it is a good idea, vendors have been looking to deliver similar capabilities to run in their clients' own data centres (as a "private cloud") or in hosted data centres; the term "hosted private cloud" refers to the fact that it is possible to combine both. A front runner is VMware, which is understandable given its market dominance in the virtualisation space: VMware's cloud orchestration technology is called vSphere.

A number of other initiatives have been kicked off by consortia of vendors and other groups. One is OpenStack, formed between hosting provider Rackspace and NASA in 2010, with the aim of using open source technologies to provide all the capabilities needed in a highly dynamic, virtualised IT environment. Another is CloudStack, based on a product acquired by Citrix which has now been open sourced; smaller, similar efforts include Eucalyptus.

The front runner is probably OpenStack, which is now backed by some 250 vendors including IBM, HP and Dell. I say 'probably' because this is the nub of the issue - with so much choice, each of which has its own strengths and weaknesses, it has become difficult for enterprises to decide which approach might best meet their needs. The comparison cannot be like for like - for example, CloudStack is reputed to be less fragmented, as well as easier to install and manage than OpenStack. 

The market is continuing to evolve rapidly - just this week for example, Amazon announced a GPU-based EC2 instance to enable more graphics or computation-centric processing such as VDI or gaming (and which can no doubt be turned to big data analytics and the like). 

On the upside, conversations are turning increasingly to the notion of interoperability. For example, Eucalyptus boasts close API alignment with Amazon EC2 enabling the two to work together. As enterprise adoption increases, it seems inevitable that organisations will clamour for different cloud orchestration models to work together, as their own needs evolve and mature alongside market evolution. 

The market in 2-3 years time will likely look quite different to now, though the same players might still be fighting it out.  For any organisation looking to make a foray into the world of private cloud computing, therefore, the key is to fully understand the requirements to be met and to conduct appropriate due diligence to ensure that current and immediate future needs will be met. It may also be best to stick to core features of any platform, apart from where a clear business return can be achieved by pushing the envelope. 

The highly dynamic compute models made possible by virtualisation can enable organisations to achieve great results. Better to focus on these first, than try to come up with a one-size-fits-all strategy in what is still a rapidly evolving market.  

Symantec provides storage management software for a number of cloud platforms, including Amazon Web Services (AWS) and OpenStack. You can read more at http://www.symantec.com/cloud-storage-backup and please share your thoughts below.

Microsoft Patch Tuesday – December 2013


Hello, welcome to this month's blog on the Microsoft patch release. This month the vendor is releasing eleven bulletins covering a total of 24 vulnerabilities. Ten of this month's issues are rated 'Critical'.

As always, customers are advised to follow these security best practices:

  • Install vendor patches as soon as they are available.
  • Run all software with the least privileges required while still maintaining functionality.
  • Avoid handling files from unknown or questionable sources.
  • Never visit sites of unknown or questionable integrity.
  • Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft's summary of the December releases can be found here:
http://technet.microsoft.com/en-us/security/bulletin/ms13-Dec

The following is a breakdown of the issues being addressed this month:

  1. MS13-102 Vulnerability in Windows Local Procedure Call Could Cause Elevation of Privilege (2898715)

    LPC Server Buffer Overrun Vulnerability (CVE-2013-3878) MS Rating: Important

    An elevation of privilege vulnerability exists in Microsoft Local Procedure Call (LPC) where an attacker uses a specially crafted LPC port message to cause a stack-based buffer overflow condition on either the LPC client or server.

  2. MS13-097 Cumulative Security Update for Internet Explorer (2898785)

    Internet Explorer Security Feature Bypass Vulnerability (CVE-2013-5045) MS Rating: Important

    An elevation of privilege vulnerability exists within Internet Explorer, which bypasses Internet Explorer Enhanced Protected Mode restrictions during the validation of a local file installation and during the secure creation of registry keys.

    Internet Explorer Security Feature Bypass Vulnerability (CVE-2013-5046) MS Rating: Important

    An elevation of privilege vulnerability exists within Internet Explorer, which bypasses Internet Explorer Enhanced Protected Mode restrictions during the validation of a local file installation and during the secure creation of registry keys.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-5047) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-5048) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-5049) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-5051) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-5052) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

  3. MS13-100 Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution (2904244)

    SharePoint Page Content Vulnerabilities (CVE-2013-5059) MS Rating: Important

    Remote code execution vulnerabilities exist in Microsoft SharePoint Server. An authenticated attacker who successfully exploited these vulnerabilities could run arbitrary code in the security context of the W3WP service account.

  4. MS13-104 Vulnerability in a Microsoft Office Could Allow Information Disclosure (2909976)

    Token Hijacking Vulnerability (CVE-2013-5054) MS Rating: Important

    An information disclosure vulnerability exists when the affected Microsoft Office software does not properly handle a specially crafted response while attempting to open an Office file hosted on the malicious website. An attacker who successfully exploited this vulnerability could ascertain access tokens used to authenticate the current user on a targeted SharePoint or other Microsoft Office server site.

  5. MS13-096 Vulnerability in Microsoft Graphics Component Could Allow Remote Code Execution (2908005)

    Microsoft Graphics Component Memory Corruption Vulnerability (CVE-2013-3906) MS Rating: Critical

    A remote code execution vulnerability exists in the way that the affected Windows components and other affected software handle specially crafted TIFF files. The vulnerability could allow remote code execution if a user views TIFF files in shared content.

  6. MS13-101 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2880430)

    Win32k Memory Corruption Vulnerability (CVE-2013-3899) MS Rating: Important

    An elevation of privilege vulnerability exists in the way that the Win32k.sys kernel-mode driver validates address values in memory.

    Win32k Use After Free Vulnerability (CVE-2013-3902) MS Rating: Important

    An elevation of privilege vulnerability exists in the Microsoft Windows kernel. This vulnerability is caused when the Windows kernel improperly handles objects in memory.

    TrueType Font Parsing Vulnerability (CVE-2013-3903) MS Rating: Important

    A denial of service vulnerability exists in the Microsoft Windows kernel. This vulnerability is caused when the Windows kernel improperly processes a specially crafted TrueType font file.

    Port-Class Driver Double Fetch Vulnerability (CVE-2013-3907) MS Rating: Important

    An elevation of privilege vulnerability exists in the way that the Windows audio port-class driver (portcls.sys) handles objects in memory.

    Win32k Integer Overflow Vulnerability (CVE-2013-5058) MS Rating: Important

    A denial of service vulnerability exists in the way that the Win32k.sys kernel-mode driver handles objects in memory.

  7. MS13-099 Vulnerability in Microsoft Scripting Runtime Object Library Could Allow Remote Code Execution (2909158)

    Use-After-Free Vulnerability in Microsoft Scripting Runtime Object Library (CVE-2013-5056) MS Rating: Critical

    A remote code execution vulnerability exists in the Microsoft Scripting Runtime Object Library due to a memory corruption error when handling an object in memory.

  8. MS13-106 Vulnerability in a Microsoft Office Shared Component Could Allow Security Feature Bypass (2905238)

    HXDS ASLR Vulnerability (CVE-2013-5057) MS Rating: Important

    A security feature bypass exists in an Office shared component that does not properly implement Address Space Layout Randomization (ASLR).

  9. MS13-103 Vulnerability in ASP.NET SignalR Could Allow Elevation of Privilege (2905244)

    SignalR XSS Vulnerability (CVE-2013-5042) MS Rating: Important

    An elevation of privilege vulnerability exists in ASP.NET SignalR that could allow an attacker access to resources in the context of the targeted user.

  10. MS13-098 Vulnerability in Windows Could Allow Remote Code Execution (2893294)

    WinVerifyTrust Signature Validation Vulnerability (CVE-2013-3900) MS Rating: Important

    A remote code execution vulnerability exists in the way that the WinVerifyTrust function handles the Windows Authenticode signature verification for portable executable (PE) files.

  11. MS13-105 Vulnerabilities in Microsoft Exchange Server Could Allow Remote Code Execution (2915705)

    MAC Disabled Vulnerability (CVE-2013-1330) MS Rating: Critical

    An elevation of privilege vulnerability exists in Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the Outlook Web Access (OWA) service account.

    OWA XSS Vulnerability (CVE-2013-5072) MS Rating: Critical

    An elevation of privilege vulnerability exists in Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the Outlook Web Access (OWA) service account.

    Oracle Outside In Contains Multiple Exploitable Vulnerabilities (CVE-2013-5763) MS Rating: Critical

    Remote code execution vulnerabilities exist in Exchange Server 2007, Exchange Server 2010, and Exchange Server 2013 through the WebReady Document Viewing feature. The vulnerabilities could allow remote code execution as the LocalService account if a user views a specially crafted file through Outlook Web Access in a browser.

    Oracle Outside In Contains Multiple Exploitable Vulnerabilities (CVE-2013-5791) MS Rating: Critical

    Remote code execution vulnerabilities exist in Exchange Server 2007, Exchange Server 2010, and Exchange Server 2013 through the WebReady Document Viewing feature. The vulnerabilities could allow remote code execution as the LocalService account if a user views a specially crafted file through Outlook Web Access in a browser.

More information on the vulnerabilities being addressed this month is available at Symantec's free SecurityFocus portal and to our customers through the DeepSight Threat Management System.
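The first best practice above is to install the patches promptly; the following added example (not part of Symantec's post) turns the bulletin list into a quick verification. It takes the text of a `Get-HotFix` or `wmic qfe list` listing captured from a Windows host and reports which of this month's bulletins have no matching KB installed, using the KB numbers quoted beside each bulletin above. Two caveats: for some products the installed package carries a different KB number than the bulletin itself, so a "missing" result is a prompt to consult the bulletin's affected-software table rather than proof the host is unpatched; and the workstation subset used below is an assumption for illustration. The sample listing is constructed.

```python
"""Compare a captured hotfix listing against the December 2013 bulletin KBs.

Added example, not from the original post. The listing text is what
`Get-HotFix` (PowerShell) or `wmic qfe list` prints; the sample here is
constructed.
"""
import re

# Bulletin -> KB article number, as quoted in the post above.
DECEMBER_2013_BULLETINS = {
    "MS13-096": 2908005, "MS13-097": 2898785, "MS13-098": 2893294,
    "MS13-099": 2909158, "MS13-100": 2904244, "MS13-101": 2880430,
    "MS13-102": 2898715, "MS13-103": 2905244, "MS13-104": 2909976,
    "MS13-105": 2915705, "MS13-106": 2905238,
}

# Assumed subset relevant to a client OS with Office installed; derive the
# real set for a host from each bulletin's affected-software table.
WORKSTATION_BULLETINS = (
    "MS13-096", "MS13-097", "MS13-098", "MS13-099",
    "MS13-101", "MS13-102", "MS13-106",
)

KB_PATTERN = re.compile(r"\bKB(\d{6,7})\b", re.IGNORECASE)


def installed_kbs(listing: str) -> set:
    """Return every KB number that appears in a hotfix listing."""
    return {int(num) for num in KB_PATTERN.findall(listing)}


def missing_bulletins(listing: str, only=None, bulletins=DECEMBER_2013_BULLETINS) -> dict:
    """Map bulletin ID -> KB for bulletins whose KB is absent from the listing.

    `only` restricts the check to the given bulletin IDs (e.g. the ones that
    apply to the host's installed products); None checks all of them.
    """
    present = installed_kbs(listing)
    wanted = bulletins if only is None else {b: bulletins[b] for b in only}
    return {b: kb for b, kb in wanted.items() if kb not in present}


# Constructed sample in the shape of `Get-HotFix` output (hostname, dates and
# the non-December KB2876000 entry are made up for the example).
SAMPLE_LISTING = """\
Source        Description      HotFixID      InstalledBy          InstalledOn
------        -----------      --------      -----------          -----------
WKS-07        Security Update  KB2898715     NT AUTHORITY\\SYSTEM  12/11/2013 12:00:00 AM
WKS-07        Security Update  KB2898785     NT AUTHORITY\\SYSTEM  12/11/2013 12:00:00 AM
WKS-07        Security Update  KB2893294     NT AUTHORITY\\SYSTEM  12/11/2013 12:00:00 AM
WKS-07        Security Update  KB2880430     NT AUTHORITY\\SYSTEM  12/11/2013 12:00:00 AM
WKS-07        Update           KB2876000     NT AUTHORITY\\SYSTEM  11/13/2013 12:00:00 AM
"""

if __name__ == "__main__":
    for bulletin, kb in sorted(missing_bulletins(SAMPLE_LISTING, only=WORKSTATION_BULLETINS).items()):
        print(f"{bulletin} (KB{kb}) not found in hotfix listing")
```

To run it against a real host, save the output of `Get-HotFix | Format-Table -AutoSize` (or `wmic qfe list full`) to a file and pass its contents to `missing_bulletins`, restricting `only` to the bulletins whose affected-software table matches what is installed.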

Finding Policy Information by Client (command-line scripting)


A not-so-simple program I wrote in perl that helps to generate policy information and historical run information together in one single-command output, so you can provide detailed information to the customer about their backups.

Microsoft Patch Tuesday – December 2013 (Japanese edition)

Welcome to this month's blog on the Microsoft patch release. This month, 11 bulletins have been released covering 24 vulnerabilities. Ten of these are rated 'Critical'.

As always, we recommend the following security best practices:

  • Install vendor patches as soon as they are available.
  • Run all software with the least privileges required while still maintaining functionality.
  • Avoid handling files from unknown or questionable sources.
  • Never visit sites of unknown or questionable integrity.
  • Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft's summary of the December releases is published at the following page:
http://technet.microsoft.com/ja-jp/security/bulletin/ms13-Dec

Details of some of the issues addressed by this month's patches are given below.

  1. MS13-102 Vulnerability in Windows Local Procedure Call Could Cause Elevation of Privilege (2898715)

    LPC Server Buffer Overrun Vulnerability (CVE-2013-3878) MS Rating: Important

    An elevation of privilege vulnerability exists in Microsoft Local Procedure Call (LPC). An attacker who uses a specially crafted LPC port message can cause a stack-based buffer overflow condition on either the LPC client or server.

  2. MS13-097 Cumulative Security Update for Internet Explorer (2898785)

    Internet Explorer Security Feature Bypass Vulnerability (CVE-2013-5045) MS Rating: Important

    An elevation of privilege vulnerability exists in Internet Explorer. Internet Explorer Enhanced Protected Mode restrictions are bypassed during the validation of a local file installation or during the secure creation of registry keys.

    Internet Explorer Security Feature Bypass Vulnerability (CVE-2013-5046) MS Rating: Important

    An elevation of privilege vulnerability exists in Internet Explorer. Internet Explorer Enhanced Protected Mode restrictions are bypassed during the validation of a local file installation or during the secure creation of registry keys.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-5047) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-5048) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-5049) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-5051) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-5052) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

  3. MS13-100 Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution (2904244)

    SharePoint Page Content Vulnerabilities (CVE-2013-5059) MS Rating: Important

    Remote code execution vulnerabilities exist in Microsoft SharePoint Server. An authenticated attacker who successfully exploited these vulnerabilities could run arbitrary code in the security context of the W3WP service account.

  4. MS13-104 Vulnerability in Microsoft Office Could Allow Information Disclosure (2909976)

    Token Hijacking Vulnerability (CVE-2013-5054) MS Rating: Important

    An information disclosure vulnerability exists when the affected Microsoft Office software does not properly handle a specially crafted response while attempting to open an Office file hosted on a malicious website. An attacker who successfully exploited this vulnerability could ascertain access tokens used to authenticate the current user on a targeted SharePoint or other Microsoft Office server site.

  5. MS13-096 Vulnerability in Microsoft Graphics Component Could Allow Remote Code Execution (2908005)

    Microsoft Graphics Component Memory Corruption Vulnerability (CVE-2013-3906) MS Rating: Critical

    A remote code execution vulnerability exists in the way that the affected Windows components and other affected software handle specially crafted TIFF files. The vulnerability could allow remote code execution if a user views TIFF files in shared content.

  6. MS13-101 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2880430)

    Win32k Memory Corruption Vulnerability (CVE-2013-3899) MS Rating: Important

    An elevation of privilege vulnerability exists in the way that the Win32k.sys kernel-mode driver validates address values in memory.

    Win32k Use After Free Vulnerability (CVE-2013-3902) MS Rating: Important

    An elevation of privilege vulnerability exists in the Microsoft Windows kernel. This vulnerability is caused when the Windows kernel improperly handles objects in memory.

    TrueType Font Parsing Vulnerability (CVE-2013-3903) MS Rating: Important

    A denial of service vulnerability exists in the Microsoft Windows kernel. This vulnerability is caused when the Windows kernel improperly processes a specially crafted TrueType font file.

    Port-Class Driver Double Fetch Vulnerability (CVE-2013-3907) MS Rating: Important

    An elevation of privilege vulnerability exists in the way that the Windows audio port-class driver (portcls.sys) handles objects in memory.

    Win32k Integer Overflow Vulnerability (CVE-2013-5058) MS Rating: Important

    A denial of service vulnerability exists in the way that the Win32k.sys kernel-mode driver handles objects in memory.

  7. MS13-099 Vulnerability in Microsoft Scripting Runtime Object Library Could Allow Remote Code Execution (2909158)

    Use-After-Free Vulnerability in Microsoft Scripting Runtime Object Library (CVE-2013-5056) MS Rating: Critical

    A remote code execution vulnerability exists in the Microsoft Scripting Runtime Object Library due to a memory corruption error when handling an object in memory.

  8. MS13-106 Vulnerability in a Microsoft Office Shared Component Could Allow Security Feature Bypass (2905238)

    HXDS ASLR Vulnerability (CVE-2013-5057) MS Rating: Important

    A security feature bypass vulnerability exists in an Office shared component that does not properly implement Address Space Layout Randomization (ASLR).

  9. MS13-103 Vulnerability in ASP.NET SignalR Could Allow Elevation of Privilege (2905244)

    SignalR XSS Vulnerability (CVE-2013-5042) MS Rating: Important

    An elevation of privilege vulnerability exists in ASP.NET SignalR that could allow an attacker access to resources in the context of the targeted user.

  10. MS13-098 Vulnerability in Windows Could Allow Remote Code Execution (2893294)

    WinVerifyTrust Signature Validation Vulnerability (CVE-2013-3900) MS Rating: Important

    A remote code execution vulnerability exists in the way that the WinVerifyTrust function handles Windows Authenticode signature verification for portable executable (PE) files.

  11. MS13-105 Vulnerabilities in Microsoft Exchange Server Could Allow Remote Code Execution (2915705)

    MAC Disabled Vulnerability (CVE-2013-1330) MS Rating: Critical

    An elevation of privilege vulnerability exists in Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the Outlook Web Access (OWA) service account.

    OWA XSS Vulnerability (CVE-2013-5072) MS Rating: Critical

    An elevation of privilege vulnerability exists in Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the Outlook Web Access (OWA) service account.

    Oracle Outside In Contains Multiple Exploitable Vulnerabilities (CVE-2013-5763) MS Rating: Critical

    Remote code execution vulnerabilities exist in Exchange Server 2007, Exchange Server 2010, and Exchange Server 2013 through the WebReady Document Viewing feature. The vulnerabilities could allow remote code execution as the LocalService account if a user views a specially crafted file through Outlook Web Access in a browser.

    Oracle Outside In Contains Multiple Exploitable Vulnerabilities (CVE-2013-5791) MS Rating: Critical

    Remote code execution vulnerabilities exist in Exchange Server 2007, Exchange Server 2010, and Exchange Server 2013 through the WebReady Document Viewing feature. The vulnerabilities could allow remote code execution as the LocalService account if a user views a specially crafted file through Outlook Web Access in a browser.

More information on the vulnerabilities addressed this month is available from Symantec's free SecurityFocus portal, and customers can also obtain it through the DeepSight Threat Management System.

* The RSS feed for the Japanese-language Security Response blog is available at http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja

Three Reasons Why Items are Stuck in Pending Archive

In this article I'd like to give you a tip or two about why items sometimes simply remain in an 'archive pending' state. I'm sure you've all seen this from time to time in your own environment, or in one at a customer's, and you've probably been asked why the items are stuck in a pending state. Now you'll have some answers ready when the question comes up again.
 
Backups Not Yet Run
 
I work extensively in lab environments, so the safety copy setting on the Vault Stores I work with is invariably set to 'Immediately'. In the real world, though, you're much more likely to see this:
 
[Figure: after-backup-pending.png]
 
... the safety copy setting is 'After Backup'.
 
This means that when an item is archived, whether manually by the user, by the scheduled run of the archiving task, or by running the archiving task by hand, it will not turn into a full shortcut straight away; it will go to a pending state.
 
Once a good backup of the Vault Store has been taken, the Storage Service will 'flip' all those items from pending to full shortcuts.
 
Client-Server a bit broken
 
From time to time the above process is 'broken' when it comes to an end user manually archiving an item. The client-to-server communication fails, so the item goes to a pending state on the client but never actually gets archived, and the resulting 'issue' is never pushed back down to the client. The net result is that the item sits in a pending state. This can also happen if an item goes to a pending state and the end user then moves it to a subfolder.
 
Server side a bit broken
 
The general process described above, where the backup completes and storage then goes through and flips all the pending shortcuts to full shortcuts, also sometimes gets interrupted. When that happens those items can also sit in a pending state, though usually it's a LOT of items stuck that way, rather than just a few from end users.
 
Most of the things that might get a bit broken, whether server side, client side, or a combination of the two, can be fixed by something that is already built in to EV ...
 
Help on the way?
 
Enterprise Vault helps with all of this through a setting called 'pending shortcut timeout'. It's configured on the archiving policy:
 
[Figure: pending-shortcut-timeout.png]
 
The setting can be configured to a number of days (or turned off completely if that is what you want). When the archiving task runs in normal or report mode, it cleans up the items that have stayed in the pending state past the timeout and cancels them back to normal items, so that archiving can be tried on them again. This stops transient issues from leaving items stuck in a pending state for a long time.