There's been plenty in the news recently regarding encryption and SSL – which has led some people to wonder how safe the technology really is. As the leader of Symantec's Trust Services Products & Services organization, I want to assure you that SSL is safe. Below is some information that may help you understand why, and also inform you about the current state of SSL security.
First, the fundamental key strength of RSA 2048-bit certificates is solid and without question. Independent cryptography experts have confirmed this, and highly-respected publications such as the MIT Technology Review have published articles on the subject. As always, organizations that use SSL should make sure they use the strongest algorithms available.
Customers of SSL certificates should take specific actions to safeguard the security of their server-side private keys. They should put in place powerful network protections and should never utilize tools where private keys are revealed to third parties. Symantec never takes possession of any customer's SSL private keys.
Lastly, and perhaps most importantly, Certificate Authorities that issue SSL certificates must never share the private keys of their roots. The trust in SSL by everyone – from end-users, to the companies that they communicate with, to the browsers that enable secure connections – all depend on Certificate Authorities to provide unequivocal security of their root keys.
As the world’s largest and most trusted Certificate Authority, we use best-in-class security processes to protect our roots. We do not share our private keys with any third-party company, government, organization or individual. To repeat: We never share our root keys, and never will. Period.
We are committed to ensuring our customers can use SSL safely and we recommend that customers take important, but simple steps to proactively protect their private keys. To learn more about Symantec's SSL offerings, please go to http://go.symantec.com/ssl.
iPod と iPhone によって作り出された「ハロー(後光、光背)」が、ビジネスユーザーに対する Mac の売上を引き上げています。これが、いわゆる「ハロー効果」です。筆者がこの現象に気付いたのは数年前のことでした。会議室のテーブルでも Mac を広げる姿が増え、あのシルバーの筐体と白く輝くリンゴのマークをたびたび目にするようになってきたからです。Apple 社の報告によると、2013 年の第 4 四半期には、企業向けの Mac の売上が 50% も増加しました。しかし、業務に利用される Mac の台数が増える一方で、Mac のセキュリティに関する誤解は根強く残っています。企業は何を知っておく必要があるのでしょうか。
サイバー犯罪者が最も力を注ぐのは、常に「費用対効果が高い」ところ、つまり大きな PC 市場です。数が物を言う世界であり、ハッカーはいつでも最大の ROI が得られることを追求しています。これまで、それに該当するのは Windows システムでした。Mac を標的にするマルウェアは PC を狙うマルウェアに比べれば今でも少数ですが、攻撃者は「ハロー」に気付き、Mac を狙うようになってきました。
よく知られているのが Flashbackで、これは単独で 600,000 台もの Mac に拡散しました。しかし、考えなければならない問題はほかにもあります。Mac は、経営幹部が好んで選ぶコンピュータだということです。経営幹部は、財務データや企業データなどの機密情報に対するアクセス権を持っているため、ハッカーは貴重なデータが入っている経営幹部たちの Mac を狙うに違いありません。
企業向けの Mac も会社のエンドポイントコンピュータの一部と捉えるべきときが来たのです。企業が生産性を最大化し、リスクを最小限に抑えるためには、完全な保護と管理が必要です。最近リリースされた Symantec Endpoint Protection(SEP)12.1.4 では、Mac の保護が容易になり、プラットフォームを超えて機能が拡張されています。最新版の SEP は、侵入防止技術とウイルス対策機能を備え、単一のコンソールから Windows と Mac の両方の管理とレポートが可能です。SEP 12.1.4 は最新の Mac OS X 10.9 Mavericks と Windows 8.1 をサポートし、Mac クライアントのリモート配備も提供します。Java を必要とせず、ウイルス対策定義を SEP Manager から直接ダウンロードすることで帯域幅を節約できます。また、クリティカルなイベントが発生した場合には、Fast Path を通じて即時に通知が行われます。堅ろうなセキュリティを実装し、セキュリティ上の一般的なベストプラクティスに従えば、企業ユーザーは Mac か PC かを問わず、絶えず進化する脅威から保護されるため安心です。詳しくは、www.symantec.com/ja/jp/endpoint-protectionをご覧ください。
Cos'è Java
Java è un linguaggio di programmazione e una piattaforma di elaborazione sviluppati da Sun Microsystems nel 1995. Si tratta della tecnologia sulla quale si sviluppano i programmi più avanzati, tra cui utilità, giochi e applicazioni aziendali. Java è in esecuzione su oltre 850 milioni di personal computer e miliardi di dispositivi a livello mondiale, inclusi dispositivi mobili e TV. Esiste un numero notevole di applicazioni e siti Web, in aumento ogni giorno, che funzionano esclusivamente se è stato installato Java. Java è veloce, sicuro e affidabile. Dai portatili ai datacenter, dalle console per videogiochi ai computer altamente scientifici, ai telefoni cellulari e a Internet, Java è onnipresente!
Come verificare la versione di Java installata nel computer
I've also posted both webinar slide decks to Slideshare here
Finally, I’d also like to share this blog posted by Tom Powledge who is the VP of the Website Secuirty Solutions division here at Symantec Keeping Your Data Safe with SSL
In honor of International Volunteer Day this week we are featuring a “Sustainability Spotlight” series, highlighting employees across Symantec who incorporate aspects of corporate responsibility (CR) and sustainability into their day jobs. This series will focus on volunteering and highlight some of the extraordinary efforts employees are making in their communities that last year helped Symantec increase volunteer hours by 41 percent. Yesterday we took a look back at our first Sustainability Spotlight employee, Claire Scull. Today we feature Peter Hancock, Sr. Director, Technical Sales Organization, who was just honored for his volunteer work with non-profit NPower, receiving the organization’s Volunteer of the Year Award.
”It takes a village to raise a child” – African Proverb
Everyone has the potential to contribute and make a difference in the lives of our young adults, our veterans, and non-profits across the globe. But sometimes finding the time, or the passion, to take that first step can be hard.
Today, I’m happy to share my story of volunteering through one of Symantec’s non-profit partners NPower. I was honored to be awarded NPower’s Volunteer of the Year Award at their recent gala. Through this partnership with Symantec I’ve found a cause whose mission has become part of my lifestyle and everyday work to the point where I do not even consider my work to be volunteering.
What is NPower?
NPower’s goal is to harness technology for social good. In addition to connecting highly skilled tech professionals to the projects where they can make the greatest impact, NPower delivers its own educational programs. From veterans in Dallas to underserved young adults in Harlem and Brooklyn, the organization builds brighter futures with free IT training, professional skills, mentoring, internships and job placement. To do this, NPower relies on skilled tech volunteers to provide inspiration, advice and direction.
My journey
My journey with NPower began on a crisp spring morning in May of 2010 at an event where NPower CEO Stephanie Cuskley introduced the organization’s strategic go-forward vision to a group of interested corporate parties. As I was already volunteering my tech skills at Easter Seals, the idea of being part of a larger “tech for good” mission clicked with me and I got engaged.
My first visit to NPower was as a guest lecturer for NPower’s Technology Service Corps program. TSC is a 22-week intensive training program that builds brighter futures for underserved young adults and veterans helping them pursue STEM related careers by providing free professional training and job placement services.
It surprised me that as I waited in the lobby of the classroom, I actually had butterflies in my stomach. But that feeling didn’t last beyond meeting more than 25 young, energetic men and women with a desire to learn about technology and pursue careers in IT. Technology Service Corps was their path to a brighter future for themselves, their families and their communities.
Fast forward to today where I’ve had the pleasure of visiting nearly every NPower classroom in New York, serve as co-Chairman of the Tech Service Corps advisory board and play a key role in advising NPower’s future expansion. Along the way it has been great to see so many Symantec employees join me, hosting site visits so students can gain ‘real-world’ experience, serving as guest lecturers and more.
It has also been inspiring to see Symantec increase its corporate support – as a volunteer I was passionate about NPower and raised awareness at Symantec forming a volunteer group to support TSC. Today, through this partnership Symantec is now one of the largest donors of equipment and software and becoming a National Corporate Underwriter of NPower.
As I look back today on the time I’ve spent mentoring NPower students, I am reminded that every part of it was rewarding. In those few hours every day, my ‘normal’ business day is put into perspective. I am able to use my skills and expertise to help build a future for youth, and also build a stronger future workforce for our industry.
To NPower I thank you very much for the opportunity to make a difference in your students’ futures.
To everyone, one person can make an impact, but you must start somewhere. I did, and I hope after reading this you will feel empowered to do the same.
Peter Hancock is Senior Director of Symantec's Technical Sales Organization.
Cybercriminals are constantly looking for ways to evolve their malware. Evolution is the key for survival because antivirus research, analysis, countermeasures, and public awareness thwart the efficacy of malware and its spread. During the past year, Ransomware has received a lot of news coverage which has decreased the number of uninformed victims and lowered the impact and effectiveness of the malware along with the percentage of return to the criminal.
Due to this increased public awareness, in the last quarter of 2014 we have seen cybercriminals reorganize around a new type of extortion: Cryptolocker. This threat is pervasive and preys on a victim's biggest fear: losing their valuable data. Unlike previous Ransomware that locked operating systems and left data files alone and usually recoverable, Cryptolocker makes extortion of victims more effective because there is no way to retrieve locked files without the attacker's private key.
The following Q&A outlines Cryptolocker and Symantec’s protection against this malware:
Q: What is the difference between Ransomware and Cryptolocker (also known as Ransomcrypt)?
The difference between Ransomlock and Cryptolocker Trojans is that Ransomlock Trojans generally lock computer screens while Cryptolocker Trojans encrypt and lock individual files. Both threats are motivated by monetary gains that cybercriminals can make from extorting money from victims.
Q: When was this threat discovered?
In September 2013 the Cryptolocker threat began to be seen the wild.
Q: Is the Cryptolocker threat family something new?
No. Symantec detects other similar malware families such as Trojan.Gpcoder (May 2005) and Trojan.Ransomcrypt (June 2009) that encrypt and hold files ransom on compromised systems.
Q: What is the severity of this Cryptolocker threat?
The severity is high. If files are encrypted by Cryptolocker and you do not have a backup of the file, it is likely that the file is lost.
Q: How do I know I have been infected by Cryptolocker?
Once infected, you will be presented on screen with a ransom demand.
Figure 1. Cryptolocker ransom demand
Q: How does a victim get infected?
Victims receive spam email that use social engineering tactics to try and entice opening of the attached zip file.
Figure 2. Cryptolocker spam email example
If victims open the zip file attached to the email, they will find an executable file disguised to look like an invoice report or some other similar social engineering ploy, depending on the email theme. This executable file is Downloader.Upatre that will download Trojan.Zbot. Once infected with Trojan.Zbot, the Downloader.Upatre also downloads Trojan.Cryptolocker onto the compromised system. Trojan.Cryptolocker then reaches out to a command-and-control server (C&C) generated through a built-in domain generation algorithm (DGA). Once an active C&C is found, the threat will download the public key that is used to encrypt the files on the compromised system while the linked private key—required for decrypting the files— remains on the cybercriminal’s server. The private key remains in the cybercriminal control and cannot be used without access to the C&C server which changes regularly.
Figure 3. Cryptolocker attack steps
Q: Does Symantec have protection in place for Cryptolocker and the other associated malware?
Yes. Symantec has the following protection in place for this threat:
Symantec customers that use the Symantec.Cloud service are also protected from the spam messages used to deliver this malware.
Some earlier Symantec detections that detect this threat have been renamed:
Virus definitions dated November 13, 2013, or earlier detected this threat as Trojan.Ransomcrypt.F
Intrusion Prevention Signature (IPS) alerts dated November 14, 2013, or earlier were listed as "System Infected: Trojan.Ransomcrypt.F"
Q: What do the C&Cs look like?
The following are recent examples of command-and-control (C&C) servers from the DGA:
kstattdnfujtl.info/home/
yuwspfhfnjmkxts.biz/home/
nqktirfigqfyow.org/home/
Cryptolocker can generate up to one thousand similar looking domain names per day in its search for an active C&C.
Q: How sophisticated is this threat?
While the Cryptolocker campaign uses a common technique of spam email and social engineering in order to infect victims, the threat itself also uses more sophisticated techniques like the following:
Cryptolocker employs public-key cryptography using strong RSA 2048 encryption. Once files are encrypted without the private key held on the attacker’s server, the victim will not be able to decrypt the files.
Cryptolocker employs a DGA that is based on the Mersenne twister pseudo-random number generator to find active C&Cs.
Q: How prevalent is the threat?
Symantec telemetry for this threat shows that the threat is prevalent in the United States at present. While the numbers being reported are low, the severity of the attack is still considerable for victims.
Figure 4. Top 5 countries reporting detections
Q: Has Symantec previously released any publications around these attacks?
No. You should never pay a ransom. Payment to cybercriminals only encourages more malware campaigns. There is no guarantee that payment will lead to the decryption of your files.
Q: Who is behind the Cryptolocker malware?
Investigations into the cybercriminals behind the Cryptolocker malware are ongoing.
Q: Is there any advice on how to recover files affected by this attack?
Yes, Symantec Technical Support has released the following article:
Yes. First, follow information security best practices and always backup your files. Keep your systems up to date with the latest virus definitions and software patches. Refrain from opening any suspicious unsolicited emails. We also advise customers to use the latest Symantec technologies and incorporate the latest Symantec consumer and enterprise solutions to best protect against attacks of this kind.
Q: Does Symantec offer backup and disaster recovery software?
The Enterprise Vault Vault Cache and Virtual Vault functionality has made a great impact to the end user experience that people have when working with archived emails in Outlook. Under the covers though there is a set of files that people often wonder about. These are the .DB files which make up the 'Content Cache' of Vault Cache/Virtual Vault. In this blog I'll explain a little bit about the files.
The files existed in the previous incarnation of offline usage of Enterprise Vault, which was called Offline Vault, and actually the structure and contents haven't varied that much in their new life of Vault Cache. You may see a collection of these files on one of my tests systems below:
The files vary in size, and have a special file name. Here is an example name of a .DB file:
2012_10_12_0003.db
This file contains archived emails from the end-users archive for October to December 2012. It is the 3rd such .DB file in that calendar-quarter. Each of the files are named using the same principal.
The files themselves are actually PST files, we can take a copy of one of them with Outlook closed, and open it as a PST file to see the contents. It might look a little bit like this:
And if we look in a folder, we can see the archived items themselves. The collection of these files can take up a sizable amount of disk space, and I've written before about how to manage that via policy, and Vault Cache itself manages the amount of disk used too. The final thing to say is that you might not have these files, it's depending on the users desktop policy whether or not the Vault Cache content is stored locally, or not, and whether or not the setting for 'Offline Store required' is set or not, versus the Outlook connection state.
I've seen some sizable Vault Cache DB files in the past, the sum total of them being several GB of disk space. How big have you seen the Vault Cache DB files? Let me know in the comments below:
Cloud-enabled Management (CEM) is a new feature that allows you to manage client computers outside the corporate network, even if you do not use a Virtual Private Network. CEM was first introduced with IT Management Suite 7.5.
To make the process of implementation quick and easy, we have prepared a whitepaper that describes the concept, requirements and the process of implementation of Cloud-enabled Management.
The 6.1 release of Storage Foundation High Availability introduces SmartIO which enables customers to increase application performance and reduce storage costs while maintaining availability of data and applications.
Introduction
SmartIO takes advantage of internal Solid State Storage (SSD) devices to provide an intelligent, distributed caching layer to serve more reads and writes from inside the host, effectively decoupling front-end IOPs from back-end capacity. SmartIO allows customers to cache at the Volume (VxVM), File System (VxFS), and file level for highly granular control of application performance and utilization of the solid state device. SmartIO utilizes advanced heuristics to maximize the effectiveness of cache population and eviction to ensure the most relevant data is stored within SmartIO’s cache areas. SmartIO can also tie directly into the IO patterns of mission critical databases, such as Oracle and Sybase, to take “hints” as to the type of workload those databases are running and adjust its caching accordingly. Finally, for the most specific of use-cases, SmartIO allows customers to “pin” specific files and directories to the cache to ensure the cache is pre-warmed with that target data.
Benefits
SmartIO is completely integrated into the core Storage Foundation components and can be run in both stand-alone (SF/SFHA) and clustered (SFCFSHA) configurations. Due to the integrated nature, SmartIO can be configured, managed, and tuned without impacting the overlying application. There is no down-time and no new software to install or manage.
Once configured, SmartIO provides:
Increased Application Performance– By bringing the active data inside the server and “closer” to the application, SmartIO removes the network latencies and HDD performance bottlenecks associated with traditional Storage Area Networks.
Reduced Storage Costs– SmartIO, when combined with a “Tier-2” array provides equal and better performance than a traditional “Tier-1” array.
Improved Storage Utilization– By reducing the read requirements on the back-end storage, SmartIO allows for high instance stacking on existing arrays without impacting application performance.
Cascaded Performance Benefits– Storage arrays typically serve multiple servers and applications. SmartIO’s I/O maximization frees up resources on the array to handle more reads and writes from other applications, essentially improving application performance without any SSD.
The following query has the ability to list all Software Releases and their associated rules or just the rules associated with a specifc Software Release:
SELECT rsr.Name AS [Software Release],rir.Name AS [Rule],rir.[Description] AS [Rule Description]
FROM RM_ResourceSoftware_Release rsr
JOIN ResourceAssociation ra ON ra.ParentResourceGuid = rsr.[Guid]
JOIN RM_ResourceInventory_Rule rir ON rir.[Guid] = ra.ChildResourceGuid
--WHERE rsr.Name = 'specific software release'
ORDER BY rsr.Name ASC
As Applicability and Detection rules are both classed as inventory rules, they do not have their own resource type or class; however, it does appear that detection rule names begin with "Detection Rule for", which should allow you to distinguish between the two.
Some people stick a piece of tape over the webcam on their laptop, maybe you even do it yourself. Are they over cautious, paranoid, a little strange? Are you? Or is there reason behind this madness? Many of us have heard the stories about people being spied on using their own computer or people being blackmailed using embarrassing or incriminating video footage unknowingly recorded from compromised webcams. But are these stories true and are some people’s seemingly paranoid precautions justified? Unfortunately the answer is yes, precaution against this type of activity is necessary and there are a multitude of programs out there that can be used for this type of malicious activity…and more. Remote access Trojans (RATs), or what we are calling creepware, are programs that are installed without the victim’s knowledge and allow an attacker to have access and control of the compromised computer from a remote location.
This blog will aim to give a general overview of creepware; describing what these threats are and what can, and is, done with them and what the implications are or both the victims and the users of creepware. The blog will also look at the economy of creepware, examining the underground market dealing in everything from the sale of software to the sale and trade of victims. Finally, we will look at how creepware is spread and how to protect against it.
Before we get into the details, here’s a video that will tell you what you need to know about the growing problem of creepware:
Figure 1. Click this image to view Symantec's creepware video
What exactly is creepware?
The acronym RAT is one that is often used when talking about a piece of software that allows someone to control a computer from a remote location. RAT can be an abbreviation for any of the following:
Remote Access/Administration Tool
Remote Access/Administration Trojan
The one difference between remote access tools and remote access Trojans is that the latter is installed surreptitiously and used for malicious purposes. There are many remote access tools, which are used for legitimate reasons such as technical support or connecting to a home or work computer while travelling etc. Unfortunately the same useful features found in remote access tools can be used for malicious activity and a great deal of malware has been designed with this in mind; these programs are called remote access Trojans. Once these Trojans are installed on a victim’s computer they can allow an attacker to gain almost complete control of it. Presence of the Trojan is indiscernible and an attacker can do almost anything that someone physically sitting at the computer can do, including recording footage using the webcam. Recent high-profile cases of this unsavory and creepy behavior have prompted the name creepware to be used when describing remote access Trojans.
Creepware uses a client-server model but switches the usual dynamic we think of when discussing client-server system setups. Creepware flips this process and makes the victim’s computer the server and the attacker’s computer becomes the client. Once the victim’s computer is compromised with creepware an attacker can send requests to it to retrieve files and perform a whole host of other nasty actions.
What’s the big deal?
While there was a time when the use of creepware was relatively rare it is now unfortunately becoming more common. Users of creepware can range from those who make money from extortion and fraud to those using the software for what they see as harmless fun or pranking, otherwise known as trolling. While these two activities may seem to some as very different, they both involve unauthorized access to computers, which is not only morally wrong but is also a serious crime.
Worryingly, morals do not seem to be high up on the list of characteristics when it comes to creepware users, a fact that is blatantly obvious when perusing the many online forums with sections dedicated to creepware.
Figure 2. Doing it for the lulz
Figure 3. Blackmailing victims
While many users on these forums seem to have no moral compass whatsoever, others have an extremely skewed view of what is right and wrong. In one thread a user justifies RATing (using creepware) people by saying it’s their own fault for downloading and installing programs from untrusted sources.
Figure 4. Blaming the victims
Another forum user thinks that if all you do is watch your victims, without them knowing, then it’s fine.
Figure 5. Justifying invasion of privacy
Trawling through the countless posts on creepware/remote access Trojans there seems to be a never-ending supply of users looking for help to set up their software and begin RATing. While there are a few who feel (mildly) guilty about doing what they do, the overwhelming majority see no harm in invading their victims’ privacy and in some cases making money from RATing. In a thread named “Morals of messing with people” one user asks fellow hackers their opinion on whether what they do is right.
Figure 6. Moral dilemma
The replies speak for themselves.
Figure 7. Moral bull****
Unfortunately, creepware users may not see, or care about, the damage that can be caused by creepware. There are plenty of cases where innocent people have fallen prey to creepware and have been left traumatized or worse by their attackers. One way in which creepware users monetize their activities is sextortion. Sextortion is a form of exploitation that employs non-physical forms of coercion to extort sexual favors from the victim.
In August 2013, Miss Teen USA, 19-year-old Cassidy Wolf became a victim of creepware. Miss Wolf was hacked by a fellow high-school student who used creepware to take pictures of her undressing in her bedroom. The hacker then attempted to blackmail his victim by threatening to publish the pictures online if she didn’t take more explicit photos but Miss Wolf went to the police. The hacker was eventually caught and pleaded guilty to hacking at least two dozen women in a number of countries.
Another well-publicized case involved an attacker using creepware to display a warning message box on his victims’ computers telling them that their webcam’s internal sensor needed to be cleaned. To do this, they were told to place the computer close to steam. Several of the women were subsequently recorded taking a shower when they had brought the computer into the bathroom.
Sadly, these cases are only the tip of the iceberg when it comes to creepware and the impact it can have on victims. Because many victims do not report this type of crime perpetrators often escape justice. Attackers can threaten to post stolen or recorded content online, and if this threat is carried out the victim’s reputation can be permanently damaged. The effects of this type of harassment and cyberbullying in general are long lasting and can even lead to suicide. Creepware, it would seem, is a cyberbully’s ideal tool.
Creepware and RATs are a global problem; they are used throughout the world, usually for all the wrong reasons.
Figure 8. Top five countries for RAT activity in past six months
What can creepware do?
So what exactly can creepware do? There are an abundance of creepware programs on the market, such as Blackshades (W32.Shadesrat), DarkComet (Backdoor.Breut), Poison Ivy (Backdoor.Darkmoon), and jRAT (Backdoor.Jeetrat) to name but a few, many of these programs share the same core set of functionality. We’ll take a closer look at one in particular, the Pandora RAT detected by Symantec as Trojan.Pandorat.
Pandora RAT allows an attacker to gain access to the following items on a compromised computer:
Files
Processes
Services
Clipboard
Active network connections
Registry
Printers
If all that isn’t enough, Pandora can also allow an attacker to:
Remotely control the compromised desktop
Take screenshots
Record webcam footage
Record audio
Log keystrokes
Steal passwords
Download files
Open Web pages
Display onscreen messages
Play audio messages using the text-to-speech function
Restart the compromised computer
Hide the taskbar
Hide desktop icons
Cause system failure/blue screen of death
Ease of use and a slick graphical user interface (GUI) are very important factors in today’s design-focused world, and creepware is no exception. Pandora, as is common with other RATs, sports an easy-to-use GUI that can be mastered almost instantly by experts and novices alike. If the use of creepware was once reserved for hardened blackhat hackers it is now most definitely accessible to everyone from script kiddies to total noobs.
Figure 9. User friendly human computer interface of Pandora RAT
Creepware has many different uses including:
Voyeurism
Attackers use the victim’s webcam and/or microphone to secretly record them.
Information/file stealing
Information such as banking details or passwords and files such as pictures and videos can be copied or deleted.
Blackmail/sextortion
Pictures or videos stolen from the computer, or recorded using the webcam, are used to force the victim into posing for explicit pictures or videos, performing sexual acts, or coercing money from the victim.
Trolling
The attackers use creepware to cause the computer to behave strangely by opening pornographic or shocking websites, displaying abusive messages, or in some cases causing system damage all for their amusement.
Using computer for DDoS attacks, etc.
Compromised computers can be used to carry out distributed denial of service (DDoS) attacks, bitcoin mining, or other functions where it may be beneficial for the attacker to use victims’ resources.
Creepware economy
Creepware is big business in the underground economy with a thriving market revolving around the sale of the software. The creepware itself can be purchased from the developers’ own websites or from people advertising on hacking forums. Advertisements for the sale of FUD crypters, JDB generators, and slaves among other things can be found in said forums. If you find this terminology a little bewildering, here are some useful definitions:
FUD– Fully undetectable (by security vendors)
Crypter– A tool used to rearrange files in a way that the actual bytes are scrambled, making it difficult to detect
JDB– Java drive-by – This involves a Java applet being placed onto a website, when the user visits the site a pop-up will appear asking for user permission. Once permission is given, the creepware is downloaded.
Slave – A computer that has been infected with creepware
If all that sounds a little too much like hard work, anyone interested in getting their own creepware setup can pay any number of willing “experts” to do all the leg work for them. Prices vary for different services. Creepware/RATs can be found for free but the ones that are for sale can cost anything up to $250. Add-on services, such as FUD crypting and setup cost between $20 and $50. As with most things these days, free advice and instructions can easily be found online with plenty of users eager to pass on their knowledge about the best tools, tricks, and methods concerning creepware.
What can users do to protect themselves?
The following methods may be used to infect computers with creepware:
Drive-by downloads– By visiting a website, the user unknowingly downloads the creepware onto their computer
Malicious links– Malicious links, leading to websites hosting drive-by downloads, are distributed using social media, chat rooms, message boards, spam email etc. The attacker may also hack user accounts to make it seem like the link is being sent by a friend. Others may try to lure victims by posting enticing messages.
Exploit kits– Potential victims may visit compromised websites or click on malicious links and are then redirected to the exploit kit’s server where a script runs that will determine what exploits can be leveraged. If an exploit is viable, the victim is infected with the creepware and the attacker is notified.
Peer-to-peer file-sharing/torrents– The creepware server installer is packaged with a file, usually a popular program or game crack, and shared on a file sharing site. Once the file is executed, the creepware server module is installed.
To stay protected against creepware, Symantec recommends users to:
Keep antivirus definitions, operating systems, and software up-to-date.
Avoid opening emails from unknown senders and clicking on suspicious email attachments.
Exercise caution when clicking on enticing links sent through email, instant messages, or posted on social networks.
Only download files from trusted and legitimate sources.
Be suspicious of unexpected webcam activity. When you’re not using the webcam, keep the shutter closed, if your webcam doesn’t have a shutter, use a piece of tape to cover it when not in use.
In today’s world, computers play an important role in our lives and the idea that such a ubiquitous tool could be used by an attacker to invade our privacy is a scary thought. While creepware is capable of causing a great deal of damage, taking appropriate defensive steps can keep you protected. By having good up-to-date security software and following some basic best practices we can all keep the creeps out of our computers.
By Pat Padilla and Gary Phillips, Co-Champions of SymPride.
The Human Rights Campaign (HRC) announced yesterday that Symantec achieved a perfect score of 100 in its Corporate Equality Index (CEI) for the sixth consecutive year. HRC also recognized Symantec for being one of the “Best Places to Work for LGBT Equality.” The coveted distinction acknowledges Symantec’s leadership and commitment to equality, and represents the many efforts dedicated to assuring Symantec is a great place to work.
HRC is the nation’s largest civil rights organization working for the equality of lesbian, gay, bisexual and transgender (LGBT) people. It uses the CEI as a means to rate large U.S. companies on how they treat their LGBT employees, consumers, and investors. The CEI requires companies who score 100 percent to have fully inclusive equal employment opportunity policies, provide equal employment benefits to all employees and to demonstrate their commitment to equality publicly. This year HRC awarded over 300 companies perfect scores, an increase over last year.
Symantec’s perfect score, along with the “Best Places to Work for LGBT Equality” distinction, is a reflection of our goal to create a work environment where all employees are valued and respected for their individual differences and unique perspectives. Diversity at Symantec encompasses respect, open-mindedness and a commitment to professional and personal growth in a safe work environment for all. Symantec encourages its employees to contribute to and participate in an open, flexible and supportive environment that helps bring the best ideas to light. By embracing diversity, we make the most of our human resources, talent and abilities – and that is what makes Symantec a great place to work.
SymPride, an initiative we are both particularly passionate about, is Symantec's LGBTA Employee Resource Group (ERG). SymPride engages in activities designed to promote equality, cultural sensitivity, and social networking for Symantec employees. The group strives to help make Symantec a great place to work by fostering LGBTA awareness and learning, improving our cultural competence, and engaging employees. What started in 2007, initially through an informal LGBTA group formed at Symantec, has transformed into a dynamic team that has helped in influencing Symantec’s place on the CEI for the past six years.
SymPride's charter is to:
Support workplace improvement, community outreach programs, and D&I programs for LGBTA employees at Symantec
Create a safe and open working environment at Symantec for all LGBTA employees
Encourage LGBTA career development through leadership, mentoring, and networking opportunities
Lead Symantec outreach to non-profit organizations supporting the LGBTA community
SymPride is just one of Symantec’s Diversity & Inclusion ERGs. Others include Symantec’s Women’s Action Network (SWAN) (with 17 chapters worldwide), Symantec’s Black Employee Network (SBEN), our Hispanic Outreach and Leadership Affinity group (HOLA), and Leading and Empowering Asian Development (SymLEAD). ERGs are grassroots networks of employees who share a common culture or common characteristics and have a desire to connect. At Symantec, ERGs help to build cultural awareness and understanding while celebrating differences. They’ve also been an invaluable tool in helping us connect with employees on key cultural and diversity issues and ensuring all employees feel their voices are heard.
Few areas of IT seem to be gaining as much attention at the moment as cloud orchestration, as represented by OpenStack and CloudStack, VMWare and the like. The debates in the blogosphere and on social media could suggest nothing short of all-out war as different vendors and groups back one approach or another.
To understand what's going on, it is best to start with the elephant in the room - Amazon, whose Elastic Compute Cloud(EC2) service (now part of its AWS portfolio) scared the socks off other vendors when it came to market - not least because it offered a fundamentally different approach to computing, compared to traditional, in-house systems.
The Amazon model is based on the enormous power of virtualisation, which enables processing workloads to be allocated to computer hardware far more dynamically than was possible in the past. This is what gives EC2 its 'elasticity' in that processing cycles can be scaled up or down according to demand. To fully take advantage of the notion requires more distributed approaches to software design, so that some processing can take place in parallel.
Ever since EC2 was launched, more traditional hardware and software vendors have been working hard to bring similar capabilities to market. Amazon's weakness is that it is entirely hosted - workloads have to be built and run "in the public cloud", that is on Amazon's servers. Equally, it can get expensive, particularly (it is said) for data transfers.
For a number of reasons, not least because it is a good idea, vendors have been looking to deliver similar capabilities to run in their clients' own data centres (as a "private cloud") or in hosted data centres - the term "hosted private cloud" refers to the fact that it is possible to combine both. A front runner is VMWare, which is understandable given its market dominance in the virtualisation space: VMWare's cloud orchestration technology is called VSphere.
A number of other initiatives have been kicked off by consortia of vendors and other groups. One is OpenStack, formed between hosting provider RackSpace and NASA in 2010, with an aim to use open source technologies to provide all the capabilities needed in a highly dynamic, virtualised IT environment. Another is CloudStack, based on a product acquired by Citrix which has now been open sourced; smaller, similar efforts include Eucalyptus.
The front runner is probably OpenStack, which is now backed by some 250 vendors including IBM, HP and Dell. I say 'probably' because this is the nub of the issue - with so much choice, each of which has its own strengths and weaknesses, it has become difficult for enterprises to decide which approach might best meet their needs. The comparison cannot be like for like - for example, CloudStack is reputed to be less fragmented, as well as easier to install and manage than OpenStack.
The market is continuing to evolve rapidly - just this week for example, Amazon announced a GPU-based EC2 instance to enable more graphics or computation-centric processing such as VDI or gaming (and which can no doubt be turned to big data analytics and the like).
On the upside, conversations are turning increasingly to the notion of interoperability. For example, Eucalyptus boasts close API alignment with Amazon EC2 enabling the two to work together. As enterprise adoption increases, it seems inevitable that organisations will clamour for different cloud orchestration models to work together, as their own needs evolve and mature alongside market evolution.
The market in 2-3 years time will likely look quite different to now, though the same players might still be fighting it out. For any organisation looking to make a foray into the world of private cloud computing, therefore, the key is to fully understand the requirements to be met and to conduct appropriate due diligence to ensure that current and immediate future needs will be met. It may also be best to stick to core features of any platform, apart from where a clear business return can be achieved by pushing the envelope.
The highly dynamic compute models made possible by virtualisation can enable organisations to achieve great results. Better to focus on these first, than try to come up with a one-size-fits-all strategy in what is still a rapidly evolving market.
Symantec provides storage management software for a number of cloud platforms, including Amazon Web Services (AWS) and OpenStack. You can read more here: http://www.symantec.com/cloud-storage-backupand please share your thoughts below.
Hello, welcome to this month's blog on the Microsoft patch release. This month the vendor is releasing eleven bulletins covering a total of 24 vulnerabilities. Ten of this month's issues are rated ’Critical’.
As always, customers are advised to follow these security best practices:
Install vendor patches as soon as they are available.
Run all software with the least privileges required while still maintaining functionality.
Avoid handling files from unknown or questionable sources.
Never visit sites of unknown or questionable integrity.
Block external access at the network perimeter to all key systems unless specific access is required.
An elevation of privilege vulnerability exists in Microsoft Local Procedure Call (LPC) where an attacker uses a specially crafted LPC port message to cause a stack-based buffer overflow condition on either the LPC client or server.
MS13-097 Cumulative Security Update for Internet Explorer (2898785)
An elevation of privilege vulnerability exists within Internet Explorer, which bypasses Internet Explorer Enhanced Protected Mode restrictions during the validation of a local file installation and during the secure creation of registry keys.
An elevation of privilege vulnerability exists within Internet Explorer, which bypasses Internet Explorer Enhanced Protected Mode restrictions during the validation of a local file installation and during the secure creation of registry keys.
A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
MS13-100 Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution (2904244)
Remote code execution vulnerabilities exist in Microsoft SharePoint Server. An authenticated attacker who successfully exploited these vulnerabilities could run arbitrary code in the security context of the W3WP service account.
MS13-104 Vulnerability in a Microsoft Office Could Allow Information Disclosure (2909976)
An information disclosure vulnerability exists when the affected Microsoft Office software does not properly handle a specially crafted response while attempting to open an Office file hosted on the malicious website. An attacker who successfully exploited this vulnerability could ascertain access tokens used to authenticate the current user on a targeted SharePoint or other Microsoft Office server site.
MS13-096 Vulnerability in Microsoft Graphics Component Could Allow Remote Code Execution (2908005)
A remote code execution vulnerability exists in the way that the affected Windows components and other affected software handle specially crafted TIFF files. The vulnerability could allow a remote code execution if a user views TIFF files in shared content.
MS13-101 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2880430)
An elevation of privilege vulnerability exists in the Microsoft Windows kernel. This vulnerability is caused when the Windows kernel improperly handles objects in memory.
A denial of service vulnerability exists in the Microsoft Windows kernel. This vulnerability is caused when the Windows kernel improperly processes a specially crafted TrueType font file.
A remote code execution vulnerability in the Microsoft Scripting Runtime Object Library that occurs due to a memory-corruption error when handling an object in memory.
MS13-106 Vulnerability in a Microsoft Office Shared Component Could Allow Security Feature Bypass (2905238)
An elevation of privilege vulnerability exists in ASP.NET SignalR that could allow an attacker access to resources in the context of the targeted user.
MS13-098 Vulnerability in Windows Could Allow Remote Code Execution (2893294)
A remote code execution vulnerability exists in the way that the WinVerifyTrust function handles the Windows Authenticode signature verification for portable executable (PE) files.
MS13-105 Vulnerabilities in Microsoft Exchange Server Could Allow Remote Code Execution (2915705)
An elevation of privilege vulnerability exists in Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the Outlook Web Access (OWA) service account.
An elevation of privilege vulnerability exists in Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the Outlook Web Access (OWA) service account.
Remote code execution vulnerabilities exist in Exchange Server 2007, Exchange Server 2010, and Exchange Server 2013 through the WebReady Document Viewing feature. The vulnerabilities could allow a remote code execution as the LocalService account if a user views a specially crafted file through Outlook Web Access in a browser.
Remote code execution vulnerabilities exist in Exchange Server 2007, Exchange Server 2010, and Exchange Server 2013 through the WebReady Document Viewing feature. The vulnerabilities could allow a remote code execution as the LocalService account if a user views a specially crafted file through Outlook Web Access in a browser.
More information on the vulnerabilities being addressed this month is available at Symantec's free SecurityFocus portal and to our customers through the DeepSight Threat Management System.
A not-so-simple program I wrote in perl that helps to generate policy information and historical run information together in one single-command output, so you can provide detailed information to the customer about their backups.
悪質な Web サイト上にホストされている Office ファイルを開こうとしているとき、影響を受ける Microsoft Office ソフトウェアが特別に細工された応答を適切に処理できない場合に、情報漏えいの脆弱性が存在します。攻撃者がこの脆弱性の悪用に成功すると、標的となる SharePoint または他の Microsoft Office サーバーサイトで現在のユーザーの認証に使うアクセストークンを確認できる場合があります。
MS13-096 Microsoft Graphics コンポーネントの脆弱性により、リモートでコードが実行される(2908005)
Exchange Server 2007、Exchange Server 2010、Exchange Server 2013 に、WebReady ドキュメント表示機能によるリモートコード実行の脆弱性が存在します。この脆弱性により、特別に細工されたファイルをユーザーが Outlook Web Access を使ってブラウザで参照した場合に、LocalService アカウントとしてリモートでコードが実行される可能性があります。
Exchange Server 2007、Exchange Server 2010、Exchange Server 2013 に、WebReady ドキュメント表示機能によるリモートコード実行の脆弱性が存在します。この脆弱性により、特別に細工されたファイルをユーザーが Outlook Web Access を使ってブラウザで参照した場合に、LocalService アカウントとしてリモートでコードが実行される可能性があります。
今月対処されている脆弱性についての詳しい情報は、シマンテックが無償で公開している SecurityFocusポータルでご覧いただくことができ、製品をご利用のお客様は DeepSight Threat Management System を通じても情報を入手できます。
In this article I'd like to give you a tip or two about why items sometimes just simply remaining in an 'archive pending' state. I'm sure you've all seen this from time to time in your environment, or one at a customers, and, you've probably been asked why they are stuck in a pending state. Now, you'll get some answers to help you out when the question arises again.
Backups Not Yet Run
I work extensively in lab environments, and so my safety copy settings on the Vault Stores I work with are invariably set to 'Immediately'. In the real world though, you're much more likely to see:
... the status is set to 'After Backup'.
This means that when an item is manually archived, or archived by the scheduled running of the archiving task, or by manually running the archiving task, the item will not turn into a full shortcut, it will go to a pending state.
Once a good backup has been done of the Vault Store, then the Storage Services will 'flip' all those items from pending to full shortcuts.
Client-Server a bit broken
From time to time the above process is sometimes 'broken' when it comes to an end-user manually archiving an item. Sometimes the client to server communication is broken, and the item goes to a pending state on the client, but never gets archived, and the resulting 'issue' is never pushed back down to the client. The net result is that the item sites in a pending state. Sometimes this can happen if an item goes to a pending state, and then an end-user moves the item to a subfolder.
Server side a bit broken
The general process described above of the backup completing and then storage going through and flipping all the pending shortcuts to full shortcuts also sometimes gets interrupted. When that happens those items can also sit in a pending state, though usually it's a LOT of items which are stuck like that, rather than just a few from end-users.
Most of the things that might get a bit broken, be it server side or client side, or a combination of the two can be fixed by something that is already built in to EV ....
Help on the way?
Enterprise Vault helps with all of this through a process called 'pending shortcut timeout'. It's configured on the archiving policy:
The setting can be configured to a number of days (or turned off completely if that is what you want to do). What happens is that when the archiving task runs in normal or report mode it will clean up the items which are marked as pending, and cancel them back to normal items - so that archiving can be tried again on them. This stops transient issues causing items to stick around in a pending state for a long time.