
Supporting Innovative Research in Academia – Symantec Research Labs Graduate Fellowship


By Darren Shou, Director of Symantec Research Labs

Did you know that Symantec supports and funds innovative research that occurs outside of a Symantec office in an academic setting? We’ve been doing this for the past six years via the Symantec Research Labs Graduate Fellowship. This Fellowship is awarded to graduate students who are conducting innovative research that has real-world value, in the areas of information security and storage systems. This week, Symantec announced the recipients of the 2013 Symantec Research Labs Graduate Fellowship – Kai Ren, a Ph.D. candidate in computer science at Carnegie Mellon University, and Christian Rossow, a postdoctoral researcher at Vrije Universiteit Amsterdam in The Netherlands and Ruhr University Bochum in Germany.

The 2013 Symantec Research Labs Graduate Fellowship Recipients
Kai Ren, a Ph.D. candidate in computer science at Carnegie Mellon University, is working on improving metadata management in file systems. His work can be 1.5 to 10 times faster than a traditional file system for metadata-intensive workloads, significantly decreasing the time it takes to access large collections of small files. Ren also developed tools to monitor and better understand the performance and behaviors of distributed systems, which will help us design better systems. Hailing from Changsha, Hunan Province, China, Ren finished his undergraduate degree at Tsinghua University in July 2009.

Christian Rossow is a postdoctoral researcher at two leading European system security research groups: Vrije Universiteit Amsterdam in The Netherlands, and Ruhr University Bochum in Germany. Rossow’s field of expertise is system security, focusing on malware analysis and detection, peer-to-peer botnet monitoring, binary analysis and the effectiveness of anti-spam methods. His work has been published in highly regarded security conferences such as the Institute of Electrical and Electronics Engineers Symposium on Security and Privacy, the Association for Computing Machinery Conference on Computer and Communications Security and the Massachusetts Institute of Technology Spam Conference. Rossow received his Ph.D. from Vrije Universiteit Amsterdam in April 2013 and lives in Borken, Nordrhein-Westfalen, Germany.

Supporting Graduate Research
This year’s fellowship recipients will receive the following:

  • Up to $20,000 to cover one year of tuition and to reimburse expenses incurred by the student to engage in research collaboration with Symantec.
  • A separate salaried internship, offering recipients direct on-site collaboration with leading experts from Symantec Research Labs. Mentors from Symantec are paired with award recipients, and every mentor is a top researcher or engineer who can provide ongoing technical guidance on the recipient’s research – both during their graduate training, as well as throughout their internship at Symantec.
  • A laptop preloaded with Symantec software.

Past Fellows – Where Are They Now?
Past fellowship winners have gone on to lead distinguished careers at prestigious universities, innovative start-ups and companies such as Symantec. Professor David Brumley, the first recipient of the fellowship in 2007, was hired as faculty at Carnegie Mellon University and has since received several accolades, including the Presidential Early Career Award for Scientists and Engineers, the highest honor bestowed by the U.S. government on young scientists and engineers. Many of the fellowship winners have contributed to the development of Symantec’s top technologies, including recent fellow Dr. Polo Chau, now faculty at Georgia Tech, who collaborated in the advancement of Symantec Insight, a reputation-based security technology that tracks and analyzes files from millions of systems to identify new threats as they are created. Dr. Leylya Yumer, a fellowship recipient from 2011, has continued her work in Symantec Research Labs, powering Symantec’s IP and URL Insight program, which detects botnets and malicious websites to keep our customers safe online.

The 2014 Symantec Research Labs Graduate Fellowship submission process is now open. For more information please visit http://www.symantec.com/about/careers/college/fellowship.jsp.

 

 


Please Leave Your Hat On



Recently, we wrote about creepware and how people use it to spy on unsuspecting victims through webcams. As the name implies, this is really creepy. Unfortunately, there are other similar threats on the Internet. Another scam that has become very popular this year is webcam blackmailing. In these cases, the scammers don’t hide the fact that they are using the webcam.

The scam starts with a simple contact request on a social network or dating site. In general, the profile sending the request appears to be the scammer (posing as a woman), and the request is sent to single men. After a bit of small talk, the scammer explains why she fell in love with the man’s profile picture and then changes the topic to one of a more sexual nature. The scammer asks the man to video chat with her, starts stripping, and encourages the man to do the same. If the man joins in, the compromising video is recorded by the scammer until enough incriminating material has been gathered. Once enough video has been recorded, the scammer changes the topic again and indicates that the video will be publicly uploaded and shared with his friends on social networks if he does not pay.

Multiple variations of this scam exist. For example, some scammers ask for photos instead of videos, some use a previously recorded video of a woman stripping to entice the victim, and others ask for money for a better Internet connection or webcam. The scammer promises better video quality if money is sent, pockets the money right away, and never buys better equipment. To make it even worse, scammers will claim that the victim was chatting with a child, attaching the stigma of pedophilia to the victim. Any personal information that was shared is published along with the video. In some cases, a link to a compromised website is sent in order to infect the victim’s computer with a Trojan. The principle behind the scam is always the same. In any case, users should stay vigilant when using social networks or dating sites.

  • Be wary of messages from unknown people who want to befriend you, especially if the topic of sexual video chatting is brought up quickly.
  • Think twice before performing compromising acts in front of a camera. Limit the personal details that you share with strangers.
  • Don’t fall for prepaid scams. Don’t send money for arbitrary reasons.
  • If someone attempts to extort money from you, don’t pay, and call the police. Don’t be embarrassed. If a compromising video of you has been uploaded, contact the service provider and try to have the content removed.

ITMS 7.5 Hotfix 2 Released!


ITMS 7.5 Hotfix 2 is now available!

Nuts and bolts in NetBackup for VMware: What is new in NetBackup 7.6?


This blog highlights the new features in NetBackup for VMware to accelerate your journey to Software Defined Data Centers.

Hotfix 2 for the SMP 7.5 released today!


A new Symantec .pl.xml file was released to Solution Sam, and it contains Hotfix 2 for the Symantec Management Platform 7.5.

Here are the file details:

File name = Symantec_v2.pl.xml
MD5 hash ='1ab2fa5f2eb387a3b0de3e01c732340c'
Modified date = 2013-12-13 03:45

And here are the added files in the Solution tree:

  • solutions/7_5/sim/7_5_126/symantecinstallationmanagersetup.exe
  • solutions/7_5_hf2/ds/symantec_deploymentsolution_7_5_hf2_x64.msi
  • solutions/7_5_hf2/smp/altiris_directoryservices_hotfix_x64.msi
  • solutions/7_5_hf2/smp/altiris_ns_hotfix_x64.msi
  • solutions/7_5_hf2/smp/altiris_unixagent_7_5_hf2_x64.msi
  • solutions/7_5_hf2/smp/symantec_softwaremanagementframework_75_hf2_x64.msi
 

Vertical Password Guessing Attacks Part I


In our last blog series we explored horizontal password guessing attacks. Check out Horizontal Password Guessing Attacks Part I and Part II in case you missed them. This time we'll test our web application with vertical password guessing attacks. Whereas horizontal password guessing attacks entail trying only a few common passwords against a long list of usernames, vertical password guessing attacks entail trying a long list of passwords against a single username. But where do you get a long list of passwords? Wordlists are readily available on the internet. For example, CrackStation offers a ridiculous 15 GB wordlist containing 1,493,677,782 words. CrackStation also offers a more practical 684 MB wordlist containing approximately 64 million common passwords. However, before getting our hands dirty let's consider several important factors:

  • Does the web application allow valid account determination? For example, does login functionality return distinguishable error messages such as "Invalid Username" or "Invalid Password"? If login functionality does not allow valid account determination, "Create Account" or "Forgot Password" functionality might. If the application does not allow valid account determination, you'll need to somehow identify a target username or resort to username guessing. Refer to Horizontal Password Guessing Attacks Part II for more information regarding username guessing.
  • Does the web application enforce account lockout? If so, vertical password guessing attacks must be sufficiently throttled in order to avoid account lockout. Depending on the application password policy and account lockout settings, vertical password guessing attacks might be largely ineffective.
  • Does the web application implement CAPTCHA? If so, automating password guessing attacks might not be possible. However, you should verify that the CAPTCHA implementation works properly, and does not fail open or otherwise allow attackers to bypass manual verification.
  • Does the application enforce a password policy including password length and complexity requirements? If so, the wordlist should be optimized for the application. However, it is important to verify that the web application actually enforces the advertised password policy. If the password policy is not enforced by the application, some users will likely not comply with the policy. In addition, if the password policy is only enforced by the browser, users with JavaScript disabled might unknowingly not comply with the policy. Furthermore, it is important to verify that the application did not enforce a more lenient password policy in the past. If so, and passwords are not required to be changed on a periodic basis, users who last changed their passwords before the updated password policy took effect might not comply with the policy.

Let's take our discussion of wordlist optimization to the next level. As previously stated, the wordlist should be optimized according to the password policy enforced by the application. Let's brainstorm regular expressions that can be used to prune our wordlist accordingly:

  • .{N,} – At least N characters in length.
  • .{N,M} – Between N and M characters in length.
  • [[:alpha:]] – Contains a letter.
  • [[:lower:]] – Contains a lowercase letter.
  • [[:upper:]] – Contains an uppercase letter.
  • [[:digit:]] – Contains a number.
  • [[:punct:]] – Contains a special character.

For example, consider this simple wordlist that contains a dozen words:

$ cat wordlist
Foo
foobar
FooBar
FOOBAR
foobar12
FooBar34
FOOBAR56
foobar7!
FooBar8@
FOOBAR9$
12345678
Supercalifragilisticexpialidocious9%

That's right, somewhere right now Mary Poppins is guessing passwords! Mary Poppins is totally 31337! In any case, if the web application enforces a password length requirement of six characters, the following command will optimize the wordlist accordingly:

$ grep -E ".{6,}" wordlist
foobar
FooBar
FOOBAR
foobar12
FooBar34
FOOBAR56
foobar7!
FooBar8@
FOOBAR9$
12345678
Supercalifragilisticexpialidocious9%

If the web application also enforces password complexity requirements that passwords must contain at least one letter and one number, the following command will optimize the wordlist accordingly:

$ grep -E ".{6,}" wordlist | grep -E "[[:alpha:]]" | grep -E "[[:digit:]]"
foobar12
FooBar34
FOOBAR56
foobar7!
FooBar8@
FOOBAR9$
Supercalifragilisticexpialidocious9%

Notice that the applicable grep commands are chained together. While it is certainly possible to construct a monster regular expression in order to get the job done with a single grep command, that would introduce needless complexity. Keep it simple. Finally, consider a web application with a strong password policy that enforces a password length requirement of six characters and password complexity requirements that passwords must contain at least one lowercase letter, uppercase letter, number, and special character:

$ grep -E ".{8,}" wordlist | grep -E "[[:upper:]]" | grep -E "[[:lower:]]" |
  grep -E "[[:digit:]]" | grep -E "[[:punct:]]"
FooBar8@
Supercalifragilisticexpialidocious9%

Just chain together the magic combination of grep commands that matches the password policy, redirect the output to a new file, and say "Abracadabra" in a dramatic voice. Poof! Your wordlist has been optimized! Piece of cake, eh? In the next installment we'll leverage our customized wordlist in order to launch a vertical password guessing attack.
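As an added example (not code from the original post), here is the chained grep approach wrapped in a reusable shell function, so the policy is passed as arguments instead of retyping the pipeline for every application. The function names filter_wordlist and policy_survivors and the SAMPLE_WORDLIST variable are my own; the sample wordlist itself is the dozen words shown above, and the last call reproduces the final command in the post, which uses a minimum length of 8. Run against a real common-password list, policy_survivors is also a defender's check: the count it prints is the number of guessable passwords the policy still admits.

```shell
#!/bin/sh
# Added example, not code from the original post. Wraps the chained grep
# pipeline in a function whose policy is passed as arguments.
# The names filter_wordlist, policy_survivors and SAMPLE_WORDLIST are my own.

# Constructed sample input: the same dozen entries used in the post.
SAMPLE_WORDLIST='Foo
foobar
FooBar
FOOBAR
foobar12
FooBar34
FOOBAR56
foobar7!
FooBar8@
FOOBAR9$
12345678
Supercalifragilisticexpialidocious9%'

# filter_wordlist MINLEN [CLASS...]
# Reads candidate passwords on stdin and prints those that are at least MINLEN
# characters long and contain at least one character from every CLASS given.
# CLASS is a POSIX bracket-class name: alpha, lower, upper, digit, punct, alnum.
filter_wordlist() {
    minlen="$1"
    shift
    case "$minlen" in
        ''|*[!0-9]*) echo "filter_wordlist: MINLEN must be a number" >&2; return 2 ;;
    esac
    for cls in "$@"; do
        # Reject unknown class names instead of silently matching nothing.
        case "$cls" in
            alpha|lower|upper|digit|punct|alnum) ;;
            *) echo "filter_wordlist: unknown character class '$cls'" >&2; return 2 ;;
        esac
    done
    # Length check first: it removes the most candidates, so later greps do less work.
    out=$(grep -E ".{${minlen},}")
    for cls in "$@"; do
        [ -n "$out" ] || break
        out=$(printf '%s\n' "$out" | grep -E "[[:${cls}:]]")
    done
    [ -n "$out" ] && printf '%s\n' "$out"
    return 0
}

# policy_survivors MINLEN [CLASS...]
# Prints how many SAMPLE_WORDLIST entries satisfy the policy. Run against a real
# common-password list, this number is how many guessable passwords the policy
# still admits, which is the defender's view of the same pipeline.
policy_survivors() {
    printf '%s\n' "$SAMPLE_WORDLIST" | filter_wordlist "$@" | grep -c . || true
}

# Demonstration: the three policies from the post.
policy_survivors 6                          # 11
policy_survivors 6 alpha digit              # 7
policy_survivors 8 upper lower digit punct  # 2
```

To write the pruned list to a file, redirect filter_wordlist's output, e.g. `filter_wordlist 8 upper lower digit punct < wordlist > wordlist.pruned`. The class names are validated up front because a misspelled class such as `[[:digt:]]` makes grep report an error or match nothing, which would silently empty the wordlist.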

Michigan Endpoint Management User Group Meeting?


Does anyone know who does the scheduling for the Michigan Endpoint Management User Group meeting? I find these meetings valuable and want to assume responsibility for managing them and getting support for them. Please contact me about the details for being a part of setting the meetings up.

 

-Ray

Symantec releases version 7.1.4 of the Clearwell eDiscovery Platform


This article highlights the audio discovery capabilities included in version 7.1.4 of the Clearwell eDiscovery Platform.


Stay Wary of Your Webcam



We recently wrote about creepware, which is used to spy on unsuspecting victims through their webcams. As the name suggests, it is truly unpleasant. Unfortunately, similar threats exist elsewhere on the Internet. Another scam that has spread widely this year is webcam blackmail. In this case, the scammers make no attempt to hide the fact that they are using the webcam.

The scam starts with a friend request on a social network or dating site. The request typically comes from a profile that is plainly the scammer's (posing as a woman) and is sent to single men. After some conversation, the scammer explains why she came to like the man's profile, and the conversation gradually moves to more sexual topics. The scammer asks for a video chat, begins to undress, and invites the man to do the same. If he goes along with it, the scammer begins recording a compromising video until enough incriminating footage has been captured. Once the video has been recorded, the scammer changes the subject again and threatens to upload it and share it with the victim's friends if he refuses to pay.

Several variations of this scam exist. For example, some ask for photos instead of video, and some use a pre-recorded stripping video to lure the victim. Another variant asks for money to improve the Internet connection or webcam, promising better video quality if the money is sent; once the money has been sent, the promise is never kept. In worse cases, the scammer claims the victim was chatting with a child, attaching the stigma of pedophilia to the victim. Any personal information that was shared is published together with the video. In some cases, a link to an infected website is sent in order to plant a Trojan on the victim's computer. The principle behind the scam is always the same, and in any case caution is needed when using social networks or dating sites.

  • Be careful when a friend request arrives from someone you do not know. Be especially wary if the conversation suddenly turns to sexual video chat.
  • Think carefully before doing anything compromising in front of a camera. Limit the personal information you share with strangers.
  • Don't fall for prepaid scams. Never send money for arbitrary reasons.
  • If someone tries to extort money from you, don't pay; contact the police instead. Don't let embarrassment stop you. If a compromising video of you has been uploaded, contact the service provider and ask for it to be removed.

 

* To subscribe to the RSS feed of the Japanese-language Security Response blog, visit http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja.

Browser-Locking Ransomware Follows Large-Scale Malvertising Attacks


The Browlock ransomware (Trojan.Ransomlock.AG) is probably the simplest variant among the ransomware in circulation today. It does not download a separate exploit component like Ransomlock.AE, nor does it encrypt files on the computer like Trojan.Cryptolocker. It does not even run as a program on the compromised computer. This ransomware is nothing more than a plain old web page, rigged with JavaScript that prevents the browser tab from being closed. It determines the country or region the user lives in and then carries out the classic extortion: telling the user they have visited an illegal adult site and demanding that they pay a fine to the local law enforcement agency.

Figure 1. The Browlock ransomware demanding a fine for visiting an illegal adult site

What is surprising is the number of users redirected to the Browlock website. In November, Symantec blocked more than 650,000 connections to the Browlock website, and the same trend has continued in December: more than 220,000 connections were blocked in just the first 11 days of the month. Since tracking began in September, roughly 1.8 million connections have been blocked in total.

For those familiar with exploit kits and traffic redirection systems, these figures may not seem especially large, but they cover only users of Symantec products. The 650,000 connections detected in November are only a fraction, and the real number could be much larger.

Figure 2. Browlock ransomware activity in November and December 2013

The figures above are the total activity detected per day. Attacks occur intermittently, with November 3 and November 16 standing out in particular. On November 16, more than 130,000 computers were blocked from being redirected to the Browlock website.

Attack method

The attackers behind Browlock appear to be purchasing traffic that redirects a variety of visitors to the malicious website. What is being used here is malvertising (malicious advertising). Malvertising is becoming increasingly common as an approach that involves buying advertisements from legitimate networks. The advertisements point to what appear to be adult pages, which then redirect to the Browlock website.

There are several sources of traffic purchased by the Browlock attackers, but adult advertising networks are the main one. Several security researchers, including Malekal and Dynamoo, have been tracking this activity over the past few months.

In a recent example, the attackers created several kinds of accounts on an advertising network, deposited payment, and then began purchasing traffic that redirected users to a website whose name resembled that of an online chat forum. When users visit this page, they are redirected to the Browlock site. In fact, the attackers host these legitimate-looking domain names on the same infrastructure as the ransomware site itself.

Browlock infrastructure

When a victim is redirected to the Browlock website, a URL unique to the victim and to the law enforcement agency of the victim's country or region is generated. For example, a user accessing from the United States is directed to a URL such as the following.

fbi.gov.id693505003-4810598945.a5695.com

This URL has two distinctive elements: the value fbi.gov, and the actual domain, a5695.com. The value fbi.gov obviously represents the United States law enforcement agency. Symantec has identified values representing 29 different law enforcement agencies in approximately 25 regions. The following chart shows the proportion of connections for the top 10 law enforcement agencies identified. Traffic from the United States is the largest, followed by Germany and Europol (the European police organization). Europol is used for European countries for which no specific image template has been created.

Figure 3. Top 10 agencies targeted by Browlock

The next value of interest is the domain. Since tracking began, 196 domains have been confirmed. Every domain follows the same format: a single letter followed by four digits, ending in .com. The actual domains have been hosted on a number of different IP addresses over the past four months.

The most active autonomous system (AS) is AS48031 - PE Ivanov Vitaliy Sergeevich, which was used in every one of the past four months. The attackers have cycled through seven different IP addresses on this AS.
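As an added detection example (not part of Symantec's post), the following shell functions apply the URL structure described above to proxy logs: a host is flagged only when it carries a spoofed agency label, then an id<digits>-<digits> label, then a registered domain of one letter plus four digits under .com. The function names, the SAMPLE_PROXY_LOG variable, and every log line except the fbi.gov host quoted from the post are constructed for this demonstration.

```shell
#!/bin/sh
# Added detection example, not from Symantec's post. Flags proxy-log hosts that
# follow the Browlock URL structure described in the post:
#   <spoofed agency label>.id<digits>-<digits>.<one letter><four digits>.com
# The function names and SAMPLE_PROXY_LOG are my own.

# Constructed proxy log: "<timestamp> <client IP> <requested host>". The first
# host is the example from the post; the other hosts and all client IPs are
# made up for this demonstration.
SAMPLE_PROXY_LOG='2013-12-01T10:00:01Z 10.0.0.5 fbi.gov.id693505003-4810598945.a5695.com
2013-12-01T10:00:02Z 10.0.0.6 www.fbi.gov
2013-12-01T10:00:03Z 10.0.0.7 shop.example.com
2013-12-01T10:00:04Z 10.0.0.8 agency.example.id100000001-2000000002.b1234.com
2013-12-01T10:00:05Z 10.0.0.9 c9876.com'

# browlock_hits: reads log lines on stdin and prints
# "<client IP> <spoofed label> <registered domain>" for each host that matches
# the full three-part pattern. The spoofed label is kept so an analyst can see
# which agency template the victim was shown.
browlock_hits() {
    awk '{ print $2, $3 }' |
    sed -nE 's/^([^ ]+) (.+)\.id[0-9]+-[0-9]+\.([a-z][0-9]{4}\.com)$/\1 \2 \3/p'
}

# is_browlock_domain DOMAIN: succeeds if DOMAIN has the letter-plus-four-digits
# shape on its own. Legitimate domains can look like this too, so treat it as a
# secondary signal, not something to block on by itself.
is_browlock_domain() {
    printf '%s\n' "$1" | grep -Eq '^[a-z][0-9]{4}\.com$'
}

# browlock_hit_count: number of matching hosts in SAMPLE_PROXY_LOG.
browlock_hit_count() {
    printf '%s\n' "$SAMPLE_PROXY_LOG" | browlock_hits | grep -c . || true
}

# Demonstration: prints the two flagged hosts from the constructed log.
printf '%s\n' "$SAMPLE_PROXY_LOG" | browlock_hits
```

The registered-domain shape alone would also match ordinary five-character .com domains (the constructed c9876.com line is deliberately not flagged), which is why browlock_hits requires the id label as well. If your proxy records destination IP addresses, the addresses listed under the infrastructure section below are a natural second key for the same check.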

Conclusion

The Browlock ransomware's tactics are simple but effective. The attackers save money by not using a malicious executable and by not needing access to an exploit kit. Since victims can escape the web page simply by closing the browser, one might think that nobody would pay. However, given that the Browlock attackers are clearly paying to purchase traffic, they are certainly recouping their investment. The usual ransomware tactic of targeting users of adult sites and exploiting the victim's embarrassment also continues, and that presumably contributes to the success rate.

Symantec protects customers from Browlock with IPS and antivirus signatures.

Malicious infrastructure in use

AS24940 HETZNER-AS Hetzner Online AG

  • IP address: 144.76.136.174, redirected users: 2,387

AS48031 - PE Ivanov Vitaliy Sergeevich

  • IP address: 176.103.48.11, redirected users: 37,521
  • IP address: 193.169.86.15, redirected users: 346
  • IP address: 193.169.86.247, redirected users: 662,712
  • IP address: 193.169.86.250, redirected users: 475,914
  • IP address: 193.169.87.14, redirected users: 164,587
  • IP address: 193.169.87.15, redirected users: 3,945
  • IP address: 193.169.87.247, redirected users: 132,398

AS3255 - UARNET

  • IP address: 194.44.49.150, redirected users: 28,533
  • IP address: 194.44.49.152, redirected users: 134,206

AS59577 SIGMA-AS Sigma ltd

  • IP address: 195.20.141.61, redirected users: 22,960

Nigeria Ifaki Federal University Oye-ekiti

  • IP address: 196.47.100.2, redirected users: 47,527

AS44050 - Petersburg Internet Network LLC

  • IP address: 91.220.131.106, redirected users: 81,343
  • IP address: 91.220.131.108, redirected users: 75,381
  • IP address: 91.220.131.56, redirected users: 293

AS31266 INSTOLL-AS Instoll ltd.

  • IP address: 91.239.238.21, redirected users: 8,063

 


The State of Financial Trojans in 2013


The famous line "because that's where the money is" is said to be bank robber Willie Sutton's reply when asked why he robbed banks. True or not, the line still holds today.

The same situation applies to today's malware targeting financial institutions. As the place where money moves has shifted to online banking applications, attackers have been drawn there too. It is no surprise that Trojans targeting online banking services continue to be developed. An example we reported on recently is the Trojan called Neverquest, a successor to Trojan.Snifula, which has been in use since it was first identified in 2006.

Infections by the most common financial Trojans increased by 337% between January and September 2013. That works out to nearly 500,000 computers per month becoming infected and exposed to fraud. To understand in detail the mechanics behind financial Trojans and the scale of their operations, Symantec analyzed more than 1,000 configuration files belonging to eight online-banking Trojans. These configuration files define the URLs the Trojan attacks and the attack method used against each. The methods range from simply redirecting the user to complex web injections that can carry out transactions automatically in the background. In total, the configuration files analyzed targeted 1,486 financial institutions. This makes clear how widespread the Trojans are, and that anything that produces financial gain for the attackers is a target.

Banks in the United States are attacked most frequently, appearing in 71.5% of the Trojan configuration files examined. Each of the top 15 targeted banks appeared in more than 50% of the configuration files, meaning that one in two Trojans targets at least one of the top banks. These high figures may be because the targeted URLs exist as samples in some of the basic toolkits sold along with the Trojans. Another possible reason is that the Trojans remain effective against these companies, since some financial institutions still have not adopted strong authentication. Of course, most financial institutions are aware of these cybercrime trends and have introduced new protections to block such attacks, but unfortunately, rolling out new security measures takes time and money, and attackers are constantly creating new attack vectors. In the end, social engineering attacks continue to work, because there is no end to the people who fall for a clever story. Symantec expects attacks on online banking services to continue next year.

For those who want to know more about the state of financial Trojans, we have published an updated whitepaper on the topic (in English).

For an overview of financial threats in 2013, see also the infographic below.


Important changes to SSL certificates on intranets: what you need to know


If you use SSL certificates on intranet sites with internal server names, they may not work from 1 November 2015. For companies with complex infrastructures, the change may be challenging but now is the time to start getting ready.

Symantec is an 8-time Leader in the Gartner Magic Quadrant for Data Loss Prevention (DLP)


Symantec Data Loss Prevention (DLP), a Leader in the Gartner Magic Quadrant for Content-Aware DLP, helps protect companies from malicious insiders and well-meaning employees.

Resolved: Some Groups Temporarily Missing from Connect


Edited: This problem has now been resolved.

 

There is currently a known issue on Connect that is causing some groups to not appear on the site. We believe that we have isolated the problem and are currently working to restore access to these groups. Rest assured that there were no security threats with this action. In addition, we do not believe that any content in these groups will be lost. It is an internal server issue. We do not have an estimated time that these groups will be restored, but do not anticipate that it will be a long-term problem. We will update this blog when we do have a time to resolution.

If you have any questions, please feel free to contact Leslie Miller.

Solving The "Bigger Data" Challenge


Information is – slowly – moving outside the database. And it’s everywhere. Businesses want to get their hands on all the data that really matters, wherever it resides, because that is the strategy that will ensure they stay ahead of the game.

More and more, they are seeing both structured and unstructured data as their life blood, wherever, and in whatever format, that data presents itself. No matter whether it is ‘System centric’ (i.e., it’s in the database) or ‘Information centric’ (it’s ‘out there’ somewhere), it has vast potential value if it is harnessed and employed properly. Hence organisations are working to develop and deploy big data alongside their established business intelligence structure: that is where their future success lies.

The business opportunities that will assure their survival, growth and future well-being are locked within the flood of data that swirls around us. If they can relate details from across all of their digital information assets, they can create and make use of new views of their business – for example:

  • The building trade analysing security CCTV footage of site activity to understand how best to manage delivery of supplies (not to mention workforce productivity)
  • Telcos (now CSPs, of course) that push you emails and texts, based on your real-time location (or sell it to third parties, who send you ads for the shopping centre you just entered)
  • The pharmaceutical industry being able to track the spread and mutation of disease, based on patient records and visits to hospitals and doctors.

The dangers

Exploiting these swelling data streams has become the quest. However, it’s one that’s also fraught with danger, where every such occasion for advancement presents an equal threat. Each time IT plugs together disparate information sources and discovers new opportunities, it also creates new information management challenges. Technology-wise, what they are seeking to do may well be possible, but, corporate- and compliance-wise, are they even allowed to use the information in the ways they propose?

In pursuit of this larger world view, businesses have to venture outside of their familiar ‘comfort capsules’ (where they dealt primarily with siloed data) into the vast, dark space that lies beyond. And it is a journey into the unknown that raises huge security and compliance questions. To such an extent, I know of several organisations that have shied away from getting such projects started, or abandoned them along the way, as the challenge of protecting sensitive data that’s not within their immediate control has made the task seem beyond resolution. The upshot is that organisations can find themselves embroiled in a vicious circle where, with each new possibility that arises, the management headaches that come with it just get bigger.

What they are seeking now is the right ‘key’ to enable them to access and control that data – while keeping themselves, and all who engage with them, safe and secure. That means making certain the key they employ is one that only they, and those they entrust, have access to, so they are protected at all times, irrespective of where the information they seek actually resides. It is from this stance alone that they can truly unlock the value of ‘bigger data’ and use the information to their competitive advantage.

The way forward

At Symantec, we’ve been talking about this shift from ‘System centric’ to ‘Information centric’ for some time now with our customers. The outcome is that businesses are really starting to get their heads around the reality of what this means, while recognising they are going to have to:

  • Create scale-out repositories
  • Understand how the contents of those repositories can be used and exploited
  • Only allow access based on parameters such as Identity and location
  • Think about the protection of information, rather than infrastructure and systems

As with so many businesses, our customers are not only starting to recognise the new, wider potential and value in their information, but also how to exploit it fully, without fear of compromise or their systems being breached. To that end, Symantec 4.0 is structured to enable businesses to tap into and take advantage of that data in ways they are only just beginning to think about. Our focus will centre on three critical areas for information management:

  • Information Fabric: helping customers understand what information they have across all aspects of structured and unstructured data: who is using it, how they are using it, whether it is protected correctly, etc.
  • Unified Security: realising the benefits of intelligent management and unified security in today's complex IT infrastructures, providing real-time analysis and understanding of an organisation's ever-changing information risk landscape.
  • Universal Identity: creating a universally accepted identity system across all platforms, helping businesses and users to manage their online identities.

We believe this powerful new triumvirate will firmly embrace and meet the many security needs of business in the ‘Bigger Data’ age.


Symantec VIP Update: Enhanced Self Service Portal and VIP Manager


 

 

Symantec would like to announce an update of the Validation and ID Protection Service (VIP), with enhancements for VIP Self Service Portal and VIP Manager.

The VIP Self Service Portal has been redesigned! The portal now has an updated visual design and simplified page for managing your credentials, and an option for organizations to display their logo at the top. In the VIP Manager, new features and settings have been added for further customization and security, including changes to the password requirements. These new features have been automatically updated in the web-based portals, unless otherwise noted. 

 

Summary of New Features

  1. Self-Service Portal Enhancements
  2. VIP Manager Enhancements
  3. VIP Manager Password Security 

Feature Highlights

Self-Service Portal Enhancements

  • Redesigned VIP Self Service Portal and Registered Credentials page.
  • The Self Service Portal can also be co-branded with a customer logo.* 
  • New remote-device diagnostic page allows admins to troubleshoot the Registered Computer plug-in (a component of VIP Intelligent Authentication). This page will identify whether the plug-in is installed and offer additional information.
  • Support for Simplified Chinese.
  • Support for Chrome on Mac, Windows 8 with IE10 only, and Windows 8.1 with Chrome, Firefox, Safari, Internet Explorer 7 or later.


VIP Manager Enhancements

  • The Groups feature now supports linking Admin Groups to specific User Groups, to allow for further customization around administrator privileges.**
  • Direct Sign-In setting offers the ability to disable sign-in directly to the VIP Manager portal and allow admins to authenticate seamlessly from a corporate identity provider (IdP), such as Microsoft Active Directory.**
  • Reports will now default to use the local time zone of the administrator, for a better user experience.

VIP Manager Password Security Features 

  • The default validity period for temporary passwords is now 30 minutes rather than 7 days.
  • When resetting a password, admins must provide two security codes with the temporary password, rather than just one.
  • Support for special characters in passwords.

* Exception: Co-branding does not appear on the login page for this release.

** This feature requires an update to Enterprise Gateway 9.3 or later.

 

 

Technical Support

We value your business and are committed to customer care.  Please contact us if we can assist or answer any questions. Symantec Support can be reached via email at: enterprise_vipsupport@symantec.com or by phone at +1-650-426-3535 or 1-800-579-2848. You can also visit the VIP support Knowledge Center.

 

Don’t forget to follow us on Twitter: @SymantecVIP

 

 

Symantec Managed PKI Service v8.10 Release


Symantec would like to announce an update of the Managed PKI Service, with enhancements for PKI Manager and PKI Client.

The PKI Manager Dashboard now displays certificate usage by type, allowing administrators to see and compare certificates in use. To assist customers in replacing SHA-1 certificates with SHA-2 certificates, PKI Manager now offers the ability to migrate certificate profiles. Additionally, the PKI Client for end users supports new third-party cryptographic service providers (CSPs), and new integration guides have been added.

Summary of New Features

  1. PKI Manager Seat Pool Types
  2. PKI Manager Migration Support to SHA-2
  3. Expanded Support

Feature Highlights

PKI Manager Seat Pool Types

  • In the PKI Manager, administrators will be able to see certificate seat usage by seat pool and sub-seat pool on the Dashboard. For example, users can see the number of user seats, device seats, server seats, and organization seats used and purchased.


PKI Manager Migration Support to SHA-2

  • Ability to migrate to new profiles when your certificates are about to expire or need to be re-keyed to SHA-2.
  • More information on SHA-2: SHA-2 is a family of Secure Hash Algorithms published by the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) as a U.S. Federal Information Processing Standard. Certificates signed with SHA-2 are more secure than those signed with earlier hash algorithms, and many organizations may be required to upgrade to SHA-2 to comply with Federal and PCI standards.

Expanded Support

  • Support for additional third-party Cryptographic Service Providers (CSPs):
    • Microsoft Base Smart Card Cryptographic Provider (Windows only)
    • eToken Base Cryptographic Provider
  • Manufacturing accounts for embedded X.509 certificates now have a seat-pool check for the full and test drive accounts.
  • Three new integration guides are now available in PKI Manager:
    • Symantec Managed PKI Integration Guide for MobileIron Virtual SmartPhone Platform
    • Symantec Managed PKI Integrating Secure Email Gateway Certificates with Clearswift SECURE Email Gateway
    • Symantec Managed PKI Integrating Adobe CDS Organization Certificates with Adobe LiveCycle Enterprise Suite for Adobe Reader

To see the latest platforms and devices supported, please refer to the Managed PKI v8.10 Release Notes.

Don’t forget to follow us on Twitter: @SymantecMPKI

Custom SQL query for ASA DB (OpsCenter) to generate Monthly Success rate


Thus we were able to snoop the query and modify it as per the requirement. We connected to the ASA DB and ran the query.
The output was then processed to produce the report.

Task Scheduling in Enterprise Vault

When setting up new tasks in Enterprise Vault, the default for each task is to use the 'site schedule'. My question today is whether anyone uses this site schedule? Let's discuss...

Here is the site schedule on one of my test environments:

[Image: site schedule.png]

That's right, the default is that the schedule is set to 'never'. I'm not sure that this is the same across all versions of Enterprise Vault; this was a new installation.

To me, having the default of 'use site schedule' on new tasks seems to lead us down the path of laziness. We might assume that the site schedule is set to 'something' when in fact it's not. We come in to work the following day to find that our new shiny task hasn't done anything... and it's because the schedule is not set correctly!

Do you use the 'site schedule'? Let me know in the comments.
 

Turning Business Continuity into a Competitive Advantage


The pace of technological change and its complexity are challenging traditional business continuity paradigms. What was once considered a ‘best practice’ in Business Continuity (BC) no longer serves the new digital world, and organizations can’t rely on these outdated processes to reach their future objectives. These ‘best practices’, and the standards and guidelines based on them, are unsuitable for the modern technologically dependent organization because they were intended to serve a different purpose within a vastly different business environment. Some might question or be puzzled by the notion that long-standing and widely accepted best practices could be unreliable; however, that really shouldn’t be so disturbing. After all, ‘blood-letting’ was once a medical ‘best practice’, one that not so long ago led to the death of the first US President. It is time to modernize Business Continuity and align it to the genuine needs of today’s technologically dependent organization.

Today almost everything an organization does relies in some form or other on information technology. Businesses use IT to link to customers, suppliers and partners, to increase their operating efficiencies, to connect global supply chains and more. With advancements in IT, we now do more transactions online, of greater value, and faster than ever before. It could be said that the modern organization is entirely dependent on IT. In a world filled with thousands of servers that are executing petabytes of data and covering hundreds of miles of networks in less than a nanosecond, unforeseen ‘one-in-a-million’ glitch events can happen in the blink of an eye. The complexity of today’s IT is extremely different from the uniform and homogeneous IT environment that was in place when many Business Continuity ‘best practices’ were designed. Relying on these old ‘best practices’ for your business continuity strategy creates blind spots that may lead to significant oversights, oversights that profoundly affect the reliability of the overall strategy.

The prevailing ‘best practices’ in Business Continuity have favored a ‘Better Safe than Sorry’ approach to dealing with risk. In ordinary life ‘Better Safe than Sorry’ might seem quite sensible; intuitively it does seem better to be safe. This paradigm does not work when the cost of the safety exceeds the cost of the risk, when ‘the cure is worse than the disease’. Safety, therefore, is not an ‘all or nothing’ condition: risk comes in degrees and mitigation actions have a variety of trade-offs. There are times when this perception of safety causes blind spots that lead us astray and cause us to overspend or waste valuable resources; feeling safe is not the same as being safe. As Robert Hahn pointed out to the US Congress, ‘This leads to a paradox that is becoming increasingly recognized. Large amounts of resources are often devoted to slight or speculative dangers while substantial and well-documented dangers remain unaddressed’[1].

We can’t bet our organization’s valuable and scarce resources on intuition and rules of thumb; the harm is that when resources are disproportionately allocated to efforts based on precautionary heuristics, those resources will not be available for less obvious but potentially more harmful risks. This is what must change to manage continuity in today’s complex business environment: Business Continuity can no longer rely on outdated heuristics and precautionary ‘best practices’.

Managing continuity in today’s complex IT-dependent organization requires replacing the ‘better safe than sorry’ heuristics with optimal risk-reduction actions. Managing risk depends on measuring the size of the investment and how speculative the harm is. The potential negative consequences of catastrophic events such as floods, fires, hurricanes, tornados, earthquakes, terrorism, pandemics, or a meteor strike are quite significant. The question is not whether these events are hazardous or whether they should be of interest to an organization. It is obvious that the loss of life and resources from catastrophic events can cripple a business, and the danger of being unprepared for such an event is equally obvious, but capitalism is not about doomsday prepping. Capitalism is about calculated risk-taking: no risk taking, no innovation, no competitive advantage, and no shareholder value. Congressman Michael G. Oxley points out that “Capitalism is about taking risk, and that is what makes our system so productive.”[2]
The “Big Question”, the question that the precautionary principle does not and cannot answer for Business Continuity, is ‘when do we stop spending resources on safety?’ The hard question for Business Continuity to answer is not ‘what to do’ but ‘how much to spend’. A business, after all, can’t spend all its money and resources on safety.

Many Business Continuity ‘best practices’ conceal the precautionary bias by using legitimate-sounding terms such as ‘risk appetite’, ‘risk tolerance’, and ‘risk aversion’, but these terms are never developed beyond heuristics and subjective judgment. They are just ordinary perceptions about risk; they are neither measurements of risk nor can they be used to calculate risk. They are simply terms for how we feel about risk. Still other Business Continuity ‘best practices’ mask their subjectivity and bias through the use of elaborate ‘High-Medium-Low’ (HML) matrix models. These tools don’t calculate risk; they merely rank perceptions of risk, providing none of the credible information or statistical grounding needed to make a rational decision on how to optimally reduce risk. These models just describe how we feel about risk, which does not help answer ‘what to do’ or ‘how much to spend’.

The precautionary bias is peppered throughout the many Business Continuity standards, guidelines and ‘best practices’, as well as its certifications. Today a balanced approach to business continuity is more important than ever, and precautionary guidelines that consistently ignore minor cracks in continuity will not serve that purpose. Our organizations would be better served if business continuity first looked for ways to proactively fill those continuity cracks rather than solving for the next Apocalypse. All in all, “a stitch in time saves nine”. The real problem with traditional approaches is not that they are wrong, but that they offer no guidance to modern organizations on how to optimally reduce risk, on how to fill the cracks. The unintended consequence of these outdated Business Continuity methods has been that the operational aspects of IT have been systematically neglected, and this might be the biggest blunder in business continuity today.

With all these best practices, these HML matrix models and this talk of risk aversion, there seems to be a growing and significant disconnect from what is actually happening in our new digital world. Business Continuity routinely dismisses IT risks in favor of the prevailing ‘risk of the month’ because the best practices have a close affinity to the precautionary bias. While few would dispute that IT is becoming increasingly important to every organization, a Business Continuity certification consultant recently stated at an industry event that “the ultimate goal of BC activities was to get out of the data center”, an antiquated notion which undoubtedly implies that the IT infrastructure is unworthy of serious attention from business-oriented BCM practitioners. Nothing could be further from the truth.

The precautionary bias coupled with people’s fear will trigger perceptions about worst-case scenarios that make them appear increasingly plausible. In 2008/2009, the United States suffered a major financial meltdown, one with an impact that many economists have estimated at $1.8 trillion[3]. While we intuitively understand the consequences of a loss at that scale, most of us fail to recognize the extent of a “silent” IT disaster unfolding under our virtual noses. According to IT complexity expert and ObjectWatch founder Roger Sessions, organizations in the United States lose $1.2 trillion from IT failures every year. Worldwide, the total comes to $6.2 trillion. Although Sessions’ numbers have been challenged by other economists, their own calculations remain sobering, concluding that the threat worldwide is “only” $3.8 trillion!

The most notable aspect of Sessions’ math is this: the overwhelming majority of the annual $1.2 trillion loss is not caused by the low-probability/high-consequence catastrophes that capture attention, but by high-probability/low-consequence events that occur frequently, such as software bugs, hardware failures and security breaches. Worse, as applications become more complex, involving an ever-larger tangle of code, data nodes and system networks, the exposure to these “smaller” events becomes more frequent and their impact more costly.

The sheer size of these losses due to IT failure should serve as a wake-up call for anyone involved in Business Continuity. How could the very practices that were intended to provide continuity for our organizations allow interruptions that generate losses of this magnitude? Either Business Continuity’s target or its aim has been considerably off. While business continuity has been waiting and preparing for a catastrophic event, it has ignored the real risk to continuity: IT. Business Continuity ‘best practices’ absolutely must start to do things differently. We need to start thinking rationally about where to devote our efforts and where to place our emphasis. Genuine Business Continuity ‘best practices’ must make certain that real and serious risks receive the attention they deserve.

The “Big Question”, as we discussed earlier, covers optimization of scarce resources in the present to achieve the greatest benefit for our organization in the future. After all, it is not about turning the lights back on once they fail; continuity is about ensuring that the lights never go off in the first place. For Business Continuity the “Big Question” has two components: (1) which risks are the serious ones and (2) what are the optimal risk-reduction actions. Traditional methods currently used in Business Continuity offer little help in answering the Big Question. In fact, the current set of heuristics can be dysfunctional because it unknowingly diverts resources to slight or speculative dangers.

Many in the Business Continuity community share a mistaken belief that it is impossible to develop credible quantitative risk estimates. That belief is illusory: real-world experience shows that there is a wealth of data on which to base quantitative risk estimates with a degree of precision and confidence sufficient to support sound management decisions. We don’t have to be perfect; in fact we can’t be perfect, and perfection is infinitely expensive. We do, however, need to increase the probability of success by reducing our losses. We need to apply a level of discipline appropriate to the complexity of the situation; IT is too complex for heuristics, rules of thumb and intuitive judgment.

While precise information is extremely valuable, even small amounts of reliable data are infinitely better than relying on subjective value judgments when it comes to making sound decisions about managing IT infrastructure risk. Risk-related data is increasingly available. There is a surprising amount of information from which to make realistic calculations and estimates about IT infrastructure and operational risks. As Immanuel Kant said, “We have a duty - especially where the stakes are large - to inform ourselves adequately about the facts of the situation.” All in all, it is far better to use empirical data than to rely on intuitive, subjective judgments.

Business Continuity must make informed estimates about future losses and then take appropriate action based on those estimates. The underlying economic models must be constructed to accurately portray all of the pertinent risk parameters, as opposed to measuring risk perceptions. Cost-benefit balancing can be applied to ensure a proportional response. To keep the odds in our favor we must economically quantify the operational risks of the IT infrastructure so that we can properly evaluate the many tradeoffs and reach the optimal risk-reduction solution for our organizations.
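As an added example (not the article's own material), the following Python script carries the cost-benefit balancing described above through to a decision: it puts a dollar figure on each risk as an annualized loss expectancy, scores candidate controls by the expected loss they avoid minus their own cost, and spends a fixed budget on the best-scoring controls. All risks, frequencies, losses and control costs are constructed sample figures, chosen to reflect the article's point that frequent small IT failures can outweigh a rare catastrophe; the greedy allocation by net benefit is this example's own simplification, not a method the article prescribes.

```python
"""Cost-benefit ranking of continuity controls.

Added example, not from the article. It turns the article's argument into a
calculation: every risk gets an annualized loss expectancy (ALE = annual rate of
occurrence x single loss expectancy), every candidate control is scored by the
ALE it removes minus its own annual cost, and a fixed budget is spent on the
best-scoring controls first. All risks, rates, losses, controls and costs are
constructed sample figures, not numbers from the article.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    aro: float   # annual rate of occurrence (expected events per year)
    sle: float   # single loss expectancy (loss per event, in dollars)

    @property
    def ale(self):
        """Annualized loss expectancy: the expected yearly loss from this risk."""
        return self.aro * self.sle


@dataclass(frozen=True)
class Control:
    name: str
    risk: str          # name of the Risk this control addresses
    annual_cost: float
    reduction: float   # fraction of the risk's ALE removed, 0.0 to 1.0


def net_benefit(control, risks):
    """Expected loss avoided per year minus what the control costs per year."""
    return risks[control.risk].ale * control.reduction - control.annual_cost


def rank_controls(controls, risks):
    """Best net benefit first; a negative score means the cure costs more than the disease."""
    return sorted(controls, key=lambda c: net_benefit(c, risks), reverse=True)


def allocate_budget(controls, risks, budget):
    """Greedy spend: positive-benefit controls in rank order while the budget lasts,
    at most one control per risk so reductions never stack past 100%."""
    chosen, spent, covered = [], 0.0, set()
    for control in rank_controls(controls, risks):
        if net_benefit(control, risks) <= 0 or control.risk in covered:
            continue
        if spent + control.annual_cost <= budget:
            chosen.append(control)
            spent += control.annual_cost
            covered.add(control.risk)
    return chosen, spent


def residual_ale(chosen, risks):
    """Total expected yearly loss that remains after the chosen controls are in place."""
    reduction = {c.risk: c.reduction for c in chosen}
    return sum(r.ale * (1 - reduction.get(r.name, 0.0)) for r in risks.values())


# Constructed sample data: frequent small IT failures next to one rare catastrophe.
RISKS = {r.name: r for r in [
    Risk("software defect outage", aro=12, sle=40_000),        # ALE 480,000
    Risk("hardware failure",       aro=6,  sle=25_000),        # ALE 150,000
    Risk("security breach",        aro=1,  sle=300_000),       # ALE 300,000
    Risk("regional flood",         aro=0.01, sle=5_000_000),   # ALE 50,000
]}

CONTROLS = [
    Control("staged deploys with rollback", "software defect outage", 120_000, 0.6),
    Control("redundant storage",            "hardware failure",       40_000,  0.8),
    Control("patching and monitoring",      "security breach",        90_000,  0.5),
    Control("offsite backups",              "regional flood",         20_000,  0.7),
    Control("second hot site",              "regional flood",         400_000, 0.9),
]

if __name__ == "__main__":
    for c in rank_controls(CONTROLS, RISKS):
        print(f"{c.name:32s} net benefit {net_benefit(c, RISKS):>12,.0f}")
    picked, spent = allocate_budget(CONTROLS, RISKS, budget=200_000)
    print("chosen:", [c.name for c in picked], "spent:", spent)
    print("total ALE before:", sum(r.ale for r in RISKS.values()),
          "after:", round(residual_ale(picked, RISKS)))
```

With these figures the hot site for the rare flood scores a large negative net benefit and is never bought, while the cheap offsite backups for the same risk are: that is the proportional response the article asks for, and it falls out of the numbers rather than from how anyone feels about floods.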

With $3 to $6 trillion a year at stake, understanding how to prevent the continuing spiral of IT failures will have substantial benefits. In these difficult economic times, there is a tremendous amount of good that $3 to $6 trillion could add to our global economy. Making rational decisions about calculated risks that reduce the economic impact of IT failures will be key to achieving a competitive advantage in today’s dog-eat-dog business world.


[1] Making sense of Risk: An Agenda for Congress, in Risks, Benefits, and Lives Saved 183, Robert Hahn, ed. (New York: Oxford University Press, 1996).

[2] Rebuilding Investor Confidence, Protecting U.S. Capital Markets, House Committee on Financial services, Michael G. Oxley, 2003

[3] These and subsequent figures are from The IT Complexity Crisis: Danger and Opportunity, Roger Sessions, November 8, 2009