
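Fake Voting Site Tries to Steal Facebook Users' Personal Information

Contributor: Parag Sawant

Phishers keep coming up with new ploys to improve their chances of harvesting users' sensitive information. In a phishing attack that Symantec recently observed, data was being collected through a fake voting site that asks whether boys or girls are greater.

The phishing page is hosted on a free web hosting site. The fake voting page, which targets Facebook users, displays the question "WHO IS GREAT BOYS OR GIRLS?" together with a [VOTE] button. The page also embeds a bar chart of the voting results, showing the total number of votes over the past four years. The chart makes the page look more authentic.

Figure 1. Facebook application asking users to register for the voting site

The first phishing page has a button that starts the voting process. Clicking this button opens a pop-up window, shown in the next figure, that asks users to enter their login ID and password.

Figure 2. Pop-up window asking for the user's account information

The pop-up window also displays buttons for voting for either boys or girls and a button to submit the vote. Once all the required information has been entered in the fields, the user is taken to a confirmation page acknowledging the vote.

Figure 3. A vote confirmation message is displayed once the user's information has been entered

When we then tried to return to the first page, we noticed that the vote count was increasing at regular intervals. The figure that had been 4,924,055 a moment earlier now read 4,924,096.

Figure 4. Comparison of the vote count before and after the change

The phishers in this case used the following URL, whose subdomain indicates that it is an application:
[http://]smartapps.[REMOVED].com

Users who are fooled by this site have their personal information stolen and used for identity theft.

Using a fake application as bait is not a rare tactic. We recommend taking every possible precaution against phishing attacks when using the Internet.

  • When logging in to your account, check the URL in the address bar and confirm that it is indeed the address of the website you intend to visit.
  • Do not click suspicious links in email messages.
  • Do not include personal information when replying to email.
  • Do not enter personal information in pop-up pages or pop-up windows.
  • When entering personal or financial information, confirm that the website is encrypted with SSL by checking for a padlock (image or icon), "https", or a green address bar.
  • Use comprehensive security software, such as Norton Internet Security or Norton 360, that protects against phishing and social networking scams.
  • Do not carelessly click links sent in email or posted on social networks, however enticing they are.

* To subscribe to the RSS feed of the Japanese Security Response blog, visit http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja.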


The 2013 Internet Security Threat Report: Year of the Mega Data Breach


Once again, it’s time to reveal the latest findings from our Internet Security Threat Report (ISTR), which looks at the current state of the threat landscape, based on our research and analysis from the past year. Key trends from this year’s report include the large increase in data breaches and targeted attacks, the evolution of mobile malware and ransomware, and the potential threat posed by the Internet of Things. We’ll explore each of these topics in greater detail below.

The year of the mega data breach
While 2011 was hailed by many as the “Year of the Data Breach,” breaches in 2013 far surpassed previous years in size and scale. For 2013, we found the number of data breaches grew 62 percent from 2012, translating to more than 552 million identities exposed last year – an increase of 368 percent. This was also the first year that the top eight data breaches each resulted in the loss of tens of millions of identities – making it truly the year of the “mega” data breach. By comparison, only one data breach in 2012 reached that distinction.

Attackers set their sights on medium-sized businesses
If you’ve been following our reports, you know that small and medium-sized businesses (SMBs) are a key target for attackers, and this year proved no exception to the trend. In 2013, SMBs collectively made up more than half of all targeted attacks at 61 percent – up from 50 percent in 2012 – with medium-sized (2,500+ employees) businesses seeing the largest increase.

Attacks against businesses of all sizes grew, with an overall increase of 91 percent from 2012. Similar to last year, cybercriminals deployed watering hole attacks and spear-phishing to increase the efficiency of their campaigns. However, spear-phishing campaigns were down 23 percent, with cybercriminals relying less on emails to carry out their attack campaigns. Watering hole attacks allowed the bad guys to run more campaigns through drive-by-downloads, targeting victims at the websites they frequently visit. Efforts were also aided by a 61 percent increase in zero-day vulnerabilities, which allowed attackers to set up on poorly patched sites and infect their victims with little or no additional effort required. 

Government remained the most targeted industry (16 percent of all attacks). This year we looked not only at the volume of attacks but also at who the preferred targets are and what the odds are of being singled out. The bad news is that no one faces favorable odds and we all need to be concerned about targeted attacks. However, looking at the odds produced some surprises. If you’re a personal assistant working at a mid-sized mining company, I have bad news for you – you topped the “most wanted” list for attackers.

Mobile malware and madware invades consumers’ privacy
While many people download new apps to their mobile devices without a second thought, many malicious apps contain highly annoying or unwanted capabilities. Of the new malware threats written in 2013, 33 percent tracked users and 20 percent collected data from infected devices. 2013 also saw the first remote access toolkits (or RATs) begin to appear for Android devices. When running on a device, these RATs can monitor and make phone calls, read and send SMS messages, get the device’s GPS coordinates, activate and use the camera and microphone and access files stored on the device – all without the knowledge or consent of the victim.

Ransomware growth explodes and turns even more vicious 
As we had previously predicted, ransomware, the malicious software that locks computers and files, grew rapidly in 2013. Ransomware saw an explosive 500 percent growth over last year and remained a highly profitable enterprise for the bad guys, netting $100 to $500 USD for each successful ransom payment. We also saw attackers become more vicious by holding data hostage through high-end encryption and threatening to delete the information forever if the fee was not paid within the given time limit.

The future of identity theft: The Internet of Things
Which of these things have been hacked in the past year: a refrigerator or a baby monitor? When I ask customers this question, they often reply, “Both.” The correct answer is the baby monitor. Despite what you may have heard on the news, Internet connected refrigerators have yet to be attacked. But never say never. Security researchers in 2013 demonstrated that attacks against cars, security cameras, televisions and medical equipment are all possible. The refrigerator’s time will come. The Internet of Things (IoT) is on its way and related threats are sure to follow. In this year’s report, we talk about what we’ve seen so far, and the consensus is that the Internet connected device at most risk of attack today is the home router.

What comes next? With personal details and financial information being stored on IoT devices, it’s only a matter of time before we find a true case of a refrigerator being hacked. Right now, security is an afterthought for most manufacturers and users of these devices, and it will likely take a major security incident before it is seriously considered. However, by starting the conversation now about the potential security risks, we will be that much more prepared when that day comes. This year’s ISTR starts the conversation. 

For more details, check out the complete Internet Security Threat Report, Vol. 19.

Internet Security Threat Report 2013 - The Year of the Identity Breach?


In security as in business, information is power. As we put together the latest edition of the Internet Security Threat Report, we wanted to do more than simply throw some figures out there. As a result, Volume 19 presents a comprehensive analysis of last year’s threats according to publicly available information and events within Symantec’s purview, as well as detailed guidance about what security professionals can do in response. 

At the top level of the report, the main finding was a rapid and significant increase in breaches leading to the exposure of individual identities - employee, customer and patient details. Overall a total of 552 million identities were exposed, across 253 significant security breaches. 

Just as significantly, many of these breaches took place in the final quarter of the year, suggesting that we are at the beginning of a slew of such attacks - one of the reasons we felt pressed to include detailed advice in the report. 34% of reported incidents were due to hacking and 27% were due to theft or loss, while 29% of incidents involved identities accidentally being made public, through simple user error. Only 6% were due to insider attack, which is relatively good news.

One area we found fascinating was how not all breaches were equal. For example, a mere 8 breaches across the sample exposed more than 10 million identities each. Similarly, while 44% of incidents were reported to be in the healthcare sector, these only caused 1% of identities to be exposed; meanwhile, the 5% of breaches coming from the retail sector led to the exposure of 30% of the total identities. 

Targeted attack campaigns have increased by 91% since 2012. To identify such incidents, we look for clear evidence that the recipient was targeted, and how it was done: from our research, it appears that the people most at risk are personal assistants and communications/PR managers, who are being sent generic emails about order details or payment information - the bread-and-butter of such roles. 

In fact, attackers are becoming even more savvy, running a larger number of campaigns against an increasingly focused number of individuals. Year on year, the number of target recipients per campaign has dropped from 111 to 23. It would appear that the ‘bad guys’ are also able to analyse information to decide who is worth targeting and what messages work the best. 

The future security battleground may well be based on who has access to the best information, a factor we are taking into account not only in the ISTR but across Symantec’s services. Watch this space for more, and in the meantime, if you want a copy of the report, you can download it here.

Hurry Fast: Vision Sessions Almost Full

Register While You Still Can

Sessions are filling up fast at Vision this year. We're seeing record registrations so you'll want to act fast. Bookmark and check back here often as nearly full sessions will be updated frequently.

Session ID: 1283
Title: How to Use CCS to Proactively Manage Risk
Abstract: A complex threat environment requires organizations to take a proactive approach to their security with clearly defined and customized objectives. In this lab, Symantec experts will delve into the features of Symantec Control Compliance Suite. You will learn how to combine rich, native assessment data from multiple sources, normalize that data to get a truly composite view of your risk posture and present this information in an actionable format to multiple stakeholders. Your organization can then prioritize and track remediation efforts based on your defined security and risk management objectives.
Type: Hands On Lab
Tracks: Embracing Proactive Cyber Security

Session ID: 1394
Title: Zero to Install in 30 Minutes or Less with NetBackup Appliances
Abstract: While backup is a fundamental function in any data center, running your first backup shouldn't take two days. Don't miss this hands-on lab, where you'll be introduced to the new Symantec installation and configuration wizard that will have you starting your first data backup in 30 minutes.
Type: Hands On Lab
Tracks: Enabling the Modern Data Center

Session ID: 1424
Title: The Practical Value of NetBackup OST integration with Primary Storage
Abstract: Replication Director enables a number of different Snapshot-based data protection options within NetBackup. This lab will explore each of them in the context of a typical Microsoft Exchange deployment. You'll walk away with a more detailed understanding of how these Snapshot-based data protection options in Replication Director work and when it makes sense to use each of them.
Type: Hands On Lab
Tracks: Enabling the Modern Data Center

You can access the session scheduler here.

 

Not yet registered for Vision? You can do so here!

 

Microsoft Patch Tuesday – April 2014


Hello, welcome to this month's blog on the Microsoft patch release. This month the vendor is releasing four bulletins covering a total of 11 vulnerabilities. Seven of this month's issues are rated ’Critical’.

As always, customers are advised to follow these security best practices:

  • Install vendor patches as soon as they are available.
  • Run all software with the least privileges required while still maintaining functionality.
  • Avoid handling files from unknown or questionable sources.
  • Never visit sites of unknown or questionable integrity.
  • Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft's summary of the April releases can be found here:
http://technet.microsoft.com/en-us/security/bulletin/ms14-apr

The following is a breakdown of the issues being addressed this month:

  1. MS14-017 Vulnerabilities in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (2949660)

    Microsoft Office File Format Converter Vulnerability (CVE-2014-1757) MS Rating: Important

    A remote code execution vulnerability exists in the way that affected Microsoft Office software converts specially crafted files. An attacker who successfully exploited this vulnerability could run arbitrary code as the current user. If the current user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

    Microsoft Word Stack Overflow Vulnerability (CVE-2014-1758) MS Rating: Important

    A remote code execution vulnerability exists in the way that Microsoft Word parses specially crafted files. An attacker who successfully exploited this vulnerability could run arbitrary code as the current user. If the current user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

    Word RTF Memory Corruption Vulnerability (CVE-2014-1761) MS Rating: Critical

    A remote code execution vulnerability exists in the way that Microsoft Word parses specially crafted files. An attacker who successfully exploited this vulnerability could run arbitrary code as the current user. If the current user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

  2. MS14-018 Cumulative Security Update for Internet Explorer (2950467)

    Internet Explorer Memory Corruption Vulnerability (CVE-2014-0235) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2014-1751) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2014-1752) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2014-1753) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2014-1755) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2014-1760) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

  3. MS14-019 Vulnerability in Windows File Handling Component Could Allow Remote Code Execution (2922229)

    Windows File Handling Vulnerability (CVE-2014-0315) MS Rating: Important

    A remote code execution vulnerability exists in the way that Microsoft Windows processes .bat and .cmd files that are run from an external network. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

  4. MS14-020 Vulnerability in Microsoft Publisher Could Allow Remote Code Execution (2950145)

    Arbitrary Pointer Dereference Vulnerability (CVE-2014-1759) MS Rating: Important

    A remote code execution vulnerability exists in the way that Microsoft Publisher parses specially crafted files. An attacker who successfully exploited this vulnerability could run arbitrary code as the current user. If the current user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

More information on the vulnerabilities being addressed this month is available at Symantec's free SecurityFocus portal and to our customers through the DeepSight Threat Management System.

2014 Internet Security Threat Report: Mega Data Breaches and Targeted Attacks Grow Significantly


Symantec’s latest Internet Security Threat Report (ISTR), Volume 19 provides a snapshot of the current global threat landscape, helping to pinpoint where companies need to focus their energy.

Symantec 2014 Internet Security Threat Report


Symantec launched its 2014 Internet Security Threat Report (ISTR), Volume 19, which highlights how cybercriminals unleashed the most damaging series of cyberattacks in history – ushering in the era of the “Mega Breach.” Please visit the ISTR landing page for this year’s report and supplemental assets.

 

How to license a SEP 12.1 unmanaged client


Additional information can be viewed in the unmanaged client's System Log to verify that licensing has been successful.


Endpoint Management Luncheon at Vision 2014


Attention Endpoint Management customers attending Vision!

Please join us for lunch on Tuesday, May 6 and Wednesday, May 7 during Vision Las Vegas 2014.

We are inviting all Endpoint Management customers to gather together to enjoy good food, valuable conversations, and cool prizes. 

Each lunch table will have a designated topic to focus the discussion and Symantec experts available to answer questions. The luncheon each day will be held during the normal lunch time scheduled at Vision but in our own conference room. To attend, simply sign-up like you would for any other Vision session or lab using the session scheduler.

Sign-up for Luncheon on Tuesday, May 6

Sign-up for Luncheon on Wednesday, May 7

And yes! You are welcome to join us for lunch on both days!

See you in Vegas!

 

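The Dark Power of Windows PowerShell

It was recently reported that Windows PowerShell, Microsoft's scripting language, is being abused by malware authors for malicious purposes. Symantec has identified more PowerShell scripts that are being used maliciously in attacks. Unlike other PowerShell scripts seen so far, this script (which Symantec detects as Backdoor.Trojan) has several layers of obfuscation and can inject malicious code into rundll32.exe, which lets it stay hidden on the computer while continuing to act like a backdoor.

Figure 1. The original Microsoft Windows PowerShell script

As the image above shows, the script is obfuscated so that the user does not see it in clear text. The attacker used the -EncodedCommand parameter to encode the entire script in base64. Even after decoding, the script is still obfuscated and looks like the following figure.

Figure 2. First decoded layer of the PowerShell script

Next, the script decodes part of itself from base64 into plain text again and passes the decoded part through a decompression function. The decompressed data is the latest stage of the deobfuscated PowerShell script, and it is executed with the Invoke-Expression command.

Figure 3. Deobfuscated PowerShell script

To stay hidden on the computer, the attacker uses the CompileAssemblyFromSource command so that the embedded code can be compiled and executed on the fly. The compiled code then launches rundll32.exe in a suspended state, injects malicious code into the newly created process, and resumes the rundll32 thread. This is how it evades detection on the computer.

The injected code then attempts to connect to a remote computer and waits for a buffer of instructions to be received. The code then stores those instructions with EXECUTE_READWRITE permission, and the instructions are executed stealthily.

The following figure shows how the injected code allocates memory, receives the instructions, and later executes them.

Figure 4. Malicious code injected into rundll32.exe

Symantec customers are protected from this attack by the Backdoor.Trojan detection. To prevent infection, we recommend using the latest Symantec technologies and keeping antivirus definitions up to date. Avoid running unknown PowerShell scripts, and do not lower PowerShell's default execution settings, so that malicious scripts are prevented from running.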
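The encoding layers described in this post can be peeled statically during triage, without running anything. The following Python sketch is an added example, not Symantec's tooling or the script from the post; the raw Deflate/gzip/zlib guesses, the `$blob` stage and the sample command line are constructed assumptions, because the post does not show the script text or name the compression used.

```python
"""Statically decode a PowerShell -EncodedCommand argument and any compressed stage inside it."""
import base64
import binascii
import re
import zlib

# "-<parameter> <base64>" pairs on a command line, and long base64 runs inside script text.
PARAM = re.compile(r"-([A-Za-z]+)\s+([A-Za-z0-9+/]{8,}={0,2})")
BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
MAX_OUT = 1 << 20  # cap inflated output so a hostile blob cannot exhaust memory

# Constructed benign payload used only to build the sample below.
INNER = "Write-Output 'constructed benign sample for decoder testing'"


def is_encoded_command(name):
    """powershell.exe accepts -ec and any prefix of -EncodedCommand (-e, -enc, ...)."""
    name = name.lower()
    return name == "ec" or "encodedcommand".startswith(name)


def decode_encoded_command(cmdline):
    """Return the script text behind -EncodedCommand (base64 of UTF-16LE), or None."""
    for match in PARAM.finditer(cmdline):
        if is_encoded_command(match.group(1)):
            try:
                return base64.b64decode(match.group(2), validate=True).decode("utf-16-le")
            except (binascii.Error, UnicodeDecodeError):
                return None
    return None


def inflate(blob):
    """Try raw Deflate, gzip and zlib framing in turn; return the bytes or None."""
    for wbits in (-15, 31, 15):
        try:
            out = zlib.decompressobj(wbits).decompress(blob, MAX_OUT)
        except zlib.error:
            continue
        if out:
            return out
    return None


def next_layer(text):
    """Find an embedded base64 blob that inflates cleanly and return it as text."""
    for candidate in BLOB.findall(text):
        try:
            raw = base64.b64decode(candidate, validate=True)
        except binascii.Error:
            continue
        out = inflate(raw)
        if out is not None:
            return out.decode("utf-8", errors="replace")
    return None


def peel_layers(cmdline, max_depth=5):
    """Return every decoded layer, outermost first, for an analyst to read."""
    layers = []
    text = decode_encoded_command(cmdline)
    while text is not None and len(layers) < max_depth:
        layers.append(text)
        text = next_layer(text)
    return layers


def build_sample():
    """Constructed command line with the same layering: base64(UTF-16LE) around base64(Deflate)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    packed = comp.compress(INNER.encode()) + comp.flush()
    stage2 = '$blob = "%s"' % base64.b64encode(packed).decode()
    outer = base64.b64encode(stage2.encode("utf-16-le")).decode()
    return "powershell.exe -NoProfile -EncodedCommand " + outer


if __name__ == "__main__":
    for depth, layer in enumerate(peel_layers(build_sample()), start=1):
        print("layer %d: %s" % (depth, layer))
```

Feeding process-creation command lines from endpoint logs through `peel_layers` gives the analyst the readable inner stage; more than one layer on a single command line is itself worth flagging.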

 


Instagram Scam: Lottery Winners Impersonated to Offer Money for Followers


Over the last week, Instagram scammers have been posting images offering fake lottery winnings to followers. They have convinced users to share the posts, give up personal information, and even send money back to the scammers.

In this scam, a number of Instagram accounts have been created to impersonate real-life lottery winners from the UK and US. These accounts claim to offer US$1,000 to each Instagram user who follows them and leaves a comment with their email address.

Figure 1. Instagram accounts impersonating real-life lottery winners

The accounts impersonating lottery winners have been extremely successful, and have gained anywhere from 5,000 to 100,000 followers.

Once they have amassed a certain number of followers, they reveal a secondary Instagram account belonging to their “accountant”, who is in charge of delivering the US$1,000 to users—with a catch.

Figure 2. Fake “accountant” profiles asking users for money

The previous figure shows the “accountant” profiles asking Instagram users to send US$0.99 through a large payment processing service to cover the postage fees for mailing out the checks.

Figure 3. Users who have fallen for the lottery scam

Even though a number of red flags were present for users, the scam has proven to be a success. Each account has gained thousands of followers, with users willingly divulging their email addresses, and some users sending scammers US$0.99 for the supposed postage fees.

The main goal of this scam campaign was to collect accounts with thousands of followers for personal use or resale. During our research, we also found that user names associated with some of the impersonation accounts had performed an account pivot. This means the avatar, user name, and user biography section were changed to preserve the account from being flagged for spam. This allowed the scammers to continue to use or sell the account.

Figure 4. Instagram impersonation accounts have reappeared with fewer followers

Shortly after the account pivot, the impersonation accounts reappeared, but with fewer followers than before. One of the accounts even claimed that it was “hacked” and asked followers to be patient.

It’s clear that these accounts are fraudulent, but users continue to believe that they will be given US$1000 just for following Instagram accounts.

Symantec advises users with the following precautions:

  • Do not believe everything you read, especially on social networking sites
  • Be skeptical when you come across such offers. As we have previously pointed out, free stuff on social networks is not free
  • Do not willingly give up personal information
  • Do not send money to somebody you do not know or trust

Always remember that if it sounds too good to be true, it is.

Using Social Intelligence to Uproot Advanced Persistent Threats


The number of spear-phishing campaigns grew a dramatic 91 percent in 2013 according to this year’s Internet Security Threat Report. With cyber attacks, it’s not a matter of if, but when an attack will occur. Without complete visibility into your environment and the current threat landscape, it’s easy to be blindsided by an attacker and have security incidents go undetected. Organizations need to build a cyber-resilient strategy to protect sensitive data from targeted attacks and advanced persistent threats.

What are Advanced Persistent Threats?

An advanced persistent threat (APT) is a targeted attack that uses multiple phases to break into a network, avoid detection, and harvest valuable information over the long term. The fact that APTs are often aimed at stealing intellectual property suggests new roles for cybercriminals as information brokers in industrial espionage schemes. This is how it works:

  1. Reconnaissance – Cybercriminals gather information about the company they want to infiltrate and employees to target through social engineering.
  2. Weaponization/Delivery – Most of your employees can spot an obvious phishing email when they see one and will delete it before it causes any damage. But what about one that’s not so obvious? An email that has been carefully designed to look legitimate may seem legitimate – but one click could put your company’s data at risk. For example, attackers could send emails to specific employees posing as the company IT department prompting them to change their password. The email looks legitimate, so your employee clicks on the URL unaware that they’ve just exposed the company to a malware attack. The link was created by the attacker to be passed around the world through multiple redirects to evade detection from traditional email security filters – ending up on a fake website that looks just like your company website. Malware from the malicious site infects the employee’s computer, exploiting a known (or unknown) vulnerability.
  3. Exploitation/Installation – Now that the cybercriminals have open access to this system, they launch more malware to find other vulnerabilities within the network that have access to your company’s private data. The attackers stay “low and slow” to avoid detection and they map the organization’s defenses from the inside to create a battle plan.
  4. Command and Control – The cybercriminals can remain undetected for months, deploying multiple parallel kill chains to ensure success. They expand their access to other internal systems and may also install malware to secretly acquire data or disrupt operations. It’s all about remote control, the ability to weave an infected node into a network of information acquisition.
  5. Exfiltration – Valuable information about your company or employees is sent back to the attack team’s home base for analysis and further exploitation, fraud – or worse. Your company’s own network can even be used to attack someone else, and you’ll be blamed for it!

You need information to protect your information. Symantec recommends building a cyber-resilience strategy -- fueled by security intelligence -- to help you safeguard your organization from APT. This will help you:

  • Avoid being blindsided by an attack by using the power of big data. The Symantec security intelligence solutions analyze unfiltered alerts, external threat intelligence, and traffic patterns for malicious activity.  We correlate and find trends for you so you can be proactive and not purely reactive.
  • Create a security-aware and enabled workforce.  You’re only as secure as your weakest link.  Create a comprehensive strategy across people, technology, and processes. 

Symantec intelligent security solutions are the cornerstone to a cyber-resilient strategy. To learn more, join us at Symantec Vision.

Heartbleed Bug Poses Serious Threat to Unpatched Servers


A newly discovered vulnerability in one of the most commonly used implementations of the SSL and TLS cryptographic protocols presents an immediate and serious danger to any unpatched server. The bug, known as Heartbleed, allows attackers to intercept secure communications and steal sensitive information such as login credentials, personal data, or even decryption keys.

Heartbleed, or the OpenSSL TLS 'heartbeat' Extension Information Disclosure Vulnerability (CVE-2014-0160), affects a component of OpenSSL known as Heartbeat. OpenSSL is one of the most widely used implementations of the SSL (Secure Sockets Layer) and TLS (Transport Layer Security) protocols.

Heartbeat is an extension to the TLS protocol that allows a TLS session to be kept alive, even if no real communication has occurred for some time. The feature will verify that both computers are still connected and available for communication. It also saves the user the trouble of having to reenter their credentials to establish another secure connection if the original connection is dropped.

How does it work? Heartbeat sends a message to the OpenSSL server, which in turn relays that message back to the sender, verifying the connection. The message contains two components, a packet of data known as the payload which can be up to 64KB and information on the size of the payload.

However, the Heartbleed vulnerability in OpenSSL allows an attacker to spoof the information on the payload size. For example, they could send a payload of just one kilobyte in size, but state that it is 64KB.

How an OpenSSL server deals with this malformed Heartbeat message is key to the danger this vulnerability poses. It does not attempt to verify that the payload is the same size as stated by the message. Instead it assumes that the payload is the correct size and attempts to send it back to the computer it came from. However, since it doesn’t have the full 64KB of data it will instead automatically “pad out” the payload with data stored next to it in the application’s memory. If the server received a 1KB payload, it will thus send it back along with 63KB of other data stored in its memory. This could include the login credentials of a user, personal data, or even, in some cases, session and private encryption keys.
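The handling described above can be modelled in a few lines. This Python simulation is an added example, not OpenSSL source code: server memory is a byte string, the neighbouring SECRET value is constructed, and the function names are hypothetical. The message layout and the rule of silently discarding an over-long payload_length follow RFC 6520.

```python
"""Model of heartbeat handling with and without the payload length check."""
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
HEADER_LEN = 3     # 1-byte type + 2-byte big-endian payload_length (RFC 6520)
MIN_PADDING = 16   # RFC 6520 requires at least 16 bytes of padding

# Constructed sample data standing in for whatever sits next to the request in memory.
SECRET = b"session=CONSTRUCTED-SAMPLE-VALUE"


def make_record(payload, declared_len):
    """Heartbeat request whose length field may disagree with the payload actually sent."""
    return struct.pack("!BH", HB_REQUEST, declared_len) + payload + bytes(MIN_PADDING)


def process_memory(record):
    """Simulated server memory: the received record followed by unrelated data."""
    return record + SECRET + bytes(70000)


def length_fits(declared_len, record_len):
    """Header + declared payload + minimum padding must fit inside the received record."""
    return HEADER_LEN + declared_len + MIN_PADDING <= record_len


def respond(memory, record_len, check_length):
    msg_type, declared_len = struct.unpack_from("!BH", memory, 0)
    if msg_type != HB_REQUEST:
        return b""
    if check_length and not length_fits(declared_len, record_len):
        return b""  # malformed request is silently discarded
    # Copy declared_len bytes starting at the payload. Without the check above,
    # the copy runs past the end of the record into whatever follows it.
    echoed = memory[HEADER_LEN:HEADER_LEN + declared_len]
    # Padding is random in a real implementation; zeros keep the model deterministic.
    return struct.pack("!BH", HB_RESPONSE, declared_len) + echoed + bytes(MIN_PADDING)


def handle_vulnerable(record):
    """Trusts the declared length, as the text describes for unpatched servers."""
    return respond(process_memory(record), len(record), check_length=False)


def handle_fixed(record):
    """Validates the declared length against the record before echoing anything."""
    return respond(process_memory(record), len(record), check_length=True)


def over_read(record):
    """Bytes the declared length reaches beyond the payload the peer really sent."""
    _, declared_len = struct.unpack_from("!BH", record, 0)
    actual = len(record) - HEADER_LEN - MIN_PADDING
    return max(0, declared_len - actual)


if __name__ == "__main__":
    spoofed = make_record(b"A" * 1024, 0xFFFF)  # 1 KB sent, maximum length declared
    print("over-read bytes:", over_read(spoofed))
    print("secret exposed without check:", SECRET in handle_vulnerable(spoofed))
    print("response with check:", handle_fixed(spoofed))
```

`length_fits` also works as a detection predicate: a heartbeat request for which it returns False is malformed regardless of whether the server is patched.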

The data the application sends back is random and it is possible that the attacker may receive some incomplete or useless pieces of data. However, the nature of the vulnerability means that the attack can be performed again and again, meaning the attacker can build a bigger picture of the data stored by the application over time.

Private encryption keys may be the most difficult thing to steal using this attack. Data is stored in a sequential fashion, with new data stored in front of older data. Encryption keys will usually be stored “behind” the payload in memory, meaning they are less likely to be accessed. Content from current SSL/TLS sessions is the type of data most likely to be at risk.

The Heartbleed bug is the latest in a series of SSL/TLS vulnerabilities uncovered this year. TLS and its older predecessor SSL are both secure protocols for Internet communication and work by encrypting traffic between two computers.

In February, Apple had to patch two critical vulnerabilities affecting SSL in its software. It first issued an update for its mobile operating system iOS, which patched a flaw that enabled an attacker with a privileged network position to capture or modify data in sessions protected by SSL/TLS. Days later, a second update was issued, this time for its desktop operating system OS X, after it was discovered that the same vulnerability also affected it.

In March, a certificate vulnerability was found in security library GnuTLS, which is used in a large number of Linux versions, including Red Hat desktop and server products, and Ubuntu and Debian distributions of the operating system.

GnuTLS is an open source software implementation of SSL/TLS. The bug meant that GnuTLS failed to correctly handle some errors that could occur when verifying a security certificate. This could allow an attacker to use a specially crafted certificate to trick GnuTLS into trusting a malicious website. The vulnerability was immediately patched by GnuTLS.

Heartbleed is by far the most serious vulnerability in SSL/TLS to be uncovered of late. The nature of the bug and the fact that it affects one of the most widely used implementations of SSL/TLS mean that it poses an immediate risk.

Advice for businesses:

  • Anyone using OpenSSL 1.0.1 through 1.0.1f should update to the latest fixed version of the software (1.0.1g), or recompile OpenSSL without the heartbeat extension
  • After moving to a fixed version of OpenSSL, if you believe your web server certificates may have been compromised or stolen as a result of exploitation, contact the certificate authority for a replacement
  • Finally, and as a best practice, businesses should also consider resetting end-user passwords that may have been visible in a compromised server memory

Advice for consumers:

  • You should be aware that your data could have been seen by a third party if you used a vulnerable service provider
  • Monitor any notices from the vendors you use. Once a vulnerable vendor has communicated to customers that they should change their passwords, users should do so
  • Avoid potential phishing emails from attackers asking you to update your password – to avoid going to an impersonated website, stick with the official site domain
  • Stick to reputable websites and services. They are most likely to have immediately addressed the vulnerability
  • Monitor your bank and credit card statements to check for any unusual transactions


Heartbleed in OpenSSL: Take Action Now!


This week a vulnerability dubbed “Heartbleed” was found in the popular OpenSSL cryptographic software library (http://heartbleed.com).  OpenSSL is widely used, often with applications and web servers like Apache and Nginx.   OpenSSL versions 1.0.1 through 1.0.1f contain this vulnerability, which attackers can exploit to read the memory of the systems.  Gaining access to the memory could provide attackers with secret keys, allowing them to decrypt and eavesdrop on SSL encrypted communications and impersonate service providers. Data in memory may also contain sensitive information including usernames and passwords.

Heartbleed is not a vulnerability with SSL/TLS, but rather a software bug in the OpenSSL heartbeat implementation. SSL/TLS is not broken; it is still the gold standard for encrypting data in transit on the Internet. However, due to the popularity of OpenSSL, approximately 66% of the Internet or two-thirds of web servers (according to the Netcraft Web server report) could be using this software. Companies using OpenSSL should update to the latest fixed version of the software (1.0.1g) or recompile OpenSSL without the heartbeat extension as soon as possible.

As the world’s leading Certification Authority, Symantec has already taken steps to strengthen our systems. Our roots are not at risk; however, we are following best practices and have re-keyed all certificates on web servers that have the affected versions of OpenSSL.

After companies have updated or recompiled their systems, Symantec is recommending that customers replace all their certificates, regardless of issuer, on their web servers to mitigate the risk of a security breach. Symantec will be offering free replacement certificates for all our customers.

Finally, Symantec is asking customers to reset passwords to their SSL and code-signing management consoles.  Again, this is a best practice and we encourage companies to ask their end customers to do the same after their systems have applied the fix.  We will continue to work with our customers to minimize the impact of security risks from this vulnerability.

For your convenience, here is a summary of steps to take:

For businesses:

  • Anyone using OpenSSL 1.0.1 through 1.0.1f should update to the latest fixed version of the software (1.0.1g), or recompile OpenSSL without the heartbeat extension.  
  • Businesses should also replace the certificate on their web server after moving to a fixed version of OpenSSL.
  • Finally, and as a best practice, businesses should also consider resetting end-user passwords that may have been visible in a compromised server memory.

For consumers:

  • Be aware that your data could have been seen by a third party if you used a vulnerable service provider.
  • Monitor any notices from the vendors you use. Once a vulnerable vendor has communicated to customers that they should change their passwords, users should do so.
  • Avoid potential phishing emails from attackers asking you to update your password – to avoid going to an impersonated website, stick with the official site domain.

Healthcare, the Walking Dead, and Windows XP


Windows XP End of Support (EOS) and what it means for Healthcare Providers and HIPAA compliance.


Microsoft Patch Tuesday - April 2014


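Here is this month's Microsoft patch release blog. This month, four security bulletins covering 11 vulnerabilities have been released. Seven of these are rated Critical.

As always, we recommend the following security best practices:

  • Install vendor patches as soon as they are available.
  • Run all software with the least privileges required while still maintaining functionality.
  • Avoid handling files from unknown or questionable sources.
  • Never visit sites of unknown or questionable integrity.
  • Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft's summary of the April releases is published on the following page:
http://technet.microsoft.com/ja-jp/security/bulletin/ms14-apr

More detail on some of the issues addressed by this month's patches follows.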

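  1. MS14-017 Vulnerabilities in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (2949660)

    Microsoft Office File Format Converter Vulnerability (CVE-2014-1757) MS Rating: Important

    A remote code execution vulnerability exists in the way that Microsoft Office software converts specially crafted files. An attacker who successfully exploited this vulnerability could run arbitrary code as the current user. If the current user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

    Microsoft Word Stack Overflow Vulnerability (CVE-2014-1758) MS Rating: Important

    A remote code execution vulnerability exists in the way that Microsoft Word parses specially crafted files. An attacker who successfully exploited this vulnerability could run arbitrary code as the current user. If the current user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

    Word RTF Memory Corruption Vulnerability (CVE-2014-1761) MS Rating: Critical

    A remote code execution vulnerability exists in the way that Microsoft Word parses specially crafted files. An attacker who successfully exploited this vulnerability could run arbitrary code as the current user. If the current user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.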

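  2. MS14-018 Cumulative Security Update for Internet Explorer (2950467)

    Internet Explorer Memory Corruption Vulnerability (CVE-2014-0235) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2014-1751) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2014-1752) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2014-1753) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2014-1755) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2014-1760) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.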

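  3. MS14-019 Vulnerability in Windows File Handling Component Could Allow Remote Code Execution (2922229)

    Windows File Handling Vulnerability (CVE-2014-0315) MS Rating: Important

    A remote code execution vulnerability exists in the way that Microsoft Windows processes .bat and .cmd files that are run from an external network. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system are likely to be less affected by this vulnerability than users who operate with administrative user rights.

  4. MS14-020 Vulnerability in Microsoft Publisher Could Allow Remote Code Execution (2950145)

    Arbitrary Pointer Dereference Vulnerability (CVE-2014-1759) MS Rating: Important

    A remote code execution vulnerability exists in the way that Microsoft Publisher parses specially crafted files. An attacker who successfully exploited this vulnerability could run arbitrary code as the current user. If the current user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.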

More information on the vulnerabilities addressed this month is available on Symantec's free SecurityFocus portal, and customers can also obtain it through the DeepSight Threat Management System.

 


Enterprise Vault 11 is coming, are you ready?


Enterprise Vault 11 is right around the corner. Is your environment ready for it? Are you already on Enterprise Vault and this will be a 'simple' upgrade, or are you on an older version of Enterprise?

Is there a particular feature or benefit you are most looking forward to in Enterprise Vault 11?

For me, I think it's the IMAP support. I can't wait to try that out on my iPad.

2014 Internet Security Threat Report: Year of the Mega Data Breach


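Once again, it is time to present the Internet Security Threat Report (ISTR) (in English), which shares Symantec's latest findings. Based on Symantec's research and analysis from the past year, it examines the current state of the threat landscape. Key trends covered in this year's report include the large increase in data breaches and targeted attacks, the evolution of mobile malware and ransomware, and the potential threat posed by the Internet of Things. We look at each of these topics in more detail below.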

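Year of the Mega Data Breach
2011 was called the "Year of the Data Breach", but the data breaches of 2013 far exceeded the scale of previous years. In 2013, the number of data breaches rose 62% from 2012, and the number of identities exposed reached 552 million, an increase of 368%. It was also the first year in which each of the top eight breaches exposed more than 10 million identities, making it truly the year of the "mega" data breach. In the previous year, 2012, only one breach was of that scale.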

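Attackers Set Their Sights on Medium-Sized Businesses
If you have read previous reports, you will know that the main targets attackers go after are small and medium-sized businesses (SMBs). That trend has not changed this year. In 2013, SMBs as a whole accounted for more than half of targeted attacks at 61% (50% in 2012), with attacks on medium-sized (2,500 or more employees) businesses seeing the largest increase.

Attacks against businesses of all sizes also grew 91% from 2012, nearly doubling. As in the previous year, cybercriminals deployed watering hole attacks and spear phishing to raise the success rate of their attacks, but spear-phishing attacks fell 23% because the share of campaigns relying on email declined. Meanwhile, watering hole attacks led to more attacks through drive-by downloads, lying in wait for users at the websites their targets frequently visit. A 61% increase in zero-day vulnerabilities also fuelled attacks: by exploiting zero-day vulnerabilities, attackers can hit sites that are not properly patched and infect the victim's environment with little or no extra effort.

The most targeted industry continued to be government (16% of all attacks). This year's report looks not only at the volume of attacks but also at who is a preferred target and what the odds of being singled out are. The bad news is that no one has favourable odds, and everyone needs to be prepared for targeted attacks. Checking those odds did, however, turn up some surprises. It is unwelcome news if you are a personal assistant at a mid-sized mining company: you are in the "most targeted" line of work.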

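Mobile Malware and Madware Invade Consumers' Privacy
Many people download new apps to their mobile devices without a second thought, but many malicious apps contain highly annoying or unwanted capabilities. Of the new malware written in 2013, 33% tracked users and 20% collected data from the compromised device. 2013 was also the first year in which remote access toolkits (RATs) began to appear for Android devices. A RAT running on a device can monitor and make phone calls, send and receive SMS messages, obtain the device's GPS coordinates, activate and use the camera and microphone, and access files stored on the device. Needless to say, the victim neither knows about it nor has consented to it.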

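Ransomware Grows Explosively and Turns More Vicious
As Symantec previously predicted, ransomware (malicious software that locks computers and files) surged in 2013. In addition to explosive growth of 500% over the past year, it has become a highly lucrative business for attackers, yielding a profit of US$100 to US$500 for each successful ransom payment. The attacks have also grown more vicious, holding data hostage with strong encryption and threatening to erase it permanently if the ransom is not paid by a given deadline.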

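The Internet of Things Holds the Future of Identity Theft
Which was hacked in the past year: a refrigerator or a baby monitor? When we put this question to customers, many answer "both", but the correct answer is the baby monitor. Whatever the news may have reported, no Internet-connected refrigerator has actually been attacked yet. But "not yet" is all it is. In 2013, security researchers demonstrated that attacks against cars, security cameras, televisions, and medical equipment are all possible. The refrigerator may be next. The Internet of Things (IoT) is growing right now, and the related threats are sure to follow. This year's report touches on what has been learned so far, and the consensus is that, among Internet-connected devices, home routers are at the highest risk of attack.

What happens next? Because IoT devices store information such as personal data and bank account details, it is only a matter of time before a refrigerator really is hacked. For now, security is an afterthought for both the makers and the users of IoT devices. It may not be taken seriously until a major security incident occurs, but if you start thinking about the potential security risks now, you can be fully prepared when the time comes. Start by reading this year's ISTR.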

For more details, see the Internet Security Threat Report, Volume 19 (in English).

 


Climate Change Series - Celebrating the One Year Anniversary of the Climate Declaration


“Tackling climate change is one of America’s greatest economic opportunities of the 21st Century (and it’s simply the right thing to do).” - BICEP Climate Declaration

Today is the first anniversary of the Business for Innovative Climate & Energy Policy (BICEP)’s Climate Declaration – a call to action from leading American businesses, urging the public, policy makers and business leaders to seize the economic opportunity in tackling climate change.

At Symantec, we are convinced that a strong, international coalition of governments, businesses, and civil society organizations is required to effectively address climate challenges. We are therefore proud to be signatories of the Climate Declaration, joining approximately 500 companies nationwide to demonstrate our commitment to combatting climate change and advocating for all in the corporate community to do the same. In honor of the Climate Declaration’s first anniversary, we present a two-part series focusing on one of our primary efforts to reduce our climate change impacts – green building – as well as a deeper look at what the Climate Declaration means to us at Symantec.

What Does LEED Platinum Certified Look Like? Take a Peek Inside…

As mentioned above, mitigating our impacts on climate change is central to our environmental strategy, and a key part of this is green building where we have set a goal to obtain LEED and Energy Star certifications for 100 percent of our owned or long-leased facilities.

This past year was another success for green building at Symantec and we continued to move closer to our green building goal.  We’ve reached 22 LEED certified buildings which has brought our certified facilities to 82% of our eligible real estate square footage. And recently, we wrote about how we are leveraging our current efforts to take green building at Symantec to the next level.

A highlight this year was the development of two LEED Platinum certified facilities in Pune, India, bringing the number of our LEED Platinum facilities to a total of three! The Platinum certification, which recognizes the highest level of performance, is not easy to come by; however, our two offices performed strongly across the board.

Due to the hard work and expertise of the project development team led by Karminder Singh (Senior Manager, Global Space Planning and Projects, Workplace Solutions), the offices scored 88 and 89 out of 100 and received “notable achievements” in key areas such as alternative transportation, water efficiency, aligning with regional green building priorities and reducing building energy consumption. To achieve this level of performance and optimize our efficiencies, we leveraged subject matter experts and best practices in green building throughout the design and building process. For example, at one site we reduced potable water usage by 53.74% from the calculated baseline design, and 95.81% of construction waste was diverted from landfill.

LEEDing Design

Have you ever wondered what LEED Platinum looks like? While past posts have focused on the technical aspects of LEED, today we are excited to share some visuals – through a peek into our new LEED Platinum certified campus in Pune.

Enjoy the tour!

 


 

Cecily Joseph is Symantec's Vice President, Corporate Responsibility.

How to Fight the Rise of the Mega Breach
