Channel: Symantec Connect - Blog Entries

ITMS 7.5 HF6 is now published


Email Security at Symantec Vision Las Vegas 2014


Getting ready for Vegas? Symantec Vision Las Vegas 2014 is going to be a great event, and there'll be lots of experts from our Email Security team on hand to talk to. Many of them will be speaking at breakout sessions or working with you in hands-on labs.

If you're looking to find out how Email Security from Symantec has evolved, why antivirus and antispam alone won't cut the mustard, how to block targeted attacks in Office 365, or how the email gateway provides context to your security event clutter, then you should definitely check out these sessions and labs from the team.

Not To Be Missed Breakout Sessions:

Wednesday 8th May
9:00am    Behind the Yellow Curtain: Discover Symantec's Proactive Protection Technology - 1481
3:15pm    Microsoft Office 365 - Uncertainty Matters - 1485
3:15pm    Cloud Security: How I Sleep At Night - Customer Panel - 1320
4:30pm    Secure Your Email with Encryption as a Service - 1486

Thursday May 9th
10:15am   Gateway, Cloud and Targeted Attacks: Symantec's Vision Strategy and Roadmap - 1483

Hands-On Labs:

Monday May 5th
2:15pm    Keep It Secret, Keep It Safe - DLP at Your Gateway - 1733
3:30pm    Protecting Email with DLP and Encryption - 1523

Wednesday May 7th
9:00am & 4:30pm    Strong Email Security with Symantec Messaging Gateway - 1525
4:30pm    Data Protection and Stronger Security for Email and Microsoft Office 365 - 1721
10:15am  Protecting Email with DLP and Encryption - 1523

Thursday May 8th
11:30am  Data Protection and Stronger Security for Email and Microsoft Office 365 - 1721

Keep an eye out for the experience areas where you are bound to find members of the team talking about the benefits of real time link following over URL re-writing and other techniques that make our Email Security service so effective at blocking targeted attack email campaigns, regardless of who is hosting your mailbox.  They'll be wearing one of these badges and would love to talk to you.


We are looking forward to connecting with you all in Vegas!

- Symantec Email Security Team

Vision Session: R&D: Invent the Future of Data Management and Availability


Become a design partner to help define how Symantec's Information Management portfolio (Backup & Recovery, Information Availability, and Information Intelligence) will enable business continuity, application development, analytics, eDiscovery, cloud migration, and much more.

Symantec Warns of Online Scam Promising Miracle Diets via Twitter

Symantec is drawing attention to the latest online threat, which uses the lure of a "miracle diet" to entice careless social-network users. According to the company, the scam consists of luring people eager to lose weight into clicking links that promise effective, revolutionary diets, and then redirecting them to promotional pages to persuade them to buy the products.

In this context, cybercriminals prefer social media as a way to reach the largest possible number of users, expose their identities and make money. According to Symantec's annual Internet Security Threat Report, more than 552 million identities were exposed on the Internet through cyberattacks during 2013.

In the specific case of this threat, Symantec highlights the large number of websites and Twitter accounts that were compromised and used by cybercriminals to spread malicious spam through social engineering. One example of the online attacks was a page designed to look identical to the official Women's Health website.

Figure 1. Fake promotional page designed by cybercriminals.

In this recent campaign, accounts belonging to athletes, politicians, television producers, bloggers, comedians and other public figures were compromised, allowing the hackers to reach hundreds of thousands of followers of each profile. Celebrities are frequent targets, sought out by criminals to help attract more victims and increase the chances of convincing someone to click their links and perhaps even buy the product that promises dramatic weight loss.

Figure 2. Compromised accounts of two public figures: the first of an American football player and the second of a model from the United States.

Social Architecture and Pinterest as a Target

Besides Twitter, Pinterest was also a victim of the attack. A few weeks ago TechCrunch published an article about social threats after one of its co-editor's accounts was compromised and used to publish photos about her weight loss. Symantec's research found that the image descriptions and the compromised sites acting as redirectors for the scam are the same as those used in the malicious campaign run through Twitter, so both are believed to be connected to the same cybercriminals. To keep Internet users from becoming victims of cybercrime through social networks, Symantec offers the following tips for safe online behaviour:

For ordinary users:

  • Use strong, distinct passwords on your devices and social profiles;
  • Do not open or share dubious or suspicious links that arrive by email or on your social profile;
  • Always choose secure, official sites, whether for browsing or for online shopping;
  • Regularly check your computers and devices for viruses and malware; security software such as Norton 360 Multi-Devices helps with this protection.

For site owners:

  • Use the latest version of your content management system;
  • Always apply all security patches;
  • Update the site's extensions;
  • Review the directory permissions on your web servers.

For more information see this blog post or contact Symantec's communications agency to schedule an interview with a company spokesperson.

Enterprise Vault.cloud: HeartBleed Vulnerabilities


Announcement - Heartbleed OpenSSL information

Internet of Things (IoT) Worm Used to Mine Cryptocurrency

Symantec Security Response discovered an Internet of Things (IoT) worm named Linux.Darlloz last November. The worm attacks computers based on the Intel x86 architecture, and it also targets devices on the ARM, MIPS and PowerPC architectures commonly found in routers and set-top boxes. After the initial discovery, Symantec found a new variant of the worm in mid-January. According to Symantec's analysis, the worm's author is continually updating the code and adding new features, with a particular focus on making money from the worm.

A scan that Symantec conducted in February across the entire Internet IP address range found that more than 31,000 devices were infected with Linux.Darlloz.

Coin mining

Symantec has also confirmed that the worm is currently being used to mine cryptocurrency. When a computer running the Intel architecture is infected with the new variant, an open-source coin-mining program called cpuminer is installed. The worm then begins mining Mincoins or Dogecoins on the infected computer. By the end of February 2014 the attacker had mined 42,438 Dogecoins (worth roughly US$46 at the time of writing) and 282 Mincoins (roughly US$150 at the same time). Although these amounts are small compared with typical cybercrime, the attacker is expected to keep refining the threat in order to increase revenue.

The worm's new coin-mining capability affects only computers on the Intel x86 architecture; no cases of it being used against IoT devices have been confirmed yet. Coin mining generally requires a device with ample memory and a powerful CPU.

Why Mincoin and Dogecoin were targeted

Rather than going after Bitcoin, a better-known and more valuable cryptocurrency, the worm appears to concentrate on mining Mincoin and Dogecoin. This is because Mincoin and Dogecoin use the scrypt algorithm, so unlike Bitcoin, which needs custom ASIC chips to be mined profitably, they can still be mined successfully on home PCs.

New targets

The first version of Darlloz used nine combinations of user names and passwords used on routers and set-top boxes. The latest version uses 13 combinations of login credentials, which also lets it attack IP cameras widely used for remote surveillance in businesses.

Why IoT devices are targeted

The Internet of Things refers to virtually any kind of device connected to the Internet. Many users take great care over their computer's security but may not realize that their IoT devices need protecting as well. Unlike ordinary computers, a large number of IoT devices ship with a default user name and password, and many users probably never change them. The use of these default credentials is one of the main attack vectors against IoT devices. Many of these devices also have vulnerabilities the user is unaware of, and the patches for them have not been installed.

The threat currently targets computers, routers, set-top boxes and IP cameras, but if the worm is updated in future it could also target other IoT devices such as home automation devices and wearable technology.

Blocking other attackers

As explained in a previous blog, this worm blocks other attackers or worms such as Linux.Aidra from attacking devices infected with Linux.Darlloz. The malware author actually implemented this feature in the worm distributed last November.

In early January, a backdoor found in a number of routers was reported. A remote attacker could use this backdoor to access the router and then infect the user's network. Since this worked against the Darlloz author, the author implemented a feature that blocks access to the backdoor port: the worm creates a new firewall rule on the infected device so that other attackers cannot get in through the same backdoor.

Infection status

Once a device is infected, Darlloz starts an HTTP web server on port 58455 in order to spread. The server hosts the worm file and lets anyone download it through this port with an HTTP GET request. Symantec searched for IP addresses with this port open that were hosting Darlloz files at the static path, and then, on the premise that the Darlloz worm was downloadable, collected OS fingerprints from the hosting servers. The statistics below give a rough picture of the infection.

  • 31,716 IP addresses were confirmed to be infected with Darlloz.
  • Darlloz infections occurred in 139 regions.
  • 449 OS fingerprints were identified from the infected IP addresses.
  • 43% of Darlloz infections were on Intel-based computers or servers running Linux.
  • 38% of Darlloz infections appear to be on a variety of IoT devices such as routers, set-top boxes, IP cameras and printers.

Figure 1. Top five regions for Darlloz infections

Five regions, China, the United States, South Korea, Taiwan and India, accounted for 50% of all Darlloz infections. Large numbers of Internet users or widespread adoption of IoT devices appear to be the main reasons.

Infected IoT devices

Individual users may not be aware that their IoT devices can be infected with malware. As a result, the worm has attacked 31,000 computers and IoT devices in four months and is still spreading. The malware author is expected to keep updating the worm with new features in step with changes in the technology landscape, and Symantec will continue to monitor this threat.

Mitigation

  • Apply security patches to all software installed on computers and IoT devices.
  • Update the firmware on all devices.
  • Change the default password on all devices to a new one.
  • Block incoming connections on port 23 or 80 from outside if they are not needed.
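To turn the infection mechanics described above into a detection, here is an added Python example (not Symantec's code) that flags, in constructed firewall flow records, hosts being contacted on the worm's file-hosting port 58455 and sources probing many neighbours on telnet port 23; the record format, the addresses and the scan threshold are assumptions.

```python
"""Flag Darlloz-like activity in connection logs.

Added example built on the article's description of the worm: an infected
device serves the worm binary over HTTP on TCP port 58455, and new infections
are attempted with default user names and passwords (telnet, port 23).
All log lines below are constructed; the addresses come from RFC 5737
documentation ranges and are not real indicators.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

DARLLOZ_HTTP_PORT = 58455   # file-hosting HTTP server started by the worm (from the article)
TELNET_PORT = 23            # default-credential login attempts (the article advises blocking it)
SCAN_THRESHOLD = 5          # assumed: distinct telnet targets from one source before flagging

# Minimal firewall/flow record format assumed for this example.
LINE_RE = re.compile(
    r"src=(?P<src>[\d.]+)\s+sport=\d+\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)"
)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def parse_flows(lines):
    """Parse constructed flow records; lines that do not match are skipped."""
    flows = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            flows.append(Flow(m["src"], m["dst"], int(m["dport"])))
    return flows


def darlloz_hosts(flows):
    """Hosts being contacted on 58455: candidates that are already infected and
    serving the worm file. Confirm on the host itself before acting."""
    return sorted({f.dst for f in flows if f.dport == DARLLOZ_HTTP_PORT})


def downloaders(flows):
    """Hosts that fetched from a 58455 server: candidates for fresh infections."""
    return sorted({f.src for f in flows if f.dport == DARLLOZ_HTTP_PORT})


def telnet_scanners(flows, threshold=SCAN_THRESHOLD):
    """Sources touching many distinct hosts on port 23, which is how the worm
    tries its list of default credentials against new devices."""
    targets = defaultdict(set)
    for f in flows:
        if f.dport == TELNET_PORT:
            targets[f.src].add(f.dst)
    return sorted(src for src, dsts in targets.items() if len(dsts) >= threshold)


def report(lines):
    """Run all three checks over raw log lines and return the findings."""
    flows = parse_flows(lines)
    return {
        "darlloz_hosts": darlloz_hosts(flows),
        "downloaders": downloaders(flows),
        "telnet_scanners": telnet_scanners(flows),
    }


# Constructed sample: 198.51.100.5 is an already-infected device that serves the
# worm on 58455 and probes six neighbours on telnet; two hosts download from it.
SAMPLE_LOG = [
    "2014-02-10T10:00:01Z ACCEPT src=192.0.2.10 sport=51234 dst=198.51.100.5 dport=58455 proto=tcp",
    "2014-02-10T10:00:03Z ACCEPT src=192.0.2.11 sport=51240 dst=198.51.100.5 dport=58455 proto=tcp",
    "2014-02-10T10:00:05Z ACCEPT src=192.0.2.20 sport=51300 dst=203.0.113.9 dport=443 proto=tcp",
] + [
    f"2014-02-10T10:01:{i:02d}Z DROP src=198.51.100.5 sport={40000 + i} dst=203.0.113.{i} dport=23 proto=tcp"
    for i in range(1, 7)
]

if __name__ == "__main__":
    for key, hosts in report(SAMPLE_LOG).items():
        print(f"{key}: {', '.join(hosts) or '-'}")
```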

Symantec VIP Update: Push for customer facing mobile applications


Announcing an update for Symantec VIP. Two-factor authentication is critical to protecting against vulnerabilities like Heartbleed, and Push verification makes it even easier.

Adobe Releases Patch for Exploitable Flash Player Vulnerability

Adobe has published a security bulletin for a buffer overflow vulnerability (CVE-2014-0515) in Adobe Flash Player. According to the new bulletin, APSB14-13, the buffer overflow vulnerability affects various versions of Adobe Flash Player on multiple platforms. An attacker could exploit this critical vulnerability to execute arbitrary code remotely. Adobe has confirmed that the vulnerability is already being exploited, and further investigation shows that it is being used in targeted attacks.

According to the bulletin, the following versions of Adobe Flash Player are vulnerable:

  • Adobe Flash Player 13.0.0.182 and earlier for Windows
  • Adobe Flash Player 13.0.0.201 and earlier for Macintosh
  • Adobe Flash Player 11.2.202.350 and earlier for Linux

Symantec Security Response will continue to monitor the situation and will provide further information about this vulnerability as soon as it is confirmed. To reduce the chance of exploitation, we recommend applying the patch provided by Adobe. To obtain the update, go directly to the Adobe Flash Player Download Center or accept the update prompt displayed by the installed product. The Flash Player bundled with Chrome and Internet Explorer is updated to a non-vulnerable version by updating the respective browser.

Update - April 29, 2014:
Symantec customers are protected against this attack by the following detections.

Antivirus
Bloodhound.Flash.24

Intrusion Prevention System
Web Attack: Adobe Flash Player CVE-2014-0515

Symantec.Cloud customers are also protected against email attacks that exploit this vulnerability.

* To subscribe to the RSS feed of the Japanese Security Response blog, go to http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja.


Hacking Facebook: Scammers Trick Users to Gain Likes and Followers


Late last week, Facebook users in India were tricked by scammers who were claiming to offer a tool that could hack Facebook in order to obtain passwords belonging to the users’ friends. Unfortunately for these users, they actually ended up hacking their own accounts for the scammers and exposed their friends in the process.


Figure 1. Scam promoting how to hack your Facebook friends

Want to hack your friends?
A post began circulating on Facebook from a particular page featuring a video with instructions on “Facebook Hacking” with a disclaimer stating that it was for education purposes only. The post links to a document hosted on Google Drive that contains some code that, according to the scam, will allow users to reveal their friends’ Facebook passwords. The instructions attempt to convince the user to paste the code into their browser console window and asks them to wait two hours before the hack will supposedly work.

You just hacked yourself


Figure 2. Facebook account hijacked to follow and like various pages

What really happens when you paste this code into your browser console window is that a series of actions are performed using your Facebook account without your knowledge. Behind the scenes, your account is used to follow lists and users, and give likes to pages in order to inflate the follower and like counts defined by the scammers.


Figure 3. What does the Fox say? I have over 56,000 likes!

Your account is also used to tag the names of all your friends in the comment section of the original post. This is done to help the scam spread further, playing off the curiosity of your friends, who may visit the post to find out more and hopefully follow the instructions as well.


Figure 4. User’s compromised account tags friends in the original scam post

What is this type of scam called?
This scam is a variation of a method known as self-XSS (self cross-site scripting), where a user is tricked into copying and pasting code into their browser’s console that will perform various actions on their behalf.

Facebook is trying to discourage users from unwittingly causing harm to their accounts through this method. Some users that attempt to paste code may receive a warning from within their browser’s developer console that points to the following link:

https://www.facebook.com/selfxss

Is this type of scam new?
This type of scam originally began circulating back in 2011. This current iteration has been around since at least the beginning of 2014.

The original scammers behind this iteration had great success with the scam at the beginning of this year, netting between 50,000 to 100,000 likes and followers on a number of pages and profiles. Some of the variable names in the code (mesaj and arkadaslar) suggest the authors are of Turkish descent.

Why is this affecting users in India?
For this campaign, the individuals responsible are based in India. They have modified the original authors’ code by simply adding their own pages and profiles into the script to increase their follower and like counts.

What to do if you have fallen for this scam
If your account has liked and followed a number of pages and profiles without your consent, you should review your activity log. From your activity log, you can locate, unlike and unfollow the pages and profiles associated with this scam.  You should also consider posting a status update notifying your friends about the scam to make sure they don’t fall for the same trick.

The opposite of ethical hacking


Figure 5. Scammers label their efforts as “ethical hacking”

While investigating this scam, we found that the individuals behind it were publicly discussing their efforts. Speaking in Punjabi, one of the individuals summed it up by saying, “Now this is the way ethical hacking is happening.” However, these efforts couldn’t be further from the concept of ethical hacking.

A lesson learned
Always remember that if it sounds too good to be true, it is. Being able to hack someone’s Facebook password by just pasting some code into your browser sounds way too easy and should signal that this is a scam. At the end of the day, your account would be impacted and the safety of your account could be at risk. It’s best to err on the side of caution and think twice before following instructions that ask you to paste code into your browser to hack passwords or unlock features on a website.

24 hours, 650 non-profits, millions of dollars in donations: Silicon Valley Gives Day is May 6th!


Tuesday, May 6th marks a special day for non-profits in Silicon Valley - Silicon Valley Gives Day! For 24 hours, one website will provide a single donation platform to benefit over 650 non-profits working in Silicon Valley.

As part of Silicon Valley Gives Day, Symantec is matching all donations up to $10,000 to one of our non-profit partners - Techbridge.

Techbridge, a non-profit organization dedicated to inspiring underrepresented girls in science, technology, and engineering, has worked with over 4,000 girls in grades 5-12 through its after-school and summer programs in the San Francisco Bay area. From tackling the challenge of designing a prosthetic hand for the disabled, to building a customized gumball machine, to learning the fundamentals of chemical engineering by mixing their own lip balm, the Techbridge curriculum brings STEM alive for girls through projects with real-world applications.


Below is a recent blog by Techbridge that details the many ways you can get involved in this important day. For example, in addition to donating, you can follow the campaign on Facebook and use the hashtag #svgives to share the news on social media.

We hope you’ll join us in celebrating and supporting this important day for the Silicon Valley community – whether it’s donating, spreading the news, or both!

Jaime Barclay is Symantec's Corporate Philanthropy Program Manager.

 

Donate to Techbridge through Silicon Valley Gives, May 6 2014

By Sarah Elovich, Techbridge Grants Manager

Techbridge is participating in Silicon Valley Gives, an online fundraising event on May 6, 2014. On this day, the Silicon Valley Community Foundation will facilitate donations for local nonprofits through a single online donation platform. This is your chance to help us make history in the first ever all day giving event for non-profits serving Silicon Valley!

Your donations to Techbridge made today until Tuesday May 6 through this website will be doubled, thanks to our generous friends at Symantec.

In addition to the Symantec match, donations made at specific times on May 6 can take your dollars even further including:

  • Midnight - 1am: Two-to-one dollar match
  • 12 noon hour: Dollar-for-dollar match
  • 6 pm hour: Dollar-for-dollar match
  • 7 pm hour: Dollar-for-dollar match

Find the full list of matches and prizes here.

Join our Facebook event to get updates.

Please invite your friends and help us reach our $10,000 goal!

As always, we thank you for helping us inspire girls to change the world.

Internet Explorer Zero-Day Vulnerability Exposed

Symantec is aware of reports of the zero-day Microsoft Internet Explorer Remote Code Execution Vulnerability, which affects all versions of Internet Explorer.

Microsoft has released a security advisory about a vulnerability in Internet Explorer that is being used in limited targeted attacks. There is currently no patch available for this vulnerability, and at the time of writing Microsoft has not given a release date for one.

Our tests confirm that the vulnerability affects Internet Explorer on Windows XP. This is the first zero-day vulnerability that will not be fixed for Windows XP users, since Microsoft ended support for that operating system on April 8, 2014. However, Microsoft has stated that its Enhanced Mitigation Experience Toolkit (EMET) 4.1 and above can mitigate this Internet Explorer vulnerability and is supported on Windows XP.

In addition to using EMET, Symantec Security Response recommends that users temporarily switch to a different browser until a patch is available from the vendor. Symantec protects its customers against this attack with the following detections:

We will keep this blog updated with additional information as soon as it becomes available.

Update - April 28, 2014

To mitigate the Microsoft Internet Explorer Remote Code Execution Vulnerability (CVE-2014-1776), Symantec offers the following recommendations.

Microsoft has stated that Enhanced Mitigation Experience Toolkit (EMET) versions 4.1 and above can mitigate this Internet Explorer vulnerability. The toolkit is also available to Windows XP users. If using EMET is not an option, users can consider mitigating the problem by unregistering a DLL file named VGX.DLL. This file provides support for VML (Vector Markup Language) in the browser, which most users do not need. However, once the library is unregistered, any application that uses the DLL will no longer work properly. Likewise, some applications installed on the system could potentially re-register the DLL. With this in mind, the following command line can be run to make the system immune to attacks that attempt to exploit the vulnerability. This command line can be used on all affected operating systems:

"%SystemRoot%\System32\regsvr32.exe" -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"

We have also developed a batch file that can be used to carry out the task for those who need to manage larger IT infrastructures.

Note: Users will need to rename the file with a .bat extension.

The batch file can check the current registration state of the DLL file and unregister the DLL as required. The script in the batch file is very simple and can be used as a basis for customizing the code to suit the needs of particular system environments.

Although no special tools are needed to mitigate this vulnerability, please bear in mind that recommendations such as those provided here may not be useful for future vulnerabilities. We recommend that unsupported operating systems such as Windows XP be replaced with supported versions as soon as possible.

Internet Explorer Zero-Day Vulnerability in the Wild

Symantec is aware of reports of the zero-day Microsoft Internet Explorer Remote Code Execution Vulnerability (CVE-2014-1776), which affects all versions of Internet Explorer.

Microsoft has published a security advisory about the vulnerability in Internet Explorer, which is being used in limited targeted attacks. There is currently no patch available for this vulnerability, and at the time of writing Microsoft has not given a release date for the fix.

Our tests confirmed that the vulnerability affects Internet Explorer on Windows XP. This is the first zero-day vulnerability that will not be fixed for Windows XP users, since Microsoft ended support for that operating system on April 8, 2014. However, Microsoft has stated that its Enhanced Mitigation Experience Toolkit (EMET) 4.1 and above can mitigate this Internet Explorer vulnerability and is supported on Windows XP. In addition to using EMET, Symantec encourages users to temporarily switch to a different web browser until a fix is made available by the vendor.

Symantec protects customers against this attack with the following detections:

We will update this blog with more information as soon as it becomes available.

Update - April 28

To mitigate the Microsoft Internet Explorer Remote Code Execution Vulnerability (CVE-2014-1776), Symantec offers the following recommendations.

Microsoft has stated that Enhanced Mitigation Experience Toolkit (EMET) versions 4.1 and above can mitigate this Internet Explorer vulnerability. The toolkit is also available to Windows XP users. If using EMET is not an option, users can consider mitigating the problem by unregistering a DLL file named VGX.DLL. This file provides support for VML (Vector Markup Language) in the browser, which most users do not need. However, once the library is unregistered, any application that uses the DLL will no longer work properly. Likewise, some applications installed on the system could potentially re-register the DLL. With this in mind, the following command line can be run to make the system immune to attacks that attempt to exploit this vulnerability. This command line can be used on all affected operating systems.

"%SystemRoot%\System32\regsvr32.exe" -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"

We have also developed a batch file that can be used to carry out the task for those who need to manage large IT infrastructures.

Note: Users will need to rename the file with a .bat extension.

The batch file can check the current registration state of the DLL file and unregister the DLL as required. The script in the batch file is very simple and can be used as a basis for customizing the code to suit the needs of particular system environments.

Although no special tools are needed to mitigate this vulnerability, please note that recommendations such as those provided here may not be applicable to future vulnerabilities. We recommend that unsupported operating systems such as Windows XP be replaced with up-to-date versions as soon as possible.
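The batch file described in the two Internet Explorer posts above is not reproduced on this page; what follows is an added Python illustration of the same check-then-unregister logic (not Symantec's file). It assumes the paths from the posts' regsvr32 command line, runs reg.exe and regsvr32.exe only on Windows, and parses a constructed sample of `reg query` output with placeholder CLSIDs.

```python
r"""Check whether VGX.DLL is still registered and unregister it if so.

Added illustration of the batch file the posts describe (not Symantec's file):
the Windows-only actions are isolated in small functions, while parsing of the
`reg query` output is separate so it can be exercised on any platform.
"""
import os
import subprocess
import sys

# Location of the DLL as given in the posts' regsvr32 command line.
VGX_RELATIVE = r"Microsoft Shared\VGX\vgx.dll"
# COM registrations are searched in both hives; the second exists only on
# 64-bit Windows, where a second 32-bit vgx.dll under
# %CommonProgramFiles(x86)% would need the same treatment (not shown).
CLSID_KEYS = (r"HKCR\CLSID", r"HKCR\Wow6432Node\CLSID")


def vgx_path():
    common = os.environ.get("CommonProgramFiles", r"C:\Program Files\Common Files")
    return os.path.join(common, VGX_RELATIVE)


def registered_vgx_clsids(reg_query_output):
    r"""Return the CLSIDs whose InprocServer32 value points at vgx.dll.

    `reg query <key> /s` prints each subkey on its own line followed by its
    values, indented; a registration looks like:
        HKEY_CLASSES_ROOT\CLSID\{...}\InprocServer32
            (Default)    REG_SZ    C:\...\VGX\vgx.dll
    """
    clsids = []
    current_key = None
    for line in reg_query_output.splitlines():
        if line.startswith("HKEY_"):
            current_key = line.strip()
            continue
        if current_key is None or not current_key.upper().endswith("\\INPROCSERVER32"):
            continue
        if "vgx.dll" in line.lower():
            clsid = current_key.split("\\")[-2]   # ...\CLSID\{clsid}\InprocServer32
            if clsid not in clsids:
                clsids.append(clsid)
    return clsids


def query_clsids_text():
    """Concatenate `reg query ... /s` output for every CLSID hive that exists."""
    chunks = []
    for key in CLSID_KEYS:
        result = subprocess.run(["reg", "query", key, "/s"],
                                capture_output=True, text=True, errors="replace")
        if result.returncode == 0:
            chunks.append(result.stdout)
    return "\n".join(chunks)


def unregister_vgx(path):
    """Same call as the posts' command line, run silently (/s)."""
    regsvr32 = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32", "regsvr32.exe")
    return subprocess.run([regsvr32, "/s", "/u", path]).returncode


def main():
    if sys.platform != "win32":
        print("This workaround only applies to Windows.")
        return 2
    path = vgx_path()
    if not os.path.exists(path):
        print(f"{path} not found; nothing to do.")
        return 0
    before = registered_vgx_clsids(query_clsids_text())
    if not before:
        print("vgx.dll is not registered; nothing to do.")
        return 0
    print(f"vgx.dll registered under {', '.join(before)}; unregistering...")
    rc = unregister_vgx(path)
    if rc != 0:
        print(f"regsvr32 failed with exit code {rc} (run as administrator).")
        return 1
    # Re-check: installers can re-register the DLL later, so this is worth repeating.
    after = registered_vgx_clsids(query_clsids_text())
    print("done" if not after else f"still registered under {', '.join(after)}")
    return 0 if not after else 1


# Constructed sample of `reg query` output; the CLSIDs are placeholders.
SAMPLE_REG_OUTPUT = r"""
HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}
    (Default)    REG_SZ    Unrelated control

HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32
    (Default)    REG_SZ    C:\Windows\System32\unrelated.dll
    ThreadingModel    REG_SZ    Apartment

HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-00000000ABCD}
    (Default)    REG_SZ    Placeholder VML control

HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-00000000ABCD}\InprocServer32
    (Default)    REG_SZ    C:\Program Files\Common Files\Microsoft Shared\VGX\vgx.dll
    ThreadingModel    REG_SZ    Apartment
"""

if __name__ == "__main__":
    sys.exit(main())
```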

Symantec Endpoint Protection Small Business Edition – New Name, New Marketing Materials


On May 20th, we will be making a few changes to the PartnerNet page for our Symantec Endpoint Protection Small Business Edition 2013 product. First, you will notice that the product name will change to “Symantec Endpoint Protection Small Business Edition”. We are removing “2013” from the name in order to help eliminate customer perceptions that the product is outdated. This change will also better reflect the fact that this product is sold primarily as a cloud service and therefore is always up to date. Please note that the SKUs and Buying Programs will not be changed.

Secondly, we have refreshed core collateral for this product with stronger messaging to help you better position this popular solution to your customers:

  • 2013 has been removed from the name in the new materials to reflect that this is a version-less product.
  • Our new messaging focuses primarily on the popular cloud-managed deployment and customers with growing businesses
  • The maximum number of recommended users has been increased from 250 to <1000

 

Symantec Endpoint Protection Small Business Edition provides:

  • Always-on virus and malware protection that’s fast and effective
  • Business-grade security delivered in minutes
  • Cloud-based protection for growing businesses

 

“With all the cloud buzz, a lot of partners are ready to jump in; even end-users are asking for it. With Symantec it's easy to do. Easier to manage, a better portal, and full protection – They fall in love with it!”

-Eric Courtwright, Ingram Micro Cloud Specialist

 

You can access the new SEP SBE materials on PartnerNet.

Also, be on the lookout for our June Webcast on Selling the Symantec Endpoint Security Family – From SMB to Commercial and Beyond, where we will walk through how to identify the right product for the right customer; ranging from Norton Small Business, to SEP SBE, to SEP 12.1 and all the way up to the Security Suite.

Best Wishes and Happy Selling!

Liz Jennings, Product Marketing for Channel SEP SBE

Connect Dev Notes: 30 April 2014


Updates deployed to the Connect production servers as a result of the code sprint that ended 29 April 2014.

User Facing: Desktop

  • Added spam scanning to the private message forms. If the scan engine determines the contents of a private message is spam, the message will be rejected.
  • Fixed an issue with line breaks and carriage returns reported by post-by-email users who are submitting posts with Outlook 2010 in text mode.
  • Added the ability for post-by-email users to submit attachments with their email posts and comments.
  • Added code to the post-by-email subsystem that detects "Automatic Replies" (vacation rules) in mail coming from Outlook accounts. The code ignores the message and creates a log entry each time a post is ignored for auditing purposes.

Admin Facing

  • Created a broken link checking tool for Community Managers to check their communities for broken links.
  • Added code to help track and audit username changes.
  • Added the ability for blog admins to add a "Recent Comments" section to the right sidebar of their blog pages. This section will display the five most recent comments made to posts that belong to the target blog.
  • Added the ability for blog admins to add a "Featured Comments" section to the right sidebar of their blog pages. This section will display comments that the blog admin tags as featured.
  • Added the ability for blog admins to customize their blog pages with a banner comprised of a custom image and a custom color of their choice.
  • Added tracking code to the share widgets so management could pull analytics about which articles are shared, liked, and +d.
  • Added the ability to reward points for comments to users in specific roles.

Behind the Scenes

  • Added code that ensures Twitter Card and Facebook Open Graph meta tags always use "anonymous" URLs.

SEO Wins

  • Added canonical metadata to user profile pages to improve SEO.
  • Added topic tags as link metadata on all posts.

Symantec Partners: Symantec Endpoint Protection Small Business Edition – New Name, New Marketing Materials

Check out this blog in the Connect Partner Community for more details

On May 20th, we will be making a few changes to the PartnerNet page for our Symantec Endpoint Protection Small Business Edition 2013 product. First, you will notice that the product name will change to “Symantec Endpoint Protection Small Business Edition”. We are removing “2013” from the name in order to help eliminate customer perceptions that the product is outdated. This change will also better reflect the fact that this product is sold primarily as a cloud service and therefore is always up to date.

For detailed information visit Liz Jennings' blog in the Partner Community: Symantec Endpoint Protection Small Business Edition – New Name, New Marketing Materials


Heartbleed 脆弱性に便乗したフィッシング攻撃

$
0
0

寄稿: Binny Kuriakose

シマンテックは最近、Heartbleed 脆弱性に便乗したフィッシングメールを確認しました。このフィッシング攻撃は、米軍関係の保険サービスを装って Heartbleed 脆弱性に関するメッセージを送信し、情報を収集しようとします。

Heartbleed は最近発見されたセキュリティ脆弱性で、OpenSSL のバージョン1.0.1 から 1.0.1f に影響します。この脆弱性は OpenSSL 1.0.1g で修正済みです。脆弱性の詳細や対処方法については、シマンテックのセキュリティアドバイザリーを参照してください。

スパマーやフィッシング攻撃者は、最新のニュースや話題を利用してペイロードを偽装します。フィッシングメールでは多くの場合、セキュリティに関する懸念につけ込んで、ソーシャルエンジニアリングの手口を本物らしく見せようとします。電子メールに仕込まれたペイロードによって、受信者が機密情報を漏らすように仕向けるのです。

今回の場合、次のような電子メールが送られてきます。

 figure1_phish_0.png
図 1. Heartbleed 脆弱性に便乗したフィッシングメール

この例には、興味深い特徴がいくつかあります。

  • X-Mailer ヘッダーを見ると、送信者が使っている電子メールクライアントが非常に古いもの(Microsoft Outlook Express 6.00.2600.0000)だと分かります。多くのユーザーが依然として古い電子メールクライアントを使っていますが、最新のオンラインビジネスでそのような電子メールクライアントを使ってセキュリティに関する通知を送信することはほぼありません。
  • 「has initiate」という文法上の誤りがあります。攻撃者は、最新の話題をいち早く悪用して新しいフィッシング攻撃を実行しようと焦るため、文法の間違いを犯しがちです。また、送信者の母国語が英語ではないことも珍しくありません。
  • さらに、このフィッシングメールは有名な米軍関係の保険サービスからのセキュリティ警告と称しているにもかかわらず、掲載されている「ログイン」リンクをクリックすると、実際には危殆化したトルコの製造業社のサイトにアクセスします。

以上は、フィッシングメールの判断基準のすべてではありませんが、フィッシング攻撃にありがちな間違いや矛盾を示しています。

As explained in detail in the Heartbleed advisory, be wary of any email that asks you to provide or update personal information, and never click password-reset or software-update links in such messages. If you need to update or change personal information, go directly to the relevant website and do it there.

 

* To subscribe to the RSS feed of the Japanese-language Security Response blog, go to http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja.

Information Fabric usability and research studies at Vision


I'm the Product Manager for Symantec Information Fabric, an offering in development to help you understand and govern your organization’s information. During Vision we are conducting usability studies against our early development systems. This study will introduce you to the concept of Information Fabric and then we will conduct a hands on usability session. It’s a unique chance for you to tell us how you would like to use this new offering and your feedback will directly influence how we design and develop this product.

The session will be about 50 minutes long and will be conducted in the 'whisper suite'. We are looking for attendees who look after or make decisions around:

  • storage / storage management / archiving
  • compliance
  • security
  • records management

and who may have experience of any of the following product sets:

  • NBU
  • Data Insight
  • Enterprise Vault
  • DLP

If you are interested in helping us develop our next generation products, and fit the bill above, then please drop me a private message with:

  • Name
  • Company
  • Role
  • Products you are knowledgeable of
  • 3 preferred time slots for the session

To see what slots are available, view this on-line calendar and page forward to the week of May 4 - 10. 

There will be one formality for this session. We will need to conduct this session under NDA. While you may have a wider NDA in place with Symantec, I do require an explicit NDA for this session. We'll have these available for you to sign in the 'whisper suite'.

As an appreciation of your participation, there will be a thank you gift available at the end of the session (subject to applicability guidelines).

Due to the high demand for these sessions, I do have certain selection criteria and unfortunately I will not be able to extend an invite to everyone who applies. But please do let me know of your interest.

Look forward to seeing you in Vegas!

Darren

Keeping Diversity Core to Our Values – Symantec Featured in Diversity/Careers Magazine


Hello everyone! My name is Antoine Andrews and I’m the new Director of Global Diversity and Inclusion for Symantec. 

As I’m writing this, I’ve officially been in my new role for an entire eight days and I am loving it! As the Director of Global Diversity and Inclusion, my role is to continue the path forward that the Global Corporate Responsibility Team has laid out to ensure Symantec has the best and most innovative global talent to meet the needs of our customers and drive business performance. 

My very early (and I mean very early) observations are that the company has invested heavily in closing the gender gap within our internal talent pipeline and also in the talent of the future, globally. As innovation continues to be a key priority for Symantec, we have to leverage the diversity of all our employees to help us innovate. In my opinion, having inclusive leaders, team environments, and processes are all equally important. They foster idea sharing, and it is often the case that some of the best ideas come from the people and teams who offer a different perspective.

This month, Diversity/Careers magazine featured an article by Symantec’s Cecily Joseph, VP Corporate Responsibility, demonstrating how companies put their efforts around Diversity and Corporate Responsibility into action. The article does a wonderful job highlighting what differentiates Symantec in the Diversity and CR fields. 

I’m so proud that Symantec has focused efforts on promoting diversity in many areas, such as diversifying our global talent, recognizing and embracing differences in our company culture, and impacting the global communities where we operate.  Focusing on these areas will help Symantec drive great business results while also having a positive impact on the world’s future.

Please click here to read (or here to download) the Diversity Careers article where Cecily talks about Symantec’s dedication to cybersecurity and equality (pg 92-93).

 

Antoine Andrews is Symantec's Director, Global Diversity and Inclusion.

 

Heartbleed – How Did Internet Security Almost Bleed Out?


Today marks the one month anniversary of the devastating Heartbleed vulnerability. Specifically, one month ago today Google first notified the OpenSSL development team of the vulnerability. From the start CVE-2014-0160 was not just another software vulnerability. No, this one was big. A vulnerability of epic proportion. Who would've thought that a simple buffer over-read could threaten to undermine the security of the Internet? As you know by now, Heartbleed allows an unauthenticated attacker to read up to 64KB of server memory per heartbeat request, and nothing stops the attacker from repeating the request. What exactly is contained in that 64KB? That is somewhat random: it is whatever happens to sit in memory after the heartbeat payload, so depending on where the request lands the leak can reveal private keys, session cookies, usernames and passwords, email messages, and a multitude of other sensitive information. How could this possibly happen? Looking back, a series of cascading failures is to blame.

  • Let's start with the TLS Heartbeat Extension protocol defined in RFC 6520. The TLS Heartbeat Extension lets either peer check that a TLS or DTLS connection is still alive without renegotiating it; the RFC also presents it as a basis for path MTU discovery in DTLS, for which probes of varying size are useful. The client sends a heartbeat payload to the server, and the server responds with the exact same heartbeat payload in order to verify the connection. But for a keep-alive, why was the heartbeat payload designed as a variable length field? And why would the heartbeat payload possibly need to be a whopping 64KB in length? Wouldn't a fixed length field of 64 bytes have been more than sufficient? Or was the heartbeat payload designed to covertly transfer Tolstoy's War And Peace? Defining a fixed length heartbeat payload field of 64 bytes would've simplified the application code and likely prevented the Heartbleed vulnerability. Ironically the "Security Considerations" section of RFC 6520 states that "this document does not introduce any new security considerations." Oops.
  • What about the programmers? OpenSSL development is "volunteer-driven", and is performed by a staff of eight programmers. The developers perform an incredible service to the Internet at large, providing critical software that is used to secure electronic commerce, financial transactions, and everything else that must be encrypted over the World Wide Web. Recently a consortium of more than a dozen major technology corporations consisting of Amazon, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Rackspace, Qualcomm and VMware pledged $100,000 per year for the next three years to help fund open source projects such as OpenSSL. Will this help solve the problem? Yes. Will this solve the problem completely? No. Technology corporations boast an impressive stable of well-paid developers, yet critical vulnerabilities are still identified within commercial software at an alarming rate. As long as programmers are human, mistakes will be made and critical vulnerabilities will be introduced into application code.
  • What about the programming language? Like many open source software components, OpenSSL is written in the C programming language. One of the reasons that the C programming language is so powerful is its direct memory management. C memory allocation and pointers give programmers incredible control over program execution. Unfortunately, these very same features make the C programming language extremely dangerous: nothing at runtime checks that a pointer plus a length stays inside the object it came from. Common C programming mistakes can lead to critical vulnerabilities such as buffer overflows and, in the case of the Heartbleed vulnerability, buffer over-reads.
  • What about the application code? The vulnerable code was introduced with OpenSSL 1.0.1 on March 14, 2012. Depending on whether TLS or DTLS was in use, the vulnerable code lived in the "tls1_process_heartbeat()" function of the "t1_lib.c" file or the "dtls1_process_heartbeat()" function of the "d1_both.c" file, respectively. Let's consider the "tls1_process_heartbeat()" function of the vulnerable "t1_lib.c" file. The function is called with a pointer to the SSL structure for the connection:
    tls1_process_heartbeat(SSL *s)

    Later the "p" variable is initialized as a pointer to the heartbeat request, and the purported payload length is read from "p" into "payload":

    n2s(p, payload);

    Note that the purported length is never checked against the length of the record that actually arrived. The next line initializes the "pl" variable as a pointer to the payload:

    pl = p;

    Later "payload" bytes starting at "pl" are copied into "bp", a pointer into "buffer":

    memcpy(bp, pl, payload);

    Finally "3 + payload + padding" bytes of "buffer" are transmitted to the client:

    r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);

    Because the actual length of the payload received from the client is never verified, the client can send a single byte of payload but claim a payload length of 65,535 bytes (the largest value a 16-bit field can hold), triggering the Heartbleed vulnerability and echoing back up to roughly 64KB of whatever server memory follows that one byte. RFC 6520 actually states that a heartbeat message must not exceed 2^14 bytes, but the payload length is stored in a 16-bit integer and the restriction was not enforced, so nearly 2^16 bytes can be extracted per request. Worse yet, in order to improve performance the OpenSSL developers used a custom freelist for record buffers instead of the standard "malloc()" and "free()" memory allocation functions. Consequently the memory next to the heartbeat record is likely to be a recycled buffer that still holds earlier plaintext, and allocator hardening that might otherwise have caught the over-read does not apply. The patched "t1_lib.c" in OpenSSL 1.0.1g adds proper bounds checking in order to prevent the buffer over-read and therefore eliminate the Heartbleed vulnerability. If the purported payload length, plus the 3-byte header and 16 bytes of padding, exceeds the length of the record actually received ("s->s3->rrec.length"), the message is discarded and no heartbeat response is sent:

    if (1 + 2 + payload + 16 > s->s3->rrec.length)
    return 0; /* silently discard per RFC 6520 sec. 4 */
  • What about disclosure? What a mess! According to the timeline compiled by Fairfax Media, Google first identified the Heartbleed vulnerability on or before March 21. However, Google did not report Heartbleed to the OpenSSL development team until April 1. Heartbleed was next identified by Finland's Codenomicon on April 2. However, Codenomicon did not report Heartbleed to the OpenSSL development team until April 7, although Codenomicon did report the vulnerability to the National Cyber Security Centre Finland on April 3. Upon learning that a second researcher had identified the Heartbleed vulnerability, the OpenSSL development team released a security advisory and patched software later the same day. In between the initial Google discovery on March 21 and the patched software released on April 7, several companies including Google, Facebook, and Akamai were notified of the vulnerability and shrewdly disabled the TLS Heartbeat Extension. However, other companies including Cisco, Yahoo, and Twitter were not notified and therefore were unable to disable the TLS Heartbeat Extension. Who else knew about the Heartbleed vulnerability since it was introduced with OpenSSL 1.0.1 on March 14, 2012? How did two separate researchers identify Heartbleed 12 days apart after the vulnerability lingered within the OpenSSL code for over two years? Why the bumpy vulnerability disclosure timeline? Suffice it to say that the Heartbleed vulnerability did not set the standard for responsible vulnerability disclosure.
  • What about security awareness? Finally a bright spot! On April 5, Codenomicon purchased the Heartbleed.com domain, where it published details regarding the vulnerability on April 7. The information was thorough and well written, and the clever Heartbleed logo resonated with the media and Internet users alike:

    Heartbleed Logo

    The Heartbleed vulnerability was all over the news. Sites like Wikipedia and XKCD did a fantastic job explaining the vulnerability to non-technical Internet users. Mashable compiled a list of affected sites whose passwords needed to be changed immediately. And a myriad of sites allowed you to test arbitrary servers for the presence of the Heartbleed vulnerability. All things considered, Heartbleed security awareness was handled in an exemplary manner.
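To make the application-code failure concrete, here is a reduced model of tls1_process_heartbeat() in C. It is an added example, not OpenSSL's code: a fixed arena stands in for the server heap, the record, its one real payload byte and the "secret" bytes behind it are constructed, padding is zero-filled where OpenSSL uses RAND_pseudo_bytes(), and the check_length flag switches between the 1.0.1f behaviour (trust the claimed length) and the 1.0.1g bounds checks. It also shows the RFC 6520 message layout from the first bullet: a type byte, a 16-bit payload length, the payload, and at least 16 bytes of padding.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16u  /* RFC 6520 requires at least 16 bytes of padding */

/* Stand-in for server heap memory (constructed). The heartbeat record occupies the
   first 20 bytes: type 1, claimed payload length 0x0030 (48), one real payload byte
   and 16 bytes of padding. Everything after it is adjacent memory the record does
   not own, which a correct implementation must never copy into the response. */
static const unsigned char arena[] =
    "\x01\x00\x30" "A" "PPPPPPPPPPPPPPPP"
    "password=hunter2&session=deadbeef";
#define RECORD_LEN (1 + 2 + 1 + HB_PADDING)   /* what the server really received */

/* A received TLS record, as in OpenSSL's s->s3->rrec: data and its true length. */
typedef struct { const unsigned char *data; unsigned int length; } record_t;

/* Big-endian 16-bit read, as OpenSSL's n2s() macro. */
static unsigned int n2s(const unsigned char **p)
{
    unsigned int v = ((unsigned int)(*p)[0] << 8) | (*p)[1];
    *p += 2;
    return v;
}

/* Reduced model of tls1_process_heartbeat(). With check_length == 0 it behaves like
   1.0.1f: the length claimed in the record is trusted and memcpy() reads past the
   record. With check_length == 1 it applies the 1.0.1g bounds checks. Writes the
   response into out and returns its length, or 0 if the record is discarded. */
static size_t process_heartbeat(const record_t *rec, int check_length,
                                unsigned char *out, size_t out_cap)
{
    const unsigned char *p = rec->data;
    unsigned int hbtype, payload;

    if (check_length && 1 + 2 + HB_PADDING > rec->length)
        return 0;                           /* silently discard */
    hbtype = *p++;
    payload = n2s(&p);
    if (check_length && 1 + 2 + payload + HB_PADDING > rec->length)
        return 0;                           /* silently discard per RFC 6520 sec. 4 */
    if (hbtype != TLS1_HB_REQUEST)
        return 0;

    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap)
        return 0;                           /* keeps this demo itself in bounds */

    unsigned char *bp = out;
    *bp++ = TLS1_HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);
    *bp++ = (unsigned char)(payload & 0xff);
    memcpy(bp, p, payload);                 /* the over-read: `payload` is attacker-chosen */
    bp += payload;
    memset(bp, 0, HB_PADDING);              /* OpenSSL fills this with RAND_pseudo_bytes() */
    return resp_len;
}

/* Runs the attacker's record through the model and returns how many bytes outside
   the 20-byte record ended up in the response. */
static size_t heartbleed_leak(int check_length)
{
    record_t rec = { arena, RECORD_LEN };
    unsigned char resp[256];
    size_t n = process_heartbeat(&rec, check_length, resp, sizeof resp);
    if (n == 0)
        return 0;
    unsigned int claimed = ((unsigned int)resp[1] << 8) | resp[2];
    unsigned int real = RECORD_LEN - (1 + 2);
    return claimed > real ? claimed - real : 0;
}

/* True if `needle` appears anywhere in the (binary) heartbeat response. */
static int response_contains(int check_length, const char *needle)
{
    record_t rec = { arena, RECORD_LEN };
    unsigned char resp[256];
    size_t n = process_heartbeat(&rec, check_length, resp, sizeof resp);
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(resp + i, needle, m) == 0)
            return 1;
    return 0;
}

int main(void)
{
    printf("1.0.1f model: %zu bytes of adjacent memory leaked\n", heartbleed_leak(0));
    printf("1.0.1g model: %zu bytes of adjacent memory leaked\n", heartbleed_leak(1));
    return 0;
}
```

With check_length == 0 the response carries 31 bytes that were never part of the record, including the password string; with check_length == 1 the same record is discarded before memcpy() runs. The arena keeps the over-read inside memory the program owns so the demonstration is well-defined C; against a real heap allocation the same memcpy() reads the neighbouring allocation, which AddressSanitizer would report for a plain malloc() buffer but which stays invisible when, as in OpenSSL, the buffer comes from a freelist the allocator never sees.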

So what now? Can we guarantee that Heartbleed will never happen again? No. Application code is still written by humans, so mistakes will be made. They are inevitable. However, it is crucial that the technology industry learns from Heartbleed in order to improve processes surrounding protocol design, software development, and vulnerability disclosure. Only then can the technology industry stop a series of cascading failures from resulting in another devastating security vulnerability.

Customer Safaris

Looking for NetBackup Administrators
My name is Elizabeth Teffner. I'm a Customer Research Analyst at Symantec. Our Customer Research group is organizing Customer Safaris to observe how NetBackup Administrators do their work.
 

What is a Customer Safari?

Customer Safari is where we come to your office and observe your day. Understanding how people work and go through their day helps us generate ideas on how we may make improvements or create new products or services. The best way to do this is to quietly sit and observe how a typical day for our customers goes.   
 
If you are interested, we are looking for 3 to 4 hours to sit with you and observe. There will be little interaction except for the occasional clarifying question. Also, this is not a sales call! This is strictly a customer research project. During our visit we will be taking copious notes, and would love to take some video (with your permission).
 

Why are Customer Safaris helpful?

Customer Safaris help Symantec better understand how people work, so that we can identify current pain points, find gaps in our products, and see where we can make improvements. For you, it is an opportunity to help us get a holistic view of your work so we understand how best to develop solutions that make your work life easier and more productive.
 

When?

We are looking to schedule visits as soon as your schedule will allow.  
 
If you are interested, please fill out this quick questionnaire. If you have questions, please either email me or reply to this post.
 
Thank you so much!
Elizabeth