Channel: Symantec Connect - Blog Entries

How the Elderwood Platform is Fueling 2014’s Zero-Day Attacks

Back in 2012, Symantec researched the Elderwood platform, which was used in spear-phishing and watering-hole attacks against a wide variety of industries. The Elderwood platform essentially consists of a set of exploits that have been engineered and packaged in a “consumer-friendly” way. This allows non-technical attackers to easily use zero-day exploits against their targets.

We observed attackers using the Elderwood platform against a large number of sectors, including defense, defense supply chain manufacturing, IT, and human rights. Most notably, attackers used this set of exploits in a high-profile campaign known as Operation Aurora.

The Elderwood platform may have first been documented in 2012, but it has continuously been updated with some of the latest zero-day exploits. Within just one month at the start of 2014, the Elderwood platform was used to exploit three zero-day vulnerabilities, proving that this exploit set is still a formidable threat.

Initially, our research suggested that the Elderwood platform was being used by a single attack group. Our latest research leads us to believe that several groups could be using this platform. The evidence suggests that either one distributor is responsible for selling the platform or one major organization developed the exploit set for its in-house attack teams. Either scenario could shed light on how some of the biggest attack groups in action today get such early access to zero-day exploits.

Who could have created Elderwood?
Several theories could describe the makeup of the attackers using the Elderwood platform’s zero-day exploits. Our research points to two as the more probable scenarios.

  • There is a single parent organization broken into a number of subgroups. Each subgroup is tasked with targeting a particular industry. They each use individually developed malware families and operate their own network infrastructure. The parent organization obtains the zero-day exploits and coordinates the distribution and utilization of these exploits amongst the subgroups.

Figure 1. Zero-day exploits distributed throughout an organization consisting of multiple teams

  • The attack groups are separate entities with their own agendas. These groups all have contact with a single zero-day exploit supplier, which delivers the exploits to the groups at the same time. The supplier may give certain groups preferential treatment, offering zero-day exploits to some attack groups a few days before others.

Figure 2. Zero-day exploits distributed to different groups but by a common supplier

Based on our evidence, which we will discuss in this blog, it seems likely that someone is supplying various Internet Explorer and Adobe Flash zero-day exploits to an intermediate organization or directly to the various groups. This alone is a sign of the level of resources available to these attackers. 

If the exploits are being purchased from a third party distributor, the purchasing organization must have substantial financial resources to pay for the exploits. If the exploits are developed in-house, this would indicate that the organization has hired several highly technical individuals to do so. These employees are either being well compensated for their work or have some other motivating factor that prevents them from selling exploits on the open market themselves.

Elderwood’s notable exploits
In 2012, several Internet Explorer and Adobe Flash exploits were part of the Elderwood platform, which took advantage of a number of vulnerabilities, including the following bugs.

Recently, we have seen the platform use new zero-day exploits against the following vulnerabilities, many of which are similar to the previously used exploits.

These exploits are not the only ones used in the platform, but as we will discuss, they show a connection between Elderwood campaigns. Let’s take a look at some of the major attack groups who have used the Elderwood platform over the past few years.

Who has been using the Elderwood platform?
The following is a timeline of the most recent high-profile use of the Elderwood platform. 

Figure 3. Timeline of known activities of recent zero-day exploits

While many of the following attack groups do not use the Elderwood platform exclusively, they have been observed using it throughout many of their major campaigns over a number of years. Along with taking advantage of vulnerabilities that are known to be covered in the Elderwood platform, the attackers also exploited other flaws, such as the Microsoft Internet Explorer 'CDwnBindInfo' Use-After-Free Remote Code Execution Vulnerability (CVE-2012-4792) and the Microsoft Internet Explorer Remote Code Execution Vulnerability (CVE-2014-1776).

Attack group | Targets                           | Associated operation names | Exploited vulnerabilities                                                                                                            | Malware used
Hidden Lynx  | Defense industry                  | Operation Snowman          | CVE-2014-0322 (Internet Explorer)                                                                                                    | Backdoor.ZXshell
Vidgrab      | Japanese users; Uyghur dissidents | -                          | CVE-2014-0322 (Internet Explorer); CVE-2014-0502 (Adobe Flash)                                                                       | Backdoor.Vidgrab; Backdoor.Jolob
Linfo/Icefog | Manufacturing firms               | Icefog                     | CVE-2012-0779 (Adobe Flash); CVE-2014-0324 (Internet Explorer)                                                                       | Backdoor.Linfo; Backdoor.Hormesu
Sakurel      | Aerospace engine manufacturers    | -                          | CVE-2014-0322 (Internet Explorer); CVE-2012-4792 (Internet Explorer); CVE-2014-0502 (Adobe Flash); CVE-2014-1776 (Internet Explorer) | Trojan.Sakurel

Table 1. The attack groups using the Elderwood platform

The Elderwood connection
Along with the attack groups’ use of these exploits throughout their campaigns, the exploits’ infrastructure also appears to be linked.

The two recent Internet Explorer zero-day exploits for CVE-2014-0322 and CVE-2014-0324 share a number of features, including common shellcode. Both can also decrypt malware retrieved from images and write the decrypted malware to a file with a “.txt” extension in the %Temp% folder.

Along with this, exploits for both CVE-2014-0502 and CVE-2014-0322 were hosted on the same site. Finally, there are indications that suggest that a CVE-2014-0324 exploit was used to drop Backdoor.Linfo. The same malware was dropped in 2012 with the CVE-2012-0779 exploit. 

The following image gives an overall look at how these attack groups’ use of the Elderwood platform is connected.

Figure 4. Some of the connections between recent and previous zero-day exploits

Conclusion
It’s difficult to definitively link the use of zero-day exploits back to one central group or organization. Once a zero-day exploit has been deployed in an attack, it can be reverse-engineered, copied and re-purposed for other attackers to use. The Elderwood platform is particularly easy to reverse-engineer, as its exploits are neatly packaged and separated from the payload. Elderwood’s exploit implementations may have been purposely created in this manner to make it easier for its customers to use. 

However, in these observed attack campaigns, there is a repeating pattern of attack groups using Internet Explorer and Flash zero-day exploits to deliver the same malware families. Not only that, but these exploits share many similarities in their implementation. This evidence indicates that there is a greater level of communication between attack groups than if the exploits were simply being reverse-engineered. 

Whether Elderwood’s creator is a third-party supplier or a major organization equipping its own teams, the various groups using ‘Elderwood’ zero-day exploits are well resourced and motivated. They present a serious threat to potential targets.

Symantec protects customers from the various malware families listed in this blog through our antivirus, IPS, behavioral and reputation technologies.


What Endpoint Protection customers need to know about the end of Windows XP support

About Symantec Endpoint Protection support for Windows XP

As you may already know, Microsoft has officially ended support for Windows XP (for Microsoft's official announcement, see http://windows.microsoft.com/ja-jp/windows/end-support-help).

If you use Symantec Endpoint Protection on computers running Windows XP, you may be wondering how the end of support affects the protection of those computers and the security of your systems. Here are some important points we would like customers to know.

  1. Do I need to migrate to a new operating system?

Yes. We want customers to have the best possible protection, and the best way to achieve that is to migrate to a fully supported Windows operating system. Attackers will undoubtedly continue to look for techniques they can abuse to break into systems. Symantec's solutions protect against newly emerging threats, but fundamentally, deploying an up-to-date operating system and security updates must be part of a strong security strategy.

  2. Will users be protected?

Symantec will continue to support Windows XP until further notice. We put customer security first and intend to keep providing protection until you migrate to a newer Windows operating system. If a new zero-day attack against Windows XP emerges, Symantec Endpoint Protection customers are protected by two technologies, Insight and SONAR. Insight and SONAR provide advanced defense against threats even while computers are being migrated. Their best-in-class performance has been demonstrated in testing (see www.AV-test.org), so you can continue to get the best performance on your current Windows XP systems while moving forward with your investment in a new operating system.

  3. Are there other measures I should take to protect Windows XP systems in the meantime?

Yes. If you continue to use Windows XP, we recommend taking additional security measures.

A. If you use Symantec Endpoint Protection:

B. If you use Symantec Endpoint Protection Small Business Edition (SEP SBE), Symantec Endpoint Protection Small Business Edition 12.1, or Symantec Protection Suite:

  • Enable custom alerts and reports on your systems so that you notice suspicious changes or behavior (memory degradation, connectivity issues, unusual application activity, and so on) right away. These are common indicators of threats and risks, and they also help when mitigating the impact of a threat.
  • If SEP SBE users rely on a local update host, consider enabling LiveUpdate on all Windows XP systems so that the latest upgrades and updates are available immediately.
  • Restrict users from installing applications on Windows XP systems.
  • Make sure all protection features (Web, Insight, SONAR, and so on) are enabled.
  • Keep other applications and tools that could be exploited (such as Java and Adobe products) up to date at all times, to complement your anti-malware protection.

If you have any questions or need assistance, please contact Symantec Technical Support or your Symantec partner.

Nuts and bolts in NetBackup for VMware: Avoiding CBT penalty with NetBackup Accelerator

Better Backup for a Virtual World is here!

How can you get 35x faster backups without incurring CBT penalty for enterprise data centers? Let us do a technical deep dive into NetBackup Accelerator feature in NetBackup 7.6.

Have You Joined a Symantec User Group?

More than just a free lunch!

User Groups are organized by geographic region and focus on Symantec Solutions (Security, Endpoint Management, Backup & Archiving, etc.). Meetings and Connect group pages offer an opportunity for Symantec customers to share best practices and talk about their challenges and product experiences. It’s also an opportunity to build relationships with peers and strengthen career opportunities. Group meetings are an opportunity to receive product roadmaps and the latest product information from Symantec.

You can find a complete listing of User Groups here: Groups. Find a group in your area and join today!

For more information on User Groups, including a complete list of benefits, see this page: User Group Program Overview

Symantec – your Cyber partner

Cyber security incidents happen every day. They have become inseparable from our everyday business lives. Some you will be able to identify and deal with easily, with no significant damage. Others have the potential to severely disrupt and damage your operations.

However much we may wish there was a silver bullet that could target and eliminate such threats, it isn’t going to happen. The reality is that cyber threats and attacks are here to stay, growing in sophistication and frequency, with no one outside of, or safe from, their reach.

Rather than hoping an attacker might bypass your business (everyone is a potential target in this cyber-connected world), you need to have a Cyber Resilience Strategy firmly in place to protect you. That means identifying the important incidents, and ensuring the business remains effective and up and running throughout any attack. But what does ‘effective’ mean in this case? It means having deep visibility across an organisation into cyber risk, understanding its potential impact. It also means accepting that eliminating such risk is impossible. Failure to recognise this only serves to create a false set of assumptions that can severely impact the organisation.

RISK AND REWARD

While Cyberspace offers unparalleled opportunities for connectivity, innovation and collaboration, it also carries with it enormous risk, which, if left unchecked, can have a significant impact on revenues, brand reputation and compliance. Painful as it might seem, accepting the right level of risk actually supports innovation and reinforces the ability of the organisation to ‘stay safe’. How? Because, by accepting that risk, people are dealing with the realities of today’s threat landscape and, from there, are in a position to create a strategy to minimise the impact that might have on the operations. This is what cyber resilience is all about and it needs to be the backbone of your defences.

Improving an organisation’s resilience is a journey that starts with assessing and defining the current and future cyber position – and that is where Symantec’s expertise comes into play, helping organisations to reach that goal through the Symantec CyberV Enterprise Assessment (EA) Service*.

The service provides visibility into the four cornerstones of cyber resilience – cyber leadership & governance, cyber assessment, threat intelligence and cyber visibility, and cyber protection and response. It assesses the current and desired cyber resilience state, and delivers guidance and recommendations to promote true cyber resilience.

HOW IT WORKS

Crucially, the Symantec CyberV EA Service uses a three-phase, best-in-class approach to cyber assessment, enabling you to define cyber governance:

CyberV Service Assessment Phase

This phase is built around a facilitated discussion and questionnaire that addresses the four cornerstones of cyber resilience. Initial analysis and prioritisation is conducted during this phase. The assessment phase takes around one day to complete.

CyberV Service Analysis Phase

The output of the facilitated discussion and/or questionnaire is further analysed and assessed by Symantec. It identifies:

  • Critical gaps between current and desired state
  • Key areas of organisational focus for cyber
  • Priority action rankings for enhanced cyber resilience
  • Guidance and recommendations for best practices.

CyberV Service Delivery Phase

The output of the service provides:

  • Presentation of findings at a post-assessment briefing
  • Production of a customised report, detailing the findings of the service.

Tailored precisely to the specific requirements of the business, the assessment then identifies the appropriate cyber resilience guidance to help to strengthen the organisation’s cyber resilience. Guidance commonly assesses:

  • The organisation’s ‘current’ and ‘desired’ cyber maturity state
  • The integrated cyber framework (policies, processes, toolsets, partners and governance), in order to be able to respond to cyber threats
  • How well organisations gather, correlate and monitor internal and external threat intelligence
  • The degree to which an appropriate, risk-assessed level of cyber protection is applied
  • The capability to respond effectively to a cyber incident.

By taking a proactive stance on cyber resilience and engaging the Symantec CyberV EA Service to implement the right procedures and develop a clear response strategy, organisations gain a clear vision and understanding of how attacks occur, along with the means to make informed decisions that afford the organisation the right levels of protection.

Overall, what the CyberV EA Service does is to give the organisation – via a fully customised report highlighting priorities and recommendations – a snapshot of exactly where you stand, in terms of cyber resilience, and a roadmap that shows how to get to where the business needs to be, fully supported by Symantec throughout that journey.

For more information please contact myself or the analyst relations team who will be happy to arrange a briefing for you.

*The Symantec CyberV Enterprise Assessment (EA) Service is supported by the Information Security Forum (ISF)

How to Detect, Respond & Recover Faster - the Symantec way

For enterprises, these are testing times in the extreme. Never have IT departments – and the businesses that they support – been more exposed than they are today.

IT departments are challenged at every turn – with pressure from business leaders asking “is the business safe from cyber attacks?”; rapidly evolving IT estate complexity, including mobile rollouts, new cloud deployments and emerging software-defined data centres. IT relies heavily on its security teams, who are left to deal with disconnected security architectures and struggle with underfunding, and often a lack of incident investigation resources to be able to deal effectively with the waves of security incidents.

The thing is that attackers know this and are constantly seeking to extend their reach into the very fabric of the IT operations. As a result, many organisations are left vulnerable and at risk.

And it’s the nature of the attacks that is causing most consternation. Today’s assailants are slipping way beneath the radar by launching ever more sophisticated and targeted attacks that leverage unknown variants of malware to evade traditional signature-based security technologies. The upshot is that the significant investments enterprises have made in various unconnected protection products are no longer up to the task. Instead, security practitioners are left constantly wondering whether their network has been infiltrated, how far the threats have spread and what assets have been compromised.

What all of this means is that the traditional approach of monitoring security at the network layer is no longer the only answer. Because although network-based advanced threat detection technologies are effective at detecting unknown and zero day malware, typically they do not block the detected threats, but rather allow malicious files to pass through to the internal network and their targeted destination endpoints. As a result, security teams never really know what happened to the detected malware – there is every chance that it may have launched a more complex and advanced attack within their environment.

So, with endpoints often providing the initial ‘foothold’ from which an intruder stages an attack, detecting today's targeted attacks and advanced persistent threats calls for an integrated, multi-layered approach that detects malicious activity on both network and endpoint devices. And yet organisations often rely on technologies that weren’t designed to work in tandem, while pouring scarce resources into piecing together fragmented security events rather than focusing on more strategic security initiatives.

So what can be done to counteract the threats, shore up those shortfalls and keep businesses secure?

Symantec’s response has been to develop the Managed Security Services - Advanced Threat Protection (MSS-ATP) solution. The solution is based on an alliance between Symantec and leading network security providers such as Palo Alto Networks, Cisco (Sourcefire) and Check Point. The alliance provides bi-directional integration between endpoint security solutions and network security vendors, while leveraging Symantec’s leading global threat intelligence network (GIN). MSS-ATP enables organisations to rapidly detect, investigate and remediate unknown and zero-day attacks that simply evade disconnected security technologies.

In essence, Symantec MSS-ATP:

  • Empowers the CISO and security operations teams to make sense of complex targeted attacks operating throughout the network and endpoint layers
  • Effectively correlates incidents, enabling security teams to quickly prioritise and pinpoint the most critical security incidents without wasting time (and cost) investigating less important incidents
  • Leverages existing investment in network security and endpoint solutions, while leveraging the global business context of threats from Symantec’s leading threat intelligence network (GIN).

In other words, this is much more than just technology: it is about taking a better, intelligence-based approach to security, leveraging leading technologies and investments you have already made.

Symantec MSS-ATP takes detection, protection and response to a new level. A great example of this is how Symantec is integrating numerous capabilities in the MSS-ATP release.

First, MSS-ATP leverages Symantec’s cloud-based MSS threat detection platform that aggregates and correlates unfiltered alerts from a diverse set of technologies, harnessing global threat intelligence to detect traffic patterns associated with malicious activity. We then factor in business-centric contextual awareness to ensure incidents are prioritised based on potential economic impact to the business.

In addition, the MSS-ATP solution also leverages our cloud-based Insight file reputation technology. This helps reduce investigation of false positive alerts by evaluating the reputation of potentially malicious files detected. Symantec’s Insight file reputation database tracks files and dozens of associated attributes, including age, download source and prevalence within the global community. These attributes are run through complex algorithms to determine each file's level of risk or 'security rating'. If the file detected at the network is low risk, MSS-ATP issues an Information Alert. If the file is deemed high risk, a Critical Alert signals that further investigation is necessary.

In short, with MSS-ATP Symantec is addressing the unmet need for rapid incident detection, prioritisation and remediation across multiple security platforms, leveraging best-of-breed technology capabilities, all backed by a truly global, business-context-focused threat intelligence network.

Security partnerships and ecosystems are becoming increasingly important for all businesses. MSS-ATP from Symantec is leading this charge to ensure we can support our customers’ unmet needs time and again.

Please share your thoughts below and make sure to watch this video with Graham Ahearne, Dir. Information Security Service: Managed Security Services - Advanced Threat Protection.

Indexing Exclusions in Enterprise Vault

I spotted something interesting the other day with Enterprise Vault 10.0.x indexing.  There is an option on the Enterprise Vault Site Settings to exclude particular words/phrases from being indexed at all.

This is useful for companies that have standard disclaimers or other phrases/paragraphs that shouldn't be indexed (because they would simply cause too much noise when doing searches).  To make changes to the indexing exclusions go to the Site Settings, and then the Indexing tab:

Click on 'Exclusions' as highlighted above, and here you can do the exclusion 'maintenance':

You can set up multiple exclusions too, but each is based on the plain text that you want to be excluded.  Still, this seems like a great feature and one that I hadn't seen before.  Do you implement exclusions like this? Let me know in the comments below.

Spammers Quick to Take Advantage of Second Posthumous Michael Jackson Album

May 13, 2014 witnessed the release of another posthumous compilation album of Michael Jackson recordings, named Xscape. This reworked collection of Jackson tracks was highly anticipated by music lovers, ever since its announcement in March, 2014. News of the album release has once again made Michael Jackson a hot topic and, unsurprisingly, spammers have been quick to exploit this.

This spam campaign uses a very simple email which is crafted to appear like personal mail. It uses Michael Jackson’s name and some of his song titles to create intriguing subject lines. The body of the email contains a link along with a generic comment. A name is used to sign the email message, as seen in Figure 1, in an effort to give the impression that an acquaintance has sent you an email with a link to the new Jackson album. The URL in the body of the email redirects to a fake pharmacy domain which promises cheap medicines without prescription.

The following are subject lines seen in this spam campaign:

  • Subject: $ Planet Earth (Michael Jackson poem) $
  • Subject: * List of songs recorded by Michael Jackson *
  • Subject: * List of unreleased Michael Jackson songs *
  • Subject: [ Hold My Hand (Michael Jackson and Akon song) ]

Figure 1. Example of Michael Jackson spam email

We expect more spam exploiting this news in the coming days and believe the possibility of such emails being phishing attempts or containing malware to be very strong.

Users are advised to adhere to the following best practices:

  • Do not open emails from unknown senders
  • Do not click on links in suspicious emails
  • Never enter personal information on suspicious websites, as they may have been created for phishing purposes
  • Keep your security software up-to-date to stay protected from phishing attacks and malware

AV Is Not Enough for the Enterprise

Today’s security landscape requires more than basic antivirus: it requires proactive, layered protection. Symantec has recently announced new products and services that further help businesses protect, detect and respond, empowering them to run safely and productively now and into the future.

What does SmartIO do?

Answer: It Makes Everything Faster

“What is SmartIO and what does it do?”  Since the launch of Storage Foundation 6.1, I’ve been asked that question by all sorts of people in all sorts of situations.  The most concise answer I have is that “SmartIO makes everything in a SAN faster”.  In a two-minute conversation with a customer or family member, this answer is typically enough, especially for the less technically inclined members of my family.  For those curious or dubious however, the next question is always “what do you mean everything?”

The first place SmartIO brings value is in application performance, specifically for applications with lots of small, random reads and writes, such as a transactional database.  By keeping hot data inside the server on very fast solid state devices, application reads are served in microseconds rather than the milliseconds of a traditional SAN.

Figure 1 - Transactions per Minute

In Figure 1 above we can see that the impact on an OLTP workload with SmartIO enabled, compared to a traditional SAN infrastructure, is about 3x.  This is a great benefit to my database and to any application based on transactional workloads that drive performance and revenue.  Go back to my standard answer when asked about SmartIO, however, and you may say that everything in a SAN is much more than an application or database.  And you would be 100% correct.

Analyzing the end-to-end I/O path from an application to storage, there are multiple points that introduce latency and overhead on physical resources.

Figure 2 - I/O Flow

As enterprises add more complexity to this path, for example with server and storage virtualization or multiple hops through core and edge switching, each addition is another opportunity to introduce latency into the I/O path, and it puts more strain on a hardware infrastructure that must be architected, and re-architected, to handle more and more I/O coming from larger and more complex data sets and applications.

This brings us back to everything and how SmartIO can help along each step in the SAN infrastructure.  As discussed earlier, SmartIO keeps I/O operations within the server through its intelligent, application integrated caching heuristics.   Any I/O that stays inside a server is off of the network, removing the majority of the latency and physical overhead points outlined in the diagram above.

Figure 3 - IO Requests per Second

Analyzing the read requests for the SAN during the benchmark run in Figure 3, you can see a dramatic drop in the I/O requests made to the back-end storage.  This shows that SmartIO is handling an increasing amount of reads and fulfilling those requests from the internal SSD. I/Os that used to hit the network driver, HBA, fibre-channel network, array controllers and rotational media are taken completely off the network.  This means more available network and controller capacity to handle more traffic for more servers and applications.  This is SmartIO making everything in the SAN faster.

                                | SAN Only   | SAN+SmartIO
Benchmark Time                  | 60 Minutes | 60 Minutes
Average SAN Read I/O per second | 79.77      | 2.97
Total SAN Read I/O              | 586,321    | 21,846

Over the 120 minute benchmark, our array served approximately 586k read operations. SmartIO took over 550k I/Os off the array. This equates to 550k I/Os off the network, or, when looking at the full request/response path, over 1 million roundtrip operations. 

With SmartIO and Symantec Storage Foundation 6.1 customers can utilize internal SSD to drive up application performance and reduce the network and storage overhead to speed up everything in the SAN. 

For more information on this and other capabilities of Symantec storage management suite, please see:

Symantec Signs On to Change the Equation’s Commitment to Excellence in STEM

Q: What do you get when you bring Vice President Joe Biden, Change the Equation and 26 U.S. companies committed to increasing science, technology, engineering and mathematics (STEM) literacy together over lunch?

  1. Intriguing conversations
  2. Some leftover pie
  3. A national Commitment to Excellence in STEM with signatory companies pledging to ensure all children in communities across the U.S. have access to high-quality, excellent STEM learning opportunities.

The answer is, all of the above! On Friday, May 16, Symantec joined Vice President Joe Biden and 25 other corporate leaders to sign Change the Equation’s (CTEq) Commitment to Excellence in STEM, a public call to action for a national movement to champion STEM literacy among all high school graduates. Change the Equation works at the intersection of business and education to ensure that all students are STEM literate by collaborating with schools, communities and states to adopt and implement excellent STEM policies and programs. This commitment stresses the corporate sector’s pledge to collaborate with each other, other programs and communities; high expectations for all students; data-driven advocacy for STEM; and the availability of high-quality STEM learning programs in communities across the country.

This public declaration also recognizes the importance of STEM literacy as a transformative life skill that impacts the future success of our young people and the ability of our nation to remain a leader in innovation. As cybersecurity issues become more prominent, the need for STEM-trained and -educated leaders that are ready to help solve cybersecurity problems is increasing. Currently, there are not enough STEM-educated people to service the needs of today, even less to serve the needs of tomorrow. In 2011, only 45 percent of U.S. high school graduates were ready for college work in math, and 30 percent were ready in science.

At Symantec, we see providing STEM and literacy education to children and young adults as a business imperative in order to build a diverse and innovative workforce. We specifically look to build programs focused on computer programming, teacher recruitment and training and afterschool education. By signing the Commitment to Excellence, Symantec aims to build on the work we have done with the Change the Equation program since 2010, continuing to engage students in STEM at a young age and increase access to career training for our future cybercrime fighters.

Jaime Barclay is Symantec's Corporate Philanthropy Program Manager.

Password Stripping with Enterprise Vault 11

Finally, after a long wait, Enterprise Vault has caught up with some of the third-party products that deal with PST migration. At least, it has in some ways. I'm talking about password removal from PST files. This is now an option in the site settings:

With this setting enabled (it is not enabled by default), any password-protected PST files that Enterprise Vault attempts to migrate will have the password stripped first.

And in DTRACE, when you hit a password-protected file, you'll see something like this:

168797     10:24:39.352     [7424]     (MigratorServer)     <604>     EV:M     {CMigrator::OpenPSTStore}|Trying to generate password patch to open PST file.
168798     10:24:39.352     [7424]     (MigratorServer)     <604>     EV:M     {CPstUtil::ComputePstPasswordPatch:#108} Entry.
168799     10:24:39.352     [7424]     (MigratorServer)     <604>     EV:M     {CPstUtil::OpenPstFile:#66} Entry.
168800     10:24:39.354     [7424]     (MigratorServer)     <604>     EV:M     {CPstUtil::OpenPstFile:#86} Exit - 0.
168801     10:24:39.354     [7424]     (MigratorServer)     <604>     EV:M     {CPstUtil::GetPstFileType:#179} Entry.
168802     10:24:39.354     [7424]     (MigratorServer)     <604>     EV:M     {CPstUtil::GetPstFileType:#198} PST file type is UNICODE.
168803     10:24:39.354     [7424]     (MigratorServer)     <604>     EV:M     {CPstUtil::GetPstFileType:#202} Exit - 0.
168804     10:24:39.354     [7424]     (MigratorServer)     <604>     EV:M     {CPstUtil::CPstReader<class CPstUtil::CUnicodePst>::ComputePasswordPatch:#311} Entry.
168805     10:24:39.354     [7424]     (MigratorServer)     <604>     EV:M     {CPstUtil::CPstReader<class CPstUtil::CUnicodePst>::ReadHeader:#245} Entry.
168806     10:24:39.354     [7424]     (MigratorServer)     <604>     EV:M     {CPstUtil::CPstReader<class CPstUtil::CUnicodePst>::ReadHeader:#288} Exit.
168807     10:24:39.372     [7424]     (MigratorServer)     <604>     EV:M     {CPstUtil::CPstReader<class CPstUtil::CUnicodePst>::FetchPasswordCRC:#434} Entry.
168808     10:24:39.372     [7424]     (MigratorServer)     <604>     EV:M     {CPstUtil::CPstReader<class CPstUtil::CUnicodePst>::SearchBlock:#358} Entry.
168809     10:24:39.373     [7424]     (MigratorServer)     <604>     EV:M     {CPstUtil::CPstReader<class CPstUtil::CUnicodePst>::SearchBlock:#414} Exit.
168810     10:24:39.373     [7424]     (MigratorServer)     <604>     EV:M     {CPstUtil::CPstReader<class CPstUtil::CUnicodePst>::ReadBlock:#752} Entry.
168811     10:24:39.374     [7424]     (MigratorServer)     <604>     EV:M     {CPstUtil::CPstReader<class CPstUtil::CUnicodePst>::ReadBlock:#786} Exit.
168812     10:24:39.374     [7424]     (MigratorServer)     <604>     EV:M     {CPstUtil::CPstReader<class CPstUtil::CUnicodePst>::FetchPasswordCRC:#483} Found PidTagPstPassword in message store block.|
168813     10:24:39.374     [7424]     (MigratorServer)     <604>     EV:M     {CPstUtil::CPstReader<class CPstUtil::CUnicodePst>::FetchPasswordCRC:#499} PST file IS password protected. Getting it's CRC.|
168814     10:24:39.374     [7424]     (MigratorServer)     <604>     EV:M     {CPstUtil::CPstReader<class CPstUtil::CUnicodePst>::FetchPasswordCRC:#533} Exit.
168815     10:24:39.374     [7424]     (MigratorServer)     <604>     EV:M     {CPstUtil::CPstReader<class CPstUtil::CUnicodePst>::ComputePasswordPatch:#336} Exit.
168816     10:24:39.374     [7424]     (MigratorServer)     <604>     EV:M     {CPstUtil::ComputePstPasswordPatch:#161} Exit.- 0.
168817     10:24:39.374     [7424]     (MigratorServer)     <604>     EV:M     {CMigrator::OpenPSTStore}|Successfully generated password patch to open PST file '\\?\UNC\ROB-PC\C$\Users\vty\Documents\pwdprotected.pst'. Trying to open pst file using password patch.
168818     10:24:39.374     [7424]     (MigratorServer)     <604>     EV:L     CPSTHelper::OpenPstStore:[\\?\UNC\ROB-PC\C$\Users\vty\Documents\pwdprotected.pst]
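As an added example (not part of the original post, and not Enterprise Vault's own code), here is a small Python parser that correlates these DTRACE lines per thread and reports which PST files the migrator found to be password protected and patched, so an administrator can audit a migration run. The sample trace inside it is constructed from the excerpt above; the second thread (612) and its plain.pst path are made up.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample trace: the thread-604 lines follow the excerpt in the
# post; thread 612 and its plain.pst path are made up to show that records
# from interleaved threads are kept apart.
SAMPLE_DTRACE = r"""
168797     10:24:39.352     [7424]     (MigratorServer)     <604>     EV:M     {CPstUtil::ComputePstPasswordPatch:#108} Entry.
168802     10:24:39.354     [7424]     (MigratorServer)     <604>     EV:M     {CPstUtil::GetPstFileType:#198} PST file type is UNICODE.
168813     10:24:39.374     [7424]     (MigratorServer)     <604>     EV:M     {CPstUtil::CPstReader<class CPstUtil::CUnicodePst>::FetchPasswordCRC:#499} PST file IS password protected. Getting it's CRC.|
168814     10:24:39.374     [7424]     (MigratorServer)     <612>     EV:L     CPSTHelper::OpenPstStore:[\\?\UNC\ROB-PC\C$\Users\vty\Documents\plain.pst]
168816     10:24:39.374     [7424]     (MigratorServer)     <604>     EV:M     {CPstUtil::ComputePstPasswordPatch:#161} Exit.- 0.
168817     10:24:39.374     [7424]     (MigratorServer)     <604>     EV:M     {CMigrator::OpenPSTStore}|Successfully generated password patch to open PST file '\\?\UNC\ROB-PC\C$\Users\vty\Documents\pwdprotected.pst'. Trying to open pst file using password patch.
168818     10:24:39.374     [7424]     (MigratorServer)     <604>     EV:L     CPSTHelper::OpenPstStore:[\\?\UNC\ROB-PC\C$\Users\vty\Documents\pwdprotected.pst]
"""

# One DTRACE line: sequence number, timestamp, [pid], (process), <thread>,
# EV:<level> and then the free-text message.
LINE_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+\[(?P<pid>\d+)\]\s+"
    r"\((?P<process>[^)]+)\)\s+<(?P<thread>\d+)>\s+EV:(?P<level>\w)\s+(?P<msg>.*)$"
)

# Message fragments exactly as they appear in the trace excerpt.
TYPE_RE = re.compile(r"PST file type is (\w+)")
PROTECTED_MARK = "PST file IS password protected"
PATCH_RE = re.compile(r"Successfully generated password patch to open PST file '([^']+)'")
OPEN_RE = re.compile(r"CPSTHelper::OpenPstStore:\[([^\]]+)\]")


@dataclass
class PstOpen:
    """One PST the migrator opened, with what the trace said about it."""
    thread: str
    path: str = ""
    pst_type: str = ""
    password_protected: bool = False
    patch_generated: bool = False


def parse_dtrace(text: str) -> List[PstOpen]:
    """Correlate DTRACE lines per thread into one record per PST opened."""
    pending: Dict[str, PstOpen] = {}
    results: List[PstOpen] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank line or non-trace text
        thread, msg = m.group("thread"), m.group("msg")
        # The migrator works on one PST at a time per thread, so the thread id
        # joins the password-patch lines to the OpenPstStore line that follows.
        rec = pending.setdefault(thread, PstOpen(thread=thread))
        t = TYPE_RE.search(msg)
        if t:
            rec.pst_type = t.group(1)
        if PROTECTED_MARK in msg:
            rec.password_protected = True
        p = PATCH_RE.search(msg)
        if p:
            rec.patch_generated = True
            rec.path = p.group(1)
        o = OPEN_RE.search(msg)
        if o:
            rec.path = o.group(1)
            results.append(pending.pop(thread))  # the open closes the record
    return results


def summarize(records: List[PstOpen]) -> Dict[str, int]:
    """Run totals a migration administrator would report."""
    return {
        "opened": len(records),
        "password_protected": sum(r.password_protected for r in records),
        "patched": sum(r.patch_generated for r in records),
    }


if __name__ == "__main__":
    opened = parse_dtrace(SAMPLE_DTRACE)
    for rec in opened:
        print(rec)
    print(summarize(opened))
```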

Support for Exchange 2013 SP1, SharePoint 2013 SP1, Office 2013 SP1

*Update 26th March*

I'm pleased to announce that from today Enterprise Vault now offers support for Service Pack 1 for Exchange Server 2013 and Outlook 2013 (as a client).

See below for minimum Enterprise Vault versions:

  • Exchange Server 2013 SP1 - Supported from Enterprise Vault 10.0.4 CHF2 or later
  • Outlook 2013 SP1 - Supported as a client from Enterprise Vault 10.0.3 or later

SharePoint 2013 SP1 is still in certification and we expect to be able to announce support in the coming weeks.

As always, check the Enterprise Vault compatibility guide for all certification information: http://www.symantec.com/docs/TECH38537

How the Elderwood Platform is Fueling 2014's Zero-Day Attacks

In 2012, Symantec researched the Elderwood platform, which was used in spear-phishing and watering-hole attacks against a wide variety of industries. The Elderwood platform essentially consists of a set of exploits that have been engineered and packaged in a "user-friendly" way, so that even attackers with limited technical skill can easily use zero-day exploits against their targets.

Attacks using the Elderwood platform have been observed against a wide range of sectors, including defense, the defense supply chain, manufacturing, IT, and human rights. Most notably, this set of exploits was used in the campaign known as Operation Aurora.

The Elderwood platform was first identified in 2012, but it has been continuously updated since then, incorporating a number of the latest zero-day exploits. In just the first month of 2014, the Elderwood platform was used to exploit three zero-day vulnerabilities, proving that it remains a formidable threat.

Our initial research suggested that the Elderwood platform was being used by a single attack group, but our latest findings lead us to believe that several groups are using it. There is also evidence that either a single distributor is involved in selling the platform, or a single large organization is developing the exploit set for its own in-house attack teams. Either way, this may offer a clue as to how some of the largest attack groups active today get such early access to zero-day exploits.

Who created Elderwood?
Several hypotheses have been put forward about the makeup of the attackers using the Elderwood platform's zero-day exploits, and Symantec's research envisages the following two scenarios.

  • A single parent group made up of multiple subgroups. In this case, each subgroup is tasked with targeting a particular industry. Each uses individually developed malware families and operates its own network infrastructure. The parent group obtains the zero-day exploits and coordinates their distribution and use among the subgroups.

Figure 1. Zero-day exploits are distributed through a parent group that oversees several subgroups

  • The attack groups are separate organizations with different objectives. In this case, the groups share a common supplier, from which zero-day exploits are distributed to each group at the same time. The supplier may also favor certain attack groups, handing them zero-day exploits a few days earlier than the others.

Figure 2. Zero-day exploits are distributed from a single common supplier to multiple groups

The evidence Symantec has gathered (discussed below) suggests that someone is most likely supplying a variety of Internet Explorer and Adobe Flash zero-day exploits, either to a single intermediary organization or directly to multiple groups. This alone indicates the level of resources the attackers have at their disposal.

If the exploits are being sold through a third-party supplier, the groups buying them must have ample funds to pay for them. If the exploits are being developed in-house, the organization employs a number of highly skilled individuals. These engineers are either being paid substantial sums, or have some other reason for not selling the exploits themselves on the open market.

Notable Elderwood exploits
In 2012, the Elderwood platform made use of several exploits for Internet Explorer and Adobe Flash. Numerous vulnerabilities were exploited, including the following.

More recently, we have seen new zero-day exploits used against the following vulnerabilities, many of which are similar to exploits used previously.

The exploits used by the Elderwood platform are not limited to these, but, as described below, it is precisely these that provide evidence of the links between Elderwood campaigns. Let us now look at the main attack groups that have used the Elderwood platform over the past several years.

Who has been using the Elderwood platform?
The following is a timeline of recently observed, prominent campaigns that use the Elderwood platform.

Figure 3. Timeline of recent campaigns observed exploiting zero-day vulnerabilities

Many of the following attack groups do not use the Elderwood platform exclusively, but they have consistently been observed using Elderwood in their main campaigns over the past few years. In addition to exploiting vulnerabilities known to be used by the Elderwood platform, they have exploited other flaws such as the Microsoft Internet Explorer 'CDwnBindInfo' Use-After-Free Remote Code Execution Vulnerability (CVE-2012-4792) and the Microsoft Internet Explorer Remote Code Execution Vulnerability (CVE-2014-1776).

| Attack group | Target | Associated campaign | Vulnerabilities exploited | Malware used |
|---|---|---|---|---|
| Hidden Lynx | Defense industry | Operation Snowman | CVE-2014-0322 (Internet Explorer) | Backdoor.ZXshell |
| Vidgrab | Japanese users; Uyghur dissidents | | CVE-2014-0322 (Internet Explorer); CVE-2014-0502 (Adobe Flash) | Backdoor.Vidgrab; Backdoor.Jolob |
| Linfo/Icefog | Manufacturing | Icefog | CVE-2012-0779 (Adobe Flash); CVE-2014-0324 (Internet Explorer) | Backdoor.Linfo; Backdoor.Hormesu |
| Sakurel | Aircraft engine manufacturers | | CVE-2014-0322 (Internet Explorer); CVE-2012-4792 (Internet Explorer); CVE-2014-0502 (Adobe Flash); CVE-2014-1776 (Internet Explorer) | Trojan.Sakurel |

Table 1. Attack groups using the Elderwood platform

Links to Elderwood
In addition to the attack groups exploiting these vulnerabilities in their campaigns, there also appear to be links in the exploit infrastructure.

The two zero-day exploits for the recently discovered Internet Explorer vulnerabilities CVE-2014-0322 and CVE-2014-0324 share many features, one of which is the shellcode. Both can decrypt malware retrieved from an image and write the decrypted malware to a file with a .txt extension in the %Temp% folder.

In addition, the exploits for CVE-2014-0502 and CVE-2014-0322 were hosted on the same site. There are also indications that the exploit for CVE-2014-0324 was used to drop Backdoor.Linfo. The same malware was dropped in 2012 by the exploit for CVE-2012-0779.

The figure below shows the overall picture of how these attack groups use the Elderwood platform.

Figure 4. Past and present zero-day exploit correlations

Conclusion
It is not possible to definitively tie the use of zero-day exploits to a single central group or organization. Once a zero-day exploit has been used in an attack, it can be reverse engineered, copied, and repurposed for other attacks. The Elderwood platform is particularly easy to reverse engineer because its exploits are compactly packaged and separated from the payload. Elderwood's exploit implementation may have been deliberately built this way to make it easy for attackers to use.

That said, the recently observed campaigns repeat a common pattern among the attack groups: using Internet Explorer and Flash zero-day exploits to spread the same malware families. Moreover, these exploits show many similarities in how they are implemented. This evidence points to far closer communication between the attack groups than would be the case if the exploits were simply being reverse engineered.

Whether Elderwood is created by a third-party supplier or by a large organization with its own team, each of the groups using Elderwood's zero-day exploits is well resourced and highly motivated. There is no doubt that they pose a serious threat to the companies and organizations that may be targeted.

Symantec customers are protected from the various malware families covered in this blog by antivirus, intrusion prevention, behavioral detection, and reputation technologies.

* To subscribe to the RSS feed of the Japanese Security Response blog, go to http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja.

Join the TWEET Chat: What are the odds of your company getting attacked?

Mark your calendars to join the #ISTRTALK chat and plan to discuss the latest attack vectors and techniques used by cybercriminals to gain access to your data.


Rosencrantz and Guildenstern Are Dead!

A Cautionary Tale (or “Things Happen. People Go Crazy. Everybody Dies.”)

Without digging too far into the works of Shakespeare and by horrendously over-simplifying matters, there is a pair of characters from “Hamlet” that I would like to use as a tortured analogy. They are Rosencrantz and Guildenstern, and things do not go well for them at all.

These two characters are old college friends of the Prince Hamlet and are summoned by the King and Queen to come and look in on their friend who is having a bad time as of late. This, being a Royal summons, they show up because that’s what you do. After meeting up with Hamlet, these two characters note that Hamlet is a bit out of sorts (perhaps this has to do with his father dying recently and his mother marrying his uncle?). After Hamlet kills somebody, Rosencrantz and Guildenstern are requested to embark on a road-trip with the Prince and a note. It’s a request they honor because that’s what you do at the request of the Royals. The Prince makes some small changes to the note because Princes do that type of thing. They get attacked by pirates because that just happens from time to time. In the end, Hamlet skips out on the road-trip and these two characters are at the end of the journey with a note from a King and Queen which request that they be put to death. And they are put to death because this is a Royal request and that’s what you do when the King and Queen ask you to do something of this nature.

“What does this have to do with an AV only install of SEP?” you ask. I’ll connect the two.

For many years, an AV-only install was all the protection a client system needed. Sometimes it was all that was available, but that was okay. The firewall rules were tight and there was scanning on the e-mail system... All seemed well. But, slowly, the threat landscape started to change, and threats began to leverage vulnerabilities in applications, services and operating systems to gain footholds on client systems. A file no longer had to be written or accessed by the file system for the system to be compromised; using an exploit or overrunning a buffer could accomplish it all, and it could all happen over the wire.

Security vendors noted this change and started incorporating additional technologies into what had traditionally been just AV. Intrusion detection/prevention modules were added. Client firewalls and process and device injection drivers were created. Browser add-ons and helper objects were written. All of these were added together and bundled up as a decidedly new type of client that was remarkably unlike the AV client of old.

A brand new set of technologies is delivered to you, and what are you supposed to do with it? You set it up in the only way you know how: mirror the old AV-only solution, because that is what you do. Testing goes well, but testing always goes well, because the "Model Office" never seems to have anything to do with a "Real Office". There may have been hiccups in the limited pilot, but those can be dealt with in time. The software is packaged and then, one night, the trigger is pulled and the rollout begins, because that is how this is done.

Then, the phone rings.

The business critical application that is reliant upon a specialized and rather expensive piece of hardware can no longer function. A custom Java applet can no longer launch. Teamed network cards on server clusters are failing. E-mail cannot be accessed by clients. Processes on devices won’t function. Business stops. Then, the word comes from on high that steps need to be taken to get back to where we were yesterday and you take those steps. That which can just be disabled is disabled and that which needs to be uninstalled is indeed uninstalled. Because that is what you do.

After the events, cases are opened and vendors are alerted. Hardware updates are requested and drivers are written. Device firmware and BIOS are updated. New sets of policies are updated to become part of the defaults. The entire security software suite is re-written to increase throughput and address interactions with other hardware and software. All of the backend management pieces are updated and there is even a live pilot of the current version of the security suite running on the systems that were heavily impacted last time and everything is working. All that is needed is to follow through and push the rest of the suite. The word from on high is that the new client can be released, but only to new clients as they are built. Now your upgrade path is an act of attrition and that is what you do.

Meanwhile, you are constantly being besieged by threats that are coming from all angles or are desperately attempting to keep abreast of the current vulnerabilities in the software that you run to keep the threats at bay.

Here is where Rosencrantz and Guildenstern come into play. If you have an AV only install active in your environment today, review the business decisions that took place to allow you to arrive and remain at that install. I know that things might have been crazy and that some people may have been hurt, but there are more pirates on the way and the last thing you want is to be knocking on a door holding a letter that spells your own demise, because that’s what happens.

Enterprise Vault 11 is now available...

Time to upgrade to the biggest, fastest and most productive version ever.

The Enterprise Vault team is excited to announce the general availability of Symantec Enterprise Vault™ 11. You can download the bits from Symantec File Connect here (https://fileconnect.symantec.com).

This highly anticipated release super charges Enterprise Vault, making it bigger, faster and better than ever before:

  • Bigger platform support - Introduction of a powerful IMAP capability to offer support for end user archiving from any email platform
  • Faster archive access - A new, modern end user search interface coupled with archive access via IMAP makes access to archived items easier than ever
  • Faster archive performance - Up to 20% faster archiving rates and up to 18x faster browsing of the archive via Fast Browse
  • Better control and manageability - More powerful PST Migration capabilities, including migration status dashboard, as well as Monitoring and Alerting enhancements via SCOM

Here's a run through some of the major enhancements in Enterprise Vault 11:

Mail Connect

Mail Connect provides the ability to access an archive via an IMAP compatible client from platforms such as mobile phones, tablets, laptops and desktops. It opens up direct access to the user archive from an array of different clients and will be especially useful if you have Mac email clients or are moving your email services to the cloud, but want to retain your Enterprise Vault data on premise. Customers can now deploy Enterprise Vault email archiving within any email server environment, taking advantage of users driving the action of archiving.

Enterprise Vault Search

The all new Enterprise Vault Search is a modern and familiar end-user UI that provides a rich, cross-browser search experience. It unifies and replaces the existing features of Archive Explorer, Integrated Search and Browser Search. End users will find archived information quicker and easier than ever.

Fast Browse

Fast Browse-enabled archives can list the contents of an archived folder up to 18x faster than previously possible. This performance improvement is particularly noticeable when used in conjunction with Mail Connect or Enterprise Vault Search. 

PST Migration Enhancements

Enterprise Vault’s PST migration capabilities have been enhanced to improve the workflow around enablement, monitoring and processing. New capabilities enable administrators to filter and sort PST information in the Enterprise Vault administration console and group PST files or computers for processing in batches. Six new dashboards have been added to provide live migration status and reporting. Additionally, Enterprise Vault can now be configured to migrate password protected PST files without needing to know the password.

Enhanced SCOM Monitoring

The Microsoft System Center Operations Manager (SCOM) pack has been enhanced with improved daily monitoring of key Enterprise Vault resources, which helps provide a status and identify issues or failures in the Enterprise Vault environment as quickly as possible. The new features help reduce the time spent performing daily operational/monitoring tasks for Enterprise Vault, Backup and Storage Administrators.

Storage Safety Queue

Exchange mailbox customers can now benefit from instant quota relief. Using the Safety Copy feature, you can configure vault stores so that Enterprise Vault keeps safety copies in its own internal storage queue. This means that Enterprise Vault can remove items from original locations as soon as they have been archived, independently of whether backups have been completed, while retaining data redundancy. The safety copy is safely removed from the storage queue once backed up or replicated, so time is saved in freeing up space on the original server and more importantly, space is immediately returned to the user’s mailbox so they can continue to work without interruption.

 ------

If you want read more about Enterprise Vault 11 then check out the links below:

Enterprise Vault 11 product documentation (http://www.symantec.com/docs/DOC6634)

Enterprise Vault 11 feature briefings (http://www.symantec.com/docs/DOC7151)

Benefits of upgrading to Enterprise Vault 11 (http://www.symantec.com/docs/DOC7164)

Enterprise Vault IMAP Best Practices Whitepaper (www.symantec.com/docs/DOC7122)

Enterprise Vault PST Migration Whitepaper (www.symantec.com/docs/DOC6625)

Enterprise Vault compatibility guide (http://www.symantec.com/docs/TECH38537)

Enterprise Vault 11 performance guide (http://www.symantec.com/docs/TECH125795)

Why Upgrade to Enterprise Vault 11 page (http://go.symantec.com/upgrade-ev)

Installing Symantec System Recovery 2013 Management Solution

First-time install:
=============

You install Symantec Installation Manager on the computer where you plan to install the Symantec System Recovery 2013 Management Solution. Ensure the server has a high-speed Internet connection.

For an offline installation, you install Symantec Installation Manager on a computer that has an Internet connection. You then use Symantec Installation Manager to create an installation package that you run on the computer that does not have an Internet connection.

  1. Log on to your computer using either the Administrator account or an account with administrator privileges.
  2. Install Symantec Installation Manager (SIM).

          a) To download SIM, visit http://www.symantec.com/products/downloads/?inid=us_ps_flyout_prdts_trialware

          b) Under Infrastructure Operations, go to IT Management Suite

          c) Click Download

          d) Log in with your SymAccount (if you don't have one, register to create a new one)

          e) When you click the option to download the product on the Software Download page, the Symantec Installation Manager EXE file is downloaded. The name of the file is symantec_sim.exe. Please refer to this technote for the SIM installation prerequisites: http://www.symantec.com/business/support/index?page=content&id=HOWTO54448

          f) Install SIM and launch it (it launches automatically after installation; to launch it manually, click Start > All Programs > Symantec > Symantec Installation Manager > Symantec Installation Manager).

Note: When you start Symantec Installation Manager, if a new version is available, you are prompted to update to the new version. Choose to update immediately. The SIM version should be at least 7.1.238.

  3. Click Install new products.


  4. Proceed with the installation. If any prerequisite is missing, a readiness check screen is presented with suggested remediation. Follow the steps and you're done!

For more detailed installation instructions, please refer to the product administration guide at http://www.symantec.com/business/support/index?page=content&id=DOC6257

Upgrade:
=======

  1. Launch SIM (click Start > All Programs > Symantec > Symantec Installation Manager > Symantec Installation Manager)
  2. Click Settings > Change Product Listings and choose the global product listing, which appears as "symantec_v2.pl.xml.zip"

Note: This step is needed because we have discontinued shipping DVDs for Symantec System Recovery 2013 Management Solution, so that customers can better leverage the new release(s) and hotfix(es) of Symantec Management Platform (formerly Altiris).

  3. Click Upgrade installed products
  4. Proceed with the upgrade. Done!

For more detailed upgrade instructions, please refer to the product administration guide at http://www.symantec.com/business/support/index?page=content&id=DOC6257

Bankeiya Malware Targets Users in Japan With or Without Vulnerabilities

Online banking customers in Japan are being targeted by an information-stealing malware family that is distributed using exploits as well as through files downloaded from a compromised website.

The Consumerization of IT Has Built B2Both

The consumerization of IT isn't new. It's been infiltrating organizations and breaking down B2C and B2B barriers for over a decade now. Cloud-based email, social networks, and instant messaging were all introduced from the outside in. We can even thank consumers for smuggling in those emoticons we see peppered throughout our daily communications :).

IT departments must embrace these mini-uprisings and harness the power of their own corporate crowdsourcing. Just like how local governments started building skateboard parks for the disgruntled youth to negotiate 180 fakie kickturns rather than scuff up bank benches or Mayor Quimby’s bust, more and more IT groups are embracing this inevitable change. 

For example, many traditionally close-to-the-vest companies are opening up their own physical IT “stores” to better connect with employees, get ahead of trends, and build up goodwill. Similarly, even SAP has an Apple-esque “genius bar” at many of its offices.

The biggest fear, of course, is a security breach or data loss. A company can never be 100% safe, but risk can be managed. IT groups must ditch the draconian mentality and better prepare their flock. Giving employees access to a few approved services will create fewer cracks in the armor.

I spoke with one CTO from a leading Bay Area retail company and security was top of mind: "Data is critical to an organization's success. As long as it remains protected within the internal environment, it should be okay." Ultimately, "consumerization of IT is good as we need to develop better technologies to compete for consumer dollars, and the non-consumer sectors end up with a better product." In other words, it's a balance between fences and freedom.

Here are 6 ways a dominant BYOService can bring goodness to a business:

1.  Better collaboration that breaks down silos

2.  Boosts morale and minimizes frustration

3.  Pre-installed adoption means a quick learning curve

4.  Ubiquitous platform spans devices and platforms – no walled gardens

5.  Mother Earth will thank you – less printing and it puts a stop to those maddening USB drives in the shape of the company logo.

6.  You’ll look cool, even to the skateboard crowd
