Technique to determine an reasonably accurate archive date and time from the saveset path and file name

Apple’s mobile OS has been enhanced, but is it more secure?

Emerging Threat - Anonymous - Operation Petrol (June 20 2014)

EXECUTIVE SUMMARY:

Who: Anonymous, a politically motivated group of hacktivists (mostly Middle East based). Specifically the AnonGhost group and Mauritanian Hackers group will likely host this operation.
What: Cyber-attacks against oil, gas, and energy companies, but specifically the Petroleum industry in the Middle East.
When: Before, during, and after June 20, 2014. Attackers may attack across different time zones.
Why: Anonymous disagrees with the U.S. Dollar being used as the currency to buy and sell oil.
Note: Denial of Service attacks may be a diversion from the real attacks: fraudulent/illegal wire transfers.

Ive just come off 'Gigya's' latest Webinar about the power of social login for marketing.  You know, when you go to a website and your asked to create an account but you also have the option to simply join by using your facebook account.  Well there is a big problem with this and its not going to be long before hackers are all over it.  People dont realise that when they hit the 'login with facebook' account of whats actually happening and even for a professional its difficult to determine.

The issue is that the social login window is often sized very small and is not sizeable and you cant see the address its pointing at, so it might offer a fake one first, collect your login and password, say there was an error and ask you to try again, then offer you the real one and let you in so you dont think youve been conned.  People do this dozens of times per week and just trust that the little box is really connecting to facebook.  Invariably, the peoplke caught out by this will be the same people that use the same id's and passwords for ebay/paypal/banking apps etc.  I think its about time there was some sort of security lockdown on this to allow users to feel safe that they were only ever typing their credentials into facebook.

While online identity remains a tough nut to crack, it becomes clearer every day that we must move beyond using passwords sooner than later. Passwords have several weakness that leave corporate users, consumers and the online world at significant risk, because at the end of the day they rely on shared secrets between you and another party. The problem is: these secrets aren’t so secret after all.

2013 was the "Year of the Mega Breach." Clearly, hackers are upgrading their tools and creating more sophisticated attacks, which means businesses must do the same when it comes to security. In today’s complex IT environment, cybersecurity is a business imperative, and successful security programs should assume that an incident is not a matter of if, but when. Symantec's CIO, Sheila Jordan, has shared important best practices for CIOs and CSOs in an Op-ed for InformationWeek's, Dark Reading.

While Communications Service Providers (CSPs) tell their customers they are more than ‘simply' network utilities, it stands to reason that they need to provide similar levels of service to traditional utility companies such as water or energy providers. 

In security terms this means offering a certain level of information protection - as has been said more than once, just as we expect water to come out of our pipes clean, so we expect the same for our information. 

This doesn’t mean that the onus is entirely on the CSP, of course. Across the history of end-point security, providers and software vendors have had to work together to help protect the confidentiality, integrity and availability of data whether it is at rest on a PC, or in transit across the network. 

More recently, the rise of mobile computing has seen handsets start simple and become increasingly complex, meaning that consumers are not always well prepared against potential attacks. As our Internet Security Threat Report (ISTR) illustrates, only half of the mobile subscribers have basic security measures (incl. security software) in place and also they are less careful in dealing with suspicious emails and messages compared to subscribers on PCs.  Meanwhile the number of mobile users having had experience of mobile cybercrime in the past 12 months is running at 38% and rising. 

As subscribers often associate their mobile devices with their CSPs, there is a huge opportunity for providers to educate their customer base and additionally offer appropriate mobile security measures, for example by bundling security services with their devices or mobile tariffs. 

This has a number of benefits, from increasing customer loyalty and the stickiness of their offerings (and potentially increasing ARPU), to protecting their own networks from new threats like botnets, and reducing the risk of becoming blacklisted. 

The rate of change in the market remains the biggest challenge - the bad guys can exploit both complexities inherent in the architecture and the fact that people are slow to react or adopt measures. To counter this challenge, our advice to CSPs would be to work on making things simple for consumers, on a number of fronts. 

The first of course, is making any security features as transparent and manageable as possible - the user should need to do the minimum for a service to be active, and it should not get in the way of day to day activities. 

Beyond this there is the question of how security products are packaged and licensed. For example CSPs can offer converged security, with flexible licensing models that work across multiple devices and operating systems (for example Windows PCs, IOS phones, Android tablets, …). Finally, marketing, selling and billing processes can be designed with security and information protection in mind, for example offering a premium service with all-in security and backup.

Mobile security has yet to reach a point where it significantly undermines consumer confidence in their smartphones (as happened with PCs in the late 1990’s). I hope it never will, but even as the risks continue to grow, the opportunity exists to deliver better security-minded services to consumers whatever devices they use and benefit as a result.

Welcome to the May edition of the Symantec Intelligence report. Symantec Intelligence aims to provide the latest analysis of cyber security threats, trends, and insights concerning malware, spam, and other potentially harmful business risks. After publishing our annual Internet Security Threat Report, we’re back to take a look at the monthly trends in the threat landscape since the report was published.

Up until May, the year has been relatively quiet on the data breach front. This follows three consecutive months at the end of last year with data breaches that resulted in the exposure of over 100 million identities each month, leading us to call 2013 the year of the “mega-breach.” May sees the return of another large data breach, this time exposing over 145 million identities in one breach.

In terms of targeted attacks, spear phishing attacks per day started out fairly high, where January saw 165 attacks in an average day. However this attack rate has slowly declined as the year has progressed, currently sitting at 54 attacks per day for the month of May.

Ransomware is another area of the threat landscape where we have seen modest declines so far this year. Back in November of 2013, Ransomware activity peaked, where Symantec was blocking 861,000 potential Ransomware infections in the month. These numbers remained relatively high in the first few months of 2014, but have declined significantly in April and May, currently sitting at only 17% of the peak activity seen last November.

In other news, May saw the disclosure of four zero-day vulnerabilities, there were 66 Android malware variants for every family, and phishing, spam, and email virus rates were all up in May after drops in April.

We hope you enjoy the May Symantec Intelligence Report. You can download your copy here.

Organizations are spending more on security and believe they’re adequately protected, yet data breaches continue to impact consumers, businesses and governments – the number of breaches jumped 62 percent in 2013. Overworked and understaffed, security teams are stitching together “good enough” security point products that weren’t designed to work together. Not only does this make you more vulnerable to breaches, but it also increases operational complexity.

Symantec Data Loss Prevention 12.5 introduces new features that give you greater control over your confidential data and simplify the management of DLP including:

1. NEW! Single Server Installation support enables you to deploy the DLP detection servers, Enforce Platform, and Oracle database on a single physical server for branch offices or small organizations (1,000 users or less), and lowers hardware and maintenance costs.
2. NEW! Self-Service Remediation Portal (for Symantec Data Insight) enables business data owners to review and remediate network file policy violations directly from an intuitive online portal, and streamlines the risk remediation process.
3. IMPROVED! DLP Endpoint Agent discovers data stored on Mac OS X; discovers, monitors and prevents events on Microsoft Windows 8.1 Desktop; monitors virtual desktops and applications hosted by Citrix XenApp 6.5, VMware View and Microsoft Hyper-V; and monitors data transferred through the Microsoft Remote Desktop Protocol (RDP).
4. IMPROVED! Endpoint Indexed Document Matching evaluates documents for exact content matches on endpoints in real-time and provides greater control over data use when users are off the network.
5. IMPROVED!Exact Data Matching more accurately detects structured data (i.e., databases, spreadsheets) containing complex, multi-word phrases  which reduces false positives.

To learn more, read the data sheet below or visit go.symantec.com/dlp. Stay tuned for details on our upcoming deep-dive webcast on Data Loss Prevention 12.5! 

Symantec finds out if this infostealer bot is as sophisticated as its marketing suggests.

Spam related to Garcinia Cambogia Extract diet pills also cross-posted to Twitter and avoids spam filters on social networks.

Por: Raphael Sanches C. Paciulli

Introdução

O sistema operacional com a maior abrangência entre os fabricantes de smartphones é sem dúvida o Android da gigante de buscas Google. De acordo com estudos de grandes centros de pesquisas, com mais de 70% do mercado de smatphones o Android ganhou a atenção de muitos hackers dispostos a migrar seus esforços para o mundo mobile com o objetivo de roubar informações ou mesmo de aproveitar essa rede para realizar ataques através da internet.

O número de malwares (software destinado a se infiltrar em um sistema de computador alheio de forma ilícita, com o intuito de causar alguns danos, alterações ou roubo de informações) tem crescido exponencialmente a cada ano. Segundo o relatório da Symantec “2014 Internet Security Threat Report, Volume 19”, houve um aumento de 62% no número de ameaças em 2013.

Mas para muitos usuários, a grande dificuldade neste caso é identificar se o seu smartphone está infectado por algum tipo de vírus, ou pior, se ele faz parte de uma botnet.

A final, o que é uma botnet?

Botnet é um conjunto de computadores ligados à internet controlado por um vírus que possibilita ao atacante executar funções no hospedeiro remotamente.

A botnet é difundida através de bot, um aplicativo capaz de se comunicar com os invasores que o construíram. Este tipo de perigo é um dos menos conhecidos pelos usuários, e justamente por esse motivo ele merece destaque.

Da mesma forma que acontece com o Worm, o bot pode ser um programa independente, agindo e se propagando através do seu computador. Desta forma ele cria suas redes e espalha conteúdo perigoso através dela.

Qual seu objetivo

Na maioria dos casos as botnets são criadas com o objetivo de obter reconhecimento por parte da comunidade hacker ou mesmo o ganho financeiro com a venda ou mesmo a locação da botnet para disseminação de spams ou para utilização de ataques de negação de serviço (DOS – Denied of Service).

Tratando-se de uma botnet em smartphones, um dos principais objetivos é a difusão de spams via SMS e o controle do aparelho para obter informações como lista de contatos, e-mails e dados armazenados, além é claro de poder executar ações sem que o usuário perceba, como a compra de aplicativos e realizar ligações sem que o usuário perceba.

Sistemas operacionais mais atacados

O sistema operacional Android do Google estabeleceu-se como o alvo favorito dos hackers, pela facilidade de infectar aplicativos que estão disponíveis na loja oficial do Google (Android Market) pela deficiência no controle de qualidade dos aplicativos publicados. Outro ponto que reforça a escolha dessa plataforma é a facilidade com que os usuários desse sistema operacional conseguem efetuar downloads de qualquer loja, pois o Android possui uma função que possibilita que o usuário realize downloads de aplicativos de fontes desconhecidas.

De acordo com estatísticas da Symantec, há um enorme crescimento no volume de famílias de malwares: entre Junho de 2012 e Junho de 2013 o número de famílias de malwares conhecidos aumentou em 69%, passando de 121 para 204. Ainda, o número de amostras de malware disponíveis na Internet quadruplicou, passando de 32.000 para cerca de 273.000 no mesmo período. Em geral, no ano de 2013 tivemos um salto significativo no número de novos ataques contra smartphones.

Como os smartphones são infectados

Conforme dito anteriormente, os malwares são obtidos através de aplicações infectadas ou mesmo através de um link recebido via SMS que supostamente seria para download de um aplicativo (na sua maioria jogos), mas que na verdade instala apenas o código malicioso.

O grande número de lojas não oficiais tem contribuído muito para a disseminação dos malwares. Na China, foi descoberta uma rede com mais de 100.000 aparelhos infectados pelo trojan Trojan!MMarketPay.A@Android que foi difundido dentro da rede da Operadora China Mobile uma das maiores operadoras do mundo, e detentora da loja Mobile Market. De acordo com a TrustGo, outras lojas foram utilizadas para a difusão deste trojan tais como nDuoa, GFan, AppChina, LIQU, ANFONE, Soft.3g.cn, TalkPhone, 159.com e AZ4SD.

Porém recentemente na conferência BlackHat realizada em junho deste ano, foi mostrado pelos especialistas da Bluebox Security que o modelo de verificação das medidas de criptografia adotadas pelas aplicações Android permite que um invasor modifique os pacotes de aplicações (APK) sem quebrar as assinaturas de criptografia das mesmas.

Quando uma aplicação é instalada, ela cria uma “zona isolada” chamada sandbox, e o Android regista a assinatura digital dessa aplicação, explica o diretor da BlueBox, Jeff Forristal. Todas as atualizações posteriores devem coincidir com essa assinatura para verificar que são do mesmo autor, continua o especialista.

Este é um evento significativo para o modelo de segurança do Android, porque garante que os dados sensíveis armazenados por uma aplicação, numa área isolada, só possam ser acessados por uma nova versão da aplicação assinada com a chave do autor original. A vulnerabilidade, que existe desde pelo menos a versão 1.6 do Android, chamada de Donut, permite adicionar o código nocivo infectando os pacotes, sem quebrar as medidas de segurança. Desta forma dependendo do tipo de aplicação, o hacker pode explorar essa falha para a criação de uma botnet.

Trojans mais difundidos através da botnet

De acordo com os analistas, o malware detectado como "Backdoor.AndroidOS.Obad.a"é, provavelmente o Trojan mais sofisticado de todos os tempos direcionado para a plataforma Android. Ele pode enviar mensagens SMS para números de telefone, baixar e instalar outros tipos de malware no dispositivo infectado e/ou enviar as infecções via Bluetooth, bem como executar comandos remotos a partir do aparelho.

Em três meses foram descobertas 12 variações deste malware, e todos tinham o mesmo conjunto de funções e um alto nível de ofuscação de código, e cada uma delas utilizava uma vulnerabilidade no Android para dar direitos de administrador no dispositivo para o malware, que torna muito mais difícil a eliminação dessa ameaça. Após a divulgação desta ameaça o Google corrigiu o problema na versão 4.3 do Android, mas as versões anteriores ainda possuem essa vulnerabilidade.

Fonte: http://www.securelist.com/en/blog/8131/Obad_a_Trojan_now_being_distributed_via_mobile_botnets

O outro programa malicioso que infecta dispositivos móveis Android é a aplicação “Free Calls Update”, uma mistura de falso antivírus e ransomware (malwares que cobram resgate pelos dados roubados). O aplicativo depois de executado tenta obter os privilégios de administrador do dispositivo para modificar as configurações e assim ligar/desligar o Wi-Fi e o 3G. O aplicativo é um antivírus falso que finge analisar programas maliciosos e detectar supostas pragas existentes no dispositivo, incentivando a vítima a comprar uma licença para a versão completa, como em PCs.

Ao navegar, o aplicativo exibe uma janela pop-up que consegue assustar o usuário e avisa que um programa malicioso tenta roubar conteúdo pornográfico do celular, este aviso é repetitivo e bloqueia completamente o dispositivo.

Em termos de capacidades e flexibilidade, a tendência dos programas maliciosos para dispositivos móveis convergem com programas maliciosos no mundo do PC. As amostras modernas abusam de tecnologia de ofuscação para evitar as medidas de segurança, e muitas vezes carregam vários módulos que tornam a infecção mais persistente e que extraem informações adicionais ou fazem o download e instalação de malware adicional.

Como evitar a infecção no aparelho.

Para evitar que o aparelho seja infectado por algum desses malwares, o mais recomendado é sempre estar com a versão do smartphone atualizada, e não realizar nenhuma alteração de firmware que não esteja de acordo com a versão oficial do fabricante, pois muitas das versões de firmware existentes podem estar infectadas com algum tipo de malware que possa prejudicar o uso do smartphone, além de o fabricante não fornecer garantia nesses casos.

Atualmente os fabricantes de antivírus para PC tem desenvolvido soluções de antivírus para Android com o objetivo de evitar a disseminação destes malwares e auxiliar os usuários menos avançados no processo de instalação de aplicativos verificando se existe algum código malicioso embutido na aplicação.

Conclusão

Como pôde ser observado, existem algumas falhas graves na implementação de segurança do Android que ainda estão por ser corrigidas pelo Google em todas as versões do seu sistema operacional, mas isso também não impede o seu uso, pois a disseminação dos malwares está ligada principalmente ao uso incorreto do smartphone (download de aplicações em lojas não oficiais e alteração da firmware).

Desta forma, utilize sempre a versão atualizada do Android de acordo com o fabricante do seu smartphone e sempre faça o download de aplicativos de lojas oficiais e que tenham uma boa reputação por parte dos usuários no que tange à sua funcionalidade.

Fonte: zdnet, anonymousbrasil, viruslist, IDG Now!, TrustGo.

Raphael Sanches Cavalheiro Paciulli – Consultor em Segurança da Informação pela EZ-Security. Profissional com 7 anos de experiência na área de Infraestrutura de TI e Segurança da Informação. Formado em Tecnologia da Informação pela FASP e pós-graduado em Segurança da Informação pelo ITA.

The new VIP Access for Android release catches the wave of new hardware protected applications.

As I do everyday, I receive these posts and articles about eDiscovery.  Not very often does it make me want to create an article about it and share the details of a valuable topic.

As this case will describe, the best tactics are to hire an eDiscovery specialist and utilize software such as Clearwell to ensure your defensibility!

Tip One: Get an expert who knows how to collect the electronically stored information on social media.

Tip Two: Downloading a Facebook profile, printing it, and conducting document review for redactions is not the best way to produce social media.

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

The Defendants in Stallings v. City of Johnston City, requested the Plaintiff produce the following social media:

Each and every social media posting by Stallings from 2011 to the present concerning her employment at Johnston City, allegations of wrongdoing against her, her suspension or termination, the investigation into missing money or wrongdoing in the Water Department, her lawsuit, her emotional or physical well-being, or any other matter identified in her Amended Complaint. This request includes all postings made by Stallings at any time on a Facebook account, Twitter, Instagram, or any other social media site.

Stallings v. City of Johnston City, 2014 U.S. Dist. LEXIS 68566, at (S.D. Ill. May 19, 2014).

The Plaintiff stated that Facebook only allows for a download of data in its entirety. As such, the Plaintiff’s attorney and paralegal spent a week printing and redacting the 500 pages of the Plaintiff’s Facebook account.

The Court was not thrilled with the Plaintiff’s claimed technological hardships. The first Court ordered the Plaintiff to produce the un-redacted pages of the Facebook profile, then to produce the entire un-redacted file from 2007 to present day.

The Plaintiff did not identify with whom she had relevant discussions with on Facebook or whether any privileged attached to those conversations. Moreover, the Plaintiff argued that she had conversations with minors on Facebook, but not whether any of those discussions were relevant to the lawsuit.

The Court stated it was clear that the Plaintiff had relevant conversations on Facebook about the litigation. Id. Moreover, the Court recognized that the communications could have admissions against interest and impeachment value. As such, the Plaintiff had to provide the names and residences of the individuals she communicated with on Facebook.

The Court ultimately ordered the Plaintiff to produce a redacted hard copy of all relevant Facebook pages from 2011 to the present. The Plaintiff also had to provide defendants with the names and towns of residence of the individuals with whom the Plaintiff had relevant conversations. The Court defined the relevant Facebook pages as those containing statements about this case or the litigation, including discussions of her physical or mental health. The Plaintiff did not have to provide the names and location of minors without a Court order. Stallings.

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

It is clear that the requesting party did a good job with their request, because it sought what was relevant to the case, not a social media fishing expedition.

This case highlights the challenges lawyers have in not retaining experts to perform collections. While not directly stated, it seemed the Plaintiff’s attorney was trying to collect the Facebook profile through the download option without an expert and then conduct a manual review. I would encourage a law firm client to try a different approach.

Refer back to tips one and two at the top of this article and have a better sleep!

Great thanks to http://bowtielaw.wordpress.com for bringing out this case for review.

regards,

Jeff

Apple 社のモバイル OS に新機能が搭載されますが、セキュリティは強化されるのでしょうか。

In your Enterprise Vault world, how many archiving policies do you have? Is one sufficient?  Maybe for some people it is, but for most a couple of policies will be sufficient.  Sometimes though you’ll see an environment with LOTS of policies.

Lots = Bad

There are lots of reasons why having many policies is a bad idea. For example it makes it hard to troubleshoot the age old user issue of ‘My stuff isn’t getting archived, and it should be’. It also makes it hard to tweak small things (e.g. Whether the 'Delete from Vault' button is available to users) across all policies as they each have to be edited.

Often times people get to the situation of having many policies because they’ve inherited users from different corporate acquisitions. In your Enterprise Vault world how many policies do you have? Let me know in the comments below...

An interesting finding from the Internet Security Threat Report we issued last month concerns companies with 1-2,500 employees - variously grouped as the Small to Medium Business (SMB) sector - who are seeing the largest increase in targeted attacks. These attacks have already increased by 91% year on year; in addition, whereas 50% were aimed at SMBs in 2012, by 2013 the number had increased to 61%.

The clear suggestion - confirmed by other research we have done - is that the creators of such attacks are becoming smarter in terms of understanding how to profit from targeted attacks. As a result they are focusing less on bigger enterprises and more on smaller and mid-size companies, which often have less security countermeasures in place.

This begs the question - where are such organisations going to get help, and from whom? Communications Service Providers (CSPs) already offer services to the lucrative enterprise market; they also often bundle security capabilities with consumer connectivity packages.

However, the SMB market has been left somewhat untouched - a fact we have had confirmed by numerous analysts. This challenge also presents a great opportunity for CSPs, particularly as they look for 'low hanging fruit' services they can sell to SMBs - that is, ones with low incremental cost but with benefits beyond revenue, for example customer loyalty.

For CSPs, the job can be made simpler by integrating security offerings directly into cloud market places, so customers can shop for the services and bundles appropriate to their needs. For our part, for example, we have developed Symantec Endpoint Protection (SEP).cloud - CSPs can integrate this cloud service directly, using service brokerage software from the likes of Parallels or AppDirect.

Email or Web security delivery can be dealt with in the same way, enabling CSPs to offer a full bundle of cloud-based security services among others. Adopting a marketplace approach takes the pressure off CSPs having to second-guess what their customers might want, enabling them to learn from the market as to what bundles make the most sense.

For a final statistic, a cloud services survey presented by Amdocs, at the Telco Cloud World Forum in Munich (28-30 April), stated that 74% of SMBs would prefer to buy services from a single service provider, but only 45% actually do so. The onus is on the CSPs to create the right bundles of core services and offer these in an easy to consume way, through their market places or other delivery methods. Those who succeed in doing so will best position themselves to serve the huge SMB market with essential services, not least security and information protection.

Le Service Pack 1 de la version 7.5 apporte le support de :
- IE 10 et IE 11 pour la console.... Enfin!
- Windows 2012 comme serveur Altiris.

Join Novacoast on June 24th, at 11am EST for an Altiris 7.5 webinar

- Follow the link below to register

         http://connect.novacoast.com/altiris-upgrade-webinar

                 New features & Why theres no better time to upgrade!

For more information contact:

Ryan Schoenherr

rjschoenherr@novacoast.com

(800) 949-9933 Ext. 5203