I just posted a post-DigiNotar commentary on my personal blog. Here is a very brief summary: It is still unknown whether GlobalSign is compromised or not, and if it is, we still do not know whether any other CAs out there are compromised. The attacker suggests that he has access to four more CAs. If you have SSL certificates signed by GlobalSign, the attacker (or his clients; Burç commented on this) can generate certificates similar to yours, so getting a new certificate from some other CA does not help much. We suggest updating all OSs and browsers, which helps disable trust in DigiNotar for now. Still, keep an eye open to see what is to come.

No need to bore you with details; I think anyone who reads this entry knows about DigiNotar and the other CA incidents.
From my point of view, I would kindly ask readers to be familiar with the messages from Comodohacker, who pwned DigiNotar and issued some fraudulent certificates.


IstSec 2011 is to be held on June 3-4, 2011 at Bilgi University, Istanbul. Symturk is a gold sponsor for the event. We are contributing to IstSec with two activities: Burak is to talk on Application Security with Static Analysis, and Symturk Digital Drama will hold the premiere of its show. Hope to see you all at IstSec!

You know information security awareness trainings. Generally both the attendees and the speakers dislike them: a full hour (maybe even longer) of speech in the commanding ‘Do this, don’t do that’ style. No, this is not for Joe Average; it is not even for us when delivering. More importantly, even if you deliver such training to your employees, it does not help them learn the rules and behave accordingly, simply because they do not understand the ‘why’s.

This is where Symturk Digital Drama comes in. We have worked with a professional drama team (scriptwriters, a producer and professional actors) to develop a one-hour comedy in which employees have fun and learn at the same time. The audience not only learns what to do and how to do it, but also why they need to do it. This is expected to have a far better impact on employee behavior.

A trailer video shall be published soon. The premiere of the show will be held during IstSec Conference.

Today I was trying to create a Space Optimized Snapshot on a Linux box which has SF 5.0MP4 installed on it.
When I issued the following commands, an error occurred:

[root@linuxbox ~]# vxsnap -g DR-DG01 prepare Vol01 ndcomirrors=1
VxVM vxsnap INFO V-5-1-13571 Volume is under RVG, setting drl=no.
VxVM vxassist WARNING V-5-1-9639  Mirroring DCO logs is highly recommended.
[root@linuxbox ~]# vxrvg -g DR-DG01  -S -P SO snapshot RVG cachesize=10%
VxVM VVR vxassist ERROR V-5-1-10127 creating volume SO-DR-Vol01-CV01:
Volume or log length violates disk group alignment

Istanbul – November 2010;  Symturk, a leading provider of security testing and incident response services, has cooperated with several banks and law enforcement to uncover a new crime network targeting internet banking users in Turkey.

The criminal network was identified to be stealing the credentials of several popular services (gmail, hotmail, msn etc.) and the internet banking accounts of Turkish users. The criminals were compromising some 1.000 user accounts on average on any given day. The total number of compromised accounts is unknown.

The technical lead for the analysis was Mr. Serkan Erayabakan, a senior security consultant with Symturk. Symantec Security Response has been informed for the immediate release of a new update to the malware signature database.

After the discovery and analysis, Symturk worked with several banks and later handed over the case to law enforcement.

Mr. Burak Dayioglu, a principal consultant with Symturk, warned internet banking users that a specific Zeus variant is gaining momentum in Turkey and that they are investigating this one as well. According to preliminary analysis this relatively new malware is somehow based on Zeus 2 and Zeus Mitmo (man in the mobile). This class of next generation malware not only steals user credentials but also attempts to install a backdoor to Symbian and Blackberry smartphones to steal one time password SMSs.

If you want to find the virtual DAG node name to backup an Exchange 2010 database (DAG), you can try the following:
Reference: NetBackup 7.0 Admin Guide.

This document covers the backup of virtual machines inside a VMware server using NetBackup 7.
NetBackup 7 is now fully integrated with VMware using the vStorage API and does not require storage space for snapshots; NetBackup backs up the snapshots directly.

In this post, it is assumed that you have already installed a properly working SSIM appliance. If you do not have one, please contact us. This is the standard and recommended procedure to install an SSIM (Symantec Security Information Manager) Agent on both Windows and Linux based platforms.

We will do this in six steps:

  1. Check Collector Registration
  2. Copy installation files to target computer
  3. Install Symantec Event Agent
  4. Do post-installation checks for agent
  5. Install Collector(s)
  6. Do post-installation for overall process

Step 1: Check Collector Registration
A collector runs on a Symantec Event Agent. An agent does nothing by itself; it provides a communication channel between your computer and the Symantec Security Information Manager (SSIM) appliance for your collectors. Therefore, before installation, check whether the collectors are registered. Simply follow these instructions:

1. Close the Java GUI before continuing this operation, if it is not already closed.
2. Open the Web UI using a browser (https://<ssim-server-ip-address>).
3. Log on using the Administrator account or an account that has administrator privileges.
4. From the main menu choose Settings and then choose Collector Registration from the submenu.
5. If your collector is listed under “Currently Registered Collectors”, do nothing. Otherwise, choose “register” from the left menu, choose “browse” and upload the .sip file that is provided with your collector installation package under the “sip” directory.

Step 2: Copy installation files to target computer
Before installing a collector, you must install the Symantec Event Agent. It is available for the Microsoft Windows, Linux and Solaris platforms. Depending on your Symantec Security Information Manager (SSIM) version, its size varies from 43MB to 78MB. Always use the proper version of the Symantec Event Agent, which is provided with your Symantec Security Information Manager (SSIM) Appliance.

Step 3: Install Symantec Event Agent
In this step, you run the installation of the Symantec Event Agent. On a Windows platform, just double click the installer to start the installation. On a Linux based system, you must extract the installation files first: “tar -xvf <package_name>” will extract a directory named Agent. In this directory you will find an installation script named “install.sh”; start the installation by executing this shell script. During installation on both Linux and Windows, you will be asked for the Symantec Security Information Manager (SSIM) Appliance IP address or fully qualified hostname. In either case, the computer on which you run the installation must be able to resolve the fully qualified name from the IP address and vice versa. You must allow traffic from the Symantec Security Information Manager (SSIM) appliance to your agent on 5998 (TCP). In addition, you must allow traffic from your agent to the Symantec Security Information Manager (SSIM) appliance on 443 (TCP).

Step 4: Do post-installation checks for agent
First of all, perform checks on the computer where you installed the agent. Unless you specified another directory during installation, the agent is installed in the default directory. The default directories are listed below:

On a 32-bit Windows: C:\Program Files\Symantec\Event Agent\
On a 64-bit Windows: C:\Program Files (x86)\Symantec\Event Agent\
On Linux based systems: /opt/Symantec/sesa/Agent

On Windows computers, run agentmgmt.bat. On Linux based computers, run agentmgmt.sh. Choose “1” from the menu and check whether your agent is running and connected. If everything is OK, a cross check is not required but recommended. To do this, run the Java GUI and connect to your Symantec Security Information Manager (SSIM) appliance. Log on using either the Administrator account or an account with administrative privileges. Click the System tile and choose the Administration tab. Navigate to Organizational Units and choose Default. Your agent should be listed on the right with its installation time.

Step 5: Install Collector(s)
Unzip your collector file. On Windows you may use either the Windows self-extractor or an external program such as WinZip or WinRAR. Browse to the directory where you extracted the files. On Windows based computers run install.bat under the install subdirectory; on Linux based computers run the install.sh file. If the computer on which you are installing the collector has direct internet access, choose yes when prompted to run LiveUpdate. If you have more than one collector, repeat this step for each.

Step 6: Do post-installation for overall process
In this step, you specify the configuration that is specific to your collector and product. There might be other actions required to run your collector; check the product documentation provided with the collector. In most cases there is no need to perform additional operations. Now connect to the Symantec Security Information Manager (SSIM) Appliance using the Java GUI. From the System tile, choose Product Configurations. You must specify a configuration for each collector. This configuration tells the Symantec Event Agent how to connect to your security product. In addition to the product configuration, it is recommended that you define (or assign an existing) “Agent Configuration” and “Agent Connection Configuration” from the product “SSIM Agent and Manager” listed in the tree view.

Special Notes for Turkish Enterprises: In the product configuration, enabling Raw Event Logging may affect your system performance. Despite its negative effect on system performance, enabling this option is mandatory in Turkey: due to regulation law no. 5651, you must keep raw events. Raw events, not the parsed form, are what serve as evidence in a lawsuit.
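Step 3 names two requirements that are easy to get wrong and hard to diagnose after the fact: forward and reverse name resolution of the appliance must agree, and the agent must reach the appliance on TCP 443 (the appliance reaches the agent on TCP 5998). The following added example, written for this article and not part of the SSIM product, checks both from the agent host; the appliance name ssim.example.internal is a placeholder, and the lookup functions are injectable so the logic can be exercised against constructed tables.

```python
import socket

# Firewall rules named in Step 3:
#   SSIM appliance -> agent : TCP 5998
#   agent -> SSIM appliance: TCP 443
APPLIANCE_TO_AGENT_PORT = 5998
AGENT_TO_APPLIANCE_PORT = 443


def _canon(name):
    """Normalise a host name for comparison (case-insensitive, no trailing dot)."""
    return name.rstrip(".").lower()


def check_name_resolution(fqdn, forward=socket.gethostbyname,
                          reverse=lambda ip: socket.gethostbyaddr(ip)[0]):
    """Verify the FQDN -> IP -> FQDN round trip that the agent installer relies on.

    Returns (ok, detail). forward/reverse default to the system resolver but can
    be replaced with constructed lookup tables, so the check runs without live DNS.
    """
    try:
        ip = forward(fqdn)
    except OSError as exc:
        return False, "forward lookup of %s failed: %s" % (fqdn, exc)
    try:
        back = reverse(ip)
    except OSError as exc:
        return False, "reverse lookup of %s failed: %s" % (ip, exc)
    if _canon(back) != _canon(fqdn):
        return False, "%s -> %s -> %s: reverse name does not match" % (fqdn, ip, back)
    return True, "%s <-> %s resolves both ways" % (fqdn, ip)


def tcp_port_reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port opens within timeout; refused or filtered -> False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    appliance = "ssim.example.internal"   # placeholder appliance FQDN, not a real host
    ok, detail = check_name_resolution(appliance)
    print("DNS round trip:", "OK" if ok else "FAIL", "-", detail)
    if ok:
        reach = tcp_port_reachable(appliance, AGENT_TO_APPLIANCE_PORT)
        print("agent -> appliance tcp/%d:" % AGENT_TO_APPLIANCE_PORT, "open" if reach else "blocked")
    # The inbound rule (appliance -> this host on tcp/5998) can only be confirmed from the appliance side.
```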

Where is your confidential data?

How is it being used?

How do you prevent data loss?

Although data loss prevention, or DLP, is a paradigm shift in information security, it addresses risks that have long been known to information security professionals. These risks center on handling certain types of data that carry information security risk, such as personally identifiable information, credit card holder data, financial and legal information, as well as company intellectual property, or IP. Exposing this data outside an organization’s security perimeter leads to consequences detrimental to the company, such as regulatory fines, customer attrition due to loss of trust, and loss of IP leading to decreased competitive differentiators.

Due to the creation and proliferation of data today, it has become increasingly critical for businesses to put measures in place to secure this data. DLP solutions help to protect this data while allowing the organization to function with minimal obstruction to operations.

DLP solutions work in conjunction with security tools that companies may already have deployed both on endpoint computers and on the network. These may include network and personal firewalls, antivirus, antispam, encryption, and digital rights management tools. The main difference between a DLP solution and these other technologies is that DLP solutions are content-aware; they are designed to give visibility into where the company’s most sensitive data is stored, who has access to it, and where and by whom it is sent outside the company’s network. Existing security applications cannot perform this level of monitoring. Additionally, DLP solutions must provide comprehensive functionality to prevent this sensitive data from being sent outside the organization through an endpoint computer or through the network.

DLP solutions take a data-centric approach to security, because so much data and content is created and shared across various groups within and among organizations. Before DLP products were available, it was impossible for organizations to address the risk of data loss.
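As an added illustration of the content-aware inspection described above (example code written for this page, not the product's or any vendor's), here is a small Python check that flags only Luhn-valid card numbers in an outbound message and ignores number-like noise such as order references; the sample messages are constructed, and 4111 1111 1111 1111 is a well-known test number.

```python
import re

# Candidate: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer run of digits.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Luhn (mod 10) checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep the first six and last four digits so the incident record is not itself a leak."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_card_numbers(text):
    """Return masked card numbers found in text: regex candidates filtered by Luhn."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(mask(digits))
    return hits


def classify_outbound(text):
    """Policy decision for an outbound message: ('block', hits) or ('allow', [])."""
    hits = find_card_numbers(text)
    return ("block", hits) if hits else ("allow", [])


if __name__ == "__main__":
    # Constructed messages: the first carries a real card-format number, the second only looks like one.
    for msg in ("Card on file: 4111 1111 1111 1111, exp 12/14",
                "Order reference 1234567890123 shipped, tracking 4111-1111-1111-1112"):
        print(classify_outbound(msg))
```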