Category Archives: Website Security

Superfish

What you need to know

A security flaw was discovered in software that was pre-installed on some Lenovo laptops. Lenovo has issued the following Press Release.  The story has been reported on multiple sites (for example, here and here). We applaud Lenovo for quickly publishing details on affected models and instructions for removing the flaw. The problem lies in the software from a company called Superfish that was pre-installed by Lenovo on certain computers. The main function of the software was to intervene when the user performed web searches in IE or Chrome browsers, and insert Superfish’s content into the search result page. Lenovo enabled this software to “help users find and discover products visually”, by incorporating relevant search results not offered by the search engine.

Interjecting content in web pages is not new (for example, via browser add-ons), but Superfish’s approach was novel, and didn’t use a browser add-on. Instead, the software intercepted all traffic between the browser and the network external to the computer. But since most large search engines (such as Google, Bing, and Yahoo) now serve all content over https, the Superfish software couldn’t read (and more importantly, modify) any of that encrypted traffic. To get around this, an SSL Man-in-the-Middle (MITM) was set up in the computer itself, creating fake SSL certificates with the domain name of the intended web site. These certificates were signed by or chained up to Superfish’s private root certificate. Ordinarily, browsers would display a prominent warning that such a certificate wasn’t trusted, so that was addressed by injecting Superfish’s root certificate into the Windows trusted root store during manufacture. To make all this work, of course, the private key corresponding to that root certificate had to be pre-installed on all of these computers. Superfish took steps to encrypt that private key, but the encryption was trivial and quickly broken.

The result is that attackers now have the private key corresponding to a root certificate that is trusted in these Lenovo computers, and that can be abused in too many ways to describe here.

In some ways, this is similar to the recent incident with Gogo inflight wifi service. Both make use of an SSL MITM technique to insert themselves into the otherwise secure connection between a browser user and the websites they visit. See our recent blog post to learn how SSL MITM attacks work. In Gogo’s case, the MITM (the actor generating certificates on the fly) was in Gogo’s network; in Superfish’s case, the MITM is in the computer itself.

As we’ve said before, SSL Man-in-the-Middle solutions can be justified within an enterprise, for example, to monitor employees’ web traffic. But the well-intentioned inclusion of Superfish had unintended consequences far beyond web searching, and created a potential for malicious MITM attacks. Pre-installing any root that does not belong to an audited Certificate Authority and marking it as trusted undermines the trust model created and maintained by platform vendors, browser vendors, and Certificate Authorities. Platform and browser vendors go to great lengths to validate the Certificate Authorities whose roots they include in their trusted root store. Microsoft provided the ability for an enterprise to add additional roots to the Windows trusted root store, and Google Chrome explicitly avoids performing public-key pinning checks for such added roots. As a result, Chrome users receive no warning of the MITM, as they did in the Gogo incident.

If you think you may have an affected Lenovo computer, visit this web site to check. Uninstalling the Superfish software isn’t enough to remove the vulnerability – you must also remove the Superfish root from the Windows trust store. The instructions provided by Lenovo achieve both objectives.
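The trust-store check described above, as an added example (not Lenovo's or Symantec's tooling): it audits an exported root-store inventory against a baseline of expected roots and flags any extra root, including one whose subject names Superfish. The CSV layout, the baseline, every subject string and every thumbprint here are constructed placeholders.

```python
import csv
import io
import re

# Constructed inventory of a machine's trusted root store (Subject, Thumbprint).
# Subjects and thumbprints are placeholders, not real certificate data.
SAMPLE_INVENTORY = '''Subject,Thumbprint
"CN=Example Audited Root CA, O=Example Trust","1111111111111111111111111111111111111111"
"CN=Example Audited Root G2, O=Example Trust","22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22 22"
"CN=Superfish (constructed entry)","aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"CN=Corp Internal Root (hypothetical)","\u200e3333333333333333333333333333333333333333"
'''

# Constructed baseline: thumbprints of the roots the platform is expected to ship.
BASELINE = {
    "1111111111111111111111111111111111111111",
    "2222222222222222222222222222222222222222",
}


def normalize_thumbprint(raw):
    """Reduce a SHA-1 thumbprint to 40 upper-case hex digits.

    Thumbprints copied from certificate dialogs often carry spaces or an
    invisible left-to-right mark, so everything that is not hex is dropped.
    """
    hexchars = re.sub(r"[^0-9A-Fa-f]", "", raw)
    if len(hexchars) != 40:
        raise ValueError("not a SHA-1 thumbprint: %r" % raw)
    return hexchars.upper()


def audit_roots(inventory_csv, baseline, watch_terms=("superfish",)):
    """Return one finding per root that is outside the baseline or on the watch list."""
    baseline_norm = {normalize_thumbprint(t) for t in baseline}
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        thumb = normalize_thumbprint(row["Thumbprint"])
        reasons = []
        if thumb not in baseline_norm:
            reasons.append("not in baseline")
        hits = [t for t in watch_terms if t.lower() in row["Subject"].lower()]
        if hits:
            reasons.append("subject matches watch term: " + ", ".join(hits))
        if reasons:
            findings.append(
                {"subject": row["Subject"], "thumbprint": thumb, "reasons": reasons}
            )
    return findings


if __name__ == "__main__":
    for finding in audit_roots(SAMPLE_INVENTORY, BASELINE):
        print(finding["thumbprint"], finding["subject"], "; ".join(finding["reasons"]))
```

Because the check reads the trust store rather than the list of installed programs, a machine where the software was uninstalled but the root was left behind still produces a finding.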

Women Make Great Engineers

Gender diversity in the workforce is a much talked about topic these days. So much so that some companies have very stringent goals and a defined hiring process to bring diversity into the workforce. So why is having more women in the workforce, and especially more women in engineering, so imperative? We are possibly looking at 50% of the potential workforce and that cannot be ignored. It is also a well-known fact that companies that have better diversity have better engagement rates and have higher profitability. There are several studies and surveys that prove this point. While I don’t want to delve deeper into those points, I want to touch upon factors that keep women from opting for engineering careers and, even if they do opt for them, why they seem not to be aggressively pursuing their careers.

There are several social and cultural factors that go into creating the mindsets for women and men, which varies across the globe. However, pretty surprisingly there is a common pattern all over; women are really good at multitasking, and tend to be perfectionistic as well as prioritize family over career. Great qualities indeed and let me tell you, there is no need to change that.  Also, there are phases where women tend to give up their engineering careers midway through, which are essentially life changing, like getting married, bearing kids etc. There is no need to escape these important and wonderful phases of life, it is just a matter of learning to work around them and still have a great engineering career.

Strive for excellence and not perfection!

I have seen many women around me, and in my own team, feeling guilty that they could not be a better mother, wife, daughter-in-law etc. Many women at this phase will give up their careers, where the guilt gets the better of them. Where does this feeling of guilt arise from? It is predominantly due to the inherent quality of women to seek perfection in everything they do – perfect employee, perfect mother, perfect cook and the list goes on. It is also from the fact that we tend to do everything ourselves. Letting go of things that others can do and concentrating on chores/activities that only I must do has been a constant lesson for me. But once I learnt this art, it has been a liberating experience. While I try to be an “as good as I can be” mother/engineer, I stopped beating myself up for not being a perfect one! Furthermore, I am able to make more time these days to spend with my kids since I delegated work to others!

Please note that I now only seek excellence and not perfection! The reason I tended to do everything myself earlier was because I thought I can do it perfectly and no one else could! I delegate better, have found bandwidth to do more exciting things at work. And behold! It is already bearing dividends! Suddenly my career seems to be blooming while I am able to take care of my family too!

Why try to fit in when we can stand out?

I have constantly thought of fitting in to the system around me both in office and at home. It has taken a lot of mentoring and coaching from my friends, colleagues, family and my managers to unlearn the constant urge to fit in. I learnt to celebrate the difference in my thought process whether in design discussions, meetings, everywhere! In fact, it took a while for me to realize that the difference in my perspective is the real value I bring to the table. Don’t feel isolated for thinking differently; instead, that is our unique selling position, ladies!

Look for role models – there might not be many role models for women folk to look up to and get inspired by in their immediate organizations. It will help to motivate other women if they have a role model around. In case there are none, look for ones in extended organizations. For example, I had the privilege to interact with our HR Vice President, Amy Cappellanti, and needless to say, it was highly inspiring. I have heard similar thoughts from my female colleagues in Mountain View, who had the opportunity to interact with Roxane Divol, the Senior Vice President of our Trust Services BU. We must aim to become a role model ourselves. Help our friends to pursue relentlessly towards engineering excellence.

Finally, Sky is the limit! What say ladies!!

The New 39-Month SSL Certificate Maximum Validity

Changes in CA/B Forum Baseline Requirements

The past few years within the SSL certificate industry have been busy with changes.  1024-bit RSA certificates are long gone, using public SSL certificates on servers with internal domain names is starting to disappear, and the SHA-1 hash algorithm is starting to see its final days.  So what is next?

Starting 1 April 2015, Certification Authorities (CAs) are not permitted to issue SSL certificates (issued from a public root) with a validity period greater than 39 months.  SSL certificates have limited validity periods so that the certificate’s holder identity information is re-authenticated more frequently. Plus it’s a best practice to limit the amount of time that any key is used, to allow less time to attack it.

In line with the latest Certification Authority/Browser Forum Baseline Requirements, CAs will stop issuing 4 and 5-year SSL certificates in the near future.  Symantec plans on eliminating these options in late February 2015 on all SSL management consoles.  Extended Validation (EV) SSL certificates still have a max validity period of 27 months but Organizational Validated (OV) and Domain Validated (DV) certificates (DV not offered by Symantec) will have this new 39-month lifespan.
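An added example (not Symantec's or the CA/B Forum's code) that applies the limits stated above to a certificate's validity dates. It assumes the issuance date is the notBefore date and that months are counted as calendar months with the day clamped to the end of shorter months; the inventory is constructed.

```python
import calendar
from datetime import date

# Limits as stated in the post: 27 months for EV, 39 months for OV and DV.
MAX_MONTHS = {"EV": 27, "OV": 39, "DV": 39}
# The 39-month cap applies to certificates issued on or after this date.
CAP_EFFECTIVE = date(2015, 4, 1)


def add_months(start, months):
    """Add calendar months, clamping the day (e.g. 30 Nov + 3 months = 28/29 Feb)."""
    index = start.year * 12 + (start.month - 1) + months
    year, month0 = divmod(index, 12)
    month = month0 + 1
    day = min(start.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def check_validity(cert_type, not_before, not_after):
    """Return (compliant, reason) for one certificate."""
    if cert_type not in MAX_MONTHS:
        raise ValueError("unknown certificate type: %r" % cert_type)
    if not_after <= not_before:
        return False, "notAfter is not later than notBefore"
    if cert_type != "EV" and not_before < CAP_EFFECTIVE:
        return True, "issued before 1 April 2015, 39-month cap not in force"
    limit = MAX_MONTHS[cert_type]
    latest = add_months(not_before, limit)
    if not_after > latest:
        return False, "exceeds %d months (latest allowed notAfter %s)" % (limit, latest)
    return True, "within %d months" % limit


def audit(inventory):
    """Return the names of certificates whose validity period breaks the limit."""
    return [name for name, ctype, nb, na in inventory
            if not check_validity(ctype, nb, na)[0]]


# Constructed inventory: (name, type, notBefore, notAfter).
SAMPLE = [
    ("www.example.com", "OV", date(2015, 4, 1), date(2018, 7, 1)),    # exactly 39 months
    ("shop.example.com", "OV", date(2015, 4, 1), date(2019, 4, 1)),   # 4-year certificate
    ("old.example.com", "OV", date(2015, 3, 15), date(2020, 3, 15)),  # issued before the cap
    ("pay.example.com", "EV", date(2015, 1, 10), date(2017, 4, 11)),  # one day over 27 months
]

if __name__ == "__main__":
    for name, ctype, nb, na in SAMPLE:
        print(name, check_validity(ctype, nb, na))
```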

So how will this affect those who install SSL certificates?  The average person installing certificates in a large enterprise will have to go through the enrollment process a little more often.  If the organization on that level and scale finds this detracts from employee productivity they may want to look at leveraging Symantec Certificate Intelligence Center Automation.  To someone in a small organization who only issues SSL certificates on a very infrequent basis, they may find themselves looking for SSL installation instructions a little more often.  To help you, Symantec has always offered a wealth of information online via our Knowledge Base (the preceding site will be migrating to this location in the near future) and offers amazing support by phone.

Please let us know what you think below in the comment section.

Non-FQDN transition

The CA/Browser Forum is an unincorporated association of separate organizations that creates the guidelines that apply to all SSL certificate and browser providers. Since the effective date of 1 July 2012, Symantec has been notifying customers about certificates with a SAN or Common Name (CN) field that contains a Reserved IP Address or Internal Server Name, because these are being phased out under CA/Browser Forum standards.

This one particular standard has some customers in a bind when renewing or enrolling for a CA-signed SSL certificate. Below is the Standard.

9.2.1 Subject Alternative Name Extension

Certificate Field: extensions:subjectAltName

Required/Optional: Required

Contents: This extension MUST contain at least one entry. Each entry MUST be either a dNSName containing the Fully-Qualified Domain Name or an iPAddress containing the IP address of a server. The CA MUST confirm that the Applicant controls the Fully-Qualified Domain Name or IP address or has been granted the right to use it by the Domain Name Registrant or IP address assignee, as appropriate.

Wildcard FQDNs are permitted.

As of the Effective Date of these Requirements, prior to the issuance of a Certificate with a subjectAlternativeName extension or Subject commonName field containing a Reserved IP Address or Internal Name, the CA SHALL notify the Applicant that the use of such Certificates has been deprecated by the CA / Browser Forum and that the practice will be eliminated by October 2016. Also as of the Effective Date, the CA SHALL NOT issue a certificate with an Expiry Date later than 1 November 2015 with a subjectAlternativeName extension or Subject commonName field containing a Reserved IP Address or Internal Name. Effective 1 October 2016, CAs SHALL revoke all unexpired Certificates whose subjectAlternativeName extension or Subject commonName field contains a Reserved IP Address or Internal Name.

(More information about the CA/B Forum Baseline Requirements can be found at cabforum.org)

This standard means SSL certificates can only be issued to Fully Qualified Domain Names (FQDN) and can no longer be issued to Non-Valid internal names.

Example:

  Valid FQDNs             Non-Valid Internal
  abc.com                 abc.local
  secure.abc.com          abcServer123
  autodiscover.abc.com    192.168.0.1
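An added example (not Symantec's or the CA/B Forum's code) that classifies requested names the way the listing above does and applies the 1 November 2015 expiry rule from the quoted requirement. It goes slightly beyond the listing by also accepting wildcard FQDNs, which the quoted text permits; the TLD set is a small constructed stand-in for the real public TLD list.

```python
import ipaddress
from datetime import date

# Assumption: tiny constructed subset standing in for the public TLD list;
# a real check would load the current list instead.
PUBLIC_TLDS = {"com", "net", "org", "edu", "gov", "uk", "de"}

# Latest Expiry Date the quoted requirement allows for certificates that
# contain a Reserved IP Address or Internal Name.
INTERNAL_EXPIRY_CUTOFF = date(2015, 11, 1)


def classify_name(value):
    """Classify one SAN/CN entry as 'fqdn', 'ip-address', 'reserved-ip' or 'internal-name'."""
    name = value.strip().rstrip(".").lower()
    try:
        addr = ipaddress.ip_address(name)
    except ValueError:
        addr = None
    if addr is not None:
        # Anything that is not globally routable is treated as reserved here.
        return "ip-address" if addr.is_global else "reserved-ip"
    labels = name.split(".")
    if labels[0] == "*":
        labels = labels[1:]  # wildcard FQDNs are permitted
    if len(labels) >= 2 and all(labels) and labels[-1] in PUBLIC_TLDS:
        return "fqdn"
    return "internal-name"  # single label, empty label, or non-public suffix


def review_request(names, not_after):
    """Return (name, kind, verdict) for every name on a certificate request.

    verdict is 'ok' for publicly verifiable names, 'deprecated' for internal
    names or reserved IPs on a certificate expiring by the cutoff, and
    'reject' for the same names on a certificate expiring after it.
    """
    results = []
    for name in names:
        kind = classify_name(name)
        if kind in ("fqdn", "ip-address"):
            verdict = "ok"
        elif not_after > INTERNAL_EXPIRY_CUTOFF:
            verdict = "reject"
        else:
            verdict = "deprecated"
        results.append((name, kind, verdict))
    return results


if __name__ == "__main__":
    requested = ["abc.com", "secure.abc.com", "autodiscover.abc.com",
                 "abc.local", "abcServer123", "192.168.0.1"]
    for row in review_request(requested, date(2016, 6, 1)):
        print(row)
```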

In response to this change, customers have two main courses of action:

  1. Change the common names and reissue their SSL certificates
  2. Move to certificates chained to a private root with two options:
    1. Develop a self-signed internal Certification Authority (CA)
    2. Use a Private CA from Symantec

To help our customers avoid the dangers of a self-signed CA, Symantec is now offering the Private CA.

The Symantec Private CA ensures:

  • Compliance
  • Support
  • Reduces the time
  • Reduce hidden costs of in house solutions.

This is offered through the Managed PKI for SSL Account. Use the same console to manage external as well as internal certificates. Ask your account manager for more details! More detailed information on the Symantec Private CA can be found at www.Symantec.com/private-ssl

Happy Digital Learning Day!

When my older daughter started middle school I was invited to the website where her grades were available real-time.  They’re updated continually by her teachers based on every quiz, homework assignment, and test that she takes. This is a substantial improvement over infrequent report cards and teacher meetings, giving me the ability to detect, early on, any areas needing greater focus (not that it’s needed with my straight-A student). Unfortunately, when I checked the security of the site, I found that “secure login” was optional and, in the case of the middle-school’s implementation, everything was completely unsecured. This included not only my kid’s grades but also the ability to look her up and message her directly. While the school fixed this very quickly, it highlights how easy it is for site operators to miss even the most basic of security practices. As more education is done and administered online, the bar is only getting higher for institutions to protect their student data as well as their own. 

As the world’s largest security company, we continually ask how we can educate people about security and whether the sites that they are visiting are secure. The bottom line is that it needs to be simple — yes or no. The Norton Secured Seal communicates that “yes, this site is secure” to more people than any other seal or browser-based visual cue. Behind the scenes there’s a lot that goes into the display of that seal… Is the data encrypted? Is the site run by a legitimate company? Is the site free from Malware? Only when the answer is yes to all of these questions will visitors see the Norton Secured Seal.

In honor of Digital Learning Day, we are doing our part to both keep people secure and to educate the world about security. Combined with our 24/7 support team, we hope to increase security at educational institutions and let them easily train their visitors to look for the seal that tells them that they’re secure.  

Facebook Sweepstakes Rules

SYMANTEC OFFICIAL RULES FOR THE

Bubble Wrap Appreciation Day FACEBOOK SWEEPSTAKES DRAWING

THE BUBBLE WRAP APPRECIATION DAY FACEBOOK SWEEPSTAKES DRAWING IS OPEN TO LEGAL RESIDENTS OF THE 50 UNITED STATES AND THE DISTRICT OF COLUMBIA (EXCLUDING GUAM, PUERTO RICO, AND ALL OTHER U.S. TERRITORIES AND POSSESSIONS) AND CANADA (EXCLUDING QUEBEC) WHO ARE THE AGE OF MAJORITY IN THEIR STATE OF RESIDENCE AND AT LEAST 18  YEARS OR OLDER.  THIS DRAWING SHALL BE CONSTRUCTED AND EVALUATED ACCORDING TO CALIFORNIA LAW.

NO PURCHASE NECESSARY TO ENTER OR WIN.  PURCHASE WILL NOT INCREASE YOUR CHANCE OF WINNING.

BY PARTICIPATING IN THE DRAWING, YOU ACCEPT AND AGREE TO BE BOUND BY THESE “OFFICIAL RULES” AND THE DECISIONS OF THE JUDGES AND/OR SPONSOR RELATIVE TO THIS DRAWING.

1. SPONSOR

The Symantec Bubble Wrap Appreciation Day Facebook Drawing (the “Drawing”) is sponsored by Symantec Corporation (the “Sponsor”), 350 Ellis Street, Mountain View, California, 94043, U.S.A. The Drawing begins on January 26, 2015 at 12:00:00am Pacific Time (PT) and ends January 28, 2015 at 11:59:59pm PT (the “Drawing Period”). 

THIS DRAWING IS IN NO WAY SPONSORED, ENDORSED OR ADMINISTRATED BY, OR ASSOCIATED WITH FACEBOOK.

2. ELIGIBILITY – VOID WHERE PROHIBITED

This Drawing is open to legal residents of one of the fifty United States or the District of Columbia and Canada (except Quebec), who have reached the age of majority in their state or of residence as of the starting date of the Drawing Period (“Participant”).  Each Participant must have an account on www.facebook.com.  Persons in any of the following categories are NOT eligible to enter, participate in, or win the Drawing: (a) persons who on or after the starting date of the Drawing Period were or are officers, directors or employees of Symantec Corporation, or any of its subsidiary, affiliated companies, service agencies, or independent contractors; and (b) persons who are immediate family members (defined as spouse or biological or step-mother, father, sister, brother, daughter, or son and each of their respective spouses) of any person in any of the preceding categories, regardless of where they live, and/or individuals who reside in the same household, whether related or not, as any person in any of the preceding categories. Any questions and/or issues concerning eligibility shall be determined at the sole discretion of the Sponsor.  This Drawing is void in Guam, Puerto Rico, and where prohibited by law.  Employees or representative of government agencies or organizations are not eligible to participate.

Participants understand that by participating in this Drawing, they are providing their information to Sponsor and not to Facebook. Further, Participants specifically release Facebook from any and all liability associated with this Drawing. The information you provide will be used as provided in Sponsor’s privacy policy (provide link). Any questions, comments or complaints regarding this Drawing shall be directed to Sponsor and not to Facebook. Participation constitutes Participant’s full and unconditional agreement to these Official Rules and Sponsor’s and/or Judges’ decisions, which are final and binding in all matters related to the Drawing.  Winning a prize is contingent upon fulfilling all requirements set forth herein.

3. HOW TO ENTER.  NO PURCHASE NECESSARY.  PURCHASE WILL NOT INCREASE YOUR CHANCE OF WINNING.

You must have a valid Facebook account in order to participate.  You can enter the Drawing by following these steps during the Drawing Period (“Entry”):

  1. Visit www.facebook.com/SymantecWebsiteSecuritySolutions

  2. Like the Website Security Solutions Facebook Page

  3. Comment on the questions in the Post related to the Drawing

General Requirements 

In addition to the above-listed required steps, all Participants must abide by these General Requirements:

  • Your Entry must be in English.

  • Your Entry must not:

    a. violate applicable law;

    b. depict hatred;

    c. be in bad taste;

    d. denigrate (or be derogatory toward) any person or group of persons or any race, ethnic group, or culture;

    e. threaten a specific community in society, including any specific race, ethnic group, or culture;

    f. incite violence or be likely to incite violence;

    g. contain vulgar or obscene language or excessive violence;

    h. contain pornography, obscenity, or sexual activity; or

    i. disparage the Sponsor. 

  • Your Entry must be original, your sole property, and not previously published or submitted in any other Drawing.

  • Your Entry must not violate any right of a third party including, but not limited to: copyright, trademark, any other intellectual property right, right of publicity, confidentiality, and privacy. Please do not include the name or logo of any company or product produced by a manufacturer other than Symantec.

    By submitting an Entry, you agree that Sponsor has the unrestricted right to use your Entry in whole or in part, commercially or non-commercially in any media known or unknown in perpetuity, worldwide, including the right to publish and display the Entry for advertising and publicity, and to edit and make derivative works, all without additional review or compensation. Additionally, you agree that Sponsor may post your Entry, including your name on its sponsored websites and/or third-party sites. 

Limit one (1) entry per person, regardless of the number of Facebook accounts used, for the duration of the Drawing Period.  If you enter or attempt to enter more than once using multiple Facebook identities, all of your entries may be declared null and void, and you may be disqualified and ineligible to participate in this Drawing.  Duplicate entries and/or other mechanical reproductions of entries are not permitted.  Illegible or incomplete entries will be disqualified.

Your entry may be disqualified, at the sole discretion of Sponsor if you attempt to enter through any means other than by the online submission requirement herein, if you disrupt the Drawing or circumvent the terms and conditions of these Official Rules, or violate the Facebook Terms of Service or Facebook Rules (https://www.facebook.com/policies/?ref=pf), which govern the use of Facebook.  If any of the above occurs, Sponsor has the right to remedy any such action, disruption, or circumvention in a manner to be solely determined by Sponsor.

4. PRIZES

Symantec will award the following prize in the Drawing:

  Qty    Description         Estimated Value (USD)
  1      Bubble Wrap Suit    $30.00

The total estimated retail value of all of the prizes to be awarded under the Drawing is US$30.00.  The odds of winning depend on the number of eligible entries received during the Drawing Period.  Prizes are not transferable or exchangeable, or redeemable for cash.  No prize substitution is allowed, except Sponsor may substitute a comparable prize at Sponsor’s sole discretion.  Winner is solely responsible for any applicable federal, state, provincial, and local taxes.  Any other costs and expenses associated with prize acceptance and use not specified herein as being provided are winner’s sole responsibility.  All details and other restrictions of prizes not specified in these Official Rules will be determined by Sponsor in its sole discretion.

5. SELECTION OF WINNER; NEED NOT BE PRESENT TO WIN

A total of one (1) potential winner will be selected by random drawing on or around January 28, 2015 at Symantec Corporation, 350 Ellis Street, Mountain View, CA.

Potential winner will be notified via his or her Facebook email account (e.g., “Congrats [Username!] You are a winner!  To claim your prize, email Symantec at brook_chelmo@symantec.com with your contact information”).  Potential winners must respond via Facebook within 7 business days of notification by sending an email message to brook_chelmo@symantec.com  with your contact information.  There will be no additional media or channels utilized to announce winners. 

If a potential winner is (i) found to be ineligible or not in compliance with these Official Rules, (ii) declines to accept a prize, (iii) if Sponsor does not receive a timely response to a winner notification, or (iv) in the event that a prize notification or prize is returned undeliverable, then the corresponding prize will be forfeited, the potential winner disqualified, and at the Sponsor’s sole discretion, the prize may be awarded to an alternate winner chosen by Sponsor’s judges.  Potential winners may be required to furnish proof of identification.  Before being declared a winner, potential winner must execute and return an Affidavit of Eligibility and Waiver of Liability within seven (7) business days from the postmarked date as having been sent by the Sponsor’s representative or otherwise the corresponding prize may be forfeited.

In the event of a dispute as to the identity of an entrant, the affected entry will be deemed submitted by the authorized account holder of the Facebook account used to enter the prize drawing.  A potential winner may be required to provide Sponsor with proof that the potential winner is the authorized holder of the associated Facebook account or email account.  An authorized account holder is defined as the natural person who is assigned to the Facebook account by Facebook, Inc.  If a dispute cannot be resolved to Sponsor’s satisfaction, the affected entry will be deemed disqualified and ineligible to win a prize, but these Official Rules will otherwise continue to govern the affected entry.

6. CONDITIONS

BY PARTICIPATING IN THE DRAWING, YOU AGREE TO RELEASE AND HOLD SPONSOR, FACEBOOK, THEIR RESPECTIVE PARENT COMPANIES, SUBSIDIARIES, AFFILIATES, PRODUCTION AND ADVERTISING AGENCIES, AND EACH OF THEIR RESPECTIVE OFFICERS, DIRECTORS, EMPLOYEES AND AGENTS (COLLECTIVELY, THE “RELEASED PARTIES”) HARMLESS FROM ANY AND ALL LOSSES, DAMAGES, RIGHTS, AND CLAIMS OF ANY KIND IN CONNECTION WITH THE DRAWING, DRAWING-RELATED ACTIVITY,  OR YOUR ACCEPTANCE, POSSESSION, USE OR MISUSE OF ANY PRIZE, INCLUDING, WITHOUT LIMITATION, PERSONAL INJURIES, PROPERTY DAMAGE, INVASION OF PRIVACY, AND MERCHANDISE DELIVERY.

Sponsor assumes no responsibility for any damage to your computer device which is occasioned by participation in the Drawing, or for any computer device, phone line, hardware, website, software or program malfunctions, or other errors, failures, delayed computer transmissions or network connections that are human or technical in nature. 

All federal, state, provincial, and local laws apply.  Without limiting the generality of the foregoing, Sponsor is not responsible for incomplete, illegible, typographical errors, misdirected, misprinted, late, lost, damaged, stolen, or intercepted Drawing entries or prize notifications; or for lost, interrupted, inaccessible or unavailable networks, servers, satellites, Internet Service Providers, websites, or other connections; or for miscommunications, failed, jumbled, scrambled, delayed, or misdirected tweets, or computer, telephone or cable transmissions; or for any technical malfunctions, failures, difficulties or other errors of any kind or nature; or for the incorrect or inaccurate capture of information, or the failure to capture any information.  In the case of any of the aforementioned events occur, Sponsor shall have the right to modify, suspend, or terminate the Drawing in its sole discretion.  Sponsor reserves the right in its sole discretion to disqualify any individual who is found to be tampering with the entry process or the operation of the Drawing, or to be acting in violation of these Official Rules, or to be acting in an unsportsmanlike or disruptive manner, or with the intent to disrupt or undermine the legitimate operation of the Drawing, or to annoy, abuse, threaten or harass any other person, and Sponsor reserves the right to seek damages and other remedies from any such person to the fullest extent permitted by law.  In the event Sponsor is prevented from awarding prize(s) or continuing with the Drawing as contemplated herein by any event beyond its control, including but not limited to fire, flood, natural or man-made epidemic, earthquake, explosion, labor dispute or strike, act of God or public enemy, satellite, equipment or software failure, riot or civil disturbance, terrorist threat or activity, war (declared or undeclared) or any federal state or local government law, order, or regulation, public health crisis (e.g. SARS), order of any court or jurisdiction, or other cause not reasonably within Sponsor’s control (each a “Force Majeure” event or occurrence), then subject to any governmental approval which may be required, Sponsor shall have the right to modify, suspend, or terminate the Drawing in its sole discretion.

By entering the Drawing, you agree: (i) to be bound by these Official Rules and by all applicable laws and decisions of Sponsor which shall be binding and final; (ii) to waive any rights to claim ambiguity with respect to these Official Rules; (iii) to waive all of rights to bring any claim, action, or proceeding against the Released Parties in connection with the Drawing; and (iv) to forever and irrevocably agree to release, defend, indemnify, and hold harmless the Released Parties from any and all claims, lawsuits, judgments, causes of action, proceedings, demands, fines, penalties, liability costs and expenses (including, without limitation, reasonable outside attorneys’ fees) that may arise in connection with your participation in this Drawing.

By posting to Facebook, you must (i) make no false or misleading representations or advertisements with regard to Sponsor; (ii) make no statements regarding Sponsor that you do not have a reasonable basis for or that are inconsistent with your honest opinions, findings, beliefs, or experiences; (iii) comply with all applicable laws and regulations, including but not limited to advertising and marketing laws such as the Federal Trade Commission’s Endorsement Guidelines; (iv) comply with the Facebook terms of service and other policies; and (v) comply with any other policies of Sponsor as may be communicated to you during the Drawing Period.

All issues and questions concerning the construction, validity, interpretation and enforceability of these Official Rules, or the rights and obligations of a Participant and/or Sponsor in connection with the Drawing, will be governed by, and construed in accordance with, the laws of the State of California without regard to California conflicts of law principles.  All Participants consent to the exclusive jurisdiction and venue in Santa Clara County, California, U.S.A.

The invalidity or unenforceability of any provision of these Official Rules will not affect the validity or enforceability of any other provision. In the event that any provision is determined to be invalid or otherwise unenforceable or illegal, these Official Rules will otherwise remain in effect and will be construed in accordance with their terms as if the invalid or illegal provision were not contained herein. In particular, Sponsor’s employees are not authorized to waive, modify, or amend any provision or provisions of these Official Rules in any manner whatsoever.

By entering the Drawing, Participants agree to the terms of Sponsor’s Privacy Policy (http://www.symantec.com/about/profile/privacypolicy/index.jsp). Unless Participants indicate otherwise at the time of entry, personal information collected from Participants may be used by Sponsor for the purpose of not only administering this Drawing but also contacting you regarding your interest in Sponsor’s products and services.  Winner’s name and identity will be publicly announced via Facebook.

AFFIDAVIT OF ELIGIBILITY AND WAIVER OF LIABILITY

By signing below, the undersigned Participant in the Symantec Bubble Wrap Appreciation Day Facebook Drawing (the “Drawing”) sponsored by Symantec Corporation (“Symantec”) hereby attests that, prior to participating in the Drawing he/she read the Official Rules for the Drawing and has previously agreed that his/her participation in the Drawing is governed exclusively by those Official Rules.  In consideration for the prize awarded to Participant through his/her participation in the Drawing, Participant agrees and acknowledges as follows:

1.   Eligibility: Participant was at least 18 years old and had reached the age of majority in his/her state of residence as of the starting date of the Drawing Period, and is an individual eligible to participate in the Drawing in accordance with the Official Rules, and, accordingly, is eligible to receive any prize awarded to him/her through the Drawing.  Participant acknowledges that his/her right to receive a prize may not be transferred, substituted for another prize, or exchanged for cash, and that Participant is solely responsible for all taxes or governmental fees due for receiving, owning, or using the prize.  Should it thereafter be discovered or determined that Participant was not eligible to receive a prize, Participant agrees to return such prize within ten days of written notice by Symantec, or by a duly authorized agent of Symantec, and to pay all costs associated with the return of such prize.

2.   Waiver of Liability: As set forth in the Official Rules, Participant hereby releases Symantec and Facebook, and their respective subsidiaries, affiliates, agencies, and their respective officers, directors, employees and representatives (collectively, the “Released Parties”) from any and all liability, loss, or damage arising from Participant’s acceptance, possession, or use of a prize, including, but not limited to, claims for product liability, personal injury, breach of contract, and negligence.  Participant acknowledges and agrees that the Released Parties make no warranty, expressed or implied, with respect to the accuracy of any information relating to the prizes awarded, including pricing and product editorials, and Participant hereby waives and releases the Released Parties from any liability, loss, or damage caused directly or indirectly by any inaccuracy associated with such information.  Without in any way limiting the generality of the foregoing, Participant agrees that this waiver embraces, covers and includes each, every, and all matters, transactions, causes of action, claims, demands and obligations arising in favor of Participant as against the Released Parties relating to Participant’s participation in the Drawing.  Participant hereby waives any and all rights under the provisions of California Civil Code Section 1542, which provides as follows:

A general release does not extend to claims which the creditor does not know or suspect to exist in his or her favor at the time of executing the release which if known by him must have materially affected his or her settlement with the debtor.

3.   Governing Law: Participant agrees that any dispute that arises as a consequence of his/her participation in the Drawing will be governed by the laws of the State of California.

Participant:     __________________________________                                                                                               

Signature:    _______________________________________                                                                                                   

Date:  ______________________                     

Address: ____________________________                                                                  

               ____________________________                                                                                                          

Email Address:     ____________________________

Get your business fit for 2015

A new year begins and at Symantec we want to be sure that you are ready for 2015.  After two major security issues in 2014 (Heartbleed and Shellshock) there are no safe assumptions in website security, so being a fit and resilient organisation, prepared to tackle the unexpected, should be your main motivation in 2015. While predicting the future is a fool’s game, it doesn’t mean we can’t pick up a few pointers from the past.

Before we can know what you need, we need to know who you are. While website security should always be at the forefront of any online business, a new Symantec infographic emphasises the importance of paying attention to it, whatever your role in your company.

As an IT specialist, you need to know that, according to Symantec research, two thirds of medium-sized companies have never conducted a vulnerability assessment on their website. As an IT manager, it is interesting to know that more than half a billion (552 million) identities were exposed in 2013 as a result of data breaches.

As mentioned previously, we need to know about you in order to be able to help. But what do you need? Which information do you need to protect? Are you the kind of person who downloads apps or do you share content on social media?  Perhaps you complete small money transactions or check your bank account via the Internet?

There is no need to worry if you do not know what to be concerned about in each situation.  At Symantec, we want to help you implement the best security solutions for your business. In order to help you determine your requirements, we have prepared a self-assessment quiz that will help you to find the best security solutions for your business, right now.

By simply completing our quiz, you will be able to download a customised report for your business that will offer the best advice to keep you safe. Start the quiz HERE

Now you know what you need to do to get your website into peak condition, but what’s the next step? The easiest thing is to get in touch with someone from Symantec. After all, we’re the specialists when it comes to website security and keeping your business healthy: that’s why 93 percent of the Fortune 500 and 97 of the top 100 US banks worldwide are using our products.

When you make your get-fit New Year’s resolutions for website security, think of us as your personal trainer.

Gogo Inflight Internet is Intentionally Issuing Fake SSL Certificates

It was recently disclosed that Gogo, a provider of Wi-Fi Internet services on commercial aircraft, has been issuing spoofed SSL certificates for Google sites that were viewed by customers of Gogo’s service. It appears that Gogo Inflight Internet was acting as an SSL Man-in-the-middle (MITM), a technique used within some enterprises to allow themselves to inspect and control all web traffic, even traffic to secure web sites.  To understand what this means, let me explain MITM in a bit more detail.

While not very common, there are enterprises that use SSL MITM technology to protect their employees and assets. For example, the enterprise can see when its employees visit sites that attempt to deliver malware, and can then block it. Some enterprises might want to ensure that their employees don’t visit inappropriate web sites using company equipment. The enterprise may also deploy a Data Loss Prevention (DLP) solution to guard against company secrets being divulged on public web sites. These uses are justified since the enterprise has an interest in securing its employees and their assets (laptops, desktops, corporate data, etc.).

Here’s how an SSL MITM works: a browser user tries to open an SSL connection to a web server. The connection attempt is intercepted by the SSL MITM, which opens its own SSL connection to the intended web server. When that web server returns its SSL certificate, the SSL MITM crafts a copy of the certificate using its own public-private key pair and signed by the SSL MITM’s private root certificate. It returns that copy of the certificate to the browser user, who sees a certificate containing the name of the intended web server. Essentially, two SSL connections are set up: one between the browser user and the SSL MITM, the other between the SSL MITM and the web server. The SSL MITM copies traffic back and forth between the parties so they are generally unaware of the SSL MITM. All SSL traffic is encrypted on the wire, but unencrypted in the SSL MITM. This allows the SSL MITM to see everything and even modify traffic in either direction.

It’s surprising to see a company use an SSL MITM with its customers. When used within an enterprise, the root certificate used by the SSL MITM can be installed and trusted in employee computers because the enterprise has complete control over those devices.  But this can’t be done with the enterprise’s customers, who control their own devices.  As a result, these customers will receive a warning when they visit a secure site intercepted by an SSL MITM. It’s clear from the screen shot in the articles related to this issue that the user’s browser warned them that the site’s certificate was signed by an untrusted issuer.
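The trust decision described in the two paragraphs above can be modelled in a few lines. This is an added example, not code from the original post: the host name, the root names and the toy RSA keys are all constructed, certificates are plain records rather than X.509, and the key-pinning check goes one step beyond the text to show how a client can notice interception even when the interception root is trusted.

```python
"""Toy model of the SSL MITM described above (constructed example).

Certificates are plain records and signatures are textbook RSA over small
fixed primes: enough to model the trust decision, not real X.509 or real crypto.
"""
import hashlib
from dataclasses import dataclass

E = 65537  # public exponent shared by every toy key


def mersenne(k):
    """2**k - 1; prime for each exponent used below (19, 31, 61, ..., 607)."""
    return (1 << k) - 1


@dataclass(frozen=True)
class KeyPair:
    n: int  # public modulus
    d: int  # private exponent

    @classmethod
    def from_primes(cls, p, q):
        return cls(p * q, pow(E, -1, (p - 1) * (q - 1)))


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    public_n: int       # the subject's public key
    signature: int = 0  # issuer's signature over the three fields above

    def digest(self, modulus):
        tbs = f"{self.subject}|{self.issuer}|{self.public_n}".encode()
        return int.from_bytes(hashlib.sha256(tbs).digest(), "big") % modulus


def issue(subject, subject_key, issuer_name, issuer_key):
    """Sign a certificate for `subject` with the issuer's private key."""
    unsigned = Cert(subject, issuer_name, subject_key.n)
    sig = pow(unsigned.digest(issuer_key.n), issuer_key.d, issuer_key.n)
    return Cert(subject, issuer_name, subject_key.n, sig)


def key_pin(cert):
    """Fingerprint of the leaf public key, as a pinning client would store it."""
    return hashlib.sha256(str(cert.public_n).encode()).hexdigest()


def client_verdict(leaf, hostname, trust_store, pins=None):
    """Browser-side decision. trust_store maps root name -> root public modulus."""
    if leaf.subject != hostname:
        return "name mismatch"
    root_n = trust_store.get(leaf.issuer)
    if root_n is None:
        return "untrusted issuer"   # the browser warning described in the post
    if pow(leaf.signature, E, root_n) != leaf.digest(root_n):
        return "bad signature"
    if pins and pins.get(hostname, key_pin(leaf)) != key_pin(leaf):
        return "pin mismatch"       # chain validates, but the server key changed
    return "ok"


# Constructed keys and names (all hypothetical).
PUBLIC_ROOT = KeyPair.from_primes(mersenne(61), mersenne(89))
MITM_ROOT = KeyPair.from_primes(mersenne(107), mersenne(127))
SERVER_KEY = KeyPair.from_primes(mersenne(31), mersenne(521))
MITM_LEAF_KEY = KeyPair.from_primes(mersenne(19), mersenne(607))
HOST = "video.example"

# The web server's real certificate, issued by a publicly trusted root.
GENUINE = issue(HOST, SERVER_KEY, "Public Root CA", PUBLIC_ROOT)
# The interceptor's copy: same name, its own key pair, signed by its private root.
FORGED = issue(GENUINE.subject, MITM_LEAF_KEY, "Interception Root", MITM_ROOT)

CUSTOMER_STORE = {"Public Root CA": PUBLIC_ROOT.n}
ENTERPRISE_STORE = {**CUSTOMER_STORE, "Interception Root": MITM_ROOT.n}
PINS = {HOST: key_pin(GENUINE)}


def run_scenarios():
    """Verdict for each combination of device and connection path."""
    return {
        "customer device, direct": client_verdict(GENUINE, HOST, CUSTOMER_STORE),
        "customer device, intercepted": client_verdict(FORGED, HOST, CUSTOMER_STORE),
        "managed device, intercepted": client_verdict(FORGED, HOST, ENTERPRISE_STORE),
        "managed device with pin, intercepted":
            client_verdict(FORGED, HOST, ENTERPRISE_STORE, PINS),
    }


if __name__ == "__main__":
    for scenario, verdict in run_scenarios().items():
        print(f"{scenario:40s} -> {verdict}")
```

The only difference between the second and third scenarios is one extra entry in the trust store, which is exactly what an enterprise can arrange on its own machines and a service provider cannot arrange on its customers' devices.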

What’s not clear is if Gogo performed a man-in-the-middle interception only for YouTube, or only for Google web properties, or for all web properties secured by SSL. There’s no reason to expect that Gogo intercepted only YouTube traffic. If done for all SSL traffic, it’s likely that a Gogo customer visiting their bank online, for example, would be subject to the same SSL MITM. This would be worrisome, because Gogo would then be able to collect usernames and passwords used on all such sites. Gogo’s CTO said “Gogo takes our customer’s privacy very seriously”, but Gogo’s actions raise a red flag. They could possibly have access to customer data that has nothing to do with Gogo or its services, and Internet users in a post-Snowden era are less willing to trust third parties with their personal information.

Gogo has a legitimate interest in limiting or blocking video streaming, but the way they’ve done it is far overreaching. Perhaps they hoped that customers would avoid using YouTube when they saw a scary security warning. Sadly, an unintended side effect might be to train users to ignore and to click through those warnings, which is counterproductive to the industry’s push for better end-user practices. Ultimately this would devalue all legitimate SSL certificates, and weaken the Certificate Authority/Browser trust model that Certificate Authorities and browser vendors have built and strengthened over the past 15+ years.

We urge Gogo to reconsider their actions and deploy bandwidth limiting solutions that do not involve the use of spoofed SSL certificates.

SCI-FI APPRECIATION DAY FACEBOOK SWEEPSTAKES DRAWING RULES

SYMANTEC OFFICIAL RULES FOR THE

SCI-FI APPRECIATION DAY FACEBOOK SWEEPSTAKES DRAWING

THE SCI-FI APPRECIATION DAY FACEBOOK SWEEPSTAKES DRAWING IS OPEN TO LEGAL RESIDENTS OF THE 50 UNITED STATES AND THE DISTRICT OF COLUMBIA (EXCLUDING GUAM, PUERTO RICO, AND ALL OTHER U.S. TERRITORIES AND POSSESSIONS) AND CANADA (EXCLUDING QUEBEC) WHO ARE THE AGE OF MAJORITY IN THEIR STATE OF RESIDENCE AND AT LEAST 18  YEARS OR OLDER.  THIS DRAWING SHALL BE CONSTRUCTED AND EVALUATED ACCORDING TO CALIFORNIA LAW.

NO PURCHASE NECESSARY TO ENTER OR WIN.  PURCHASE WILL NOT INCREASE YOUR CHANCE OF WINNING.

BY PARTICIPATING IN THE DRAWING, YOU ACCEPT AND AGREE TO BE BOUND BY THESE “OFFICIAL RULES” AND THE DECISIONS OF THE JUDGES AND/OR SPONSOR RELATIVE TO THIS DRAWING.

1. SPONSOR

The Symantec Sci-Fi Appreciation Day Facebook Drawing (the “Drawing”) is sponsored by Symantec Corporation (the “Sponsor”), 350 Ellis Street, Mountain View, California, 94043, U.S.A. The Drawing begins on January 2nd, 2015 at 12:00:00am Pacific Time (PT) and ends January 5th, 2015 at 11:59:59pm PT (the “Drawing Period”).

THIS DRAWING IS IN NO WAY SPONSORED, ENDORSED OR ADMINISTRATED BY, OR ASSOCIATED WITH FACEBOOK.

2. ELIGIBILITY – VOID WHERE PROHIBITED

This Drawing is open to legal residents of one of the fifty United States or the District of Columbia and Canada (except Quebec), who have reached the age of majority in their state or of residence as of the starting date of the Drawing Period (“Participant”).  Each Participant must have an account on www.facebook.com.  Persons in any of the following categories are NOT eligible to enter, participate in, or win the Drawing: (a) persons who on or after the starting date of the Drawing Period were or are officers, directors or employees of Symantec Corporation, or any of its subsidiary, affiliated companies, service agencies, or independent contractors; and (b) persons who are immediate family members (defined as spouse or biological or step-mother, father, sister, brother, daughter, or son and each of their respective spouses) of any person in any of the preceding categories, regardless of where they live, and/or individuals who reside in the same household, whether related or not, as any person in any of the preceding categories. Any questions and/or issues concerning eligibility shall be determined at the sole discretion of the Sponsor.  This Drawing is void in Guam, Puerto Rico, and where prohibited by law.  Employees or representatives of government agencies or organizations are not eligible to participate.

Participants understand that by participating in this Drawing, they are providing their information to Sponsor and not to Facebook. Further, Participants specifically release Facebook from any and all liability associated with this Drawing. The information you provide will be used as provided in Sponsor’s privacy policy (provide link). Any questions, comments or complaints regarding this Drawing shall be directed to Sponsor and not to Facebook. Participation constitutes Participant’s full and unconditional agreement to these Official Rules and Sponsor’s and/or Judges’ decisions, which are final and binding in all matters related to the Drawing.  Winning a prize is contingent upon fulfilling all requirements set forth herein.

3. HOW TO ENTER.  NO PURCHASE NECESSARY.  PURCHASE WILL NOT INCREASE YOUR CHANCE OF WINNING.

You must have a valid Facebook account in order to participate.  You can enter the Drawing by following these steps during the Drawing Period (“Entry”):

  1. Visit www.facebook.com/SymantecWebsiteSecuritySolutions
  2. Like the Symantec Website Security Solutions Facebook Page
  3. Comment on the questions in the Post related to the Drawing

General Requirements

In addition to the above-listed required steps, all Participants must abide by these General Requirements:

  • Your Entry must be in English.
  • Your Entry must not:

a. violate applicable law;

b. depict hatred;

c. be in bad taste;

d. denigrate (or be derogatory toward) any person or group of persons or any race, ethnic group, or culture;

e. threaten a specific community in society, including any specific race, ethnic group, or culture;

f. incite violence or be likely to incite violence;

g. contain vulgar or obscene language or excessive violence;

h. contain pornography, obscenity, or sexual activity; or

i. disparage the Sponsor.

  • Your Entry must be original, your sole property, and not previously published or submitted in any other Drawing.
  • Your Entry must not violate any right of a third party including, but not limited to: copyright, trademark, any other intellectual property right, right of publicity, confidentiality, and privacy.  Please do not include the name or logo of any company or product produced by a manufacturer other than Symantec.

By submitting an Entry, you agree that Sponsor has the unrestricted right to use your Entry in whole or in part, commercially or non-commercially in any media known or unknown in perpetuity, worldwide, including the right to publish and display the Entry for advertising and publicity, and to edit and make derivative works, all without additional review or compensation. Additionally, you agree that Sponsor may post your Entry, including your name on its sponsored websites and/or third-party sites.

Limit one (1) entry per person, regardless of the number of Facebook accounts used, for the duration of the Drawing Period.  If you enter or attempt to enter more than once using multiple Facebook identities, all of your entries may be declared null and void, and you may be disqualified and ineligible to participate in this Drawing.  Duplicate entries and/or other mechanical reproductions of entries are not permitted.  Illegible or incomplete entries will be disqualified.

Your entry may be disqualified, at the sole discretion of Sponsor if you attempt to enter through any means other than by the online submission requirement herein, if you disrupt the Drawing or circumvent the terms and conditions of these Official Rules, or violate the Facebook Terms of Service or Facebook Rules (https://www.facebook.com/policies/?ref=pf), which govern the use of Facebook.  If any of the above occurs, Sponsor has the right to remedy any such action, disruption, or circumvention in a manner to be solely determined by Sponsor.

4. PRIZES

Symantec will award the following prize in the Drawing:

Qty | Description | Estimated Value (USD)
1 | Star Trek the Next Generation Motion Picture Box Set | $35.00

The total estimated retail value of all of the prizes to be awarded under the Drawing is US$35.00.  The odds of winning depend on the number of eligible entries received during the Drawing Period.  Prizes are not transferable or exchangeable, or redeemable for cash.  No prize substitution is allowed, except Sponsor may substitute a comparable prize at Sponsor’s sole discretion.  Winner is solely responsible for any applicable federal, state, provincial, and local taxes.  Any other costs and expenses associated with prize acceptance and use not specified herein as being provided are winner’s sole responsibility.  All details and other restrictions of prizes not specified in these Official Rules will be determined by Sponsor in its sole discretion.

5. SELECTION OF WINNER; NEED NOT BE PRESENT TO WIN

A total of one (1) potential winner will be selected by random drawing on or around January 5th, 2015 at Symantec Corporation, 350 Ellis Street, Mountain View, CA.

Potential winner will be notified via his or her Facebook email account (e.g., “Congrats [Username!] You are a winner!  To claim your prize, email Symantec at brook_chelmo@symantec.com with your contact information”).  Potential winners must respond via Facebook within 7 business days of notification by sending an email message to brook_chelmo@symantec.com with your contact information.  There will be no additional media or channels utilized to announce winners.

If a potential winner is (i) found to be ineligible or not in compliance with these Official Rules, (ii) declines to accept a prize, (iii) if Sponsor does not receive a timely response to a winner notification, or (iv) in the event that a prize notification or prize is returned undeliverable, then the corresponding prize will be forfeited, the potential winner disqualified, and at the Sponsor’s sole discretion, the prize may be awarded to an alternate winner chosen by Sponsor’s judges.  Potential winners may be required to furnish proof of identification.  Before being declared a winner, potential winner must execute and return an Affidavit of Eligibility and Waiver of Liability within seven (7) business days from the postmarked date as having been sent by the Sponsor’s representative or otherwise the corresponding prize may be forfeited.

In the event of a dispute as to the identity of an entrant, the affected entry will be deemed submitted by the authorized account holder of the Facebook account used to enter the prize drawing.  A potential winner may be required to provide Sponsor with proof that the potential winner is the authorized holder of the associated Facebook account or email account.  An authorized account holder is defined as the natural person who is assigned to the Facebook account by Facebook, Inc.  If a dispute cannot be resolved to Sponsor’s satisfaction, the affected entry will be deemed disqualified and ineligible to win a prize, but these Official Rules will otherwise continue to govern the affected entry.

6. CONDITIONS

BY PARTICIPATING IN THE DRAWING, YOU AGREE TO RELEASE AND HOLD SPONSOR, FACEBOOK, THEIR RESPECTIVE PARENT COMPANIES, SUBSIDIARIES, AFFILIATES, PRODUCTION AND ADVERTISING AGENCIES, AND EACH OF THEIR RESPECTIVE OFFICERS, DIRECTORS, EMPLOYEES AND AGENTS (COLLECTIVELY, THE “RELEASED PARTIES”) HARMLESS FROM ANY AND ALL LOSSES, DAMAGES, RIGHTS, AND CLAIMS OF ANY KIND IN CONNECTION WITH THE DRAWING, DRAWING-RELATED ACTIVITY,  OR YOUR ACCEPTANCE, POSSESSION, USE OR MISUSE OF ANY PRIZE, INCLUDING, WITHOUT LIMITATION, PERSONAL INJURIES, PROPERTY DAMAGE, INVASION OF PRIVACY, AND MERCHANDISE DELIVERY.

Sponsor assumes no responsibility for any damage to your computer device which is occasioned by participation in the Drawing, or for any computer device, phone line, hardware, website, software or program malfunctions, or other errors, failures, delayed computer transmissions or network connections that are human or technical in nature.

All federal, state, provincial, and local laws apply.  Without limiting the generality of the foregoing, Sponsor is not responsible for incomplete, illegible, typographical errors, misdirected, misprinted, late, lost, damaged, stolen, or intercepted Drawing entries or prize notifications; or for lost, interrupted, inaccessible or unavailable networks, servers, satellites, Internet Service Providers, websites, or other connections; or for miscommunications, failed, jumbled, scrambled, delayed, or misdirected tweets, or computer, telephone or cable transmissions; or for any technical malfunctions, failures, difficulties or other errors of any kind or nature; or for the incorrect or inaccurate capture of information, or the failure to capture any information.  In case any of the aforementioned events occur, Sponsor shall have the right to modify, suspend, or terminate the Drawing in its sole discretion.  Sponsor reserves the right in its sole discretion to disqualify any individual who is found to be tampering with the entry process or the operation of the Drawing, or to be acting in violation of these Official Rules, or to be acting in an unsportsmanlike or disruptive manner, or with the intent to disrupt or undermine the legitimate operation of the Drawing, or to annoy, abuse, threaten or harass any other person, and Sponsor reserves the right to seek damages and other remedies from any such person to the fullest extent permitted by law.  In the event Sponsor is prevented from awarding prize(s) or continuing with the Drawing as contemplated herein by any event beyond its control, including but not limited to fire, flood, natural or man-made epidemic, earthquake, explosion, labor dispute or strike, act of God or public enemy, satellite, equipment or software failure, riot or civil disturbance, terrorist threat or activity, war (declared or undeclared) or any federal state or local government law, order, or regulation, public health crisis (e.g. SARS), order of any court or jurisdiction, or other cause not reasonably within Sponsor’s control (each a “Force Majeure” event or occurrence), then subject to any governmental approval which may be required, Sponsor shall have the right to modify, suspend, or terminate the Drawing in its sole discretion.

By entering the Drawing, you agree: (i) to be bound by these Official Rules and by all applicable laws and decisions of Sponsor which shall be binding and final; (ii) to waive any rights to claim ambiguity with respect to these Official Rules; (iii) to waive all rights to bring any claim, action, or proceeding against the Released Parties in connection with the Drawing; and (iv) to forever and irrevocably agree to release, defend, indemnify, and hold harmless the Released Parties from any and all claims, lawsuits, judgments, causes of action, proceedings, demands, fines, penalties, liability costs and expenses (including, without limitation, reasonable outside attorneys’ fees) that may arise in connection with your participation in this Drawing.

By posting to Facebook, you must (i) make no false or misleading representations or advertisements with regard to Sponsor; (ii) make no statements regarding Sponsor that you do not have a reasonable basis for or that are inconsistent with your honest opinions, findings, beliefs, or experiences; (iii) comply with all applicable laws and regulations, including but not limited to advertising and marketing laws such as the Federal Trade Commission’s Endorsement Guidelines; (iv) comply with the Facebook terms of service and other policies; and (v) comply with any other policies of Sponsor as may be communicated to you during the Drawing Period.

All issues and questions concerning the construction, validity, interpretation and enforceability of these Official Rules, or the rights and obligations of a Participant and/or Sponsor in connection with the Drawing, will be governed by, and construed in accordance with, the laws of the State of California without regard to California conflicts of law principles.  All Participants consent to the exclusive jurisdiction and venue in Santa Clara County, California, U.S.A.

The invalidity or unenforceability of any provision of these Official Rules will not affect the validity or enforceability of any other provision. In the event that any provision is determined to be invalid or otherwise unenforceable or illegal, these Official Rules will otherwise remain in effect and will be construed in accordance with their terms as if the invalid or illegal provision were not contained herein. In particular, Sponsor’s employees are not authorized to waive, modify, or amend any provision or provisions of these Official Rules in any manner whatsoever.

By entering the Drawing, Participants agree to the terms of Sponsor’s Privacy Policy (http://www.symantec.com/about/profile/privacypolicy/index.jsp). Unless Participants indicate otherwise at the time of entry, personal information collected from Participants may be used by Sponsor for the purpose of not only administering this Drawing but also contacting you regarding your interest in Sponsor’s products and services.  Winner’s name and identity will be publicly announced via Facebook.

AFFIDAVIT OF ELIGIBILITY AND WAIVER OF LIABILITY

By signing below, the undersigned Participant in the Symantec Sci-Fi Appreciation Day Facebook Drawing (the “Drawing”) sponsored by Symantec Corporation (“Symantec”) hereby attests that, prior to participating in the Drawing he/she read the Official Rules for the Drawing and has previously agreed that his/her participation in the Drawing is governed exclusively by those Official Rules.  In consideration for the prize awarded to Participant through his/her participation in the Drawing, Participant agrees and acknowledges as follows:

1.   Eligibility: Participant was at least 18 years old and had reached the age of majority in his/her state of residence as of the starting date of the Drawing Period, and is an individual eligible to participate in the Drawing in accordance with the Official Rules, and, accordingly, is eligible to receive any prize awarded to him/her through the Drawing.  Participant acknowledges that his/her right to receive a prize may not be transferred, substituted for another prize, or exchanged for cash, and that Participant is solely responsible for all taxes or governmental fees due for receiving, owning, or using the prize.  Should it thereafter be discovered or determined that Participant was not eligible to receive a prize, Participant agrees to return such prize within ten days of written notice by Symantec, or by a duly authorized agent of Symantec, and to pay all costs associated with the return of such prize.

2.   Waiver of Liability: As set forth in the Official Rules, Participant hereby releases Symantec and Facebook, and their respective subsidiaries, affiliates, agencies, and their respective officers, directors, employees and representatives (collectively, the “Released Parties”) from any and all liability, loss, or damage arising from Participant’s acceptance, possession, or use of a prize, including, but not limited to, claims for product liability, personal injury, breach of contract, and negligence.  Participant acknowledges and agrees that the Released Parties make no warranty, expressed or implied, with respect to the accuracy of any information relating to the prizes awarded, including pricing and product editorials, and Participant hereby waives and releases the Released Parties from any liability, loss, or damage caused directly or indirectly by any inaccuracy associated with such information.  Without in any way limiting the generality of the foregoing, Participant agrees that this waiver embraces, covers and includes each, every, and all matters, transactions, causes of action, claims, demands and obligations arising in favor of Participant as against the Released Parties relating to Participant’s participation in the Drawing.  Participant hereby waives any and all rights under the provisions of California Civil Code Section 1542, which provides as follows:

A general release does not extend to claims which the creditor does not know or suspect to exist in his or her favor at the time of executing the release which if known by him must have materially affected his or her settlement with the debtor.

3.   Governing Law: Participant agrees that any dispute that arises as a consequence of his/her participation in the Drawing will be governed by the laws of the State of California.

Participant:                                                                                                   

Signature:                                                                                                      

Date:                                                                                                              

Address:                                                                                                         

Email Address: