Network and Computer Security

The Network and Computer Security Blog


September 2, 2006

Latest polymorphism hides viruses better

Filed under: News, Virus, Windows — SecuNews @ 11:27 am

As if we needed it, a new polymorphism technique makes viruses on AMD-64 processors even harder to detect.

The virus, dubbed W64.Bounds, is not spreading in the wild, but was submitted as a proof of concept to antivirus researchers. “The program is not easy to detect because it encrypts itself using a new algorithm and exploits a Windows feature available only on AMD64 systems to control execution”, Peter Ferrie, senior antivirus researcher for Symantec, said.

See the full article on SecurityFocus.

August 26, 2006

Yet another vulnerability in Internet Explorer

Filed under: News, Vulnerabilities, Windows — SecuNews @ 11:22 am

Just after Microsoft released an IE 6 update on August 8th to fix multiple vulnerabilities (see Microsoft Security Bulletin MS06-042), the NSFocus security team found that this update introduces a new vulnerability.

This vulnerability can be exploited remotely by sending an overly-long URL to the browser.

This issue has been assigned the name: CVE-2006-3869

See here for the full details: NSFOCUS Security Advisory (SA2006-08)

See here for the advisory from Microsoft and the updated patch: Microsoft Security Bulletin MS06-042.

August 25, 2006

August 15th edition of Bruce Schneier’s CRYPTO-GRAM

Filed under: Articles, Newsletters — SecuNews @ 11:10 pm

The August 15th issue of Bruce Schneier’s Crypto-Gram newsletter is out (and has been for a few days now, but your favorite webmaster has been on vacation):

What really matters as far as computer security is concerned!

For an exclusive and alternative take on the current world news, just make sure you read the “Last Week’s Terrorism Arrests” article, as it’s the best I’ve read on this subject so far!

Last Week’s Terrorism Arrests
Remote-Control Airplane Software
Crypto-Gram Reprints
Doping in Professional Sports
iPod Thefts
News
Security Certifications
The Doghouse: Sniper Flash Cards
A Month of Browser Bugs
HSBC Insecurity Hype
Counterpane News
Updating the Traditional Security Model
Bot Networks
Comments from Readers

August 15, 2006

Detecting Worms and Abnormal Activities

Filed under: Tools, Articles — SecuNews @ 11:48 am

The problem with viruses, worms and other malicious code or hacking attempts is that they are not always easy to detect. In most cases, it’s actually quite hard to spot them.

There are many different techniques and tools to do so, but none of them is fully effective, so a good network and security administrator has to learn to combine several techniques to detect what’s wrong on the network.

Yiming Gong wrote a very interesting article about the usage of NetFlow to detect worms; definitely a must-read for network administrators (Note: for open-source people who don’t have/want NetFlow, some alternatives are suggested in the second article).
Detecting Worms and Abnormal Activities with NetFlow, Part 1

Detecting Worms and Abnormal Activities with NetFlow, Part 2

August 3, 2006

Demystifying Denial-Of-Service attacks

Filed under: Articles — SecuNews @ 11:27 am

We often see articles and news about denial of service and distributed denial of service attacks (“DoS” and “DDoS”), but besides the fact that they render a service useless by overloading it, few details are usually given.

As it turns out, the mechanism is a bit more complicated: it’s not exactly an ‘overloading’ of the service in the sense we usually mean it; most of the time it’s actually a flood of the networking layer of the target machine(s).

Abhishek Singh wrote a very good article that explains this technique clearly. It’s a very good read and a very well illustrated article. Definitely worth the read!
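As an added illustration (not code from either linked article), here is a small Python sketch of the two NetFlow heuristics these posts point at: a source fanning out to many hosts on one port with tiny flows (worm-style scanning, as in the August 15 NetFlow post) and a service receiving tiny flows from many sources (the network-layer flood described above). The record format, thresholds and sample flows are constructed assumptions, not data from the articles.

```python
# Added example: scan-like fan-out and flood-like fan-in over NetFlow-style
# records. Record format 'src,dst,dport,proto,packets,bytes' is an assumption.
from collections import defaultdict

# Constructed sample: 10.0.0.5 probes 30 hosts on 445 with 1-packet flows;
# 50 sources hit 10.0.0.80:80 with 1-packet flows; 10.0.0.7 is a normal client.
SAMPLE_FLOWS = "\n".join(
    [f"10.0.0.5,10.0.1.{i},445,tcp,1,48" for i in range(1, 31)]
    + [f"192.0.2.{i},10.0.0.80,80,tcp,1,40" for i in range(1, 51)]
    + ["10.0.0.7,10.0.0.80,80,tcp,120,95000",
       "10.0.0.7,10.0.0.81,443,tcp,300,410000"]
)

def parse_flows(text):
    """Parse 'src,dst,dport,proto,packets,bytes' lines into dicts."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, proto, pkts, byts = line.split(",")
        flows.append({"src": src, "dst": dst, "dport": int(dport),
                      "proto": proto, "pkts": int(pkts), "bytes": int(byts)})
    return flows

def scanning_sources(flows, min_targets=20, max_pkts=3):
    """Sources reaching many distinct hosts on one port via tiny flows."""
    targets = defaultdict(set)
    for f in flows:
        if f["pkts"] <= max_pkts:
            targets[(f["src"], f["dport"])].add(f["dst"])
    return sorted((src, port) for (src, port), d in targets.items()
                  if len(d) >= min_targets)

def flooded_services(flows, min_sources=40, max_pkts=3):
    """Destination:port pairs hit by many distinct sources via tiny flows."""
    sources = defaultdict(set)
    for f in flows:
        if f["pkts"] <= max_pkts:
            sources[(f["dst"], f["dport"])].add(f["src"])
    return sorted((dst, port) for (dst, port), s in sources.items()
                  if len(s) >= min_sources)

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("scan-like sources:", scanning_sources(flows))
    print("flood-like services:", flooded_services(flows))
```

The packet threshold is what separates a legitimate busy client (long flows) from probes and floods (many one-packet flows); tune it and the fan-out/fan-in counts to your own baseline.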

July 29, 2006

More and more flaws found in Microsoft Office

Filed under: News, Vulnerabilities, Windows — SecuNews @ 9:21 pm

The latest Microsoft Office version appears to contain lots of vulnerabilities; so much so, in fact, that many experts fear a new macro virus like Melissa is quite likely to appear very soon.

Since the end of 2005, about 20 vulnerabilities have been found in Office; that’s more than enough for the virus and worm writers out there to find an easy-to-exploit one and to take over all the machines with the latest Office (Word, Excel, PowerPoint, Outlook, and, for professional users, Access) installed.

The problem is even more acute as it takes Microsoft an average of 4 months to issue patches fixing security problems; so as the number of known vulnerabilities increases, tons of systems remain vulnerable.

Read more here: Flaw finders lay siege to Microsoft Office

July 24, 2006

Why popular antiviruses still don’t work well

Filed under: Virus, Articles — SecuNews @ 12:13 pm

It’s no news that no antivirus is 100% safe.

It has always been that way and always will be. The answer is simple: very few antiviruses share the biggest market share (the top 5 AVs most likely represent more than 95% of the installed base). So virus writers can very quickly check their “latest, not-released-in-the-wild-yet” virus, see which antivirus applications detect it as malware, and modify it accordingly.

ZDNet just published a good paper on the subject: Why popular antivirus apps ‘do not work’?

July 17, 2006

OSSIM: Be aware of your security

Filed under: Tools, Linux, Software — SecuNews @ 10:02 am

I’ve already featured some tools here like Nmap, OSSEC and Honeytrap, but I’m not talking about security tools nearly enough.

So this time let me introduce you to OSSIM. OSSIM stands for Open Source Security Information Management and aims to unify network monitoring, security, correlation, and qualification in one single tool. It combines Snort, Acid, MRTG, NTOP, OpenNMS, nmap, nessus and rrdtool to provide the user with full control over every aspect of networking or security. Installing and maintaining many security tools at once has always been long and painful, and OSSIM lets you benefit from the best security tools in an easy and integrated way.
OSSIM has been under heavy development for a few years now and the last release (0.9.9rc2) is much easier to install than the previous versions.

If you’re in doubt you can get a feel for how it looks by browsing these OSSIM screenshots.

Links:

July 15th edition of Bruce Schneier’s CRYPTO-GRAM

Filed under: Articles, Newsletters — SecuNews @ 9:27 am

The July 15th issue of Bruce Schneier’s Crypto-Gram newsletter is out.

As usual, plenty of great articles that give real insight into what matters as far as computer security is concerned. In particular, make sure you read the “Economics and Information Security” article, as it’s the best I’ve read on this subject so far!

Here’s the summary of the newsletter:
Economics and Information Security
Crypto-Gram Reprints
Google and Click Fraud
A Minor Security Lesson from Mumbai Terrorist Bombings
News
Getting a Personal Unlock Code for Your O2 Cell Phone
The League of Women Voters Supports Voter-Verifiable Paper Trails
Brennan Center and Electronic Voting
Comments from Readers

July 1, 2006

Want to know what the best antivirus software is?

Filed under: News, Virus, Articles — SecuNews @ 11:25 am

We’re all wondering which antivirus is the best one to protect our servers.

The guys from Nepenthes wondered the same thing and took the time to submit a sample of 4987 viruses to 14 antivirus products running on *nix platforms (some free, some not).

The full study is here, but if you’re impatient here’s the summary:

Rank  Product               Hit Rate  Trend
 1    Antivir               99,04%    +7,07%
 2    BitDefender           96,23%    +1,52%
 3    VirusBlokAda          95,17%    +1,42%
 4    F-Prot                94,02%    +2,39%
 4    Authentium            94,02%    new
 5    Norman Virus Control  93,78%    +1,19%
 6    Fortinet              87,29%    +2,35%
 7    F-Secure Antivirus    85,22%    +5,99%
 8    Kaspersky             85,10%    +5,73%
 9    VirusBuster           82,53%    +11,76%
10    Trend Micro           76,19%    +5,14%
11    ClamAV                71,41%    -0,85%
12    NOD32                 70,06%    +4,05%
13    Sophos SWEEP          68,58%    +2,45%
14    eTrust                63,97%    new

(Note: the ‘Trend’ percentage is the variation between the current test and the previous one)
