The Lazy Genius

Security News & Brain Dumps from Xavier Ashe, a Bit9 Client Partner

Archive for the ‘Uncategorized’ Category

My Evolving Security Philosophy

Posted by Xavier Ashe on February 5, 2013

From the very start of considering a move from IBM Security Systems to Bit9, I gave a lot of thought to my security philosophy. I really do believe strongly in IBM’s security portfolio, and I wanted to make sure moving to Bit9 didn’t undercut my security philosophy. Working for IBM taught me a lot about holistic security and how good security products are usable no matter whether your security maturity is basic or advanced. I generally focused on the network side of security, mainly in SIEM and NIPS. I’ve shied away from endpoint security (with the exception of dabbling in forensics and TEM), because it’s such a headache. Virus scan software is a joke, letting just about everything modern in. Case in point with the recent attacks at the New York Times:

Over the course of three months, attackers installed 45 pieces of custom malware. The Times — which uses antivirus products made by Symantec — found only one instance in which Symantec identified an attacker’s software as malicious and quarantined it, according to Mandiant.

I see this all the time. That’s why products like QRadar and IBM Security NIDS are so popular. You have to fall back to the network if you can’t get control of the endpoint. Why attack the endpoint? It seems to be the easiest and most successful. There are typically three categories of attacks:

  1. Remote attacks launched from the internet (DoS, SQL Injection, etc.)
  2. Insider threats, and
  3. Infect an endpoint, then launch an attack from within (phishing, drive-by downloads)

Network-based protection is very useful at blocking and/or detecting all three of these attack categories, but that leaves you with perimeter-based security protection. With perimeter-based security, one tries to tackle the channels of infection like email and web browsing. There are tons of solutions that help with this, but nothing helps as soon as that endpoint walks out the door. Network security should be used to protect infrastructure, not endpoints.

So what can be done to protect the endpoint?  IBM Tivoli Endpoint Manager does a lot to manage all the small stuff like patch management, software delivery, compliance, and virus scanning.  I say small stuff, not to dismiss its importance, but they are processes that should be in place already.  Having TEM take care of it all is just easier.

When I was at IBM and a customer was worried about the Insider Threat, we would use either TSIEM or QRadar to pull in system and audit logs. What we usually found was near pure chaos, since it’s very hard to figure out what is what within system logs. The best approach I have found is using white list policies. We would build profiles of acceptable behavior in an environment, filter it out, then analyze the rest. It was a great approach and bled over into some of my other SIEM and NIPS scenarios.

The reason I bring this up is that one of the reasons I like Bit9’s software is that it employs a similar white list approach, but it looks to be MUCH easier than the rat’s nest that is system and audit logs.
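The profile-then-filter approach described above, as an added example that is not code from the original post or from any IBM or Bit9 product: a baseline of acceptable (user, host, action) behavior is defined first, every audit event it explains is filtered out, and only the remainder is handed to the analyst with the reason it survived. The log format, the baseline profile, and all user and host names are constructed for this example.

```python
"""Whitelist-style triage of system audit logs.

Added example, not code from the original post or from any IBM or Bit9
product.  It shows the approach described above: build a profile of
acceptable behaviour, filter out every event that matches it, and analyse
only what remains.  The log format, the baseline profile and every
user/host name here are constructed for the example.
"""
import re
from collections import Counter

# Constructed audit events in an assumed "key=value" format.
AUDIT_LOG = """\
ts=2013-02-05T08:01:12Z user=alice host=app01 action=login result=success
ts=2013-02-05T08:01:40Z user=alice host=app01 action=read path=/reports/q4.csv
ts=2013-02-05T08:05:03Z user=backup host=db01 action=read path=/var/backups/db.dump
ts=2013-02-05T08:09:55Z user=bob host=app01 action=login result=failure
ts=2013-02-05T08:10:01Z user=bob host=app01 action=login result=failure
ts=2013-02-05T08:10:09Z user=bob host=app01 action=login result=success
ts=2013-02-05T02:13:44Z user=alice host=db01 action=read path=/var/backups/db.dump
ts=2013-02-05T08:15:22Z user=svc_web host=app01 action=exec cmd=/usr/sbin/httpd
ts=2013-02-05T08:16:02Z user=svc_web host=app01 action=exec cmd=/bin/nc
"""

# The profile of acceptable behaviour, as it would be learned from a quiet
# baseline period: which (user, host, action) combinations are normal, the
# hours in which they are expected, and which commands a service account
# may execute.  All constructed for the example.
BASELINE = {
    ("alice", "app01", "login"),
    ("alice", "app01", "read"),
    ("backup", "db01", "read"),
    ("bob", "app01", "login"),
    ("svc_web", "app01", "exec"),
}
WORK_HOURS = range(7, 20)                        # 07:00-19:59 UTC
ALLOWED_EXEC = {"svc_web": {"/usr/sbin/httpd"}}

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one key=value audit line into a dict of its fields."""
    return dict(FIELD_RE.findall(line))


def deviation(ev):
    """Return None if the event matches the profile, else the reason it does not."""
    if ev.get("result") == "failure":
        return "failed action"
    if (ev.get("user"), ev.get("host"), ev.get("action")) not in BASELINE:
        return "unprofiled user/host/action"
    if int(ev["ts"][11:13]) not in WORK_HOURS:
        return "outside expected hours"
    if ev.get("action") == "exec" and ev.get("cmd") not in ALLOWED_EXEC.get(ev["user"], set()):
        return "unexpected command"
    return None


def triage(log_text):
    """Filter out everything the profile explains; return what is left for
    analysis as (event, reason) pairs plus a count of the reasons."""
    leftovers = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        why = deviation(ev)
        if why is not None:
            leftovers.append((ev, why))
    return leftovers, Counter(why for _, why in leftovers)


if __name__ == "__main__":
    events, summary = triage(AUDIT_LOG)
    for ev, why in events:
        print(f"{ev['ts']} {ev['user']}@{ev['host']} {ev['action']}: {why}")
    print(dict(summary))
```

Of the nine constructed events, five match the profile and drop out; the four left for analysis are two failed logins, a read of the database backup by a user whose profile never touches db01 (and at 02:13, outside working hours), and a service account running a command outside its allowed set. The order of checks matters: the first deviation found is the one reported, so an event that is both unprofiled and off-hours is flagged as unprofiled.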

Let me summarize:

  • Network security is best when focused on protecting infrastructure like hosted applications and databases.  It loses effectiveness when trying to secure the endpoint.
  • As for hosted applications, security vulnerability testing and security development should be a closed loop.
  • Insider threats can only be managed if you are doing system and audit log analysis.  It’s a costly investment, but worth it to certain business sectors like banking and military.
  • Endpoint protection must include basic measures including patch management, lifecycle management, and basic written security policy.
  • I believe SIEM is critical to tie it all together and should be the single pane of glass.
  • Maturity in other security processes like identity management, access management, policy, compliance, encryption, and asset management help all your other security investments.
  • Overall security policy governance has to be tailored to the size and type of organization.

As I write this out, I see that going after endpoint security with Bit9 fits for me.  I am looking forward to learning more about its capabilities and how our customers would like to use it.


Posted in Personal Note, Security, Uncategorized | 2 Comments »

One day in Taipei

Posted by Xavier Ashe on February 12, 2012

Taipei 101

I am on a business trip in Taipei, Taiwan this week. It’s a TSOM/TSIEM deployment that I’ve been looking forward to for several months. I arrived late Saturday night, so I had one day to get all the sightseeing in I could. It’s the best way for me to get acclimated to the 13 hour change. If I stay in the hotel, I’m bound to fall asleep way too early. Here’s where I went today. If you are reading this to reproduce my itinerary, be forewarned – I like to walk. A lot. That last message came from my feet, who are not very happy with me right now.

The main tuned mass damper atop Taipei 101

I started the day from The Taipei City Hall MRT station and took a leisurely walk through the business district. I finally got to my first destination, Taipei 101, the world’s tallest building with the world’s fastest elevator. Okay, it WAS the tallest building in the world from 2004-2010. Those upstarts in Dubai had to outdo them. It’s still the world’s largest sundial. And it has the world’s largest tuned mass damper sphere. What’s that, you say? It’s a big freakin ball that hangs in the middle of the building at the top, and it keeps the building from swaying too much. In fact, I never felt it sway. Unlike the Westin in Atlanta. There’s lots for a geek to fall in love with at Taipei 101. There’s a lot of technology and a lot of meaning in every aspect of the building (example: it has 8 segments of 8 floors).

On the Maokong Gondola

After that, I took a long walk to the Liuzhangli MRT station to do some urban exploring. I took the Wenhu Line to the end to ride the Maokong Gondola. I decided to wait in line for the “Crystal Cabins”, also called “Eyes of Maokong Gondola”, a plexiglass bottomed gondola. It was a great trip and the sights were as good as atop Taipei 101. I am a sucker for mountains, and these were quite nice. The gondolas go up and over several hills and traverse some steep valleys. At points the winds were really scary, but I made it up to Maokong Station safe and sound.

The "Tea House"

Now that I was safely up the mountain, I started to wander. I was heading in the direction of the Taipei Tea Promotion Center, but didn’t make it that far. I stopped off at a random tea house (this area is known as the Tea Gardens) called …wait for it… Tea House (they don’t have an English site, but they are at It was a very nice place and I was thankful that they had a teenager on staff who spoke very good English and taught me how to make traditional tea. I had tea oil chicken (it sounded like the thing you eat in the Tea Gardens) and Oolong Four Seasons Tea, which was like a more flavorful green tea. I sat a while enjoying the quiet of the mountainside, listening to strange, but calming, bird calls.

Playing the saw in Taipei

With my unused tea in hand and a fresh water bottle, I hiked back to the Gondola station and then back to the Taipei Zoo MRT station. I went to the Zhongxiao-Fuxing station to check out SOGO. It didn’t seem too different than an American mall, so I quickly left. Next stop was the Longshan Temple MRT station, and you guessed it, the Longshan Temple. As I walked to the temple, I walked through No. 12 Park. It was where all the men were. The park was jam packed with old Taiwanese men playing what looked like Xiangqi, but I wasn’t sure. It was a very interesting find, even more so when I found a street performer playing the saw. That’s some good stuff right there. I think she’s ready to move to the Appalachian Mountains.

The Mengjia Longshan Temple

I crossed the street and entered the Longshan Temple. It was very crowded, which made it surreal and spiritual. I walked around and took in the sounds of the chanting, the smell of the incense, and the dedication of the followers. There is something moving about watching a religious practice you know absolutely nothing about, beyond my 3rd grade teachings of “weird religions you’ll never see in the south”. They had very elaborate paper creatures, some that were hung up so as to let people pray underneath them. Besides healing my spirit, I also let my feet take a rest, but not for long.

Bopiliao Historic Block

I had a pretty basic tourist map that indicated that other neat things were near. So I just picked a direction that kinda pointed me the right way. I didn’t find any of the things on my map. I did however find the Bopiliao Historic Block. It’s a couple of well-preserved and renovated streets and traditional shop homes from the Qing Dynasty (the last Dynasty before the Republic of China was created). It was a great discovery and I was taken with how “modern” it looked. Seems like the architecture here inspired architects back home.

Ximen Square - looks familiar, eh?

It was getting late in the day and I decided to call it quits. I plotted a roundabout way of getting to the Ximen MRT Station. I came across The Red House, which had a small bazaar around it. I browsed a bit, then tried again to get to the Ximen MRT Station. I got there, decided to take a break, and started people watching. Then I noticed something (see the picture to the left). This was Taipei’s Times Square. I sat for long enough to watch some crazy woman go ape shit on her man and to watch the crowds gather. It was time for the famed “Night Markets” of Taipei. I gathered up enough strength to do some more walking. The energy was high. There were street performers (really good ones – no saw playing), magicians, food vendors (I picked up two different types of unknown fruit), caricature artists, silhouette artists, and TONS of people. After getting nice and lost, I gave in and looked at Google Maps on my phone, only to realize that I was one block away from the MRT station.

Here’s a few things I observed today:

  • Man purses are IN. The vast majority of men younger than 40 had a man purse.
  • A high of 75 degrees F is really cold to the Taiwanese. Everyone had on jackets, many with big winter coats. I was the only person in a t-shirt. Which reminds me:
  • T-shirts do not make the cut for men’s fashion here. Everyone I saw had a collared shirt, collared jacket, or hoodie. I felt naked in just a t-shirt.
  • Electronics are more expensive here than in the US. Which I find odd, since a lot of them are made here. For example, the 360 Kinect is about $530 here.
  • There is a distinct lack of iPhones, but a smorgasbord of other devices. All of them full touch screens. Some of them have tiny iPhone sized screens, but most of them have larger screens. Some were huge phones or small tablets. I did spot one or two iPhones and at least one iPad, but this land is not dominated by Apple.

Well tomorrow I start my TSOM/TSIEM project and will probably work most nights on my other pet projects (like getting that TSOM/TSIEM to QRadar Transition Redpaper finished!). I am uploading all my photos to my Flickr account, if you care to see more. My sore feet and I are going to bed.

Posted in Uncategorized | 2 Comments »

Why The TCP Attack Is Likely Bad, But Not That Bad

Posted by Xavier Ashe on October 3, 2008

There’s been a bunch of new information released over the past few days about the potential big TCP denial of service flaw. The three most informative posts I’ve read are:

  1. Fyodor’s discussion of either the same, or a similar issue.
  2. Richard Bejtlich’s overview.
  3. Rob Graham’s take on the potential attack.

Here’s what I think you need to know:

  1. It is almost certainly real.
  2. Using this technique, an attacker with very few resources can lock up the TCP stack of the target system, potentially draining other resources, and maybe even forcing a reboot (Could this trash a host OS? We don’t know yet.).
  3. Anything that accepts TCP connections is vulnerable. I believe that means passive sniffing/routing is safe.
  4. The attack is obvious and traceable. Since we are using TCP and creating open connections (not UDP) it means spoofing/anonymous attacks don’t seem possible.
  5. Thus, I’d be more worried about a botnet that floods your upstream provider than this targeted attack.
  6. This is the kind of thing we should be able to filter, once our defenses are updated.
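Points 4 and 6 above say the same thing from the defender's side: the attack needs real, non-spoofed TCP connections, so the offending sources are visible in the connection table and can be counted and filtered. The following is an added example, not code from the original post or from the three write-ups it links; it works from a constructed, netstat-like connection table (not the output of any real tool), counts established connections per remote address and local port, and turns anything over a threshold into a candidate block list.

```python
"""Spot remote sources holding an unusual number of open TCP connections.

Added example, not code from the original post or from the write-ups it
links.  It applies the defensive observation above: the attack needs real,
non-spoofed TCP connections, so the source addresses are visible and can be
counted and filtered.  The connection table below is constructed in a
netstat-like layout; it is not the output of any real tool.
"""
from collections import Counter

# Constructed normal traffic: a handful of clients, one connection each.
NORMAL_CONNS = [
    "tcp 10.0.0.5:80 198.51.100.7:40001 ESTABLISHED",
    "tcp 10.0.0.5:80 198.51.100.8:51020 ESTABLISHED",
    "tcp 10.0.0.5:443 198.51.100.9:33012 ESTABLISHED",
    "tcp 10.0.0.5:22 192.0.2.14:60231 ESTABLISHED",
    "tcp 10.0.0.5:80 198.51.100.7:40002 TIME_WAIT",
]
# Constructed: one source keeping 40 connections open against port 80.
FLOOD_CONNS = [f"tcp 10.0.0.5:80 203.0.113.9:{41000 + i} ESTABLISHED" for i in range(40)]
CONN_TABLE = "\n".join(NORMAL_CONNS + FLOOD_CONNS)


def parse_table(text):
    """Parse 'proto local remote state' lines into dicts; skip malformed lines."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        proto, local, remote, state = parts
        _, lport = local.rsplit(":", 1)
        rhost, _ = remote.rsplit(":", 1)
        conns.append({"proto": proto, "local_port": int(lport),
                      "remote_ip": rhost, "state": state})
    return conns


def connection_hogs(conns, threshold=25):
    """Count established TCP connections per (remote IP, local port) and
    return the pairs at or above the threshold, most connections first."""
    counts = Counter(
        (c["remote_ip"], c["local_port"])
        for c in conns
        if c["proto"] == "tcp" and c["state"] == "ESTABLISHED"
    )
    return [(ip, port, n) for (ip, port), n in counts.most_common() if n >= threshold]


def block_list(hogs):
    """Distinct source addresses to hand to a firewall or upstream filter."""
    return sorted({ip for ip, _, _ in hogs})


if __name__ == "__main__":
    hogs = connection_hogs(parse_table(CONN_TABLE))
    for ip, port, n in hogs:
        print(f"{ip} holds {n} established connections to local port {port}")
    print("candidate block list:", block_list(hogs))
```

The threshold of 25 is an assumption for the example and has to be set per service: a forward proxy or NAT gateway legitimately holds many connections from one address, so a production filter would carry an allow list for those sources and would sample the table over time rather than acting on one snapshot.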


Posted in Uncategorized | Leave a Comment »

PCI DSS version 1.2 differences and updates

Posted by Xavier Ashe on October 3, 2008

On October 1, 2008 the PCI SSC released version 1.2 of the PCI DSS requirements.  There are a number of changes as outlined previously in the update document.  The PCI SSC has established a life cycle process that will ensure the PCI DSS standard is revised and updated on a two year cycle.  What follows is a detailed outline of the differences between version 1.1 and 1.2 (some that have not been discussed previously) and the implications of those changes. (Unless otherwise noted, those items in quotations are taken directly from the PCI DSS or the update document linked above.)

Good dissection of the new reg from the PCI Blog.

Posted in Uncategorized | Leave a Comment »

Security metrics: more is not better

Posted by Xavier Ashe on October 3, 2008

The shiny new version of SP800-55, renamed “Performance Measurement Guide for Information Security”, takes a rather different tack but is still quite long (80 pages in total, half of which are appendices).  I suspect the primary reason for its existence is to support FISMA (the US Federal Information Security Management Act, essentially a set of information security policies mandated in law for US Government agencies) by imposing a standardized set of metrics that can be used to benchmark agencies and force the laggards to pull their socks up.  It remains a highly bureaucratic and costly response to a genuine management problem.

Another draft NIST standard, SP800-80 “Guide for Developing Performance Metrics for Information Security”, emphasises the process of developing and implementing security metrics.  It includes a shorter list of STTCBM (‘candidate metrics’), but again takes a database approach with forms in the appendices characterising the metrics by ‘metric type’, ‘frequency of collection’ etc., details which, by the way, are organization and implementation-specific and really not that hard for grown-up security managers to figure out for themselves.

Read the full article on the (ISC)2 Blog.

Posted in Uncategorized | Leave a Comment »

TSOM 4.1.1 Available

Posted by Xavier Ashe on August 27, 2008

Tivoli Security Operations Manager V4.1.1 is now available. To download this updated release, support-entitled customers should access the Passport Advantage Customer download site.

Tivoli Security Operations Manager V4.1.1 has been updated to include the following:

Additional Platform Support

* Added Windows 2003 SP2 64
* Added Red Hat Linux 5.x


* Tivoli Change and Configuration Management Database integration via Tivoli Application Dependency Database Manager
* IBM Tivoli License Manager Support
* IBM Support Assistant Support

New Capabilities / Enhancements

* IPv6 Tolerance
* LDAP Authentication
* Compliance Reports for PCI

Posted in Uncategorized | Leave a Comment »

Performance Measurement Guide for Information Security

Posted by Xavier Ashe on July 30, 2008

NIST is pleased to announce the release of NIST Special Publication 800-55, Revision 1, Performance Measurement Guide for Information Security. This publication provides assistance in developing, selecting, and implementing security performance measures to be used at the information system and program levels. These measures indicate the effectiveness of security controls applied to information systems and supporting information security programs.

Click here to download the PDF.

Posted in Uncategorized | Leave a Comment »

The Internet is Broke – Check your DNS server to see if you’re vulnerable

Posted by Xavier Ashe on July 9, 2008

Wow. It’s out. It’s finally, finally out.


So there’s a bug in DNS, the name-to-address mapping system at the core of most Internet services. DNS goes bad, every website goes bad, and every email goes…somewhere. Not where it was supposed to. You may have heard about this — the Wall Street Journal, the BBC, and some particularly important people are reporting on what’s been going on. Specifically:

1) It’s a bug in many platforms

2) It’s the exact same bug in many platforms (design bugs, they are a pain)

3) After an enormous and secret effort, we’ve got fixes for all major platforms, all out on the same day.

4) This has not happened before. Everything is genuinely under control.

I’m pretty proud of what we accomplished here. We got Windows. We got Cisco IOS. We got Nominum. We got BIND 9, and when we couldn’t get BIND 8, we got Yahoo, the biggest BIND 8 deployment we knew of, to publicly commit to abandoning it entirely.

It was a good day.

CERT has details up, and there’s a full-on interview between myself and Rich Mogull up on Securosis.  For the non-geeks in the audience, you might want to tune out here, but this is my personal blog and I do have some stuff to mention to the crew.

Read more from the man of the hour, Dan Kaminsky.  You can check to see if your nameserver is vulnerable at DoxPara.  Word is he will be releasing details of this vulnerability at BlackHat in a few weeks.

Posted in Uncategorized | Leave a Comment »

Pass-the-Hash still works on XP SP3

Posted by Xavier Ashe on June 30, 2008

Ok, so Windows XP SP3 is out.

With this new version:

whosthere-alt.exe still works without requiring any modifications.
whosthere.exe does not work because this is the more ‘gentle’ and ‘stealth’ 🙂 version of the tool and requires precise memory addresses.

But that’s why I released the passthehash.idc IDA script; so you can easily get these addresses yourself.

And that’s also the reason why the new version of whosthere.exe has a new -a switch that allows you to specify these addresses without having to recompile the tool.

This new version is going to be released soon, but if you want it right now, email me (please, try to email me if you REALLY need it :)).

I haven’t tested iam/iam-alt but the same thing observed with whosthere/whosthere-alt should apply to these tools.

In case you were wondering, the new addresses you need for Windows XP SP3 English are:

whosthere -a 75753BA0:7573FDEC:757D0C98:757D0CA0:757CFC60:757CFE54

From Hexale’s Blog.  Download Pass-the-Hash Toolkit.

Posted in Uncategorized | Leave a Comment »

Videos of Hacker Cons

Posted by Xavier Ashe on June 27, 2008

Almost every security conference we’ve attended in the last year has uploaded videos from their speaker tracks. Explore the archives below, and you’re bound to find an interesting talk.

Found on Hack-a-day.

Posted in Uncategorized | Leave a Comment »

IBM releases FISMA add-on for Tivoli Compliance Insight Manager (TCIM)

Posted by Xavier Ashe on June 9, 2008

IBM has released a module for its IBM Tivoli Compliance Insight Manager that watches traffic for compliance with the Federal Information Security Management Act. The FISMA Compliance Management Module includes automated log collection, a compliance dashboard, regulatory compliance reports and report distribution. Agencies can generate FISMA-specific reports using the module’s policy and report definition engines. It can be used as a part of an agency wide program to ensure FISMA compliance, according to the company.

Government Computer News picked this one up.

Posted in Uncategorized | Leave a Comment »

'Unbreakable' BD+ Blu-ray protection cracked

Posted by Xavier Ashe on November 9, 2007

A software firm reckons it has definitely cracked the forthcoming BD+ copy protection on Blu-ray discs even though Sony says it has beefed up the protocols involved.

Confident developer says it has the ability to get round the Blu-ray camp's latest security protocol – despite its latest AnyDVD software only cracking Blu-ray's older security system, AACS (Advanced Access Content System). Currently, Blu-ray disks are digitally encrypted using that system, also used by the HD DVD camp. But BD+ is a new layer of security that is exclusive to Blu-ray.

Blu-ray: not so tough

already found a way to crack BD+ and we have just turned to fine-tuning,” said James Wong, SlySoft's head of development in a statement. “I should really think about hiring a bodyguard now, since this product won't please everybody.”

Read the full article on

Posted in Uncategorized | Leave a Comment »