Sunday, September 26, 2021

Everyone Gets a Rootkit

Now that I have your attention with that clickbait headline ...

There's been a recent flurry of articles about a longstanding Microsoft Windows capability called "Windows Platform Binary Table" (WPBT).

Introduced with Windows 8, here's an excerpt of Microsoft's description (docx):
This paper describes a mechanism for a platform, via the boot firmware, to publish a binary to Windows for execution.  The mechanism leverages a boot firmware component to publish a binary in physical memory described to Windows using a fixed ACPI table.
"via the boot firmware" is the significant part.

Microsoft goes on:
The primary purpose of WPBT is to allow critical software to persist even when the operating system has changed or been reinstalled in a "clean" configuration. WPBT allows the Windows image on disk to be modified at boot time.

Remember my advice to "Reload Windows on Your New PCs?" That might not be enough.

Principally, WPBT is there for hardware manufacturers to install their own firmware drivers before Windows loads.

But remember Murphy's Law: If anything can go wrong, it will.

As far back as 2015 there have been vulnerabilities related to WPBT. Here's ( Lenovo's story.

This popped up again this week in a report ( from eclypsium.

How-To Geek has the process ( on how to check your PC:
... open the C:\Windows\system32 directory and look for a file named wpbbin.exe. ... If it’s not present, your PC manufacturer hasn’t used WPBT to automatically run software on your PC.
My ThinkPad and Asus desktop were clean.


Sunday, September 19, 2021

WFH Issues

WFH is a new acronym  for "Work From Home." I've blogged about my concerns before here and here.

Recently I came across a white paper from HP's Wolf Security group. Remember that they sell "endpoint security."

According to our HP Wolf Security Blurred Lines and Blindspots report, 23% of office workers globally expect to predominantly work from home post-pandemic, with an additional 16% expecting to split their time equally between home and the office. This will have far-reaching consequences for organizations across all economies.
This change is here to stay. That's really scary from a security perspective.

Here is a summary of their findings.


  • 39% of office workers surveyed aged 18-24 were unsure of the existing data security policies in place at their work
  • 36% of office workers surveyed had been given training on how to protect their home network
  • 54% of office workers surveyed aged 18-24 were more worried about deadlines than exposing the business to a data breach
  • 48% of office workers surveyed aged 18-24 thought security policies are a hindrance
  • 37% of office workers surveyed said security policies and technologies are too restrictive
  • 48% of office workers surveyed said security measures result in a lot of wasted time
  • 31% of office workers surveyed aged 18-24 had tried to circumvent security
We have a lot of work to do.

There's another section on IT Team Rejections. I'll let you read that at your leisure.

Sunday, September 12, 2021

Mobile LTE Coverage Map

I recently came across an interesting article posted by the Federal Communications Commission (FCC).

It contains a map that shows the 4G LTE mobile coverage areas of the nation’s four largest mobile wireless carriers: AT&T Mobility, T-Mobile, UScellular, and Verizon.

It states that the coverage map was created using data submitted voluntarily by the four mobile carriers and depicts the coverage a customer can expect to receive when outdoors and stationary.

I am an AT&T wireless customer and have always found that cellular coverage varies significantly in the Memphis metro area.

This tool supports that experience on AT&T but I am skeptical of the other carriers' reporting.

Here is an example of LTE data in a neighborhood in Memphis that is not friendly to cellular towers.




Who do you believe?

For reference, here's a map of cell tower locations.

Sunday, September 05, 2021


Years ago, a co-worker and I had a discussion about architecting our Unix systems as if each one was at risk from the network, even the LAN. His thinking was that you would never know where the threat was coming from so you should not trust anyone except those connections you made deliberately.

He was so far ahead of everyone else. And ahead of the technology available then.

Now we have Software Defined Networking (SDN). Usually SDN is applied to Wide Area Networks (WANs). SDNs warrant a whole series of posts on their own.

What is now nascent is Microsegmentation.

This excerpt from eSecurity Planet nails my co-worker's vision.
The Problem With Traditional Security Techniques
More traditional security tools, such as firewalls, VPNs and network access control (NAC), have their limits because they focus primarily on securing the network perimeter. Security teams historically assumed the biggest threats were attacking from outside the network. But that approach overlooked insider threats - and the damage that hackers could do when they eventually got inside the network.
SDN provides the underlying technology that wasn't available years ago.

But that allows you to worry about the next layer. What traffic do you allow between systems? Now you need to get to Layer 7 granularity.

Gardicore has a good article that lays out the benefits (and challenges) of microsegmentation.
Benefits of Microsegmentation
Lateral Movement Security
Reduce Attack Surface
Secure Critical Applications
Then an organization has to consider the methods.
Microsegmentation by environment
Creating regulatory boundaries
Microsegmentation by application type
Microsegmentation by tier
The steps for an implementation effort are:
Identify what needs to be segmented
Tackle short-term goals
Deal with long term goals
Labeling of assets is critical along with a comprehensive understanding of the applications relationships and dependencies.

I'll cover more of microsegmentation in future posts.