What You Need to Know About the Heartbleed Bug

While Microsoft’s push of the final patches for Windows XP might normally be seen as a big deal, a vulnerability in the OpenSSL library has managed to steal the spotlight. CVE-2014-0160, which is more commonly referred to as the “Heartbleed” bug, has revealed that it is possible for a malicious user to retrieve memory that could include sensitive data or even the private encryption keys from web servers running OpenSSL versions 1.0.1-1.0.1f and 1.0.2-beta1. Our security and compliance team has been able to exploit this vulnerability, which means attackers can as well.

Sikich Grows Security Practice with 403 Labs Merger

Naperville, Ill. — Sikich LLP, a leading accounting, advisory, investment banking, technology and managed services firm, announced today its merger with 403 Labs, a full-service information security consultancy based in Brookfield, Wis.

Recon-ng ssl_san Reconnaissance Module

During the reconnaissance phase of a penetration test, a common task is to enumerate the entire set of domain names owned by or related to a target. This is most commonly performed using search engine queries, domain transfer attempts and domain name brute forcing.

I Hate When Conspiracy Theorists are Right

Edward Snowden told us the National Security Agency (NSA) was spying on us. If you were surprised by that, I have a bridge for sale that you may be interested in. However, one of the newest revelations from Snowden is the kind of stuff you usually only hear from people in tinfoil hats.

403 Labs Adds Jano Kray to Manage Higher Education Vertical

Brookfield, WI – September 4, 2013 – 403 Labs has added Jano Kray as a manager to oversee their specialized higher education compliance vertical.

Jano’s extensive compliance and technology experience includes leading the payment card industry (PCI) compliance team of a prestigious university as well as working in corporate information technology development and management. She also brings with her a strategy and development background in the areas of ecommerce, financial systems, regulatory compliance, fundraising, database design, user experience and capacity planning.

Jacob Ansari Talks PCI DSS Version 3.0 Change Highlights

Last week, the Payment Card Industry Security Standards Council (PCI SSC) released its Version 3.0 Change Highlights document for the PCI Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA-DSS). As Ericka Chickowski from Dark Reading points out in her article, “Is PCI Growing Up?”, the release “set tongues wagging once again about the direction of the ever-evolving state of the payment card compliance standards.”

Revealing XenServer Storage Repository Secrets

During some recent penetration testing, I managed to gain root access to a Citrix XenServer. One of the post-exploitation tasks I performed was to understand what storage repositories were connected to the server. Storage repositories are typically shares on which you host the media used to build the virtual machines or the virtual hard disks.

PCI SSC Announces Keynote Speakers for 2013 Community Meetings

This morning, the Payment Card Industry Security Standards Council (PCI SSC) announced the keynote speakers for its 2013 Community Meetings for North America, Europe and Asia-Pacific. Jacob Ansari, our very own Director of Technical Services here at 403 Labs, will be giving a keynote talk on forensics at both the North American and European Community Meetings.

Windows XP Lifecycle Sunset: It’s The Final Countdown

Our friend and colleague, Walt Conway, posted a great column on the Windows XP sunset over at StorefrontBacktalk in February. For those of you who aren’t aware, the support lifecycle for Windows XP comes to an end one year from today. Twelve months may seem far off, but if you depend on these systems within a secure environment, or one subject to any sort of regulatory compliance, you’d better have had a transition plan in place yesterday.

We hope to make enough noise about this issue that nobody can ignore it. There are a few particular points regarding this looming date that we’d like to raise a clamor about:

How to Decompress an LZMA-Compressed Squashfs on BackTrack 5

If you’re trying to extract a Squashfs and get a zlib::uncompress failed, unknown error -3 error, you may be running into an unsupported compression type as I did recently. Ultimately, I discovered the compression used on my Squashfs was LZMA. I wanted to share just how I was able to decompress the LZMA-compressed Squashfs.
