April 2013
1 post
Windows XP Lifecycle Sunset: It's The Final...
Our friend and colleague, Walt Conway, posted a great column on the Windows XP sunset over at StorefrontBacktalk in February. For those of you who aren’t aware, the support lifecycle for Windows XP comes to an end one year from today. Twelve months may seem far off, but if you depend on these systems within a secure environment, or one subject to any sort of regulatory compliance, you’d better...
Apr 8th
March 2013
1 post
How to Decompress an LZMA-Compressed Squashfs on...
If you’re trying to extract a Squashfs and get a zlib::uncompress failed, unknown error -3 error, you may be running into an unsupported compression type as I did recently. Ultimately, I discovered the compression used on my Squashfs was LZMA. I wanted to share just how I was able to decompress the LZMA-compressed Squashfs. Here is the superblock info for our Squashfs: # unsquashfs -s...
Mar 7th
January 2013
1 post
HIPAA Gets a Second Wind
On January 17th, the U.S. Department of Health and Human Services (HHS) announced several changes to the Health Insurance Portability and Accountability Act (HIPAA). These changes, also known as the Omnibus Rule, amend and expand upon the Health Information Technology for Economic and Clinical Health (HITECH) and the Genetic Information Nondiscrimination Act of 2008. The change that may have...
Jan 28th
December 2012
4 posts
Exynos Vulnerability on Samsung Devices
I recently purchased a Samsung Galaxy Note II and have been thoroughly enjoying it. The number of diverse applications is pretty amazing. Unfortunately, a few days ago, a colleague passed an article along detailing an exploit associated with my brand of phone. The exploit is connected to the Exynos processor and the capability to obtain access to all physical memory. This is a serious issue...
Dec 20th
Potential LogMeIn, DocuSign Email Leaks
On Friday, December 14, Brian Krebs posted an entry titled, “LogMeIn, DocuSign Investigate Breach Claims” to his blog, Krebs on Security. Without completely repeating what he said, it appears several users of LogMeIn remote access software, as well as users of DocuSign electronic signatures, have reported an increase in malicious spam emails to the email addresses associated with the...
Dec 19th
Attackers Specifically Targeting Mac OS Point of...
As a Payment Card Industry Forensic Investigator (PFI), 403 Labs is constantly examining the latest attacks targeting POS systems. Of recent note is the discovery that criminal organizations are shifting their focus to target POS systems running on the Apple Macintosh platform. In the past 60 days, our active trending has seen a significant upswing in attacks on non-Windows POS systems. One of...
Dec 18th
A Potential New Leash on the Data-Mining Monsters
Yesterday, the Senate Judiciary Committee gave approval to a privacy bill sponsored by Sen. Al Franken (D-Minn.), known as the Location Privacy Protection Act. This bill, a revamped version of one Franken attempted to push forth in 2011, is aimed at putting control over your location data into your own hands. The thrust of the new bill is that location-enabled devices and apps will need to ask...
Dec 14th
November 2012
2 posts
PCI Council Releases Risk Assessment Guidelines
PCI DSS Requirement 12.1.2 tells merchants and service providers that they must prepare a formal risk assessment to identify threats and vulnerabilities that can impact the security of cardholder data. Unfortunately, at least based on my experience, many merchants struggle to respond properly to this requirement. The PCI Council has come to the rescue, however, by releasing the PCI DSS Risk...
Nov 19th
pgpass_creds – A new Metasploit Post Module
I recently contributed a module, pgpass_creds, to the Metasploit Framework. It is a post module that grabs cleartext PostgreSQL credentials when applications that utilize libpq, such as pgAdmin3, store their credentials. You can grab the module by updating to the latest version of Metasploit using msfupdate. PostgreSQL is a popular, open source database. PostgreSQL offers a C programming...
Nov 8th
October 2012
1 post
P2PE Challenges – Looking at Endpoint Devices
The Payment Card Industry Security Standards Council (PCI SSC) made several significant developments in their point-to-point encryption (P2PE) program this year, with assessor training, releasing the program guide, and opening up their report submission portal for P2PE assessment reports. Somewhat interestingly, the market hasn’t shown much enthusiasm for this. I think we can attribute this to...
Oct 12th
September 2012
6 posts
Optimizing oclHashcat-plus GPU...
Graphics processing units (GPUs) are incredibly fast at processing repeated tasks in parallel. Typically, they’re used to render graphics (as their name implies). One of the ways we’ve taken advantage of GPUs in the security world is to repurpose them to crack passwords. But keeping GPUs busy cracking passwords isn’t always easy or intuitive. The problem is that, in order to...
Sep 27th
A Hacker's Bucket List
As a technologist and security enthusiast, part of the “fun” we have at work is tossing around attack scenarios and challenging each other with situational risk. This time it started out with: If I steal credit card track data, I can make HUGE purchases (and perhaps return for cash). If I steal PIN data, I can get cash directly. If I steal health-related data in bulk from...
Sep 26th
iPhone 5 Launch Day: An Identity Thief’s Dream
16 times (not nine). 16 TIMES! That’s how many times I needed to provide my Social Security number (SSN) to activate my new iPhone 5 today. With the congestion and havoc of iPhone launch day, the systems at the retailer where I picked up my phone were crashing continuously. Each attempt to activate my new phone required two entries of my Social Security number. The retailer had a...
Sep 21st
E-Discovery - Overlooked Sources for Early Case...
Whether you are experienced with electronic discovery (e-discovery) or new to the process, the presentation of a new legal hold can be an intimidating situation. Knowing the magnitude of the hold, the repercussions and the work effort can make anyone wonder, “How big is this case going to be?” Early case assessment (ECA) is done to bring clarity to the situation. ECA is the first step in...
Sep 21st
Secure Application Development and the OWASP Top...
This is part 3 of a 10-part series. Be sure to check out part 1 and part 2 if you haven’t already. Some of you may already be familiar with the Open Web Application Security Project (OWASP) and its Top 10 2010 list due in part to Requirement 6.5 of the Payment Card Industry Data Security Standard (PCI DSS): 6.5 Develop applications based on secure coding guidelines. Prevent common...
Sep 20th
403 Labs Unveils New Branding, Website
Brookfield, WI – September 11, 2012 – 403 Labs, LLC, a leading information security consulting and services company, has completed a branding refresh project that includes updates to its logo, website and business collateral. The new branding reflects the consultative approach to information security that 403 Labs takes in educating and assisting its world-class clients. To illustrate the...
Sep 11th
August 2012
4 posts
Emerging Trends in Advanced Persistent Threats...
I recently sat in on a webinar on the future of advanced persistent threats (APT). A few things struck me during the presentation: There are many common misconceptions regarding APTs Gauss could be the next Stuxnet or Duqu The APT landscape is constantly changing in a digital game of cat and mouse The common myth among IT administrators is that APTs only go after large corporations, the...
Aug 22nd
Malware: The Good, the Bad and the Ugly
This presentation by Pete Arzamendi, CISSP, QSA, PA-QSA, GREM, a consultant at 403 Labs, was given at the Milwaukee InfraGard meeting held at Milwaukee Area Technical College (MATC) on August 16, 2012. In it, Pete discusses different types of malware, as well as malware and memory analysis, including an overview of analysis tools and examples pulled from his past experiences. View more...
Aug 17th
Merchants are the Winners in the Qualified...
If you are a merchant with a third-party system integrator or software reseller that installed or manages your PA-DSS-validated payment application, you want to know about the PCI Council’s Qualified Integrators and Resellers (QIR) program. Third-party integrators and resellers play a critical role in the security of merchants’ point of sale (POS) systems. They are the experts who install the...
Aug 15th
403 Labs Adds Mark Shelhart to Manage Forensics
Brookfield, WI – August 2, 2012 – 403 Labs, LLC, a leading information security consulting and services company, has added Mark Shelhart as a Manager to oversee its forensics practice. Having previously worked as the Vice President of Incident Response and Forensics with Arsenal Security Group, and as the Forensic Practice Manager at Trustwave, Mark brings a plethora of skills and experience...
Aug 2nd
July 2012
1 post
New P2PE SAQ and Program Guide Released
Merchants and service providers curious about point-to-point encryption (P2PE) will be interested in two documents recently released by the PCI Security Standards Council. One of the documents is a new Self-Assessment Questionnaire (SAQ) for P2PE merchants. The other is version 1.0 of the P2PE Program Guide. Each has information worth your attention, and each is available now in the Council’s...
Jul 3rd
June 2012
5 posts
Reminder About "New" PCI DSS Requirements
We wanted to remind those organizations impacted by the Payment Card Industry Data Security Standard (PCI DSS) that two “best practices” will be maturing and going into effect as requirements after June 30th. Both of the soon-to-be requirements fall under the section of the Standard devoted to developing and maintaining secure systems and applications (Requirement 6). The first...
Jun 27th
Things to Consider When Using Wi-Fi
As a frequent business traveler and coffee shop web surfer, I am becoming more and more cognizant of what I am connecting to when it comes to Wi-Fi networks. Not only am I aware of what types of networks I am connecting to, but also where I am connecting (e.g. coffee shops, hotels, airports, etc.). Granted, my awareness is heightened due in part to the fact that I work in the Information...
Jun 8th
Practical Malware Analysis – Another Hit From No...
Malware analysis is an obsession for me. So when I heard that No Starch Press was coming out with a new book called Practical Malware Analysis (also available at Amazon), I had to pick it up. Having read several No Starch Press books, I was confident that the content of the book was going to be good. Once again, No Starch Press did not let me down. The writers, Michael Sikorski and Andrew Honig,...
Jun 4th
Secure Application Development and the OWASP Top...
This is part 2 of a 10-part series. You can check out part 1 here. Some of you may already be familiar with the Open Web Application Security Project (OWASP) and its Top 10 2010 list due in part to Requirement 6.5 of the Payment Card Industry Data Security Standard (PCI DSS): 6.5 Develop applications based on secure coding guidelines. Prevent common coding vulnerabilities in software...
Jun 1st
403 Labs Becomes P2PE Qualified Security Assessor...
Brookfield, WI – June 1, 2012 – 403 Labs, LLC, a leading information security consulting and services company, has been certified as a Qualified Security Assessor for Point-to-Point Encryption (QSA (P2PE)) and Payment Application Qualified Security Assessor for Point-to-Point Encryption (PA-QSA (P2PE)) by the Payment Card Industry Security Standards Council (PCI SSC). The new certifications...
Jun 1st
May 2012
4 posts
P2PE Hardware Solution Requirements and Testing...
A few weeks ago, the Payment Card Industry Security Standards Council (PCI SSC) released version 1.1 of the P2PE Hardware Solution Requirements and Testing Procedures. Shortly thereafter, the PCI SSC held its first training session for assessors. 403 Labs attended and we are now officially certified as a Qualified Security Assessor for Point-to-Point Encryption (QSA (P2PE)) and Payment...
May 31st
PHP-CGI Query String Parameter Vulnerability
A serious PHP vulnerability has been released today. Only sites running PHP as a CGI script are affected. From php.net: Some systems support a method for supplying a [sic] array of strings to the CGI script. This is only used in the case of an ‘indexed’ query. This is identified by a “GET” or “HEAD” HTTP request with a URL search string not containing any...
May 3rd
Paravirtualization with Citrix XenServer 6.0 and...
In light of everyone’s interest in how to set up Paravirtualization with Citrix XenServer 5.5 and Ubuntu 10.04 and Ubuntu Precise Pangolin 12.04 LTS being released, you may be interested in getting the new Long Term Support (LTS) version running in Paravirtualized (PV) mode. Even more exciting is that while the latest version of Citrix XenServer 6.0.2 doesn’t come with an Ubuntu 12.04...
May 3rd
VPN DNS Resolving Woes in Ubuntu 12.04
If you have recently upgraded to Ubuntu 12.04, you may have experienced problems resolving hosts when using a DNS server over a VPN connection. Here’s a likely situation… You’re finding that any hosts with a .local (or other private) suffix that are provided by the remote DNS server do not resolve. However, you can find the host by command line utilities, like nslookup and...
May 3rd
April 2012
4 posts
The Mythical Ruby Splat
Most Rubyists are aware of variable length arguments in a method definition. For example: Just as a refresher, the * operator, commonly known as a “splat,” collects the arguments into an array object. So in the example above, the variable *names is an array object, which means it can be used just like any other array: What blew my mind recently was stumbling across Ruby code where...
Apr 23rd
Secure Application Development and the OWASP Top...
Some of you may already be familiar with the Open Web Application Security Project (OWASP) and its Top 10 2010 list due in part to Requirement 6.5 of the Payment Card Industry Data Security Standard (PCI DSS): 6.5 Develop applications based on secure coding guidelines. Prevent common coding vulnerabilities in software development processes. For those of you who are not familiar with...
Apr 4th
Threat to Privacy all the Rage
The Internet has been abuzz recently concerning the changes that Google recently made to their privacy policy. Opinions following Google’s consolidation of dozens of separate privacy policies into a single policy seem to run the gamut but, as is often the case, those opposed to the change seem to have been speaking a bit louder. While everyone is certainly entitled to their own opinions, Thomas...
Apr 3rd
Statistical Analysis of the Impact of Data Breach...
Recently, an interesting paper entitled “Empirical Analysis of Data Breach Litigation” was brought to my attention. A group of researchers took an empirical look at actual litigation events for data breaches under data breach notification statutes and arrived at some interesting conclusions. As it states in the abstract: Our results suggest that the odds of a firm being sued in federal court...
Apr 2nd
March 2012
3 posts
Microsoft Remote Desktop Vulnerability Identified...
Both Threatpost and the SANS Storm Center report that Microsoft RDP services are vulnerable. The exploit is rumored to be capable of crashing or causing denial of service attacks on vulnerable Windows machines. Companies using RDP should install the Microsoft patch and, in the meantime, block off RDP from all sources except those absolutely required for the business.
Mar 16th
IDA Pro Book, 2nd Edition - A Must-Have Reference
At last year’s Defcon, I wandered around the vendor area looking for the EFF to make a donation. While looking for the EFF, I came across the No Starch Press booth and noticed that they had the second edition of The IDA Pro Book (also available at Amazon). As an IDA user, I had always wanted to read the first edition, but never made the time to do so. I had previously read several other No...
Mar 12th
403 Labs Adds Two New Project Managers
Brookfield, WI – March 8, 2012 – 403 Labs, LLC, a leading information security consulting and services company, has added Meg Bridgeman and Justin Vermilyea to its staff as Project Managers. As Project Managers, Meg and Justin will each be responsible for guiding client engagements from inception to completion by coordinating efforts between internal and external project teams. The expansion...
Mar 8th
February 2012
6 posts
OpenVPN Authentication Using PAM and Duo Security
It’s possible to configure OpenVPN with two-factor authentication utilizing PAM and Duo Security’s phone authentication on Ubuntu 10.04 LTS. You just need to think like a hacker… By using password concatenation with OpenVPN’s PAM plugin and Duo Security’s plugin, your password will be comma-delimited, supporting both a PAM integrated password and Duo...
Feb 27th
Chain of Custody Proves to be MLB’s Weak Link
As a PCI Forensic Investigator (PFI), 403 Labs deals with chain of custody and evidence handling requirements on a regular basis. As a Wisconsin-based company, located just outside of Milwaukee, 403 Labs also happens to be host to a number of Milwaukee Brewers fans. It probably goes without saying then that the recent news involving Brewers superstar and National League MVP, Ryan Braun, has...
Feb 24th
PCI Requirement 12.8 is Your Friend
Each QSA has parts of the PCI DSS that they view as particularly important. For some, it is encryption; for others, firewall rules. For me, it is Requirement 12.8, which enforces the policies for managing service providers. It is not just me who thinks that merchants need to enforce security provisions with their service providers. I now have the Federal Trade Commission as company. For...
Feb 24th
Research Suggests One in Eleven Users Selects...
Cambridge researchers have published some very interesting work on the history of four-digit PINs, as well as some evaluation of user-selected PIN choices. Their research suggests that one in every 11 to 18 user-selected PINs corresponds to the user’s birthday. The history of PIN numbers alone makes the paper worth the read. Given that a lost or stolen wallet will usually contain not...
Feb 23rd
Life Before Google
My wife recently stumbled upon a Chuck & Beans comic over at Shoebox Blog and thought that it did a good job of describing what my life could have been like. Thank you, Internet, for making my life more informed.
Feb 22nd
Super Bowl XLVI: Covering the Security Spread
While Eli Manning is prepping for his second Super Bowl appearance in five years, his brother Peyton may be prepping to join a new team. After all, it looks like Indianapolis already found a way to spend his roster bonus money. As the Super Bowl nears game-time this weekend at Lucas Oil Stadium in Indianapolis, it is being reported that it will be the most money ever spent on security technology...
Feb 3rd
January 2012
2 posts
Update to California Data Breach Disclosure Law
On January 1, 2012, California’s new data breach disclosure law, SB 24, took effect. SB 24 replaced the 2002 legislation, SB 1386, the first of its kind in the US. SB 24 differs from its predecessor in the information the affected entities must disclose and how they must communicate the breach with regulators. The Information Law Group posted a nice summary of the bill just after it was...
Jan 20th
Chip Cards Coming to the US, but With a Difference
Visa recently provided some guidance as to what the introduction of chip cards to the US market will look like. The cards will follow the EMV (named after the card brands Eurocard, MasterCard, and Visa) standard, but with one big difference. In the US, consumers will not need to enter a PIN to authorize a transaction. This guidance follows the card brand’s August announcement of their broad...
Jan 17th
December 2011
10 posts
Germany’s Chaos Computer Club is in Search of...
Let’s face it, nerds like space. After all, it IS “the final frontier…” For the duration of the Space Age, NASA has been the primary way that young dreamers have found their role in non-earthbound technologies. For those with the hacker spirit, that may change. The Chaos Computer Club (CCC), an organization of hackers based in Germany, has announced plans for the Hackerspace Global Grid. At...
Dec 30th
#Reaver brute force attack tool cracks #WPA in 10 hours via @TheHackersNews - http://t.co/QyUrZHzI #infosec #security #WiFi
Dec 30th
403 Labs #QSA Todd Aument wishes you a happy BYOD Day! - http://t.co/cbZM7GPX #mobile #infosec #security #PCI
Dec 28th
Happy BYOD Day!
It’s that time of year again. It’s time for your employees to unwrap their shiny, new smartphones and tablets. As the holidays wind down and everyone gets back to work, they’ll likely want to plug their brand new toys into their workstation. It’s Bring Your Own Device Day (thanks to Network World for the acronym)! Documents will get synced, passwords will be keyed, corporate email will be on yet...
Dec 27th
Sarcasm – The Gift That Keeps on Giving
Apparently, someone must have activated Santa’s badge to our secured facility. It seems he then took it upon himself to surreptitiously leave gifts around the office for us. While I hate to admit it, mine seemed way too fitting – “The Official Dictionary of Sarcasm” by James Napoli. I can only assume the subtitle, “A Lexicon for Those of Us Who Are Better and Smarter Than the Rest of You,” was not...
Dec 22nd