Windows XP Lifecycle Sunset: It’s The Final Countdown

Our friend and colleague, Walt Conway, posted a great column on the Windows XP sunset over at StorefrontBacktalk in February. For those of you who aren’t aware, the support lifecycle for Windows XP comes to an end one year from today. Twelve months may seem far off, but if you depend on these systems within a secure environment, or one subject to any sort of regulatory compliance, you’d better have had a transition plan in place yesterday.

We hope to make enough noise about this issue that nobody can ignore it. There are a few particular points regarding this looming date that we’d like to raise a clamor about:

Attackers Specifically Targeting Mac OS Point of Sale (POS) Systems

As a Payment Card Industry Forensic Investigator (PFI), 403 Labs is constantly examining the latest attacks targeting POS systems. Of recent note is the discovery that criminal organizations are shifting their focus to target POS systems running on the Apple Macintosh platform.

In the past 60 days, our active trending has seen a significant upswing in attacks on non-Windows POS systems. One of the attacks we’ve seen targeting the Mac platform has left it just as exposed as its Windows-based counterpart. Before I start a “Windows versus Mac” religious uproar, though, let me put some facts on the table.

pgpass_creds – A new Metasploit Post Module

I recently contributed a module, pgpass_creds, to the Metasploit Framework. It is a post module that collects cleartext PostgreSQL credentials saved by libpq-based client applications such as pgAdmin3: libpq keeps them in the user's password file (~/.pgpass on Unix-like systems, %APPDATA%\postgresql\pgpass.conf on Windows). You can grab the module by updating to the latest version of Metasploit with msfupdate.

PostgreSQL is a popular open source database. It offers a C client library, libpq, that applications use to connect to a PostgreSQL backend server and pass it queries.
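To show what a module like this is reading, here is an added reader for libpq's password file format. It is example code written for this post, not the pgpass_creds module itself, and it follows libpq's documented rules: one hostname:port:database:username:password entry per line, '*' as a wildcard in the first four fields, backslash-escaped ':' and '\' inside fields, '#' comment lines, and (on Unix) refusal of a file whose group or other permission bits are set. The sample file content is constructed, not real credentials.

```python
"""Reader for libpq's password file, the place pgpass_creds-style collection looks.

Added example; this is not the Metasploit module's code. libpq reads
~/.pgpass (Unix) or %APPDATA%\\postgresql\\pgpass.conf (Windows), one entry
per line:  hostname:port:database:username:password
'*' in any of the first four fields matches anything, ':' and '\\' inside a
field are escaped with a backslash, and lines beginning with '#' are comments.
"""
import os
import stat
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample file content, not real credentials.
SAMPLE_PGPASS = """# backend for the order service
db1.example.internal:5432:*:app:s3cret
*:*:reports:analyst:colon\\:in\\:pw
this line is malformed and is skipped
"""


@dataclass
class PgpassEntry:
    host: str
    port: str
    database: str
    user: str
    password: str


def split_pgpass_line(line: str) -> List[str]:
    """Split the first four fields on unescaped ':'; the rest of the line is the password."""
    fields: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])   # backslash escapes the next character
            i += 2
            continue
        if ch == ":" and len(fields) < 4:
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur))
    return fields


def parse_pgpass(text: str) -> List[PgpassEntry]:
    """Return every well-formed entry in file order (order matters: first match wins)."""
    entries: List[PgpassEntry] = []
    for raw in text.splitlines():
        if not raw or raw.startswith("#"):
            continue
        fields = split_pgpass_line(raw)
        if len(fields) != 5:
            continue  # fewer than five fields: malformed, skipped
        entries.append(PgpassEntry(*fields))
    return entries


def lookup_password(entries: List[PgpassEntry], host: str, port: str,
                    database: str, user: str) -> Optional[str]:
    """First entry whose four selector fields match ('*' is a wildcard) supplies the password."""
    for e in entries:
        pairs = ((e.host, host), (e.port, port), (e.database, database), (e.user, user))
        if all(pattern == "*" or pattern == value for pattern, value in pairs):
            return e.password
    return None


def mode_allows_pgpass(mode: int) -> bool:
    """On Unix libpq refuses a password file that is readable or writable by group or others."""
    return stat.S_ISREG(mode) and (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def load_pgpass(path: str = os.path.expanduser("~/.pgpass")) -> List[PgpassEntry]:
    """Read a real password file, applying the same permission rule libpq applies."""
    if not mode_allows_pgpass(os.stat(path).st_mode):
        return []
    with open(path, encoding="utf-8") as fh:
        return parse_pgpass(fh.read())


if __name__ == "__main__":
    found = parse_pgpass(SAMPLE_PGPASS)
    for entry in found:
        print(entry)
    print(lookup_password(found, "db1.example.internal", "5432", "orders", "app"))
```

The permission check is worth keeping in mind during an assessment: a .pgpass that is mode 0644 is ignored by libpq, so its contents may be stale, while one that is 0600 is almost certainly in active use by whatever runs under that account.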

Optimizing oclHashcat-plus GPU Performance/Workload With Rules and Masks

Graphics processing units (GPUs) are incredibly fast at processing repeated tasks in parallel. Typically, they’re used to render graphics (as their name implies). One of the ways we’ve taken advantage of GPUs in the security world is to repurpose them to crack passwords.

But keeping GPUs busy cracking passwords isn't always easy or intuitive. The problem is that a GPU consumes password candidates far faster than a CPU-based wordlist generator can produce and hand them over, so a plain wordlist attack leaves most of the card idle. Rules and masks fix this by letting the GPU generate its own candidates from a small amount of input.
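To make the "generate candidates on the card" idea concrete, here is an added Python model of what a mask and a rule file expand into. It is example code written for this post, not oclHashcat-plus code: it implements hashcat's built-in charsets (?l ?u ?d ?s ?a), custom charsets (?1 to ?4), literal mask characters, and a handful of the rule functions (: l u c r d $X ^X sXY) so you can count and inspect the candidates a given mask or rule set produces before committing a GPU to it. The sample wordlist and rules are constructed.

```python
"""Masks and rules: how oclHashcat-plus turns small inputs into large candidate streams.

Added example, not hashcat's own code. Built-in charsets ?l ?u ?d ?s ?a, custom
charsets ?1..?4 (as given with -1..-4), '??' for a literal '?'. Rule functions
implemented: ':' no-op, 'l' lower, 'u' upper, 'c' capitalize, 'r' reverse,
'd' duplicate, '$X' append X, '^X' prepend X, 'sXY' replace every X with Y.
"""
import itertools
import string
from typing import Dict, Iterable, Iterator, List, Optional

BUILTIN: Dict[str, str] = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",   # the 33 printable ASCII specials
}
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]


def parse_mask(mask: str, custom: Optional[Dict[str, str]] = None) -> List[str]:
    """Turn '?u?l?l?d' into one charset string per position; literal chars stand for themselves."""
    custom = custom or {}
    sets: List[str] = []
    i = 0
    while i < len(mask):
        ch = mask[i]
        if ch == "?" and i + 1 < len(mask):
            key = mask[i + 1]
            if key == "?":
                sets.append("?")                 # '??' is an escaped literal question mark
            elif key in BUILTIN:
                sets.append(BUILTIN[key])
            elif key in custom:
                sets.append(custom[key])
            else:
                raise ValueError(f"unknown charset ?{key}")
            i += 2
        else:
            sets.append(ch)
            i += 1
    return sets


def mask_keyspace(mask: str, custom: Optional[Dict[str, str]] = None) -> int:
    """Number of candidates the mask produces: the product of the charset sizes per position."""
    total = 1
    for charset in parse_mask(mask, custom):
        total *= len(charset)
    return total


def expand_mask(mask: str, custom: Optional[Dict[str, str]] = None) -> Iterator[str]:
    """Generate every candidate of the mask, rightmost position varying fastest."""
    for combo in itertools.product(*parse_mask(mask, custom)):
        yield "".join(combo)


def apply_rule(rule: str, word: str) -> str:
    """Apply one rule line (a sequence of rule functions; spaces between them are ignored)."""
    w = word
    i = 0
    while i < len(rule):
        f = rule[i]
        if f in (" ", ":"):
            pass                                 # separator / explicit no-op
        elif f == "l":
            w = w.lower()
        elif f == "u":
            w = w.upper()
        elif f == "c":
            w = w[:1].upper() + w[1:].lower()
        elif f == "r":
            w = w[::-1]
        elif f == "d":
            w = w + w
        elif f == "$":
            i += 1
            w = w + rule[i]
        elif f == "^":
            i += 1
            w = rule[i] + w
        elif f == "s":
            w = w.replace(rule[i + 1], rule[i + 2])
            i += 2
        else:
            raise ValueError(f"unsupported rule function {f!r} in {rule!r}")
        i += 1
    return w


def rule_candidates(words: Iterable[str], rules: Iterable[str]) -> Iterator[str]:
    """Wordlist x rules: the candidate stream a rule attack hands to the hash loop."""
    rules = list(rules)
    for word in words:
        for rule in rules:
            yield apply_rule(rule, word)


if __name__ == "__main__":
    # Constructed inputs: a tiny wordlist and a few rules.
    words, rules = ["password", "summer"], [":", "c $1 $2", "sa@ u", "^! d"]
    print(list(rule_candidates(words, rules)))
    print(mask_keyspace("?u?l?l?l?l?d?d"), "candidates for ?u?l?l?l?l?d?d")
    print(10_000_000 * 64, "candidates from a 10M-word list with 64 rules")
```

The keyspace numbers are what you size a job by: ?u?l?l?l?l?d?d is 26^5 * 10^2 candidates generated entirely on the card, and a 64-line rule file turns a 10-million-word list into 640 million candidates without the host sending the GPU anything more than the original list.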

Secure Application Development and the OWASP Top 10 (Pt. 3 of 10)

This is part 3 of a 10-part series. Be sure to check out part 1 and part 2 if you haven’t already.

Some of you may already be familiar with the Open Web Application Security Project (OWASP) and its Top 10 2010 list due in part to Requirement 6.5 of the Payment Card Industry Data Security Standard (PCI DSS):

6.5 Develop applications based on secure coding guidelines. Prevent common coding vulnerabilities in software development processes.

For those of you who are not familiar with OWASP and their Top 10, the OWASP Top 10 2010 was aimed at highlighting simple problems that can plague applications and ultimately undermine security.

If you missed it, be sure to check out the previous posts on A1: Injection and A2: Cross-Site Scripting (XSS). Here’s the third OWASP application security risk - Broken Authentication and Session Management.

403 Labs Unveils New Branding, Website

Brookfield, WI – September 11, 2012 – 403 Labs, LLC, a leading information security consulting and services company, has completed a branding refresh project that includes updates to its logo, website and business collateral. The new branding reflects the consultative approach to information security that 403 Labs takes in educating and assisting its world-class clients.

Emerging Trends in Advanced Persistent Threats (APTs)

I recently sat in on a webinar on the future of advanced persistent threats (APT). A few things struck me during the presentation:

  • There are many common misconceptions regarding APTs
  • Gauss could be the next Stuxnet or Duqu
  • The APT landscape is constantly changing in a digital game of cat and mouse

Malware: The Good, the Bad and the Ugly

This presentation by Pete Arzamendi, CISSP, QSA, PA-QSA, GREM, a consultant at 403 Labs, was given at the Milwaukee InfraGard meeting held at Milwaukee Area Technical College (MATC) on August 16, 2012. In it, Pete discusses different types of malware, as well as malware and memory analysis, including an overview of analysis tools and examples pulled from his past experiences.

Those interested in malware can also read Pete’s recent review of “Practical Malware Analysis” or check out other malware-related posts from the 403 Labs team.

Secure Application Development and the OWASP Top 10 (Pt. 2 of 10)

This is part 2 of a 10-part series. You can check out part 1 here.

Some of you may already be familiar with the Open Web Application Security Project (OWASP) and its Top 10 2010 list due in part to Requirement 6.5 of the Payment Card Industry Data Security Standard (PCI DSS):

6.5 Develop applications based on secure coding guidelines. Prevent common coding vulnerabilities in software development processes.

For those of you who are not familiar with OWASP and their Top 10, the OWASP Top 10 2010 was aimed at highlighting simple problems that can plague applications and ultimately undermine security.

If you missed it, be sure to check out the previous post on A1: Injection. Here’s the second OWASP application security risk - Cross-Site Scripting.

PHP-CGI Query String Parameter Vulnerability

A serious PHP vulnerability was disclosed today. Only sites that run PHP through the CGI interface (the php-cgi binary) are affected; mod_php and php-fpm deployments are not. From php.net:

Some systems support a method for supplying a [sic] array of strings to the CGI script. This is only used in the case of an ‘indexed’ query. This is identified by a “GET” or “HEAD” HTTP request with a URL search string not containing any unencoded “=” characters.

By requesting a URL like the following from a PHP-CGI site, an attacker gets the web server to hand the query string to php-cgi as command-line arguments. -s is PHP's "display syntax-highlighted source" switch, so the response is the script's own source code:

http://example.com/index.php?-s

php.net issued a patch for this issue in PHP 5.3.12 and PHP 5.4.2. However, as pointed out by De Eindbazen, that patch is trivial to bypass.

A workaround has been provided by php.net using Apache’s mod_rewrite:

RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]
RewriteRule ^(.*) $1? [L]

Other mitigation options have been proposed by De Eindbazen, but you may find the mod_rewrite method to be the best approach until PHP releases a better fix.
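To see exactly what the php.net quote and the mod_rewrite rule above are about, here is an added Python model of the CGI "indexed query" behaviour and of the workaround's match. It is example code written for this post, not code from Apache, php.net or De Eindbazen. It assumes the behaviour RFC 3875 specifies and Apache's mod_cgi implements: a query string with no unencoded '=' is split on '+' and each piece is URL-decoded into an argv entry for the CGI program. The requests it walks through are constructed; -d is php-cgi's documented "define INI entry" option and is used only to show that an encoded '=' (%3d) survives the "no unencoded '='" test and decodes into an argument.

```python
"""How an 'indexed' query string reaches php-cgi as argv, plus a Python twin of the
php.net mod_rewrite workaround.

Added example; not code from Apache, php.net or the original post.
"""
import re
from typing import List
from urllib.parse import unquote


def cgi_argv(query_string: str) -> List[str]:
    """argv the CGI interface derives from an indexed query; [] for a normal key=value query."""
    if query_string == "" or "=" in query_string:
        return []                                  # ordinary query: goes in QUERY_STRING only
    return [unquote(part) for part in query_string.split("+")]


def looks_like_php_option(argv: List[str]) -> bool:
    """True when the derived argv would be consumed by php-cgi's option parser."""
    return bool(argv) and argv[0].startswith("-")


# Same expression as the php.net workaround:
#   RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]
#   RewriteRule ^(.*) $1? [L]
_WORKAROUND = re.compile(r"^(%2d|-)[^=]+$", re.IGNORECASE)


def workaround_rewrites(query_string: str) -> bool:
    """True if the mod_rewrite workaround would drop this query string before php-cgi runs."""
    return _WORKAROUND.match(query_string) is not None


if __name__ == "__main__":
    # Constructed requests, not captured traffic.
    for qs in ["-s", "%2Ds", "-d+display_errors%3d1", "page=1", "search+terms"]:
        argv = cgi_argv(qs)
        print(f"{qs!r:28} argv={argv!r:36} option={looks_like_php_option(argv)!s:5} "
              f"stripped={workaround_rewrites(qs)}")
```

Two things the model makes visible: "-d+display_errors%3d1" contains no literal '=' so it is still treated as an indexed query, and the decoded argv does contain one; and the workaround's regex only fires when the query's first character is a literal or %2d-encoded dash, so anything else passes through to php-cgi unchanged.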