Cisco has officially announced the end-of-sale and end-of-life for the Cisco Security Agent. Priveon will post updated information to this Blog, our Web Site and Twitter communications to keep our customers informed. Stay tuned for additional information and recommendations...
A common question in the security world is "what do you recommend for a pen-testing lab?"
This question is somewhat open-ended. When personally asked about pen-testing labs, I typically attempt to narrow down the area of interest from web application security (SQL injection, XSS, CSRF), application/operating system security, database security, network security, or any of the other sub-categories of vulnerabilities and/or pen-testing.
If I can qualify a "pen-testing lab" question with a specific area of interest, I typically answer with a related list of favorite tools, live CDs, websites, and vulnerable images. Metasploit is nearly always mentioned in the "favorite tools" category for learning pen-test and attack techniques.
Now Metasploit has released "Metasploitable" - an image that can be used for pen-testing skill development and testing. I haven't had time to review Metasploitable yet, but if it comes from HD and company I suspect it will make its way into my list of recommended pen-test lab tools and images.
More information on Metasploitable, including download instructions, can be found on the official Metasploit blog.
It's Monday, and this one was just too funny not to post.
My favorite line is: "In order to become our financial manager for cooperation with private individuals You ARE NOT OBLIGED TO HAVE ANY HIGHER OR PROFESSIONAL EDUCATION."
--Complete Email Below (minus obvious header info)--
My name is Jiong Yang and I am the Procurement Manager of China National Heavy Duty Truck Group Corp., China.
The purpose of this message is to draw your attention to a vacant position of a financial manager for cooperation with private individuals.
Nowadays China National Heavy Duty Truck Group Corp. firmly holds a position of a leading company in the Asian market, which ensures our stable development.
So today , we are glad to offer You to:
- become a part of our company
- join a team of high qualified specialists
- get a prestigious part time job
- earn a good deal
In order to become our financial manager for cooperation with private individuals You ARE NOT OBLIGED TO HAVE ANY HIGHER OR PROFESSIONAL EDUCATION. You will just be supposed to:
- have approximately 2 free hours a day
- have a bank account (or to be able to open a new one, especially for company needs)
- have a PC
YOUR PARTICIPATION IS ESSENTIAL TO enable us to grant our customers the best service in shortest dates. YOUR RESPONSIBILITIES will be:
- to receive payments from our customers (private individuals)
- to withdraw the funds and to transfer it to us.
Your SALARY is 10%commission out of every payment that you receive.
If you are interested in the vacancy offered, please reply and if you are not kindly destroy the message.
Our managers will be glad to answer any questions.
We are looking forward to working with you!
Yours faithfully
Jiong Yang
(Procurement Manager)
OWASP has released its Top 10 for 2010 document, which can be found here.
As published on their site, the top 10 Risks are:
Please ensure your web developers and/or development partners are following OWASP guidelines and are familiar with OWASP best practices. And, it goes without saying, if they don't know what OWASP is, find a new developer now!
As documented in DDTS CSCtf60530, Cisco has released a patch update for Cisco NAC Appliance Release 4.7(2) CASs that provides web login (no persistent or temporal Agents) support for Apple iPads.
You can retrieve the Patch-iPadSupport.tar.gz file and "Readme" containing installation instructions by logging in to the Cisco Software Download Site and navigating to Security > Endpoint Security > Cisco Network Access Control > Cisco NAC Appliance > Cisco NAC Appliance 4.7.2 > Network Admission Control (NAC) Manager and Server System Software > Latest Releases > 4.7.2, and clicking Download Now next to the Patch-iPadSupport.tar.gz filename.
©2010 by Priveon, Inc.