06/14/10

Permalink 11:58:08 am, by Zach Brewer, 75 words
Categories: General Security, Pen Testing

Extend MetaSploit Meterpreter Ruby to Allow Direct Windows API Calls (Railgun)

An interesting MetaSploit extension was recently posted to the MetaSploit mailing list. Railgun is an extension that allows for direct access to the Windows API (any existing or uploaded DLL on the target system) through Meterpreter. Railgun knows around 1000 API calls out of the box and additional calls can be added through simple Meterpreter/Railgun commands.

Note that Railgun is not an official MetaSploit/Rapid7 extension; you assume all risk for downloading it.
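As an added example (not code from the Railgun post or from the Railgun extension itself), this is what the pattern described above looks like from the Meterpreter Ruby shell (`irb` inside a session): registering an API Railgun does not know, calling it, and checking the result hash that every Railgun call returns. The `add_dll`/`add_function` signatures and the `'return'`/`'GetLastError'` result keys follow Railgun's documented interface as I understand it; the `FakeRailgun`/`FakeClient` classes at the bottom are constructed stand-ins so the file runs offline and imitate only that surface, not a real session.

```ruby
# Added example, not part of the Railgun post.  In a live session `client` is the
# Meterpreter session object that the Meterpreter `irb` command exposes; a Railgun
# call returns a Hash with 'return' (the API's return value), 'GetLastError' (the
# thread's last Win32 error code) and one key per 'out'/'inout' parameter.

# Raise with the Win32 error code when an API reports failure.  `failure_values`
# lists what this particular API returns on failure (BOOL => false, handles => 0).
def railgun_check!(result, what, failure_values = [false, 0, nil])
  ret = result['return']
  if failure_values.include?(ret)
    raise "#{what} failed, GetLastError=#{result['GetLastError']}"
  end
  ret
end

# Teach Railgun an API it may not know.  IsUserAnAdmin lives in shell32.dll.
# add_dll raises if the DLL is already registered in this session, so the rescue
# makes the registration idempotent.  Assumed signature (from Railgun's docs):
# add_function(dll_name, function_name, return_type, params).
def register_is_user_an_admin(rg)
  begin
    rg.add_dll('shell32', 'C:\\Windows\\System32\\shell32.dll')
  rescue RuntimeError
    # shell32 already loaded in this session; fall through to add_function
  end
  rg.add_function('shell32', 'IsUserAnAdmin', 'BOOL', [])
end

# Does the Meterpreter host process run with an elevated (administrator) token?
def elevated?(client)
  register_is_user_an_admin(client.railgun)
  client.railgun.shell32.IsUserAnAdmin()['return']
end

# Process id of the Meterpreter host process, via a call Railgun ships with.
def current_pid(client)
  railgun_check!(client.railgun.kernel32.GetCurrentProcessId(), 'GetCurrentProcessId')
end

# Constructed stand-in for a Meterpreter session so the helpers above can run
# offline.  It imitates only add_dll / add_function registration and
# `railgun.<dll>.<func>(...)` returning a result Hash; nothing else is real.
class FakeDll
  def initialize(table)
    @table = table
  end

  def method_missing(name, *_args)
    return super unless @table.key?(name.to_s)
    @table[name.to_s]
  end

  def respond_to_missing?(name, include_private = false)
    @table.key?(name.to_s) || super
  end
end

class FakeRailgun
  def initialize
    # dll name => { function name => result Hash the fake call returns }
    @dlls = { 'kernel32' => { 'GetCurrentProcessId' => { 'GetLastError' => 0, 'return' => 4242 } } }
  end

  def add_dll(name, _windows_name = name)
    raise "A DLL of name #{name} has already been loaded." if @dlls.key?(name)
    @dlls[name] = {}
  end

  def add_function(dll, func, _return_type, _params)
    # the fake answers true for any newly registered BOOL call (an elevated token)
    @dlls.fetch(dll)[func] ||= { 'GetLastError' => 0, 'return' => true }
  end

  def method_missing(name, *_args)
    return super unless @dlls.key?(name.to_s)
    FakeDll.new(@dlls[name.to_s])
  end

  def respond_to_missing?(name, include_private = false)
    @dlls.key?(name.to_s) || super
  end
end

FakeClient = Struct.new(:railgun)

if __FILE__ == $0
  client = FakeClient.new(FakeRailgun.new)
  puts "pid=#{current_pid(client)} elevated=#{elevated?(client)}"
end
```

In a real session drop the fake classes and run the helpers against `client` from Meterpreter's `irb`; the point of `railgun_check!` is that Railgun hands back the raw return value and `GetLastError` together, and it is on the caller to decide which return values mean failure for the API in question.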

06/13/10

Permalink 05:49:30 pm, by Larry Boggis, 40 words
Categories: Cisco Security Agent

EOL for the Cisco Security Agent

Cisco has officially announced the end-of-sale and end-of-life for the Cisco Security Agent. Priveon will post updated information to this blog, our website and Twitter to keep our customers informed. Stay tuned for additional information and recommendations...

05/19/10

Permalink 05:21:22 pm, by Zach Brewer, 176 words
Categories: General Security, Pen Testing

MetaSploit Releases "MetaSploitable" Vulnerable Pen-Testing Image

A common question in the security world is "what do you recommend for a pen-testing lab?"

This question is somewhat open-ended. When personally asked about pen-testing labs, I typically attempt to narrow down the area of interest from web application security (SQL injection, XSS, CSRF), application/operating system security, database security, network security, or any of the other sub-categories of vulnerabilities and/or pen-testing.

If I can qualify a "pen-testing lab" question with a specific area of interest, I typically answer with a related list of favorite tools, live CDs, websites, and vulnerable images. MetaSploit is nearly always mentioned in the "favorite tools" category for learning pen-test and attack techniques.

Now MetaSploit has released "MetaSploitable" - an image that can be used for pen-testing skill development and testing. I haven't had time to review MetaSploitable yet, but if it comes from HD and company I suspect it will make its way into my list of recommended pen-test lab tools and images.

More information on MetaSploitable, including download instructions, can be found on the official MetaSploit blog.

05/17/10

Permalink 10:57:27 am, by Larry Boggis, 303 words
Categories: General Security

"If Interested" - Latest Email (419) Scam

It's Monday, and this one was just too funny not to post.

My favorite line is: "In order to become our financial manager for cooperation with private individuals You ARE NOT OBLIGED TO HAVE ANY HIGHER OR PROFESSIONAL EDUCATION."

--Complete Email Below (minus obvious header info)--


My name is Jiong Yang and I am the Procurement Manager of China National Heavy Duty Truck Group Corp., China.

The purpose of this message is to draw your attention to a vacant position of a financial manager for cooperation with private individuals.

Nowadays China National Heavy Duty Truck Group Corp. firmly holds a position of a leading company in the Asian market, which ensures our stable development.

So today, we are glad to offer You to:
- become a part of our company
- join a team of high qualified specialists
- get a prestigious part time job
- earn a good deal

In order to become our financial manager for cooperation with private individuals You ARE NOT OBLIGED TO HAVE ANY HIGHER OR PROFESSIONAL EDUCATION. You will just be supposed to:
- have approximately 2 free hours a day
- have a bank account (or to be able to open a new one, especially for company needs)
- have a PC

YOUR PARTICIPATION IS ESSENTIAL TO enable us to grant our customers the best service in shortest dates. YOUR RESPONSIBILITIES will be:
- to receive payments from our customers (private individuals)
- to withdraw the funds and to transfer it to us.
Your SALARY is 10% commission out of every payment that you receive.

If you are interested in the vacancy offered, please reply and if you are not kindly destroy the message.

Our managers will be glad to answer any questions.

We are looking forward to working with you!

Yours faithfully
Jiong Yang
(Procurement Manager)

04/20/10

Permalink 10:21:27 am, by Chad Sullivan, 104 words
Categories: General Security

OWASP Top 10 for 2010 Released

OWASP has released its Top 10 for 2010 document, which is available from the OWASP site.

As published on the OWASP site, the Top 10 risks are:

  • A1: Injection
  • A2: Cross-Site Scripting (XSS)
  • A3: Broken Authentication and Session Management
  • A4: Insecure Direct Object References
  • A5: Cross-Site Request Forgery (CSRF)
  • A6: Security Misconfiguration
  • A7: Insecure Cryptographic Storage
  • A8: Failure to Restrict URL Access
  • A9: Insufficient Transport Layer Protection
  • A10: Unvalidated Redirects and Forwards

Please ensure your web developers and development partners follow OWASP guidelines and are familiar with OWASP best practices. And, it goes without saying, if they don't know what OWASP is, find a new developer now!


Priveon, Inc.

Today's complex security and networking solutions require a great deal of knowledge to successfully support and operate. Priveon uses the field experience of its expert staff to develop and maintain a positive reinforcement loop between business practices and to provide the latest information to our customers. The information posted here is supported by Priveon subject-matter experts.
