Re: Sexy pen-testers and auditing...

From: J. Oquendo (sil@politrix.org)
Date: Wed Mar 10 2004 - 02:41:44 EST


Wondering if the subject is going to be filtered...

> No, I'm not referring to the act ( as far as I know ), I'm referring to the
> common practice of the Big Audit Firms (and others) to pepper/"flesh out"
> their audit teams with young, attractive people (male and female, but
> predominantly female due to the predominantly male base of the IT Industry )
> with little or no skills or experience in technical, security or audit
> fields, to get information more easily through taking the proven "sex sells"
> sales tool, and using it as a social engineering tool to more easily get the
> information they want out of an organisation.

S'nothing new, take a look at Mata Hari for example. IMO, I think this would
fall into a 'psychology' category as opposed to pentesting. However, being
that it does have to deal with security, maybe some in the compsec industry
need to familiarize themselves with military history, deception, perception
management, and classical conditioning altogether.

Take a quick look at something off topic: gyms, health clubs. Do you think
an overweight person wants to see another overweight person doing tae-bo?
No, they want pretty, it boosts the drive to want to achieve something. I
know if I was overweight, why would I want to see overweight people working
out? To me it would signify the health club is a failure. "Look, they can't
even lose weight, so why should I bother." Same goes for most industries.

--- Recent news snippet ---
James J. "JJ" Smith was the FBI agent in charge of Chinese intelligence
assets in Los Angeles. Smith handled one key asset, specifically Katrina
Leung. Smith recruited Leung in the 1980s to provide detailed information
about the People's Republic of China. Leung's FBI code name was "Parlor
Maid."

In the process of "handling" Leung, Smith began to have a "sexual
relationship," which eventually led to his downfall. During the 1990s,
Smith's sexual relationship with Leung took a turn for the worse.

http://www.newsmax.com/archives/articles/2003/4/15/164536.shtml
............

............
Sex Lies and Spies: A Short History of the Origins of Espionage
http://www.historytelevision.ca/archives/sexliesspies/spyorigins/

Barker, Rodney. Dancing with the Devil: Sex Espionage, and the
U.S. Marines - The Clayton Lonetree Story.
............

> This trend has been increasing for years, and I have been trying to get the
> point across to our customers of what is happening, with little or no
> success, so I was wondering whether anyone knows of any papers on the
> subject that would help me get them to take it seriously.

You're probably going about it the wrong way. Think about this for a second,
some 'hot' (not to sound chauvinistic or disrespectful to women on the list)
woman is coming on to you, flirting here, flirting there, maybe dinner who
knows. Do you think a man is going to stop for a split second to think of
the underlying reasons for this? I think not.

Same goes for women. I think it would be wise to point out to those who are
new in the field - hell I've been in the field for about 7-8 years now - the
importance of not limiting themselves to strictly focusing on the computing
aspect of things. While there are tons of write-ups on social engineering,
there are so many other ways one can get information. Sometimes one should
pick up a good spy book, read some of the documents on military, and
intelligence to get an understanding of security as a whole concept, and not
something delegated to just compsec e.g., one program, function, design, etc.

"I'm using a unique port knocking sequence that's tunneled using a 4096 bit
key over encrypted satellite traffic to my office. It's then parsed by this
patent pending biometric clone created to verify this data." ??? Okay, so
then I'll go to your company, pose as a messenger, pretend to be picking up
something from someone, ask to use the phone to call my office, and with the
phone directory I dumpster dived for, I'll call someone and engineer a pw
or two. Better yet, I'll target a not so good looking person in the
company, pay an escort to do the do for a week or two, then sexily ask the
other party to allow them to email their sister or brother, backdoor their
machine and poof... There went your multimillion dollar security on top of
security on top of security schema of tech.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
GPG Key ID 0x51F9D78D
Fingerprint 2A48 BA18 1851 4C99 CA22 0619 DB63 F2F7 51F9 D78D
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x51F9D78D

sil @ politrix . org http://www.politrix.org
sil @ infiltrated . net http://www.infiltrated.net

"Men have been taught that it is a virtue to agree with others.
But the creator is the man who disagrees. Men have been taught
that it is a virtue to swim with the current. But the creator
is the man who goes against the current. Men have been taught
that it is a virtue to stand together. But the creator is the
man who stands alone." -- Ayn Rand


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:50 EDT