RE: Email Pen-testing

From: Eric McCarty (eric@lawmpd.com)
Date: Sun Mar 21 2004 - 14:00:05 EST


1). Notify the Customer ahead of time.
2). If your Trojan opens a hole, make sure it is just for you (password protect, use specific Source IP Lists, etc.). It would be incredibly embarrassing if your Trojan created an avenue of attack for another hacker to use.
3). Work on Timing. Don't you think that they are already saturated by the flurry of e-mails with malicious attachments? Why do you think yours will be more effective than any others? Now is probably not the time for such an attack, as it's a worn-out avenue at this point. If they don't have current A/V or border scanning, your Trojan is the least of their worries.

Eric.

-----Original Message-----
From: Blake [mailto:netspan@hotmail.com]
Sent: Saturday, March 20, 2004 8:22 AM
To: pen-test@securityfocus.com
Subject: Email Pen-testing

Wanted to get your opinion on something...

Doing a pen-test for a small bank which was proving very difficult to get in. A friend of mine suggested I send a backdoor trojan attachment via an email. If they clicked on it, the backdoor performs maybe a boxscan, grabs passwords, and connects out to the Internet. --Much like a virus.

I think this type of testing is becoming more relevant nowadays, especially with what's out there. It reinforces properly configured antivirus software and user awareness.

I spoke with a previous customer of mine about the idea. He said he would be very upset if he was not told prior to that type of test as part of normal pen-testing.

Generally speaking, my code of ethics doesn't allow me to social engineer. I don't like lying and misleading people. Also people tend to hate you after they've been punk'd.

What are your ideas on the email pen-testing?

-Blake



