RE: Email Pen-testing

From: Blake Wiedman (bwiedman@iconsinc.com)
Date: Mon Mar 22 2004 - 15:54:49 EST


>> warnings of each and every step are not a level
>> playing field and certainly do not resemble reality for sure.

I agree with everything except for the above statement. Though notifying
the institution does not resemble reality, unfortunately penetration
technicians must follow rules and regulations. Especially in a banking
atmosphere, all data transmitted to third parties must be tracked. To
cover such liabilities, I have a POC who knows what is being conducted
at all times during the test. This POC is not a part of the assessment
and does not inform the targets of such tests under any circumstances.

> A friend of mine suggested I send a backdoor trojan attachment
> via an email. If they clicked on it, the backdoor performs maybe a
> boxscan, grab passwords, and connects out to the Internet. --Much like a
> virus.

The idea is great, but I do not recommend the recording and transmittal
of data. I send an impotent Trojan horse which only loads a dummy
payload of a text file on the target system.

If you are transmitting data, questions will arise in regard to how the
information is transmitted (SSL or clear). Also, system sanitation will
need to be done to ensure the software has been cleaned.

Blake Wiedman

-----Original Message-----
From: R. DuFresne [mailto:dufresne@sysinfo.com]
Sent: Monday, March 22, 2004 1:01 PM
To: Kevin
Cc: pen-test@securityfocus.com
Subject: RE: Email Pen-testing

It's about time the industry, IT as a whole, comes to understand:

a pentest is something much more than a simple port/vuln scan from
outside.

a simple port/vuln scan has its value, as a way to probe for potential
risks. A *real* pentest is an attempt to actually make use of potential
holes, show they are in fact real risks, and will in fact be able to be
exploited to gain illegal/unwanted entry into an org's systems and to
their core data and apps. At least since Mitnick's days social
engineering has been shown to be a major gateway to resources that should
be better protected.

A company asking for a mere set of potentials wants a sweet little report
done on a port/vuln scan that anyone with minimal skills can accomplish.
A company actually wishing to determine how well they have done their job
of protecting assets might opt for a full pentest, with all the stops out
of the bag. Advance warnings of each and every step are not a level
playing field and certainly do not resemble reality for sure.

Thanks,

Ron DuFresne

On Mon, 22 Mar 2004, Kevin wrote:

> Well, humans are the weakest link in the security ring.. and social
> engineering is always the easiest (if not the best) technique to open up
> loopholes in a security system.
>
> Although it's an area which requires the most emphasis and concern, it is
> also the most sensitive area where security managers often get stuck.
>
> If the company is ok with social engineering in the pen test, then I
> suppose it's ok.. It's ethical as long as you're doing it for a cause that
> is not malicious or harmful.
>
>
> -----Original Message-----
> From: Blake [mailto:netspan@hotmail.com]
> Sent: Sunday, March 21, 2004 12:22 AM
> To: pen-test@securityfocus.com
> Subject: Email Pen-testing
>
>
>
> Wanted to get your opinion on something...
>
> Doing a pen-test for a small bank which was proving very difficult to
> get into. A friend of mine suggested I send a backdoor trojan attachment
> via an email. If they clicked on it, the backdoor performs maybe a
> boxscan, grab passwords, and connects out to the Internet. --Much like a
> virus.
>
> I think this type of testing is becoming more relevant nowadays,
> especially with whats out there. It reinforces properly configured
> antivirus software and user awareness.
>
> I spoke with a previous customer of mine about the idea. He said he
> would be very upset if he was not told prior to that type of test as
> part of normal pen-testing.
>
> Generally speaking, my code of ethics doesn't allow me to social
> engineer. I don't like lying and misleading people. Also people tend to
> hate you after they've been punk'd.
>
> What are your ideas on email pen-testing?
>
>
> -Blake
>
>
> ---------------------------------------------------------------------------
> Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
> any course! All of our class sizes are guaranteed to be 10 students or less
> to facilitate one-on-one interaction with one of our expert instructors.
> Attend a course taught by an expert instructor with years of in-the-field
> pen testing experience in our state of the art hacking lab. Master the skills
> of an Ethical Hacker to better assess the security of your organization.
> Visit us at:
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> ----------------------------------------------------------------------------
>
>
> ---------------------------------------------------------------------------
> You're a pen tester, but is google.com still your R&D team?
> Now you can get trustworthy commercial-grade exploits and the latest
> techniques from a world-class research group.
> www.coresecurity.com/promos/sf_ept1
> ----------------------------------------------------------------------------
>
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart
testing, only testing, and damn good at it too!


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:51 EDT