Re: Email Pen-testing

From: Rainer Duffner (rainer@ultra-secure.de)
Date: Tue Mar 23 2004 - 11:45:38 EST


Michael Richardson wrote:

>-----BEGIN PGP SIGNED MESSAGE-----
>
>>>>>> "Blake" == Blake <netspan@hotmail.com> writes:
>
> Blake> of normal pen-testing. Generally speaking, my code of
> Blake> ethics doesn't allow me to social engineer. I don't like
>
> Well, trojan'ed email that needs to be double-clicked *IS* social
> engineering.
>

In my old company, the CxO once sent out an email with an .exe
attachment and instructions that could be summarized with "double-click
this file".
To add insult to irony, it was, of all things, a new AUP that had to be
accepted by everybody.
The funny thing is that mails by "higher-ups" always looked like they
were faked anyway (headers faked/munged, so that the
idiots^H^H^H^H^H^Husers who clicked "Reply All" wouldn't swamp the CxO's
mailbox.)

It's moments like those (how long did /you/ train your users *not* to
click on .exe-attachments, even if it seems to come from a well known
person?), that make me want to sentence these people to two months
with only ksh, vi and elm on a box with no X.

Nowadays, they're big in "homeland security". Go figure.

So, who needs social engineering, if you have chief executives?

Rainer




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:51 EDT