RE: physical security pentesting procedures, tips, audit programs?

From: xyberpix (xyberpix@xyberpix.com)
Date: Thu Dec 09 2004 - 13:25:33 EST


Frank,

As Todd mentioned and as I said "Hidden".
This is the way that I have done pen tests for banks and stock
exchanges, as well as hospitals, and it has always been fine with the
men in suits. Yes it does make their security look lousy, but that's
what I usually get hired for, to prove a point, get a higher budget and
make some serious changes.

xyberpix

On Thu, 2004-12-09 at 14:12 -0600, Todd Towles wrote:
> Frank, If I remember correctly Xyberpix stated that they should be
> hidden. St8r from his e-mail
>
> " be allowed, stick a business card somewhere out of site, and make a
> note of it."
>
> Therefore I understand your point but fail to see the bad idea. You need
> to prove you were in an area...I could walk in your office and tell you
> that I was in an area but wouldn't it be better to take a member of
> management around with you as you pick the cards up? The general staff
> wouldn't know what is going on...and sorry to say it but the test is
> designed to find the sorry security, not hide it.
>
> Just my 2 cents.
>
> > -----Original Message-----
> > From: Frank Knobbe [mailto:frank@knobbe.us]
> > Sent: Thursday, December 09, 2004 2:05 PM
> > To: Todd Towles
> > Cc: xyberpix; Vic N; Pen-Test[List]
> > Subject: RE: physical security pentesting procedures, tips,
> > audit programs?
> >
> > On Tue, 2004-12-07 at 14:56, Todd Towles wrote:
> > > Very good idea xyberpix, I like the business card idea.
> > >
> > > Growing off of xyberpix's idea - If you have time...write the date and
> > > the time on the back of the card while placing it. The dates could be
> > > written on the cards beforehand to reduce the time it takes. Then you
> > > will have a written account of time you were in an area.
> >
> > Uhm, very bad idea in my opinion. I do not believe that your
> > sponsor (usually management) would appreciate if you let the
> > employees, or even public, know how far you compromised the
> > security and how weak it looks.
> >
> > Imagine doctors and/or patients spreading the story of
> > janitors going around leaving calling cards that "they were
> > there". You might as well put up posters that say "Your
> > security sucks". Would have the same effect on your sponsor,
> > which will undoubtedly "shorten your final engagement".
> >
> > Instead of leaving cards/clues that you were there, I
> > recommend you take pictures with a digital camera. When we do
> > physical security checks, we document the violations in the
> > report with the pictures as proof (like a stack of sensitive
> > documents sitting unguarded in the hallway, unlocked
> > cabinets, or the all time favorite, logged-in
> > administrator/supervisor workstations :)
> >
> > A picture speaks more than a thousand words. But you should
> > keep your findings confidential and only disclose them to your
> > sponsor. You owe him that much at least.
> >
> > Regards,
> > Frank
> >
> >

-- 
For Security and Open Source news and tips visit:
http://xyberpix.demon.co.uk

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:10 EDT