RE: Hacking to Xp box

From: Omar A. Herrera (omar.herrera@oissg.org)
Date: Fri Sep 02 2005 - 23:51:25 EDT

• Next message: Omar A. Herrera: "RE: Multiple Spoofed HTTP Requests"
• Previous message: kuffya@gmail.com: "Multiple Spoofed HTTP Requests"
• In reply to: Michael Gargiullo: "RE: Hacking to Xp box"
• Next in thread: Enrique A. Sanchez Montellano: "RE: Hacking to Xp box"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

> -----Original Message-----
> From: Michael Gargiullo [mailto:mgargiullo@pvtpt.com]
>
> One other thing... Malicious people will go for the low hanging fruit
> with high value first. Your CEO's PC won't be high on the list.
>
>

That's a good point, even the secretary of CEO's might have more important
information on their computers than CEO's themselves.

But you consider that convincing the CEO is critical to obtain support for
an adequate top down security strategy (the secretary is not going to pay
for more security resources if they are badly needed). People in high
positions tend to lose the sense of the importance of resources, in
particular of those they don't interact with. Even if you manage to hack the
most critical of their production servers, it is nothing they are familiar
with, they probably don't even know the thing exists, and they might not
care anyway.

If you shut down a critical production server you will definitely caught
their attention because of the side-effects, not for the hack of the system
itself. But that strategy should be discarded (hitting hard your own
organization just to show that risks are real will get you kicked out or
jailed, not to mention the damage you could do). Because of this, it might
be a better idea to make the demonstration with the CEO's personal
computer: You are less likely to hit the organization badly if something
goes wrong, and you will still catch her/his attention.

>From the tone of the original poster, it seems he was challenged by the CEO.
It might not look too professional to engage in games like this, but to be
honest, if he succeeds, he will most probably get more support for security
within his company. In short: the company wins if he wins.

Many times your most important battles are fought far away from the
technical ground (e.g. policies, culture,...) in this case, the real target
is the CEO's ego (to make him more conscious about security).

Regards,

Omar Herrera

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------

• Next message: Omar A. Herrera: "RE: Multiple Spoofed HTTP Requests"
• Previous message: kuffya@gmail.com: "Multiple Spoofed HTTP Requests"
• In reply to: Michael Gargiullo: "RE: Hacking to Xp box"
• Next in thread: Enrique A. Sanchez Montellano: "RE: Hacking to Xp box"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:48 EDT