Re: Pen-Test and Social Engineering

From: Pete Herzog (lists@isecom.org)
Date: Tue Feb 07 2006 - 09:37:56 EST


Hi,

Fixer wrote:
<SNIP>
> Probably one of the best attacks that I've used is as follows:
>
> Create a handful of CDs with some legitimate looking (but totally bogus)
> data on it, an autorun script and a customized backdoor (one that
> on-demand AV won't see).

I don't think I'm the only one who sees this as so dangerous as to be
insane to implement. Any number of problems can happen where once it
leaves the building you are responsible for putting a trojan on systems
you can't clean up. Maybe this is what SONY was trying to do too....

>
> Also, if you want to invest a little more time (and money) into it,
> register a web site and create a simple site. My favorite is to use a

Actually, something like this can be a measurable test. Where you mimic
the employee's credit union site and start phishing to see how many
recognize changes, basic insecurities, and those who also report the
problem. All measurable and very helpful as you can specifically make
the site with exactly the problems you expect them to know to be wary of
(because they've been taught this or have signed off on a contract
saying they read and understand this) and the phishing exercises across
many channels like phone, e-mail, company mail, and in person, to
discover areas requiring improvements.

> Even something as simple as knowing
> what their badges look like can help. It's amazing how simple it is to
> forge an ID badge once you know what they look like. Ten minutes and
> the right hardware and you can make yourself an "employee" of anyone
> from CNN to the DoD (not to pick on them).

I understand where this can be helpful in assisting a type of test but
only if the target is trained to recognize a forged badge.

-pete.
www.isecom.org - www.isestorm.org



