RE: Pen-Test and Social Engineering

From: Bob Radvanovsky (rsradvan@unixworks.net)
Date: Tue Feb 07 2006 - 16:36:03 EST


I can see it now (fade to black in flashback mode and Scooby-Doo sound effects from Wayne's World) from the beginning scene of "Dr. No"...

The individual, composed and self-assured of himself, sitting quietly at a Baccarat table, with 3 other guests, sipping Kentucky (sippin') Bourbon, has just won another round against the 'house'. As with any game, the 'house' is usually favoured 3 to 1, but tonight, our stranger continues to sit at the table, sipping his drink, and smoking no-name Turkish cigarettes. Panning upward from the table, we see our gent with a slightly greased haircut, slightly tipped to the right of the brow, wearing an off-white dinner jacket, with black trousers, polished black shoes, and a signet ring on his left hand, 4th finger from the thumb.

The gent doesn't utter a word, but continues playing, quietly, his game, while the spectators continue their winnings, courtesy of this unnamed gentleman. Suddenly, a woman in a red dress (sorry, I just *loved* that movie) with an evening shawl, wearing white pump shoes, enters the Grand Casino Ballroom, noting the now 8th winning (in a row) by our unnamed gentleman. She saucily saunters down the steps, one foot at a time, careful not to lose her balance, but continues to retain her poise and graceful evening elegance. She saunters up to the Baccarat table, and quietly sits down, waiting for the next round.

"Banc ala Bond", is exclaimed by the 'house' dealer. She counts a small wad of cash, quietly and discreetly, from her small purse. A table courtesy approaches her, asking if she would like a drink. She agrees, stating "Vodka martini, shaken, not stirred, no olive." Having made this order, our unnamed gent lights up another cigarette, and takes another sip from his glass, noting the elegant woman in the red dress now sitting almost directly in front of him. She, in turn, lights up one of her own cigarettes and places a nice hefty sum onto the table for her bet.

The 'house' dealer places the cards onto the table. The gent utters, faintly, "Card.", requesting that the 'house' dealer make his move. The 'house' dealer places the cards onto the table, and, to a small "awwwwww" from the now rather large crowd of spectators, the gent has lost the round. The woman takes a puff from her cigarette, and casually looks at the unnamed gent. He looks up at her, and she utters, "Too bad that you lost, Mr...?", while continuing her glazed look into our gent's eyes. Without missing a beat, our unnamed gent, nonchalantly, not missing a moment's pause to the question, answers, "Bond. James Bond."

*theme music* begins, then roars into the background as he gets up from the Baccarat table to cash in his chips.

========================================

Yeah, I could see where you'd wish for something like that. But, I'm afraid that those days of elegance no longer exist any more, even if spies do exist today. Chances are, you'd get a kid that looks and lumbers around just like Keanu Reeves, wearing an outfit similar to what he wore in "Bill & Ted's Excellent Adventure", have a few places pierced (including, perhaps, his tongue), and wearing a T-shirt with profane language underneath a flannel or Oxford button-down shirt, making exclamatory remarks of "whoa" and "heavy" every time he encounters something that he shouldn't be seeing. More than likely, that's the kind of person you'd be dealing with. Or even better yet...a big, heavy-set type (like me -- 6'5", weighing 280 lbs.) with his left ear pierced, wearing a suit that appears to be far too small for his body, pausing every now and then to change the song on his Apple iPod, whilst listening to retro-80's music. Either way, those are the kinds of people I would tend to picture we'd see performing the pen-test of today. 8))

Call me a smart-***, but 'ya gotta love the "rosey picture" I'm paintin'. AT-CHA-CHA-CHA!!!

Bob Radvanovsky, CISM, CIFI, REM, CIPS
"knowledge squared is information shared"
rsradvan (at) unixworks.net | infracritical.com | ehealthgrid.com
(630) 673-7740 | (412) 774-0373 (fax)

----- Original Message -----
From: Terry Vernon [mailto:tvernon24@comcast.net]
To: 'Pete Herzog' [mailto:lists@isecom.org], 'Fixer' [mailto:fixer907@gmail.com]
Cc: 'Erin Carroll' [mailto:amoeba@amoebazone.com], 'Bob Radvanovsky' [mailto:rsradvan@unixworks.net], 'Steven' [mailto:steven@lovebug.org], burzella@inwind.it, pen-test@securityfocus.com
Subject: RE: Pen-Test and Social Engineering

> If we're going to fly off topic we may as well include locating external
> wire boxes and setting up a passive sniffer using an old laptop somewhere.
>
> There's a line drawn somewhere between contracting a pen test and hiring a
> company to send in a James Bond-like person who will defeat physical
> security and rappel down out of the ceiling and snatch the hotswap drives out
> of the old company Netfinity and then write up a report that says
> "see...your network security is penetrable". Under those conditions that old
> "only safest computer is in a bunker unplugged blah blah blah" adage
> applies.
>
> Every company with a client makes up its own guidelines. To me a 'network'
> pen-test should include what you can pry out of the company using only a
> computer(s) and the internet, as 95% of cracked nets happen over the
> internet.
>
> In the quest to sound smart in front of our peers we cannot forget reality
> and that is this: the majority of crackers are script kiddies and the majority
> of crackjobs happen over the internet. The majority of companies looking for
> a pen-test don't own information important enough to anybody who would
> actually rappel down out of their ceiling (or print up badges).
>
> I personally think the extent of the social engineering aspect should be
> what you can accomplish remotely, using the phone and email or whatever else
> is in place. The rest are pipe dreams and speculation until the situation
> changes.
>
> I WISH a company would call my company asking for a James Bond-like person
> to come penetrate their security. Being a cat burglar without fear of prison
> is the equivalent of...i dunno, something awesome.
>
> Who knows, maybe our discussions here will lead to an industry merger
> between physical and network security devices. Maybe the IPS of the future
> will monitor more than data.
>
> -Terry
>
> -----Original Message-----
> From: Pete Herzog [mailto:lists@isecom.org]
> Sent: Tuesday, February 07, 2006 8:38 AM
> To: Fixer
> Cc: Erin Carroll; 'Bob Radvanovsky'; 'Steven'; burzella@inwind.it;
> pen-test@securityfocus.com
> Subject: Re: Pen-Test and Social Engineering
>
> Hi,
>
> Fixer wrote:
> <SNIP>
> > Probably one of the best attacks that I've used is as follows:
> >
> > Create a handful of CDs with some legitimate looking (but totally bogus)
> > data on it, an autorun script and a customized backdoor (one that
> > on-demand AV won't see).
>
> I don't think I'm the only one who sees this as so dangerous as to be
> insane to implement. Any number of problems can happen where once it
> leaves the building you are responsible for putting a trojan on systems
> you can't clean up. Maybe this is what SONY was trying to do too....
>
> >
> > Also, if you want to invest a little more time (and money) into it,
> > register a web site and create a simple site. My favorite is to use a
>
> Actually, something like this can be a measurable test. Where you mimic
> the employee's credit union site and start phishing to see how many
> recognize changes, basic insecurities, and those who also report the
> problem. All measurable and very helpful as you can specifically make
> the site with exactly the problems you expect them to know to be wary of
> (because they've been taught this or have signed off on a contract
> saying they read and understand this) and the phishing exercises across
> many channels like phone, e-mail, company mail, and in person, to
> discover areas requiring improvements.
>
> > Even something as simple as knowing
> > what their badges look like can help. It's amazing how simple it is to
> > forge an ID badge once you know what they look like. Ten minutes and
> > the right hardware and you can make yourself an "employee" of anyone
> > from CNN to the DoD (not to pick on them).
>
> I understand where this can be helpful in assisting a type of test but
> only if the target is trained to recognize a forged badge.
>
> -pete.
> www.isecom.org - www.isestorm.org
>
> ------------------------------------------------------------------------------
> Audit your website security with Acunetix Web Vulnerability Scanner:
>
> Hackers are concentrating their efforts on attacking applications on your
> website. Up to 75% of cyber attacks are launched on shopping carts, forms,
> login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
> futile against web application hacking. Check your website for vulnerabilities
> to SQL injection, Cross site scripting and other web attacks before hackers do!
> Download Trial at:
>
> http://www.securityfocus.com/sponsor/pen-test_050831
> -------------------------------------------------------------------------------
>
>

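Pete's point above, that a phishing exercise is only useful when it is measurable across channels, is easy to state and easy to botch in practice (most write-ups report only "X% clicked"). The scorer below is an added example, not code from the original thread or from ISECOM; it keeps, per channel, the three numbers that actually matter for the conversation above: how many gave something away, how many reported the attempt, and how long the "attacker" was operating on that channel before the first report came in. The channel names, the users, and every timestamp in SAMPLE are constructed for illustration.

```python
"""Score a multi-channel social-engineering exercise (added example; data is constructed)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, Optional


@dataclass
class Exposure:
    """One person reached through one channel during the exercise (constructed record shape)."""
    user: str
    channel: str                            # e.g. "email", "phone", "internal_mail", "in_person"
    sent_at: datetime                       # when the lure reached them
    acted_at: Optional[datetime] = None     # when they handed over credentials/information, if ever
    reported_at: Optional[datetime] = None  # when they told security about it, if ever


@dataclass
class ChannelScore:
    exposed: int = 0
    fell_for_it: int = 0
    reported: int = 0
    reported_without_acting: int = 0        # the behaviour the training is supposed to produce
    first_sent_at: Optional[datetime] = None
    first_report_at: Optional[datetime] = None

    @property
    def compromise_rate(self) -> float:
        return self.fell_for_it / self.exposed if self.exposed else 0.0

    @property
    def report_rate(self) -> float:
        return self.reported / self.exposed if self.exposed else 0.0

    @property
    def time_to_first_report(self) -> Optional[timedelta]:
        """How long the tester operated on this channel before anyone raised the alarm."""
        if self.first_sent_at is None or self.first_report_at is None:
            return None
        return self.first_report_at - self.first_sent_at


def score(exposures: Iterable[Exposure]) -> Dict[str, ChannelScore]:
    """Aggregate per channel; someone who acted AND reported counts in both columns."""
    scores: Dict[str, ChannelScore] = defaultdict(ChannelScore)
    for e in exposures:
        s = scores[e.channel]
        s.exposed += 1
        if s.first_sent_at is None or e.sent_at < s.first_sent_at:
            s.first_sent_at = e.sent_at
        if e.acted_at is not None:
            s.fell_for_it += 1
        if e.reported_at is not None:
            s.reported += 1
            if e.acted_at is None:
                s.reported_without_acting += 1
            if s.first_report_at is None or e.reported_at < s.first_report_at:
                s.first_report_at = e.reported_at
    return dict(scores)


def report(scores: Dict[str, ChannelScore]) -> str:
    """One line per channel, suitable for pasting into the findings section."""
    lines = []
    for ch, s in sorted(scores.items()):
        ttr = s.time_to_first_report
        ttr_text = "never" if ttr is None else "%d min" % (ttr.total_seconds() // 60)
        lines.append("%-14s exposed=%3d compromised=%4.0f%% reported=%4.0f%% clean_reports=%3d first_report=%s"
                     % (ch, s.exposed, 100 * s.compromise_rate, 100 * s.report_rate,
                        s.reported_without_acting, ttr_text))
    return "\n".join(lines)


# Constructed sample run: one morning, three channels, seven people.
T0 = datetime(2006, 2, 7, 9, 0)


def _m(n: int) -> datetime:
    return T0 + timedelta(minutes=n)


SAMPLE = [
    Exposure("alice", "email", T0, acted_at=_m(5)),
    Exposure("bob", "email", T0, acted_at=_m(10), reported_at=_m(12)),   # acted, then thought better of it
    Exposure("carol", "email", T0, reported_at=_m(3)),                   # the one you want to clone
    Exposure("dave", "email", T0),
    Exposure("erin", "phone", _m(30), acted_at=_m(32)),
    Exposure("frank", "phone", _m(35)),
    Exposure("grace", "in_person", _m(60), reported_at=_m(61)),
]

if __name__ == "__main__":
    print(report(score(SAMPLE)))
```

The split between "reported" and "reported without acting" is deliberate: a user who enters their password and then calls the helpdesk is still a finding, but a different one from a user who never bit. The time-to-first-report figure is the number that tells you whether your SOC would have had a chance to pull the plug during a real run; a channel where nobody ever reports is the channel the next real attacker will use.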



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:27 EDT