PaulDotCom mailing list archives
Re: Pen Testing - Corporate laptop theft
From: Larry Petty <lspetty () gmail com>
Date: Thu, 16 Jan 2014 21:25:39 -0500
If sanctioned by the employer and you have a fully executed MSA and SOW, it would fly if you are taking it from one of their offices. We do this all the time. However, I would think all that would change if you took it from a user while at Starbucks, etc. What would happen if an undercover cop caught you while in the act? I personally wouldn't do it. Too many things could go wrong.

On Wed, Jan 15, 2014 at 11:51 AM, Chris Campbell <chris () ctcampbell com> wrote:
Interesting point, it would essentially be employer sanctioned assault if you snatch the laptop, don't think that would fly.

On 15 Jan 2014, at 16:09, Michael Yemane <miketyhs () gmail com> wrote:

Interesting hypothetical situation. Never done it, but I would be hesitant on such a test. I would have a good lawyer look at it first. Anything outside a client's physical boundary is a grey area I would think.

Mike

On 1/8/2014 6:45 PM, Jamil Ben Alluch wrote:

Hello,

I was working on a mental exercise to see how far a pen test could be taken, and came up with this question for which I'd like to have some input from those who have done it or would never do it and why (any specific case that could be shared).

Has it ever come in your scope/rules of engagement the concept of stealing a corporate laptop/device from a given employee given the possibility (with the organization's blessing of course) and use that to leverage access say to a VPN, admin panels, etc?

The concept itself seems to be at the very edge of legality, but I was wondering if this is something that has been attempted and successfully bore fruit.

The given scenario I was thinking was about people who work out of the office but still have access to critical systems/data within the organization and become careless with their devices outside of the workplace (Starbucks, restaurant, airport, bus station, etc.) - It's not hard to imagine somebody snatching or borrowing the device in order to gain access to a deeper level.

Anyways, food for thought.

Best Regards,

--
Jamil Ben Alluch, B.Ing., GCIH
<http://www.autronix.com>
jamil () autronix com
+1-819-923-3012