Penetration Testing mailing list archives
Re: Pen-Test and Social Engineering
From: Pete Herzog <lists () isecom org>
Date: Tue, 07 Feb 2006 15:37:56 +0100
Hi, Fixer wrote: <SNIP>
Probably one of the best attacks that I've used is as follows:Create a handful of CDs with some legitimate looking (but totally bogus) data on it, an autorun script and a customized backdoor (one that on-demand AV won't see).
I don't think I'm the only one who sees this as so dangerous as to be insane to implement. Any number of problems can happen where once it leaves the building you are responsible for putting a trojan on systems you can't clean up. Maybe this is what SONY was trying to do too....
Also, if you want to invest a little more time (and money) into it, register a web site and create a simple site. My favorite is to use a
Actually, something like this can be a measurable test. Where you mimic the employee's credit union site and start phishing to see how many recognize changes, basic insecurities, and those who also report the problem. All measurable and very helpful as you can specifically make the site with exactly the problems you expect them to know to be wary of (because they've been taught this or have signed off on a contract saying they read and understand this) and the phishing exercises across many channels like phone, e-mail, company mail, and in person, to discover areas requiring improvements.
Even something as simple as knowing what their badges look like can help. It's amazing how simple it is to forge an ID badge once you know what they look like. Ten minutes and the right hardware and you can make yourself an "employee" of anyone from CNN to the DoD (not to pick on them).
I understand where this can be helpful in assisting a type of test but only if the target is trained to recognize a forged badge.
-pete. www.isecom.org - www.isestorm.org ------------------------------------------------------------------------------Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
Current thread:
- Re: Pen-Test and Social Engineering, (continued)
- Re: Pen-Test and Social Engineering Francisco Pecorella (Feb 06)
- RE: Pen-Test and Social Engineering Michael Mooney (Feb 05)
- Re: Pen-Test and Social Engineering Ratna Kumar (Feb 05)
- Re: Pen-Test and Social Engineering Dhruv Soi (Feb 06)
- RE: Pen-Test and Social Engineering Lyal Collins (Feb 07)
- Re: Pen-Test and Social Engineering Ratna Kumar (Feb 05)
- Re: Pen-Test and Social Engineering jalvare7 (Feb 06)
- Re: Pen-Test and Social Engineering Bob Radvanovsky (Feb 06)
- Re: Pen-Test and Social Engineering Pete Herzog (Feb 06)
- RE: Pen-Test and Social Engineering Erin Carroll (Feb 06)
- Re: Pen-Test and Social Engineering Fixer (Feb 06)
- Re: Pen-Test and Social Engineering Pete Herzog (Feb 07)
- RE: Pen-Test and Social Engineering Terry Vernon (Feb 07)
- RE: Pen-Test and Social Engineering Leif Ericksen (Feb 08)
- Re: Pen-Test and Social Engineering Pete Herzog (Feb 08)
- Re: Pen-Test and Social Engineering Volker Tanger (Feb 08)
- Re: Pen-Test and Social Engineering Leif Ericksen (Feb 09)
- Re: Pen-Test and Social Engineering Neil (Feb 07)