Penetration Testing mailing list archives
RE: proposed pen-test
From: Gorgon Beast <gorgonbeast () hotmail com>
Date: Tue, 9 Mar 2010 16:24:39 -0800
Legalities aside, since I'm not a lawyer, what are you trying to prove? This seems like a form of social engineering, which works very well with many companies. If you want to prove something in a SAS70 type of setting, tell everyone NOT to attach any USB stick to their computer. Have them sign a piece of paper stating that they understand not to attach the USB stick and they must bring it to you. Wait a month, then send it out and see how many you get.

At a security conference I attended, our Corporate office handed out USB sticks advertising the new name. There weren't any files on them. When I got up to give my presentation a couple of days later, I waited for all 450 people to quiet down and then I asked, "How many people have attached the USB drives to your laptops, and scanned them for viruses?" You could feel the fear. I told them it was safe, I had tested mine on someone else's laptop. ;)

One more point, then I'll shut up. I would also worry about people inside your organization. The disgruntled worker might bring in a box of USB drives and set them in the cafeteria with a note that says, "Free! Take one!" (I did this as part of a full Pen Test; they were all gone within an hour.)

John Forristel
Intrusion Stop
> Date: Sun, 7 Mar 2010 11:03:31 -0800
> Subject: proposed pen-test
> From: john.k.grimes () gmail com
> To: pen-test () securityfocus com
>
> Hi--
>
> A consultant firm has recommended to my university's IT department that we run the following pen-test:
>
> We send, through regular mail, a letter to members of the staff and faculty, that appears to come from a well-known social networking site, that is, it uses a facsimile of the actual letterhead and envelope of the site, including the correct return address. In this letter, we invite the recipient to beta-test a new version of the social networking site by using the program on the enclosed USB stick. We offer a gift card to a major online retailer as further inducement.
>
> If any staff member plugs in the USB stick, they will be told in a pop-up window that they have been duped, and the fact will be logged to a server at the university.
>
> It seems to us that there are two potential legal problems here: impersonating the social networking site, and using the US postal service for a fraudulent, if well-intentioned, purpose. Can anyone here comment on this?
>
> Beyond the legalities, does this seem like an effective and worthwhile test?
>
> Thanks for any insight.
>
> ------------------------------------------------------------------------
> This list is sponsored by: Information Assurance Certification Review Board
> Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
> http://www.iacertification.org
> ------------------------------------------------------------------------
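[Editor's added example; not code from either poster or the consultant firm.] The original proposal describes a stick whose program pops up a "you have been duped" notice and logs the event to a university server. The sketch below shows the two halves of that in plain Python: a localhost collector that appends one JSON line per report, and the benign payload that displays the notice and phones home. It goes a little beyond the post by giving each mailed stick its own token so a report can be matched to a recipient and the plug-in rate computed, and by flagging tokens the collector never issued. The collector URL, the /report path, the token format (stick-NNNN) and the JSON log layout are assumptions made here. Nothing runs without the user starting the program; the pop-up is stood in for by printing the notice, since a GUI dialog is platform-specific.

```python
"""Benign USB-drop canary and collector (added example, not from the thread).

Assumptions: each mailed stick carries a unique token (say, in token.txt next to
this program), the university runs the collector, and the only data sent is the
token, username, hostname and a timestamp.  URL, path and log format are made up
for this example.
"""
import getpass
import json
import os
import socket
import tempfile
import threading
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import Request, urlopen

NOTICE = ("You have just run a program from an unsolicited USB stick. This was an "
          "awareness exercise: nothing was installed, and the only data sent is the "
          "stick's token, your username and your hostname.")


class CollectorHandler(BaseHTTPRequestHandler):
    """Appends one JSON line per report; the server adds its own timestamp and source IP."""
    log_path = None  # set by start_collector()

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        try:
            record = json.loads(self.rfile.read(length))
            token = str(record["token"])
        except (ValueError, KeyError, TypeError):
            self.send_response(400)  # malformed or token-less report is not logged
            self.end_headers()
            return
        record.update(token=token,
                      received=datetime.now(timezone.utc).isoformat(),
                      remote=self.client_address[0])
        with open(self.log_path, "a", encoding="utf-8") as fh:
            fh.write(json.dumps(record) + "\n")
        self.send_response(204)
        self.end_headers()

    def log_message(self, *args):  # silence per-request stderr noise
        pass


def start_collector(log_path, port=0):
    """Serve the collector on localhost (port 0 = any free port). Returns (server, url)."""
    CollectorHandler.log_path = log_path
    server = HTTPServer(("127.0.0.1", port), CollectorHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d/report" % server.server_address[1]


def _current_user():
    try:
        return getpass.getuser()
    except (KeyError, OSError):  # no login name available in this environment
        return "unknown"


def report_plugin(collector_url, token, timeout=5):
    """What the stick's program does after showing NOTICE. True only if the collector logged it."""
    payload = {"token": token, "host": socket.gethostname(), "user": _current_user(),
               "plugged_at": datetime.now(timezone.utc).isoformat()}
    req = Request(collector_url, data=json.dumps(payload).encode("utf-8"),
                  headers={"Content-Type": "application/json"}, method="POST")
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status == 204
    except OSError:  # URLError/HTTPError, refused connection or timeout: fail quietly
        return False


def tally(log_path, issued_tokens):
    """Count distinct issued tokens that phoned home; list tokens you never issued."""
    issued = set(issued_tokens)
    seen, unknown = set(), set()
    with open(log_path, encoding="utf-8") as fh:
        for line in fh:
            tok = json.loads(line)["token"]
            (seen if tok in issued else unknown).add(tok)
    return {"issued": len(issued), "plugged": len(seen),
            "rate": round(len(seen) / len(issued), 3) if issued else 0.0,
            "unknown": sorted(unknown)}


def new_log_path():
    """Fresh empty log file for a test run."""
    fd, path = tempfile.mkstemp(prefix="usbdrop-", suffix=".jsonl")
    os.close(fd)
    return path


if __name__ == "__main__":
    # Stand-alone demo on localhost; a real stick would read its token from token.txt.
    log = new_log_path()
    server, url = start_collector(log)
    print(NOTICE)
    print("reported:", report_plugin(url, "stick-0001"))
    print(tally(log, ["stick-0001", "stick-0002", "stick-0003"]))
    server.shutdown()
    server.server_close()
```

The per-stick token is what turns "someone plugged one in" into "these recipients plugged one in", which is the number a SAS70-style review or the sign-a-paper exercise in the reply above actually needs. Repeat reports from the same stick are collapsed to one, and an unknown token is worth a look since it means either a typo in the issued list or a stick that was copied.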
Current thread:
- proposed pen-test John Grimes (Mar 08)
- Re: proposed pen-test Tracy Reed (Mar 08)
- RE: proposed pen-test Password Crackers, Inc. (Mar 08)
- Re: proposed pen-test John Kinsella (Mar 08)
- Re: proposed pen-test Steve Friedl (Mar 11)
- Re: proposed pen-test Matt Gardenghi (Mar 11)
- Re: proposed pen-test Steve Friedl (Mar 11)
- Re: proposed pen-test Terry Cutler (Mar 08)
- Re: proposed pen-test Shohn Trojacek (Mar 08)
- RE: proposed pen-test Gorgon Beast (Mar 11)
- Re: proposed pen-test Eric Milam (Mar 11)
- <Possible follow-ups>
- Re: proposed pen-test krymson (Mar 08)