Penetration Testing mailing list archives
Re: Email Pen-testing
From: Rainer Duffner <rainer () ultra-secure de>
Date: Tue, 23 Mar 2004 17:45:38 +0100
Michael Richardson wrote:
-----BEGIN PGP SIGNED MESSAGE-----

"Blake" == Blake <netspan () hotmail com> writes:

Blake> of normal pen-testing. Generally speaking, my code of
Blake> ethics doesn't allow me to social engineer. I don't like

Well, trojan'ed email that needs to be double-clicked *IS* social engineering.

In my old company, the CxO once sent out an email with an .exe attachment and instructions that could be summarized with "double-click this file". To add insult to irony, it was, of all things, a new AUP that had to be accepted by everybody. The funny thing is that mails by "higher-ups" always looked like they were faked anyway (headers faked/munged, so that the idiots^H^H^H^H^H^Husers who clicked "Reply All" wouldn't swamp the CxO's mailbox.)
It's moments like those (how long did /you/ train your users *not* to click on .exe-attachments, even if it seems to come from a well known person?), that make me want to sentence these people to two months with only ksh, vi and elm on a box with no X.
Nowadays, they're big in "homeland security". Go figure. So, who needs social engineering, if you have chief executives?

Rainer