Penetration Testing mailing list archives

Re: Email Pen-testing


From: Rainer Duffner <rainer () ultra-secure de>
Date: Tue, 23 Mar 2004 17:45:38 +0100

Michael Richardson wrote:

"Blake" == Blake  <netspan () hotmail com> writes:

   Blake> of normal pen-testing. Generally speaking, my code of
   Blake> ethics doesn't allow me to social engineer. I don't like

 Well, trojan'ed email that needs to be double-clicked *IS* social
engineering.

In my old company, the CxO once sent out an email with an .exe attachment and instructions that could be summarized with "double-click this file". To add insult to irony, it was, of all things, a new AUP that had to be accepted by everybody. The funny thing is that mails by "higher-ups" always looked like they were faked anyway (headers faked/munged, so that the idiots^H^H^H^H^H^Husers who clicked "Reply All" wouldn't swamp the CxO's mailbox.)

It's moments like those (how long did /you/ train your users *not* to click on .exe attachments, even if they seem to come from a well-known person?) that make me want to sentence these people to two months with only ksh, vi and elm on a box with no X.


Nowadays, they're big in "homeland security". Go figure.

So, who needs social engineering, if you have chief executives?



Rainer

