Penetration Testing mailing list archives
Re: Papers on Sex as an audit tool?
From: Daniel <daniel () dev ugc-labs co uk>
Date: 10 Mar 2004 09:50:41 -0000
In-Reply-To: <48BE7A35FDE3DB4F8D8C5A96101ACA0E064E492F@aubwm205>

Interesting theory you have there.. I've just finished a contract with a big audit firm and I can honestly say that they didn't hire sexy people (if they did, dammit, fire the person who was doing so as DAMN!! they could have done better).

I did notice a general fear factor during audits whereby the staff were told to co-operate fully with the auditors and generally gave out anything you asked for. A good example of this was me asking about their password policy and them giving me sheets with passwords on even before I started the pen-test.

But I can see how an attractive woman or man could gain detailed info by being sexy and flirty with the IT boss and staff. Now if you could tell me which firms hire these sexy staff, I'll submit my CV for research purposes :0)
Message-ID: <48BE7A35FDE3DB4F8D8C5A96101ACA0E064E492F@aubwm205>
From: "Green, Neale S" <neale.green () eds com>
To: pen-test () securityfocus com
Subject: Papers on Sex as an audit tool?
Date: Wed, 10 Mar 2004 08:10:28 +1100

No, I'm not referring to the act ( as far as I know ), I'm referring to the common practice of the Big Audit Firms (and others) to pepper/"flesh out" their audit teams with young, attractive people (male and female, but predominantly female due to the predominantly male base of the IT Industry ) with little or no skills or experience in technical, security or audit fields, to get information more easily through taking the proven "sex sells" sales tool, and using it as a social engineering tool to more easily get the information they want out of an organisation.
This trend has been increasing for years, and I have been trying to get the point across to our customers of what is happening, with little or no success, so I was wondering whether anyone knows of any papers on the subject that would help me get them to take it seriously.

From my observation, external audit teams quite easily get information that they should not have access to ( or at most, controlled, monitored, access ), by using the young, attractive, members of the team to charm it out of the business or IT people who control the information. When queried on the process issues, the business or IT people in question can very rarely, if ever, see that they have been "played" and will invariably create excuses as to why they gave out the restricted information so readily.

Obviously, we have a scenario whereby the average person would much rather believe that the people like them and/or are interested in them for themselves, and will refuse to accept that they have been used to get what the outside parties want ( especially if they are ordinary, middle aged, married men whose egos are titillated to have a young, attractive appear to be interested in them, it is an unfortunate fact of life that many men are susceptible to this ).

The social engineering exercise and impact is no less notable because the external audit firms are supposedly "white hats" ( or at most, "Grey hats" ), rather than a "black hat" cracker who uses this mechanism for an outright attack, in that, no matter the final outcome, a significant degree of deception and social engineering is involved.

Therefore, given that it is almost impossible to gain acceptance of the situation directly, and I have found no papers on the subject in personal searches, I was interested whether others in the Security community have any knowledge of papers on this subject?

Thanking you in anticipation.
NB: Standard disclaimer, the views expressed are personal views of the author, and are in no way indicative of the views or policies of EDS as a Corporate entity.

Regards,
Neale Green CISSP
Information Security
Phone: +61 2 937 80225
Mobile: 0414 979 627
Fax: +61 2 9312 6116
Email: neale.green () eds com

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization.
Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------