Penetration Testing mailing list archives
RE: Papers on Sex as an audit tool?
From: Flory Jeffrey D Contr 59 MDSS/MSISI <Jeffrey.Flory2 () LACKLAND AF MIL>
Date: Fri, 12 Mar 2004 06:55:55 -0600
I have seen this both in the computer security world as well as in the computer selling world. I am not a female, but my being in the computer security business, and a former purchasing agent, I have had numerous occasions when I have been approached by the good looking female that worked in their contracts department and/or accounts department. I have also run across the opposite sex (Female) using their appeal trying to sway me to set up accounts, purchase from their companies, etc. Since I did not bite on their offers, they ceased to come back around.

Also, in the computer security business I have found that they will use their appeal to bypass security. Watching these types of individuals do their thing, and my biggest pet peeve is Social Engineering. If people fall for this type of con, they are fools. To sit there and let someone take advantage of you in such a manner, having never met this particular individual tells exactly what type of person this individual really is. The individual that is being taken advantage of, is most likely unsuccessful in the dating world, and is not confident in themselves as a person.

This is just my two cents concerning this matter.

Thanks.

Jeff

-----Original Message-----
From: Raven Alder
To: pen-test () securityfocus com
Sent: 3/11/2004 3:29 AM
Subject: Re: Papers on Sex as an audit tool?

Hiya --

Quoth Sriram Lakshmanan (Wed, Mar 10, 2004 at 02:17:07PM +0530):
> Really interesting Point. In my limited audit experience, yet to come across "fairer sex" being used to ferret info from clients.

It is a definite factor. I am both female and a pen-tester. Even if I'm not trying to social-engineer, I find that being a reasonably attractive woman can be immensely helpful. People tend to bend over backwards to be charming and helpful, try to impress you with their knowledge, talk more freely than they would to some unknown guy, or vastly underestimate your technical skill level. There are times when it's actually an advantage to be dealing with a sexist jerk. [grin]

"Wow, that looks really *difficult*, you must be so *smart*."
"Well, let me show you, little lady..."
"Oh, that's so cool!" [mentally records details of login challenge-response...]

While I normally focus much more on the technical aspects of pen-testing than the social ones, I have had co-workers ask me on multiple occasions to be the one to try the social engineering tactics. They (correctly) estimated that my chances of success would be much greater, simply by virtue of looking like the girl next door. And if the specs of your pen-test contract include social engineering and physical security, a savvy female with both social engineering skills *and* technical know-how can do really well. Get in the door, find the machine, FIRE CD, ba da bing. Corporate security desks tend not to search purses, either.

I haven't authored any formal papers on the subject, but probably could. (More of a case study of my own experiences than anything statistical/canonical, but still.) I'll add it to the "Things to do in my Copious Spare Time" list. [grin]

Cheers,
Raven