Penetration Testing mailing list archives
RE: Pen-Test and Social Engineering
From: "Terry Vernon" <tvernon24 () comcast net>
Date: Tue, 7 Feb 2006 14:53:09 -0600
If we're going to fly off topic we may as well include locating external wire boxes and setting up a passive sniffer using an old laptop somewhere. There's a line drawn somewhere between contracting a pen test and hiring a company to send in a James Bond-like person who will defeat physical security and rappel down out of the ceiling and snatch the hotswap drives out of the old company Netfinity and then write up a report that says "see...your network security is penetrable". Under those conditions that old "only safest computer is in a bunker unplugged blah blah blah" adage applies. Every company with clients makes up its own guidelines. To me a 'network' pen-test should include what you can pry out of the company using only a computer(s) and the internet, as 95% of cracked nets happen over the internet.

In the quest to sound smart in front of our peers we cannot forget reality, and that is this: the majority of crackers are script kiddies and the majority of crackjobs happen over the internet. The majority of companies looking for a pen-test don't own information important enough to anybody who would actually rappel down out of their ceiling (or print up badges). I personally think the extent of the social engineering aspect should be what you can accomplish remotely, using the phone and email or whatever else is in place. The rest are pipedreams and speculation until the situation changes.

I WISH a company would call my company asking for a James Bond-like person to come penetrate their security. Being a cat burglar without fear of prison is the equivalent of...I dunno, something awesome. Who knows, maybe our discussions here will lead to an industry merger between physical and network security devices. Maybe the IPS of the future will monitor more than data.
-Terry

-----Original Message-----
From: Pete Herzog [mailto:lists () isecom org]
Sent: Tuesday, February 07, 2006 8:38 AM
To: Fixer
Cc: Erin Carroll; 'Bob Radvanovsky'; 'Steven'; burzella () inwind it; pen-test () securityfocus com
Subject: Re: Pen-Test and Social Engineering

Hi,

Fixer wrote:
<SNIP>
Probably one of the best attacks that I've used is as follows: Create a handful of CDs with some legitimate looking (but totally bogus) data on it, an autorun script and a customized backdoor (one that on-demand AV won't see).
I don't think I'm the only one who sees this as so dangerous as to be insane to implement. Any number of problems can happen where once it leaves the building you are responsible for putting a trojan on systems you can't clean up. Maybe this is what SONY was trying to do too....
Also, if you want to invest a little more time (and money) into it, register a web site and create a simple site. My favorite is to use a
Actually, something like this can be a measurable test. Where you mimic the employee's credit union site and start phishing to see how many recognize changes, basic insecurities, and those who also report the problem. All measurable and very helpful as you can specifically make the site with exactly the problems you expect them to know to be wary of (because they've been taught this or have signed off on a contract saying they read and understand this) and the phishing exercises across many channels like phone, e-mail, company mail, and in person, to discover areas requiring improvements.
Even something as simple as knowing what their badges look like can help. It's amazing how simple it is to forge an ID badge once you know what they look like. Ten minutes and the right hardware and you can make yourself an "employee" of anyone from CNN to the DoD (not to pick on them).
I understand where this can be helpful in assisting a type of test but only if the target is trained to recognize a forged badge.

-pete.
www.isecom.org - www.isestorm.org