Penetration Testing mailing list archives
Re: Pen-Test and Social Engineering
From: Petr.Kazil () eap nl
Date: Sun, 5 Feb 2006 20:07:11 +0100
In your opinion, can a Social Engineering test be considered part of a Pen-Test?
In my circles the opinions are divided on this subject:

- Some of my colleagues include a social engineering test in their pentests, and they summarize their experience as "it always succeeds".
- When I proposed an SE-test to one security officer, his response was: "not really necessary, because I can predict the answer already: you will succeed". (!)
- Other colleagues say: "we do physical penetration tests, but for legal reasons we're not allowed to tell lies during such a test, so we can't do SE tests".
- There are many questions to be answered before doing an SE test - questions of legality, ethics and possible personal consequences for the people who were "duped".
- Therefore I never really tried getting permission for an SE test, because I didn't want to plow my way through all the boards and departments (security, IT, legal, human resources).

And I think a good SE attack requires special acting and improvisation talents (like the "Talented Mr. Ripley") that I certainly don't have.

Personally I would like to do the following "soft" SE-test (as part of a pentest) and would be very curious about the outcome:

1) For "company X" harvest 100 e-mail addresses from Google.
2) Send a spam-like mail to all the addresses, inviting them to download the great "cuddly animals screensaver".
3) Include a personalized link in each spam mail like: http:/webserver/123/animal_screensaver
4) Count how many persons tried to download the screensaver.

Has anyone ever tried something like this? This could be part of a security awareness campaign.

I tried it out on our (two) secretaries and one of them still has the screensaver running on her desktop :-)