Re: Social Engineering - information disclosing by phone

["Shomiron Das Gupta" <chaff0 () gmail com>]

Hey Taras,

Compliments of the season, most clients we have worked for typically
look at security as a technical 'only' subject. However we have died
and born again explaining the social (larger) aspect of security.

Chaff

On 12/25/08, Taras P. Ivashchenko <naplanetu () gmail com> wrote:
> Hello, list!
>
> What do you thing about such step of pentest as information disclosing by
> phone?
> Yes, of course everybody watched "Hackers" with Jolie and Miller and
> remember moment
> when when some security officer told number of modem by telephone.
> But it's cinema and what about real life?
>
> In Penetration Testing Framework [1] we can read:
>
> Scenarios
>
> IT Department.
> "Hi, it's Zoe from the helpdesk. I am doing a security audit of the network
> and I need to re-synchronise the Active Directory usernames and passwords.
>
> This is so that your logon process in the morning receives no undue delays"
>
> If you are calling from a mobile number, explain that the helpdesk has been
> issued a mobile phone for 'on call' personnel.
>
> Results
>
> Contact Details
>  - Name
>  - Phone number
>  - Email
>  - Room number
>  - Department
>  - Role
>
> [1] http://www.vulnerabilityassessment.co.uk/Penetration Test.html
>
> What in your opinion we can take (in pentest) from such method of S.E.?
> Does anybody knows Mitnick here? Please, call him =)
>
> --
> Тарас Иващенко (Taras Ivashchenko), OSCP
> www.securityaudit.ru
> ----
> "Software is like sex: it's better when it's free." - Linus Torvalds

-- 
Sent from my mobile device

-------------------------------------------------------
 He who lives dangerously,
 rocks the world!!
-------------------------------------------------------