Penetration Testing mailing list archives

Re: Social Engineering - information disclosing by phone


From: ArcSighter Elite <arcsighter () gmail com>
Date: Mon, 29 Dec 2008 11:07:53 -0500


Taras P. Ivashchenko wrote:
Hello, list!

What do you think about information disclosure by phone as a step of a pentest?
Yes, of course, everybody has watched "Hackers" with Jolie and Miller and remembers the moment
when a security officer gave out a modem number over the telephone.
But that's cinema; what about real life?

In Penetration Testing Framework [1] we can read:

Scenarios

IT Department.
"Hi, it's Zoe from the helpdesk. I am doing a security audit of the network
and I need to re-synchronise the Active Directory usernames and passwords.

This is so that your logon process in the morning receives no undue delays"

If you are calling from a mobile number, explain that the helpdesk has been
issued a mobile phone for 'on call' personnel.

Results

Contact Details
 - Name
 - Phone number
 - Email
 - Room number
 - Department
 - Role

[1] http://www.vulnerabilityassessment.co.uk/Penetration Test.html

What, in your opinion, can we take (in a pentest) from such a method of S.E.?
Does anybody here know Mitnick? Please, call him =)


Well, IMHO, I think social engineering is most valuable to the blackhat,
and even in that case he usually doesn't resort to it, for many reasons.
As part of a penetration testing scenario, the company may require you to
perform social engineering "attacks" against people who don't belong to
the blue/white teams, to assess the level of user awareness present at the
company.
Though, personally, I've not been asked for this very often, as they're
mostly interested in the technical aspects of their security
infrastructure. I'm not saying social engineering is not worthwhile, but as
part of a penetration test, in most cases, you'll spend the time
assessing the network security at the technical level.
Another reason may be that, in most cases, the people who know any kind of
information that would be valuable for the pen-test are basically
instructed not to disclose such information to the outside public, and
never by phone or over unencrypted channels. Maybe a user could give you
an account, but the fact is that in most cases, if you have no access to
the network, this information is useless unless you break the external
layer.
Sincerely.


