Re: EXAMPLE: Why OOO is *BAD* [WAS: Re: OOO FLAME]

["M.B.Jr." <marcio.barbado () gmail com>]

Dear Jon,
that was a helluva-moron help desk. Is this redundant?

Stupid employee allowed to access compromising content.

"Joe"'s company certainly needs reviewing on their
privileges/permissions management.
"Joe"'s fault, no doubt. He was the CSO, right?

LISTENING ONLY - SILENCE IS GOLD
The first thing help desks should do in those situations is writing
the caller's phone number down and hanging up; then, consulting their
policies.
Do their policies allow confidential content handling instructions to
be passed by phone calls?
If so, the help desk should call up his boss to confirm and, being
truth, getting his instructions, directly.

Well, the point however deserves considerations concerning our policy
template lol

Best regards,


On 9/14/08, Jon Kibler <Jon.Kibler () aset com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
>  Hash: SHA1
>
>  Erin Carroll wrote:
>  > List,
>  >
>  > Let's take Ray's tangent and run with it. What (if any) ways are OOO
>  > messages useful from a pen-test perspective? How would you use the knowledge
>  > that someone is away/on vacation in a pen-test? Would you alter your
>  > techniques or target those accounts specifically in the hopes that brute
>  > force or other account specific techniques might have a window to go
>  > unnoticed?
>  >
>  > I'm just trying to get a conversational ball rolling here. I know where I
>  > would modify my tactics but I'm curious to see what members say. I know that
>  > one area many companies are historically weak is in logging of security
>  > events. Or rather, in having someone actually pay attention to all those
>  > alerts.
>  >
>
>
>  Okay, since I started this, you're on!
>
>  Real world example...
>
>  I was teaching a pen-test bootcamp several years ago. One of the
>  students (who I will call 'Joe') pooh-poohed the whole OOO message
>  issue. He even indicated that he used them all the time, that they were
>  harmless, and they saved him from getting calls to his cell phone at
>  roaming rates when he was out of town. (This was back in the days before
>  nationwide calling plans.)
>
>  I then sent Joe a test email message at his work email address. I got
>  back an OOO message saying that he would be out of the office for two
>  weeks of training and would only have very limited email at night. His
>  signature line showed that he was the dep-CSO for his organization.
>
>  I then displayed the email for the whole class to discuss. Next, I
>  proposed that we demonstrate why OOO messages are an issue.
>
>  What I proposed was to social engineer the help desk into providing
>  sensitive information. Rather arrogantly, he said, "Sure, why not? Those
>  guys are well trained and would never fall for anything you could
>  contrive." We then got permission (in writing) from the CIO, the CSO,
>  and the organization's legal department to do the social engineering attack.
>
>  Next, I wrote up a script for a secretary (who I will call 'Sue') at
>  that ed center to use to call the organization's help desk. It basically
>  went as follows:
>
>    Sue: "Hi, I'm Sue with abc training company. One of your employees,
>  Joe, is taking a security course from us and he forgot that he was
>  supposed to bring the /etc/shadow file from the user file store server.
>  He needs it to use in class to test password cracking. He asked that you
>  please gzip it and email it to him."
>
>    Help Desk: "Okay, but I will have to check with his manager first."
>
>    Sue: "Oh, Joe said that if you needed to verify that he was taking a
>  course from us, just send him an email and the OOO reply it will have
>  everything you need to know."
>
>    Help Desk: "Alright, give me a minute. (Pause) Okay, I guess this has
>  everything I need. But, it says that he has limited email access; does
>  he want it sent to his office email address?"
>
>  (This just shows that help desks are trained to be helpful!!! Despite
>  continual security awareness training, the possibility that this might
>  be social engineering attack never even occurred to this guy!)
>
>    Sue: "No, I was just about to tell you that he asked to have you it
>  send to his Hotmail address, which is: joe.... () hotmail com."
>
>    Help Desk: "Okay, no problem, he should have it in about 5 minutes."
>
>  Needless to say, we had just created the hotmail account a few minutes
>  prior to the phone call.
>
>  In just a couple of minutes, we owned the shadow file from the file
>  server where all user accounts have their data stored. In other words,
>  we now pwned the passwords for every one of his users.
>
>  After that b-slap with a clue-by-4, Joe started singing a different tune.
>
>  Jon K.
>  - --
>  Jon R. Kibler
>  Chief Technical Officer
>  Advanced Systems Engineering Technology, Inc.
>  Charleston, SC  USA
>  o: 843-849-8214
>  c: 843-224-2494
>  s: 843-564-4224
>  http://www.linkedin.com/in/jonrkibler
>
>  My PGP Fingerprint is:
>  BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
>
>
>  -----BEGIN PGP SIGNATURE-----
>  Version: GnuPG v1.4.8 (Darwin)
>  Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
>  iEYEARECAAYFAkjNccsACgkQUVxQRc85QlOwCwCgl54SNlQMmB6/USWoYaKXTGiz
>  74kAoIuGzu3M2pYIcOuiQNiVewO478Rd
>  =BBer
>  -----END PGP SIGNATURE-----
>
>
>
>
>  ==================================================
>  Filtered by: TRUSTEM.COM's Email Filtering Service
>  http://www.trustem.com/
>  No Spam. No Viruses. Just Good Clean Email.
>
>
>
> ------------------------------------------------------------------------
>  This list is sponsored by: Cenzic
>
>  Top 5 Common Mistakes in
>  Securing Web Applications
>  Get 45 Min Video and PPT Slides
>
>  www.cenzic.com/landing/securityfocus/hackinar
>  ------------------------------------------------------------------------



-- 
Marcio Barbado, Jr.

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes in 
Securing Web Applications
Get 45 Min Video and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------