Penetration Testing mailing list archives

Re: Assessing the security awareness of web users at a national level


From: J-P <jphml () videotron ca>
Date: Tue, 22 Sep 2009 12:19:51 -0400

Hi Demetris,

Not sure about the ethical side of your project (even if I'd be curious to see
the results), but to answer your question, the only similar project I saw
was done by Didier Stevens back in 2007. See his blog post here:

http://blog.didierstevens.com/2007/05/07/is-your-pc-virus-free-get-it-infected-here/

I hope you'll find useful information there.

J-P


On 09-09-18 6:29 AM, "Demetris Papapetrou"
<dpapapetrou () internalaudit gov cy> wrote:

Dear list members,

I am currently setting up a project, in which I will assess the security
awareness level of my fellow citizens concerning social engineering attacks
that are launched through the web. The scope of the project is to gather
statistical data and possibly draw some useful conclusions as to the level
of awareness of, let's say, male vs female users in my country, young vs old
people, Linux vs Windows users or even Firefox vs Internet Explorer users.
The attack methods will simulate real life scenarios such as fake virus
detection messages, missing codec messages or even "click me" buttons that
are often utilized by attackers to infect computers with
viruses/backdoors/malware/etc. I should note here that no harmful programs
will be sent to users during the assessment. Instead the "malicious website"
will record whether the users clicked on the download button/malicious link
or not.

I was wondering whether any of you know of similar projects performed and if
you are kind enough to point me to any relevant links.

Any suggestions regarding the method of distribution (e.g. emails, forums,
IRC, Facebook, MySpace, etc) or the different attack vectors (e.g. virus
message, codec missing messages, etc) or anything else that comes to your
mind will be much appreciated.


Thank you in advance,

Demetris


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually
do a proper penetration test. IACRB CPT and CEPT certs require a full
practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------



