Penetration Testing mailing list archives
RE: proposed pen-test
From: "Password Crackers, Inc." <pwcrack () pwcrack com>
Date: Mon, 8 Mar 2010 16:06:59 -0500
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of John Grimes
Sent: Sunday, March 07, 2010 2:04 PM
To: pen-test () securityfocus com
Subject: proposed pen-test

Hi--

A consultant firm has recommended to my university's IT department that we run the following pen-test:

We send, through regular mail, a letter to members of the staff and faculty that appears to come from a well-known social networking site, that is, it uses a facsimile of the actual letterhead and envelope of the site, including the correct return address. In this letter, we invite the recipient to beta-test a new version of the social networking site by using the program on the enclosed USB stick. We offer a gift card to a major online retailer as further inducement. If any staff member plugs in the USB stick, they will be told in a pop-up window that they have been duped, and the fact will be logged to a server at the university.

It seems to us that there are two potential legal problems here: impersonating the social networking site, and using the US postal service for a fraudulent, if well-intentioned, purpose. Can anyone here comment on this?

Beyond the legalities, does this seem like an effective and worthwhile test?

Thanks for any insight.

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------
I agree that this might be fracturing some postal laws, but I am not sure it makes a difference. Let's take this forward one step. Assume that the package is sent to 100 faculty and five of them are duped and you know who they are. What has been learned or proven? That social engineering works?

The bottom line is that from a security perspective, you should assume that all faculty/client machines are already infected or may become so at any point in the future and build your security around that assumption. Whether five, ten, all hundred or none are duped by the test changes nothing. If your security is built around an assumption that client machines are all secure then this is a faulty assumption.

Do you really need a test to prove that user security awareness is an important factor and that you need to train your people on security? I would think that there are better, more ethical, and more respectful ways of dealing with your faculty and staff, who are not likely to be enthusiastic about your existing plan.

Bob Weiss
President
Password Crackers, Inc.
Current thread:
- proposed pen-test John Grimes (Mar 08)
- Re: proposed pen-test Tracy Reed (Mar 08)
- RE: proposed pen-test Password Crackers, Inc. (Mar 08)
- Re: proposed pen-test John Kinsella (Mar 08)
- Re: proposed pen-test Steve Friedl (Mar 11)
- Re: proposed pen-test Matt Gardenghi (Mar 11)
- Re: proposed pen-test Steve Friedl (Mar 11)
- Re: proposed pen-test Terry Cutler (Mar 08)
- Re: proposed pen-test Shohn Trojacek (Mar 08)
- RE: proposed pen-test Gorgon Beast (Mar 11)
- Re: proposed pen-test Eric Milam (Mar 11)
- <Possible follow-ups>
- Re: proposed pen-test krymson (Mar 08)