Penetration Testing mailing list archives

Re: proposed pen-test


From: Shohn Trojacek <trojacek () gmail com>
Date: Mon, 8 Mar 2010 17:16:54 -0600

I haven't thought this very far through, but wanted to comment that
this is hilarious for many reasons. I can imagine the look of surprise
on the user's face.

I'm not sure there would be a whole lot of value in performing this
unless your users have been trained quite well in this area. I'm
operating under the presumption that this is a "normal" user
population not used to security protocols and such. In other words,
I'd probably spend my money on training instead, but that is just me
and I don't know the particulars. Of course, if done regularly it
could provide invaluable training. The shock and awe would only have
to happen once for each user in many cases for them to pay more
attention to such things.

Shohn

On Sun, Mar 7, 2010 at 1:03 PM, John Grimes <john.k.grimes () gmail com> wrote:
Hi--

A consultant firm has recommended to my university's IT department
that we run the following pen-test:

We send, through regular mail, a letter to members of the staff and
faculty, that appears to come from a well-known social networking
site, that is, it uses a facsimile of the actual letterhead and
envelope of the site, including the correct return address. In this
letter, we invite the recipient to beta-test a new version of the
social networking site by using the program on the enclosed USB stick.
We offer a gift card to a major online retailer as further inducement.
If any staff member plugs in the USB stick, they will be told in a
pop-up window that they have been duped, and the fact will be logged
to a server at the university.

It seems to us that there are two potential legal problems here:
impersonating the social networking site, and using the US Postal
Service for a fraudulent, if well-intentioned, purpose. Can anyone
here comment on this?

Beyond the legalities, does this seem like an effective and worthwhile test?

Thanks for any insight.

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------
