Penetration Testing mailing list archives

RE: proposed pen-test


From: Gorgon Beast <gorgonbeast () hotmail com>
Date: Tue, 9 Mar 2010 16:24:39 -0800


Legalities aside, since I'm not a lawyer, what are you trying to prove?  This seems like a form of social engineering, 
which works very well with many companies.  If you want to prove something in a SAS70 type of setting, tell everyone 
NOT to attach any USB stick to their computer.  Have them sign a piece of paper stating that they understand not to 
attach the USB stick and they must bring it to you.  Wait a month, then send it out and see how many you get.
 
At a security conference I attended, our Corporate office handed out USB sticks advertising the new name.  There 
weren't any files on them.  When I got up to give my presentation a couple of days later, I waited for all 450 people 
to quiet down and then I asked, "How many people have attached the USB drives to your laptops, and scanned them for 
viruses?"  You could feel the fear.  I told them it was safe, I had tested mine on someone else's laptop.  ;)  
 
One more point then I'll shut up.  I would also worry about people inside your organization.  The disgruntled worker 
might bring in a box of USB drives and set them in the cafeteria with a note that says, "Free!  Take one!"  (I did this 
as part of a full Pen Test; they were all gone within an hour.)
 
John Forristel
Intrusion Stop
 
 
Date: Sun, 7 Mar 2010 11:03:31 -0800
Subject: proposed pen-test
From: john.k.grimes () gmail com
To: pen-test () securityfocus com

Hi--

A consultant firm has recommended to my university's IT department
that we run the following pen-test:

We send, through regular mail, a letter to members of the staff and
faculty, that appears to come from a well-known social networking
site, that is, it uses a facsimile of the actual letterhead and
envelope of the site, including the correct return address. In this
letter, we invite the recipient to beta-test a new version of the
social networking site by using the program on the enclosed usb stick.
We offer a gift card to a major online retailer as further inducement.
If any staff member plugs in the usb stick, they will be told in a
pop-up window that they have been duped, and the fact will be logged
to a server at the university.

It seems to us that there are two potential legal problems here:
impersonating the social networking site, and using the US postal
service for a fraudulent, if well-intentioned, purpose. Can anyone
here comment on this?

Beyond the legalities, does this seem like an effective and worthwhile test?

Thanks for any insight.

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------