Penetration Testing mailing list archives

Re: proposed pen-test


From: Eric Milam <emilam () coretechsg com>
Date: Tue, 09 Mar 2010 08:44:43 -0800

I don't know if someone already pointed this out, but you are dealing
with enticement versus entrapment.

What you have described is entrapment, because as you state you are
offering "rewards" for the behavior.  You are working hard to induce the
behavior.

If you sent out an e-mail with a link to the new "University Social
Site" that would be fine; everything else from the Social Networking
site is copyright I am sure, and you would need express permission from
them to use it.  (Just look at the bottom of their homepage; I am sure you
will see the CR.)  If you do this, you guys could be in big trouble.

Send them the USB key with a note that says it's free, but not to use on
school property; that is a better test, because you are flushing out the
true people who would do something like that no matter what.  Those are
the ones you really want to catch.  (Because users don't think they'll get
caught for something like that.)

Either way talk to your legal department before doing anything.  My
words are opinion, not recommendation.

Best of Luck,
Eric


On Sun, 2010-03-07 at 11:03 -0800, John Grimes wrote:
Hi--

A consultant firm has recommended to my university's IT department
that we run the following pen-test:

We send, through regular mail, a letter to members of the staff and
faculty that appears to come from a well-known social networking
site; that is, it uses a facsimile of the actual letterhead and
envelope of the site, including the correct return address. In this
letter, we invite the recipient to beta-test a new version of the
social networking site by using the program on the enclosed USB stick.
We offer a gift card to a major online retailer as further inducement.
If any staff member plugs in the USB stick, they will be told in a
pop-up window that they have been duped, and the fact will be logged
to a server at the university.

It seems to us that there are two potential legal problems here:
impersonating the social networking site, and using the US postal
service for a fraudulent, if well-intentioned, purpose. Can anyone
here comment on this?

Beyond the legalities, does this seem like an effective and worthwhile test?

Thanks for any insight.

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------


