Penetration Testing mailing list archives

Re: proposed pen-test


From: Matt Gardenghi <mtgarden () gmail com>
Date: Thu, 11 Mar 2010 18:03:46 -0500

I'd vote that you don't do this. It's cool, but a waste of your time. Unless you work for DOE and this is to prevent a similar event from Chinese or Russian spies, then you should do it.

Anyone can build such an elaborate scheme that you will eventually fall for it. Realistically, you want to protect your users from the average attacks, not the super well-constructed spear-phishing attacks. Yeah, you need to cover those, but what is more likely in your environment: rogue AV or spear-phishing via snail mail? Which will get more bang for the buck?

I'd vote that you set up a variety of electronic scams (use SET for one site), use XSS somewhere with a crafted email, etc. Teach them to intelligently determine if a scam is being thrust upon them. The goal is to educate them, not "catch them." We want them to escape.

Matt

On 3/9/2010 1:28 AM, Steve Friedl wrote:
On Mon, Mar 08, 2010 at 12:43:20PM -0800, John Kinsella wrote:
I'll guarantee that real attackers won't worry about the legalities of
impersonation or using the postal service for fraud...who would sue in
the pentest example?
Nobody, because a pen-test is not *actual* fraud, and there is no
actual damage.

There are all kinds of Postal Service rules, such as it being illegal to
open somebody else's mail, but when you dig in, you find that opening
the mail of a previous resident for the purposes of tracking them down
or informing the sender, is NOT illegal.

Fraud requires an actual intent to defraud; saying "gotcha"
is not the same as defrauding.

This may draw some attention, but if you have your approvals in order
and you are scrupulous about not abusing any actual personal data you come
across, you'll be fine.

... and I suspect you'll get plenty of customers - please do let us know
if you try this.

Steve

---
Stephen J Friedl  | Security Consultant |  UNIX Wizard  | 714 694-0494
steve () unixwiz net | Orange County, CA   | Microsoft MVP |  unixwiz.net

I doubt the social engineering network wants to
draw attention to the topic, and I'd hope they would appreciate using
the results to educate your users...I also suspect it's too small of a
fish to fry to the USPS...

John

On Mar 7, 2010, at 11:03 AM, John Grimes wrote:

Hi--

A consultant firm has recommended to my university's IT department
that we run the following pen-test:

We send, through regular mail, a letter to members of the staff and
faculty that appears to come from a well-known social networking
site, that is, it uses a facsimile of the actual letterhead and
envelope of the site, including the correct return address. In this
letter, we invite the recipient to beta-test a new version of the
social networking site by using the program on the enclosed USB stick.
We offer a gift card to a major online retailer as further inducement.
If any staff member plugs in the USB stick, they will be told in a
pop-up window that they have been duped, and the fact will be logged
to a server at the university.

It seems to us that there are two potential legal problems here:
impersonating the social networking site, and using the US postal
service for a fraudulent, if well-intentioned, purpose. Can anyone
here comment on this?

Beyond the legalities, does this seem like an effective and
worthwhile test?

Thanks for any insight.
------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------


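The mechanism John Grimes describes (a program on the stick that shows a "you have been duped" message and logs the event to a university server), built with Steve Friedl's caveat about personal data and Matt's "educate, don't catch" point in mind. This is an added example for the thread, not code from the consultant, the university or any poster. Each stick carries only an opaque HMAC token; the token-to-recipient table stays on the logging server, so a lost or forwarded stick reveals nothing about who it was mailed to. The recipient IDs, the secret and the endpoint path are assumptions for illustration, and the pop-up is reduced to a returned message string.

```python
"""Added example (not code from the thread): a logging beacon for a mailed
USB awareness test. Sticks carry an opaque per-recipient token; only the
server can map a token back to a person. Names, secret and URL are assumed."""
import hashlib
import hmac
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumption: a per-campaign random secret that lives only on the server.
SERVER_SECRET = b"replace-with-a-per-campaign-random-secret"


def token_for(recipient_id: str) -> str:
    """Opaque per-stick token: an HMAC of the recipient id, so the stick
    itself carries no name or e-mail address."""
    mac = hmac.new(SERVER_SECRET, recipient_id.encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def build_manifest(recipient_ids):
    """Server-side token -> recipient table; never copied onto the sticks."""
    return {token_for(r): r for r in recipient_ids}


class BeaconStore:
    """Records which tokens phoned home. Unknown tokens are rejected so that
    random probes of the endpoint cannot pollute the results."""

    def __init__(self, manifest):
        self.manifest = manifest
        self.hits = {}  # token -> number of times the stick was run
        self._lock = threading.Lock()

    def record(self, token):
        with self._lock:
            if token not in self.manifest:
                return False
            self.hits[token] = self.hits.get(token, 0) + 1
            return True


def make_handler(store):
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            # Expected path: /beacon/<token>; anything else is a 404.
            parts = self.path.strip("/").split("/")
            ok = len(parts) == 2 and parts[0] == "beacon" and store.record(parts[1])
            body = b"ok" if ok else b"unknown"
            self.send_response(200 if ok else 404)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):
            pass  # keep the demo quiet; the store is the record of hits

    return Handler


def start_server(store):
    """Bind the logging endpoint on an ephemeral localhost port (assumed)."""
    srv = HTTPServer(("127.0.0.1", 0), make_handler(store))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


DISCLOSURE = (
    "This USB stick was part of an authorised security awareness test run by "
    "your IT department. Nothing was installed. Please report unexpected mail "
    "or media to the help desk."
)


def run_payload(base_url, token):
    """What the stick does when run: phone home with its token, then show the
    disclosure and nothing else. Returns (logged, message_to_display)."""
    try:
        with urllib.request.urlopen(f"{base_url}/beacon/{token}", timeout=5) as r:
            logged = r.read() == b"ok"
    except urllib.error.HTTPError:
        logged = False
    return logged, DISCLOSURE


def report(store):
    """Aggregate result. Recipients are resolved only here, server side, and
    only so that the people who plugged in can be offered training."""
    total = len(store.manifest)
    plugged = sorted(store.manifest[t] for t in store.manifest if t in store.hits)
    rate = (len(plugged) / total) if total else 0.0
    return {"recipients": total, "plugged_in": len(plugged), "rate": rate,
            "for_training": plugged}


if __name__ == "__main__":
    # Constructed demo: three recipients, one stick run twice, one bogus probe.
    store = BeaconStore(build_manifest(["staff-001", "staff-002", "staff-003"]))
    srv = start_server(store)
    base = f"http://127.0.0.1:{srv.server_address[1]}"
    print(run_payload(base, token_for("staff-002")))
    print(run_payload(base, "not-a-real-token"))
    print(report(store))
    srv.shutdown()
```

Two design points worth keeping if this is ever built for real: the stick should do nothing beyond the beacon and the disclosure (no enumeration of the host, no persistence), and the report should be consumed as a hit rate for the awareness programme rather than as a list of names for discipline, which is the educate-not-catch outcome Matt argues for.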

