RE: Email Pen-testing

From: Reava, Jeffrey (jeffrey.reava@pfizer.com)
Date: Sun Mar 21 2004 - 23:32:41 EST


"Doing a pen-test...A friend of mine suggested [sending] a backdoor
trojan attachment via an email. If they clicked on it, the backdoor
performs [miscellaneous evil things] ... I think this type of testing is
becoming more relevant nowadays, especially with what's out there..."

>> Absolutely more relevant. Why would an attacker do any more work than
they have to in order to get what they want? Every organization with
assets worth protecting should fully expect that they're going to get
Googled, their staff and operations profiled, and their end users
attacked directly. It happened to Valve software last September, rather
spectacularly: http://mac.ign.com/articles/453/453038p1.html?fromint=1

"I spoke with a previous customer of mine about the idea. He said he
would be very upset if he was not told prior to that type of test as
part of normal pen-testing...Generally speaking, my code of ethics
doesn't allow me to social engineer. I don't like lying and misleading
people. Also people tend to hate you after they've been punk'd."

>> With the IE and Outlook holes, it may not even be necessary to
socially engineer anyone. You'd just need a small number of "high value"
targets to send messages to.

"What are your ideas on the email pen-testing?"

>> Even if it puts the success of your efforts at risk, I think you need
to get permission to go this road. You can still mine for information
without lying, but walking that line will take some serious effort.
Check out http://www.csoonline.com/read/050103/snooping.html

If you make people feel stupid, they'll definitely hate you. But if you
approach it within some reasonable bounds and they give you small pieces
that individually appear innocent and yet make your technical attack
much more focused and effective, your client will benefit by recognizing
the problem because the gap in their policies and practices will be
painfully evident.

Jeff

