RE: Pen-Test and Social Engineering

From: Erin Carroll (amoeba@amoebazone.com)
Date: Mon Feb 06 2006 - 23:07:21 EST

Interesting points Bob. A couple of thoughts inline

> Thus, based upon its very nature as being subjective, it
> could be concluded that SE is not a part of, or subset to,
> penetration testing and analysis. However, if someone were
> to define specific weights, based upon an interrogative
> matrix (specific questions to be asked to targeted
> individuals, and the anticipated types of responses -- all
> are weighed), might similarly be concluded as being more
> objective, rather than subjective. The federal government is
> very good at interrogative functions, esp. certain law
> enforcement branches, such as the NSA, CIA, and the FBI.

Is anyone aware of such a matrix being put to use specifically for
pen-testing purposes? While there may be some debate about the relative
merits and legal consequences of social engineering, I don't believe anyone
with some understanding of the subject would state that SE isn't a viable
tool if correctly applied. Most of the posts on this subject thus far have
centered around the questions of the legitimacy of SE for inclusion with the
technical tools we utilize. I'm wondering if any list members would care to
share some actual cases where SE has been used and their methodology.

> So...though it may not appear as conclusive, much of its
> very being depends upon how it is set up, how it is utilized,
> what are the expected or anticipated goals, and how is the
> information (once obtained) utilized -- all of which may be
> considered a form of social testing of targeted or selected
> groups of individuals (and their affiliated organizations).

Sometimes social engineering isn't tricking someone into revealing data,
sometimes it can be as simple as knowing they'll follow their normal
procedures, no matter how security-conscious they may be, and exploiting it.

Another list member mentioned targeted email as one SE technique. Here's an
example which exploited targeted email and a predictable response to get
specific information. (Bear in mind that this is a purposefully watered down
version of events for NDA and other considerations):

A couple years back I was hired to track down a person committing libel,
fraud, and possible corporate espionage for a particular company.
Essentially they needed someone to hack the cracker and provide enough
evidence to proceed with arrest and court proceedings. The activities of
this individual were costing said company an estimated million dollars plus
per month. All that was really known for sure about the perpetrator was a
yahoo email address and an internationally hosted web site set up to compete
with the company. Attempts by the company to track the person were blocked
by various methods (blackholing of web access from the corp to the site,
bouncing emails etc., including personal addresses and IPs when they
attempted it outside the company network). This indicated some method of
tracking being used and I figured I'd use it against him.

This is where the predictable SE aspect came in - I sent him an email
requesting some information related to his business as a potential client
and included an embedded webbug hidden as a 1x1 pixel transparent .gif.
Following the IP the webbug reported to when the email was opened I was able
to access the server, grab a database of all transactions/communications he
had helpfully kept a log of, and other incriminating data. He was arrested
and charged.

--
Erin Carroll
Moderator
SecurityFocus pen-test list
"Do Not Taunt Happy-Fun Ball" 
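The web bug described in the post above, seen from the receiving side: an added example (not code from the original post or its author) that scans an HTML mail body for remote images that look like tracking pixels, so a mail gateway or client can strip or flag them before they are fetched. The allow-list `TRUSTED_IMAGE_HOSTS` and the sample message are constructed for the example.

```python
# Added example: flag likely tracking pixels ("web bugs") in an HTML e-mail.
# Standard library only. TRUSTED_IMAGE_HOSTS and SAMPLE_MAIL are constructed.
from html.parser import HTMLParser
import re

# Hypothetical allow-list of hosts whose images are not treated as beacons.
TRUSTED_IMAGE_HOSTS = {"cdn.example.com"}


class _ImgCollector(HTMLParser):
    """Collects the attribute dict of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _tiny(value):
    """True for a width/height attribute of 0 or 1 (optional 'px' suffix)."""
    m = re.fullmatch(r"\s*(\d+)\s*(px)?\s*", value or "")
    return bool(m) and int(m.group(1)) <= 1


def find_tracking_pixels(html):
    """Return src URLs of remote images that look like tracking pixels.

    An image is flagged when it is loaded from a remote host (so opening the
    mail reveals the reader's IP address and the time of opening) AND it is
    either 1x1 / 0x0 in size or hidden through inline CSS. Inline (cid:) images
    and images from allow-listed hosts are ignored.
    """
    parser = _ImgCollector()
    parser.feed(html)
    hits = []
    for img in parser.images:
        src = img.get("src", "")
        m = re.match(r"https?://([^/]+)", src, re.I)
        if not m or m.group(1).lower() in TRUSTED_IMAGE_HOSTS:
            continue
        style = img.get("style", "").lower().replace(" ", "")
        hidden = "display:none" in style or "visibility:hidden" in style
        tiny = (_tiny(img.get("width")) and _tiny(img.get("height"))) or bool(
            re.search(r"(width|height):[01]px", style))
        if tiny or hidden:
            hits.append(src)
    return hits


# Constructed sample: one inline logo, one allow-listed banner, two beacons.
SAMPLE_MAIL = """<html><body><p>Hello, we are interested in your services.</p>
<img src="cid:logo@local" width="200" height="60">
<img src="https://cdn.example.com/banner.png" width="600" height="100">
<img src="http://tracker.example.net/open.gif?id=abc123" width="1" height="1">
<img src="https://beacon.example.org/p.png" style="display: none">
</body></html>"""
```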


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:27 EDT