From: Terry Vernon (tvernon24@comcast.net)
Date: Tue Feb 07 2006 - 15:53:09 EST
If we're going to fly off topic we may as well include locating external
wire boxes and setting up a passive sniffer using an old laptop somewhere.
There's a line drawn somewhere between contracting a pen test and hiring a
company to send in a james bond-like person who will defeat physical
security and repel down out of the ceiling and snatch the hotswap drives out
of the old company netfinity and then write up a report that says
"see...your network security is penetrable". Under those conditions that old
"only safest computer is in a bunker unplugged blah blah blah" adage
applies.
Every company with client makes up its own guidelines. To me a 'network'
pen-test should include what you can pry out of the company using only a
computer(s) and the internet as 95% of cracked nets happen over the
internet.
In the quest to sound smart in front of our peers we cannot forget reality
and that is this: Majority of crackers are script kiddies and the majority
of crackjobs happen over the internet. The majority of companies looking for
a pen-test don't own information important enough to anybody who would
actually repel down out of their ceiling (or print up badges).
I personally think the extent of the social engineering aspect should be
what you can accomplish remotely, using the phone and email or whatever else
in place. The rest are pipedreams and speculation until the situation
changes.
I WISH a company would call my company asking for a james bond like person
to come penetrate their security. Being a cat burglar without fear of prison
is the equivalent of...i dunno, something awesome.
Who knows, maybe our discussions here will lead to an industry merger
between physical and network security devices. Maybe the IPS of the future
will monitor more than data.
-Terry
-----Original Message-----
From: Pete Herzog [mailto:lists@isecom.org]
Sent: Tuesday, February 07, 2006 8:38 AM
To: Fixer
Cc: Erin Carroll; 'Bob Radvanovsky'; 'Steven'; burzella@inwind.it;
pen-test@securityfocus.com
Subject: Re: Pen-Test and Social Engineering
Hi,
Fixer wrote:
<SNIP>
> Probably one of the best attacks that I've used is as follows:
>
> Create a handful of CDs with some legitimate looking (but totally bogus)
> data on it, an autorun script and a customized backdoor (one that
> on-demand AV won't see).
I don't think I'm the only one who sees this as so dangerous as to be
insane to implement. Any number of problems can happen where once it
leaves the building you are responsible for putting a trojan on systems
you can't clean up. Maybe this is what SONY was trying to do too....
>
> Also, if you want to invest a little more time (and money) into it,
> register a web site and create a simple site. My favorite is to use a
Actually, something like this can be a measurable test. Where you mimic
the employee's credit union site and start phishing to see how many
recognize changes, basic insecurities, and those who also report the
problem. All measurable and very helpful as you can specifically make
the site with exactly the problems you expect them to know to be wary of
(because they've been taught this or have signed off on a contract
saying they read and understand this) and the phishing exercises across
many channels like phone, e-mail, company mail, and in person, to
discover areas requiring improvements.
> Even something as simple as knowing
> what their badges look like can help. It's amazing how simple it is to
> forge an ID badge once you know what they look like. Ten minutes and
> the right hardware and you can make yourself an "employee" of anyone
> from CNN to the DoD (not to pick on them).
I understand where this can be helpful in assisting a type of test but
only if the target is trained to recognize a forged badge.
-pete.
www.isecom.org - www.isestorm.org
----------------------------------------------------------------------------
-- Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 ---------------------------------------------------------------------------- --- ------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:27 EDT