Re: Email Pen-testing

From: Rainer Duffner (rainer_at_ultra-secure.de)
Date: 03/23/04

    Date: Tue, 23 Mar 2004 17:45:38 +0100
    To: Michael Richardson <mcr@sandelman.ottawa.on.ca>

    Michael Richardson wrote:

    >-----BEGIN PGP SIGNED MESSAGE-----
    >
    >>>>>> "Blake" == Blake <netspan@hotmail.com> writes:
    >
    > Blake> of normal pen-testing. Generally speaking, my code of
    > Blake> ethics doesn't allow me to social engineer. I don't like
    >
    > Well, trojan'ed email that needs to be double-clicked *IS* social
    > engineering.

    In my old company, the CxO once sent out an email with an .exe
    attachment and instructions that could be summarized with "double-click
    this file".
    To add insult to irony, it was, of all things, a new AUP that had to be
    accepted by everybody.
    The funny thing is that mails by "higher-ups" always looked like they
    were faked anyway (headers faked/munged, so that the
    idiots^H^H^H^H^H^Husers who clicked "Reply All" wouldn't swamp the CxO's
    mailbox.)

    It's moments like those (how long did /you/ train your users *not* to
    click on .exe-attachments, even if it seems to come from a well known
    person?), that make me want to sentence these people to two months
    with only ksh, vi and elm on a box with no X.

    Nowadays, they're big in "homeland security". Go figure.

    So, who needs social engineering, if you have chief executives ?

    Rainer

