RE: proposed pen-test

Legalities aside, since I'm not a lawyer, what are you trying to prove? This seems like a form of social engineering, which works very well with many companies. If you want to prove something in a SAS70 type of setting, tell everyone NOT to attach any USB stick to their computer. Have them sign a piece of paper stating that they understand not to attach the USB stick and they must bring it to you. Wait a month, then send it out and see how many you get.

At a security conference I attended, our Corporate office handed out USB sticks advertising the new name. There weren't any files on them. When I got up to give my presentation a couple of days later, I waited for all 450 people to quiet down and then I asked, "How many people have attached the USB drives to your laptops, and scanned them for viruses?" You could feel the fear. I told them it was safe, I had tested mine on someone else's laptop. ;)

One more point, then I'll shut up. I would also worry about people inside your organization. The disgruntled worker might bring in a box of USB drives and set them in the cafeteria with a note that says, "Free! Take one!" (I did this as part of a full Pen Test; they were all gone within an hour.)

John Forristel
Intrusion Stop


Date: Sun, 7 Mar 2010 11:03:31 -0800
Subject: proposed pen-test
From: john.k.grimes@xxxxxxxxx
To: pen-test@xxxxxxxxxxxxxxxxx

Hi--

A consultant firm has recommended to my university's IT department
that we run the following pen-test:

We send, through regular mail, a letter to members of the staff and
faculty, that appears to come from a well-known social networking
site, that is, it uses a facsimile of the actual letterhead and
envelope of the site, including the correct return address. In this
letter, we invite the recipient to beta-test a new version of the
social networking site by using the program on the enclosed USB stick.
We offer a gift card to a major online retailer as further inducement.
If any staff member plugs in the USB stick, they will be told in a
pop-up window that they have been duped, and the fact will be logged
to a server at the university.

It seems to us that there are two potential legal problems here:
impersonating the social networking site, and using the US postal
service for a fraudulent, if well-intentioned, purpose. Can anyone
here comment on this?

Beyond the legalities, does this seem like an effective and worthwhile test?

Thanks for any insight.
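The mechanism the consultants describe (a program on the stick shows a "you have been duped" pop-up and logs the event to a university server) has a collection side that is easy to get wrong: one curious user who plugs the stick in five times should count once, and a report carrying a token that was never mailed out should not count at all. The following is an added example, not code from the original post, the consultancy, or the list; it assumes the stick's program is a benign beacon that posts one JSON record to a university-run endpoint, and the token scheme, record format, names and sample log lines are all constructed for illustration. The pop-up itself and how the program gets run on the host are platform-specific and are left out.

```python
"""Collection side of a USB-drop awareness test.

Added example, not code from the list thread. It assumes the program on the
stick is a benign beacon that, after its 'you have been duped' pop-up,
posts one JSON record to a university-run endpoint; the token scheme,
record format and every name below are constructed for illustration.
"""
import json
import secrets
from datetime import datetime, timezone


def issue_tokens(recipients):
    """One random token per addressee: {token: (name, department)}.

    The mapping lives only on the server; the stick carries nothing that
    identifies the person it was mailed to."""
    return {secrets.token_hex(8): r for r in recipients}


def build_report(token, hostname, user, now=None):
    """Record the stick's program sends once it has been run.

    Only what is needed to attribute the plug-in event is collected:
    no file listings, no credentials, no hardware inventory."""
    ts = (now or datetime.now(timezone.utc)).isoformat()
    return json.dumps({"token": token, "host": hostname, "user": user, "ts": ts})


class Collector:
    """Server-side tally: accepts reports only for tokens it issued and
    counts each stick once, however many times it is plugged in."""

    def __init__(self, issued):
        self.issued = issued
        self.seen = {}          # token -> first report for that stick
        self.rejected = []      # lines with unissued tokens or junk

    def record(self, line):
        try:
            rep = json.loads(line)
            token = rep["token"]
        except (ValueError, KeyError, TypeError):
            self.rejected.append(line)
            return "malformed"
        if token not in self.issued:
            self.rejected.append(line)
            return "unknown"     # forged, mistyped or from another exercise
        if token in self.seen:
            return "repeat"      # same stick again; do not inflate the count
        self.seen[token] = rep
        return "new"

    def summary(self):
        """Per department: sticks mailed vs. sticks that phoned home."""
        out = {}
        for token, (_name, dept) in self.issued.items():
            d = out.setdefault(dept, {"issued": 0, "plugged": 0})
            d["issued"] += 1
            if token in self.seen:
                d["plugged"] += 1
        return out


# Constructed sample: three addressees, one stick each, fixed tokens so the
# walk-through is reproducible (issue_tokens() would make random ones).
ISSUED = {
    "1111aaaa2222bbbb": ("A. Lecturer", "History"),
    "3333cccc4444dddd": ("B. Registrar", "Admin"),
    "5555eeee6666ffff": ("C. Sysadmin", "IT"),
}

# Constructed log lines as the endpoint would receive them: one stick used
# twice, one token that was never issued, one junk line.
SAMPLE_LINES = [
    build_report("1111aaaa2222bbbb", "hist-pc-07", "alecturer",
                 datetime(2010, 3, 8, 9, 12, tzinfo=timezone.utc)),
    build_report("1111aaaa2222bbbb", "hist-pc-07", "alecturer",
                 datetime(2010, 3, 8, 9, 40, tzinfo=timezone.utc)),
    build_report("deadbeefdeadbeef", "unknown-laptop", "guest",
                 datetime(2010, 3, 8, 10, 0, tzinfo=timezone.utc)),
    "not json at all",
]


def run_sample():
    """Feed the sample lines through a Collector; returns (outcomes, summary)."""
    c = Collector(ISSUED)
    outcomes = [c.record(line) for line in SAMPLE_LINES]
    return outcomes, c.summary()


if __name__ == "__main__":
    print(run_sample())
```

Two design points matter for the test's credibility: the token-to-recipient map stays on the server, so a stick that ends up in the wrong hands reveals nothing about whom it was mailed to, and the beacon deliberately collects only enough to attribute the event, which is what you would want to be able to show if a recipient (or the impersonated site) later asks what the program did on their machine.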

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------
