Penetration Testing mailing list archives
RE: Pen-Test and Social Engineering
From: "Erin Carroll" <amoeba () amoebazone com>
Date: Mon, 6 Feb 2006 20:07:21 -0800
Interesting points, Bob. A couple of thoughts inline.
> Thus, based upon its very nature as being subjective, it could be concluded that SE is not a part of, or subset to, penetration testing and analysis. However, if someone were to define specific weights, based upon an interrogative matrix (specific questions to be asked to targeted individuals, and the anticipated types of responses -- all are weighed), it might similarly be concluded as being more objective, rather than subjective. The federal government is very good at interrogative functions, esp. certain law enforcement branches, such as the NSA, CIA, and the FBI.
Is anyone aware of such a matrix being put to use specifically for pen-testing purposes? While there may be some debate about the relative merits and legal consequences of social engineering, I don't believe anyone with some understanding of the subject would state that SE isn't a viable tool if correctly applied. Most of the posts on this subject thus far have centered around the questions of the legitimacy of SE for inclusion with the technical tools we utilize. I'm wondering if any list members would care to share some actual cases where SE has been used and their methodology.
> So...though it may not appear as conclusive, much of its very being depends upon how it is set up, how it is utilized, what are the expected or anticipated goals, and how is the information (once obtained) utilized -- all of which may be considered a form of social testing of targeted or selected groups of individuals (and their affiliated organizations).
Sometimes social engineering isn't tricking someone into revealing data; sometimes it can be as simple as knowing they'll follow their normal procedures, no matter how security-conscious they may be, and exploiting it. Another list member mentioned targeted email as one SE technique. Here's an example which exploited targeted email and a predictable response to get specific information. (Bear in mind that this is a purposefully watered down version of events for NDA and other considerations.)

A couple years back I was hired to track down a person committing libel, fraud, and possible corporate espionage for a particular company. Essentially they needed someone to hack the cracker and provide enough evidence to proceed with arrest and court proceedings. The activities of this individual were costing said company an estimated million dollars plus per month. All that was really known for sure about the perpetrator was a Yahoo email address and an internationally hosted web site set up to compete with the company. Attempts by the company to track the person were blocked by various methods (blackholing of web access from the corp to the site, bouncing emails, etc., including personal addresses and IPs when they attempted it outside the company network). This indicated some method of tracking being used and I figured I'd use it against him.

This is where the predictable SE aspect came in - I sent him an email requesting some information related to his business as a potential client and included an embedded web bug hidden as a 1x1 pixel transparent .gif. Following the IP the web bug reported to when the email was opened, I was able to access the server, grab a database of all transactions/communications he had helpfully kept a log of, and other incriminating data. He was arrested and charged.

--
Erin Carroll
Moderator
SecurityFocus pen-test list
"Do Not Taunt Happy-Fun Ball"
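The web bug Erin describes works because the reader's mail client fetches a remote image on open, handing the sender an IP address and a timestamp. The following is an added example, not code from the original post: a small Python heuristic a defender can run over an HTML mail body to flag remote images, and in particular 1x1 or hidden ones, before they are fetched. The sample message body and hostnames are constructed for the example.

```python
"""Flag likely tracking pixels ("web bugs") in an HTML e-mail body.

Added example, not from the original post. Heuristic: a remote image
(http/https src) that is 1x1 or hidden via inline style is the classic
web bug; any remote image leaks the reader's IP and open time to the
image host as soon as the mail client fetches it.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message body (not a real e-mail); hostnames are placeholders.
SAMPLE_HTML = """
<html><body>
<p>Thanks for your interest, please find our price list attached.</p>
<img src="https://cdn.example.test/logo.png" width="120" height="40">
<img src="https://track.example.test/open?id=abc123" width="1" height="1">
<img src="https://track.example.test/px.gif" style="display:none;width:1px;height:1px">
<img src="cid:inline-image-001" width="1" height="1">
</body></html>
"""

class _ImgCollector(HTMLParser):
    """Collect the attribute dict of every <img> tag in document order."""
    def __init__(self):
        super().__init__()
        self.images = []
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})

def _is_tiny(attrs):
    """True when width/height attributes or inline CSS make the image 1px or hidden."""
    w, h = attrs.get("width", "").strip(), attrs.get("height", "").strip()
    if w in ("0", "1") and h in ("0", "1"):
        return True
    style = attrs.get("style", "").lower()
    return bool(re.search(r"display\s*:\s*none|(width|height)\s*:\s*[01]px", style))

def find_web_bugs(html):
    """Return (src, reason) for each image that should be blocked or reviewed."""
    parser = _ImgCollector()
    parser.feed(html)
    findings = []
    for img in parser.images:
        src = img.get("src", "")
        remote = urlparse(src).scheme.lower() in ("http", "https")
        if remote and _is_tiny(img):
            findings.append((src, "remote tracking pixel"))
        elif remote:  # cid: and data: images are delivered with the mail and fetch nothing
            findings.append((src, "remote image; fetch reveals IP and open time"))
    return findings
```

Blocking or proxying remote image loads at the mail client or gateway is the mitigation; the heuristic only tells you which messages are trying to phone home.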