Penetration Testing mailing list archives
RE: Pen-Test and Social Engineering
From: "Lyal Collins" <lyal.collins () key2it com au>
Date: Tue, 7 Feb 2006 17:54:29 +1100
Just my 20 cents worth... Not all attackers are created equal, nor do they think the same way. Many attackers prefer to remain 'invisible' if possible, avoiding or minimising the likelihood of being caught and successfully prosecuted/disciplined - a distinctly higher risk in SE situations. Many but not all SE attacks require a presence in the same town, building, floor, or even office area. This increases the risk of being caught on prosecuted - the physicial evidence is much easier to collect and present to a court Often, a good command of the target company's spoken language (English, Italian, French etc) is essential to 'fit in' sufficiently for the attack. As part of the risk profile of the company, SE is just one avenue of attack to be mitigated. If SE becomes too hard, then attacks prevalence wills wing to non-SE methods. Lyal -----Original Message----- From: Dhruv Soi [mailto:dhruv_ymca () yahoo com] Sent: Tuesday, 7 February 2006 5:00 AM To: Ratna Kumar; wolfiroc () earthlink net; burzella () inwind it; pen-test () securityfocus com Subject: Re: Pen-Test and Social Engineering In a real scenario, when some attacker wants to gain access and there is a option to ask the passwords from employees, then why to spend time in understanding, scanning and exploiting the infra.. Same way if an attacker can enter the premises of Target Company then why to waste time in asking the password and downloading the data. Wherein attacker can enter into premises, detach the hard disk and take that away. Looks crazy but that's possible if the value of that data in hard drive is known to attacker. Another option suggested by KK about putting a wireless AP in LAN and then roaming in target network by connecting through laptop and sitting in car from parking area. In any of above-mentioned attacks, network and threats didn't even come into picture and company might face huge information/reputation/financial loss. And social engineering is an easy option to attack a network. no problem of IDS, no fear of being tracked by log analysis while attacking. Some attackers try to take out the information of network and internal devices by calling the IT staff and pretending like a sales guy who is trying to sell a log analyzer or IDS. There are many other tricky options to utilize social engineering.... But yes there is an equal importance to security health check of servers/network devices. You can't rely by securing yourself from only one of attacking scenario (Social engineering, Network threats.). You need to protect yourself both of the attacks. Many companies educate their employees about social engineering attacks including their front desk officers, office boys, security guards etc. Moreover, companies got policies in place about sharing of credentials by employees. And companies get those policy documents signed from their employees. Including social engineering in pen-test one can understand that the training that was provided to employees didn't go waste and employees are still in compliance. cheers! -D --- Ratna Kumar <ratnakumarch () visualsoft-tech com> wrote:
Hi All, I agree with you all,but social engineering is a altogether a different game. It is possible to exploit an individual provided there is a threat on the target network? PT results can be used to build Social Engineering ?? Thank you, Regards, Ratna Kumar ----- Original Message ----- From: "Michael Mooney" <wolfiroc () earthlink net> To: <burzella () inwind it>; <pen-test () securityfocus com> Sent: Monday, February 06, 2006 12:02 AM Subject: RE: Pen-Test and Social EngineeringMost certainly. Social engineering is anexcellent way of doing a reconof your target. It's amazing that, despite all thepress and warning, peoplewill still "give up" the information requested ifyou sound official orappear to be helping them. Human nature, buthuman nature can help youidentify what can "kill" the system.[Original Message] From: <burzella () inwind it> To: <pen-test () securityfocus com> Date: 2/5/2006 1:02:07 PM Subject: Pen-Test and Social Engineering Hi In yuor opinion, can a Social Engineering test beconsidered part of aPen-Test?Thanks
----------------------------------------------------------------------------
--Audit your website security with Acunetix WebVulnerability Scanner:Hackers are concentrating their efforts onattacking applications on yourwebsite. Up to 75% of cyber attacks are launchedon shopping carts,forms,login pages, dynamic content etc. Firewalls, SSLand locked-down serversarefutile against web application hacking. Checkyour website forvulnerabilitiesto SQL injection, Cross site scripting and otherweb attacks beforehackers do!Download Trial at:http://www.securityfocus.com/sponsor/pen-test_050831
----------------------------------------------------------------------------
---
---------------------------------------------------------------------------- --
Audit your website security with Acunetix WebVulnerability Scanner:Hackers are concentrating their efforts onattacking applications on yourwebsite. Up to 75% of cyber attacks are launchedon shopping carts, forms,login pages, dynamic content etc. Firewalls, SSLand locked-down serversare futile against web application hacking. Check yourwebsite forvulnerabilities to SQL injection, Cross site scripting and otherweb attacks beforehackers do! Download Trial at:http://www.securityfocus.com/sponsor/pen-test_050831
---------------------------------------------------------------------------- ---
---------------------------------------------------------------------------- --
Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831
---------------------------------------------------------------------------- ---
__________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com ---------------------------------------------------------------------------- -- Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 ---------------------------------------------------------------------------- --- ------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
Current thread:
- Re: Pen-Test and Social Engineering, (continued)
- Re: Pen-Test and Social Engineering Louis Lerman (Feb 05)
- Re: Pen-Test and Social Engineering Fixer (Feb 05)
- Re: Pen-Test and Social Engineering Sysmin Sys73m47ic (Feb 05)
- Re: Pen-Test and Social Engineering Serg Belokamen (Feb 05)
- RE: Pen-Test and Social Engineering Terry Vernon (Feb 05)
- Re: Pen-Test and Social Engineering Tim (Feb 06)
- Re: Pen-Test and Social Engineering Francisco Pecorella (Feb 06)
- RE: Pen-Test and Social Engineering Michael Mooney (Feb 05)
- Re: Pen-Test and Social Engineering Ratna Kumar (Feb 05)
- Re: Pen-Test and Social Engineering Dhruv Soi (Feb 06)
- RE: Pen-Test and Social Engineering Lyal Collins (Feb 07)
- Re: Pen-Test and Social Engineering Ratna Kumar (Feb 05)
- Re: Pen-Test and Social Engineering jalvare7 (Feb 06)
- Re: Pen-Test and Social Engineering Bob Radvanovsky (Feb 06)
- Re: Pen-Test and Social Engineering Pete Herzog (Feb 06)
- RE: Pen-Test and Social Engineering Erin Carroll (Feb 06)
- Re: Pen-Test and Social Engineering Fixer (Feb 06)
- Re: Pen-Test and Social Engineering Pete Herzog (Feb 07)
- RE: Pen-Test and Social Engineering Terry Vernon (Feb 07)
- RE: Pen-Test and Social Engineering Leif Ericksen (Feb 08)
- Re: Pen-Test and Social Engineering Pete Herzog (Feb 08)
- Re: Pen-Test and Social Engineering Volker Tanger (Feb 08)