Penetration Testing mailing list archives

RE: proposed pen-test


From: "Password Crackers, Inc." <pwcrack () pwcrack com>
Date: Mon, 8 Mar 2010 16:06:59 -0500

-----Original Message-----
From: listbounce () securityfocus com 
[mailto:listbounce () securityfocus com] On Behalf Of John Grimes
Sent: Sunday, March 07, 2010 2:04 PM
To: pen-test () securityfocus com
Subject: proposed pen-test

Hi--

A consultant firm has recommended to my university's IT 
department that we run the following pen-test:

We send, through regular mail, a letter to members of the 
staff and faculty, that appears to come from a well-known 
social networking site, that is, it uses a facsimile of the 
actual letterhead and envelope of the site, including the 
correct return address. In this letter, we invite the 
recipient to beta-test a new version of the social networking 
site by using the program on the enclosed usb stick.
We offer a gift card to a major online retailer as further inducement.
If any staff member plugs in the usb stick, they will be told 
in a pop-up window that they have been duped, and the fact 
will be logged to a server at the university.

It seems to us that there are two potential legal problems here:
impersonating the social networking site, and using the US 
postal service for a fraudulent, if well-intentioned, 
purpose. Can anyone here comment on this?

Beyond the legalities, does this seem like an effective and 
worthwhile test?

Thanks for any insight.

------------------------------------------------------------------------
This list is sponsored by: Information Assurance 
Certification Review Board

Prove to peers and potential employers without a doubt that 
you can actually do a proper penetration test. IACRB CPT and 
CEPT certs require a full practical examination in order to 
become certified. 

http://www.iacertification.org
------------------------------------------------------------------------

I agree that this might be fracturing some postal laws, but I am not sure it
makes a difference.  Let's take this forward one step.  Assume that the
package is sent to 100 faculty and five of them are duped and you know who
they are.  What has been learned or proven?  That social engineering works?
The bottom line is that from a security perspective, you should assume that
all faculty/client machines are already infected or may become so at any
point in the future and build your security around that assumption.  Whether
five, ten, all hundred or none are duped by the test changes nothing.  If
your security is built around an assumption that client machines are all
secure then this is a faulty assumption.  Do you really need a test to prove
that user security awareness is an important factor and that you need to
train your people on security?  I would think that there are better, more
ethical, and more respectful ways of dealing with your faculty and staff who
are not likely to be enthusiastic about your existing plan.

Bob Weiss
President
Password Crackers, Inc.

