Archive | March, 2006

Should Social Engineering be a part of Penetration Testing?

Find your website's Achilles' Heel


This is actually a very interesting debate.

Just to introduce if you don’t know..

What is Penetration Testing

A penetration test is a method of evaluating the security of a computer system or network by simulating an attack by a malicious cracker. The process involves an active analysis of the system for any weaknesses, technical flaws or vulnerabilities. This analysis is carried out from the position of a potential attacker, and can involve active exploitation of security vulnerabilities. Any security issues that are found will be presented to the system owner together with an assessment of their impact and often with a proposal for mitigation or a technical solution.

Wikipedia

What is Social Engineering

It’s a bit cheesy, but we often call this hacking the wetware (hardware, software and wetware meaning people).

Social Engineering is a form of intrusion making use of weaknesses in the non-technical aspects of the system, the wetware also known as people. A common phrase would be ‘Con man’, the most well known form of social engineering. In the technological realm, social engineering relates to unauthorized access of computing resources or network by exploiting human weaknesses.

In the historical sense con men would engineer their way into certain resources, someone’s bank account, shoe box under the bed and so on. In this context the social engineer would target someone that is authorized to use the network, or resource they wish to access and attempt to leverage some confidential information out of them that would compromise the network security.

This is what Mitnick was famous for, and what his book The Art of Deception is about.

I’ll probably cover this more later.

Does Social Engineering have a place in Penetration Testing?

Some people say yes, it’s the most effective way..Actually I’ve found this true, the human element and the lack of education in the workplace is often the weakest link in the chain.

Does it have any place in security testing, I would say definately yes. Some people would say perhaps it should be a seperate project, not in the ‘technical’ assessment of a security perimeter.

Or course it depends on the scope given by the client, but it should be part of any good Penetration Test or Vulnerability Assessment.

Why Social Engineering Should be in a Pen Test

For me whatever you do to get into the network, or escalate your access is part of a pen-test. If you are able to get users to divulge some kind of information that assists you in compromising or gaining access to something, then you are doing exactly what a real attacker would have been able to do. You might be able to trick them into telling you something via phone or e-mail, get them to physically do something like open a door or unlock a machine, or get them to run an executable or disable a firewall. You might be able to get them to do under false pretenses, through their own ignorance or carelessness, or by other means. Whatever you do can be considered part of a pen-test.

Many recent studies have shown people are still incredibly gullible and especially when presented with a ‘Free CD‘ or something, they will happily put it in their drive and run it.

This mean in reality social engineering is an easy option to attack a network no problem of IDS, no fear of being tracked by log analysis while attacking. Some attackers try to take out the information of network and internal devices bycalling the IT staff and pretending like a sales guy who is trying to sell a log analyzer or IDS. They will often say “No we don’t need a new Firewall we already have a Cisco PIX”.

Why Social Engineering Shouldn’t be in a Pen Test

Some would say social engineering is a altogether a different game, the pen testing results could be used to socially engineer someone within the company, perhaps an extension of the pen-test rather than a part of it.

The target of the pen-test might be in a physically different location (Makes the SE more difficult) or the native language of the target may be different (Makes the SE pretty much impossible).

Some people say don’t bother, because you WILL suceed with social engineering.

The main problem being technical testing is fairly scientific, you can apply metrics to it, you can measure it and you can track its effectiveness.

With social engineering, it’s still pretty much an artform and totally differs from person to person, it’s very hard to be scientific when it comes to conning people. Social Engineering may well be left out by large corporations unless it can be scientifically defined and metrics applied to it.

Things to Keep in Mind

However, there are a few important things to keep in mind. You want to definitely lay down the ground rules with whomever it is you are pen-testing for. They might just want to see what machines an exploit can break into. You might really upset some people and get in trouble if you start trying to gain physical access or send trojans to executives. Make sure they are aware of what you are doing and that you have approval. Get everything in writing or in your agreement somewhere.

Also there are many questions to be answered before doing an SE test – questions of legality, ethics and possible personal consequences for the people who were “duped”. These have to be taken into consideration and could mean the social engineering part is not possible.

Please bear in mind the wellfare of the employees too, consider also adding a clause that protects the end-user from getting fired. Human nature is to be helpful, the problem is a lack of education, not a mistake from the user.

Summary

Social Engineering, you can include it or not based on the above information, if you don’t include it, you can always demonstrate it for information purposes to the management team or contact of the target organisation.

References: Discussion on SF Pen Test List


Posted in: General Hacking

Tags: , , , , , , ,

Posted in: General Hacking | Add a Comment
Recent in General Hacking:
- BADLOCK – Are ‘Branded’ Exploits Going Too Far?
- Dradis – Reporting Platform For IT Security Professionals
- Kid Gets Arrested For Building A Clock – World Goes NUTS

Related Posts:

Most Read in General Hacking:
- 10 Best Security Live CD Distros (Pen-Test, Forensics & Recovery) - 1,171,911 views
- Hack Tools/Exploits - 631,039 views
- Password Cracking with Rainbowcrack and Rainbow Tables - 436,547 views

Get protected with Sucuri


Prostitutes want GTA (Grand Theft Auto) Banned

Find your website's Achilles' Heel


A little bit crazy eh?

Sex workers cry foul, say game “accrues points to players for the depiction of rape and murder of prostitutes.”

The Grand Theft Auto franchise is getting attacked from all angles. Joining the ranks of politicians, policemen, and attorneys in their crusade to see the game lifted from shelves are the nation’s sex workers. On its Web site, the Sex Workers Outreach Project USA is asking parents to assist them in calling for a ban of Take-Two Interactive’s controversial game.

Citing a 2001 document from the National Institute on Media and the Family’s David Walsh, SWOP is calling “on all parents and all gamers to boycott Grand Theft Auto.”

The organization quotes various points from Walsh’s paper, including, “Children are more likely to imitate a character with whom they identify with. In violent video games the player is often required to take the point of view of the shooter or perpetrator.”

Source: Gamespot

Apparently, the sex workers of the Sex Workers Outreach Project aren’t too happy about their ingame counterparts being treated violently in the GTA games. They note that the games are a bad influence on children, and might encourage rape and violent behavior towards prostitutes in real life.

SWOP Statement on Grand Theft Auto
The game Grand Theft Auto demonstrates attitudes and behaviors that reflect broader social attitudes toward prostitutes, who are made vulnerable because of their criminal status. Our outrage and disgust at the depictions of prostitutes in games such as GTA renew our call for absolute de-criminalization and repeal of all laws that outlaw the exchange of sex for money in order to end the violence directed at people believed to be prostitutes.

It’s a bit ridiculous if you ask me, are Soldiers going to start suing me because I enjoy blowing them up in Castle Wolfenstein?

Or Special Forces operatives…they will start suing Tom Clancy, omg Rainbow 6, YOU TRAUMATISED ME!?!


Posted in: General News

Tags: , , , , , ,

Posted in: General News | Add a Comment
Recent in General News:
- Teen Accused Of Hacking School To Change Grades
- Google’s Chrome Apps – Are They Worth The Risk?
- Twitter Breach Leaks 250,000 User E-mails & Passwords

Related Posts:

Most Read in General News:
- Hacking Still Can’t Outdo Stupidity for Data Leaks - 125,443 views
- eEye Launches 0-Day Exploit Tracker - 85,738 views
- Seattle Computer Security Expert Turns Tables On The Police - 44,376 views

Get protected with Sucuri


Who is Navaho Gunleg?

Find your website's Achilles' Heel


Following the recent post by backbone, I decided to post a short introduction as well.

Background
I am from The Netherlands, Europe — a country most people probably have heard about. Either because of the legendary HackTic-foundation that later started the ISP XS4ALL and otherwise undoubtably because of our liberal stance towards soft-drugs and prostitution.

I have always been drawn to computers and remember tinkering with them ever since my parents bought one, a Commodore 64. At that time, we didn’t have that much money to spend so I was forced to write my own programs and games. This experience basically laid the basis for my profession as a programmer, later in life.

As time passed, other computers came into our house-hold, mainly because of my dad’s job. Things started getting really interesting on the PC. MSDOS, PCDOS, various programming languages such as BASIC and Pascal, applications suchs as DBASE.

In contrast to people who have only experience with graphical user interfaces such as Microsoft’s and Apple’s, because of the experience with the command-line, UNIX-flavoured operating systems don’t scare me.

In the Present
Currently, I am a programmer for a media company. The operating systems I work on are all UNIX-flavours. I can ‘speak’ most relevant (programming) languages available on those machines: C(++), Shell scripting, PHP, Javascript, SQL and HTML to name but a few. I have had the privilege to tinker with J2ME (that’s Java for mobile devices such as phones) as well.

I mainly implement the technology behind web-sites, such as content-management systems and various types of server-to-server communication. Additionally, I write plugins for interactive voice response systems such as Bayonne.

Additionally, I also do system administration on few of those servers so I have grown quite interested in server security as well.

In my spare time, because I’m cheap, I still write my own software. If I’m out of suggestion, my girlfriend sometimes has a request for something. For the last couple of years I love to make everything web-based. This fuelled my interest in web-based user-interfaces and the technology behind it, databases, scripting and secure communications.

Future
Being a coder, my articles will mainly focus on programming. How to, and how not to implement stuff safe and secure. Fact is, programs that rely on end-user input are by definition un-safe.

Knowing the business-side of the chain so to speak, I have come to discover that a lot of companies, simply because of the lack of knowledge, money or time, fail to implement online systems secure enough.

Technology is going faster than most people can keep track of it and this has implications that some people might ignore.


Posted in: Authors

Tags: , , , ,

Posted in: Authors | Add a Comment
Recent in Authors:
- Whos is tonyenkiducx? Who the hell are you?
- Who is Haydies? Me my self and quite possibly some one else.
- Who is Darknet?

Related Posts:

Most Read in Authors:
- Who is Haydies? Me my self and quite possibly some one else. - 179,691 views
- Who is Darknet? - 15,800 views
- Who is Navaho Gunleg? - 7,220 views

Get protected with Sucuri