A normal penetration test is social engineering. Ok, how
about "should be"? Its a remarkably powerful technique. Sure, Van
Eck boxes are kewl, but a telephone will get you the same information
faster in most cases, and the phone is a lot cheaper. (A nice suit is
also a useful tool, and still cheaper than a van Eck setup.)
We Americans tend to have a thing for using toys. Thats fine,
we build some excellent toys, but when I was consulting, I never found
a site where I had any desire to talk about van eck. The customers
money was always better spent on things other than copper shielding,
such as user training, security for the dialups, a firewall for the
extranet, etc.
If you find yourself at a facility where you want to try van
Eck, try another pass at walking around, calling up, getting hired as
a janitor, or subverting an employee. There is going to be a better
way.
(Incidentally, van eck was the dutch professor who published a
paper on electro magnetic radiation from computers and their use in
spying.)
Adam
Edward Cracknell wrote:
| OK, so call this OTT, (and Marcus...stop me when I go too far!)
|
| Does the group consider the use of Electro-Magnetic Radiation scanning
| tools, keyboard taps etc. outside the scope of a 'normal' test.
|
| I suppose one has to define what a 'normal' penetration test is, and
| certainly it ain't the job of a firewall to cater for that type of
| compromise, but more the job of the policy.
--
"It is seldom that liberty of any kind is lost all at once."
-Hume
Received on Oct 02 1997
Intro
