Penetration Testing mailing list archives

RE: Hacking to Xp box
From: "Omar A. Herrera" <omar.herrera () oissg org>
Date: Fri, 2 Sep 2005 22:51:25 -0500

-----Original Message-----
From: Michael Gargiullo [mailto:mgargiullo () pvtpt com]

One other thing...   Malicious people will go for the low hanging fruit
with high value first.  Your CEO's PC won't be high on the list.

That's a good point; even the CEO's secretary might have more important
information on their computer than the CEO themselves.

But consider that convincing the CEO is critical to obtain support for
an adequate top-down security strategy (the secretary is not going to pay
for more security resources even if they are badly needed). People in high
positions tend to lose the sense of the importance of resources, in
particular of those they don't interact with. Even if you manage to hack the
most critical of their production servers, it is nothing they are familiar
with; they probably don't even know the thing exists, and they might not
care anyway.

If you shut down a critical production server you will definitely catch
their attention because of the side effects, not because of the hack of the
system itself. But that strategy should be discarded (hitting your own
organization hard just to show that risks are real will get you kicked out or
jailed, not to mention the damage you could do). Because of this, it might
be a better idea to make the demonstration with the CEO's personal
computer: you are less likely to hit the organization badly if something
goes wrong, and you will still catch her/his attention.

From the tone of the original poster, it seems he was challenged by the CEO.
It might not look too professional to engage in games like this, but to be
honest, if he succeeds, he will most probably get more support for security
within his company. In short: the company wins if he wins. 

Many times your most important battles are fought far away from the
technical ground (e.g. policies, culture, ...). In this case, the real target
is the CEO's ego (to make him more conscious about security).


Omar Herrera
