Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: Social Engineering - information disclosing by phone
From: "Shomiron Das Gupta" <chaff0 () gmail com>
Date: Sun, 28 Dec 2008 00:00:31 +0530

Hey Taras,

Compliments of the season, most clients we have worked for typically
look at security as a technical 'only' subject. However we have died
and born again explaining the social (larger) aspect of security.

Chaff

On 12/25/08, Taras P. Ivashchenko <naplanetu () gmail com> wrote:
Hello, list!

What do you thing about such step of pentest as information disclosing by
phone?
Yes, of course everybody watched "Hackers" with Jolie and Miller and
remember moment
when when some security officer told number of modem by telephone.
But it's cinema and what about real life?

In Penetration Testing Framework [1] we can read:

Scenarios

IT Department.
"Hi, it's Zoe from the helpdesk. I am doing a security audit of the network
and I need to re-synchronise the Active Directory usernames and passwords.

This is so that your logon process in the morning receives no undue delays"

If you are calling from a mobile number, explain that the helpdesk has been
issued a mobile phone for 'on call' personnel.

Results

Contact Details
 - Name
 - Phone number
 - Email
 - Room number
 - Department
 - Role

[1] http://www.vulnerabilityassessment.co.uk/Penetration Test.html

What in your opinion we can take (in pentest) from such method of S.E.?
Does anybody knows Mitnick here? Please, call him =)

--
Тарас Иващенко (Taras Ivashchenko), OSCP
www.securityaudit.ru
----
"Software is like sex: it's better when it's free." - Linus Torvalds


-- 
Sent from my mobile device

-------------------------------------------------------
 He who lives dangerously,
 rocks the world!!
-------------------------------------------------------

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]