Re: Security Audit

["bacano" <bacano () esoterica pt>]

hi2all

Well ... if an auditor is used to perform social engineering it is most
likely that some specific audit tools are on his pocket. Those are just not
the usual tools.
This tools can be a simple browser (1), email client (2) or a phone (3). But
tools can be also electronic devices (4)... strange boxes much diferent from
the usual PC.
And of course, tools for this can be clothing and several related extras
(5).

(1) to find as much information as possible from a target
(2) it's always nice to have several accounts from several ISP's and free
accounts
(3) a public phone or a cellphone that you get just for one job
(4) doesn't have to be illegall phone taps, there are many tricks to play
and if this is under a legal contract, it's legal, right?
(5) to test physical security, for example

Also there is the education/trainning issue ... being just a smooth sweet
talker and a smartass may be not enough (in this field, that is the 'script
kid' profile). Knowledge on psychological operations and technics can help a
lot, for example, to make somebody say something that (s)he don't want to
say. The same way that a server may not have as root password as 'password'
(or as the name of the kid/bird/dog/sport club/ whatever you may find on the
target being 'social' to him), people are not always that easy to pull off
in typical enviroments. Not everybody have a 'hole' on the brain, but
sometimes you may have to try to exploit a brain without known 'holes'.

It's one of those issues that no 'ethical hacking' trainning can teach. At
least I don't know any that may have psycological modules.
Also, many times this is the way where legal authorities 'win the game'
against 'criminal hackers' ... usually those are too convinced that they are
smartasses (and the problem is that they are just that, and nothing more).

[  ]'s bacano


----- Original Message -----
From: "Justin Stanford" <jus () security za net>
To: "Renaud Deraison" <deraison () cvs nessus org>
Cc: <pen-test () securityfocus com>
Sent: Friday, September 07, 2001 6:56 PM
Subject: Re: Security Audit


> Plus, no auditing tool can test the social engineering possibilities that
> are often so easy to pull off in typical corporate environments.. ;-)
>
> Is there anyone out there that performs social engineering as part of
> their pentests/audits? I feel that it is to be considered a definite part
> of a pentest/audit, as it's a common tool that can easily be used by smart
> perpetrators, other than computer tools.
>
> Please excuse me if this is old news on the list, I've just recently
> subscribed..
>
> /jus
>
> --
> Justin Stanford
> Internet/Network Security & Solutions Consultant
> 4D Digital Security
> http://www.4dds.co.za
> Cell: (082) 7402741
> E-Mail: jus () security za net
> PGP Key: http://www.security.za.net/jus-pgp-key.txt
>
> On Thu, 6 Sep 2001, Renaud Deraison wrote:
>
> > On Thu, Sep 06, 2001 at 02:41:35AM -0400, Wertheimer, Ishai wrote:
> > > An e-commerce site is supposed to have an application layer or isn't
it ?
> > > What about auditing the application on top?
> > >
> > > Many e-commerce sites have been hacked although you wouldn't find any
> > > vulnerability by running Nessus or such !
> >
> >
> > <off topic, self promotion>
> > Actually, Nessus 1.1.x has some plugins dedicated to the analysis of
> > CGIs. This is not as good as a humain brain with at least a two-digit
> > IQ, but that's better than just doing nothing.
> > (it will catch trivial things such as param=../../../../etc/passwd%00
> > and such, but not dir=/etc&file=passwd, even though the later seems
> > trivial to any human being).
> > </off topic. Sorry for that>
> >
> >
> > But I agree with you - no automated tool can do a security _audit_.
> >
> > There's more to a security audit than just flashing redlights and
> > showing /etc/passwd to the management. Policies have to be read and
> > correlated with the real life on the network. Services that do not match
> > the policy should be told to be disabled, even if they're not vulnerable
> > to anything.
> >
> > A security audit is first a matter of checking that kind of thing rather
> > than licensing the list of vulnerabilities on a network. Vulnerabilities
> > appear and disappear every day. The policy never changes.
> >
> >
> >
> > -- Renaud
> >
> > --
> > Renaud Deraison
> > The Nessus Project
> > http://www.nessus.org
>
> --------------------------------------------------------------------------
--
> > This list is provided by the SecurityFocus Security Intelligence Alert
(SIA)
> > Service. For more information on SecurityFocus' SIA service which
> > automatically alerts you to the latest security vulnerabilities please
see:
> > https://alerts.securityfocus.com/
>
>
> --------------------------------------------------------------------------
--
> This list is provided by the SecurityFocus Security Intelligence Alert
(SIA)
> Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please
see:
> https://alerts.securityfocus.com/


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/