Tweet
duke, well, first off that's not how it's done. We could not compromise their data, at least not until we are very well established and even then it's a bit iffie, most likely we will leave marks at places so they can be verified later on that we did visit there (server, folders etc).
I don't need to test run this, I have done it. Well not like you think so don't worry. And besides, I guarantee I could do this to a fortune 10 company right now and steal a crapload of info and not break a sweat, be detected and possibly even make them pay salary for me under fake name, and break away free and easy and never be found out what truly happened. Talk is cheap, let's just say it's not something that is 'not feasible', it's more of a question of how easy it will be and how fast can we compromise data before one single question will be asked. So why do I boast about being able if willing? because I work in one and it's HORRIBLE, the security that is. There's LOTS of things they could do to improve the security, starting from few policies and enforcing them. And also perhaps hiring someone who is up to date with this stuff. And loads of other things, most likely it means organizational change in security etc.
But yes, I most likely will be able to do this, I mean, there likely is a company that will let me do this on a research purpose at least. Not sure about actual auditing yet. I'd love to do it though.
And the talk about trojans, that's just one thing to show off, stealing few passwords for later on purposes, just as one thing. The idea is to compromise the security in all levels, as many times as possible, it's mostly to show the customer how easy it was and how their security sucked horribly, so that they change the attitude and start looking at new ways to improve it, mainly focusing on the user, not the system only.
Security screening, I don't mean anything new that is not already done in some places. I don't mean anything illegal.
And one important aspect is not to make new obstacles for work. Most helping solutions are easy and mostly a question of attitude. And this is to for example... demonstrate why ID badges are used. If I can get in for example without one, and no one asks me a single question and I can be there for a week, stealing and messing around, it's a problem. A rule that is not enforced or cared after. What's the point if you don't use them? Might as well not use the whole system at all, it only costs to make them badges.
There are kazillion things that needs to be reminded, focusing on the key weaknesses. This is of course if you have valuable information you want to protect. If not, they you don't need to pay that much attention, however if you do, then they should pay attention that they are living with false sense of security, and false sense of security kills
Many places and I know this with first hand experience have problems with help desk. Basically it's their job to help, but they should know what they can not tell, indicate or even tip off. Social engineering is basically manipulating people to tell things they aren't supposed to. And that's why it works, because people are people.
I don't need to test run this, I have done it. Well not like you think so don't worry. And besides, I guarantee I could do this to a fortune 10 company right now and steal a crapload of info and not break a sweat, be detected and possibly even make them pay salary for me under fake name, and break away free and easy and never be found out what truly happened. Talk is cheap, let's just say it's not something that is 'not feasible', it's more of a question of how easy it will be and how fast can we compromise data before one single question will be asked. So why do I boast about being able if willing? because I work in one and it's HORRIBLE, the security that is. There's LOTS of things they could do to improve the security, starting from few policies and enforcing them. And also perhaps hiring someone who is up to date with this stuff. And loads of other things, most likely it means organizational change in security etc.
But yes, I most likely will be able to do this, I mean, there likely is a company that will let me do this on a research purpose at least. Not sure about actual auditing yet. I'd love to do it though.
And the talk about trojans, that's just one thing to show off, stealing few passwords for later on purposes, just as one thing. The idea is to compromise the security in all levels, as many times as possible, it's mostly to show the customer how easy it was and how their security sucked horribly, so that they change the attitude and start looking at new ways to improve it, mainly focusing on the user, not the system only.
Security screening, I don't mean anything new that is not already done in some places. I don't mean anything illegal.
And one important aspect is not to make new obstacles for work. Most helping solutions are easy and mostly a question of attitude. And this is to for example... demonstrate why ID badges are used. If I can get in for example without one, and no one asks me a single question and I can be there for a week, stealing and messing around, it's a problem. A rule that is not enforced or cared after. What's the point if you don't use them? Might as well not use the whole system at all, it only costs to make them badges.
There are kazillion things that needs to be reminded, focusing on the key weaknesses. This is of course if you have valuable information you want to protect. If not, they you don't need to pay that much attention, however if you do, then they should pay attention that they are living with false sense of security, and false sense of security kills
Many places and I know this with first hand experience have problems with help desk. Basically it's their job to help, but they should know what they can not tell, indicate or even tip off. Social engineering is basically manipulating people to tell things they aren't supposed to. And that's why it works, because people are people.
Comment