Wilders Security Forums  

Wilders Security Forums > Other Security Topics > malware problems & news
#1  March 4th, 2010, 05:59 AM
Longboard (Massive Poster; Join Date: Oct 2004; Location: Sydney, Australia; Posts: 3,097)
Ping Rmus

Thought you'd get a smile on after reading this:
http://www.theregister.co.uk/2010/03...l_penetration/
Particularly this stroke of (?) genius
Quote:
Bailey employed a similar trick last year, when he and two other ethical hackers claimed a $10,000 prize for breaking into the email account of StrongWebMail CEO Darren Berkovitz.

The XSS, or cross-site scripting, vulnerability they identified could only be exploited if the victim clicked on a link while logged in to his account. The solution: They sent him an email with the subject line "we think we've already won this contest," with the attack link in the body. Berkovitz took the bait, and they won the prize.
The enterprise phishing weaknesses are often at the top IMO...
__________________
Don't confuse me with someone who actually knows what they are talking about.
Linux Registered user 469135
Please, support Medecins Sans Frontieres

Last edited by Longboard : March 4th, 2010 at 06:30 AM.
#2  March 4th, 2010, 11:29 AM
dalecosp (Infrequent Poster; Join Date: Mar 2010; Posts: 5)
Re: Ping Rmus

Quote:
Originally Posted by Longboard
The enterprise phishing weaknesses are often at the top IMO...
The younger folk are more savvy ... but the older ones are the executives. Not particularly surprising, although executives are supposed to be *smart*, and this does make you wonder.
#3  March 4th, 2010, 02:23 PM
Rmus (Exploit Analyst; Join Date: Mar 2005; Posts: 3,624)
Re: Ping Rmus

Quote:
Originally Posted by Longboard
Thought you'd get a smile on after reading this:
http://www.theregister.co.uk/2010/03...l_penetration/
Particularly this stroke of (?) genius

The enterprise phishing weaknesses are often at the top IMO...
I suppose it would be funny if it potentially weren't serious!

----
rich
#4  March 7th, 2010, 06:51 AM
Longboard (Massive Poster; Join Date: Oct 2004; Location: Sydney, Australia; Posts: 3,097)
Re: Ping Rmus

Rmus; Truly, I am onside with your expertise and your lessons and insights; you have given me excellent information and 'templates' for safety in the food chain of the www. Make no mistake about that.
(response to other '..had enough..' thread in production. )

Quote:
I suppose it would be funny if it potentially weren't serious!
Yes very serious.
Should've posted:
Quote:
Thought you'd get a GRIM smile on after reading this..

It is of course an excellent example of 2 truisms: "the chain is only as strong as...", and, "pride goeth..."
Outstanding lesson in hubris to anyone.
I was captivated by the razor-sharp insight into human nature and the sheer bravura of the pen testers, as well as the vision of that CEO with a giant omelette all over his dial.

Regards.
#5  March 7th, 2010, 11:30 AM
Rmus (Exploit Analyst; Join Date: Mar 2005; Posts: 3,624)
Re: Ping Rmus

Quote:
Originally Posted by Longboard
I was captivated by the razor-sharp insight into human nature and the sheer bravura of the pen testers, as well the vision of that CEO with a giant omelette all over his dial. Regards.
Hi Longboard,

Egg in the face has happened before! One that stands out from 4 years ago:

Social Engineering, the USB Way
http://www.darkreading.com/document.....svl=column1_1

To me, this demonstrated

1) Human fallibility.

2) That the company had no protection in place against Autorun exploits.

3) That the company had no protection in place against the intrusion of unauthorized executables.

regards,

rich

Last edited by Rmus : March 7th, 2010 at 11:38 AM.
#6  March 8th, 2010, 10:17 PM
Longboard (Massive Poster; Join Date: Oct 2004; Location: Sydney, Australia; Posts: 3,097)
Re: Ping Rmus

Re: http://www.darkreading.com/document.....svl=column1_1
Ya. I remember that episode.
Again brilliant exploitation of gullibility and security holes.
I well remember the "kick in the pants" for many users re 'autoruns'.
As you point out: failure at many levels.

Acknowledging your palpable disappointment re baseline security at some organisations: the "benign" or contracted pen testers seem to do a valuable job identifying holes.
What other way is there to audit security performance across the board?
Heh: believe the marketing of the paid consultants or software providers?

The social engineering pen testers continue to demonstrate lateral thinking as per the "LOL is this U" on Twitter: seems to have pinged a lot of cluey users.

Last edited by Longboard : March 8th, 2010 at 10:28 PM.
#7  March 8th, 2010, 11:35 PM
Rmus (Exploit Analyst; Join Date: Mar 2005; Posts: 3,624)
Re: Ping Rmus

Quote:
Originally Posted by Longboard
Acknowledging your palpable disappointment re baseline security at some organisations: the "benign" or contracted pen testers seem to do a valuable job identifying holes.
Why should a System Administrator in an organization need a pen tester to prove that allowing Autorun on the company workstations is just inviting trouble? These System Admins certainly have some credentials, the awarding of which should demonstrate some basic knowledge of security exploits and prevention.

It's not that Autorun exploits are anything new:

Microsoft Windows autorun.inf Vulnerability
Published: Feb 18 2000
http://www.securityfocus.com/bid/993/info
Quote:
The Windows Autorun feature was designed to allow an executable and an icon to be specified for any piece of removable media. Upon insertion, the icon would be displayed for the drive, and the executable would automatically run.

This could be used in privilege escalation attacks.
As far as preventing that pen tester trojan from infiltrating the company network, it's not like reliable protection is something new:

Using Software Restriction Policies to Protect Against Unauthorized Software
Published: January 01, 2002
http://technet.microsoft.com/en-us/l.../bb457006.aspx
Quote:
This important feature provides administrators with a policy-driven mechanism for identifying software programs running on computers in a domain, and controls the ability of those programs to execute.
No matter how much user training employees are given, with so many using company computers, the System Admin just can't take a chance with open roads into the system as shown in that example.

Two things should have taken place following that incident with the USB drives in the parking lot:

1) The CEO should have asked the System Admin why company workstations need Autorun for company work.

2) The CEO in a nice way should have suggested that the System Admin return to school for further training, and wish him success in his next job, since this one terminates immediately.

So there! Show no mercy!

----
rich
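Posts #5 and #7 above name the two controls the company in the USB story lacked: Autorun left on, and nothing in place to stop an unauthorized executable from running. The following PowerShell script is an added illustration, not code from the thread or from either of the linked articles. It is a read-only audit: it reads the documented policy registry values for both controls (NoDriveTypeAutoRun under the Explorer policy key, and the Software Restriction Policy DefaultLevel under Safer\CodeIdentifiers) and reports what a workstation's configuration still permits. The function names (Get-AutorunPolicy, Get-SrpDefaultLevel) are my own.

```powershell
# Added illustration, not code from the thread or the articles it cites.
# Read-only audit of two controls the discussion turns on: whether Autorun is
# disabled for removable media, and whether a Software Restriction Policy (SRP)
# default-deny rule is in force. Registry paths and value names are the
# documented Windows policy locations; run in an elevated PowerShell session.

# Drive-class bits of NoDriveTypeAutoRun: a set bit disables Autorun for that
# class. 0xFF disables it for every class, which is what post #7 argues for.
$AutorunBits = [ordered]@{
    Removable = 0x04
    Fixed     = 0x08
    Network   = 0x10
    CDROM     = 0x20
    RamDisk   = 0x40
}

function Get-AutorunPolicy {
    # One object per hive, listing the drive classes that still allow Autorun.
    # A policy in HKLM applies machine-wide; HKCU applies to the current user.
    foreach ($hive in 'HKLM', 'HKCU') {
        $path  = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        $item  = Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        $value = if ($null -ne $item) { [int]$item.NoDriveTypeAutoRun } else { $null }

        # With no value set, nothing is disabled by policy, so every class is listed.
        $stillAllowed = @()
        foreach ($name in $AutorunBits.Keys) {
            if ($null -eq $value -or ($value -band $AutorunBits[$name]) -eq 0) {
                $stillAllowed += $name
            }
        }

        $shown   = if ($null -eq $value) { 'not set' } else { '0x{0:X2}' -f $value }
        $allowed = if ($stillAllowed.Count -gt 0) { $stillAllowed -join ', ' } else { 'none' }

        [pscustomobject]@{
            Hive                = $hive
            NoDriveTypeAutoRun  = $shown
            AutorunStillAllowed = $allowed
        }
    }
}

function Get-SrpDefaultLevel {
    # DefaultLevel is the SRP default security level applied when no rule matches:
    # 0x0 = Disallowed (default-deny), 0x40000 = Unrestricted (default-allow).
    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    $item = Get-ItemProperty -Path $path -Name DefaultLevel -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'No Software Restriction Policy configured' }
    $level = [int]$item.DefaultLevel
    switch ($level) {
        0x0     { return 'Disallowed: only software matched by an allow rule can run' }
        0x40000 { return 'Unrestricted: everything runs unless a rule blocks it' }
        default { return ('Intermediate level 0x{0:X}' -f $level) }
    }
}

Get-AutorunPolicy | Format-Table -AutoSize
"SRP default level: $(Get-SrpDefaultLevel)"
```

The script changes nothing; the place to set both controls in a domain is Group Policy (the "Turn off Autoplay" administrative template and the Software Restriction Policies node), which writes these same registry values on each workstation. A machine that reports "Removable" under AutorunStillAllowed, or "No Software Restriction Policy configured", is in the state the parking-lot USB story relied on.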
#8  March 9th, 2010, 03:10 AM
Longboard (Massive Poster; Join Date: Oct 2004; Location: Sydney, Australia; Posts: 3,097)
Re: Ping Rmus

Quote:
No matter how much user training employees are given, with so many using company computers, the System Admin just can't take a chance with open roads into the system
Seems simple enough, eh?
Quote:
Show no mercy!