Ping Rmus

Thought you'd get a smile on after reading this:
http://www.theregister.co.uk/2010/03/04/social_penetration/
Particularly this stroke of (?) genius

The enterprise phishing weaknesses are often at the top IMO...

 

The younger folk are more savvy ... but the older ones are the executives. Not particularly surprising, although executives are supposed to be *smart*, and this does make you wonder.

 

I suppose it would be funny if it potentially weren't serious!

----
rich

 

Rmus; Truly, I am onside with your expertise and your lessons and insights; you have given me excellent information and 'templates' for safety in the food chain of the www. Make no mistake about that.
(response to other '..had enough..' thread in production. )

Yes very serious.
Should've posted:

It is of course an excellent example of 2 truisms: "the chain is only as strong as...", and, "pride goeth..."
Outstanding lesson in hubris to anyone .
I was captivated by the razor-sharp insight into human nature and the sheer bravura of the pen testers, as well the vision of that CEO with a giant omelette all over his dial.

Regards.

 

Hi Longboard,

Egg in the face has happened before! One that stands out from 4 years ago:

Social Engineering, the USB Way
http://www.darkreading.com/document.asp?doc_id=95556&WT.svl=column1_1

To me, this demonstrated

1) Human fallibility.

2) That the company had no protection in place against Autorun exploits.

3) That the company had no protection in place against the intrusion of unauthorized executables.

regards,

rich

 

Re: http://www.darkreading.com/document.asp?doc_id=95556&WT.svl=column1_1
Ya. I remember that episode.
Again brilliant exploitation of gullibility and security holes.
I well remember the "kick in the pants" for many users re 'autoruns'
As you point out : failure at many levels.

Acknowledging your palpable disappointment re baseline security at some organisations: the "benign" or contracted pen testers seem to do a valuable job identifying holes.
What other way is there to audit security performance across the board??
Heh: : believe the marketing of the Paid consultants or software providers ??

The social engineering pen testers continue to demonstrate lateral thinking as per the "LOL is this U" on Twitter: seems to have pinged a lot of cluey users.

 

Why should a System Adminstrator in an organization need a pen tester to prove that allowing Autorun on the company workstations is just inviting trouble? These System Admins certainly have some credentials, the awarding of which should demonstrate some basic knowledge of security exploits and prevention.

It's not that Autorun exploits are anything new:

Microsoft Windows autorun.inf Vulnerability
Published: Feb 18 2000
http://www.securityfocus.com/bid/993/info

As far as preventing that pen tester trojan from infiltrating the company network, it's not like reliable protection is something new:

Using Software Restriction Policies to Protect Against Unauthorized Software
Published: January 01, 2002
http://technet.microsoft.com/en-us/library/bb457006.aspx

No matter how much user training employees are given, with so many using company computers, the System Admin just can't take a chance with open roads into the system as shown in that example.

Two things should have taken place following that incident with the USB drives in the parking lot,

1) The CEO should have asked the System Admin why company workstations need Autorun for company work.

2) The CEO in a nice way should have suggested that the System Admin return to school for further training, and wish him success in his next job, since this one terminates immediately.

So there! Show no mercy!

----
rich

 

Seems simple enough eh ?