[unisog] Pen testers after my own heart...

Paul Asadoorian Paul_Asadoorian at brown.edu
Mon Jun 12 13:28:25 GMT 2006


I agree, they were certainly "thinking outside the box" :)

Just as much as pen testers need to think like black hats, organizations
need to approve this type of testing in order to identify and reduce risk.

Also, a cheaper alternative to scattering USB keys in the parking lot is to
email employees.  One can too easily craft an email that slips through SPAM
filtering and provides a link to the end user that exploits a client-side
exploit which installs an agent that goes undetected by Anti-Virus software.

I am curious as to what their recommendations were for this particular test,
"Tell employees not to put things in their computer" or "fill the USB ports
with epoxy". Not so practical....

Paul

On 6/9/06 4:25 PM, "Valdis.Kletnieks at vt.edu" <Valdis.Kletnieks at vt.edu>
wrote:

> These guys rock.  They think like black hats.
> 
> http://www.theinquirer.net/?article=32311
> 
> How many of you are ready if the black hats try this stunt? :)
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog

--
Paul Asadoorian, GCIA, GCIH
Brown University
3 Davol Square
Suite B 250, Campus Box 1885
Providence, RI 02903
Phone: 401.863.7553

IT Security Blog
http://blogs.brown.edu/project/security
