Posted via web from danielmiessler.com | posterous

http://danielmiessler.com/writing/va_vs_pt/

hostfind.tar.bz2 hostfind.tar.bz2.sha1 hostfind.tar.bz2.sha1.asc

It took me nearly as long to package this thing as it did to write it. Unfortunately, the packaging is way more leet than the program itself — kind of lame considering there’s no README or anything…

I was working under the idea of, “if you make bzipped tarball of a 10 line shell script and sign it, it’s real software.” Turns out that’s not the case. I checked it again after I got done packaging it and it was still useless.

Anyway, I’m going to be incorporating this “module” into my bigger mst project, which is actually halfway decent in terms of being a time-saver (unlike this hideous token of boredom).

[The really sad part is that I use blog posts like this one as an archive system so that I can find this stuff later. I have plenty of places to put it where it won't get lost, but being able to search for it on my site is just too convenient.]

It was easy because I knew I could go to the CSO if I got caught.

Were I to be there illegally, i.e. without permission from top management, I probably would have had a much harder time pulling off the acting. I think pentesters should keep this in mind when they get the urge to claim that social engineering is easy.

Is it easier or harder to do social engineering in the South?

When you first think about it your gut reaction is that it’s easier, but it turns out that it’s all based on what type of attack is being performed. Getting information over the phone and such is most likely much easier, but attempting to physically access a building and roam around might actually be harder. Here’s why.

Southerners are very personable people. They want to know who’s working near them, who just got fired, who the new person is, etc. They don’t often work in close proximity to someone without having made contact with them in some way, shape, or form. This often manifests as extreme kindness, i.e. inviting new acquaintances to eat with their family, etc.

For a pentester trying to go unnoticed, this presents a problem. As I was on one of these engagements earlier this week I wondered if it would be easier in say, the Northeast, where, as I understand, people commonly don’t care at all who the people are around them.

But then I realized that while Southerners are more likely to be familiar with those around them, they’re also probably less likely to challenge someone who’s not supposed to be somewhere. I ran into this during this job as well; someone found me in their server room and didn’t say anything, most likely for fear of being rude.

Anyone have any additional anecdotal evidence to offer?