[Techtalk] Gender as a weapon? Pen-testing and female auditors

Devdas Bhagat devdas at dvb.homelinux.org
Mon Mar 15 23:35:02 EST 2004


On 15/03/04 09:44 -0500, Raven Alder wrote:
<snip>
> 	There was recently a thread on pen-test at securityfocus.com about
> companies using female pen-testers and security auditors to essentially
> scam lonely guys out of information.
I should return to reading all my previous lists. So much to read, so
little time. Oh well, 10 lists to subscribe to is a bit too much to ask
for. Maybe if I get 30 hour days, or a direct connection to my brain.
<snip>

> strong community demand for me to write a case study about my
> experiences testing security, it seems. I'm up for it, but I want to
> keep it professional and interesting without encouraging anyone to treat
Good idea. However, the whole point of social engineering is to get
access to the $secret via *any* social means possible. It doesn't matter
if the means used is an attacker pretending to be your CEO, or a
clueless user in need of help, or a contractor, or a woman after a
lonely single geek.

> me like a piece of meat. I am still very of two minds about using my
> sexuality in my line of work. Yes, it could be devastatingly effective,
> and the point of a vulnerability assessment is to test the strength of
> their defenses. Holding back or refusing seems like doing less than a
I agree. The question to ask is, will the possible threat scenario
include this particular threat? Will a competitor hire a prostitute to
bribe the victim, or send in a corporate spy with an alluring body,
or....
If you are dealing with three letter agencies, this is definitely part
of the game.  http://www.google.com/search?q=Mata+Hari

> full job. And in an industry where it actually does kind of suck to be a
> girl sometimes, it seems mad not to use every advantage I've got. But on
> the other hand, I can't constantly be telling me people "just treat me
> like any other geek, not like a piece of meat" and then turn around and
> act like a piece of meat. That's hypocritical.
It's not. Remember that when you are pen testing, you are /not/ a geek,
you are a spy with one mission: Get the information at any cost. You can
be a geek when not social engineering. Come to think of it, being a
woman geek who does not want to be treated as a piece of meat should get
you a lot more leverage with male geeks.
So long as you are not doing something that violates your personal moral
principles here, it's perfectly all right. Just remember that you are
acting (as in a play/movie) and that this is not your real character.

> 	I normally solve this problem by staying mostly on the tech side
> of the house and letting others do the social engineering.  I'm a rotten
> liar anyway.  But the few times that I have even dipped my toes in, it's
> been shockingly effective.  But ew.  Slimy.
Sex, or the promise thereof, has been just another spy tool throughout
the centuries. Like it or not. It's just another form of a stranger
offering toffee to a child.

> 	So, I'd like to poll some other geekfemmes. If you have any
> stories about being able to get what you wanted in a tech capacity or a
> social engineering capacity, and you think being a girl had anything to
> do with it (or, conversely, if you're a guy who has used his sexuality
> to social engineer), I'd love to hear about it.  Is it okay to do this
I have done neither. This is a professional opinion. I haven't had
reason to be social engineered yet, but I just don't talk technical
secrets with strangers.

> sort of thing?  Is it encouraging or setting back feminism?  (That bit
Perhaps neither? In the best case, it might expose the guy who fell for
your charms to a certain amount of ridicule, and that will hopefully
keep him from treating women as just another piece of meat (yeah, right!
But hope springs eternal and all that jazz). In the worst case, it makes
no difference to said person's attitudes.

But yes, in a penetration testing context, sex is a perfectly
appropriate tool to obtain information that might otherwise be
unavailable.
It's a weakness. Corporations are not known to be ethical. Penetration
testers are being paid to be unethical in a limited fashion.

Devdas Bhagat
