[Techtalk] Gender as a weapon? Pen-testing and female auditors

Devdas Bhagat devdas at dvb.homelinux.org
Tue Mar 16 05:13:41 EST 2004


On 16/03/04 06:52 +1100, Mary wrote:
> On Mon, Mar 15, 2004, Devdas Bhagat wrote:
> > Good idea. However, the whole point of social engineering is to get
> > access to the $secret via *any* social means possible.
> 
> Do pen testers balk at threatening violence? At threatening people's
> jobs? At actual violence? At actual fake firings? At extended faux
> devastating office politics? At harassment?
Like I said, it depends on /what/ the target organization is.
If you are pen-testing the CIA, or the KGB, or other TLA, then the
techniques used will be very different than if you are just trying to
access the secret formula of a soft drink company.

<snip> 
> > I agree. The question to ask is, will the possible threat scenario
> > include this particular threat? Will a competitor hire a prostitute to
> > bribe the victim, or send in a corporate spy with an alluring body,
> 
> Or send in thugs? Maybe we'd better beat our employees up just to make
> sure they don't tell when someone's twisting their broken arm...
>
> My point in saying this is not that I think thugs would work better than
> becoming friends or lovers with someone, so please don't reply with the
> relative success rates of each tactic. What I am trying to point out is
> that there are definitely grey areas to "any means possible". Even if
> you're stopping short of leaving scars, I can imagine exploits that come
> at considerable cost to people's emotional wellbeing in the short and
> long term.
I agree that there /are/ grey areas. Note that I ask the question "Will
the threat scenario include this particular threat?" If it does, and the
secret is valuable enough, then you have to evaluate the risks involved.

Risk evaluation being the keyword. It may or may not be a good idea,
depending on the people involved and a lot of other factors.
Also, how deep are you going when doing a pen-test? Simple flirting? Or
more?
I don't see any reason to go beyond a simple flirt in a pen-test, unless
this is a three letter agency thing.

> The fact that the enemy/opposition may be willing to try those tactics
> doesn't neatly solve the moral dilemma either, because you still have to
> weigh up the value of keeping the secret safe versus hurting someone
Is the secret the red button? Or just some replaceable data? Wouldn't
your answer vary based on that?

Devdas Bhagat