Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Re: Internet Programming Security - Real Company Lesson

2 views
Skip to first unread message

pbl...@odstrategies.org

unread,
Oct 22, 2009, 9:10:20 AM10/22/09
to
If you don't have credentials then ask someone that does. It's how
every company works. You get a request to do something and you think
it's real and suddenly the employees are escorting the hacker where
they want to go.

Best security breach tactic is to just walk in and ask. An email
attack works great. Being nice helps and after 20 requests suddenly
you have anything you need to get closer to what you really want. You
don't have to ask for everything to get more. The act of getting
something by asking nice now gives you the credibility to ask for
more. People assume requests made to them are legitimate. In a helpful
work environment people generally do as requested and are happy to do
so.

Security policy attempts to avoid being nice or trusting someone
because they tell you they can be trusted. This seems obvious. The
weakest links in all security systems are the employees. Employees
that are courteous and friendly should never be trusted. There lies
the paradox.

On 21 Oct 2009 19:22:42 -0400, "Stan Keith"
<Stan<AT>@<AT>inno<DASH>pay.com> wrote:

>The main problem is that the hacker used their own code against them. I
>thought it was unique. I don't think any of us would have ever thought of a
>hacker using emails addresses in a database to install a trojan.
---------------------------------------
Paul Blais - Hayes, Virginia

0 new messages