Mark, that's straight up evil... I love it. Just let me know what sorts of credit you want for that little trick.
It's every bit as good as me sending them status reports with a few extra payloads attached. Customer: this file's encrypted Me: Of course, you don't want a mail admin to be able to see this kind of sensitive data... here's how you open the file Customer: Oh you need macros? Why? Me: Formatting. And if you see any popups just click yes. Sad thing is it *works*... I *love* what I do for a living! What a fun and amazing field. - Mick On Wed, Oct 20, 2010 at 9:58 AM, Baggett, Mark <[email protected]> wrote: > This probably wont affect your purchasing decision, but I think it is > interesting that most network admins don't really think twice about > allowing their employees to use SSL VPN to connect to a third party > network. They don't think about the fact that some other admin (the > one who owns the SSL VPN Concentrator) controls the split tunneling > policy on the clients and decides whether or not your internal > workstations can be used to pivot mercilessly through your environment. > > > Dear Pen test customer, > In order to provide you with instant, up to date access to the results > of our ongoing penetration we have established a project status portal. > Obviously this data is sensitive and most be protected. Please use the > following username and password to login to our SSL VPN to access the > status page. > > Moooohahhahaa > > > > -----Original Message----- > From: [email protected] > [mailto:[email protected]] On Behalf Of Michael > Douglas > Sent: Tuesday, October 19, 2010 9:41 AM > To: [email protected] > Subject: [Pauldotcom] SSL vs IPSec VPNs > > Hey all, > > I'm trying to determine what protocols should be permitted on a new VPN > concentrator. > > I'd like to stick with IPSec, it's tried and true, and to quote Garth: > "We fear change". However, it seems that all the vendors are going down > the SSL route. Now I know SSL is 'safe', but it seems like it's more > open to attacks like SSLStrip (thanks again Moxie for making us aware of > the problems!) I get that SSL is easier for administrators and end > users alike, but is that convenience at too high a cost? > > So what are your thoughts? Am I being too paranoid? If there are > articles or places where I should RTFM, that's cool... I just need to > know what FM to read!! Please send the links/info ;-) > > > Thanks for your input, and have a nice day! > - Mick > _______________________________________________ > Pauldotcom mailing list > [email protected] > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > Main Web Site: http://pauldotcom.com > _______________________________________________ > Pauldotcom mailing list > [email protected] > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > Main Web Site: http://pauldotcom.com > _______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
