As part of a social engineering engagement, one of my guys got into a hospice facility via the smokers' door/hangout. Got inside and grabbed a doctor's laptop. When he brought it back to the office I bypassed the Windows login, located an unencrypted database, and grabbed a few patient records and doctors' scripts. Of course this was all part of our Statement of Work.
This was a great exercise for the client as it was eye-opening and caused them to implement many much-needed changes.

Sent from my Nexus 5

On Jan 14, 2014 11:24 AM, "Jamil Ben Alluch" <ja...@autronix.com> wrote:
> Hello,
>
> I was working on a mental exercise to see how far a pen test could be
> taken, and came up with this question for which I'd like to have some input
> from those who have done it or would never do it and why (any specific case
> that could be shared).
>
> Has it ever come into your scope/rules of engagement, the concept of stealing
> a corporate laptop/device from a given employee given the possibility (with
> the organization's blessing, of course) and using that to leverage access, say,
> to a VPN, admin panels, etc.?
>
> The concept itself seems to be at the very edge of legality, but I was
> wondering if this is something that has been attempted and successfully
> bore fruit.
>
> The given scenario I was thinking of was about people who work out of the
> office but still have access to critical systems/data within the
> organization and become careless with their devices outside of the work
> place (Starbucks, restaurant, airport, bus station, etc.). It's not hard
> to imagine somebody snatching or borrowing the device in order to gain
> access to a deeper level.
>
> Anyways, food for thought.
>
> Best Regards,
>
> --
> Jamil Ben Alluch, B.Ing., GCIH
> <http://www.autronix.com>
> ja...@autronix.com
> +1-819-923-3012
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom@mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
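The stolen-laptop scenario above only paid off because, once the Windows logon was bypassed, the data on disk was readable in the clear. The following is an added defensive check, not code from either poster or the Pauldotcom list: it audits a Windows laptop's volumes for exactly that weakness using the built-in BitLocker cmdlets. It assumes the BitLocker PowerShell module (Windows 8 / Server 2012 and later) and an elevated prompt; the output object layout and the warning wording are this example's own.

```powershell
# Added example, not part of the original thread: audit a Windows laptop for the
# weakness the post describes (logon bypassed, plaintext data read off the disk).
# Assumes the BitLocker module (Windows 8 / Server 2012 and later) and an elevated
# prompt; the $Findings object layout below is this script's own choice.

$Findings = foreach ($vol in Get-BitLockerVolume) {
    # ProtectionStatus 'Off' means no key protector gates the volume key: anyone who
    # boots the machine from USB can mount and read the volume, so a bypassed Windows
    # logon (or simply pulling the drive) is all it takes to reach an unencrypted DB.
    [pscustomobject]@{
        MountPoint   = $vol.MountPoint
        VolumeType   = $vol.VolumeType          # OperatingSystem or Data
        VolumeStatus = $vol.VolumeStatus        # FullyEncrypted / FullyDecrypted / ...
        Protection   = $vol.ProtectionStatus    # On / Off
        Protectors   = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
        AtRisk       = ($vol.ProtectionStatus -ne 'On')
    }
}

$Findings | Format-Table -AutoSize

# The Windows password is an access control for a running OS, not a data-at-rest
# control. Flag any volume whose contents are readable without a protector.
foreach ($f in $Findings | Where-Object { $_.AtRisk }) {
    Write-Warning "$($f.MountPoint) ($($f.VolumeType)) is not protected: its data is readable without the Windows password."
}

# A TPM-only protector releases the OS volume key at boot with no user secret. For a
# laptop that leaves the building, pair it with a PIN (TpmPin) or a startup key.
$osVol = $Findings | Where-Object { $_.VolumeType -eq 'OperatingSystem' }
if ($osVol -and -not $osVol.AtRisk -and $osVol.Protectors -eq 'Tpm') {
    Write-Warning "OS volume $($osVol.MountPoint) relies on TPM only; consider TpmPin for devices used outside the office."
}
```

Run it once on a gold image and once on a sample of field laptops; any row with AtRisk set to True is a device for which the engagement above would succeed unchanged, regardless of how strong the user's logon password is.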