Social Engineering & Security Testing Thinking Exercises
10 exercises for our readers.
#SE01 → Your enemy resides in a different country and you want to spy on all his activities on his computer
// He connects to the internet to check his email
// He uses a free edition of an anti-virus product
// He is attracted to piracy and porn
Write down your approach or your thoughts about gaining access to every bit of data on his computer.
#SE02 → You want to know the IP address of a target and you need to know this without the knowledge of the target.
// Target is available on a social media platform: Twitter.
// Target likes freebies
#SE03 → You need to get into the physical infrastructure of a multinational company. The company entrance has a security guard, and if you bypass him through social engineering, you can accomplish your goal. What are your ideas to get through the security guard?
#EX01 → Your job is to help the customer with 5 good security questions and 5 bad security questions. Please list them.
#EX02 → Identify the possible threats in your company. These can be notorious developers, rogue insiders, employees who hold a grudge and so on. Also, list the reasons why you think they are a threat to your company. Basically, identify threat agents or threat drivers.
#EX03 → Passive Reconnaissance → You have been assigned a task to gather information or do a passive recon for http://tuppad.com/
Gather as much information as you can and list the highlights of your exploration.
#EX04 → Develop a functional design / algorithm for a forgot-password feature in a web application. Your goal is to help the customer achieve a secure-enough forgot-password feature.
// application type: food delivery / ecommerce
// email address is used as a username
#EX05 → What’s the best password according to you and why?
#EX06 → Username enumeration attack → Which of the error messages below is secure enough, and why are the others not good enough?
Invalid username / password
The username entered is incorrect. Please retry!
Username and password are both incorrect. Try again!
The password entered for username Santhosh is incorrect. (WordPress way)
#EX07 → Your task is to stop bots from cracking the username and password in the login form, and also to stop humans employed to carry out manual brute-force attacks. As a security consultant, what suggestions would you give to secure the login form against brute-force attacks?
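For #EX06 and #EX07, an added example (not part of the original exercises): a login handler whose error messages reveal which usernames exist, beside one that answers every failure identically and throttles repeated failures per username. The account store, thresholds and function names are assumptions made for illustration.

```python
import hashlib, hmac, os, time

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

# Constructed sample account store: username -> (salt, password hash).
_SALT = os.urandom(16)
USERS = {"santhosh": (_SALT, _hash("correct horse", _SALT))}
# Random record hashed against when the username is unknown, so both
# failure paths do the same amount of work.
DUMMY = (os.urandom(16), os.urandom(32))

GENERIC = "Invalid username / password"
MAX_FAILURES, LOCK_SECONDS = 5, 300       # assumed policy values
_failures = {}  # username -> (failure count, window start); in-memory only

def login_leaky(username, password):
    """Distinct message per failure: tells the caller which usernames exist."""
    if username not in USERS:
        return "The username entered is incorrect. Please retry!"
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return f"The password entered for username {username} is incorrect."
    return "OK"

def login_hardened(username, password, now=None):
    """One message for every failure, plus a per-username failure window."""
    now = time.time() if now is None else now
    count, since = _failures.get(username, (0, now))
    if now - since >= LOCK_SECONDS:       # window expired: start over
        count, since = 0, now
    if count >= MAX_FAILURES:             # throttled: password not evaluated
        return GENERIC
    salt, stored = USERS.get(username, DUMMY)
    ok = hmac.compare_digest(_hash(password, salt), stored) and username in USERS
    if ok:
        _failures.pop(username, None)
        return "OK"
    # Unknown usernames are counted too, so throttling itself leaks nothing.
    _failures[username] = (count + 1, since)
    return GENERIC
```

Per-username throttling lets anyone lock out a known account for the window, so production designs usually combine it with per-source limits and a secondary challenge rather than a hard lock.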