Tuesday, April 5, 2016

Be careful what you wish for: Information Leaks in Job Searches

Your company is leaking data. That is not a question. It simply is a fact. The reason is: job postings. The amount of information companies give out freely about their organization, network technology, infrastructure, etc., is amazing. It is also a potential gold mine for a would-be attacker. Consider the real (but edited for privacy) job description found on a very popular classified site:

“Nasty-Inc Consulting is looking for a Senior DevOps Engineer with a solid understanding of automation and configuration management technologies for our office in Evilopolis. The ideal candidate will have experience with automating evil infrastructures and continuous code deployment for surveillance systems across multiple data centers.

In This Role You Will:

...
• Implement and manage monitoring and analysis tools.
...
...
We would love to hear about it if you contribute to open source, write a blog, or otherwise participate in the technical community.
Qualifications:
• Demonstrated Windows and Linux systems engineering experience in a complex, highly virtualized environment.
• Experience working with cloud environments such as Amazon AWS/E2C, Windows Azure, or Cloud Foundry.
• Experience with Chef, Puppet or CFengine.
• Experience with build systems such as Jenkins, CruiseControl or Travis.
• Experience with continuous deployment systems such as Go.
• Ruby, PowerShell or Unix/OS X shell scripting experience (and prepared to dive into all three).
• Experience managing Windows, Linux, and OS X systems.
• Experience with Git, TFS, and/or other source control systems.
Why Nasty-Inc?
• One of Evilopolis' Fastest Growing Private Companies & Top 100 Best Companies to Work For (According to Evilopolis Business Magazine and Evil Business Journal)
• Casual environment, surrounded by incredibly intelligent and motivated co-workers, and a performance-driven culture
• Flexible Schedule
• Opportunity for growth
• Great location, great people, exciting projects, and tons of fun.

Nasty-Inc is an award-winning consultancy specializing in Mobile, Cloud, Intelligence gathering, SharePoint, Technology Infrastructure, Custom Development, Visual Design, and Restaffing Services for evil dictatorships all over the world. We focus on delivering true, measurable business value to our evil clients. We have top industry control and are dedicated to delivering dependable and reliable -inators that exceed the most villainous expectations. Nasty-Inc's motto is quality -inators on budget, on time, every time. Send your resume to Jane B. More at Jane.m@EvilMailServer.net

As you can see, the job description and qualifications give out the bulk of the information about the structure of Nasty-Inc's application. There were some less interesting tidbits that got edited out for brevity. The ones I boldfaced drive home the point of searching through job postings during the target enumeration phase. The first bolded line, "Implement and manage monitoring and analysis tools", implies that they do not have, or at least do not regularly use, monitoring on their network. You can guess that the majority of workstation targets will be Windows. Some will be Macs, and some may be Linux. You know that somewhere, someone in the organization is running PowerShell scripts they themselves don't maintain. The servers are cloud based and can be either Windows or Linux... but most importantly we have a point of entry and several built-in ways to get the HR people to act on our behalf.

First, the line "Send your resume to Jane B. More at Jane.m@EvilMailServer.net" is literally inviting an attempt to find an exploitable hole in their document viewer. Second, that line gives us a target mail server to investigate: EvilMailServer.net goes on the list of targets to scan. Third, we know the probable structure of usernames for their email logins. Jane B. More is jane.m, so perhaps Bill Johnston is bill.j. Finally, we already have a username we know is valid at EvilMailServer.net.

Another line of interest is "We would love to hear about it if you contribute to open source, write a blog, or otherwise participate in the technical community."
This is an invitation to send them links to sites they are almost guaranteed to click on. Let's say I rent the URL derkEvilness.me and drop a hooked web page there. I could simply copy some good-looking resume content and keep them interested long enough to profile the browser and underlying operating system... or any number of other nasty things.

The point of this is: make sure you are reviewing your job postings with security in mind. Do you need to be as specific about qualifications? Do you have to use your corporate email to receive replies?
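A review like the one the post asks for can be partly automated. The script below is an added example, not code from the original post: it scans a posting for the three kinds of leak discussed above (a corporate mail address and the login convention its local part implies, named technologies that describe the stack, and "implement X" phrasing that hints a control is missing) plus wording that invites candidates to send links. The keyword lists and the sample posting are constructed for the example and should be tuned to your own environment.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: a shortened version of the posting quoted in the post.
SAMPLE_POSTING = """\
In This Role You Will:
- Implement and manage monitoring and analysis tools.
Qualifications:
- Demonstrated Windows and Linux systems engineering experience.
- Experience working with cloud environments such as Amazon AWS, Windows Azure, or Cloud Foundry.
- Experience with Chef, Puppet or CFengine.
- Experience with build systems such as Jenkins, CruiseControl or Travis.
- Ruby, PowerShell or Unix/OS X shell scripting experience.
We would love to hear about it if you contribute to open source, write a blog, or otherwise participate in the technical community.
Send your resume to Jane B. More at Jane.m@EvilMailServer.net
"""

# Technology names that describe the stack to an outsider (constructed list; extend as needed).
TECH_TERMS = [
    "Windows", "Linux", "OS X", "AWS", "Azure", "Cloud Foundry", "Chef", "Puppet",
    "CFengine", "Jenkins", "CruiseControl", "Travis", "Ruby", "PowerShell",
    "Git", "TFS", "SharePoint",
]

# "Implement ... monitoring" style phrasing suggests the control does not exist yet.
GAP_PATTERNS = [
    re.compile(r"\bimplement(?:ing)?\b[^.\n]*\b(?:monitoring|logging|SIEM|analysis)\b", re.I),
]

# Wording that invites applicants to send URLs HR staff will open.
LINK_BAIT = re.compile(r"\b(?:write a blog|contribute to open source|link to your|portfolio)\b", re.I)

EMAIL_RE = re.compile(r"\b([A-Za-z0-9._%+-]+)@([A-Za-z0-9.-]+\.[A-Za-z]{2,})\b")


@dataclass(frozen=True)
class Finding:
    kind: str    # "email", "username-pattern", "tech", "gap" or "link-bait"
    detail: str


def review_posting(text: str) -> List[Finding]:
    """Return every disclosure found in a job-posting text."""
    findings: List[Finding] = []

    for m in EMAIL_RE.finditer(text):
        local, domain = m.group(1), m.group(2)
        findings.append(Finding("email", f"{m.group(0)} discloses mail domain {domain}"))
        # A local part like "jane.m" reveals the first.initial login convention.
        if re.fullmatch(r"[a-z]+\.[a-z]", local.lower()):
            findings.append(Finding("username-pattern",
                                    f"{local} suggests a first.initial login convention"))

    for term in TECH_TERMS:
        if re.search(r"\b" + re.escape(term) + r"\b", text):
            findings.append(Finding("tech", term))

    for pat in GAP_PATTERNS:
        for m in pat.finditer(text):
            findings.append(Finding("gap", m.group(0).strip()))

    for m in LINK_BAIT.finditer(text):
        findings.append(Finding("link-bait", m.group(0)))

    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per kind, which is what a posting reviewer wants at a glance."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = review_posting(SAMPLE_POSTING)
    for f in results:
        print(f"[{f.kind}] {f.detail}")
    print(summarize(results))
```

A posting that scores high on "tech" can usually be rewritten in terms of skills ("configuration management", "CI pipelines") rather than product names, and an "email" finding is the cue to route applications through a recruiting portal or a dedicated mailbox instead of a personal corporate address.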
