By Matt Hines
December 27, 2007
If the watermark for attaining hip-ness in American culture is landing
on TV or in Hollywood, in addition to the endless video annals of the
Web -- such as YouTube  -- then IT security, and penetration testing
in particular, has finally made it.
Yes, we've been seeing some pretty sophisticated hi-tech gadgetry in
films since before the Sean Connery era of "James Bond," and some truly
awful attempts to flesh out the perils that exist in the electronic
environment, but now things have gotten so absolutely wild in the real
world that security gamesmanship has gone reality TV.
Last week, CourtTV began running a new series dubbed "Tiger Team" in
which experts in IT and physical security engage in a pre-planned game
of cat-and-mouse pitting them against high-priced protection systems put
in place by actual businesses.
The initial results aren't pretty. That is, for those companies who
think that they've invested sufficient time and energy in trying to
defend their physical and informational assets.
In the show's initial episode, available for viewing here  in four
clips offered via official the CourtTV site (with minimal advertising
inter-dispersed I might add), the Tiger Team experts take on San Diego's
famed Symbolic Motors, a dealer of the ultimate forms of motor vehicular
expression -- Lamborghinis, Lotuses and Bentleys, yum.
Without ruining all the details for you, the team makes it perilously
clear that they can and will defeat expensive IT security, video
monitoring, motion detection and physical defenses with a little
easily-pulled off reconnaissance (including a free test drive in a new
Lotus Elise, nice bonus dudes!) and virtually no resistance.
One of the most shocking aspects of the exercise is when after doing
some rudimentary dumpster diving, the team uncovers details of the
dealer's IT services provider (hi there LANSolutions! "We provide
comprehensive, impenetrable safeguards for your business!" Hahaha!), and
merely pose as one of its employees to gain access to Symbolic's server
room and all the data therein.
Having nearly fully compromised the organization's entire perimeter
defenses beforehand, the team carries out its plan and breaks in during
the night and has its way with another free test drive.
And oh yeah, they also find a sales contract with all the personal
information of an individual who appears to be well-known Hollywood car
aficionado Nicholas Cage, and the records of a lot of other celebrity
customers. So if they get tired of driving their free Lambo Murcielagos,
Tiger Team can carry out some uber-targeted identity theft (if Cage has
any money left from all those divorces, that is) whenever they feel like
it (perhaps his next role should be "All my career earnings gone in 60
Not detailed in the CourtTV show, but fed to Zero Day blog, is the
information that the Tiger Team utilized automated penetration testing
tools made by vendor Core Security as part of its arsenal for finding
ways to crack the dealership's IT systems.
Nice product placement, but the usage also points out, as recently
described to me by Symantec security research guru Carey Nachenberg, how
bad guys are using the same commercially-produced tools as used for
protection by the white hats to find ways to get inside company
The high-price of such products is clearly no longer an issue for people
backed by a billion-dollar cyber-crime industry it would seem.
I'm still waiting for someone to hire Steven Spielberg to make Richard
Clarke's "Breakpoint" into a Hollywood blockbuster (and if done right I
think it could be), but in the meantime we can let the Tiger Team's work
speak to the real world relevance of IT security and the increasingly
dire landscape of criminal activity being carried out by technologically
CourtTV is promising more Tiger Team episodes in the near future.
Until then, keep it tuned here for further details.
[On January 1 2008, Court TV becomes truTV - www.trutv.com ] - WK
Visit InfoSec News