http://weblog.infoworld.com/zeroday/archives/2007/12/it_security_goe.html

By Matt Hines
InfoWorld.com
December 27, 2007

If the watermark for attaining hip-ness in American culture is landing on TV or in Hollywood, in addition to the endless video annals of the Web -- such as YouTube [1] -- then IT security, and penetration testing in particular, has finally made it.

Yes, we've been seeing some pretty sophisticated hi-tech gadgetry in films since before the Sean Connery era of "James Bond," and some truly awful attempts to flesh out the perils that exist in the electronic environment, but now things have gotten so absolutely wild in the real world that security gamesmanship has gone reality TV.

Last week, CourtTV began running a new series dubbed "Tiger Team" in which experts in IT and physical security engage in a pre-planned game of cat-and-mouse pitting them against high-priced protection systems put in place by actual businesses.

The initial results aren't pretty. That is, for those companies who think that they've invested sufficient time and energy in trying to defend their physical and informational assets.

In the show's initial episode, available for viewing here [2] in four clips offered via the official CourtTV site (with minimal advertising interspersed, I might add), the Tiger Team experts take on San Diego's famed Symbolic Motors, a dealer of the ultimate forms of motor vehicular expression -- Lamborghinis, Lotuses and Bentleys, yum.

Without ruining all the details for you, the team makes it perilously clear that they can and will defeat expensive IT security, video monitoring, motion detection and physical defenses with a little easily pulled-off reconnaissance (including a free test drive in a new Lotus Elise, nice bonus dudes!) and virtually no resistance.

One of the most shocking aspects of the exercise is when, after doing some rudimentary dumpster diving, the team uncovers details of the dealer's IT services provider (hi there LANSolutions! "We provide comprehensive, impenetrable safeguards for your business!" Hahaha!), and merely poses as one of its employees to gain access to Symbolic's server room and all the data therein.

Having nearly fully compromised the organization's entire perimeter defenses beforehand, the team carries out its plan and breaks in during the night and has its way with another free test drive.

And oh yeah, they also find a sales contract with all the personal information of an individual who appears to be well-known Hollywood car aficionado Nicolas Cage, and the records of a lot of other celebrity customers. So if they get tired of driving their free Lambo Murcielagos, Tiger Team can carry out some uber-targeted identity theft (if Cage has any money left from all those divorces, that is) whenever they feel like it (perhaps his next role should be "All my career earnings gone in 60 seconds").

Not detailed in the CourtTV show, but fed to Zero Day blog, is the information that the Tiger Team utilized automated penetration testing tools made by vendor Core Security as part of its arsenal for finding ways to crack the dealership's IT systems.

Nice product placement, but the usage also points out, as recently described to me by Symantec security research guru Carey Nachenberg, how bad guys are using the same commercially-produced tools as used for protection by the white hats to find ways to get inside company perimeters. The high price of such products is clearly no longer an issue for people backed by a billion-dollar cyber-crime industry, it would seem.

I'm still waiting for someone to hire Steven Spielberg to make Richard Clarke's "Breakpoint" into a Hollywood blockbuster (and if done right I think it could be), but in the meantime we can let the Tiger Team's work speak to the real-world relevance of IT security and the increasingly dire landscape of criminal activity being carried out by technologically advanced criminals.

CourtTV is promising more Tiger Team episodes in the near future. Until then, keep it tuned here for further details.

[1] http://www.youtube.com/watch?v=4Be-ZzcXVLw
[2] http://www.courttv.com/onair/shows/red/red_player.html?id=870&link=REDshlk

[On January 1 2008, Court TV becomes truTV - www.trutv.com ] - WK

Visit InfoSec News
http://www.infosecnews.org/