[ISN] IT security goes Prime Time

From: InfoSec News (alerts@private)
Date: Fri Dec 28 2007 - 01:26:25 PST


By Matt Hines
December 27, 2007

If the watermark for attaining hip-ness in American culture is landing 
on TV or in Hollywood, in addition to the endless video annals of the 
Web -- such as YouTube [1] -- then IT security, and penetration testing 
in particular, has finally made it.

Yes, we've been seeing some pretty sophisticated hi-tech gadgetry in 
films since before the Sean Connery era of "James Bond," and some truly 
awful attempts to flesh out the perils that exist in the electronic 
environment, but now things have gotten so absolutely wild in the real 
world that security gamesmanship has gone reality TV.

Last week, CourtTV began running a new series dubbed "Tiger Team" in 
which experts in IT and physical security engage in a pre-planned game 
of cat-and-mouse pitting them against high-priced protection systems put 
in place by actual businesses.

The initial results aren't pretty. That is, for those companies who 
think that they've invested sufficient time and energy in trying to 
defend their physical and informational assets.

In the show's initial episode, available for viewing here [2] in four 
clips offered via official the CourtTV site (with minimal advertising 
inter-dispersed I might add), the Tiger Team experts take on San Diego's 
famed Symbolic Motors, a dealer of the ultimate forms of motor vehicular 
expression -- Lamborghinis, Lotuses and Bentleys, yum.

Without ruining all the details for you, the team makes it perilously 
clear that they can and will defeat expensive IT security, video 
monitoring, motion detection and physical defenses with a little 
easily-pulled off reconnaissance (including a free test drive in a new 
Lotus Elise, nice bonus dudes!) and virtually no resistance.

One of the most shocking aspects of the exercise is when after doing 
some rudimentary dumpster diving, the team uncovers details of the 
dealer's IT services provider (hi there LANSolutions! "We provide 
comprehensive, impenetrable safeguards for your business!" Hahaha!), and 
merely pose as one of its employees to gain access to Symbolic's server 
room and all the data therein.

Having nearly fully compromised the organization's entire perimeter 
defenses beforehand, the team carries out its plan and breaks in during 
the night and has its way with another free test drive.

And oh yeah, they also find a sales contract with all the personal 
information of an individual who appears to be well-known Hollywood car 
aficionado Nicholas Cage, and the records of a lot of other celebrity 
customers. So if they get tired of driving their free Lambo Murcielagos, 
Tiger Team can carry out some uber-targeted identity theft (if Cage has 
any money left from all those divorces, that is) whenever they feel like 
it (perhaps his next role should be "All my career earnings gone in 60 

Not detailed in the CourtTV show, but fed to Zero Day blog, is the 
information that the Tiger Team utilized automated penetration testing 
tools made by vendor Core Security as part of its arsenal for finding 
ways to crack the dealership's IT systems.

Nice product placement, but the usage also points out, as recently 
described to me by Symantec security research guru Carey Nachenberg, how 
bad guys are using the same commercially-produced tools as used for 
protection by the white hats to find ways to get inside company 

The high-price of such products is clearly no longer an issue for people 
backed by a billion-dollar cyber-crime industry it would seem.

I'm still waiting for someone to hire Steven Spielberg to make Richard 
Clarke's "Breakpoint" into a Hollywood blockbuster (and if done right I 
think it could be), but in the meantime we can let the Tiger Team's work 
speak to the real world relevance of IT security and the increasingly 
dire landscape of criminal activity being carried out by technologically 
advanced criminals.

CourtTV is promising more Tiger Team episodes in the near future.

Until then, keep it tuned here for further details.

[1] http://www.youtube.com/watch?v=4Be-ZzcXVLw
[2] http://www.courttv.com/onair/shows/red/red_player.html?id=870&link=REDshlk

[On January 1 2008, Court TV becomes truTV - www.trutv.com ]  - WK

Visit InfoSec News

This archive was generated by hypermail 2.1.3 : Fri Dec 28 2007 - 01:46:01 PST