Slashdot Mirror


Penetration Testing TV Series Coming

ChazeFroy writes "CourtTV (TruTV) has a new series starting Dec. 25 at 11 pm called 'Tiger Team.' It follows a group of elite penetration testers hired to test organizations' security using social engineering, wired/wireless penetration testing, and physically defeating security mechanisms (lock picking, dumpster diving, going through air vents/windows). They do all of this while avoiding the organizations' various security defenses as well as law enforcement. The stars of the show also did a radio spot this morning in Denver." Wonder how they socially engineer away the presence of a camera team in the air vents.

18 of 209 comments

  1. Sounds a bit like... by 1zenerdiode · · Score: 4, Funny

    ...some sort of interactive pr0n... I don't want to see the set-top box.

    1. Re:Sounds a bit like... by renegadesx · · Score: 5, Funny

      I'm just glad the usual trolls are not around (goatse, gay sex writer, pony lover, etc.)

      They would have a field day with the title alone

      --
      Make SELinux enforcing again!
  2. How times have changed. by fahrbot-bot · · Score: 5, Funny
    (lock picking, dumpster diving, going through air vents/windows)

    Funny, when I did that they called it B&E - sigh.

    --
    It must have been something you assimilated. . . .
  3. First 50 seconds on Youtube by ChazeFroy · · Score: 5, Informative

    Opening montage of the show is on Youtube: http://www.youtube.com/watch?v=4Be-ZzcXVLw

  4. I thought.... by pablo_max · · Score: 4, Funny

    I thought it was a reality TV show about life in a condom factory.

  5. Reverse engineering? by Fractal+Dice · · Score: 5, Funny

    Kudos to the first group to penetrate the series' offices and make off with their tapes.

  6. nested humor by varkatope · · Score: 5, Funny

    I was going to write something witty and mildly suggestive. like "hey, so THOSE are the guys that inspect all those condoms that say things like inspected by No.4. I could be that number 4! Look out ladies." (Score:3, Funny)

    Then I realized that this is Slashdot, and most of us couldn't get laid if it was our jobs. (badum pum. ah-thankyou) Score:2, Funny or Score:2, Insightful. ...But THEN I realized once again that this is Slashdot, and that this story contains computers and myriad potential for dick jokes! (Score:5, Super Awesomeness OMG)

    So uh.... I could totally be that Number 4 inspector! ...something something computer security!
    ????
    Profit!!

    --
    I got a fever...and the only cure is more cowbell!
    1. Re:nested humor by Erpo · · Score: 4, Funny

      Golly. It sounds like you think people play Slashdot like some kind of giant MMORPG, grinding for points. But that couldn't be true. The purpose of comment moderation is to encourage people to make posts that are useful to the community and enrich the news, and everyone knows that computer systems are only used for their intended purpose.

  7. Re:Season 2? by The+MAZZTer · · Score: 4, Informative

    They have signed papers indicating they are permitted to do penetration testing, by request of the organization they are testing. If they get arrested, they show the papers, the police verify them, and they get released.

  8. Set-top box by Dr.+Cody · · Score: 4, Funny

    "I'm sick of all this sex on the tellyvision--I MEAN, I keep falling off!"

    - Mrs. Nesbit

  9. All I have to say is by steelfood · · Score: 4, Funny

    It better be hard or it won't be interesting.

    --
    "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
    1. Re:All I have to say is by Arthur+Grumbine · · Score: 5, Funny

      That's what she said...

      --
      Now that I think about it, I'm pretty sure everything I just said is completely wrong.
  10. Boss is in on it by RealGrouchy · · Score: 5, Insightful

    From the looks of the trailer/montage, it looks like these are people who are paid by the site owners to test the security systems; the tech security equivalent of "secret shoppers".

    Not very surprising, but what does surprise me is that the site owners are letting CourtTV broadcast to the world that their facilities are insecure.

    - RG>

    --
    Hey pal, this isn't a pleasantforest, so don't waste my time with pleasantries!
  11. The easy way in by Anonymous Coward · · Score: 4, Funny

    "...(lock picking, dumpster diving, going through air vents/windows)..."

    Aha! Out of that list, looks like "going through...Windows" will be the fastest, easiest way to breach security.

  12. Cameras would make it easier. . . by ookabooka · · Score: 4, Insightful

    Wonder how they socially engineer away the presence of a camera team in the air vents.

    Ok, airvents yes, but social engineering would probably benefit from these cameras. A secretary might not stop a guy in an IT suit walking out with a computer, but you think he/she'd be more likely to stop a guy carrying out a computer while he's talking to a 3 man camera team with boom microphones etc. "Hey, where are you going with that computer?" "Oh, I'm John from tech co, is having me lead this team from around about IT in the modern world." (turns to camera) "One thing paramount to security is patching your systems, this machine here has been exhibiting bizarre behavior on the network, most likely due to spyware and that is why it has been removed from the network to undergo analysis in the IT lab." Really, I think the hardest part would be getting the crew to go along with whatever quick responses you give to anyone who really questions you. It only takes 1 guy that acts a bit suspicious and unsure to ruin the whole thing.
    --
    If you are about to mod me down, keep in mind that this post was most likely sarcastic.
  13. Pretty standard stuff by teslatug · · Score: 4, Informative

    So from the radio interview, they explain one of their break-ins into an expensive car dealership. The weak point is as usual the employees who let them video tape the place and let one of them into the data center just because he managed to get (through dumpster diving) the business card of their support company.

  14. Re:I can't wait. by databeast · · Score: 5, Informative

    I know these guys. One of them is a Defcon Goon and has a book or three published too, the other's a better lockpicker than you will ever dream of being, the third guy's a pretty slick business brain. I'd happily bet any single one of them against you and a team of your choice for skills.

  15. Re:Season 2? by anticypher · · Score: 5, Interesting

    The one pen-test group I consulted for long ago had a very serious procedure in place to verify and document everything before starting the job. This was just electronic/internet/social penetration, no testing of physical security. Much of what they did was related to legal (through the courts) attacks, they would mostly have meetings with the in-house counsel or retained law firms to ensure they were ready to respond to lawsuits, indictments, and media accusations. The electronic pen-test was a sideline to verify legal compliance where personal and financial data was stored or processed.

    Before they would do any kind of network scanning, database testing, or even attach one of their laptops to the network, they would require a face-to-face meeting with the entire board of directors and senior management. The meetings would be video taped and documented, and all sides would sign the agreement stating the entire scope of the work, and work wouldn't start until after the video tapes and legal documents were safely stored off-site and reviewed. They required the head of legal counsel to affirm on video and in a signed document that the company was aware of the testing to be done, and held the pen-test firm free of any liability (I don't remember the exact British legal term they used).

    It was good they got this level of protection for us, I've heard many stories from ex-pen testers about being hired by the supposed head of IT, only to discover the CTO was unaware of the agreement. Even having a signed document from someone in the company isn't good enough in the short term if the company turns around and bites you. One friend was driven out of business by court costs despite a signed document, his company just didn't perform due diligence on the authority of the IT director. Another friend was blamed for hacking and destroying the main database, before they had even arrived on site to plug into the network. While they were still in the IT director's office looking for a working network jack, the DBA accused them of hacking and destroying the main database. They didn't get paid for that job, they just walked away when the IT director didn't side with them.

    I don't do security pen-testing any more, most companies who hire pen-testers do so in place of either writing a policy, or implementing it. They want pen-testers to break things so they can get more budget, and that's it. Even asking up front for the basics like a list of equipment or range of IP addresses shows most companies don't know their own inventory. Pen-testers then become scapegoats, often with associated criminal complaints.

    The video clip commercial looks downright scary. This show has the potential to turn public opinion into laws preventing any kind of security consulting, whether it's something simple like a paper audit of a security policy or a complex review of network configuration. You just know this show is edited for maximum Rambo/DieHard/IndianaJones effect because preparation and meetings are boring.

    the AC

    --
    Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on