Penetration Testing TV Series Coming

ChazeFroy writes "CourtTV (TruTV) has a new series starting Dec. 25 at 11 pm called 'Tiger Team.' It follows a group of elite penetration testers hired to test organizations' security using social engineering, wired/wireless penetration testing, and physically defeating security mechanisms (lock picking, dumpster diving, going through air vents/windows). They do all of this while avoiding the organizations' various security defenses as well as law enforcement. The stars of the show also did a radio spot this morning in Denver." Wonder how they socially engineer away the presence of a camera team in the air vents.

Sounds a bit like...

[1zenerdiode]

...some sort of interactive pr0n... I don't want to see the set-top box.

Re:Sounds a bit like...

[renegadesx]

Im just glad the usual trolls are not around (goatse, gay sex writer, pony lover, etc)

They would have a field day with the title alone

Next up in the cable technology space...

[ravenspear]

Set top boxes that give you feedback on the presence of any loose male cables dangling from their backsides through a series of audio tones.

Sources familiar with the development of the units indicate that the cable integrity is calculated through an internal "fulfillness meter" each box has that is dynamically calibrated to the thrusting force of initial cable insertion by the owner.

The audio tones are said to become louder as the internal weight of the portion of cable inserted decreases on a linear scale.

New owners feel the new design could be a boon to children, who lacking a cohesive concept of proper cable pairment, had difficulty before in detecting the causes of abnormal video problems with the units.

Re:

[bidule]

The audio tones are said to become louder as the internal weight of the portion of cable inserted decreases on a linear scale.

I suppose both pitch and volume modulation go hand in hand. That would result in a richer, more natural sound.

New owners feel the new design could be a boon to children, who lacking a cohesive concept of proper cable pairment, had difficulty before in detecting the causes of abnormal video problems with the units.

You know how funny noise can keep kids amused for hours? The last thing I want is a 4y old playing with home entertainment devices.

If you're antropomorphizing, might as well go all the way. It would be more useful to have a "hey!" sound if you put it in the wrong place, but it's hard to detect before it is fully inserted.

Re:

[bidule]

Woosh!

Woosh!
May the little hamster make your wheel go "squeek! squeek!" now.<VBEG>

Set-top box

[Dr. Cody]

"I'm sick of all this sex on the tellyvision--I MEAN, I keep falling off!"

- Mrs. Nesbit

All I have to say is

[steelfood]

It better be hard or it won't be interesting.

Re:All I have to say is

[Arthur Grumbine]

That's what she said...

How times have changed.

[fahrbot-bot]

(lock picking, dumpster diving, going through air vents/windows)

Funny, when I did that they called it B&E - sigh.

Re:

[Tuoqui]

Yeah but you werent hired to try and break the security

Re:

[Opportunist]

Hey, I was!

It just wasn't by the company I visited.

Re:How times have changed.

[sammy baby]

BANK EMPLOYEE: (typing on a check) So, people hire you to break into their places... to see if you can break into their places?

BISHOP: It's a living [imdb.com].

BANK EMPLOYEE: (looks at check, hands it to BISHOP with sympathetic expression) Not a very good one.

Re:

[sumdumass]

The cops might not either. Recently in the news there was some movie crew shooting a bank robbery scene and the real cops showed up and shot five of the actors. I think 3 are dead, one was close to dea and the other should live.

Not being caught by the cops is something that they shouldn't play around with. Even if they aren't using guns in their actions, there have been quite a few instances where someone thought a keychain, flashlight or a pimped out wallet was a gun and the cops opened fired Now with thin

Re:How times have changed.

[PhxBlue]

Funny, when I did that they called it B&E - sigh.

Yes, because you got caught. :)

First 50 seconds on Youtube

[ChazeFroy]

Opening montage of the show is on Youtube: http://www.youtube.com/watch?v=4Be-ZzcXVLw [youtube.com]

Re:First 50 seconds on Youtube

[elrous0]

Breaking into all those places is easier for any clever hacker or thief. If they really want to impress us here on /., they need to accept the ultimate challenge: break into a girl's pants.

Re:

[smittyoneeach]

Let's see:

• They break in to MicroSoft: depressingly easy.
• They break in to Apple: that could be fun, based on Job's sense of humor.
• They break in to the US Government: giant traffic jam amongst the other break-ins, a surprising bore.
• They break in to Theo de Raadt's network: priceless, if they can penetrate Puffy

The next new show...

[techno-vampire]

They do all of this while avoiding the organizations' various security defenses as well as law enforcement.

COPS meets Tiger Team. I see a great need.

Re:

[gmack]

Sounds more like Sneakers the TV series.

Re:

[jenilyn]

I want a Winnebego.

Re:

[cayenne8]

"COPS meets Tiger Team. I see a great need."

I kinda doubt it....not many hackers run around in wife beater t-shirts and mullets.

:-D

Re:

[paralaxcreations]

They don't?

Re:

[sumdumass]

He means not many hackers he has seen portrayed on TV and in the movies.

We all know they are quasi skateboard punks with the unix bible under their arm and rich kids rebelling from their daddies lack of efectione.

Re:

[TheLink]

Well it's going to be hard getting those fat bearded hackers through air vents or windows.

On the bright side, some of them might actually smell better after dumpster diving. ;).

I thought....

[pablo_max]

I thought it was a reality TV show about life in a condom factory.

Re:

[Anonymous Coward]

It would be titled 'Jack, the Disgruntled Condom Factory Worker with a Needle.'

Re:

[deniable]

Every unit hand tested at the factory.

Penetration testing?

[deuist]

On Court TV? I thought that kind of show only aired on Cinemax after midnight.

Re:

[BunnyClaws]

You are thinking of Skin-a-max (Cinemax.)

Reverse engineering?

[Fractal Dice]

Kudos to the first group to penetrate the series' offices and make off with their tapes.

nested humor

[varkatope]

I was going to write something witty and mildly suggestive. like "hey, so THOSE are the guys that inspect all those condoms that say things like inspected by No.4. I could be that number 4! Look out ladies." (Score:3, Funny)

Then I realized that this is Slashdot, and most of us couldn't get laid if it was our jobs. (badum pum. ah-thankyou) Score:2, Funny or Score:2, Insightful. ...But THEN I realized once again that this is Slashdot, and that this story contains computers and myriad potential for dick jokes! (Score:5, Super Awesomeness OMG)

So uh.... I could totally be that Number 4 inspector! ...something something computer security!
????
Profit!!

Re:nested humor

[Erpo]

Golly. It sounds like you think people play Slashdot like some kind of giant MMORPG, grinding for points. But that couldn't be true. The purpose of comment moderation is to encourage people to make posts that are useful to the community and enrich the news, and everyone knows that computer systems are only used for their intended purpose.

Number 2

[DreadSpoon]

You can be the Number 4 Inspector, just so long as I don't have to be the Number 2 Inspector. Because, well.. ew.

Ssssshhh!!!

[TibbonZero]

Don't make Americans even more freaked out. Everyone's already worried about 'security'. Don't make them think that us average dumpster divers and hackers are bad people.

Re:

[Opportunist]

Well, depending on how they do it, they could make those hackers the "cool people". I just hope they manage to do it without overdoing the Sneakers BS.

I mean, this is sensationalist TV. I doubt they'll focus on a lot of puzzle work and the long hours of patient observation to find the flaws in their security setup.

Re:

[aussie_a]

Oh yes, wouldn't that make for fascinating tv! Watching people, watch other, for hours on end! Astounding! You sir should be a tv producer.

Re:

[Opportunist]

I didn't say that it would be exciting. Hacking is a bit like fishing (not phishing, dammit), it's really not a spectator sport.

Re:

[blindd0t]

I guess it's a double edged sword. If, for example, my next employer was just a little more informed as a result of seeing this show, and took a little extra time to shred any documents containing any sensitive data about me prior to putting it out to the curb, then it may very well be worth while. We as consumers are also very trusting of the various entities we provide our information to as well, so the same applies to the next medical doctor I might see. I'm cautiously optimistic this will contain mor

If my job is so fucking cool can I have a raise

[gelfling]

It's been like 5 years.

Re:

[djcapelis]

Sweet!

That's not the IT-reality show *I* want to see...

[Mr. Roadkill]

No, I'd like to see "I'm A CEO - Get Me Out Of Here".

Steve Ballmer, a stack of chairs, and Larry Page. Oh, and a couple of bottles of tequila. And handguns.

Darl McBride, twelve inches of hosepipe and a bottle of fireants - lube will be optional.

Who else wants to see Mark Burnett or Jon de Mol pick this up and run with it?

Re:That's not the IT-reality show *I* want to see.

[deniable]

Carley Fiorina and Pattie Dunne do The Simple Life, sponsored by HP.

Re:That's not the IT-reality show *I* want to see.

[Opportunist]

I could see Darl in that, but I doubt Steve will come. Remember, that kind of show is usually reserved for ex-stars. So we'd have to use ex-CEOs.

Re:

[sumdumass]

Maybe Steve knows something we don't and will want to get ahead of the curve?

+4, Insightful !?

[grandmofftarkin]

+4, Insightful !?

Ok, it might have changed but that is what it said just now when I read it. That is funnier than the comment! ;-)

Boss is in on it

[RealGrouchy]

From the looks of the trailer/montage, it looks like these are people who are paid by the site owners to test the security systems; the tech security equivalent of "secret shoppers".

Not very surprising, but what does surprise me is that the site owners are letting CourtTV broadcast to the world that their facilities are insecure.

- RG>

Re:

[ookabooka]

I highly doubt that the names of the companies will be part of the show. They'll probably just say: "A electric utilitiy company based in the northeast." or somesuch.

Re:

[deniable]

They'll go for mid-size companies and won't name them. They've probably had the film in the can long enough for the company to action anything that came up and I'm sure they'd remove anything that was still vulnerable.

Re:

[Capt James McCarthy]

This show (like all 'reality' shows) is going to be crap and set up. No drama means no ratings, so they have to create drama. First off, no CEO with any brains would allow his or her company to be placed in this spotlight along with allowing real criminals an opportunity to view their security systems up close. A company has to have customers who trust them and getting burned on a 'reality' show is not a way to earn it.

Re:

[Legion303]

"First off, no CEO with any brains would allow his or her company to be placed in this spotlight along with allowing real criminals an opportunity to view their security systems up close."

You're right, because there's absolutely no way to edit recorded footage these days. Otherwise, shows like this would be possible without a bunch of fake trickery.

The easy way in

[Anonymous Coward]

"...(lock picking, dumpster diving, going through air vents/windows)..."

Aha! Out of that list, looks like "going through...Windows" will be the fastest, easiest way to breach security.

Re:

[calebt3]

Here's my +1 Funny.

I liked it better

[deft]

when they called this red cell, marcinko was kicking butt, and it wasnt compromising fax machines, but military bases.

seal team ftw :)

TV - can it sink any lower

[VonSkippy]

If it's on TV then you know it will be staged and chock full of pseudo-science dumbed down for the unwashed hordes (like Ghost hunters only with even worse acting and cheesy special effects).

May not be too realistic...

[gweihir]

Judging from other reality formats, this may not be too realistic. Show value over accuracy!

Also there are numerous legal issues. For example, instructing people publicly to do this may be illegal in the first place and open you up to liability of somebody uses the methods shown to commit a crime. Also, companies will not agree to have their vulnerabilities shown in public.

I therefore predict that this will only show well-known attack techniques against very common vulnerabilities, but nothing of real infor

Re:

[Opportunist]

Quite likely, but I could see small companies wanting a free penetration test, even at the expense of having their security flaws shown. You won't benefit from them, since it's likely they will be shown how to close them, too.

What you could lose of course is goodwill. I mean, would you trust a company that has been shown on national TV to be insecure? In other words, all those companies that we'd love to see penetrated and shown as insecure would never ever even consider participating in this.

Re:

[gweihir]

And what part of "may" do you not understand?

Re:

[aussie_a]

In that case the lotto numbers may be 12, 34, 63, 1, 79 and 66. Isn't it fun to talk about stuff you have no idea about?

Re:

[gweihir]

You would obviously know.

This has been up for one hour and one minute...

[greenguy]

...without the appropriate movie reference [imdb.com]!

Cameras would make it easier. . .

[ookabooka]

Wonder how they socially engineer away the presence of a camera team in the air vents.

Ok, airvents yes, but social engineering would probably benefit from these cameras. A secretary might not stop a guy in an IT suit walking out with a computer, but you think he/she'd be more likely to stop a guy carrying out a computer while he's talking to a 3 man camera team with boom microphones etc. "Hey, where are you going with that computer?" "Oh, I'm John from tech co, is having me lead this team from around about IT in the modern world." (turns to camera) "One thing paramount to security is patching your systems, this machine here has been exhibiting bizzare behavior on the network, most likely due to spyware and that is why it has been removed from the network to undergo analysis in the IT lab." Really, I think the hardest part would be getting the crew to go along with whatever quick responses you give to anyone who really questions you. It only takes 1 guy that acts a bit suspicious and unsure to ruin the whole thing.

Damn html. . .

[ookabooka]

That was supposed to be: "Oh, I'm John from tech co, <boss's name> is having me lead this team from <media company> around about IT in the modern world."

Re:

[johndiii]

Rather than resorting to ecode, you could use &lt; to give you < and &gt; for >.

Re:

[Opportunist]

Actually, a TV team might even help. Make it big, even show off that "you're coming on TV" and you'll see people cooperate with anything, because hey, they're getting screen time! Start interviewing them, they'll be nervous and distracted, you could even steal their computer underneath their hands without them noticing it because hey, they're on TV!

Re:

[aussie_a]

This is exactly what I was thinking. I'm less likely to question someone who appears as if they're doing some tv show then I am some random slob.

It takes a thief?

[psychicsword]

I am guessing this is something like "It Takes a Thief" [discovery.com] on the Discovery Channel

While I'm sure this makes for good TV and all...

[edunbar93]

This is one of those things where just because you *can*, doesn't mean you *should*. And putting it on TV with a CYA boilerplate of "don't try this at home kids", is an astoundingly stupid idea.

It actually kind of reminds me of a segment in Weird Al's movie "UHF".... "Today boys and girls, we're going to learn to make PLOO-TOE-NEE-UM. Out of common, household items."

Re:

[PlatyPaul]

I hate to burst your bubble, but there's no "boys and girls" in that quote. Here ya go:

Hello, my name is Philo and welcome to Secrets of the Universe. Today we are going to learn how to make plutonium from common household items.

(Anthony Geary [imdb.com] as Philo, "UHF" [imdb.com])

Reminds me of the wonderful nature shows

[MerlynEmrys67]

I am crawling deep into this cave - we don't know what is in there but it could be very dangerous... Followed by a head shot of the lead guy crawling toward the camera into the great danger just beyond in the cave.
This show is so obviously faked, or it would be completely boring for the average person to watch. Who wants to watch someone forging credentials and walking around with a clipboard. No way they could do their job with a full camera crew behind them (Well, they could do it once... make fake cr

Re:

[parcel]

I am crawling deep into this cave - we don't know what is in there but it could be very dangerous... Followed by a head shot of the lead guy crawling toward the camera into the great danger just beyond in the cave.

It is pitch black. You are likely to be eaten by a grue.
>

Don't know how I feel about this

[brit74]

Obviously, it's important for companies to become more aware of security. On the other hand, it will also provide lots of training material for criminals. I remember reading that some of the crime-detective shows have taught the criminals how they were getting caught, and criminals have started taking the exact precautions needed to avoid getting caught. (For example, using bleach to destroy their own DNA evidence, or putting a bunch of random cigarette butts in the ashtray of a car they had stolen - to

Oh No!

[mqduck]

(Geeks + tech info + "penetration") = chaos.

Be more careful, Slashdot.

I aleady posted a comment, now I'm posting another

[mqduck]

It follows a group of elite penetration testers

I don't have the slightest clue what an "elite penetration tester" is, but some part of me (i think its the lower/middle part) really wants to major in this field.

Pretty standard stuff

[teslatug]

So from the radio interview, they explain one of their breakins into an expensive car dealership. The weak point is as usual the employees who let them video tape the place and let one of them into the data center just because he managed to get (through dumpster diving) the business card of their support company.

Typical slashdot replies but

[tuomoks]

Take it easy, it is just a show but there is a real life also. Penetration testing wasn't new even when I hit it in an insurance company(70's). We did it and when we did need professionals hired people from an UK company for that, they were good, very good. They were impressed of our computer / systems security but much less of our physical security (heh, I was responsible of systems security). I still remember our CEO really blowing up when the penetration team presented him a couple of very sensitive busi

TV

[Tom]

Wonder how they socially engineer away the presence of a camera team in the air vents.

#1 rule of television: Nothing you see on television is real.

Like any "reality show", they show at best a recreation of actual events.

They will

[DeeQ]

Wonder how they socially engineer away the presence of a camera team in the air vents.

Probably by carrying the cameras themselves like those bad haunted house shows.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Incorrect tag

[Karellen]

Tag should be "setec astronomy", not "ctec astronomy"

How to make a camera crew "invisible"

[BorgCopyeditor]

Wonder how they socially engineer away the presence of a camera team in the air vents.

"We're filming here."

Re:

[bladesjester]

Like it's a sport to go rummaging through the trash... LOL

There's a lot more to it than just rummaging through the trash.

When you're going for sensitive information and not just things like parts, common sense dictates that you pick your targets carefully and have a plan for executing the dive (though most of the following would apply to diving for equipment as well):
Knowing which dumpsters and containers are more than likely to have sensitive information.
Knowing how to get in and out of the area without ge

Re:

[Barkmullz]

Like it's a sport to go rummaging through the trash... LOL

I think it is a sport here [newsminer.com].

Re:Season 2?

[The MAZZTer]

They have signed papers indicating they are permitted to do penetration testing, by request of the organization they are testing. If they get arrested, they show the papers, the police verify them, and they get released.

Re:

[The MAZZTer]

Er, at least, that's how these sorts of things are supposedly done. IANAPenetration Tester.

tazer the geek

[mevets]

will be the followup outtakes special.

Re:Season 2?

[Belial6]

Isn't it illegal to knowingly call the cops with a false report? I realize that the specific IT person or security guard won't be in on the joke, but whoever sets up the "penetration test" knowingly is setting up an employee to call in a false report. This means the corporation as an entity is calling in a false report.

Re:

[jerw134]

In one article I read about the practice of penetration testing, the firm doing the testing coordinated with the local police department, so that they would be aware of what was going on.

Re:Season 2?

[Opportunist]

This is the only way I'd do it in a country like the US. Else it could be quite dangerous if you happen to meet a trigger happy cop who mistakes those tapes in your hands for a machine gun.

Re:

[QuantumRiff]

Exactly. Towing companies notify police every time they tow a car, since the owner is likely to call 911, and report their car has been stolen. I would imagine the penetration testing companies do the same thing.

Brian

Re:

[Tony Hoyle]

Or.. the first thing any half decent penetration tester would try to pull.

Aside: WTF is going on with these HP dropdown flash ads filling up half my screen when I'm trying to type?

Re:

[aussie_a]

You actually think corporations are held to the law. How cute, do you still believe in Santa Claus as well?

Re:

[ChrisA90278]

This is easy. You tell the police in advance what's up. You don't tell the night watchman or more likely you tell the night watchman to pretend like he does not know. I mean how could he ignore a TV crew, their white carting trucks the lighting equipment actors and so on.

People who believe that reality shows are not scripted and shot with multiple takes, likely believe pro wrestling is real too.

Have you been following the writer's strike. One of the things the writers want is for their work on reality s

Re:

[Lord Ender]

The law is not a computer algorithm! We have judges and opposing arguments for a reason. Subjective phrases, such as "good faith" and "fair and reasonable" are used in laws for a reason.

Penetration testing is a big industry. Lawyers on both sides of the contract OK these things before they get signed.

Re:

[Opportunist]

In theory, nice.

In practice... well, you get to see a lot of prisons for a night. How many bosses can be reached to verify those papers during your "work hours" (read: after the usual work hours)?

Re:Season 2?

[anticypher]

The one pen-test group I consulted for long ago had a very serious procedure in place to verify and document everything before starting the job. This was just electronic/internet/social penetration, no testing of physical security. Much of what they did was related to legal (through the courts) attacks, they would mostly have meetings with the in-house council or retained law firms to ensure they were ready to respond to lawsuits, indictments, and media accusations. The electronic pen-test was a sideline to verify legal compliance where personal and financial data was stored or processed.

Before they would do any kind of network scanning, database testing, or even attach one of their laptops to the network, they would require a face-to-face meeting with the entire board of directors and senior management. The meetings would be video taped and documented, and all sides would sign the agreement stating the entire scope of the work, and work wouldn't start until after the video tapes and legal documents were safely stored off-site and reviewed. They required the head of legal council to affirm on video and in a signed document that the company was aware of the testing to be done, and held the pen-test firm free of any liability (I don't remember the exact British legal term they used).

It was good they got this level of protection for us, I've heard many stories from ex-pen testers about being hired by the supposed head of IT, only to discover the CTO was unaware of the agreement. Even having a signed document from someone in the company isn't good enough in the short term if the company turns around and bites you. One friend was driven out of business by court costs despite a signed document, his company just didn't perform due-diligence on the authority of the IT director. Another friend was blamed for hacking and destroying the main database, before they had even arrived on site to plug into the network. While they were still in the IT directors office looking for a working network jack, the DBA accused them of hacking and destroying the main data base. They didn't get paid for that job, they just walked away when the IT director didn't side with them.

I don't do security pen-testing any more, most companies who hire pen-testers do so in place of either writing a policy, or implementing it. They want pen-testers to break things so they can get more budget, and that's it. Even asking up front for the basics like a list of equipment or range of IP addresses shows most companies don't know their own inventory. Pen-testers then become scapegoats, often with associated criminal complaints.

The video clip commercial looks downright scary. This show has the potential to turn public opinion into laws preventing any kind of security consulting, whether it's something simple like a paper audit of a security policy or a complex review of network configuration. You just know this show is edited for maximum Rambo/DieHard/IndianaJones effect because preparation and meetings are boring.

the AC

Re:

[jollyreaper]

They have signed papers indicating they are permitted to do penetration testing, by request of the organization they are testing. If they get arrested, they show the papers, the police verify them, and they get released.

God, I hope the cops verify the papers quickly. I certainly wouldn't want to be them if they get sent to federal "penetration test" prison.

Re:Season 2?

[aproposofwhat]

You should read my paper "Waterboarding as a Social Engineering Tool" .

Great for those pesky situations when you need the CEO's password in a hurry - 35 seconds [independent.co.uk] should do it in most cases.

:P

Re:I can't wait.

[databeast]

I know these guys. One of them is a Defcon Goon and has a book or three published oo, the other's a better lockpicker than you will ever dream of being, the third guy's a prtty slick business brain. I'd happily bet any single one of them against you and a team of your choice for skills.

Re:

[SCHecklerX]

Ah cool. Now where are my mod points?

Re:

[Leebert]

acronym for "Too many secrets" remember?

Not quite, it was an anagram of "Too many secrets".

But yes, it was SETEC Astronomy