Schneier on Security
A blog covering security and security technology.
« Santa and the TSA |
| "Holy Schneier" »
December 26, 2007
"Tiger Team" Reality TV Show
On Court TV:
This vérité action series follows Tiger Team a group of elite professionals hired to infiltrate major business and corporate interests with the objective of exposing weaknesses in the world’s most sophisticated security systems, defeating criminals at their own game. Tiger Team is comprised of Security Audit Specialists Chris Nickerson, Luke McOmie and Ryan Jones who employ a variety of covert techniques electronic, psychological and tactical -- as they take on a new assignment in each episode.
Watch the trailer. Look at the photo. Okay, so it'll be unrealistically sensationalist. But it might be fun.
First episode is tonight.
EDITED TO ADD (12/26): My apologies. The episodes aired last night, on Christmas Day. If there are any recordings out there, please post URLs.
Posted on December 26, 2007 at 7:50 AM
• 64 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Wonder how covert it will be with a camera team following them around. More like, just another scripted "reality" tv show.
@Shawn: True, but given the subject matter it should still be somewhat interesting.
I heard about this the other day and am really excited about it.
Watching the trailer, I didn't see any evidence of a camera crew. Some security camera footage, hidden cams, remote shots...
I watched it last night and I was surprised at the level of detail they chose to reveal, and how seemingly well done it was.
It's nice to see some attention cast on real security and what it takes to really be secure.
The thumb drive usage in the jewelry store episode was particularly good to see - although since they tripped the alarm anyway, then jamming it and cutting its comm line, they could have accomplished the same without that code.
Like Shawn I am skeptical about how "realistic" this show will be. People are already the weakest link in the security chain and the presence of cameras will only reduce their intelligence and their resistance to any tactics these guys employ. Bruce, any thoughts on the qualifications on these Security Audit Specialists?
I found it interesting that they cloned the guys access card, and then told him the countermeasure is a faraday sleeve.
Um, hello? Rely on 100% user compliance much? Why ignore the guy down the hall snarfing RF codes as you swipe the door?
Better they should have told him to dump the RF access system for a swipe + pinpad. 2 factor, baby.
Is it online anywhere? I missed setting the old DVR and it's apparently not scheduled for any reruns.
I also thought that was probably the weakest recommendation they could have used. If he was going to use his (divulged to a faux magazine interviewer) daughter's birthday for that PIN too it would not likely have taken much longer to get through, however.
I know all three of these guys very well and their qualifications are quite impressive. Chris's resume reads 10 pages long and has worked for some of the largest companies in the world. With certs such as CISA, CISSP, and BS7799 he has 13 plus years of expereince at age 28. Luke is also a CISSP and a PSP which is the highest accredidation for Physical Assessments. He also has more then 15 years expereince. Ryan is also a CISSP with 10 plus years of hacking expereince. If I'm not mistaken he cut his teeth at IBM.
As far as the level they revealed, keep in mind that even though they mentioned the sleeve it was probably not the only option they gave the manager, (I actually know this to be fact), just the cheapest.
Times and dates for reruns will be released soon.
I watched both episodes last night; overall I believe it was presented very well. They performed their "attack" with a sense of methodology phases, plus they showed several techniques from social engineering to RFID capturing.
I did see some concerns I would like to point out.
First there is NO disclaimer about the fact that these individuals are "professional" and they have written consent to perform these attacks. (e.g. "Get Out of Jail Free"). Without the proper document, there are potential up and coming "Security Professionals" trying to help someone's security status without consent and end up finding themselves in jail.
Secondly, the intro of the show stated that they are the ONLY Civilian Tiger Team in existence: Really? I know that is not true, but I think this is Tru TV spinning them not the team themselves.
Also, back to documentation; they never showed any record of written document given to the client with their findings, which is a standard for pen testing methodologies.
Lastly, there attack, just as in any pen test or audit revealed flaws that only this team has found. This does not me the risk is complete mitigated after the client changes the suggested remediation. An example is in the car showroom episode they stated that they saw a few "unsafe" ways but decided to take the skylight. These "unsafe" ways are still vulnerable to a thief with less fear.
In closing, I believe it is a good realistic security show that will hopefully open some minds in the corporate world to tighten their security.
You are absolutely correct in your assumptions about the name Tiger Team. This was a CourtTV idea not Chris's team.
As far as documentation goes, well let's just say the two businesses are still swimming in the paperwork and reports they were given. Not only did they get physical assessment reports but technical as well. I'm not sure why they didn't show that part other then it wasn't good TV but I agree it would have been nice to note.
You are also right about their recommendations not being fool proof. In the final reports these guys give they state clearly that they are making recommendations based on best business practice and their own expereinces and in no way are they guaranteeing that someone with less fear would not attempt to break in. After all, there is no such thing as eliminating risk only managing it.
I do agree with you about the disclaimer. I would have liked to see that these guys are "professionals" and have certifications that are recognized at a global level.
I will send your comments to Chris and his team to see if they have any additional comments they would like to mention. I'm sure they will appreciate everyone watching and the interest is has created.
Surge> Ryan is also a CISSP
I know several people with CISSP certs who have nothing more than the ability to study for and take tests, no practical security experience at all. CISSP has become as meaningless as any other cert.
I'm sure the Tiger Team guys are qualified. Though I enjoyed the program, I was a little put off by their arrogance--"In the civilian world, there's only one 'Tiger Team'," "We're the best, hands down." If the former is Court TV's spin, it doesn't show in the latter. But they do seem to be quite knowledgable and experienced.
I was perplexed that they are contracting with people to invade their premises seemingly without ever even meeting in person. There was no indication of how clients are supposed to authenticate that they are dealing with the real "Tiger Team" and not a criminal organization. I assume it involves a bunch of lawyers, but some elucidation is needed, especially in view of the social engineering tactics they use in the second episode.
Nonetheless, a worthwhile show with interesting and concise presentation. The music and suspense aren't too overdone, and it's quite well edited, packing a lot of information into a very watchable 30 minutes.
The two episodes re-air 2007/12/28 at 0330h US/Eastern.
I imagine that this can, like anything else, be misunderstood by the wrong people. If you don't really understand the concepts, or what the TigerTeam is doing, aren't you just easy prey for the next snake oil vendor?
A MUST SEE show! I hope they make this a regular series. I'd also be willing to bet they identified the other "few unsafe ways" to penetrate the dealership. Great Job! Thanks!
Thanks for the comments guys! Unfortunately things like "we are teh best.."and such arrogant shit is a pitch for tv.... if you ask around...we are not like that.
We are truly out there to make something that catches teh public ear and gives them one more thing to think about. The real goal is to get those execs watching "quality TV time with their kids" thinking about security. One step at a time...
I agree... some of it is a bit lacking in expl and content, but unfortunately we could only do the show for 30 min. I will , however , try and get as many reccomendations as i can incorp'd into the next show.... if there is one. Feel free to send comments to email@example.com.
And for the record... none of us are huge fans of the name.... but it is , what it is..
ps. I hear its out on the torrents.
Any chance to see this show outside US? Is it available as a torrent?
I checked my Tivo and they aren't re-airing the show anytime in the next two weeks. If anyone can confirm a link or a torrent it'd be much appreciated.
NooneSpecial> I checked my Tivo and they aren't re-airing the show anytime in the next two weeks.
My DVR says, as I noted above, that the two episodes re-air at 0300h and 0330h US/Eastern on 2007/12/28. It may be wrong, but that's what it says.
nickerson> Unfortunately things like "we are teh best.."and such arrogant shit is a pitch for tv.... if you ask around...we are not like that.
Glad to hear it, and I'm not surprised this is a side-effect of TV production. In fact, the techniques speak for themselves, so it's too bad the producers think they need to punch up the tone. Then again, here I am talking about it. :^)
As I say, it was enjoyable, interesting, and informative, and I do hope to see further episodes. I also plan to recommend or even loan tapes of the first two to various people I am unfortunate enough to work with, especially in physical security. Theoretical attacks just don't impress some of the more thick-skulled people out there, whereas showing a documentary video of, say, a real penetration using RFID cloning, may actually get the neurons firing.
If there's any contact at CourtTV we can write to to say we want to see more, please let us know.
The second episode, vs. the car dealer, was far better in re: exposition and the relationship established between the tester and the team, but was still lacking.
I hope Court TV can be convinced to air more of the remediation rather than go for the high-impact stuff like the faraday sleeve bit. This is something that Discovery's "It Takes A Thief" did much better--break in, show the remediations, and then re-test at a later date.
Personally I enjoyed the shows so far. It's fun to watch programs about things I do professionally. :)
Unfortunately, the CourtTV website's schedule does not show the reruns for the time mentioned by previous commenters.
(But I'll check my cable/DVR system when I get home too.)
I spoke with one of the boys, and the show will be on torrent this evening...
I spoke with one of the boys, and the show will be on torrent this evening...
Which tracker? PirateBay, Isohunt, ?
I watched it. It was well-done. :-)
Watched both shows...fun.
What sort of mitigation is the show doing to protect the customers premises after TT leaves? Additionally, I'm not a fan of running ops out of a hotel room...Too much of a CI risk.
Well, see ya all at the Wardman.
@J2K - Do you mean mitigation between the time of the operation & when the show airs, or are you talking about mitigation between when they leave the premises (all but the cameraman, director, etc.) and when the manager shows up (in response to the director's phone call)? If the former, I expect that the deal they have is that they won't air the show until the customer says "OK, we've remediated the problems you showed us". If the latter, I would expect that the camera crew and other folks there would probably be as useful in preventing theft as having the staff during the normal workday - especially since the manager was probably told "Hey, you need to be ready to come down to the showroom sometime between Monday and Wednesday."
Oh, and how many ops do you run (whether or not you're running them out of a hotel room) and where would you suggest they work out of?
[OT-Q] how "legal" is a P2P torrent download of something having been made public by CourtTV, themselves? Does it come closer to the P2P linux distros type of (perfectly legal) downloads/sharing, or is it under the MPAA/RIAA restrictions?
I just watched the car dealership episode streamed on court tv website. It was better then what I was expecting however, when I hear the words 'computer security professional' I start googling names. Who are you? What vulnerabilities have you found? Papers you've written? etc... Especially when there made out to be 'the best'.
Despite all of this, it wasn't bad. Ill probably watch it again
i forgot to mention... I did google luke, and he certainly knows his stuff.
Cool show, watched them both... I just wonder about two things:
1. Are the TT customers getting some kind of a discounted price for agreeing to be the subject of a TV show about security holes? I'm sure it's no fun to have someone on national TV showing how he's got ahold of your customers' confidential records.
2. How long can the team keep it up? Social engineering was essential in the first two episodes, and it is likely that it will continue to be essential in future shows (it often is a factor in complex breaches). The problem is that the success of the TV show will make their lives more difficult... if their faces air on TV, they risk someone at the business recognizing them when they're pretending to be a customer or a copier technician or a magazine writer.
I got to say I was pretty impressed, but it was a shame the TV company had to blow things up a bit. Luckily it was still watchable and not over slick (aka hackers).
Quick question for the comment people. Although not the same but has anyone seen the BBC's The Real Hustle show? Its about social engineering, cons and exploits but centered around more user centric scenarios and short scams. Its less slick and maybe of interest to you guys who are looking for other shows like this one.
Here's a couple of favorites on youtube
To be fair, the real hustle isn't too hot on computer exploits - http://www.youtube.com/watch?v=ScEaD-SikrM
Great show! I figured that some of what was said/done was added for TV though.
IMO, this show really needs to be an hour. Many of the interesting details are being left out due to lack of time.
Not to fill this blog with too much OT talk...please send me a note at firstname.lastname@example.org. Be glad to discuss as much as possible.
Anyone that has comments for us directly are more than welcome to send to email@example.com. We really appreciate teh support that the whole community has given!!
Myself,Ryan, or luke will try to get to them asap.
That last comment itself being a social engineering attack by someone looking for ...?
Besides the 3LL+ spelling, improper grammar, and inability to properly spell 'his' own name, what's not to trust? :p
The big problem with any "reality" show is that reality isn't very entertaining. Otherwise we wouldnt be watching TV in the first place. So they script stuff after the first couple of episodes or go off the air.
Furthermore, the people watching the show dont think about the fact that there is a camera(s) there. But a professional video system is large and bulky and obvious, and people change their behavior knowing its being recorded (other than possibly "Jackass").
Glad to see that everyone liked the show ;)
If you liked the show we need a few emails to the CourtTV folks
600 Third Avenue
New York, NY 10016
bob> Furthermore, the people watching the show dont think about the fact that there is a camera(s) there.
In fact, the presence of cameras was an explicit issue in the second episode, because the camera crew made stealth significantly more difficult. This is not a "reality" show in the "Survivor" or "Big Brother" model; it's much more in the style of a nature documentary.
Didn't realize I spelled my name incorrectly? Its actually me. You are more than welcome to email me at the tig3rt3am address (tiger_team and Tigerteam were taken) and we can chat on the phone. As for the grammar, its a blog not a remediation report so i tend to type a bit faster/looser.
Thanks for watching the show. Would love to hear any comments you may have.
I really enjoyed the show especially how it emphasized the need to secure sensitive paper information (i.e. contracts) in administrative offices that are many times overlooked.
I tried emailing the CourtTV addresses mentioned above, but got a return "undeliverable" for Deborah Reichig (Reichigd@courttv.com) ? Maybe they are switching to their BluTV domain?
While I agree that the remediation and reports are important in an actual test, I don't think it would be very fun and it would definitely take away some of the sexiness to watch them typing up that 200 page report and giving the real outbrief to the customer.
keep up the good work tigerteam
Faith - the links you posted don't seem to work. A search of Courttv.com for TT produces only one hit. Are the vids gone?
Will there be more episodes? There is nothing about Tiger Team on the new TruTV website. Bummer....
Thanks, Liz. They were the only ones that I could find except for the ones on torrents (see above). I was not sure which ones were safe.
"meet the real tiger team?"
maybe meet the really -old- tiger team. Does the osteoporosis slow down your physical pen tests?
Although... I give that Joseph guy on your management page huge props for the most ridiculous jacket ever.
Interesting, In part of the car store episode they show the team setting up a WAP. And the state they need to connect to the 192.168.1.0 "namespace" err, namespace is a DNS term, not an IP network term from what I recall :-)
They MUST be the best out there with this kind of 1337 language skills...lol
Now we see why this show is on CourtTV or whatever, and not a major network..haha
CourtTV may want to consider hiring a technical consultant to edit out the sill mistakes.
I talked with their PR people and she said "the show was a 'special' and there are no more episode"
She said "it might possible they will make more episodes but..." sounds like the show got canceled.
Was not as popular as it should be??
If Nickerson or one of the other guys is still reading this, we'd all like to know the scoop on them cancelling the show.
Yea, that show really kicked arse...I can't believe they'd cancel it. I guess it would be tough to constantly do this though with the same guys - kinda like jackass or punk'd. Eventually everyone knows who you are and/or things get old. Or...maybe they're actually making a bunch of episodes now before they get popular and will show 12 - 15 in one go????
I work in the RFID field , and something i dont understand is the RFID Cloning problem. I work with card from Phillips (Mifare,Desfire) and some from Keycorp(FIPS 201) and Oberthur. The CHUID is clonable because it can be read from any reader, but if we dont use FIPS , you cannot read sector you dont have key for. The only thing in the ISO procotol you can see is the ESN of the card.
Yea, on the RFID side of things, you could easily program the software so that it locks at a locked sector of the card versus having the dude use a sleeve to "protect" it. I think that was still pretty cool the way the guy had a reader in his backpack and had a mini-antenna to read it. Using UHF cards, they could use one of the new Motorola phones with RFID to read the cards - this could become huge in the next few years as RFID (UHF) becomes more prevelant.
UPDATE ! ! !
They are re airing the Episodes and trying out the show for a Monday timeslot.
Googled "chris nickerson social engineering" and saw that he developed and is teaching a Social Engineering boot camp. Sweet! Wouldn't that be awesome to learn from this guy? Check out ChicagoCon May 4 - 8, 2009: http://www.chicagocon.com/2009s/...
i want to work with you, can i ?
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.