In a darkened hotel room lit only by the flickering screens of computer terminals, figures slouch over keyboards, tapping their way into a company's network in a rattling staccato.
Down the road, their cohorts are trawling through dumpsters outside the target company's building, looking for further evidence that would give them access to the network. They're not above lifting security badges that give them all-areas access. Anything to get closer to the heart of the corporate beast: the server closet, housing a record of everything from the most mundane intra-office memos to the most secret strategic documents.
In the morning, armed with proof of their success, these hackers will collect a pay cheque - not from some shady underworld figure, but from a Big Six accounting firm. They are part of a new breed of military-style hackers for hire. Tiger teams, they're called - elite squads of computer and security experts whose mandate is to find and penetrate a company's vulnerable spots, by any means necessary.
In recent years, the assaults have become standard practice among the Fortune 500, the military and huge financial institutions. But lately, tiger teams have started taking on the dotcom set, as companies have to assure consumers that their most private details are safe - and assure big prospective partners that they're safe to do business with.
"We're just worried about how much damage they're going to do to the building," says a director at one Internet company, readying for a tiger-team assault prior to closing a deal with a major European bank.
"Every night, I lay awake in bed thinking, Did I close the fire door?'" echoes the head of security for another small technology company, which is building partnerships with large e-commerce ventures. Like representatives of many of the companies put under tiger-team review, these officials asked to remain anonymous.
In recent days, computer security has become a black mark on the Internet Economy, as attacks on Yahoo, E-Trade and Amazon.com have demonstrated surprising vulnerabilities. Surprising, that is, to the general public. Security experts had been expecting such attacks for some time. After all, e-commerce companies, having operated for just a few years, have had little time to finesse their security policies.
That's where the tiger teams come in
"We have one hundred per cent success," says Dave Buchwald, cofounder of Crossbar Security and an early consultant on Ernst & Young's Attack and Penetration Division. Buchwald says it's the rare startup that can even pose a challenge to his assault.
Eric Schultze, a tiger-team member formerly of Ernst & Young, agrees. "We've been very successful, particularly [against] new companies, dotcoms," he says. "It's very typical to have full access within a day and a half."
The tiger-team concept comes from the military. The term is borrowed from the US Air Force, which has used elite squads of security experts to test for computer system vulnerabilities at bases since the early 1970s.
Throughout the 80s and early 90s, tiger teams were used primarily by big companies that had complicated national or international networks. A rash of publicity about malicious hackers in the late 80s gave tiger teams still more business. The attacks also showed them new ways to approach the task.
If hackers were crawling through trash bags looking for some scrap of paper that would open up a computer network, tiger teams would dumpster dive, too. If hackers called up random employees and cajoled system passwords out of them, so did tiger teams.
"Most people's security is external, not internal," says Pete Shipley, the chief security architect at KPMG, who has worked in computer security for 15 years. "Your security is a rent-a-cop at the door or a secretary in the lobby. One time, we just stole a bunch of security badges. A friend went in and said he really had to go to the bathroom. He grabbed the badges on the way."
In addition to e-commerce and service-related Internet companies, Internet service providers hosting big sites are increasingly asked to submit their networks to this rigorous inspection. ISPs are very hesitant to agree to assessment by a tiger team, but when a big contract is on the line, they rarely have a choice. The tiger team won't act without permission - and signed exoneration - from the head of the company it is targeting, but system administrators and security staff aren't told.
The stress can be gut-wrenching for both parties, particularly when there's plenty of cash on the line. "They had me in the office a hundred hours a week for a month," says the director of security at one e-commerce firm, who asked to remain anonymous. "We would have lost the deal [without the preparation]."
But even the most prepared company can look like Swiss cheese to a skilled hacker team. "Our server room has floor-to-ceiling bars around it, so you can't just go in," says a director of security at an e-commerce company that has partnerships with Visa, Wells Fargo and Bank of America. Price Waterhouse recently put the company under a tiger-team assessment. "They went in through the ceiling panels. I knew physical hacking goes on but the thought that someone would crawl through the ceiling tiles had never crossed my mind."
Even worse: the tiger team spliced into the company's DSL, or data subscriber line. In so doing, it gained access to the entire network.
For most companies, the fear isn't that they will fail in the face of a tiger-team assault; that's almost a given. The fear is that lucrative deals will fall through because they are contingent on a passing grade.
George Kurtz says one of his recent targets lost a contract because Kurtz' team penetrated.
"[The bank] was looking to us to provide a yes' or no' answer," he says. "We said no'. The deal didn't go through. The [smaller company] needed to change the way they were passing data."