Hackers Stole a Casino's High-Roller Database Through a Thermometer in the Lobby Fish Tank (businessinsider.com) 246
From a report: Nicole Eagan, the CEO of cybersecurity company Darktrace, told the WSJ CEO Council in London on Thursday: "There's a lot of internet of things devices, everything from thermostats, refrigeration systems, HVAC [air conditioning] systems, to people who bring in their Alexa devices into the offices. There's just a lot of IoT. It expands the attack surface and most of this isn't covered by traditional defenses."
Eagan gave one memorable anecdote about a case Darktrace worked on where an unnamed casino was hacked via a thermometer in a lobby aquarium. "The attackers used that to get a foothold in the network. They then found the high-roller database and then pulled that back across the network, out the thermostat, and up to the cloud," she said.
Eagan gave one memorable anecdote about a case Darktrace worked on where an unnamed casino was hacked via a thermometer in a lobby aquarium. "The attackers used that to get a foothold in the network. They then found the high-roller database and then pulled that back across the network, out the thermostat, and up to the cloud," she said.
I don't know... (Score:5, Funny)
... this sounds phishy.
Re:I don't know... (Score:4, Funny)
Compromises like this make me eel. It is worth the read for the halibut...
Re: I don't know... (Score:5, Insightful)
High roller = whale
So an aquarium seems an appropriate attack vector.
Re: (Score:2)
Re: (Score:2)
I sea what you did there.
Network Separation (Score:3, Insightful)
And that is why one should be almost religious about separating networks. In particular networks for "home automation" from the rest. Event at home I have one wifi for home automation and one for the rest.
Re:Network Separation (Partial report from vendor) (Score:5, Informative)
https://www.darktrace.com/resources/wp-global-threat-report-2017.pdf
---
To ensure these communications remained separate
from the commercial network, the casino configured
the tank to use an individual VPN to isolate the tank’s
data
---
So yes, it was segregated via a VPN link. Clearly that wasn't enough.
Re:Network Separation (Partial report from vendor) (Score:5, Insightful)
VPN link isn't the same as network isolation. Network isolation means you can't get from there to here. That's why you have multiple firewalls, networks routers and DMZ and so on between IOT devices and your critical infrastructure.
Here at my work, we have a VPN tunnel that takes us right into critical networks. It makes me cringe as we have no control over it. I've mentioned it a number of times, but someone (one guy) insists he can't do his job without it. It is bullshit, because he and I have the same duties, and I manage. But the boss says "leave it up, he needs it", and i cry bullshit every time.
It is convenience for security. Or as the boss calls it "usability", because convenience sounds bad.
Re: (Score:2)
Re:Network Separation (Partial report from vendor) (Score:4, Insightful)
For some reason, vendors seem to have a knack for producing devices with communications needs that do not fit into whatever scheme you come up with for network segregation. "Yeah it's an IoT device but this one in particular also needs to talk to...."
You're almost never staffed up enough to give this an appropriate level of attention on an ongoing basis.
Re: (Score:3)
Exactly... it comes down to resources. I would love to proxy and log some specific traffic between a device I don't really trust and the information it needs... but that is a couple days to reverse engineer the communications and there is already too much on my plate.
Re: (Score:3)
There's a third choice, which is rather more correct: Capture the risk, put in place mitigations, ask that the risk gets reassessed at a reasonable frequency.
If you want to be secure switch the damn server off. Anything else, you're already compromising, so just do what you do for any security risk.
Re:Network Separation (Partial report from vendor) (Score:4, Insightful)
What good would that do? For proper security, you have to assume that every IoT device is insecure and can be compromised. You configure a thermostat to use a VPN and the moment you turn your back, it hops on the local LAN again. What should have been done was to secure the database properly. That way, an evil thermostat or casino patron walking in with a WiFi capable device can't get into the database. And if the database is that sensitive, you keep it off the network. Not the appliances.
The approach of securing IoT devices applies only if they themselves have some critical function. You don't want someone to hack in and cook your fish? Secure the thermostat.
Re:Network Separation (Partial report from vendor) (Score:4, Interesting)
This... so much this. It isn't security if you're only thinking about risk in one dimension. Yeah great, you get a segregated network, you isolate your critical network resources, but, um, you allow anonymous users on your network to access your file store?
My operating theory is to assume that everything can fail, so you secure your network, but assume someone somehow is going to get through anyways, so you'd better use ipsec to encrypt the traffic in case someone manages to hook something on to an open RJ45. But, for chrissakes, also imagine internal threats, such as maybe you don't want the kid in the mail room gaining access to the company's financial records.
This really is more a story about total incompetence. Why do I think this casino had a share "S:" and it's just wide open.
Re:Network Separation (Partial report from vendor) (Score:5, Interesting)
Re: (Score:2)
This past weekend, I saw an article on creating a VPN server in 30 minutes using, I think, Linode Great.
Then, they said the server could be used for multiple purposes such as serving up web pages to the public and whatnot.
The author lost all credibility at that point.
Re: (Score:2)
Re: Network Separation (Score:2)
To get between networks, you need a layer three device ( aka router ).
Is simple enough to build an ACL that says âoe Do not let devices from network X talk to network Y. âoe
Also simple enough to prevent certain devices from talking to other devices on the same network and / or blocking access to pretty much anything you want.
It just requires a bit of forward planning / thinking.
Assume everything connected to your networks are potential entry points and / or downright hostile.
Re: (Score:2)
No idea why people like to use overlapping subnets, especially in different broadcast domains.
Re: (Score:3)
And I thought
and why need local non cloud devices look target (Score:2)
and why need local non cloud devices look at target there they hacked to the network from the 3rd party vendors HVAC system.
A big casino should have that on a non cloud non wifi network.
Re:Network Separation (Score:4, Interesting)
And that is why one should be almost religious about separating networks. In particular networks for "home automation" from the rest. Event at home I have one wifi for home automation and one for the rest.
Good Suggestion.
I'm not a fan of my current home router and have been considering getting a new one. I think I might follow your suggestion and do the same. Keep the old one for my IOT devices and put computers and cell phones on a new one.
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
Re:Network Separation (Score:5, Funny)
I'd like to do the same, but I am considering a third for guests. I've noticed in the last few years that "can I get on your wi-fi?" has become as common as "can I use your restroom?"
So good manners these days involves, not only offering the workman a cup of tea, but your wifi password too.
"Would you like a spot of tea and a Wi-Fi password whilst you fix our driveway?"
How else are the workmen going to use you-tube to look up how they do their job?
Re: (Score:3)
I'd like to do the same, but I am considering a third for guests. I've noticed in the last few years that "can I get on your wi-fi?" has become as common as "can I use your restroom?"
A thoughtful host will place a wifi QR code in the bathroom.
Re: (Score:2)
"Event at home I have one wifi for home automation and one for the rest."
But I bet those aren't properly (physically) separated by being on physically-distinct networks. You're still a target.
Zero sympathy (Score:5, Insightful)
Anyone who uses one as a fish tank thermometer deserves to be hacked. I know the tank probably had tens of thousands of dollars worth of tropical fish in it - don't care. If you absolutely NEED need to have an IoT thermometer in it, rather than a simple visual one, then put it on a different network than your client databases. Hell, have it use the cellular network. If it wasn't this, it would have been something else.
Re: (Score:3)
Congratulations.
Re: (Score:3)
No, most other internet enabled device I can audit.
Try it with your average IoT crapbox.
Re: (Score:3)
This.
I can see the practicality of having some things online - a thermometer for a tank of $10,000 fish, sure.
But as you said: HAVE A SEPARATE, TOTALLY BANAL NETWORK FOR THAT SHIT.
*DON'T* connect that to your operating system, your vault doors, or your self-destruct systems, eh?
Re: (Score:2)
He's also a top level DBA and security guy having worked for companies needing to be certified for PCI and DOD level databases. He has firewalls, etc. up the wazoo at home. Just because he can.
Re: (Score:2)
I doubt it was a fish tank thermometer only, it was probably a fish tank controller that had a thermometer as one of it's functions. On something like a saltwater tank where you might have thousands of dollars in corals and such the controller is used to regulate temperature, chemicals and so on. One tiny slip up in parameters and thousands of dollars are down the drain. IOT for that sort of things makes total sense.
Network isolated and all that for sure though.
On the other hand if the casino's security wer
Re: (Score:2)
I didn't bother to RTFA, but I'm betting it's not actually a simple thermometer, but rather a tank controller. Temperature is among its functions, but it likely also controls the lights, monitors PH (possibly injecting buffer as needed), controls the heater, controls cooling fans, and controls the pumps. These devices have pretty good reporting capabilities to facilitate tank management, and they're pretty essential devices in keeping your tank healthy. But still, no reason it should have been on the same
IOT is a disaster waiting to happen (Score:5, Insightful)
It is really crazy that the IOT stuff is pushed so hard even though there are no security standards in place.
I do have internet connected things myself. Heating system and some home automation. While these are internet facing, they do not have access to my home network as they use a physically different network system. I assumed it would only a matter of time before someone hacked my network via my light switch to at least put up the basic security road blocks.
It sounds like the IT department there wasnt thinking too hard about security.
Re:IOT is a disaster waiting to happen (Score:5, Insightful)
Its not even that. There is literally nothing that IoT devices do in the cloud that can't be done completely in the owners network. Anyone that allows devices on their network that basically have you authenticating to a companies servers outside your home or business to do something inside your home or business deserve everything they get.
Re: (Score:2)
Of course, if you really want this sort of functionality, the device should be restricted to your home or business LAN, and your phone should be using a VPN to connect to that LAN to communicate with the device. These d
Re: (Score:2, Insightful)
It sounds like the IT department there wasnt thinking too hard about security.
IT pays for shit and you get about as much respect as the janitor. If a casino cares about security, they would need to pay better and give more respect to get the kind of talent required to actually do a decent job at securing their systems. Their underpaid IT staff is most likely following check lists created at least 10 years ago.
Re: (Score:2)
Then why repeat that mistake with new toys attached to the network?
Yes, the network is insecure. It was never meant to be secure. It was meant to be reliable and resilient against damage. If you want security, secure your endpoint.
Re: (Score:2)
IoT turned DEFCON into a party again (Score:5, Interesting)
echo "admin\n admin\n" | telnet device_ip
I thought we were done with the days of telnet exploits but it's a gift that keeps giving.
Re: (Score:2)
Should that be "echo -e"? Or does telnet convert the \n? (I can't try it since I disabled telnet on my servers.)
Re: (Score:2)
The gift that keeps on giving.
Whether you want it to or not.
No fish were harmed (Score:5, Funny)
Oh no! (Score:3, Funny)
Oh no. I feel really bad for the casino. Where can I donate money to help them in their time of need?
Re: (Score:2)
Oh no. I feel really bad for the casino. Where can I donate money to help them in their time of need?
At the casino. Just show up and they'll be glad to help you help them.
Re: (Score:2)
Baloney (Score:3)
Re: (Score:2)
Tragedy (Score:2)
I watched the first episode of Max Headroom a year or so ago.
I laughed at a scene where they hacked a company, and I shit you not, by connecting to water pipes somehow and then jumping from a urinal in a men's room to a security camera, again not defecating anywhere near or on your person, located there.
The tragedy is that we're at the point where such things seem to be shifted from the realm of uneducated entertainment to reality.
the Max Headroom hacker is still unknown (Score:2)
the Max Headroom hacker is still unknown
IoT devices not on their own VLAN? (Score:3)
Why the hell should a fish tank thermometer have any sort of network access to where customer data is stored? Their IT staff should be re-vetted for competence.
Re: (Score:2)
A VLAN may not help if the device can be compromised. It should be operated on a different physical network.
Re: (Score:3)
What?
Are you suggesting that you'd have to compromise the switch? How would that work any differently with physical separation?
You can request a VLAN, from a list of allowed VLANs, on any decent managed switch. But you can also be FORCED onto a VLAN with no way to override that by such switches too.
And if Cable 1 is on VLAN 1 and Cable 2 is on VLAN 2, you can't do anything without total compromise of the switch itself (which renders the problem moot anyway). And which is incredibly unlikely to happen, es
Re: (Score:2)
And if Cable 1 is on VLAN 1 and Cable 2 is on VLAN 2
That is a physical cable isolation.
Re: (Score:2)
Revetted? Sorry, I'm not a native speaker, is that a polite way of saying "fired out of a cannon"?
Re: (Score:2)
Revetted? Sorry, I'm not a native speaker, is that a polite way of saying "fired out of a cannon"?
No, revetted is when you fire the IT staff for incompetence, oursource their function to India, and then use the savings to buy yourself another Corvette.
Re: (Score:2)
Manager: I want to get Internet Enabled thermometers because
IT: Right, no problem except we don't have partitioned corporate wireless networks because we tried to do that last year but our budget was cut and no-one wanted to invest in it
Manager: I don't care about your problems. I got $10,000 of fish to worry about and this vendor promised me they'd remotely monitor my fish to make sure they don't die.
IT: Ok, but..
Manager: NO BUTS. D
Good! (Score:2)
Maybe if more high profile targets get finally hit by the security hole IoT is, we'll finally see some movement in this field.
I mean, FFS, these things have security standards I have not seen since the millennium rolled over! You can go down the OWASP Top 10 (of any year of your choice) and the average IoT crapware is guilty of all of them!
Mr Robot?! (Score:3)
Wasn't this the plot of the first season of Mr Robot? Although he snuck in and fiddled with the device to make it accessible.
Rather than upload the data to the cloud - he sought to erase the cloud.
Stealing the list? Meh. (Score:3)
Now modifying the list, THAT'S where the fun's at!
I wonder how many weeks of free luxuries they would lavish you with before they notice that you aren't gambling :D
Sigh. (Score:2)
Well VLANned, guys.
I mean, seriously. What are you playing at?
IdIoTs (Score:2)
Anyone who allows IoT in their business deserves the consequences.
Really.
The only secure IoT devices are the ones you never install.
Welcome to cyberpunk (Score:2)
....wut? Ok guys, it's time to accept that we're living in a cyberpunk novel. They were windows into the future and that future is now. So make with the pink mohawks and techno music.
Remember, only only Keanu can save us. I think all those John Wick movies were just prepping him.
Re: (Score:2)
It's a list of rich gamblers who like to show up, gamble, spend money on pretty much everything in sight, and come back for more.
Re:high-roller database (Score:5, Funny)
Re: (Score:2)
A list of people with a lot more money than sense.
That's ME! The bummer is that I don't have much money.
Re: (Score:2)
When you put it that way...
...it sounds even MORE valuable to know.
Re: (Score:2)
Wikipedia is your friend, as is google. Just googling for "casino high roller wiki" yields https://en.wikipedia.org/wiki/... [wikipedia.org] -- basically a high roller is somebody who gambles a lot of money.
Re: (Score:2)
Re: (Score:2)
Ten duotrigintillion on the short scale, ten thousand sexdecillion on the long scale.
Re: (Score:2)
Thanx :D
Re: high-roller database (Score:2)
What does it contains and is it useful?
Well... that might depend on what kind of paper it's printed on...
Re: high-roller database (Score:2)
Re: (Score:2)
Private customer information. That's the bottom line and why this is a problem for the casino as a business.
Re: (Score:2)
scam calls about there markers (Score:2)
scam calls about there markers may work on some people.
Jay go to western union and send us $5000 NOW! or we will sent someone to beat it out of you!
Re: (Score:3)
Re: (Score:3)
Re: What is a high-roller database? (Score:2, Informative)
It is a list of people who due to the influence of puppeteers, and to roll above a seven on two six sided dice. Pierson's Casinos use the list to steer these high rollers to games where odds are more in their favor and away from things like craps where a two is a loss and an eleven is a win. Hackers will use it to place side bets to defraud the casino.
There now you don't have to google it, ya lazy bums.
Re: (Score:2)
And what is a high roller then? Someone who often frequents casinos?
A high roller is a whale.
Re: (Score:2)
Why are they in casinos? Shouldn't they be swimming in the ocean?
Just read the article. They were in the lobby fish tank.
INFORMATION WANTS TO BE FREE! (Score:2)
Please don't go spear phising for big charismatic endangered species.
Re: What is a high-roller database? (Score:2)
Re: (Score:2)
That could be, strange name though.
Re: (Score:2)
In the online gaming world they call them "whales". So... the thing about the aquarium actually makes it even more funny.
Re: (Score:2)
As the topic says, but I repeat: What is a high-roller database?
A database is an organized collection of information, generally thought of as being held on a computer with a well-defined structure and method of access.
Re: Internet Of Things (Score:2)
It would make sense if it's for watching over your senile granny.
Re: Internet Of Things (Score:5, Insightful)
Re: (Score:2)
If I get to look over granny, sure.
If you get to look over her, no.
Re:Internet Of Things (Score:5, Insightful)
You don't, but there are a lot of companies, governments, organizations, and others who get big money from the analytics from those devices, and who want those to be as "connected" as possible, so the device can slurp as much info as possible.
Best place for IoT devices is to remain on store shelves. Second best place is the dumpster.
Re: (Score:2)
Well, you have to admit, some of the parts you find in IoT devices cost a lot more if bought without the plastic casing...
Re: (Score:2)
Your lightbulbs could post to Facebook whenever you turn them on letting all your "friends" know when you are home from work in the evening. Your stove will share when dinner is done cooking so they know
Re:Internet Of Things (Score:5, Funny)
Why would I want my fridge, lightbulbs, toaster and so on to ever be hooked up to the public internet?
You probably don't, but Big Brother does. They're hoping you will give up your privacy in exchange for added convenience of these IoTs.
Say that a bit louder , Alexa didn't hear you
Re:Internet Of Things (Score:5, Insightful)
A lot of these newer "smart" devices are really quite dumb. They REQUIRE the Internet to work, because half the functionality is implemented on the manufacturer's servers. Not only is this a security concern, but if the manufacturer goes out of business, your stuff will stop working.
This has extreme privacy concerns, especially in cases such as video doorbells, thermostats with occupancy sensors, "smart" refrigerators, and so on. It's one of the main reasons I haven't upgraded to any such "smart" stuff in my home, except for the Philips Hue lighting system which is incredibly well implemented and can operate entirely over the local LAN.
Re:Internet Of Things (Score:5, Insightful)
The manufacturer doesn't even have to go out of business. As "always online" software has shown us again and again, all that's required is the manufacturer not wanting you to use it anymore.
Re: (Score:2)
Bob Smith, is that you?
Re: (Score:2)
People don't want security. Here's why.
Security first and foremost is expensive. It costs money to keep the people who do know a lot about security on this side of the legal fence. Because you can believe me when I tell you, there's WAY more money to be made on the other side. And security costs time. Because your development will be delayed when you finish your product only to have to redo it because in the final test your security crew (that suspiciously isn't involved in the production process... don't a
Re: (Score:2)
Security is the same 80/20 game as pretty much everything else. The problem is identifying the 80 percent that can be taken care of with 20 percent of the cost.