Hackers Stole a Casino's High-Roller Database Through a Thermometer in the Lobby Fish Tank (businessinsider.com)
From a report: Nicole Eagan, the CEO of cybersecurity company Darktrace, told the WSJ CEO Council in London on Thursday: "There's a lot of internet of things devices, everything from thermostats, refrigeration systems, HVAC [air conditioning] systems, to people who bring in their Alexa devices into the offices. There's just a lot of IoT. It expands the attack surface and most of this isn't covered by traditional defenses."
Eagan gave one memorable anecdote about a case Darktrace worked on where an unnamed casino was hacked via a thermometer in a lobby aquarium. "The attackers used that to get a foothold in the network. They then found the high-roller database and then pulled that back across the network, out the thermostat, and up to the cloud," she said.
I don't know... (Score:5, Funny)
... this sounds phishy.
Compromises like this make me eel. It is worth the read for the halibut...
High roller = whale
So an aquarium seems an appropriate attack vector.
Network Separation (Score:2, Insightful)
And that is why one should be almost religious about separating networks. In particular networks for "home automation" from the rest. Even at home I have one wifi for home automation and one for the rest.
https://www.darktrace.com/resources/wp-global-threat-report-2017.pdf
"To ensure these communications remained separate from the commercial network, the casino configured the tank to use an individual VPN to isolate the tank's data"
So yes, it was segregated via a VPN link. Clearly that wasn't enough.
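The summary describes the path the data took: pulled across the network, out through the thermostat, up to the cloud. An added example (not from the article, the report, or any Darktrace product) that runs over constructed flow records and flags exactly that pattern from an IoT segment: lateral contact with internal hosts, bulk data staged onto the sensor, and egress to an unapproved destination or beyond the device's volume baseline. The subnets, the vendor endpoint and the byte limit are assumptions.

```python
"""Constructed example: flag IoT-segment hosts used as a pivot or exfil path."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

IOT_NET = ip_network("10.50.0.0/24")           # assumed IoT segment (tank sensors)
INTERNAL_NETS = [ip_network("10.10.0.0/24")]   # assumed corporate segment (databases)
ALLOWED_EXTERNAL = {"203.0.113.10"}            # assumed vendor telemetry endpoint
BYTE_LIMIT = 1_000_000                         # assumed daily baseline for a thermometer

# Constructed flow records: (src, dst, bytes sent by src)
FLOWS = [
    ("10.50.0.7", "203.0.113.10", 4_200),        # normal telemetry to vendor cloud
    ("10.50.0.7", "10.10.0.25", 2_000),          # sensor touching an internal DB host
    ("10.10.0.25", "10.50.0.7", 25_000_000),     # DB host pushing data onto the sensor
    ("10.50.0.7", "198.51.100.99", 25_000_000),  # sensor uploading to an unknown host
    ("10.50.0.8", "203.0.113.10", 3_900),        # a well-behaved sensor
]


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def analyse(flows):
    """Return {iot_host: [alerts]} for lateral, egress, volume and staging findings."""
    egress, inbound, alerts = defaultdict(int), defaultdict(int), defaultdict(list)
    for src, dst, nbytes in flows:
        s, d = ip_address(src), ip_address(dst)
        if s in IOT_NET:
            if is_internal(d):
                alerts[src].append(f"lateral: contacted internal host {dst}")
            elif d not in IOT_NET:               # anything else is external
                if dst not in ALLOWED_EXTERNAL:
                    alerts[src].append(f"egress: unapproved destination {dst}")
                egress[src] += nbytes
        elif is_internal(s) and d in IOT_NET:
            inbound[dst] += nbytes               # data moving from inside onto a sensor
    for host, total in egress.items():
        if total > BYTE_LIMIT:
            alerts[host].append(f"volume: {total} bytes out exceeds {BYTE_LIMIT}")
    for host, total in inbound.items():
        if total > BYTE_LIMIT:
            alerts[host].append(f"staging: {total} bytes pulled from internal hosts")
    return dict(alerts)


if __name__ == "__main__":
    for host, found in analyse(FLOWS).items():
        print(host, *found, sep="\n  ")
```

A VPN between the tank and its vendor hides the link's contents from the outside; it does nothing to stop the sensor from reaching the corporate segment, which is why a segment-aware rule like this (or a firewall policy that denies IoT-to-internal traffic outright) is the check that matters.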
And why do local, non-cloud devices need to look at Target? (Score:2)
And why do local, non-cloud devices need to look at Target? There they hacked into the network from the 3rd-party vendor's HVAC system.
A big casino should have that on a non cloud non wifi network.
Good Suggestion.
I'm not a fan of my current home router and have been considering getting a new one. I think I might follow your suggestion and do the same. Keep the old one for my IOT devices and put computers and cell phones on a new one.
Why would I want my fridge, lightbulbs, toaster and so on to ever be hooked up to the public internet?
You probably don't, but Big Brother does. They're hoping you will give up your privacy in exchange for added convenience of these IoTs.
Say that a bit louder, Alexa didn't hear you
Re:Internet Of Things (Score:5, Insightful)
A lot of these newer "smart" devices are really quite dumb. They REQUIRE the Internet to work, because half the functionality is implemented on the manufacturer's servers. Not only is this a security concern, but if the manufacturer goes out of business, your stuff will stop working.
This has extreme privacy concerns, especially in cases such as video doorbells, thermostats with occupancy sensors, "smart" refrigerators, and so on. It's one of the main reasons I haven't upgraded to any such "smart" stuff in my home, except for the Philips Hue lighting system which is incredibly well implemented and can operate entirely over the local LAN.
The manufacturer doesn't even have to go out of business. As "always online" software has shown us again and again, all that's required is the manufacturer not wanting you to use it anymore.
It would make sense if it's for watching over your senile granny.
If I get to look over granny, sure.
If you get to look over her, no.
You don't, but there are a lot of companies, governments, organizations, and others who get big money from the analytics from those devices, and who want those to be as "connected" as possible, so the device can slurp as much info as possible.
Best place for IoT devices is to remain on store shelves. Second best place is the dumpster.
Well, you have to admit, some of the parts you find in IoT devices cost a lot more if bought without the plastic casing...
What is a high-roller database? (Score:1)
As the topic says, but I repeat: What is a high-roller database?
Client list of "big spenders." The people who would actually come and spend large amounts of money gambling.
And what is a high roller then?
Someone who often frequents casinos?
Obviously you don't. Next question?
It is a list of people who due to the influence of puppeteers, and to roll above a seven on two six sided dice. Pierson's Casinos use the list to steer these high rollers to games where odds are more in their favor and away from things like craps where a two is a loss and an eleven is a win. Hackers will use it to place side bets to defraud the casino.
There now you don't have to google it, ya lazy bums.
This is a joke, right? Are you unable to use an online dictionary or Google?
And what is a high roller then? Someone who often frequents casinos?
A high roller is a whale.
Why are they in casinos? Shouldn't they be swimming in the ocean?
Just read the article. They were in the lobby fish tank.
That could be, strange name though.
In the online gaming world they call them "whales". So... the thing about the aquarium actually makes it even more funny.
Zero sympathy (Score:5, Insightful)
Anyone who uses one as a fish tank thermometer deserves to be hacked. I know the tank probably had tens of thousands of dollars worth of tropical fish in it - don't care. If you absolutely NEED to have an IoT thermometer in it, rather than a simple visual one, then put it on a different network than your client databases. Hell, have it use the cellular network. If it wasn't this, it would have been something else.
Congratulations.
This.
I can see the practicality of having some things online - a thermometer for a tank of $10,000 fish, sure.
But as you said: HAVE A SEPARATE, TOTALLY BANAL NETWORK FOR THAT SHIT.
*DON'T* connect that to your operating system, your vault doors, or your self-destruct systems, eh?
high-roller database (Score:1)
What is a high-roller database? What does it contain and is it useful?
It's a list of rich gamblers who like to show up, gamble, spend money on pretty much everything in sight, and come back for more.
Wikipedia is your friend, as is google. Just googling for "casino high roller wiki" yields https://en.wikipedia.org/wiki/... [wikipedia.org] -- basically a high roller is somebody who gambles a lot of money.
Scam calls about their markers (Score:2)
Scam calls about their markers may work on some people.
Jay, go to Western Union and send us $5000 NOW! or we will send someone to beat it out of you!
What does it contain and is it useful?
Well... that might depend on what kind of paper it's printed on...
IOT is a disaster waiting to happen (Score:4, Insightful)
It is really crazy that the IOT stuff is pushed so hard even though there are no security standards in place.
I do have internet connected things myself. Heating system and some home automation. While these are internet facing, they do not have access to my home network as they use a physically different network system. I assumed it would only be a matter of time before someone hacked my network via my light switch, so I at least put up the basic security road blocks.
It sounds like the IT department there wasn't thinking too hard about security.
It's not even that. There is literally nothing that IoT devices do in the cloud that can't be done completely in the owner's network. Anyone that allows devices on their network that basically have you authenticating to a company's servers outside your home or business to do something inside your home or business deserves everything they get.
It sounds like the IT department there wasn't thinking too hard about security.
IT pays for shit and you get about as much respect as the janitor. If a casino cares about security, they would need to pay better and give more respect to get the kind of talent required to actually do a decent job at securing their systems. Their underpaid IT staff is most likely following check lists created at least 10 years ago.
Casino 2 Point OH! (Score:1)
Personally, I have just invested in companies that manufacture baseball bats and backhoes.
IoT turned DEFCON into a party again (Score:4, Interesting)
echo "admin\n admin\n" | telnet device_ip
I thought we were done with the days of telnet exploits but it's a gift that keeps giving.
No fish were harmed (Score:5, Funny)
Oh no! (Score:4, Funny)
Oh no. I feel really bad for the casino. Where can I donate money to help them in their time of need?
Baloney (Score:2)
Tragedy (Score:2)
I watched the first episode of Max Headroom a year or so ago.
I laughed at a scene where they hacked a company, and I shit you not, by connecting to water pipes somehow and then jumping from a urinal in a men's room to a security camera, again not defecating anywhere near or on your person, located there.
The tragedy is that we're at the point where such things seem to be shifted from the realm of uneducated entertainment to reality.
the Max Headroom hacker is still unknown (Score:2)
IoT devices not on their own VLAN? (Score:2)
Why the hell should a fish tank thermometer have any sort of network access to where customer data is stored? Their IT staff should be re-vetted for competence.