Slashdot Mirror


Casino Sues Security Firm For Failing To Contain Malware Infection (softpedia.com)

An anonymous reader writes: US casino chain Affinity Games is suing Trustwave Holdings, a cyber-security vendor that was brought in to investigate a card breach but failed to detect and stop a malware incident on Affinity's servers, which led to the escalation of a previous card breach. The casino chain noticed the sloppy job a few months later when it hired a penetration testing company to comply with new gaming regulation. Mandiant was brought in to mop up Trustwave's job later on. Affinity is now suing for $100,000 (or more) in damages.

50 comments

  1. So a Normal Business Matter by Anonymous Coward · · Score: 3, Insightful

    This could read as:

        Company hires accounting firm,

        Company hires Auditing firm who notices accounting firm's errors.

        Company hires OTHER accounting firm to fix problems from first accounting firm.... sues 1st accounting firm for breach of contract.

    How is this not business as normal?

    1. Re:So a Normal Business Matter by Anonymous Coward · · Score: 1

      It is the old "on a computer" fallacy. Everything is new again when it is done on a computer. Just look at how many patents are granted for things people have done for years but are new because they are on a computer or all the sky-high IPOs in the dot-com era or today.

    2. Re:So a Normal Business Matter by Opportunist · · Score: 1

      It's more

      Go to a doctor to cure your back pain.
      Have another doctor examine your foot a few months later.
      Sue the first doc for not finding the wart on your foot when he examined your back.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:So a Normal Business Matter by gstoddart · · Score: 4, Interesting

      No, no it isn't:

      "Trustwave willfully disregarded further evidence that the breach was likely more widespread than what the firm found through its review of the limited systems it examined," the lawsuit reads. "Trustwave willfully disregarded other evidence that the breach was more widespread than first believed."

      According to the Mandiant report, the attacker accessed at least 93 systems and deployed credit card harvesting malware on 76, 12 of which were PCI (Payment Card Industry)-compliant servers, which Trustwave was specifically told to inspect.

      This really sounds like they hired Trustwave, who did a half-assed job, and failed to look at things they had been contracted to look at.

      So, take your pick: incompetence, laziness, or fraud.

      --
      Lost at C:>. Found at C.
    4. Re:So a Normal Business Matter by Anonymous Coward · · Score: 2, Funny

      How is this not business as normal?

      Normally, for a casino, they'd hire Guido and Luigi, who would solve problems in another way.

    5. Re:So a Normal Business Matter by Anonymous Coward · · Score: 0

      It is the old "on a computer" fallacy. Everything is new again when it is done on a computer. Just look at how many patents are granted for things people have done for years but are new because they are on a computer or all the sky-high IPOs in the dot-com era or today.

      Well, there are way too many people who work on computers who think they're not subject to such things as what the GP termed "normal business matter[s]."

      You know, like actually being held accountable and liable for shitty work.

      Seriously - when Target leaked your CC data, didn't you want their IT folks and management held accountable?

    6. Re:So a Normal Business Matter by Anonymous Coward · · Score: 0

      Don't you think it's possible that Mandiant came in later and trumped up its findings to make itself look good, and to make Trustwave look bad?

    7. Re:So a Normal Business Matter by ark1 · · Score: 3, Insightful

      If you want a medical world analogy for this case: 1. Guy gets shot with a shotgun. 2. Surgeon identifies and removes some shrapnel but fails to identify it all. 3. Guy shows up for an annual medical check. 4. Routine tests reveal presence of shrapnel. 5. Guy sues initial Surgeon. If negligence is suspected based on initial scope contract, Casino has every right to sue and will likely win.

    8. Re:So a Normal Business Matter by laurencetux · · Score: 1

      http://instantrimshot.com/inde...

      AC will be here all week
      PLEASE TRY THE FISH

    9. Re:So a Normal Business Matter by Anonymous Coward · · Score: 0

      I do, and after careful consideration as a qualified slashdot commenter (I didn't read the article nor the summary), my ruling is that someone is guilty. I find in favor of the internet 2000 outrages per offense.

    10. Re:So a Normal Business Matter by mysidia · · Score: 1

      If you want a medical world analogy for this case: 1. Guy gets shot with a shotgun.

      I'm going to go with... 1. Guy gets sick. Hires doctor to find and fix all infections for a fixed pre-paid contract.

      2. Doctor identifies invasive skin cancer and administers radiation therapy.

      3. Apparent infection dies off.... All the visible anomalies are gone according to all the analyses ordered... doctor pronounces Guy cured.

      4. Guy shows up at Doctor2 a year later for a detailed scan.

      5. Doctor2 identifies lung cancer in X-ray.

      6. Guy wants to sue Doctor 1; presuming Doctor 1 must have done his job improperly, if another Doctor is now able to find an infection a year later.

    11. Re:So a Normal Business Matter by mysidia · · Score: 1

      Company hires accounting firm,

      Malware detection and removal is not like accounting.

      Malware can make itself undetectable and dormant for years, and then pop up on command.

      For example: there's no such thing as an antivirus with a 100% detection rate.

      If any security firm is representing that they can make a 100% assurance that all malware is gone, not involving a rebuild or restore of the system from backup, or offline comparison against a gold image, then they are lying, and they deserve to get burned, because they should know better.
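As an added example (not from any commenter, and not Trustwave's or Mandiant's tooling), here is the offline gold-image comparison mentioned above placed beside a naive signature scanner and run over a constructed file tree: the scanner only flags the pattern it already knows, while the manifest diff reports every deviation from the gold image, including a trojanised library no signature matches. All paths, file contents and the signature string are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed signature "database": the only pattern the naive scanner knows.
KNOWN_BAD_SIGNATURES = [b"KNOWN-MALWARE-FAMILY-A"]


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_manifests(gold: dict, suspect: dict) -> dict:
    """Report every deviation from the gold image, known malware or not."""
    common = gold.keys() & suspect.keys()
    return {
        "added": sorted(suspect.keys() - gold.keys()),
        "missing": sorted(gold.keys() - suspect.keys()),
        "modified": sorted(k for k in common if gold[k] != suspect[k]),
    }


def signature_scan(root: Path) -> list:
    """Naive scanner: finds only byte patterns already in its signature list."""
    return [p.relative_to(root).as_posix() for p in sorted(root.rglob("*"))
            if p.is_file() and any(sig in p.read_bytes() for sig in KNOWN_BAD_SIGNATURES)]


def write_tree(root: Path, files: dict) -> None:
    """Materialise a {relative path: bytes} mapping under root."""
    for rel, content in files.items():
        dest = root / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_bytes(content)


def demo() -> dict:
    """Gold image vs. tampered copy in temp dirs; returns both tools' findings."""
    gold_files = {  # constructed stand-in for a clean build
        "bin/pos-terminal": b"legit payment terminal binary",
        "etc/pos.conf": b"merchant_id=PLACEHOLDER\n",
        "lib/libcard.so": b"legit card library",
    }
    suspect_files = dict(gold_files)
    # Dropped file from a known family: the signature scanner catches this one.
    suspect_files["tmp/.cache"] = b"KNOWN-MALWARE-FAMILY-A dropper"
    # Trojanised library of an unknown variant: dormant, no signature matches,
    # but its hash no longer agrees with the gold image.
    suspect_files["lib/libcard.so"] = b"legit card library" + b"\x00" * 8 + b"NEW-VARIANT"
    with tempfile.TemporaryDirectory() as g, tempfile.TemporaryDirectory() as s:
        gold_root, suspect_root = Path(g), Path(s)
        write_tree(gold_root, gold_files)
        write_tree(suspect_root, suspect_files)
        return {
            "signature_hits": signature_scan(suspect_root),
            "image_diff": compare_manifests(build_manifest(gold_root),
                                            build_manifest(suspect_root)),
        }


if __name__ == "__main__":
    print(demo())
```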

    12. Re:So a Normal Business Matter by Anonymous Coward · · Score: 0

      This sounds better.

  2. Only $100,000? by Anonymous Coward · · Score: 1

    Sounds like they're just wanting the money they wasted on them back.

  3. It's a gamble by penguinoid · · Score: 4, Insightful

    Hire the wrong security, and you might be wasting your money or even exacerbating the problem. The cheapest security is usually not the cheapest.

    --
    Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
    1. Re:It's a gamble by gstoddart · · Score: 5, Insightful

      Hey, it's entirely possible to be expensive and incompetent.

      Lousy companies never cease to over-value their services.

      --
      Lost at C:>. Found at C.
    2. Re:It's a gamble by Opportunist · · Score: 4, Interesting

      That is if you're actually interested in security. Most of the time companies are just interested in getting certified for compliance.

      This is why there still are snake oil peddlers in this business. If all you're really interested in is a sheet of paper so you can get a contract, what you want is the auditor that tells you everything in your company is in a great security shape. Not that pesky one that would actually find something wrong with your security.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:It's a gamble by Anonymous Coward · · Score: 5, Funny

      You've worked with Oracle before I see.

    4. Re:It's a gamble by Anonymous Coward · · Score: 0

      Price is no guarantee of anything. If you market yourself as a security company, be prepared to incur the liability associated with failing to do due diligence.

    5. Re:It's a gamble by Anonymous Coward · · Score: 0

      It's a gamble, but not in this way.

      1) Hire cheap security
      2a) It may secure the systems with low cost, in that case goto 4)
      2b) or it may not, then sue for massive statutory damage
      3) ...
      4) Profit!

    6. Re:It's a gamble by arth1 · · Score: 2

      Hiring someone to do security after the fact is like hiring someone to fix a badly designed house. It's going to cost a fortune, and the design will still be bad.

      At times like that, eat crow, and build a replacement product from the ground up, this time with security as part of the integral design from the get-go. Yes, it will be expensive, but less so than recurring breaches.

    7. Re:It's a gamble by ericloewe · · Score: 2

      That's unfair.

      Everyone at Oracle is extremely competent. How else would they manage to so consistently screw people over?

    8. Re:It's a gamble by Anonymous Coward · · Score: 0

      You've worked with Oracle before I see.

      And Arthur Andersen, and the list goes on...

    9. Re:It's a gamble by Anonymous Coward · · Score: 0

      Screwing people over is something you do if you're a monopoly. Complaining about Oracle prices just makes you sound like a Microsoft shill.

    10. Re:It's a gamble by NormalVisual · · Score: 1

      If all you're really interested in is a sheet of paper so you can get a contract, what you want is the auditor that tells you everything in your company is in a great security shape. Not that pesky one that would actually find something wrong with your security.

      This is why SSAE 16 certification doesn't mean a lot to me. Having been through the certification process personally, I've seen firsthand a lot of crap signed off that shouldn't have been. Our "data center" was located in a suite in the office building next door, connected to us via directional WiFi, with no cameras, no facility access logs, and only a glass front door between the sidewalk outside and the servers in the rack. Keys were freely available to whoever wanted them in our office, plus the DC's owner gave keys to his other customers, and all of the racks were exposed to whoever might have wanted to start swapping cables around - no locking cabinets whatsoever. Despite all of that, and other questionable practices that I'd constantly been bugging the boss about fixing (especially since we were handling financial data for a number of banks), we got our Type II certification with no problems at all. Going into the process, I was sure we were screwed, but the auditor didn't even ask for the 6-month historical documentation. I didn't get to see the final report, so I'm guessing a lot of it was sheer fiction. "Write a check, get your certification", it seems with at least some vendors.

      --
      Please stand clear of the doors, por favor mantenganse alejado de las puertas
    11. Re:It's a gamble by Anonymous Coward · · Score: 0

      Same goes with ISO-27001 and FedRAMP certifications. My personal experience is that the auditors will check that there is a documented process for security related changes; the fact that the process is actually implemented in practice is unimportant, and they will never verify that what you tell them is actually true.

    12. Re:It's a gamble by rtb61 · · Score: 1

      Security: nothing should be more secure than, say, elevator servicing, but the cheapest elevator servicing contractors go up there, wipe over some fresh grease and leave, doing nothing else. Good luck. The problem with private anything and lowest tenders is that highest profit means trying to get away with doing nothing and, when caught, blaming others for it. Trusted companies who do good work at high cost? No problem: con artists come in with corrupt bank support, buy them out and turn them into cheating shit, inflate profits and then sell them before they implode, leaving behind trails of death, suffering and bankruptcy. The catch is that proper auditing and monitoring costs lots of money and generates no profit, hence psychopath corporate douchebag executives routinely cripple it to pump up bonuses regardless of consequences.

      --
      Chaos - everything, everywhere, everywhen
    13. Re:It's a gamble by mysidia · · Score: 1

      will check that there is a documented process for security related changes; the fact that the process is actually implemented in practice is unimportant, and they will never verify that what you tell them is actually true.

      Well, it may be that they don't need to actually verify that what you say is true. If your company or an officer attests to a lie in an engagement with an auditor, then under federal law there's a crime called fraud that it falls under. I believe the risk of being prosecuted arises after there's an incident which should not have occurred, and the later forensic audit, including interviews of management and staff, turns up that the claimed policies had not actually been implemented.

    14. Re: It's a gamble by Anonymous Coward · · Score: 0

      That's when the 'few bad engineers who didn't follow policy' defense is invoked by the CEO.

      See VW for details.

    15. Re:It's a gamble by ericloewe · · Score: 1

      Clearly someone has never worked with Oracle nor has met someone who has worked with Oracle.

  4. YOU created the mess in the first place by Anonymous Coward · · Score: 0

    The casino created the problem in the first place, by not securing their own servers. The lawsuit is completely bogus.

    1. Re: YOU created the mess in the first place by Frosty Piss · · Score: 2

      No, they hired a company to ferret out and fix their problems, paid a lot of cash for the service, and the company did a half-assed job.

      --
      If you want news from today, you have to come back tomorrow.
    2. Re: YOU created the mess in the first place by arth1 · · Score: 3, Interesting

      No, they hired a company to ferret out and fix their problems, paid a lot of cash for the service, and the company did a half-assed job.

      Yes, that is the second problem that's also the Casino's fault: They hired someone else (twice!) to fix a problem instead of having the problems pointed out and then making the decisions themselves, whether it would be to paint over the flaws or replace a broken design from scratch.

      Yes, the security company is at fault for not delivering what they signed up to deliver, but the Casino messed up several times.
      A good king's ruling would be to award the Casino a payback in full, with interest, only to be paid once the casino has fully replaced the broken systems, and shown that they have processes in place to prevent insecure designs from being approved and implemented.

    3. Re: YOU created the mess in the first place by peragrin · · Score: 1

      Most businesses don't develop their own software. It gets contracted out. In fact they may not even contract out the development but contract out the usage of an existing product. Combined with maybe a few custom overlays specific for their needs, and they are done.

      When we switched to a new ERP software a couple of years ago that is exactly what we did. The new vendor even supplies updates and upgrades as part of their maintenance and support contract. However, I am currently stuck as the PCI-DSS compliant version requires us to stop using a part of their software that we need. The official solution is to hire out to a third party for a credit card authorization system. Except we can't do that for business reasons (we have specific government contracts). So we are stuck with a slowly aging, non-updatable system until we figure it out.

      --
      i thought once I was found, but it was only a dream.
    4. Re: YOU created the mess in the first place by Anonymous Coward · · Score: 0

      They hired someone else (twice!) to fix a problem instead of having the problems pointed out and then making the decisions themselves, whether it would be to paint over the flaws or replace a broken design from scratch.

      Doesn't PCI-DSS mandate retaining outside firms to do these audits? So the casino couldn't (legally) direct everything themselves, lest there be the appearance that they weren't letting the auditor work independently. It just demonstrates how PCI-DSS is less about security and more about theatrics and blame-passing.

    5. Re: YOU created the mess in the first place by arth1 · · Score: 1

      Doesn't PCI-DSS mandate retaining outside firms to do these audits? So the casino couldn't (legally) direct everything themselves, lest there be the appearance that they weren't letting the auditor work independently. It just demonstrates how PCI-DSS is less about security and more about theatrics and blame-passing.

      From what I understand (which, granted, is based on summaries), the regulations try to prevent blame passing, by specifically making the company who brings in outside help responsible for what the outside companies do or don't do, no matter what contracts say. You cannot pass the buck, but you're certainly free to sue your contractors.

    6. Re: YOU created the mess in the first place by mysidia · · Score: 1

      Doesn't PCI-DSS mandate retaining outside firms to do these audits?

      PCI-DSS itself does not say who audits a company against the standard, but depending on transaction volumes and assessed risk, banks certainly will require that audits be conducted both internally and by an approved 3rd-party QSA.

  5. Reminder.. by TechyImmigrant · · Score: 5, Interesting

    >PCI (Payment Card Industry)-compliant servers

    PCI-DSS, the security standard for payment processing, has nothing to do with security. There is a veneer of 'we are doing this for security', but none of it makes sense. This is why we keep seeing PCI-DSS compliant systems getting hacked and revealing card and personal details by the million.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    1. Re:Reminder.. by rakslice · · Score: 1

      The PCI DSS is a basic set of system/network administration goals related to security. It means what it means. It doesn't mean that known vulnerabilities have been patched, or that specific security measures have been taken to secure card data. It does mean that system default passwords have been changed, that users have unique IDs, and that there is some kind of auditing going on.
      It's a fair assessment IMO to say it's a "veneer" that is going to continue to allow giant breaches because it doesn't prescribe specific security measures. But it is definitely related to security.

      I should also add: In many cases, it's all there is ever going to be in terms of policy. While most sophisticated organizations are in a position to hire staff who know and understand normal security practices and will allow them to be put into place, there are as many transactions going through those as through small businesses where no one knows anything about network security and no one would ever do any reading to learn about anything under any conceivable circumstance. The PCI DSS is as much a security policy as it is a message to the public about how little security it thinks is actually achievable in real businesses.

    2. Re:Reminder.. by rakslice · · Score: 1

      about how little security it thinks

      By "it" there I meant the credit card industry.

    3. Re:Reminder.. by TechyImmigrant · · Score: 1

      My family has a small business. But I have a day job as a security engineer. I design security circuits and work in cryptographic standards.

      So I got exposed to the PCI-DSS specs when I was implementing the point of sale system for my family's business and many of their requirements ran counter to security. They should have concentrated on more specific details of how computers handle personal details and card details.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    4. Re:Reminder.. by Anonymous Coward · · Score: 0

      That is not true. PCI-DSS sets a very low standard for security, but the whole purpose is to establish minimum security controls.

      The reason they keep getting hacked is, transaction data or credit related personal data is really valuable, and PCI-DSS sets such a low standard.

    5. Re:Reminder.. by TechyImmigrant · · Score: 1

      That is not true. PCI-DSS sets a very low standard for security, but the whole purpose is to establish minimum security controls.

      The reason they keep getting hacked is, transaction data or credit related personal data is really valuable, and PCI-DSS sets such a low standard.

      PCI and the card standards they set and the compliance they regulate is the direct cause of all the insecurity. It all happened on their watch.
      Setting low standards isn't an excuse, it's the cause. It's their fault.

      We would be better served if the job was handed over to IEEE. P802 got screwed the first time around when they asked the government for help and got given WEP by the NSA, but they wised up and have since proven capable of secure and implementable standards to sound engineering standards.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  6. Comments needed by John Da' Baddest · · Score: 1

    Let's see what Trustwave has to say about this. If their lawyers will let them comment. And why not? About time "silence is deafening" becomes a legal deficiency.

  7. Exactly what we need ... by CaptainDork · · Score: 1

    ... to fix security -- litigation.

    Instead of shrugging our shoulders with the fail of, "Well, that's just the Internet," we need to identify the incompetent and make them pay.

    Businesses are not motivated to give a shit unless there's financial gain or cost avoidance.

    That's the ONLY reason businesses have fire extinguishers, sprinklers, smoke alarms and fire exits.

    --
    It little behooves the best of us to comment on the rest of us.
  8. Call Phule by Anonymous Coward · · Score: 0

    His crew can sort this out.

  9. Trustwave and Target by Anonymous Coward · · Score: 0

    Wasn't Trustwave also Target's security vendor when they failed to prevent that massive malware infection and huge payment card data breach?

    1. Re:Trustwave and Target by mysidia · · Score: 2

      Yes..... Trustwave was initially being sued over the Target breach as well. Seems this is like Strike 2 for Trustwave.

      I imagine that cases like this coming to the media must be quite damaging to their reputation, and they should want to avoid further occasions and settle it quickly.

  10. At least get the name right by Ralph Wiggam · · Score: 1

    Is it too much to ask for the article, or Slashdot's editors, to get the name of the affected company correct? It says right at the top of the lawsuit that their name is Affinity Gaming, not Affinity Games.

  11. I wonder by Ol Olsoc · · Score: 1

    Any wagers on how this will turn out?

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.