Casino Sues Security Firm For Failing To Contain Malware Infection

An anonymous reader writes: US casino chain Affinity Games is suing Trustwave Holdings, a cyber-security vendor that was brought in to investigate a card breach but failed to detect and stop a malware incident on Affinity's servers, which led to the escalation of a previous card breach. The casino chain noticed the sloppy job a few months later when it hired a penetration testing company to comply with new gaming regulation. Mandiant was brought in to mop up Trustwave's job later on. Affinity is now suing for $100,000 (or more) in damages.

So a Normal Business Matter

This could read as:

    Company hires accounting firm,

    Company hires Auditing firm who notices accounting firms errors.

    Company hires OTHER accounting firm to fix problems from first accounting firm.... sues 1st accounting firm for breach of contact.

How is this not business as normal?

Re:So a Normal Business Matter

It is the old "on a computer" fallacy. Everything is new again when it is done on a computer. Just look at how many patents are granted for things people have done for years but are new because they are on a computer or all the sky-high IPOs in the dot-com era or today.

Re:So a Normal Business Matter

[Opportunist]

It's more

Go to a doctor to cure your back pain.
Have another doctor examine your foot a few months later.
Sue the first doc for not finding the wart on your foot when he examined your back.

Re:So a Normal Business Matter

[gstoddart]

No, no it isn't:

"Trustwave willfully disregarded further evidence that the breach was likely more widespread than what the firm found through its review of the limited systems it examined," the lawsuit reads. "Trustwave willfully disregarded other evidence that the breach was more widespread than first believed."

According to the Mandiant report, the attacker accessed at least 93 systems and deployed credit card harvesting malware on 76, 12 of which were PCI (Payment Card Industry)-compliant servers, which Trustwave was specifically told to inspect.

This really sounds like they hired Trustware, who did a half-assed job, and failed to look at things they had been contracted to look at.

So, take your pick: incompetence, laziness, or fraud.

Re:So a Normal Business Matter

How is this not business as normal?

Normally, for a casino, they'd hire Guido and Luigi, who would solve problems in another way.

Re:So a Normal Business Matter

[ark1]

If you want a medical world analogy for this case: 1. Guys gets shot with a shotgun. 2. Surgeon identifies and removes some shrapnel but fails to identify it all. 3. Guy show-ups for an annual medical check. 4. Routine tests reveal presence of shrapnel. 5. Guy sues initial Surgeon. If negligence is suspected based on initial scope contract, Casino has all the rights to sue and likely win.

Re:So a Normal Business Matter

[laurencetux]

http://instantrimshot.com/inde...

AC will be here all week
PLEASE TRY THE FISH

Re:So a Normal Business Matter

[mysidia]

If you want a medical world analogy for this case: 1. Guys gets shot with a shotgun.

I'm going to go with... 1. Guy gets sick. Hires doctor to find and fix all infections for a fixed pre-paid contract.

2. Doctor identifies invasive skin cancer and administers radiation therapy.

3. Apparent infection dies off.... All the visible anomalies are gone according to all analysis order... doctor pronounces Guy cured.

4. Guy show-up at Doctor2 a year later for a detailed scan.

5. Doctor2 identifies lung cancer in Xray.

6. Guy wants to sue Doctor 1; presuming Doctor 1 must have done his job improperly, if another Doctor is now able to find an infection a year later.

Re:So a Normal Business Matter

[mysidia]

Company hires accounting firm,

Malware detection and removal is not like accounting.

Malware can make itself undetectable and dormant for years, and then popup on command.

For example: there's no such thing as an antivirus with a 100% detection rate.

If any security firm is representing that they can make a 100% assurance that all malware is gone, not involving a rebuild or restore of system from backup, Or offline comparison against a gold image, then they are lying, and they deserve to get burned; because they should know better.

Only $100,000?

Sounds like they're just wanting the money they wasted on them back.

It's a gamble

[penguinoid]

Hire the wrong security, and you might be wasting your money or even exacerbating the problem. The cheapest security is usually not the cheapest.

Re:It's a gamble

[gstoddart]

Hey, it's entirely possible to be expensive and incompetent.

Lousy companies never cease to over-value their services.

Re:It's a gamble

[Opportunist]

That is if you're actually interested in security. Most of the time companies are just interested in getting certified for compliance.

This is why there still are snake oil peddlers in this business. If all you're really interested in is a sheet of paper so you can get a contract, what you want is the auditor that tells you everything in your company is in a great security shape. Not that pesky one that would actually find something wrong with your security.

Re:It's a gamble

You've worked with Oracle before I see.

Re:It's a gamble

[arth1]

Hiring someone to do security after the fact is like hiring someone to fix a badly designed house. It's going to cost a fortune, and the design will still be bad.

At times like that, eat crow, and build a replacement product from the ground up, this time with security as part of the integral design from get-go. Yes, it will be expensive, but less so than re-occurring breaches.

Re:It's a gamble

[ericloewe]

That's unfair.

Everyone at Oracle is extremely competent. How else would they manage to so consistently screw people over?

Re:It's a gamble

[NormalVisual]

If all you're really interested in is a sheet of paper so you can get a contract, what you want is the auditor that tells you everything in your company is in a great security shape. Not that pesky one that would actually find something wrong with your security.

This is why SSAE 16 certification doesn't mean a lot to me. Having been through the certification process personally, I've seen firsthand a lot of crap signed off that shouldn't have been. Our "data center" was located in a suite in the office building next door, connected to us via directional WiFi, with no cameras, no facility access logs, and only a glass front door between the sidewalk outside and the servers in the rack. Keys were freely available to whoever wanted them in our office, plus the DC's owner gave keys to his other customers, and all of the racks were exposed to whoever might have wanted to start swapping cables around - no locking cabinets whatsoever. Despite all of that, and other questionable practices that I'd constantly been bugging the boss about fixing (especially since we were handling financial data for a number of banks), we got our Type II certification with no problems at all. Going into the process, I was sure we were screwed, but the auditor didn't even ask for the 6-month historical documentation. I didn't get to see the final report, so I'm guessing a lot of it was sheer fiction. "Write a check, get your certification", it seems with at least some vendors.

Re:It's a gamble

[rtb61]

Security, nothing should be more secure than say elevator servicing but the cheapest elevator servicing contractors, go up there wipe over some fresh grease and leave, doing nothing else, good luck. Problem with private anything and lowest tenders is, highest profit means trying to get away with doing nothing and when caught blaming others for it. Trusted companies who do good work with high costs, no problem con artists come in with corrupt bank support, buy them out and turn them into cheating shit, inflate profits and then sell them before they implode, leaving behinds trails of death, suffering and bankruptcy. Catch with proper auditing and monitoring it costs lots of money and generates no profit, hence psychopath corporate douche bag executives routinely cripple it to pump up bonuses regardless of consequences.

Re:It's a gamble

[mysidia]

will check that there is a documented process for security related changes, the fact that the process is actually implemented in practice is non important and they will never verify what you tell them to be actually true.

Well, it may be that they don't need to actually verify that what you say is true. If your company or an officer attests to a lie in an engagement with an auditor, then under federal law, there's a crime called fraud that it falls under, and I believe the risk of being prosecuted occurs after there's an incident which should not have occurred, and then the later forensic audit including interviews of management and staff turn up that the claimed policies had not actually been implemented

Re:It's a gamble

[ericloewe]

Clearly someone has never worked with Oracle nor has met someone who has worked with Oracle.

Reminder..

[TechyImmigrant]

>PCI (Payment Card Industry)-compliant servers

PCI-DSS, the security standards for payment processing have nothing to do with security. There is a veneer of 'we are doing this for security', but none of it makes sense. This is why we keep seeing PCI-DSS compliant systems getting hacked and revealing card and personal details by the million.
 

Re:Reminder..

[rakslice]

The PCI DSS is a set of basic set of system/network administration goals related to security. It means what it means. It doesn't mean that known vulnerabilities have been patched, or that specific security measures have been taken to secure card data. It does mean that system default passwords have been changed, that users have unique IDs, and that there is some kind of auditing going on.
It's a fair assessment IMO to say it's a "veneer" that is going to continue to allow giant breaches because it doesn't prescribe specific security measures. But it is definitely related to security.

I should also add: In many cases, it's all there is ever going to be in terms of policy. While most sophisticated organizations are in a position to hire staff who know and understand normal security practices and will allow them to be put into place, there are as many transactions going through those as through small businesses where no one knows anything about network security and no one would ever do any reading to learn about anything under any conceivable circumstance. The PCI DSS is as much a security policy as it is a message to the public about how little security it thinks is actually achievable in real businesses.

Re:Reminder..

[rakslice]

about how little security it thinks

By "it" there I meant the credit card industry.

Re:Reminder..

[TechyImmigrant]

My family has a small business. But I have a day job as a security engineer. I design security circuits and work in cryptographic standards.

So I got exposed to the PCI-DSS specs when I was implementing the point of sale system for my family's business and many of their requirements ran counter to security. They should have concentrated on more specific details of how computers handle personal details and card details.

Re:Reminder..

[TechyImmigrant]

That is not true. PCI-DSS set a very low standard for security but the whole purpose is to establish minimum security controls.

The reason they keep getting hacked is, transaction data or credit related personal data is really valuable, and PCI-DSS sets such a low standard.

PCI and the card standards they set and the compliance they regulate is the direct cause of all the insecurity. It all happened on their watch.
Setting low standards isn't an excuse, it's the cause. It's their fault.

We would be better served if the job was handed over to IEEE. P802 got screwed the first time around when they asked the government for help and got given WEP by the NSA, but they wised up and have since proven capable of secure and implementable standards to sound engineering standards.
 

Re: YOU created the mess in the first place

[Frosty+Piss]

No, they hired a company to ferret out and fix their problems, paid a lot of cash for the service, and the company did a half-assed job.

Re: YOU created the mess in the first place

[arth1]

No, they hired a company to ferret out and fix their problems, paid a lot of cash for the service, and the company did a half-assed job.

Yes, that is the second problem that's also the Casino's fault: They hired someone else (twice!) to fix a problem instead of pointing out the problems and then make the decisions themselves, whether it would be to paint over the flaws or replace a broken design from scratch.

Yes, the security company is at fault for not delivering what they signed up to deliver, but the Casino messed up several times.
A good king's ruling would be to award the Casino a payback in full, with interest, only to be paid once the casino has fully replaced the broken systems, and shown that they have processes in place to prevent insecure designs from being approved and implemented.

Comments needed

[John+Da'+Baddest]

Let's see what Trustwave has to say about this. If their lawyers will let them comment. And why not? About time "silence is deafening" becomes a legal deficiency.

Re: YOU created the mess in the first place

[peragrin]

Most businesses don't develop their own software. it gets contracted out. in fact they may not even contract out the development but contract out the usage of an existing product. Combine with maybe a few custom overlays specific for their needs and they are done.

When we switched to a new ERP software a couple of years ago that is exactly what we did. the new vendor even supplies updates and upgrades as part of their maintenance and support contract. however I am currently stuck as the PCI-DSS compliant version requires us to stop using a part of their software that we need. The official solution is to hire out to a third party for credit card authorization system. Except we can't do that for business reasons(we have specific government contracts). So we are stuck with a slowly aging non updatable system until we figure it out.

Exactly what we need ...

[CaptainDork]

... to fix security -- litigation.

Instead of shrugging our shoulders with the fail of, "Well, that's just the Internet," we need to identify the incompetent and make them pay.

Businesses are not motivated to give a shit unless there's financial gain or cost avoidance.

That's the ONLY reason businesses have fire extinguishers, sprinklers, smoke alarms and fire exits.

Re: YOU created the mess in the first place

[arth1]

Doesn't PCI-DSS mandate retaining outside firms to do these audits? So the casino couldn't (legally) direct everything themselves, lest there be the appearance that they weren't letting the auditor work independently. It just demonstrates how PCI-DSS is less about security and more about theatrics and blame-passing.

From what I understand (which, granted, is based on summaries), the regulations try to prevent blame passing, by specifically making the company who brings in outside help responsible for what the outside companies do or don't do, no matter what contracts say. You cannot pass the buck, but you're certainly free to sue your contractors.

Re: YOU created the mess in the first place

[mysidia]

Doesn't PCI-DSS mandate retaining outside firms to do these audits?

PCI-DSS itself does not say who audits a company against the standard, But depending on transaction volumes and assessed risk, banks certainly will required that audits be conducted both internally and by an approved 3rd-party QSA.

Re:Trustwave and Target

[mysidia]

Yes..... Trustwave was initially being sued over the Target breach as well. Seems this is like Strike 2 for Trustwave.

I imagine that cases like this coming to the media must be quite damaging to their reputation, and they should want to avoid further occasions and settle it quickly.

At least get the name right

[Ralph+Wiggam]

Is it too much to ask for the article, or Slashdot's editors, to get the name of the affected company correct? It says right at the top of the lawsuit that their name is Affinity Gaming, not Affinity Games.

I wonder

[Ol+Olsoc]

Any wagers on how this will turn out?