Hackers Stole a Casino's High-Roller Database Through a Thermometer in the Lobby Fish Tank (businessinsider.com)
From a report: Nicole Eagan, the CEO of cybersecurity company Darktrace, told the WSJ CEO Council in London on Thursday: "There's a lot of internet of things devices, everything from thermostats, refrigeration systems, HVAC [air conditioning] systems, to people who bring in their Alexa devices into the offices. There's just a lot of IoT. It expands the attack surface and most of this isn't covered by traditional defenses."
Eagan gave one memorable anecdote about a case Darktrace worked on where an unnamed casino was hacked via a thermometer in a lobby aquarium. "The attackers used that to get a foothold in the network. They then found the high-roller database and then pulled that back across the network, out the thermostat, and up to the cloud," she said.
... this sounds phishy.
And that is why one should be almost religious about separating networks. In particular networks for "home automation" from the rest. Even at home I have one wifi for home automation and one for the rest.
is a really dumb idea. Why would I want my fridge, lightbulbs, toaster and so on to ever be hooked up to the public internet?
As the topic says, but I repeat: What is a high-roller database?
Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
IoT devices should be sparingly and carefully deployed.
Anyone who uses one as a fish tank thermometer deserves to be hacked. I know the tank probably had tens of thousands of dollars worth of tropical fish in it - don't care. If you absolutely NEED to have an IoT thermometer in it, rather than a simple visual one, then put it on a different network than your client databases. Hell, have it use the cellular network. If it wasn't this, it would have been something else.
What is a high-roller database? What does it contain and is it useful?
"Science will win because it works." - Stephen Hawking
It is really crazy that the IOT stuff is pushed so hard even though there are no security standards in place.
I do have internet connected things myself. Heating system and some home automation. While these are internet facing, they do not have access to my home network as they use a physically different network system. I assumed it would only be a matter of time before someone hacked my network via my light switch, so I at least put up the basic security road blocks.
It sounds like the IT department there wasn't thinking too hard about security.
What a great idea for a game and Movie.
Personally, I have just invested in companies that manufacture baseball bats and back-hoes.
I was worried she wouldn't be qualified to be a tech CEO, but now I have no doubts at all.
I phished out the fact that casino's keep high roller databases on their networks from Slashdot. Is Slashdot an attack vector?
IoT turned DEFCON into a party again. It was all getting kind of boring, with finding exploits in the major OSes being more time-consuming, but now suddenly there are so many device exploits that people are giving them away free. A lot of times it's as simple as
echo "admin\n admin\n" | telnet device_ip
I thought we were done with the days of telnet exploits but it's a gift that keeps giving.
"First they came for the slanderers and i said nothing."
During this hacking attempt. Except whales.
My pet hate, IOS devices that bluetooth to your smartphone as a backdoor:
Android smartphones offer every application default "Full Network Access". So you're not just giving the *app*, access to the location, address book etc., you're giving the *company* that made the app that access remotely too.
Google's explanation for this is total bullshit, something like "apps can access the internet by starting a browser, ergo this has no damage". Really, it's "we need it to spy on you so we enable it". And every shitty little app, that might have a genuine reason to access the address book, also gets full access to send the address book to their server.
So you buy a fitness band, and it won't work unless connected to your smartphone, which in turn needs an app, which in turn needs you to register for an account and approve access to the address book and location and other stuff. i.e. to use this device you bought, give us full access to your private data, and your identity and in exchange we'll promise to use it for any reason and call it a privacy policy.
You trusted Zuck in 2006 when he promised to only share your data with your chosen friends. You gave him your data, and it turns out he sells it all on to anyone who will pay. And Android devices come pre-installed with this stuff, Facebook, Microsoft's snoop ware, anyone with money can buy pre-installed right to data you will put on the phone, and full network access to slurp your private data off that phone.
And we can blame Zuck for farming its customers for sellable data, but a lot of this is Google's fault.
No app should have network access by default.
Oh no. I feel really bad for the casino. Where can I donate money to help them in their time of need?
Too bad the poor kid isn't even up to s'kiddie, nor is his fishtank with pet rocks.
Leave it to the guy that used to run Britain's version of the NSA to claim "there needs to be regulation"..."the market won't fix itself".
Nonsense. You think this casino and banks don't have an interest in finding secure solutions to these once they discover there's a problem?
Anytime you have a new technology there's going to be some security screw ups before people realize the need for it, and they will realize a need for it. Saying the market won't correct itself is literally saying people don't even want security, which is just asinine. They do, and I'm sure if the bank and casino had known these were security risks like this they would have sought solutions that are secure. That's not a lack of regulation, that's just a lack of awareness which will naturally dissipate over time.
I don't need a spy telling me regulation is needed.
...and up to the cloud.
NOTHIN BUT NET!!
https://www.darktrace.com/resources/wp-global-threat-report-2017.pdf
---
To ensure these communications remained separate from the commercial network, the casino configured the tank to use an individual VPN to isolate the tank’s data
---
So yes, it was segregated via a VPN link. Clearly that wasn't enough.
"up to the cloud" is the key term here. It is meaningless. This must be an "AI" company looking for more funding.
And why you need local non-cloud devices: look at Target, where they hacked into the network from the 3rd-party vendor's HVAC system.
A big casino should have that on a non cloud non wifi network.
scam calls about their markers may work on some people.
Jay go to western union and send us $5000 NOW! or we will send someone to beat it out of you!
How many professional football punters are there, maybe 30 globally? And if these how many actually have a good contract?
I watched the first episode of Max Headroom a year or so ago.
I laughed at a scene where they hacked a company, and I shit you not, by connecting to water pipes somehow and then jumping from a urinal in a men's room to a security camera, again not defecating anywhere near or on your person, located there.
The tragedy is that we're at the point where such things seem to be shifted from the realm of uneducated entertainment to reality.
Is that some type of weird voyeur?
Why are they in casinos? Shouldn't they be swimming in the ocean?
Why the hell should a fish tank thermometer have any sort of network access to where customer data is stored? Their IT staff should be re-vetted for competence.
the Max Headroom hacker is still unknown
Maybe if more high profile targets get finally hit by the security hole IoT is, we'll finally see some movement in this field.
I mean, FFS, these things have security standards I have not seen since the millennium rolled over! You can go down the OWASP Top 10 (of any year of your choice) and the average IoT crapware is guilty of all of them!
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
VPN link isn't the same as network isolation. Network isolation means you can't get from there to here. That's why you have multiple firewalls, network routers, DMZs and so on between IOT devices and your critical infrastructure.
Here at my work, we have a VPN tunnel that takes us right into critical networks. It makes me cringe as we have no control over it. I've mentioned it a number of times, but someone (one guy) insists he can't do his job without it. It is bullshit, because he and I have the same duties, and I manage. But the boss says "leave it up, he needs it", and I cry bullshit every time.
It is convenience for security. Or as the boss calls it "usability", because convenience sounds bad.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
Wasn't this the plot of the first season of Mr Robot? Although he snuck in and fiddled with the device to make it accessible.
Rather than upload the data to the cloud - he sought to erase the cloud.
VLANs baby
Life is not for the lazy.
You mean through the insecure device connected to the network that just so happens to set the temperature too?
What good would that do? For proper security, you have to assume that every IoT device is insecure and can be compromised. You configure a thermostat to use a VPN and the moment you turn your back, it hops on the local LAN again. What should have been done was to secure the database properly. That way, an evil thermostat or casino patron walking in with a WiFi capable device can't get into the database. And if the database is that sensitive, you keep it off the network. Not the appliances.
The approach of securing IoT devices applies only if they themselves have some critical function. You don't want someone to hack in and cook your fish? Secure the thermostat.
Have gnu, will travel.
See, the problem is that you are crying about it. Do your job and take it down regardless of what the boss or his pet brown noser thinks about it. If a single shred of your job includes you taking responsibility for network security then it is a lose-lose situation for you and you should be looking for a new job because either you will get hacked and everyone will shit on you or you disable it and everyone shits on you (meaning the boss and his pet brown noser).
If it were me, I would go above the boss and show how easily that link could be hacked to his bosses. The risk that a direct remote link exists to critical infrastructure is astronomical as the company could essentially be dead in the water for days at the minimum, months at the maximum, and if the people that run the company see that as acceptable then RUN! Get away from that shit show as quickly as possible.
So, you have two choices, either take control of the link (which is what I would do) or leave the company. Hack the other guy's machine and shut down the link hard from here, that way when the forensics is done you can rub it in his face that it came from his machine. Channel your inner BOFH and take control of the situation.
This... so much this. It isn't security if you're only thinking about risk in one dimension. Yeah great, you get a segregated network, you isolate your critical network resources, but, um, you allow anonymous users on your network to access your file store?
My operating theory is to assume that everything can fail, so you secure your network, but assume someone somehow is going to get through anyways, so you'd better use ipsec to encrypt the traffic in case someone manages to hook something on to an open RJ45. But, for chrissakes, also imagine internal threats, such as maybe you don't want the kid in the mail room gaining access to the company's financial records.
This really is more a story about total incompetence. Why do I think this casino had a share "S:" and it's just wide open.
The world's burning. Moped Jesus spotted on I50. Details at 11.
The point is that there should not exist an entity known as "the network" in this picture. There should be many. Your casino patrons sure as hell shouldn't be on the same network as either your smart appliances or your corporate databases.
Only complete and utter morons gamble. Let alone in a casino!
I mean how fuckin' brain-dead do you have to be? The bank/casino always wins. A six year old realizes that after a few hours of playing casino at home!
Then again, you probably live in a country where people still believe in imaginary schizophrenic alter egos in the sky. So ...
Now modifying the list, THAT'S where the fun's at!
I wonder how many weeks of free luxuries they would lavish you with before they notice that you aren't gambling :D
"When information is power, privacy is freedom" - Jah-Wren Ryel
Well VLANned, guys.
I mean, seriously. What are you playing at?
When I worked for IGT 20 years ago selling and supporting their player tracking systems, we ran them on AIX and Oracle, and security up the wazoo. Guess cost-cutting has hit even the casino industry when it comes to doing things right...
That's definitely how you get fired.
Anyone who allows IoT in their business deserves the consequences.
Really.
The only secure IoT devices are the ones you never install.
Scruting the inscrutable for over 50 years.
For some reason, vendors seem to have a knack for producing devices with communications needs that do not fit into whatever scheme you come up with for network segregation. "Yeah it's an IoT device but this one in particular also needs to talk to...."
You're almost never staffed up enough to give this an appropriate level of attention on an ongoing basis.
Someone had to do it.
data dump mirror here
Please don't go spear phishing for big charismatic endangered species.
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
Exactly... it comes down to resources. I would love to proxy and log some specific traffic between a device I don't really trust and the information it needs... but that is a couple days to reverse engineer the communications and there is already too much on my plate.
....wut? Ok guys, it's time to accept that we're living in a cyberpunk novel. They were windows into the future and that future is now. So make with the pink mohawks and techno music.
Remember, only only Keanu can save us. I think all those John Wick movies were just prepping him.
There's not much information in the pdf which doesn't even mention accessing the high-roller database. Why or how would accessing the sensor provide enough privilege to go much further than what it's reporting on? Sneaking into a bank doesn't provide access to the vault.
Have no fear. APK will be along shortly to tell us that if the casino had just installed his hosts file engine on the fish tank thermometer it would have prevented this attack because hosts stops incoming connections and does port filtering. Well he will once he finds a hosts file somewhere that blocks a domain name that some attackers may have been operating from, or maybe that the attackers just visited. So I guess this is today's attack not stopped by APK's work. Maybe he can call us all fake name slashdot lusers while going off on one of his schizophrenic rants.
The data was exfiltrated from the FISH tank to FINland!
This past weekend, I saw an article on creating a VPN server in 30 minutes using, I think, Linode. Great.
Then, they said the server could be used for multiple purposes such as serving up web pages to the public and whatnot.
The author lost all credibility at that point.
Where EXACTLY do you work? We might be able to get you some free pen testing ;)
GPP's point is that "yes, but that's not enough - also have real security inside each network". Also, the casino had the IoT bit on a different VPN, and that didn't help much. Networks that are isolated physically, not just logically, are ideal from a security perspective, but may not be practical to manage.
Socialism: a lie told by totalitarians and believed by fools.
There's a third choice, which is rather more correct: Capture the risk, put in place mitigations, ask that the risk gets reassessed at a reasonable frequency.
If you want to be secure switch the damn server off. Anything else, you're already compromising, so just do what you do for any security risk.
Can't wait to wake up one morning and discover my fridge decided to drain my bank account to help some poor Prince somewhere.
They may have pulled this out of their ass!
This story is pure clickbait. Are there any depths to which slashdot will not sink? It has become a shell of its former self. The editors should have never have let this minnow slip through the net. It's up to us, dear readers, not to let them off the hook.
Document the risk. Document the mitigation suggestions. Document the reason why it remained. Document everything.
Then when the fecal matter hits the air circulation device, they can't fire you, because you warned them repeatedly. If they are setting you up to be the fall guy, document EVERYTHING.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
In 1991
I'm wondering how many other experts have been paranoid enough with their own infrastructure.
For example, if you (like me) have a TV, settop box or microcell connected to your internal home network, don't forget that those devices can and do receive data from a medium (cable, cellular, broadcast TV) that you don't control. I got to thinking about this after I connected a microcell to my internal network. The microcell was kindly provided by AT&T (free!) because their cellular signal is so crappy for my area (anywhere north of Amundsen-Scott Station). I suspect there are as-yet undiscovered vulnerabilities that allow someone to access the internet side of the microcell using spoofed or forged cellular signals. I would expect similar vulnerabilities for the set-top cable box. Accessing the TV's internet connection from the airwaves would be more challenging. If any of these devices also have wi-fi, bluetooth or IR (for remote control), well that's just more attack surface.
The Russians have won. They have made the world a cesspool of distrust, greed, fear and hate.
Always remember, "The 'S' in 'IoT' stands for Security."
Vlans do nothing. You have to have separate infrastructure, cabling, the whole shot.
Basically if you can create it from a single location you can expect someone on the outside to be able to do the same thing.
What is the problem with VLANs? At least the way I use them, every ethernet domain is isolated from every other ethernet domain by a router. So as far as the IOT (internet of things) fish tank thermometer is concerned, it is the only device on the network and it can only see the internet if the router allows it.
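A router ruleset that implements what this comment (and the earlier "firewalls, routers and DMZ between IoT and critical infrastructure" one) describes: each VLAN is a separate L2 domain, the router decides what crosses between them, and the tank controller can only reach its vendor cloud. This is an added example, not anything from the thread or from Darktrace; the interface names, VLAN numbering, addresses and vendor endpoint are all assumed.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread). Assumed layout:
#   vlan10 = corporate LAN, player-tracking DB on 10.10.0.0/24
#   vlan20 = IoT VLAN (aquarium controller, thermostats) on 10.20.0.0/24
#   eth0   = uplink to the internet
flush ruleset

table inet segmentation {
    # Vendor cloud endpoints the tank controller is allowed to talk to.
    # 203.0.113.0/24 is a documentation range, used here as a constructed placeholder.
    set iot_cloud_v4 {
        type ipv4_addr
        flags interval
        elements = { 203.0.113.0/24 }
    }

    chain forward {
        type filter hook forward priority filter; policy drop

        ct state established,related accept
        ct state invalid drop

        # Corporate LAN may reach the internet, and may manage IoT devices
        # (e.g. push firmware) but only on the two ports that need it.
        iifname "vlan10" oifname "eth0" accept
        iifname "vlan10" oifname "vlan20" tcp dport { 22, 443 } accept

        # IoT VLAN: HTTPS to the vendor cloud, plus DNS/NTP on the uplink. Nothing else.
        iifname "vlan20" oifname "eth0" ip daddr @iot_cloud_v4 tcp dport 443 accept
        iifname "vlan20" oifname "eth0" udp dport { 53, 123 } accept

        # IoT toward the corporate VLAN is logged, then dropped. A tank controller
        # that starts probing 10.10.0.0/24 is exactly the signal you want to see.
        iifname "vlan20" oifname "vlan10" limit rate 10/minute log prefix "IOT-TO-CORP "
        iifname "vlan20" oifname "vlan10" drop

        # Anything not explicitly permitted above is logged; policy drop handles the rest.
        limit rate 10/minute log prefix "FWD-DROP "
    }

    chain input {
        type filter hook input priority filter; policy drop

        ct state established,related accept
        iifname "lo" accept

        # IoT devices only get DHCP and DNS from the router; no SSH to the router from that VLAN.
        iifname "vlan20" udp dport { 53, 67 } accept

        # Corporate side may administer the router.
        iifname "vlan10" tcp dport 22 accept
        iifname "vlan10" udp dport { 53, 67 } accept
    }
}
```

The log prefixes are what you feed to the SIEM: a "IOT-TO-CORP" line from the aquarium's address is a compromised device trying to pivot, not a misconfiguration to be waved through.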