Slashdot Mirror
Hackers Stole a Casino's High-Roller Database Through a Thermometer in the Lobby Fish Tank (businessinsider.com)
From a report: Nicole Eagan, the CEO of cybersecurity company Darktrace, told the WSJ CEO Council in London on Thursday: "There's a lot of internet of things devices, everything from thermostats, refrigeration systems, HVAC [air conditioning] systems, to people who bring in their Alexa devices into the offices. There's just a lot of IoT. It expands the attack surface and most of this isn't covered by traditional defenses."
Eagan gave one memorable anecdote about a case Darktrace worked on where an unnamed casino was hacked via a thermometer in a lobby aquarium. "The attackers used that to get a foothold in the network. They then found the high-roller database and then pulled that back across the network, out the thermostat, and up to the cloud," she said.
Eagan gave one memorable anecdote about a case Darktrace worked on where an unnamed casino was hacked via a thermometer in a lobby aquarium. "The attackers used that to get a foothold in the network. They then found the high-roller database and then pulled that back across the network, out the thermostat, and up to the cloud," she said.
IoT turned DEFCON into a party again. It was all getting kind of boring, with finding exploits in the major OSes being more time-consuming, but now suddenly there are so many device exploits that people are giving them away free. A lot of times it's as simple as
echo "admin\n admin\n" | telnet device_ip
I thought we were done with the days of telnet exploits but it's a gift that keeps giving.
"First they came for the slanderers and i said nothing."
And that is why one should be almost religious about separating networks. In particular networks for "home automation" from the rest. Event at home I have one wifi for home automation and one for the rest.
Good Suggestion.
I'm not a fan of my current home router and have been considering getting a new one. I think I might follow your suggestion and do the same. Keep the old one for my IOT devices and put computers and cell phones on a new one.
"That's the way to do it" - Punch
This... so much this. It isn't security if you're only thinking about risk in one dimension. Yeah great, you get a segregated network, you isolate your critical network resources, but, um, you allow anonymous users on your network to access your file store?
My operating theory is to assume that everything can fail, so you secure your network, but assume someone somehow is going to get through anyways, so you'd better use ipsec to encrypt the traffic in case someone manages to hook something on to an open RJ45. But, for chrissakes, also imagine internal threats, such as maybe you don't want the kid in the mail room gaining access to the company's financial records.
This really is more a story about total incompetence. Why do I think this casino had a share "S:" and it's just wide open.
The world's burning. Moped Jesus spotted on I50. Details at 11.
The point is that there should not exist an entity known as "the network" in this picture. There should be many. Your casino patrons sure as hell shouldn't be on the same network as either your smart appliances or your corporate databases.