Slashdot Mirror
Hackers Stole a Casino's High-Roller Database Through a Thermometer in the Lobby Fish Tank (businessinsider.com)
From a report: Nicole Eagan, the CEO of cybersecurity company Darktrace, told the WSJ CEO Council in London on Thursday: "There's a lot of internet of things devices, everything from thermostats, refrigeration systems, HVAC [air conditioning] systems, to people who bring in their Alexa devices into the offices. There's just a lot of IoT. It expands the attack surface and most of this isn't covered by traditional defenses."
Eagan gave one memorable anecdote about a case Darktrace worked on where an unnamed casino was hacked via a thermometer in a lobby aquarium. "The attackers used that to get a foothold in the network. They then found the high-roller database and then pulled that back across the network, out the thermostat, and up to the cloud," she said.
Eagan gave one memorable anecdote about a case Darktrace worked on where an unnamed casino was hacked via a thermometer in a lobby aquarium. "The attackers used that to get a foothold in the network. They then found the high-roller database and then pulled that back across the network, out the thermostat, and up to the cloud," she said.
... this sounds phishy.
And that is why one should be almost religious about separating networks. In particular networks for "home automation" from the rest. Event at home I have one wifi for home automation and one for the rest.
IoT devices should be sparingly and carefully deployed.
Anyone who uses one as a fish tank thermometer deserves to be hacked. I know the tank probably had tens of thousands of dollars worth of tropical fish in it - don't care. If you absolutely NEED need to have an IoT thermometer in it, rather than a simple visual one, then put it on a different network than your client databases. Hell, have it use the cellular network. If it wasn't this, it would have been something else.
It is really crazy that the IOT stuff is pushed so hard even though there are no security standards in place.
I do have internet connected things myself. Heating system and some home automation. While these are internet facing, they do not have access to my home network as they use a physically different network system. I assumed it would only a matter of time before someone hacked my network via my light switch to at least put up the basic security road blocks.
It sounds like the IT department there wasnt thinking too hard about security.
It's a list of rich gamblers who like to show up, gamble, spend money on pretty much everything in sight, and come back for more.
Client list of "big spenders." The people who would actually come and spend large amounts of money gambling.
IoT turned DEFCON into a party again. It was all getting kind of boring, with finding exploits in the major OSes being more time-consuming, but now suddenly there are so many device exploits that people are giving them away free. A lot of times it's as simple as
echo "admin\n admin\n" | telnet device_ip
I thought we were done with the days of telnet exploits but it's a gift that keeps giving.
"First they came for the slanderers and i said nothing."
During this hacking attempt. Except whales.
My pet hate, IOS devices that bluetooth to your smartphone as a backdoor:
Android smartphones offer every application default "Full Network Access". So you're not just giving the *app*, access to the location, address book etc., you're giving the *company* that made the app that access remotely too.
Google's explanation for this is total bullshit, something like "apps can access the internet by starting a browser, ergo this has no damage". Really, it's "we need it to spy on you so we enable it". And every shitty little app, that might have a genuine reason to access the address book, also gets full access to send the address book to their server.
So you buy a fitness band, and it won't work unless connected to your smartphone, which in turn needs an app, which in turn needs you register for an account and approve access to the address book and location and other stuff. i.e. to use this device you bought, give us full access to your private data, and your indentity and in exchange we'll promise to use it for any reason and call it a privacy policy.
You trusted Zuck in 2006 when he promised to only share your data with your chosen friends. You gave him your data, and it turns out he sells it all on to anyone who will pay. And Android devices come pre-installed with this stuff, Facebook, Microsoft's snoop ware, anyone with money can buy pre-installed right to data you will put on the phone, and full network access to slurp your private data off that phone.
And we can blame Zuck for farming its customers for sellable data, but a lot of this is Google's fault.
No app should have network access by default.
A list of people with a lot more money than sense.
I'm no internet genius, but I'm wagering it's some sort of database that contains the names of high rollers who frequent the casino, along with their details. You might want to do some sleuthing on the dank webs to confirm.
Oh no. I feel really bad for the casino. Where can I donate money to help them in their time of need?
Wikipedia is your friend, as is google. Just googling for "casino high roller wiki" yields https://en.wikipedia.org/wiki/... -- basically a high roller is somebody who gambles a lot of money.
John_Chalisque
WTF, does no one here know how to use a fucking search engine?
Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
Geez, i don't know for sure... but maybe a list of rich people??
Why would I want my fridge, lightbulbs, toaster and so on to ever be hooked up to the public internet?
You probably don't, but Big Brother does. They're hoping you will give up your privacy in exchange for added convenience of these IoTs.
Say that a bit louder , Alexa didn't hear you
Pain is merely failure leaving the body
What does it contains and is it useful?
Well... that might depend on what kind of paper it's printed on...
Something not too rough... absorbent would be useful... but that doesn't come apart; that's the worst.
https://www.darktrace.com/resources/wp-global-threat-report-2017.pdf
---
To ensure these communications remained separate
from the commercial network, the casino configured
the tank to use an individual VPN to isolate the tank’s
data
---
So yes, it was segregated via a VPN link. Clearly that wasn't enough.
"up to the cloud" is the key term here. It is meaningless. This must be an "AI" company looking for more funding.
But I think the original question remains: of what use is it to someone other than the casino that has it? Does it contain credit information? Could a competitor use it to woo these clients? I would think it would not contain actionable credit information, and any casino caught using such information would find themselves a shallow desert grave. The hackers may as well have stolen the fish tank temperature for all the good this information will do them.
It would make sense if it's for watching over your senile granny.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
That could be, strange name though.
Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
It gives you a list of rich people easily persuaded to put money in risky enterprises, who will accept a total loss.
A lot of these newer "smart" devices are really quite dumb. They REQUIRE the Internet to work, because half the functionality is implemented on the manufacturer's servers. Not only is this a security concern, but if the manufacturer goes out of business, your stuff will stop working.
This has extreme privacy concerns, especially in cases such as video doorbells, thermostats with occupancy sensors, "smart" refrigerators, and so on. It's one of the main reasons I haven't upgraded to any such "smart" stuff in my home, except for the Philips Hue lighting system which is incredibly well implemented and can operate entirely over the local LAN.
It is a list of people who due to the influence of puppeteers, and to roll above a seven on two six sided dice. Pierson's Casinos use the list to steer these high rollers to games where odds are more in their favor and away from things like craps where a two is a loss and an eleven is a win. Hackers will use it to place side bets to defraud the casino.
There now you don't have to google it, ya lazy bums.
You don't, but there are a lot of companies, governments, organizations, and others who get big money from the analytics from those devices, and who want those to be as "connected" as possible, so the device can slurp as much info as possible.
Best place for IoT devices is to remain on store shelves. Second best place is the dumpster.
Gosh how was society able to do that for centuries before these wonder device....
and why need local non cloud devices look at target there they hacked to the network from the 3rd party vendors HVAC system.
A big casino should have that on a non cloud non wifi network.
scam calls about there markers may work on some people.
Jay go to western union and send us $5000 NOW! or we will sent someone to beat it out of you!
And what is a high roller then? Someone who often frequents casinos?
A high roller is a whale.
I browse on +1 so AC's need not respond, I won't see it.
What's a google?
I browse on +1 so AC's need not respond, I won't see it.
I watched the first episode of Max Headroom a year or so ago.
I laughed at a scene where they hacked a company, and I shit you not, by connecting to water pipes somehow and then jumping from a urinal in a men's room to a security camera, again not defecating anywhere near or on your person, located there.
The tragedy is that we're at the point where such things seem to be shifted from the realm of uneducated entertainment to reality.
Why the hell should a fish tank thermometer have any sort of network access to where customer data is stored? Their IT staff should be re-vetted for competence.
the Max Headroom hacker is still unknown
Why are they in casinos? Shouldn't they be swimming in the ocean?
Just read the article. They were in the lobby fish tank.
The manufacturer doesn't even have to go out of business. As "always online" software has shown us again and again, all that's required is the manufacturer not wanting you to use it anymore.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
If I get to look over granny, sure.
If you get to look over her, no.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Well, you have to admit, some of the parts you find in IoT devices cost a lot more if bought without the plastic casing...
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
In the online gaming world they call them "whales". So... the thing about the aquarium actually makes it even more funny.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Maybe if more high profile targets get finally hit by the security hole IoT is, we'll finally see some movement in this field.
I mean, FFS, these things have security standards I have not seen since the millennium rolled over! You can go down the OWASP Top 10 (of any year of your choice) and the average IoT crapware is guilty of all of them!
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
VPN link isn't the same as network isolation. Network isolation means you can't get from there to here. That's why you have multiple firewalls, networks routers and DMZ and so on between IOT devices and your critical infrastructure.
Here at my work, we have a VPN tunnel that takes us right into critical networks. It makes me cringe as we have no control over it. I've mentioned it a number of times, but someone (one guy) insists he can't do his job without it. It is bullshit, because he and I have the same duties, and I manage. But the boss says "leave it up, he needs it", and i cry bullshit every time.
It is convenience for security. Or as the boss calls it "usability", because convenience sounds bad.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
What? You don't want your fridge texting you when the milk starts to sour, or your toaster updating you to how many Pop-tarts your kids ate for breakfast this morning ("76 pop tarts seems a little excessive for three children boss, should I cut them off or let their teachers enjoy their sugar psychosis?")
Your lightbulbs could post to Facebook whenever you turn them on letting all your "friends" know when you are home from work in the evening. Your stove will share when dinner is done cooking so they know not to call for half an hour (except the advertisers will hack this info and use it to know when to call).
I'm too lazy to compose a creative sig.
Wasn't this the plot of the first season of Mr Robot? Although he snuck in and fiddled with the device to make it accessible.
Rather than upload the data to the cloud - he sought to erase the cloud.
VLANs baby
Life is not for the lazy.
What good would that do? For proper security, you have to assume that every IoT device is insecure and can be compromised. You configure a thermostat to use a VPN and the moment you turn your back, it hops on the local LAN again. What should have been done was to secure the database properly. That way, an evil thermostat or casino patron walking in with a WiFi capable device can't get into the database. And if the database is that sensitive, you keep it off the network. Not the appliances.
The approach of securing IoT devices applies only if they themselves have some critical function. You don't want someone to hack in and cook your fish? Secure the thermostat.
Have gnu, will travel.
People don't want security. Here's why.
Security first and foremost is expensive. It costs money to keep the people who do know a lot about security on this side of the legal fence. Because you can believe me when I tell you, there's WAY more money to be made on the other side. And security costs time. Because your development will be delayed when you finish your product only to have to redo it because in the final test your security crew (that suspiciously isn't involved in the production process... don't ask) finds a few crippling security flaws.
And when you're finally ready to roll, you notice that competitor A already has a product just like yours in the market and has cornered the market. How could he do this? Easy. By not giving a shit about security. And since he's more often than not completely not liable for any damage his insecure crap causes, why should he give half a shit about it?
Why do people buy his shit is the question one should ask. And the answer is simply because they don't know shit about security and they also don't care. And more often than not don't want to know about it either. They care whether it's cheap and whether it does what it promises. They don't even think that someone else could use it for nefarious reasons.
And this is why companies making IoT items don't give a shit about security. They'd probably go bankrupt if they did.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
A list of people with a lot more money than sense.
That's ME! The bummer is that I don't have much money.
Peace is easy to achieve, just surrender. Liberty is much harder get/keep.
Ten duotrigintillion on the short scale, ten thousand sexdecillion on the long scale.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
When you put it that way...
...it sounds even MORE valuable to know.
Bob Smith, is that you?
Which has more power: the hammer, or the anvil?
This... so much this. It isn't security if you're only thinking about risk in one dimension. Yeah great, you get a segregated network, you isolate your critical network resources, but, um, you allow anonymous users on your network to access your file store?
My operating theory is to assume that everything can fail, so you secure your network, but assume someone somehow is going to get through anyways, so you'd better use ipsec to encrypt the traffic in case someone manages to hook something on to an open RJ45. But, for chrissakes, also imagine internal threats, such as maybe you don't want the kid in the mail room gaining access to the company's financial records.
This really is more a story about total incompetence. Why do I think this casino had a share "S:" and it's just wide open.
The world's burning. Moped Jesus spotted on I50. Details at 11.
The point is that there should not exist an entity known as "the network" in this picture. There should be many. Your casino patrons sure as hell shouldn't be on the same network as either your smart appliances or your corporate databases.
Now modifying the list, THAT'S where the fun's at!
I wonder how many weeks of free luxuries they would lavish you with before they notice that you aren't gambling :D
"When information is power, privacy is freedom" - Jah-Wren Ryel
Well VLANned, guys.
I mean, seriously. What are you playing at?
That's definitely how you get fired.
Anyone who allows IoT in their business deserves the consequences.
Really.
The only secure IoT devices are the ones you never install.
Scruting the inscrutable for over 50 years.
For some reason, vendors seem to have a knack for producing devices with communications needs that do not fit into whatever scheme you come up with for network segregation. "Yeah it's an IoT device but this one in particular also needs to talk to...."
You're almost never staffed up enough to give this an appropriate level of attention on an ongoing basis.
Someone had to do it.
data dump mirror here
Please don't go spear phising for big charismatic endangered species.
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
Exactly... it comes down to resources. I would love to proxy and log some specific traffic between a device I don't really trust and the information it needs... but that is a couple days to reverse engineer the communications and there is already too much on my plate.
Security is the same 80/20 game as pretty much everything else. The problem is identifying the 80 percent that can be taken care of with 20 percent of the cost.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
....wut? Ok guys, it's time to accept that we're living in a cyberpunk novel. They were windows into the future and that future is now. So make with the pink mohawks and techno music.
Remember, only only Keanu can save us. I think all those John Wick movies were just prepping him.
Thanx :D
Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
As the topic says, but I repeat: What is a high-roller database?
A database is an organized collection of information, generally thought of as being held on a computer with a well-defined structure and method of access.
This past weekend, I saw an article on creating a VPN server in 30 minutes using, I think, Linode Great.
Then, they said the server could be used for multiple purposes such as serving up web pages to the public and whatnot.
The author lost all credibility at that point.
Private customer information. That's the bottom line and why this is a problem for the casino as a business.
/* No Comment */
This is modded informative. Seriously?
It's mildly funny, and completely incorrect. It is incorrect and nonsensical on so many levels that "informative" moderation can only be a cruel joke... especially considering that looking up the term may not be so easy for a non-native speaker. A bit of refinement works just fine, but plain "High Roller" will not get you anywhere.
In any case, here is the real meaning:
A high roller is a person who gambles with a lot of money, usually by favoring high stakes. They may be a chronic loser, or they may win more often than not, by being skilled, knowledgeable, and discriminating in their choice of game.
Casinos keep track of such people, both because they like to pamper losers into remaining with the casino, and because they often ban winners for suspected cheating, or just for being bad for business.
This is a pretty valuable database, similar to databases of elderly people who fall for telephone scams.
No good deed goes unpunished...
That could be, strange name though.
Yea it's only been in common use since the late 1800's. Damn kids and their crazy slang.
I browse on +1 so AC's need not respond, I won't see it.
is a really dumb idea. Why would I want my fridge, lightbulbs, toaster and so on to ever be hooked up to the public internet?
None of those would be useful to me. However, I find being able to read and change my home thermostats to be very useful. I am , at this moment, watching some workers in my neighborhood in front of my house. They have the street blocked off and it will be nice to see when they are gone.
What is a high-roller database ? What does it contains and is it useful?
It's a database of people who like to get high and roll around in the grass.
I browse on +1 so AC's need not respond, I won't see it.
Where EXACTLY do you work? We might be able to get you some free pen testing ;)
GPP's point is that "yes, but that's not enough - also have real security inside each network". Also, the casino had the IoT bit on a different VPN, and that didn't help much. Networks that are isolated physically, not just logically, are ideal from a security perspective, but may not be practical to manage.
Socialism: a lie told by totalitarians and believed by fools.
There's a third choice, which is rather more correct: Capture the risk, put in place mitigations, ask that the risk gets reassessed at a reasonable frequency.
If you want to be secure switch the damn server off. Anything else, you're already compromising, so just do what you do for any security risk.
Can't wait to wake up one morning and discover my fridge decided to drain my bank account to help some poor Prince somewhere.
Which is why knowing which customers are willing to visit you and spend several million dollars a year for the entertainment you provide is so important.
They know they're going to lose that much money, and they expect something in return. You look after them, give them the best room in the hotel for free, have aesthetically pleasing person bring them whatever the fuck they want to drink, 24 hour concierge service and tickets to Penn & Teller.
Actually skip the last one, you want to keep them in your casino.
You really have no idea how lazy I get after a hard workout. I mean, I might not get off the couch until it's time to walk to dog and go to bed. If I can control the lights and A/C with my smartphone, even better.
This story is pure clickbait. Are there any depths to which slashdot will not sink? It has become a shell of its former self. The editors should have never have let this minnow slip through the net. It's up to us, dear readers, not to let them off the hook.
O'Really!?
And what do you collect in that database?
People who are known that they statistically roll more sixes than you?
Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
A high roller database is a list of all the best roller-coasters in the country. Useful for when you want to show a whale a good time...
In a very small part of the world ... ... Kartoffel!
Damn american idiots that don't grasp that 80% of the world don't live in the US.
"High-roller" (or as I have learned today: whale) is not a term you learn in school (where you learn basic english) nor in university, where you 'work' with the english you need for your job. In my case computer science.
But thank you for your ignorance and implied insult
Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
Document the risk. Document the mitigation suggestions. Document the reason why it remained. Document everything.
Then when the fecal matter hits the air circulation device, they can't fire you, because you warned them repeatedly. If they are setting you up to be the fall guy, document EVERYTHING.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
>local LAN
Now I read everything
I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
In 1991
And what is a high roller then?
I know what a high troller is ...
Socialism: a lie told by totalitarians and believed by fools.
I'm wondering how many other experts have been paranoid enough with their own infrastructure.
For example, if you (like me) have a TV, settop box or microcell connected to your internal home network, don't forget that those devices can and do receive data from a medium (cable, cellular, broadcast TV) that you don't control. I got to thinking about this after I connected a microcell to my internal network. The microcell was kindly provided by AT&T (free!) because their cellular signal is so crappy for my area (anywhere north of Amundsen-Scott Station). I suspect there are as-yet undiscovered vulnerabilities that allows someone to access the internet side of the microcell using spoofed or forged cellular signals. I would expect similar vulnerabilities for the set-top cable box. Accessing the TV's internet connection from the airwaves would be more challenging. If any of these devices also have wi-fi, bluetooth or IR (for remote control), well that's just more attack surface.
The Russians have won. They have made the world a cesspool of distrust, greed, fear and hate.
How old is granny that she got to be centuries old without observation?!
Guess they don't teach people outside the US how to deduce from context what something they don't understand means. Because in this case it's glaringly obvious.
Also, to make sure the insult is not just implied: I think you are a trolling asshole who knew what it meant and just wanted to be a dick about it.
I browse on +1 so AC's need not respond, I won't see it.
O'Really!?
And what do you collect in that database?
People who are known that they statistically roll more sixes than you?
Lol, yes, those people. And it would also include people who earn more money than I, which is almost everyone on this continent.
Actually, you shouldn't put high-rollers into databases, they go into binders. It's the same way that one may have binders full of women.
No, I did not know what it means, idiot. ... arrogant asshole.
And there was no context at all from which you could have deduced it
Hackers Stole a Casino's High-Roller Database Through a Thermometer in the Lobby Fish Tank
Care to point our how that indicates a "high roller" is a "whale" and a "whale" is "a rich person"?????
Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
If you are too dumb to figure it out or even know how to use google to help you figure it out, you are beyond my help.
that said... https://www.google.com/search?q=What+is+a+high-roller
I browse on +1 so AC's need not respond, I won't see it.
Vlans do nothing. You have to have separate infrastructure, cabling, the whole shot.
Basically if you can create it from a single location you can expect someone on the outside to be able to do the same thing.
What is the problem with VLANs? At least the way I use them, every ethernet domain is isolated from every other ethernet domain by a router. So as far as the IOT (internet of things) fish tank thermometer is concerned, it is the only device on the network and it can only see the internet if the router allows it.