Slashdot Mirror


Hackers Stole a Casino's High-Roller Database Through a Thermometer in the Lobby Fish Tank (businessinsider.com)

From a report: Nicole Eagan, the CEO of cybersecurity company Darktrace, told the WSJ CEO Council in London on Thursday: "There's a lot of internet of things devices, everything from thermostats, refrigeration systems, HVAC [air conditioning] systems, to people who bring in their Alexa devices into the offices. There's just a lot of IoT. It expands the attack surface and most of this isn't covered by traditional defenses."

Eagan gave one memorable anecdote about a case Darktrace worked on where an unnamed casino was hacked via a thermometer in a lobby aquarium. "The attackers used that to get a foothold in the network. They then found the high-roller database and then pulled that back across the network, out the thermostat, and up to the cloud," she said.

43 of 246 comments

  1. I don't know... by Anonymous Coward · · Score: 5, Funny

    ... this sounds phishy.

    1. Re:I don't know... by ctilsie242 · · Score: 3, Funny

      Compromises like this make me eel. It is worth the read for the halibut...

    2. Re: I don't know... by Anonymous Coward · · Score: 5, Insightful

      High roller = whale
      So an aquarium seems an appropriate attack vector.

  2. Network Separation by Anonymous Coward · · Score: 3, Insightful

    And that is why one should be almost religious about separating networks. In particular networks for "home automation" from the rest. Even at home I have one wifi for home automation and one for the rest.

    1. Re:Network Separation by Oswald+McWeany · · Score: 3, Interesting

      And that is why one should be almost religious about separating networks. In particular networks for "home automation" from the rest. Even at home I have one wifi for home automation and one for the rest.

      Good Suggestion.

      I'm not a fan of my current home router and have been considering getting a new one. I think I might follow your suggestion and do the same. Keep the old one for my IOT devices and put computers and cell phones on a new one.

      --
      "That's the way to do it" - Punch

    2. Re:Network Separation by the_skywise · · Score: 2

      Probably won't be too much longer and you'll be seeing routers supporting dual network spaces for just this reason. (like the DMZ)

    3. Re:Network Separation by Oswald+McWeany · · Score: 5, Funny

      I'd like to do the same, but I am considering a third for guests. I've noticed in the last few years that "can I get on your wi-fi?" has become as common as "can I use your restroom?"

      So good manners these days involves, not only offering the workman a cup of tea, but your wifi password too.

      "Would you like a spot of tea and a Wi-Fi password whilst you fix our driveway?"

      How else are the workmen going to use you-tube to look up how they do their job?

      --
      "That's the way to do it" - Punch

    4. Re:Network Separation by Mr+D+from+63 · · Score: 2

      I'd like to do the same, but I am considering a third for guests. I've noticed in the last few years that "can I get on your wi-fi?" has become as common as "can I use your restroom?"

      A thoughtful host will place a wifi QR code in the bathroom.

    5. Re:Network Separation by Mr+D+from+63 · · Score: 2

      I never thought about that. I'd have just naturally set the second network to a different subnet.

      And I thought /. was becoming totally useless.

  3. Zero sympathy by olsmeister · · Score: 5, Insightful

    IoT devices should be sparingly and carefully deployed.

    Anyone who uses one as a fish tank thermometer deserves to be hacked. I know the tank probably had tens of thousands of dollars worth of tropical fish in it - don't care. If you absolutely NEED to have an IoT thermometer in it, rather than a simple visual one, then put it on a different network than your client databases. Hell, have it use the cellular network. If it wasn't this, it would have been something else.

    1. Re:Zero sympathy by oh_my_080980980 · · Score: 2

      You just made the argument against EVERY fucking internet enabled device.

      Congratulations.

    2. Re:Zero sympathy by argStyopa · · Score: 2

      This.

      I can see the practicality of having some things online - a thermometer for a tank of $10,000 fish, sure.

      But as you said: HAVE A SEPARATE, TOTALLY BANAL NETWORK FOR THAT SHIT.
      *DON'T* connect that to your operating system, your vault doors, or your self-destruct systems, eh?

      --
      -Styopa

    3. Re:Zero sympathy by Opportunist · · Score: 2

      No, most other internet enabled device I can audit.

      Try it with your average IoT crapbox.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

    4. Re:Zero sympathy by barjam · · Score: 2

      I doubt it was a fish tank thermometer only; it was probably a fish tank controller that had a thermometer as one of its functions. On something like a saltwater tank where you might have thousands of dollars in corals and such, the controller is used to regulate temperature, chemicals and so on. One tiny slip up in parameters and thousands of dollars are down the drain. IOT for that sort of thing makes total sense.

      Network isolated and all that for sure though.

      On the other hand, if the casino's security were properly set up, even an IOT device wouldn't be a concern, as it would have required at least two weaknesses to get to this point. In my opinion you have to treat an internal network as if it was public anyhow.

  4. IOT is a disaster waiting to happen by pablo_max · · Score: 4, Insightful

    It is really crazy that the IOT stuff is pushed so hard even though there are no security standards in place.

    I do have internet connected things myself. Heating system and some home automation. While these are internet facing, they do not have access to my home network as they use a physically different network system. I assumed it would only be a matter of time before someone hacked my network via my light switch, so I at least put up the basic security road blocks.
    It sounds like the IT department there wasn't thinking too hard about security.

    1. Re:IOT is a disaster waiting to happen by rtkluttz · · Score: 4, Insightful

      It's not even that. There is literally nothing that IoT devices do in the cloud that can't be done completely in the owner's network. Anyone that allows devices on their network that basically have you authenticating to a company's servers outside your home or business to do something inside your home or business deserves everything they get.

      --
      Digital is, by definition, imperfect. Analog is the way to go.

    2. Re:IOT is a disaster waiting to happen by Anonymous Coward · · Score: 2, Insightful

      It sounds like the IT department there wasn't thinking too hard about security.

      IT pays for shit and you get about as much respect as the janitor. If a casino cares about security, they would need to pay better and give more respect to get the kind of talent required to actually do a decent job at securing their systems. Their underpaid IT staff is most likely following check lists created at least 10 years ago.

  5. IoT turned DEFCON into a party again by phantomfive · · Score: 5, Interesting

    IoT turned DEFCON into a party again. It was all getting kind of boring, with finding exploits in the major OSes being more time-consuming, but now suddenly there are so many device exploits that people are giving them away free. A lot of times it's as simple as
    echo "admin\n admin\n" | telnet device_ip
    I thought we were done with the days of telnet exploits but it's a gift that keeps giving.

    --
    "First they came for the slanderers and i said nothing."

  6. No fish were harmed by jfdavis668 · · Score: 4, Funny

    During this hacking attempt. Except whales.

  7. Re:high-roller database by namgge · · Score: 4, Funny

    A list of people with a lot more money than sense.

  8. Re:What is a high-roller database? by apparently · · Score: 2

    I'm no internet genius, but I'm wagering it's some sort of database that contains the names of high rollers who frequent the casino, along with their details. You might want to do some sleuthing on the dank webs to confirm.

  9. Oh no! by dohzer · · Score: 2, Funny

    Oh no. I feel really bad for the casino. Where can I donate money to help them in their time of need?

  10. Re:What is a high-roller database? by Holi · · Score: 2

    WTF, does no one here know how to use a fucking search engine?

    --
    Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.

  11. Re:Internet Of Things by haruchai · · Score: 4, Funny

    Why would I want my fridge, lightbulbs, toaster and so on to ever be hooked up to the public internet?

    You probably don't, but Big Brother does. They're hoping you will give up your privacy in exchange for added convenience of these IoTs.

    Say that a bit louder, Alexa didn't hear you

    --
    Pain is merely failure leaving the body

  12. Re:Network Separation (Partial report from vendor) by Anonymous Coward · · Score: 5, Informative

    https://www.darktrace.com/resources/wp-global-threat-report-2017.pdf
    ---
    To ensure these communications remained separate from the commercial network, the casino configured the tank to use an individual VPN to isolate the tank's data
    ---

    So yes, it was segregated via a VPN link. Clearly that wasn't enough.

  13. Baloney by 110010001000 · · Score: 2

    "up to the cloud" is the key term here. It is meaningless. This must be an "AI" company looking for more funding.

  14. Re:Internet Of Things by ZorinLynx · · Score: 5, Insightful

    A lot of these newer "smart" devices are really quite dumb. They REQUIRE the Internet to work, because half the functionality is implemented on the manufacturer's servers. Not only is this a security concern, but if the manufacturer goes out of business, your stuff will stop working.

    This has extreme privacy concerns, especially in cases such as video doorbells, thermostats with occupancy sensors, "smart" refrigerators, and so on. It's one of the main reasons I haven't upgraded to any such "smart" stuff in my home, except for the Philips Hue lighting system which is incredibly well implemented and can operate entirely over the local LAN.

  15. Re: What is a high-roller database? by Anonymous Coward · · Score: 2, Informative

    It is a list of people who due to the influence of puppeteers, and to roll above a seven on two six sided dice. Pierson's Casinos use the list to steer these high rollers to games where odds are more in their favor and away from things like craps where a two is a loss and an eleven is a win. Hackers will use it to place side bets to defraud the casino.

    There now you don't have to google it, ya lazy bums.

  16. Re:Internet Of Things by ctilsie242 · · Score: 4, Insightful

    You don't, but there are a lot of companies, governments, organizations, and others who get big money from the analytics from those devices, and who want those to be as "connected" as possible, so the device can slurp as much info as possible.

    Best place for IoT devices is to remain on store shelves. Second best place is the dumpster.

  17. Re: Internet Of Things by oh_my_080980980 · · Score: 4, Insightful

    Gosh, how was society able to do that for centuries before these wonder devices....

  18. IoT devices not on their own VLAN? by Archon · · Score: 2

    Why the hell should a fish tank thermometer have any sort of network access to where customer data is stored? Their IT staff should be re-vetted for competence.

    1. Re:IoT devices not on their own VLAN? by ledow · · Score: 2

      What?

      Are you suggesting that you'd have to compromise the switch? How would that work any differently with physical separation?

      You can request a VLAN, from a list of allowed VLANs, on any decent managed switch. But you can also be FORCED onto a VLAN with no way to override that by such switches too.

      And if Cable 1 is on VLAN 1 and Cable 2 is on VLAN 2, you can't do anything without total compromise of the switch itself (which renders the problem moot anyway). And which is incredibly unlikely to happen, especially if you have any kind of traffic monitoring (e.g. literally blocking the protocols that a device can communicate over), port-authentication (RADIUS etc.), etc.

      Sorry, but VLANs are as-good-as, if not better than, physical cable isolation.

  19. Re:Internet Of Things by Opportunist · · Score: 4, Insightful

    The manufacturer doesn't even have to go out of business. As "always online" software has shown us again and again, all that's required is the manufacturer not wanting you to use it anymore.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

  20. Re:Network Separation (Partial report from vendor) by Archangel+Michael · · Score: 5, Insightful

    VPN link isn't the same as network isolation. Network isolation means you can't get from there to here. That's why you have multiple firewalls, networks routers and DMZ and so on between IOT devices and your critical infrastructure.

    Here at my work, we have a VPN tunnel that takes us right into critical networks. It makes me cringe as we have no control over it. I've mentioned it a number of times, but someone (one guy) insists he can't do his job without it. It is bullshit, because he and I have the same duties, and I manage. But the boss says "leave it up, he needs it", and I cry bullshit every time.

    It is convenience for security. Or as the boss calls it "usability", because convenience sounds bad.

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.

  21. Mr Robot?! by ripvlan · · Score: 2

    Wasn't this the plot of the first season of Mr Robot? Although he snuck in and fiddled with the device to make it accessible.

    Rather than upload the data to the cloud - he sought to erase the cloud.

  22. Re:Network Separation (Partial report from vendor) by PPH · · Score: 3, Insightful

    What good would that do? For proper security, you have to assume that every IoT device is insecure and can be compromised. You configure a thermostat to use a VPN and the moment you turn your back, it hops on the local LAN again. What should have been done was to secure the database properly. That way, an evil thermostat or casino patron walking in with a WiFi capable device can't get into the database. And if the database is that sensitive, you keep it off the network. Not the appliances.

    The approach of securing IoT devices applies only if they themselves have some critical function. You don't want someone to hack in and cook your fish? Secure the thermostat.

    --
    Have gnu, will travel.

  23. Re:Network Separation (Partial report from vendor) by MightyMartian · · Score: 3, Interesting

    This... so much this. It isn't security if you're only thinking about risk in one dimension. Yeah great, you get a segregated network, you isolate your critical network resources, but, um, you allow anonymous users on your network to access your file store?

    My operating theory is to assume that everything can fail, so you secure your network, but assume someone somehow is going to get through anyways, so you'd better use ipsec to encrypt the traffic in case someone manages to hook something on to an open RJ45. But, for chrissakes, also imagine internal threats, such as maybe you don't want the kid in the mail room gaining access to the company's financial records.

    This really is more a story about total incompetence. Why do I think this casino had a share "S:" and it's just wide open?

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.

  24. Re:Network Separation (Partial report from vendor) by trg83 · · Score: 4, Interesting

    The point is that there should not exist an entity known as "the network" in this picture. There should be many. Your casino patrons sure as hell shouldn't be on the same network as either your smart appliances or your corporate databases.

  25. Stealing the list? Meh. by GameboyRMH · · Score: 2

    Now modifying the list, THAT'S where the fun's at!

    I wonder how many weeks of free luxuries they would lavish you with before they notice that you aren't gambling :D

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel

  26. Re:Network Separation (Partial report from vendor) by skids · · Score: 3, Insightful

    For some reason, vendors seem to have a knack for producing devices with communications needs that do not fit into whatever scheme you come up with for network segregation. "Yeah it's an IoT device but this one in particular also needs to talk to...."

    You're almost never staffed up enough to give this an appropriate level of attention on an ongoing basis.

  27. Re:Network Separation (Partial report from vendor) by aaarrrgggh · · Score: 2

    Exactly... it comes down to resources. I would love to proxy and log some specific traffic between a device I don't really trust and the information it needs... but that is a couple days to reverse engineer the communications and there is already too much on my plate.

  28. Re: Network Separation (Partial report from vendor) by denis.goddard · · Score: 2

    Where EXACTLY do you work? We might be able to get you some free pen testing ;)

  29. Re:Network Separation (Partial report from vendor) by Cederic · · Score: 2

    There's a third choice, which is rather more correct: Capture the risk, put in place mitigations, ask that the risk gets reassessed at a reasonable frequency.

    If you want to be secure switch the damn server off. Anything else, you're already compromising, so just do what you do for any security risk.