*DISCLAIMER* - I am NOT advocating illegal activity. I am, however, presenting thoughts on activities that have been done in the past to other industries and hypothesizing on what information would be valuable. I will NOT provide any instruction or links used to conduct illegal activity.
Generally, casinos do well with physical security (or at least the illusion of it). However, I am referring to a casino's IT Security.
I'm sure there are plenty of casinos that utilize fully networked systems - every system connected 'together', separated either logically or physically, but still sharing the common transfer means (Ethernet, WiFi, etc.) and common back-end systems (processing/storage clusters, VMs, etc.). Additionally, the same networks are used when communicating with other entities (national databases, other casinos, etc.).
What exactly am I talking about? For starters, consider the state-of-the-art surveillance system. Everything is digital - HD IP-cameras, HDD storage, VoIP phones, in-house databases, the computer system itself, and an all-important Internet uplink. Next, consider the computer terminals throughout the casino - where staff can enter notes, hosts can access information, or if necessary, the system can query other networked systems. Next, we have public access - maybe free WiFi, a business center, or other publicly-used systems. The list goes on... Every one of these is centrally connected in some way. One of these is most likely the weakest point of entry. Unlike a retail establishment, which might house its publicly-viewed website and internal data in the same place (or replicated among several data centers), the casino industry is likely to have large amounts of information stored, hosted, and accessed in-house. Of course, there are bits and pieces they access over the Internet from other sources, but we'll get to that shortly.
Anyway, thinking back to each of the connected systems within a casino, think for a second about the massive effort required to properly configure every piece of equipment, let alone properly patch the systems when an update is available or vulnerability is discovered. Yes, casinos are not stupid, but they are also no different than other industries when it comes to IT Security - the prevailing mindset is "let's buy X & Y, implement it, and we'll be secure." There is rarely a plan to go back and 'tune' systems and secure them properly. Once a system is in place, management wants results as fast as possible. Granted, the casino might do a great job properly configuring most equipment; however, it is entirely unrealistic for them to properly configure/secure every piece throughout the organization.
One easy example: A friend was recently at a casino that offered free wireless internet access (to everyone, not just hotel guests). There is no authentication required. So, once he connected, obviously he can access the Internet. He then went down a list of frequently used 'default' configuration IP addresses (based on manufacturer) for wireless access points. Bingo - an authentication page. He used all known default login combinations for the wireless access point manufacturer. Bingo - he is in. From here, he can not only change the configuration of the access point, he can also view all other internally connected devices! Now, he stopped at this point, because let's face it, if he went any further, it could potentially be considered a crime (although since it was a public access point with little to no ability to track him - especially with the precautions he took - the chances of any prosecution are negligible). My point is - if he wanted to, he could have very easily run a few commands and applications that would have allowed him to create a blueprint of the casino's internal network. From here, he could pick and choose which points he wanted to try to exploit. He could also pick points and set up 'sniffers' to collect, log, track, and display all unencrypted information. Even if encryption were used, he could very easily run other applications to crack it.
Going back to my point of all devices being interconnected, it is not unreasonable to assume that at some point, surveillance data/information could be obtained or viewed in real time. It is even possible to issue remote-wipe commands or send all data streams to an off-site location. The possibilities are endless - surveillance systems, HR systems, marketing systems, etc.
Now, I know I'm oversimplifying the process (I would not detail the preparations required to successfully do this) - but it is not hard to accomplish. It is also relatively cheap to accomplish - even if you needed to practice against real casino software, it is obtainable if you are creative.
Ok, so that is one geeky way to accomplish an information gathering objective. How about this one...
In the same way surveillance uses Google and social networks on suspected patrons, they too are susceptible to too much information published openly. What does this do? It provides potential login information for their e-mail (personal & work), corporate login, etc. Pretty simple. Social engineering at its easiest. If you had enough background information, you could simply CALL AROUND the casino (or any other company) and ask people for their passwords (after spending 10 seconds gaining their trust, of course). You'd be surprised how many people will give you their information.
These are only a few sample scenarios that are easy to accomplish. I'm not here to advocate illegal activities, just pointing out the many weaknesses that still exist in a casino's "secure" environment. These same vulnerabilities can apply to other vendors - such as gaming enforcement, gaming equipment manufacturers/designs, etc. Imagine if you had access to THOSE systems. Outside of the gaming industry, virtually every other industry has the same risks. The number of exploitable holes is astonishing - we're not even talking about unpatched third-party software (which aided in RSA's hack in 2011). RSA was a company that advocated security and provided security solutions to virtually every company in the Fortune 100.
Anyways, if we had access to any company's information, what would be the most relevant? Most important? APs could change techniques, know how to thwart new 'game protection' mechanisms, etc.
Just some information to chew on.