Breaking in is easy; real security is hard. Breaching the security of a Casino doesn't have to be as dramatic or dangerous as depicted in the Ocean's Eleven movies. In fact, by simply sitting in a hotel room of a Casino, hackers can find ways to breach the high security that Casinos have been known for. This type of attack has a simple goal: steal the Casino's money and cheat the system. All of this can be done without anyone seeing you, and it is much easier than walking directly into the Casino vault armed with guns and explosives.
In this presentation Tom Eston from SecureState walks us through some of the more interesting and exciting penetration tests his team has conducted. These include breaking into Casinos, Banks, Energy companies and other high-security facilities (with permission, of course). Tom's stories not only show how attackers break in but also teach important lessons on how businesses can better secure their physical as well as network assets.
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetration Tester & Other Stories
1. Five Lessons Learned From Breaking Into A Casino
Confessions of a Pentester & Other Stories
Tom Eston
2. Agenda
• My Background
• Pentest Stories
– The Energy Company
– The Casino
• Top 5 Ways We Break In
– What can you learn?
3. About Your Presenter
• Tom Eston
• Manager, SecureState Profiling & Penetration Team
• CISSP, GWAPT
• Physical/Network Penetration Testing, Web/Mobile Application Assessments, Social Engineering
• Penetration Testing Team Lead for a Fortune 500 Regional Bank
• Speaker at Black Hat USA, DEFCON, ShmooCon, SANS, OWASP AppSec
• Blogger (SpyLogic.net) and Podcaster (Security Justice, Social Media Security)
4. Disclaimer: Don’t Try This At Home
• Hacking (breaking in) is illegal without permission!
6. The Energy Company
• High Security Facility
– Barbed wire fence
– Roving patrols
– Guard station with camera coverage
• Objective: Breach the facility, gain access to the control station
• SecureState deployed two teams…
7. The Energy Company
• Team A found an area not protected by the security fence
• Team B gained access to the control facility by social engineering the gate guards
• Rendezvous with Team A at the control station (Administration Building)
• Gained access to shut down the entire facility (big red button); the password was written on the wall
• Installed a Wireless Access Point that allowed remote connection into the network
12. What could we do?
• While on the Gaming Network we had the ability to see all slot machines, including:
– Payout information for each machine
– Ability to manipulate odds, generate bogus/free plays and modify systems which generate revenue for the Casino
• Access to the internal security camera system
– Ability to shut down and move cameras
• We were met by security when attempting to visit the Casino floor
15. #5
Poor Network Segmentation
• Many networks are still “flat”
• Poor ACLs
• Compromised systems can be used to “pivot” to segmented networks
• Example: a host in the DMZ is compromised, then used to pivot to the internal network containing financial systems
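To make the “flat network” point concrete, here is an added example (not code from the talk or from SecureState): a small first-match ACL evaluator, with a permit-all rule set beside a segmented one, used to check whether a compromised DMZ web server could reach the financial systems. The zones, addresses and port numbers are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    """One ACL entry; the first matching rule decides the verdict."""
    action: str            # "allow" or "deny"
    src: str               # source network in CIDR notation
    dst: str               # destination network in CIDR notation
    port: Optional[int]    # destination TCP port, None = any port


def _matches(rule: Rule, src_ip, dst_ip, port: int) -> bool:
    return (src_ip in ipaddress.ip_network(rule.src)
            and dst_ip in ipaddress.ip_network(rule.dst)
            and (rule.port is None or rule.port == port))


def allowed(rules: List[Rule], src: str, dst: str, port: int) -> bool:
    """Evaluate one connection attempt against the ACL; no match means deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if _matches(rule, src_ip, dst_ip, port):
            return rule.action == "allow"
    return False  # default deny


def reachable_from(rules: List[Rule], compromised: str,
                   targets: List[str], port: int) -> List[str]:
    """Which of the targets a compromised host could pivot to on the given port."""
    return [t for t in targets if allowed(rules, compromised, t, port)]


# Constructed address plan (RFC 5737 / RFC 1918 ranges, not a real network)
ANY = "0.0.0.0/0"
DMZ = "192.0.2.0/24"          # web tier
INTERNAL = "10.10.0.0/16"     # everything behind the DMZ
APP_DB = "10.10.20.5/32"      # the one internal host the web tier legitimately needs
FINANCE_HOSTS = ["10.10.50.7", "10.10.50.8"]   # constructed financial systems

# "Flat" network: a single permit-all rule, so a compromised DMZ host reaches anything.
FLAT_ACL = [Rule("allow", ANY, ANY, None)]

# Segmented network: only the flows the business needs, then an explicit deny.
SEGMENTED_ACL = [
    Rule("allow", ANY, DMZ, 443),        # internet -> DMZ web servers, HTTPS only
    Rule("allow", DMZ, APP_DB, 5432),    # DMZ -> its database, one port
    Rule("deny", DMZ, INTERNAL, None),   # DMZ may reach nothing else inside
    Rule("allow", INTERNAL, DMZ, None),  # admins inside may manage the DMZ
]

if __name__ == "__main__":
    web = "192.0.2.10"  # assume this DMZ web server has been compromised
    print("flat:     ", reachable_from(FLAT_ACL, web, FINANCE_HOSTS, 445))
    print("segmented:", reachable_from(SEGMENTED_ACL, web, FINANCE_HOSTS, 445))
```

The segmented rule set is deliberately written with an explicit deny between the DMZ and the internal range and nothing else permitted by default; auditing a real ACL for the same property (can zone A reach zone B on anything other than the documented flows?) is the check worth automating.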
16. #4
Weak Wireless Encryption
• Some companies are still using WEP (sad but true)
• Some companies are using weak passphrases with WPA/WPA2 configurations
• Wireless clients can be misconfigured in WPA2 Enterprise deployments
• Once the wireless network is accessed, we find poor network segmentation
17. #3
Social Engineering
• The “human layer” is always the weakest link in a security program
• Used to convince someone to do something they normally wouldn’t do
• Everyone wants to be helpful!
• The “Who would attack/scam us?” attitude: “We would never fall for that…”
18. #2
Unpatched/Misconfigured Systems
• Very common to still find systems without the MS08-067 (2008) critical Microsoft patch!
• Systems with ports and services that should be closed (RDP)
• Default Credentials
– Apache Tomcat/JBoss
• Lack of minimum security baselines for systems
– Still challenging for many companies
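Lessons #4 and #2 both come down to the absence of a minimum security baseline that is actually checked. The following added example (not code from the talk or from SecureState) turns the findings from those two slides into a small inventory audit: wireless networks still on WEP, short WPA2 passphrases, Enterprise clients that skip server-certificate validation, hosts missing the MS08-067 hotfix, and RDP exposed to the internet. The host names, ports and hotfix lists are constructed; KB958644 is the real Microsoft hotfix identifier for MS08-067, and the passphrase length threshold is an assumed local policy.

```python
from dataclasses import dataclass, field
from typing import List, Set

REQUIRED_HOTFIXES = {"KB958644"}   # MS08-067 (2008), the patch named on the slide
NO_INTERNET_EXPOSURE = {3389}      # RDP should never be reachable from outside
MIN_PSK_LENGTH = 20                # assumption: local policy for WPA2-PSK passphrases


@dataclass
class Host:
    name: str
    internet_facing: bool
    hotfixes: Set[str] = field(default_factory=set)
    open_ports: Set[int] = field(default_factory=set)


@dataclass
class Wlan:
    ssid: str
    security: str                      # "WEP", "WPA2-PSK" or "WPA2-EAP"
    psk: str = ""
    validates_server_cert: bool = True  # EAP clients must check the RADIUS server cert


def audit_host(h: Host) -> List[str]:
    """Baseline checks for one host: required patches and exposed services."""
    findings = []
    for kb in sorted(REQUIRED_HOTFIXES - h.hotfixes):
        findings.append(f"{h.name}: missing {kb}")
    if h.internet_facing:
        for port in sorted(h.open_ports & NO_INTERNET_EXPOSURE):
            findings.append(f"{h.name}: port {port} exposed to the internet")
    return findings


def audit_wlan(w: Wlan) -> List[str]:
    """Baseline checks for one wireless network."""
    findings = []
    if w.security == "WEP":
        findings.append(f"{w.ssid}: WEP is broken, migrate to WPA2")
    elif w.security == "WPA2-PSK" and len(w.psk) < MIN_PSK_LENGTH:
        findings.append(f"{w.ssid}: WPA2 passphrase shorter than {MIN_PSK_LENGTH} characters")
    elif w.security == "WPA2-EAP" and not w.validates_server_cert:
        findings.append(f"{w.ssid}: clients do not validate the authentication server certificate")
    return findings


def audit(hosts: List[Host], wlans: List[Wlan]) -> List[str]:
    findings = []
    for h in hosts:
        findings.extend(audit_host(h))
    for w in wlans:
        findings.extend(audit_wlan(w))
    return findings


# Constructed inventory, not a real environment
HOSTS = [
    Host("web01", True, {"KB958644"}, {80, 443}),
    Host("ts01", True, set(), {3389}),
    Host("fin-db", False, set(), {1433}),
]
WLANS = [
    Wlan("guest-legacy", "WEP"),
    Wlan("corp-psk", "WPA2-PSK", psk="Summer12"),
    Wlan("corp-eap", "WPA2-EAP", validates_server_cert=False),
]

if __name__ == "__main__":
    for finding in audit(HOSTS, WLANS):
        print(finding)
```

The point of the structure is that the baseline is data (`REQUIRED_HOTFIXES`, `NO_INTERNET_EXPOSURE`, `MIN_PSK_LENGTH`) that can grow as new findings come in, while the audit itself stays a routine that is run against the live inventory rather than a document nobody re-reads.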
20. #1
Weak Passwords
• Password1
– This meets Windows complexity requirements!
• Many use easy-to-guess dictionary words
– Seasons of the year are quite popular: “Summer12”
– Anything based off of common names…
• Lack of user security awareness
• Easy targets: Citrix, RDP Servers, SSL VPN, Webmail
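Why “Password1” satisfies the Windows complexity policy yet is still a weak password is easiest to see in code. The following added example (not from the talk or from SecureState) models the Windows rule in simplified form (at least 6 characters, not containing the account name, characters from 3 of 4 classes) beside the pattern and dictionary checks that the complexity rule does not perform: season-plus-year passwords like “Summer12”, dictionary words with trailing digits, and common first names. The word and name lists are constructed stand-ins for a real blocklist.

```python
import re
from typing import List

# Constructed stand-ins for a real password blocklist / dictionary
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty"}
COMMON_NAMES = {"michael", "jennifer", "john", "mary"}
SEASON_YEAR = re.compile(r"^(spring|summer|autumn|fall|winter)(\d{2}|\d{4})$",
                         re.IGNORECASE)
LEET = str.maketrans("@$013", "asole")  # undo common substitutions before lookup


def meets_windows_complexity(pw: str, username: str = "") -> bool:
    """Simplified model of the Windows 'Password must meet complexity
    requirements' setting: at least 6 characters, must not contain the
    account name, and must use at least 3 of the 4 character classes."""
    if len(pw) < 6:
        return False
    if username and username.lower() in pw.lower():
        return False
    classes = [
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ]
    return sum(classes) >= 3


def weakness_reasons(pw: str) -> List[str]:
    """Pattern and dictionary checks the complexity rule does not perform."""
    reasons = []
    if SEASON_YEAR.match(pw):
        reasons.append("season of the year followed by a year")
    base = re.sub(r"[\d\W_]+$", "", pw)     # drop trailing digits / symbols
    base = base.lower().translate(LEET)     # normalise l33t spellings
    if base in COMMON_WORDS:
        reasons.append(f"dictionary word '{base}' with trailing digits/symbols")
    if base in COMMON_NAMES:
        reasons.append(f"common first name '{base}'")
    return reasons


def acceptable(pw: str, username: str = "") -> bool:
    """A password must pass both the complexity rule and the pattern checks."""
    return meets_windows_complexity(pw, username) and not weakness_reasons(pw)


if __name__ == "__main__":
    for candidate in ["Password1", "Summer12", "P@ssw0rd", "Michael2012",
                      "correct-horse-Battery-9"]:
        print(f"{candidate:25} complexity={meets_windows_complexity(candidate)!s:5} "
              f"reasons={weakness_reasons(candidate)}")
```

The complexity rule alone passes every one of the slide's examples; only the pattern and dictionary checks reject them. In practice the constructed lists would be replaced by a large breached-password blocklist, and the check would run at password-change time rather than during a periodic audit.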