Five Lessons Learned From Breaking Into A Casino: Confessions of a Pentester & Other Stories

Description

Breaking in is easy; real security is hard. Breaching the security of a Casino doesn't have to be as dramatic or dangerous as depicted in the Ocean's Eleven movies. In fact, by simply sitting in a hotel room of a Casino, hackers can find ways to breach the high security that Casinos have been known for. This type of attack has a simple goal: steal the Casino's money and cheat the system. All of this can be done without anyone seeing you and is much easier than walking directly into the Casino vault armed with guns and explosives. In this presentation Tom Eston from SecureState walks us through some of the more interesting and exciting penetration tests his team has conducted. These include breaking into Casinos, Banks, Energy companies and other high security facilities (with permission, of course). Tom's stories not only show how attackers break in but also offer important lessons on how businesses can better secure their physical as well as network assets.

Tom Eston

Agenda

• My Background

• Pentest Stories

– The Energy Company

– The Casino

• Top 5 Ways We Break In

– What can you learn?


About Your Presenter

• Tom Eston

• Manager, SecureState Profiling & Penetration Team

• CISSP, GWAPT

• Physical/Network Penetration Testing, Web/Mobile Application Assessments, Social Engineering

• Penetration Testing Team Lead for a Fortune 500 Regional Bank

• Speaker at Black Hat USA, DEFCON, ShmooCon, SANS, OWASP AppSec

• Blogger (SpyLogic.net) and Podcaster (Security Justice, Social Media Security)


Disclaimer: Don’t Try This At Home

• Hacking (breaking in) is illegal without permission!

Pentest Stories


The Energy Company

• High Security Facility

– Barbed wire fence

– Roving patrols

– Guard station with camera coverage

• Objective: Breach the facility, gain access to the control station

• SecureState deployed two teams…

The Energy Company

• Team A found an area not protected by the security fence

• Team B gained access to the control facility by social engineering the gate guards

• Rendezvous with Team A at the control station (Administration Building)

• Gained access to shut down the entire facility (big red button); the password was written on the wall

• Installed a Wireless Access Point that allowed remote connection into the network


The Casino

• No “Ocean’s Eleven” required

• Casinos have Hotels, right?

• SecureState was able to hack the Casino Wireless Network…from the hotel!

• Weak Wireless Encryption + Poor Network Segmentation = $$$

“Ocean’s Eleven” ©2001 Warner Bros. Pictures. All Rights Reserved.

What could we do?

• While on the Gaming Network we had the ability to see all slot machines, including:

– Payout information for each machine

– Ability to manipulate odds, generate bogus/free plays and modify systems which generate revenue for the Casino

• Access to the internal security camera system

– Ability to shut down and move cameras

• We were met by security when attempting to visit the Casino floor

Top 5 Ways We Break In

“Lessons Learned”


#5 Poor Network Segmentation

• Many networks are still “flat”

• Poor ACLs

• Compromised systems can be used to “pivot” to segmented networks

• Example: a host on the DMZ is compromised, then used to pivot into the internal network containing financial systems

#4 Weak Wireless Encryption

• Some companies are still using WEP (sad but true)

• Some companies are using weak passphrases with WPA/WPA2 configurations

• Wireless clients can be misconfigured with WPA2 Enterprise configurations

• Once the wireless network is accessed, we find poor network segmentation

#3 Social Engineering

• The “human layer” is always the weakest link in a security program

• Used to convince someone to do something they normally wouldn’t do

• Everyone wants to be helpful!

• The “Who would attack/scam us?” attitude: “We would never fall for that…”

#2 Unpatched/Misconfigured Systems

• Very common to still find systems missing the critical MS08-067 (2008) Microsoft patch!

• Systems with ports and services that should be closed (RDP)

• Default Credentials

– Apache Tomcat/JBoss

• Lack of minimum security baselines for systems

– Still challenging for many companies

Happy Birthday MS08-067!

#1 Weak Passwords

• “Password1” meets Windows complexity requirements!

• Many use easy-to-guess dictionary words

– Seasons of the year are quite popular: “Summer12”

– Anything based on common names…

• Lack of user security awareness

• Easy targets: Citrix, RDP Servers, SSL VPN, Webmail
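As an added example (not from the talk or from SecureState), a small Python audit helper that shows why “Password1” and “Summer12” satisfy the Windows complexity rule yet remain weak: it approximates the complexity check, then strips the case, trailing digits and leet substitutions that users add to get a dictionary word past it. The word lists, names and the 12-character floor are constructed assumptions for illustration.

```python
import re

# Constructed illustrative lists (assumption: a real audit would load a full
# wordlist such as a leaked-password corpus, not these few entries).
SEASONS = {"spring", "summer", "autumn", "fall", "winter"}
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "changeme"}
COMMON_NAMES = {"michael", "jennifer", "david", "sarah", "john"}
LEET = str.maketrans("@$0!15", "asoils")  # undo common leet substitutions


def meets_windows_complexity(pw: str) -> bool:
    """Approximates the Windows 'Password must meet complexity requirements'
    setting: at least 6 characters drawn from at least 3 of 4 classes.
    'Password1' and 'Summer12' both pass this check."""
    if len(pw) < 6:
        return False
    classes = (
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    )
    return sum(classes) >= 3


def base_word(pw: str) -> str:
    """Strip the decoration that gets a dictionary word past complexity:
    case, trailing digits/symbols and leet substitutions."""
    core = re.sub(r"[^a-z]+$", "", pw.lower())  # Summer12 -> summer
    return core.translate(LEET)                 # p@55w0rd -> password


def weakness_reasons(pw: str, username: str = "") -> list:
    """Return the reasons a password is weak; an empty list means these
    checks found nothing. Passing complexity alone is not enough."""
    reasons = []
    if not meets_windows_complexity(pw):
        reasons.append("fails complexity")
    if len(pw) < 12:
        reasons.append("shorter than 12 characters")
    core = base_word(pw)
    if core in COMMON_WORDS:
        reasons.append("dictionary word plus decoration")
    if any(s in core for s in SEASONS):
        reasons.append("season-based")
    if any(n in core for n in COMMON_NAMES):
        reasons.append("name-based")
    if username and username.lower() in core:
        reasons.append("contains username")
    return reasons
```

The same normalisation can be run over a dump of hashed-password audit results or wired into a password filter, so that the patterns the talk lists are rejected at change time rather than found by the pentest team.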

Questions?

• Visit http://www.securestate.com for more information on our services

• My Blog: http://SpyLogic.net

• Email: teston@securestate.com

• Twitter: @agent0x0