Five Lessons Learned From Breaking Into A Casino Confessions of a Pentester & Other Stories
Tom Eston
Agenda
• My Background
• Pentest Stories
– The Energy Company
– The Casino
• Top 5 Ways We Break In
– What can you learn?
About Your Presenter
• Tom Eston
• Manager, SecureState Profiling & Penetration Team
• CISSP, GWAPT
• Physical/Network Penetration Testing, Web/Mobile Application Assessments, Social Engineering
• Penetration Testing Team Lead for a Fortune 500 Regional Bank
• Speaker at Black Hat USA, DEFCON, ShmooCon, SANS, OWASP AppSec
• Blogger (SpyLogic.net) and Podcaster (Security Justice, Social Media Security)
Disclaimer: Don’t Try This At Home
• Hacking (breaking in) is illegal without permission!
Pentest Stories
The Energy Company
• High Security Facility
– Barbed wire fence
– Roving patrols
– Guard station with camera coverage
• Objective: Breach the facility, gain access to the control station
• SecureState deployed two teams…
• Team A found an area not protected by the security fence
• Team B gained access to the control facility by social engineering the gate guards
• Teams rendezvoused at the control station (Administration Building)
• Gained access to shut down the entire facility (the “big red button”); the password was written on the wall
• Installed a wireless access point that allowed remote connection into the network
The Casino
• No “Ocean’s Eleven” required
• Casinos have hotels, right?
• SecureState was able to hack the Casino Wireless Network…from the hotel!
• Weak Wireless Encryption + Poor Network Segmentation = $$$
“Ocean’s Eleven” ©2001 Warner Bros. Pictures. All Rights Reserved.
What could we do?
• While on the Gaming Network we had the ability to see all slot machines, including:
– Payout information for each machine
– Ability to manipulate odds, generate bogus/free plays and modify systems which generate revenue for the Casino
• Access to the internal security camera system
– Ability to shut down and move cameras
• We were met by security when attempting to visit the Casino floor
Top 5 Ways We Break In
“Lessons Learned”
#5 Poor Network Segmentation
• Many networks are still “flat”
• Poor ACLs
• Compromised systems can be used to “pivot” into segmented networks
• Example: a host on the DMZ is compromised, then used to pivot to the internal network containing financial systems
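To make the DMZ-to-finance pivot concrete from the defender's side, here is an added example (not from the presentation or from SecureState) that evaluates a first-match ACL the way most firewalls do and computes which internal services a compromised DMZ host could still reach. The addresses, VLAN plan and rule sets are constructed for illustration; the only thing it demonstrates is how one explicit deny between the DMZ and the internal range shrinks the pivot surface to nothing.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport: Optional[int]   # destination port, None = any port


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, dport: int) -> str:
    """First-match evaluation with an implicit deny at the end,
    the semantics most router/firewall ACLs use."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for r in rules:
        if (s in ip_network(r.src) and d in ip_network(r.dst)
                and (r.dport is None or r.dport == dport)):
            return r.action
    return "deny"


def blast_radius(rules: List[Rule], compromised_ip: str,
                 targets: List[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """(host, port) pairs a compromised host could reach: the surface a pivot works through."""
    return sorted((h, p) for h, p in targets
                  if evaluate(rules, compromised_ip, h, p) == "permit")


# Constructed addresses: RFC 5737 test ranges plus an assumed RFC 1918 internal plan
DMZ_WEB = "192.0.2.10"
FINANCE_DB = "10.10.20.5"
FINANCE_WORKSTATION = "10.10.50.23"
INTERNET_CLIENT = "203.0.113.7"
INTERNAL_TARGETS = [(FINANCE_DB, 1433), ("10.10.20.6", 445), ("10.10.10.1", 22)]

# A "flat" network: a single permit-any rule (equivalent to no filtering at all)
FLAT_ACL = [Rule("permit", "0.0.0.0/0", "0.0.0.0/0", None)]

# Segmented: DMZ takes HTTPS from outside, talks to one app-tier port, and is
# explicitly denied everything else inside before any broader permits
SEGMENTED_ACL = [
    Rule("permit", "0.0.0.0/0",     "192.0.2.0/24",  443),   # internet -> DMZ web
    Rule("permit", "192.0.2.0/24",  "10.10.30.0/24", 5432),  # DMZ -> app-tier DB only
    Rule("deny",   "192.0.2.0/24",  "10.0.0.0/8",    None),  # DMZ must not reach internal
    Rule("permit", "10.10.50.0/24", "10.10.20.0/24", 1433),  # finance workstations -> finance DB
]

if __name__ == "__main__":
    for name, acl in (("flat", FLAT_ACL), ("segmented", SEGMENTED_ACL)):
        print(name, "reachable from a compromised DMZ host:",
              blast_radius(acl, DMZ_WEB, INTERNAL_TARGETS))
```

Run against the flat rule set every internal target is reachable from the DMZ host; with the segmented set the deny on line three catches the pivot while legitimate flows (internet to the web tier on 443, finance workstations to the finance database) still pass. The order matters: a permit-any placed before the deny would silently reopen the path.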
#4 Weak Wireless Encryption
• Some companies are still using WEP (sad but true)
• Some companies are using weak passphrases with WPA/WPA2 configurations
• Wireless clients can be misconfigured in WPA2 Enterprise deployments
• Once the wireless network is accessed, we find poor network segmentation
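The three wireless weaknesses above (WEP, short WPA/WPA2 passphrases, and WPA2 Enterprise clients that do not validate the authentication server) can all be spotted in a client configuration before a tester finds them. The following is an added example, not code from the talk or from SecureState, that parses the `network={ ... }` blocks of a wpa_supplicant.conf file and flags each one. The configuration excerpt, SSIDs, certificate path and the 16-character passphrase threshold are constructed assumptions; `key_mgmt`, `psk`, `wep_key0`, `ca_cert`, `domain_suffix_match` and `altsubject_match` are real wpa_supplicant options.

```python
from typing import Dict, List

# Constructed wpa_supplicant.conf excerpt; SSIDs, identities and paths are made up
SAMPLE_CONF = """
network={
    ssid="guest-legacy"
    key_mgmt=NONE
    wep_key0=0123456789
    wep_tx_keyidx=0
}
network={
    ssid="corp-psk"
    key_mgmt=WPA-PSK
    psk="Summer12"
}
network={
    ssid="corp-eap"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="corp-eap-ok"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.example.com"
    phase2="auth=MSCHAPV2"
}
"""

MIN_PASSPHRASE_LEN = 16  # assumed organizational minimum; length is only a coarse proxy for strength


def parse_networks(text: str) -> List[Dict[str, str]]:
    """Minimal parser for the network={ key=value ... } blocks of wpa_supplicant.conf.
    Values keep their quotes so callers can tell a passphrase ("...") from a raw 64-hex PSK."""
    networks: List[Dict[str, str]] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("network={"):
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)   # split once: phase2="auth=MSCHAPV2" keeps its value
            current[key.strip()] = value.strip()
    return networks


def audit_network(net: Dict[str, str]) -> List[str]:
    findings = []
    # wpa_supplicant's default when key_mgmt is omitted is "WPA-PSK WPA-EAP"
    key_mgmt = net.get("key_mgmt", "WPA-PSK WPA-EAP").split()
    if "NONE" in key_mgmt:
        findings.append("WEP" if any(k.startswith("wep_key") for k in net) else "OPEN")
    if "WPA-PSK" in key_mgmt:
        psk = net.get("psk", "")
        if psk.startswith('"') and len(psk.strip('"')) < MIN_PASSPHRASE_LEN:
            findings.append("SHORT_PASSPHRASE")
    if "WPA-EAP" in key_mgmt:
        if "ca_cert" not in net:
            # without a CA the client accepts any RADIUS server certificate
            findings.append("NO_SERVER_CERT_VALIDATION")
        elif "domain_suffix_match" not in net and "altsubject_match" not in net:
            # CA pinned, but any cert that CA issued would still be accepted
            findings.append("NO_SERVER_NAME_CHECK")
    return findings


def audit_config(text: str) -> Dict[str, List[str]]:
    return {net.get("ssid", "?").strip('"'): audit_network(net) for net in parse_networks(text)}


if __name__ == "__main__":
    for ssid, findings in audit_config(SAMPLE_CONF).items():
        print(f"{ssid:14} {findings or 'ok'}")
```

The Enterprise check is the one most often missed: a client profile with a username and password but no `ca_cert` will happily authenticate to any access point that announces the corporate SSID, which is exactly what "clients can be misconfigured" means in practice. A hex PSK is skipped by the length check because it is a derived key, not a passphrase.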
#3 Social Engineering
• The “human layer” is always the weakest link in a security program
• Used to convince someone to do something they normally wouldn’t do
• Everyone wants to be helpful!
• The “who would attack/scam us?” attitude: “We would never fall for that…”
#2 Unpatched/Misconfigured Systems
• Very common to still find systems missing the critical MS08-067 (2008) Microsoft patch!
• Systems with ports and services that should be closed (RDP)
• Default Credentials
– Apache Tomcat/JBoss
• Lack of minimum security baselines for systems
– Still challenging for many companies
Happy Birthday MS08-067!
#1 Weak Passwords
• “Password1” meets Windows complexity requirements!
• Many use easy-to-guess dictionary words
– Seasons of the year are quite popular: “Summer12”
– Anything based off of common names…
• Lack of user security awareness
• Easy targets: Citrix, RDP Servers, SSL VPN, Webmail
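The point of "Password1 meets complexity requirements" is that the Windows complexity rule checks character classes, not guessability. The following added example (not from the presentation or SecureState) approximates that rule in code, shows that "Password1" and "Summer12" pass it, and then applies the blocklist-style checks a defender would layer on top: season or dictionary word or common name plus a short suffix, and a minimum length. The word lists and the 12-character minimum are constructed assumptions; a real deployment would use a breached-password feed.

```python
import re

# Constructed mini-lists for illustration; real checks use large dictionaries or breach corpora
SEASONS = {"spring", "summer", "fall", "autumn", "winter"}
DICTIONARY = {"password", "welcome", "letmein", "monkey", "dragon", "football", "qwerty"}
COMMON_NAMES = {"michael", "jennifer", "jessica", "ashley", "daniel"}

MIN_LENGTH = 12  # assumed organizational minimum, stricter than the Windows default of 6

# "word" optionally followed by a few digits/symbols: the shape of most guessed passwords
WORD_PLUS_SUFFIX = re.compile(r"([a-z]+)[0-9!@#$%^&*.]{0,6}")


def meets_windows_complexity(pw: str, username: str = "") -> bool:
    """Approximation of the Windows 'Password must meet complexity requirements' policy:
    at least 6 characters, must not contain the account name (when it is 3+ chars),
    and characters from at least 3 of 4 classes (upper, lower, digit, other)."""
    if len(pw) < 6:
        return False
    if len(username) >= 3 and username.lower() in pw.lower():
        return False
    classes = [
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ]
    return sum(classes) >= 3


def weak_pattern(pw: str):
    """Return a reason string if the password is a known word with a trivial suffix, else None."""
    m = WORD_PLUS_SUFFIX.fullmatch(pw.lower())
    if not m:
        return None
    word = m.group(1)
    if word in SEASONS:
        return "season + suffix"
    if word in DICTIONARY:
        return "dictionary word + suffix"
    if word in COMMON_NAMES:
        return "common name + suffix"
    return None


def check_password(pw: str, username: str = "") -> str:
    """Complexity first (what Windows enforces), then the checks that actually catch Password1."""
    if not meets_windows_complexity(pw, username):
        return "rejected: fails complexity"
    reason = weak_pattern(pw)
    if reason:
        return "rejected: " + reason
    if len(pw) < MIN_LENGTH:
        return "rejected: shorter than %d" % MIN_LENGTH
    return "accepted"


if __name__ == "__main__":
    for candidate in ("Password1", "Summer12", "Jessica2012!", "Tranquil-Harbor-Kite-92"):
        print(f"{candidate:24} complexity={meets_windows_complexity(candidate)!s:5} -> {check_password(candidate)}")
```

Both slide examples clear the complexity gate and are rejected only by the pattern check, which is the argument for pairing complexity rules with a blocklist and a longer minimum rather than relying on character classes alone.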
Questions?
• Visit http://www.securestate.com for more information on our services
• My Blog: http://SpyLogic.net
• Email: [email protected]
• Twitter: @agent0x0