Posts Tagged ‘Security system hacked’

CCTV System Used As Hack Vector

Saturday, March 16th, 2013

Last post I was ranting on about security dealers possibly, inadvertently, opening their customers to criminal hacks.

Most of these situations might occur because the dealer was negligent (leaving the equipment default password unchanged is classic) or the dealer was simply clueless about computer and network security. Or the dealer did every thing correctly within his/ her power, but the IT department or infrastructure was at fault. Or it was an ‘inside job’.

Two days after my post, a casino in Melbourne Australia was robbed of $33,000,000.00 (33 million dollars) by criminal hackers. The crooks were able to gain access to the casinos extensive CCTV system.

You can read the full article here as reported on 03/15/13 by Magazine. The criminals were apparently able to remotely gain access to the high resolution cameras in the high stakes poker room and help a ‘high roller’ player cheat by seeing the other players cards.

It remains to be seen how the hack was actually accomplished, as the investigation is still ongoing. It may have been an inside job, or a savvy criminal hacker may have found an opening in the casino security firewall or equipment and used that as a vector for this exploit (hack).

How would a black hat hacker know about this sort of vulnerability? Hackers of all color hats read manuals (which often have the default log-in information). They also probe the network to find un-patched vulnerabilities. Or some one may have compromised or corrupted an actual employee (called a social engineering hack or pretexting).

U.S. gambling expert Barron Stringfellow was quoted by ABC Melbourne as saying “Accessing a casino’s internal video monitoring system is not as hard as you would think. It’s very easy to intercept a signal from many casinos that don’t take precautions” (and making me cringe). You might think that this kind of attack is common from watching Hollywood movies, but actually, a properly implemented system should be almost impossible to break into. Honeywell has many cameras and DVR’s (digital video recorders) that can tell when they are being tampered with. It is a security system after all and engineered to prevent this sort of thing. The weakest link in the chain almost always comes down to the human element.

It will be very enlightening to find out what actually occurred. Of course, the casino may not want comment on the real events. They (like most financial institutions) that are compromised, would rather lose the money that give their customers the impression that their finances are not safe. The only way to find out what happened may be by paying attention to people (white hats) close to the hacker culture. This can be done by doing things like listening to radio talk shows, listening to pod cats, reading magazines (yes, hackers do all these things and they are available to the general public if you pay attention) and using Google to search for hacking events. Don’t worry, the Fed’s won’t come after you. I was at a hacking conference and the NSA was there openly trying to recruit hackers who were attending. The Director of the NSA made to key note speech at the conference. This is the sort of thing you would notice only if you were looking for this sort of thing.

Security dealers need to be aware of the possibility of an electronic attack as well as a physical intrusion. The line between the two is becoming increasingly thinner.