A Computer Security Geek Goes to Las Vegas

Las Vegas: An IS Perspective on New Slot Machines

A recent trip to Las Vegas prompted a “moment of clarity”. After I got over the initial shock of how much things have changed since the days when I used to travel to Vegas regularly (I was one of those thousands who went to the COMDEX show every year), I wandered back onto the gaming floor. Aside from there being far more poker tables than I remember from 8 years ago, what struck me was that the slot machines had changed. Where once the gaming floors were full of the “jing, jing, jing” of coins hitting the metal tray of the slot machines, there are now magnetic card readers, barcode scanners and separate machines that convert bills into “credits” and back again. Cash gets converted to digital bits, printed on bar-coded cards that players feed into slot machines, and “all payouts are by cash-out slips only”. The gaming industry has gone high-tech, and like all organizations that have valuable information assets, it has to protect them. Imagine for a moment being able to “sniff” the traffic on the wire between the gaming floor and the casino’s data center! Indeed, I was so interested in the new style of slot machine that I devoted the better part of an evening to researching “Server Based Gaming”.

As it turns out, Server Based Gaming (SBG) is the newest trend in slot machines, and it isn’t as new as I thought, having been around since 2006. If your mind works like mine, you are already thinking about the security implications of turning stand-alone, totally self-contained slot machines into workstations. Obviously the stand-alone slots were not without problems, but digitizing financial data and sending it zipping across a network raises a whole set of concerns that any financial institution will recognize. Storing data on a centralized server is Security Best Practice 101, and few could argue against its wisdom. However, the issue becomes more complicated when we consider that a casino has hundreds, perhaps even a thousand, slot machines scattered across a vast expanse of floor space. Initial security concerns relate to data transmission: what kind of cable is used (fiber is the most secure but also the most expensive and requires special networking equipment); are the machines even wired to accept fiber, or are the connections Cat 5; is each machine “home-run” to the data center, or are the machines aggregated at a switch located in one of those locked cabinets under the slot machines; if Cat 5 cable is used, what preventive measures are in place to keep someone from “sniffing” the electronic data leakage from the wire; since players are issued a “cash-out card” with a barcode on it, what encryption algorithms are used to keep gamers from altering the data to increase their “payout”? The gaming industry has a long history of attracting clever criminals (remember the students from MIT who won $10M?). I wonder how long before a similar group of intellectually talented and financially motivated people focuses on SBG. In fact, a recent report sponsored by the National Indian Gaming Commission (NIGC) has identified several areas of concern for SBG.
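The last question above, how a casino keeps a player from editing the barcode on a cash-out ticket, is really a question of integrity rather than encryption: the amount can be printed in the clear as long as the ticket carries an authentication tag the player cannot forge. The following is an added example, not code from the article or from any slot machine vendor. It assumes a hypothetical barcode payload of the form `ticket_id|machine_id|amount_cents|issued_at|tag`, where `tag` is an HMAC-SHA256 computed under a key held only on the casino’s server, and it shows a redemption point rejecting an edited amount and a second redemption of the same ticket.

```python
"""Tamper-evident cash-out ticket (added illustration, hypothetical format).

Assumptions, none taken from a real slot system:
- The barcode payload is "<ticket_id>|<machine_id>|<amount_cents>|<issued_at>|<tag>".
- <tag> is an HMAC-SHA256 over the other four fields under a server-held key,
  so reprinting the barcode with a larger amount yields a tag that fails to verify.
- The redemption point records ticket ids so a genuine ticket is paid only once.
"""
import hashlib
import hmac
import secrets

# Hypothetical server-side key. In a real deployment it would live in an HSM
# or key vault, never on the slot machine and never inside the barcode.
SERVER_KEY = secrets.token_bytes(32)


def _tag(fields, key):
    """Authentication tag over the joined fields (truncated to 128 bits)."""
    msg = "|".join(fields).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def issue_ticket(ticket_id, machine_id, amount_cents, issued_at, key=SERVER_KEY):
    """Build the barcode payload for a ticket printed by a slot machine."""
    fields = [ticket_id, machine_id, str(amount_cents), str(issued_at)]
    return "|".join(fields + [_tag(fields, key)])


class Cage:
    """Cashier's cage: verifies the tag and enforces single redemption."""

    def __init__(self, key=SERVER_KEY):
        self.key = key
        self.redeemed = set()

    def redeem(self, payload):
        """Return (accepted, reason, amount_cents)."""
        parts = payload.split("|")
        if len(parts) != 5:
            return False, "malformed", 0
        *fields, tag = parts
        expected = _tag(fields, self.key)
        # Constant-time comparison; encode so a non-ASCII tag cannot raise.
        if not hmac.compare_digest(tag.encode(), expected.encode()):
            return False, "bad_tag", 0
        ticket_id = fields[0]
        if ticket_id in self.redeemed:
            return False, "already_redeemed", 0
        self.redeemed.add(ticket_id)
        return True, "ok", int(fields[2])


def demo():
    """Genuine ticket, then an edited copy, then the genuine ticket again."""
    cage = Cage()
    good = issue_ticket("T-0001", "SLOT-117", 1000, 1700000000)  # $10.00
    forged = good.replace("|1000|", "|1000000|")                 # edited to $10,000.00
    return cage.redeem(good), cage.redeem(forged), cage.redeem(good)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The edited ticket fails because only the server can compute a valid tag for the new amount; a real system would also check `issued_at` against an expiry and tie `ticket_id` to the machine’s own meter records so that a ticket the machine never printed is rejected even when the tag is somehow valid.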

The NIGC findings sound hauntingly familiar to all those security professionals charged with protecting enterprise information assets. Concerns about unauthorized access, intrusion detection, incident response, the absence of security policies and the lack of a disaster recovery plan are common to all information security environments. What proactive measures are being taken to protect the network? Are internally sponsored penetration tests performed? The challenge of protecting hundreds or thousands of computing assets, preserving the availability of each asset and guarding the integrity of the data from those assets is likewise a routine concern for CISOs. What makes the gaming industry different is that if any of these assets is compromised, the financial loss could be in the millions of dollars, and the likelihood is that an attack won’t target just one machine. Moreover, unlike any casino scam of the past, with data now being stored electronically the attacker(s) doesn’t need to be physically present. Casinos are now subject to the same threats as financial institutions.

Allow yourself to imagine an “Ocean’s 13½” scenario. The progressive slot machine jackpot is at $14M. A disgruntled technician at the slot machine manufacturer maintains a “back door” into the SBG slots to save the drive time and the long walk through the casino to a particular machine. An accomplice is set up spinning the reels and feeding dollar after dollar into the progressive slot. At a predetermined moment, the technician pushes an unauthorized “software update” to the slot which modifies the cash-out ticket software. The accomplice now cashes out and receives an altered ticket showing $10,000, not $10. The technician then restores the original software, and the scam moves to another slot, another casino, another city. With only around 6 slot machine manufacturers in the US, the opportunity for “disgruntled employee” abuse is very high. While this scenario may seem far-fetched, the idea of 6 students beating Las Vegas casinos for $10M over a multi-year period also seemed too incredible to believe. Until it happened.
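The scenario above leaves a trail: a software change on one machine that was never tied to an approved change request, followed within minutes by a second change putting the original build back. The following is an added example, not code from the article or from any manufacturer, showing how a casino could run those two checks over its own update logs. The log format, the change-control table, the machine names and the timestamps are all constructed for illustration.

```python
"""Flagging unapproved and 'push, cash out, restore' updates (added example).

Constructed log line format (hypothetical, not a real vendor's):
  <unix_ts> UPDATE machine=<id> actor=<user> version=<v> change=<ticket|none>
"""

# Hypothetical change-control records the casino controls:
# change ticket -> (approved version, window start, window end).
# Any update that does not cite a listed ticket was never authorized.
APPROVED_CHANGES = {
    "CHG-2041": ("4.2.1", 1700000000, 1700003600),
}

# Two version changes on one machine this close together match the pattern
# in the scenario: push a modified build, cash out, put the original back.
RAPID_CHANGE_SECONDS = 30 * 60

# Constructed sample log: one clean update, one wrong version, one
# push-and-restore pair with no change ticket, one update outside its window.
SAMPLE_LOG = """\
1700000100 UPDATE machine=SLOT-117 actor=vendor_tech version=4.2.1 change=CHG-2041
1700001000 UPDATE machine=SLOT-118 actor=vendor_tech version=4.2.2 change=CHG-2041
1700010000 UPDATE machine=SLOT-204 actor=vendor_tech version=4.2.1-x change=none
1700010900 UPDATE machine=SLOT-204 actor=vendor_tech version=4.2.1 change=none
1700020000 UPDATE machine=SLOT-310 actor=vendor_tech version=4.2.1 change=CHG-2041
"""


def parse_line(line):
    """Parse one constructed log line into a dict of its fields."""
    ts, kind, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = int(ts)
    rec["kind"] = kind
    return rec


def detect(log_text):
    """Return a list of (alert, machine, ts) tuples, in log order."""
    alerts = []
    last_update = {}  # machine -> (ts, version) of that machine's previous update
    for line in log_text.strip().splitlines():
        ev = parse_line(line)
        if ev["kind"] != "UPDATE":
            continue
        machine, ts = ev["machine"], ev["ts"]

        # Check 1: every update must cite an approved change, carry the
        # approved version, and land inside the approved window.
        approved = APPROVED_CHANGES.get(ev["change"])
        if approved is None:
            alerts.append(("unapproved_update", machine, ts))
        else:
            version, start, end = approved
            if ev["version"] != version:
                alerts.append(("version_mismatch", machine, ts))
            elif not start <= ts <= end:
                alerts.append(("outside_window", machine, ts))

        # Check 2: a second, different version on the same machine within
        # the rapid-change window is the push-then-restore signature.
        prev = last_update.get(machine)
        if prev and ts - prev[0] <= RAPID_CHANGE_SECONDS and ev["version"] != prev[1]:
            alerts.append(("rapid_revision_change", machine, ts))
        last_update[machine] = (ts, ev["version"])
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Both checks depend on the update log being written by the machine or the casino’s server rather than by the vendor’s tool, since a technician with a back door could otherwise suppress the entries; the change-control table is the casino’s own record, which is what makes an update with `change=none` meaningful.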

However, more likely and much less “Hollywood-esque” would be the same kind of security breach that occurs at alarming rates in ordinary industry. A group of hackers finds an interesting IP address and starts probing. Perhaps the IP address belongs to the slot machine manufacturer, which grants them entry to the manufacturer’s LAN. Or perhaps the IP address belongs to a slot machine itself. Or imagine if the IP belonged to the server which houses the data for all the SBG machines in the casino. Jackpot! In addition to the treasure trove of data contained within the gaming network segment, could the attackers connect to the hotel and food service segments of the casino’s network? If so, they would have access to reams of PII data as well as credit card data. As every fan of gaming knows, “whales” are the lifeblood of casinos, and these multi-millionaires have credit cards with astronomically high spending limits (an American Express black card is truly a wonder to behold). A data compromise of this scale would be a catastrophe for a gaming facility.

Protecting such a unique infrastructure presents a daunting task. Corporate resources must be allocated, policies must be written and implemented in an area that previously didn’t require them, and employees must be educated about the new threats. Perhaps most important is to maintain background checks on personnel (both in the casino itself and at third parties) who have access to the servers and the SBG machines. And these threats are in addition to the “normal, everyday” threats of running a data center where millions of dollars routinely fly across network cables. The information security professionals for Las Vegas casinos certainly have their hands full.

Chaz Sowers is a security consultant currently on assignment with Infotech Consulting. In addition to traditional computer security duties, recent activities have included incident response at a major government defense contractor as well as work in the gaming industry. Security frameworks and security architecture continue to be areas of interest. Mr. Sowers holds the credentials of CISSP, CISM and QSA.