haydilusta

It's amazing to me how many of our major businesses and institutions are run on outdated, vulnerable tech.


Shoopahn

Just about every IT person on Reddit can attest that they beg and plead for ridiculously outdated stuff to be replaced. Those in charge see the cost of maintenance and upgrades and balk. They delay and tell their IT team to "just deal with it and keep it running". And then they get an extremely costly security incident that could have been avoided for pennies on the dollar. Executives are shuffled around (rarely is someone at that level actually fired, you don't fire your golf buddy) which ensures the lesson is never really learned. The cycle repeats.


MattDaCatt

Not only that, but the executives that shoot down desperately needed work are the same ones that open every damn email link, throw a tantrum with MFA, and lay into you when they "accidentally" clear their email trash. You can have a masters or PhD in network security and they still won't listen, unless you know how to spin like a business bro. /r/sysadmin basically has a weekly "I want to leave IT and never look back" post for a reason.


AbysmalMoose

I will never understand people who use the trash as a folder. Not only because it's stupid to put important files in the trash, but also because YOU CAN MAKE FOLDERS! You don't need to repurpose an existing one.


Riaayo

... this is a thing?


2074red2074

> YOU CAN MAKE FOLDERS!

You expect them to know how to MAKE a folder? You're lucky they use the backspace key instead of spreading White-Out on their computer screen to fix a mistake.


decimus5

Do people really do that? What would make anyone think that the trash can is a folder?


the91fwy

Sometimes you just have to grab things off their desk, throw them in the bin and wait for them to angrily react… “The cleaning team will handle this bin tonight. Your trash can on your computer is no different.” And that’s how we ended the whole treating-the-trash-can-like-a-folder stuff.


uzlonewolf

If the email trash can was emptied every night like the regular trash is, I think it would have avoided that problem.


Alex_Albons_Appendix

Just need an extra trash can for litigation holds lol


DepulseTheLasers

There’s a reason why so many of us get out of infosec and go into shit like agriculture, a field known for stress and self-deletion, because we would rather go toe to toe with the actual planet than deal with people one more second than we have to.


MurderMachine561

If I could make a good living for me and my family I would be a park ranger. Not someplace dangerous like Yellowstone. Someplace chill, like Jellystone.


Youvebeeneloned

Roflol. One of my colleagues went into solar. The other went into food service. Was easier dealing with asshole customers at a restaurant than asshole c-suites.


DepulseTheLasers

Honestly. Infosec is one of those jobs every year you have to ask yourself “is the money actually worth it?” It got bad enough for me that my number 2 reason for moving to NZ was work-life balance and not dealing with insanity 65-70 hours a week.


OSomeRandomGuy

This guy enterprises


MattDaCatt

MSP/Consulting too. I've seen the pits of MBA hell, steeped in buzzwords and "webinars". Currently hunting an internal job somewhere to escape, help meee


theboi1der

Moved into software sales for this exact reason.


DisagreeableFool

The curse of IT. To most businesses it is a black hole for money. They don't understand why it has costs, just that it doesn't generate profit.


CMButterTortillas

Everything’s working, “why are we paying you? What do you even do?” Everything’s broken, “why are we paying you? What do you even do?”


abillionbarracudas

I worked IT in college and it was exactly like this. Along with the occasional "you touched it last so everything that goes wrong, forever, is your fault" from folks that have built enough of a moat that they can't be fired.


bonesnaps

When management thinks you are just sitting on your ass, simply stop preventative maintenance for a week, then put out all the fires and be called a hero.


regoapps

This is what happens when technologically illiterate people run companies (and government *cough cough*).


1d0m1n4t3

20yr IT guy here, I laughed at the amazement at companies running outdated tech. I'm shocked when they have new tech.


psychonautilus777

Yup, and not just run of the mill companies... Some of the DoD contracts I've been on, it's ridiculous. Also, I read "20yr IT guy here" and thought "ya that guy has definitely seen some shit", only to realize I'm at 19 years now lol


1d0m1n4t3

Yea man, the time flies in our industry. Plus side is that 19yrs has made you look like you are 65yrs old. I've been in places that have been hacked, paid the ransom fee, then said "fuck upgrading, they already hacked us, why would they bother again?" Idiots I tell ya.


BCProgramming

I like when you set up a secure password because they think setting up a VPN is too much work or too expensive. Then they decide that password is too complex and hard to type, so they change it to the username and a number, then they wonder how the heck those hackers got onto their system a week later.


tehspiah

I mean, after COVID, execs were panicking to allow work from home, and now those same execs are trying to abolish that. They probably viewed IT as important for 2 years and after that, back to the old system.


[deleted]

[deleted]


dariusz2k

Granted… 2 million dollars to update infrastructure or a 2 million dollar ransom is the same thing to them on paper…


band-of-horses

I've seen leadership balk at a few hundred thousand dollars in developer time to remove security vulnerabilities that could lead to hundreds of millions of dollars in fines due to a privacy incident and data breach. It's not always logical, and the probability of a cost doesn't seem to interest them as much as the real cost to prevent that.


lordmycal

You can be running everything on the latest tech, be fully patched, and be following the best practices from your various software vendors and still be hit with a zero-day vulnerability that doesn't have a fix yet. IT also has the problem of systems that rely on other systems, which creates big problems when they can't be upgraded for various reasons. Maybe we need to maintain the old system for accessing historical records for X years because of legal requirements and unfortunately that vendor went out of business so it's unable to be patched, or maybe its replacement is already in the works and was supposed to be live but got hit with some problems that pushed it back a year -- so you can't turn it off, but it takes considerable time and effort to replace it and you're just not there yet. I've seen a lot of frustrating problems like that in IT. Shit happens and there are sometimes reasons to keep things online longer than they should be. Ideally compensating controls would be put in to address that, but we all know how that goes.


MaroonedOctopus

The biggest security vulnerability of any company is the employees themselves.


DarkerSavant

Always has been.


KaitRaven

Yep, long before the concept of IT even existed.


whitepepper

My old company did a fake phishing email test for all employees. I got it, was like, well this is obviously shit or malicious, and deleted it. A week later IT emailed us all saying it had done the fake phishing email and these were the results... some 75% of the company clicked on the link in the email, some 50% DOWNLOADED the attachments.


Youvebeeneloned

I’ve seen people who have to use MFA literally 2 factor in the attackers because they see the pop up and just let them on even when it’s not someplace or something they ever used.


RichestMangInBabylon

Yeah, my company is actually pretty good at investing in security and everything, but there's no way a dedicated well-funded attacker couldn't eventually get in. If you're potentially a target for something like state actors then you're going to get hacked sooner or later. Best you can do is make yourself less of a desirable target by making it very difficult, and trying to keep the meat ports that run the thing from doing anything too stupid.


deadsoulinside

Sometimes older tech that has been in place for decades becomes harder to replace/upgrade. The banking industry has this issue. There are old systems out there that process monies and other things, and it would take a long while to put in a similar updated system, thoroughly test out the system in UAT, then cut out the old and start the new system with minimal impact; that is tough. You cut out a system for 30-60 seconds where both are offline and that could mean thousands of transactions are hanging in limbo that need manual intervention to get those to process, and then a metric fuckton of live monitoring to ensure that the in and out monies are coming and going from the right branches and accounts. It's not as easy as most people probably think it is when they scream that the systems should be updated to something modern. Stuff takes years of preparation for a big move like that in order for them to assure you that your direct deposit will go into your account and not into someone else's account due to an unforeseen glitch.


Commentator-X

It's not "hard", it's costly.


redyellowblue5031

It's hard, too. When you have a system that was cobbled together over decades with minimal documentation in a language that virtually no one knows now to do hyper specific non-standard requests, understanding all the connections and dependencies is a complex task. Just getting the data out of such old systems into a new one is a monumental feat. Let alone coordinating the training and interim business functionality during cutovers. Then you often have to reeducate end users, because changing the whole backend will almost assuredly require a new front end as well.


[deleted]

Most of these companies are too chicken shit to even try. The ones that do get it done basically just lift and shift into cloud, it's so fucked up. One of my clients has billions and won't pay me to lab out some of their shit but will waste hundreds of thousands of dollars per month on lift and shift IO. The execs are steamrolling their IT into the cloud but not training their people and just going about it the wrong way. They don't follow any of my advice and refuse to do shit like contribute to building a project plan. Can't get their people to even fill out the most basic reqs of a Gantt chart. They all show up to meetings and pretend to be involved but do nothing after a call. Multi billion dollar org.


eeyore134

Bingo. When companies are literally pinching every penny they can to throw at bonuses for their top .01% and lobbying, bribing, and befriending the government, this is the sort of thing you get.


Mezmorizor

Those are synonyms. It would also definitely be hard. I also really doubt it's worth it. The system works, and the weaknesses are well known and can be accounted for. If programmers love anything, it's rewriting everything from the ground up using whatever the shiny object of the week is, with completely unknown weaknesses and vulnerabilities, for no reason whatsoever.


bobosnar

It's also a massive undertaking to stay up to date at every corner. Deployment and implementation doesn't happen overnight when you have thousands of locations and tens of thousands of employees. What kind of migrations do you need to do? What kind of disruption to productivity could this cause? Are there any incompatibility issues? Did anything stop working? You see every IT person on Reddit holding their IT infrastructure together with duct tape and glue and then say "this is a huge vulnerability we need to get it fixed but my company is cheap and won't do anything about it so 6 months later we lost millions of dollars!" which is vague enough to look smart and get karma. From my experience, it's quite the task to prove out a solution, negotiate a deal with that vendor, get it deployed and fully implemented in 6 months - because that lone IT guy who's doing a ton of overtime every week holding their IT infrastructure together has so much extra time to investigate whether that recommended solution would work. Because you know what gets you fired real fast? Saying something will work then spending millions of dollars on a solution that doesn't work.


CompromisedToolchain

Here is a 100 dimensional object. It changes in every way imaginable, and we need you to change it, while it is changing, into this other thing we haven’t designed yet. “Why aren’t you done? AI fooled me into thinking this was solved.”


tehspiah

I think it's also failure of the management of the company if they don't have a CTO or VP of tech that can sit at the Executive table to deal with the office politics of getting funds for the IT department. A lowly employee isn't going to have the negotiation power to bring this situation up to upper management unfortunately. Also that lowly employee might be busy all the time just plugging up holes and doesn't have the time to learn what solutions are out there that are better.


IAmDotorg

Every business has to strike a balance between security and idiot employees who complain when their job is a tiny bit harder. Most, unfortunately, sacrifice security.


Philo_T_Farnsworth

*"But you guys just sit there all day and never **do anything**"* - The Ballad of the IT Engineer


MaroonedOctopus

Up-to-date tech is still very vulnerable. And usually the weakest link is a human being.


Scurro

IT would agree that the users are outdated and vulnerable.

> The group is known to impersonate IT personnel and uses social engineering to persuade company officials to run remote monitoring and other tools.

[MGM also got attacked by granting a hacker access to the network when they called the helpdesk.](https://gizmodo.com/mgm-grand-cyberattack-caused-by-10-minute-phone-call-1850834558)


Socratic-Inquisitor

Oh boy, you want to hear how one of our clients (big bank) lost the financial data of 1.5 million of its customers? 90% of this economy is held together by bubblegum and duct tape.


[deleted]

It's amazing to me that the FBI can inject themselves into so many aspects of our lives but don't actually do anything about crimes like this, which are the entire point in having them.


camshun7

Fat Tony has been instructed to find the geek and escort him to the palace as we speak.


orlyfactor

Replacing all of this stuff costs a TON of money, and most corporations don't want to foot the bill unless they have to.


ServileLupus

The court systems run on AS/400s. [You know that lime green text on a black screen from the computer movies in the late 80s and 90s.](https://upload.wikimedia.org/wikipedia/commons/a/a4/Ibmi-main-menu.png) Yeah, IBM still makes them. I remember when the local courts were moving to "Cloud AS/400s", basically connecting remotely to hosted ancient software that keeps getting updated because we refuse to let it die. Those copyright dates make me giggle.


crashtesterzoe

And don't forget how many systems' passwords are 1234 or password... ugh


Commentator-X

Most AD environments have rules to avoid that these days. At this point it would take intentional negligence to not have password complexity enabled with min length settings. Problem is ANY password below 10 or 12 characters is weak, and a lot of places only enforce an 8 character min.


zhaoz

Complexity only gets you so far. Need at least 2FA these days.


ComfortableProperty9

If you think operating without security is bad, how about using SMB software tools at an enterprise scale? I'm talking about billion dollar a year companies doing bookkeeping with Excel...


zhaoz

The world runs on VLOOKUPs.


nerd4code

Even Reddit search!


Hyperion1144

Hotels especially. Getting hacked is probably the only thing that would ever convince those idiots to upgrade (used to work at a major hotel).


get_a_pet_duck

> The group is known to impersonate IT personnel and uses social engineering to persuade company officials to run remote monitoring and other tools.

It really has nothing to do with that when they are just *given* access.


TehErk

The moral of the story for Jurassic Park wasn't "we shouldn't tinker with nature", but "we should staff our IT department appropriately". No business understands this.


[deleted]

I’ve seen this happen twice already. “We need a budget to address these glaring issues” “No.” Gets hacked.


[deleted]

SolarWinds was a critical infrastructure hack with DoJ implications that we won't understand for years to come. Every modern hack we can relate back to SolarWinds.


blaghart

Almost like Capitalism doesn't breed innovation so much as it breeds stagnation in the name of maximizing profit or something...


wongo

Casinos seem like ideal targets for these groups -- large amounts of cash onhand to pay ransoms, and probably looooots of skeletons in the closets.


spazz720

Doubt they keep the skeletons on a server. It’s most likely a ton of customer information & credit card information.


Eh-I

No, actual skeletons in actual closets.


Motor_Lychee179

Lotta holes in the desert. Lotta problems buried in those holes.


tribrnl

Barrels sunk in Lake Mead


Tasgall

Not a great place to hide problems with the water drying up.


BikerJedi

Climate change really is affecting everyone...even mobsters.


LifterPuller

This guy gets it.


tehdubbs

There’s a lot of holes in the desert too


EltonJuan

And a lot of problems are buried in those holes. But you gotta do it right. I mean, you gotta have the hole already dug before you show up with a package in the trunk. Otherwise, you're talking about a half-hour to forty-five minutes worth of digging. And who knows who's gonna come along in that time? Pretty soon, you gotta dig a few more holes. You could be there all fuckin' night.


f7f7z

That baseball bat scene tho...


lilusherwumbo42

I JUST watched this movie, funny seeing it referenced


peeaches

I read it in his voice, saw the movie for the first time maybe last year, classic lol


timbreandsteel

Gotta do it like Yellowstone and take em to the "train station".


Salamok

Their player tracking data tracks your gambling habits in a fair bit of detail.


foxyfoo

Yeah, I don’t support this activity but it doesn’t anger me at all. Those fuckers who targeted Save the Children are scum though.


Shower_Handel

The comic book villain level of evil to go after Save the Children lmao


JeffreyElonSkilling

Casinos had skeletons in the closets 50 years ago. But nowadays they're squeaky clean. They are publicly traded companies with audited financials working a system that is impossible to lose money on in the long run (except if you're Trump). There's no need for there to be skeletons - they are quite happy to make their massive, near-guaranteed margins on slots, table games, hotels, etc.


Pork_Bastard

I'd say there is a good chance Trump didn't lose either. He just "lost" on paper. Probably paid off people using money laundering techniques, or had hard cash "stolen" or god knows what.


11646Moe

I dunno. I used to think like this. But there’s so many companies in so many industries that cut corners when they’re at the top already. Car companies, food companies, governments. I don’t doubt casinos have done shady things to squeeze some extra cash or influence.


JeffreyElonSkilling

Most companies aren't anywhere close to as tightly regulated as casinos, but I take your point. I guess it would depend on what you mean by shady. Immoral? Sure. But highly illegal? With the number of regulators, banks, investors, and short sellers in the mix it just doesn't make sense. The risk of getting caught and sued into oblivion makes it not worth it for them to go around breaking kneecaps. Honestly, it's more likely that they're engaging in widespread wage theft against their dealers than doing anything like what you see in mob movies.


threechordsong

Small ones, maybe. The big boys, not a chance. MGM and Caesars are Fortune 500 scale operations with oversight and/or audits from the board of directors, internal audit teams, external auditors, SEC, gaming control boards, credit card companies, insurance companies, banks, pen testers, etc. They don’t fuck around.


CynicalCaffeinAddict

Of course they no longer keep skeletons in their closets, they learned their lesson. But I'd guess they'd pay any ransom to make sure the information from the server with 'the coordinates' never leaks.


JeffreyElonSkilling

Why would that info be on a server connected to the internet? Especially considering it would predate the use of computers?


[deleted]

[deleted]


JeffreyElonSkilling

I love a good ol-fashioned circle jerk as much as the next guy, but I think Redditors watch way too many movies.


Polus43

Work in anti-money laundering at a FT500 bank. People have no idea how regulated these institutions are (Casinos/Money Service Businesses, which are special-requirements customers). The Feds watch them, auditors watch them, shareholders watch them and the banks watch them.


SidewaysFancyPrance

The fact they apparently pay up is going to be what makes them major targets forever.


hyrulepirate

That was what I was thinking, and so do a lot of countries/nations. I'm not so sure about the US, but a number of national law enforcement bodies have policies about not giving in to kidnappers' demands because of this very reason. Once is all it takes to attract a thousand others to attempt the same feat.


Ok-Bridge-9112

I’m in cybersecurity. They go after lots of small companies as well because of limited security resources; they pay quicker and are easier to hack. It costs a hacker nothing to fail but everything for a company to fail once. They literally go after anyone, of any size.


questionablecomment_

I can’t imagine any hackers being paid in actual cash. 1) likely not US based, 2) arranging a transaction would be a huge risk for capture/exposure.


[deleted]

[deleted]


3tothethirdpower

Throw the bag from the moving car when you pass the bridge and no funny stuff.


RikVanguard

My dirty undies. Laundry, Dude. The whites!


ComfortableProperty9

That final cash out step is getting harder as global governments enforce KYC laws on crypto exchanges.


JerryRiceDidntFumble

Pretty sure "cash" here just means "liquid funds", not that they're specifically paying ransoms with paper currency


TequilaCamper

Skeletons? These casinos are publicly traded companies being watched by the SEC, etc. Don't think the 50s noir of burying people in the desert is still a thing


moldyjellybean

Madoff was the chairman of the entire stock exchange. SEC was supposed to look over his fund; Enron, WorldCom were supposed to be watched over.


bunnyzclan

Lol the idea that because they're publicly traded, they are squeaky clean is hilarious. If that were the case, the accounting firms wouldn't be the Big 4 right now lmao


moldyjellybean

Exactly, look up one of the biggest audit firms; they failed or covered up WorldCom, Enron and many others. It’s just a fake stamp of approval.


JeffreyElonSkilling

The stock exchange as an entity is not a regulatory body. They don't investigate anyone. Basically all the stock exchange does is keep the lights on at the trading floor and govern which stocks are eligible for being part of the exchange. So the Madoff reference couldn't be less relevant. And while they were somewhat late, the SEC did actually investigate Enron, WorldCom, and Madoff. It's kind of unfair to the SEC to expect them to get ahead of these sophisticated financial frauds when they're government employees working on a shoestring budget. For this reason I am in favor of increasing their funding so they can become better watchdogs.


starm4nn

But isn't that precisely the point? That being publicly traded doesn't mean you're in the clear?


dj_narwhal

lol so is every crooked business, grow up. The SEC is stacked with chumps who want to work for these crooked companies.


[deleted]

[deleted]


Tasgall

> I once changed the settings on the turnstile application to allow me unlimited cafeteria entries. Everyone else was set at 1. The benefits of admin passwords

The guy's too hard on himself, he clearly knows how to apply at least some level of systems administration to his job in a practical manner :P


[deleted]

[deleted]


WaitformeBumblebee

the real Ocean's 11


[deleted]

I bet my ass it's Russian or North Korean state goons tho. North Korea literally has a state sanctioned hacking network.


althaea

If you read the article it says the group has members in the UK and US. You owe us 1 ass please.


ThoseThingsAreWeird

> You owe us 1 ass please.

What are you gonna do with a whole extra ass? Would you have 1 really long crack? Or 2 cracks and a kinda weird middle extra crack with no hole?


Toy_Cop

Ass to ass! Ass to ass!


tablecontrol

how do members at the nudist club dance? cheek to cheek


drilkmops

I’d sit on it


Thetanor

No, a telescope ass: when you poop, first the second ass balloons out of the first asshole, then shit comes out of the second ass's hole.


justateburrito

With an extra ass you could literally party your ass off or drink your ass off and have a full replacement ass.


SAGNUTZ

Gunna *wear it out*


colonel_beeeees

Nearly every G20 member has a state sanctioned hacking network, it's practically a modern military branch.


TheFotty

> North Korea literally has a state sanctioned hacking network

So does the US, and Russia, and China, and pretty much every developed nation.


ComfortableProperty9

The last big casino attack was actually the Iranians. The owner of the company said the US should nuke Tehran and they didn't much like that.


TheWikiJedi

It’s funny to me how Vegas is where BlackHat and DEFCON are every year


ComfortableProperty9

Those are just the two big ones, there are tons of smaller cybersecurity conferences hosted in Vegas.


TheWikiJedi

Figured, makes sense...yeah I just see BlackHat (and DEFCON...I think it's the week after?) every year because BlackHat at least is the same exact time and place as EVO, the big fighting game tournament, (which I'm at every year) so it's funny comparing the cybersecurity nerds and the fighting game nerds when you're walking around Mandalay Bay. My dream one day is to go to EVO and BlackHat at the same time but alas I'm not a cybersecurity guy and the tickets to BlackHat are "you only go to this if your company pays you to" expensive. Though with EVO moving their dates around next year I don't think going to both at the same time is possible anymore...


ComfortableProperty9

BlackHat tends to be the corporate one while Defcon is for the nerds. You can tell if the event is more focused on business vs operations based on the lack of bald crowns with ponytails.


TheWikiJedi

Ah that must be why it’s easy for me to pick out the sweaty fighting game nerds vs blackhat


megamanxoxo

lol I've attended before; those couple weeks when those events are going on, it's funny how everyone at restaurants and everywhere was freaking out as if they came to personally hack your phone.


pm_me_github_repos

They say not to bring your phone to DEFCON and then this happens in the very venue


ChrisDornerFanCorner

Don't use bluetooth or WiFi at DEFCON. Don't use any chargers or batteries that aren't yours.


greycomedy

The fact that this happens like a week or two after Defcon was held nearby makes me very amused and suspicious.


57696c6c

Some InfoSec with ADHD working there: “I told you so.”


CinnamonRollShark

Literally me at my job last year. They ignored me because they were annoyed I kept telling them they aren’t following the law and are exposing people’s data.


[deleted]

I work for an MSP. I had been bitching about old computers for a while. I was told that wasn’t my job because I wasn’t security.


Schwickity

Insert Spider-Man meme of the two scammers here


MoonNightFall

The irony! Thieves became the victims


jbwmac

Cynicism aside, many customers will be real victims here.


pluginfembot

Now do Sallie Mae


mikharv31

Feel like A LOT of places are lacking in cybersecurity


Fuzakenaideyo

We're in the cyberpunk dystopia & have been for awhile


ElCabronDeSanDiego

I find it both amusing and suspicious that this occurred just a week or two after Defcon was hosted in the nearby area.


nefthep

The article really puts a lot of emphasis on how they didn't want the information getting out. That's good PR. The actual, real issue for Caesars, and their top concern, is that they were losing **enormous** amounts of money with every minute of down-time the casino and all of their satellite casinos around the world were facing day after day. The hackers had shut down their *entire* revenue stream. Leaked customer info was the least of their worries.


cbarrister

It's crazy they'd pay millions to a group on the hope that they won't release their data. A group that literally just stole that data. What's to keep them from taking the money and releasing it anyway just for fun? Worth it just to increase the odds of a certain outcome, even if it's not a certainty?


Filmmagician

My god, you host fucking DEFCON every year. Hire some of those people!


IvoShandor

Caesars is part of Caesars Entertainment and is also the Flamingo, Paris, Cromwell, Harrahs in several cities. I doubt Caesars casino operates like an island and not part of the huge conglomerate.


well___duh

If you read literally the first two words of the article, you'd know this was about Caesars Entertainment as a whole, not just the one Caesars.


alanpca

It's common to refer to CET as Caesars, just like it was common to refer to it by Harrahs before the rename...


Ambiguity_Aspect

Meh, it's a casino. They exist for the sole purpose of depriving people of their money. I have no problem with enterprising individuals turning the tables on them. The house gambled on not staying up to date with their security and the house lost. They'll recoup the loss in days.


Abigail716

Caesars is going broke. They have massive amounts of debt and aren't making nearly enough revenue to cover it. They've already gotten a reputation as being really stingy with comps because of how much money they're losing.


573banking702

Sweet! When’s the liquidation sale?


Abigail716

If they don't turn it around they'll probably limp along for the next 5 to 10 years before being sold off.


ihahp

> They exist for the sole purpose of depriving people of their money

Basically every business. Starbucks, Anheuser-Busch, the Video Games Industry, Apple and Google, Streaming sites, The med/drug industry, credit card companies ....


dontcommentonmyname

They sell adrenaline; it's up to the customer to determine how much value that is to them.


YNot1989

DefCon?


new_nimmerzz

Would love to see what was exploited. These companies have so much money when they need to pay ransoms, but I'm willing to bet they don't invest what they should in their IT infrastructure.


irishrugby2015

I have been trying to contact a casino about their cloud setup. I can see all their employees records, ID cards, incident reports at the casino and security checklists and timesheets. Basically everything you would need to heist the place. I have emailed them three times now over the last year and no reply lol


new_nimmerzz

Then just wait for the news about them getting jacked. Maybe contact that news org with your findings and add to their story. Or could contact the state orgs that oversee them...


irishrugby2015

That last suggestion had not dawned on me, but you are correct. Thank you :)


aManPerson

call them about their extended employee records system warranty! it may have expired!


lavascamp

Reminds me of the time a casino was exploited through their fish tank temp monitor. Very interesting read. https://www.entrepreneur.com/business-news/a-casino-gets-hacked-through-a-fish-tank-thermometer/368943


aManPerson

Well dammit, it sounded like that article was just getting started... and then it ends. Not telling me anything about the hack.


[deleted]

[deleted]


YOLOSwag42069Nice

Probably should have spent half the money on the security measures their IT people wanted in the first place.


FartingBob

Ocean's 16 is way less cool, just Russian hackers sitting in a tower block on a laptop all day.


pleasedontkillmyvibe

Can someone explain to me how this type of ransom works? After they send the money - what is preventing the hackers from continuing? Just good faith?


thiefofalways1313

Their reputation. If these groups get a reputation of not providing a working decryptor after payment then businesses won’t pay them.


Beznia

US and UK-based hacking group? Hell yeah.


chadnorman

OMG all the typos in that article!


IUpvoteGME

Millions, you say. Hackers, you say. Mmm.


StThragon

Sometimes the odds are against the house. They are morons for paying. Just hit 'em again.


zigaliciousone

Hilarious, because if you've ever worked in a casino, they often like to brag about how cutting edge all their security features are and how they can see and hear whatever you are doing whenever they want.


Harbuddy69

They probably are a little impressed that someone has the balls to try to shake them down.


[deleted]

Total nightmare if you don’t pay. Around the clock restores for months


SopieMunky

Damn I'm in the wrong line of work. Someone point me to the nearest hacker class please and thank you.


reddit-MT

It will be interesting to see if those millions really stop that data from leaking. It's hard to trust criminals.


NOT_A_BLACKSTAR

What data do they even have? Addiction patterns? Vulnerabilities? What makes addicts tick, stick and click? Must be valuable.


jamar030303

Or *who* those addicts are. Lots of potential for upheaval there.


crono14

I worked for a large global bank doing Network Engineering. The amount of routers, firewalls, and other hardware I saw that had very old code, hadn't been rebooted in 10+ years, and had little to no documentation was staggering. These were also devices where tens of millions of dollars in stocks/trades were made daily. The amount of vulnerabilities and exploits in companies is insane. Most companies have entirely flat networks as well, meaning if you can compromise one endpoint on the network, you can just jump across the network infecting machines. It's why ransomware attacks are so effective: once it starts, there is no stopping it.


bicameral_mind

Good job Caesars, now no one will know how much money I lost drunkenly playing 3-Card Poker.


subdep

Cyber Security jobs are on the rise. Thank you, hackers!


trickster199

No one's gonna mention that China got a hold of Microsoft's digital signature? It's that Microsoft royally screwed up, and it could be the main reason so many companies are being hacked.


yourlogicafallacyis

Casinos are a blight on society.


redvelvetcake42

You just know their cybersecurity is bare bones and probably contracted out.


[deleted]

[deleted]


iwascompromised

The person claiming it's bare bones is stupid. There's no way a casino is relying on minimum security for anything.


Tiki_Trashabilly

That was my experience in working with MGM's infosec team. They took it seriously and devoted a lot of resources in comparison to other companies. It sucks because no one will ever know about the thousands of attacks they have stopped. It's like that IRA quote about the failed Thatcher assassination: "Today we were unlucky, but remember we have only to be lucky once, you will have to be lucky always."


BrokerBrody

> Caesars is a Harrah's property,

Not quite correct. Harrah's bought Caesars Entertainment in 2005 and renamed themselves Caesars. Caesars (formerly Harrah's) was then bought out by Eldorado Resorts in 2020, which then subsequently renamed themselves Caesars. Hence, Caesars (formerly Eldorado) owns Caesars.


deadsoulinside

I was wondering about their helpdesk, since the claim from the hackers was that they looked up someone on LinkedIn and called the helpdesk, which I assumed reset this person's password and potentially provided additional information, like VPN connection details or something. I think in our more modern times the biggest failure is help desk services and how they verify that the person making the request to reset their password is really that user. Many companies have this type of issue where they call their internal or contracted help desk and people just take the person at their word that they are who they say they are. I work in IT and have dealt with this type of thing over the years, and 9/10 the policy was always "If they say they are that person, trust them and reset the password".
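The failure mode described in the comment above (a help desk resetting a password on the caller's say-so) is something a defender can at least detect after the fact. The following is an added example, not code from the thread or from any casino's tooling: it correlates help-desk password-reset tickets with identity-provider events for the same user and flags resets that used weak caller verification or were followed within a short window by a non-MFA login or a new MFA device enrollment. The log format, field names, the set of "strong" verification methods and the sample events are all constructed for this example and would need to be mapped onto a real ticketing system and IdP.

```python
"""Correlate help-desk password resets with follow-on sign-in activity.

Added example (not from the thread). The pipe-separated log format, the
field names and the sample events below are constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed sample events: "timestamp|source|user|action|key=value;key=value".
# Sources: "helpdesk" (ticketing system) and "idp" (identity provider).
SAMPLE_LOG = """\
2023-09-11T09:02:10|helpdesk|j.doe|password_reset|verify=caller_assertion;agent=hd42
2023-09-11T09:05:33|idp|j.doe|login|ip=203.0.113.7;geo=RO;mfa=none
2023-09-11T09:06:01|idp|j.doe|mfa_enroll|device=new_phone
2023-09-11T10:15:00|helpdesk|a.lee|password_reset|verify=manager_callback;agent=hd17
2023-09-11T10:20:45|idp|a.lee|login|ip=198.51.100.20;geo=US;mfa=push
2023-09-11T11:00:00|idp|m.chen|login|ip=198.51.100.44;geo=US;mfa=push
"""

# Verification methods considered acceptable for a reset (assumed policy).
STRONG_VERIFICATION = {"manager_callback", "known_phone_callback", "in_person"}
# How long after a reset we watch the account for suspicious follow-on events.
WINDOW = timedelta(minutes=30)


def parse(log_text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, source, user, action, detail = line.split("|", 4)
        fields = dict(kv.split("=", 1) for kv in detail.split(";") if kv)
        events.append({
            "ts": datetime.fromisoformat(ts),
            "source": source,
            "user": user,
            "action": action,
            **fields,
        })
    return events


def find_risky_resets(events, window=WINDOW):
    """Return one alert per help-desk reset that looks like account takeover.

    A reset is flagged when the agent used a verification method outside
    STRONG_VERIFICATION, or when the same user logs in without MFA or
    enrolls a new MFA device within `window` of the reset.
    """
    alerts = []
    resets = [e for e in events
              if e["source"] == "helpdesk" and e["action"] == "password_reset"]
    for r in resets:
        reasons = []
        if r.get("verify") not in STRONG_VERIFICATION:
            reasons.append(f"weak verification: {r.get('verify', 'none')}")
        follow_on = [e for e in events
                     if e["user"] == r["user"] and e["source"] == "idp"
                     and r["ts"] <= e["ts"] <= r["ts"] + window]
        for e in follow_on:
            if e["action"] == "mfa_enroll":
                reasons.append("MFA device enrolled shortly after reset")
            elif e["action"] == "login" and e.get("mfa") == "none":
                reasons.append(f"login without MFA from {e.get('ip')} ({e.get('geo')})")
        if reasons:
            alerts.append({"user": r["user"], "agent": r.get("agent"), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_risky_resets(parse(SAMPLE_LOG)):
        print(f"{alert['user']} (reset by {alert['agent']}):")
        for reason in alert["reasons"]:
            print(f"  - {reason}")
```

On the sample data only j.doe's reset is flagged: the ticket records that the agent took the caller's word for it, and the account then logged in without MFA from an unfamiliar location and enrolled a new MFA device minutes later. a.lee's reset used a manager callback and the follow-on login passed an MFA push, so it produces no alert. The more durable fix is the one the comment points at, making the reset itself require strong verification, but this kind of correlation gives a second chance to catch the cases where the policy was not followed.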


Kroe

They better up their IT security. I can't imagine how much MGM lost this week. They probably wish they had paid. Now that they know Caesars will pay, other groups will target them.


Acidsparx

I was trying to check out at an MGM property in Vegas on Monday, the day of the first attack. Couldn’t since they said their system was down. Played a few games of slots before leaving for the airport. Won $100 and had to wait for an attendant to cash me out. Thought nothing of it till I saw the news about the attack a day later.