- Inside Cyber by Michael Coates
The Impenetrable Casinos get Hacked
Our standard security approaches are systematically flawed
We’re in the thick of the Las Vegas resort cyber intrusions: Caesars just filed its 8-K, and new facts about the MGM breach come out each day. I had the opportunity to join CNN to discuss the situation. I could have talked about ALPHV (BlackCat) or Scattered Spider, the two affiliated cybercriminal groups claiming responsibility for the attacks. Or I could have decried how individuals just don’t take security seriously enough. But no, we’ve talked those points to death after each and every breach, and they aren’t the real issues. We will always have organized cybercriminal gangs, and we’ll always have users who eventually make mistakes; they are human after all.
The issue we need to be talking about is our fundamentally flawed approaches that require humans to always be perfect.
Let’s Catch Up On the Current Breaches
In both the Caesars and MGM data breaches, social engineering was the entry vector. For MGM it appears that the attackers gathered publicly available information on employees from sites like LinkedIn, then used that data when contacting MGM’s outsourced help desk. The attackers fooled the help desk agent into resetting the password of an MGM employee and handing the new password to the attacker. With that access the attackers got onto the network, moved to critical hosts and wreaked havoc by deploying ransomware that encrypted critical data and servers. Between the ransomware and MGM proactively taking systems offline to contain the attackers, critical MGM technology stopped functioning: room keys didn’t work, booking websites went down, and in some cases handwritten notes were handed out at the slot machines. This is costing MGM significant lost revenue every day and causing huge customer frustration. On the other side, Caesars decided to pay a roughly $15M ransom to the attackers in the hope that they would not release the stolen data. Its 8-K filing with the U.S. Securities and Exchange Commission described it like this:
“We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result.”
So when I had the opportunity to discuss the issue on CNN, I focused on the real issue. Yes, corporations are largely underinvesting in cybersecurity. But they’re also investing in the wrong types of cybersecurity defenses. The fundamental issue is that our basic security design primitives have failed. We have built critical workflows on the assumption that humans, who are busy working hard every day, will never make a single mistake, and when they do, the result can be catastrophic failure. This is a flawed design: we have to take humans out of the loop.
How Do Our Security Defenses Need to Change?
What does it mean to take humans out of the loop? Essentially, we should assume the user will eventually fail, be tricked, or be convinced to do something undesirable, and in those situations the security controls should still prevent a catastrophic breach. That seems like a reasonable goal, but we’re far from it today.
Let’s look at an area where humans and security collide every day, one where we did this wrong for a long time but finally have the right technology available: password and authentication security.
We all know the common messaging around password security. Choose a strong password, make it unique per website, store it in a password manager. When that proved insufficient we stressed two-factor authentication (2FA). First the code came by text message; then SMS was deemed not secure enough, so the code should come from an app on your smartphone. But here’s the thing: while 2FA is better than a password alone, it is just as weak against phishing. The human can still fail.
As I like to say, if I can fool you into giving me your password, you’ll hand over your 2FA code just as easily. If an attacker has built a realistic phishing page and you’ve been fooled into entering your password, then when that same page asks for your 2FA code you will of course provide it, because that’s how the normal login process works: you enter your password, then your 2FA code. The attacker simply forwards both to the real site within the code’s validity window.
But login security has progressed, and we finally have a solution that removes this particular human failure from the equation. It’s called FIDO2, and you can see it in physical security keys such as the YubiKey (and keys from many other companies). Instead of typing a 2FA code from a text or a phone app, the user simply taps the FIDO2 key plugged into their computer. The key acts as the second factor and, this is the important part, nothing it produces can be used by a phisher. The key holds a separate key pair for each website it was registered with, and it is the browser, not the user, that tells the key which site is asking and embeds the real origin of the page into the data the key signs. So even if an attacker fools a victim into entering their password and tapping the key on a phishing site, the key either has no credential for the phishing domain or signs a response bound to that domain, which the real site rejects. The magic is a design built on public-key cryptography that is resilient to the human making a mistake, because the data exchanged is useless to anyone other than the legitimate site.
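The two paragraphs above describe the contrast in words: a relayed 2FA code verifies, a relayed FIDO2 response does not. The Go program below, an added example that is not from the original post or from any FIDO vendor, models the WebAuthn assertion ceremony with the standard library only: the key signs `sha256(rpId) || flags || sha256(clientDataJSON)` with ES256, and the server checks the challenge, the origin, the rpId hash and the signature. The domain names, the challenge value and the struct and function names are constructed for illustration; `PhishedLogin` also includes a deliberately hypothetical second case in which the phishing page is assumed to be able to name the real rpId, to show that the origin check still fails it.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// clientData is assembled by the browser, not the user: the origin it actually
// loaded the page from, plus the server's challenge. The user never sees or types it.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator models a FIDO2 key: one key pair per relying-party ID (rpId).
type Authenticator struct{ creds map[string]*ecdsa.PrivateKey }

// signedMessage is what ES256 signs in WebAuthn: authenticatorData || sha256(clientDataJSON).
func signedMessage(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	m := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return m[:]
}

// Assert answers a challenge. The key only signs what the browser hands it, and
// the browser always stamps the true page origin into clientData.
func (a *Authenticator) Assert(rpID, origin, challenge string) (authData, cdJSON, sig []byte, err error) {
	priv, ok := a.creds[rpID]
	if !ok {
		return nil, nil, nil, fmt.Errorf("no credential registered for rpId %q", rpID)
	}
	rpHash := sha256.Sum256([]byte(rpID))
	authData = append(rpHash[:], 0x05) // flags: user present + user verified
	cdJSON, _ = json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	sig, err = ecdsa.SignASN1(rand.Reader, priv, signedMessage(authData, cdJSON))
	return
}

// RelyingParty is the real site's server-side verification of an assertion.
type RelyingParty struct {
	rpID, origin, challenge string
	pub                     *ecdsa.PublicKey
}

func (rp *RelyingParty) Verify(authData, cdJSON, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(cdJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != rp.challenge {
		return fmt.Errorf("wrong ceremony type or stale challenge")
	}
	if cd.Origin != rp.origin { // the check that defeats a relaying phishing page
		return fmt.Errorf("assertion was made at %q, not %q", cd.Origin, rp.origin)
	}
	if want := sha256.Sum256([]byte(rp.rpID)); len(authData) < 33 || !bytes.Equal(authData[:32], want[:]) {
		return fmt.Errorf("rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(rp.pub, signedMessage(authData, cdJSON), sig) {
		return fmt.Errorf("bad signature")
	}
	return nil
}

// newSetup registers one key for example.com with the real site (constructed names).
func newSetup() (*Authenticator, *RelyingParty) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // errors only if rand fails
	auth := &Authenticator{creds: map[string]*ecdsa.PrivateKey{"example.com": priv}}
	rp := &RelyingParty{rpID: "example.com", origin: "https://login.example.com",
		challenge: "c0ffee-1234", pub: &priv.PublicKey} // constructed challenge
	return auth, rp
}

// LegitimateLogin: the user is on the real origin, so the browser derives rpId
// "example.com", the key has a credential for it, and the server accepts.
func LegitimateLogin() error {
	auth, rp := newSetup()
	ad, cd, sig, err := auth.Assert(rp.rpID, rp.origin, rp.challenge)
	if err != nil {
		return err
	}
	return rp.Verify(ad, cd, sig)
}

// PhishedLogin: same user, same key, but on https://login-example.net, a phishing
// page that relays the real site's challenge. Returns the two failures the attacker hits.
func PhishedLogin() (browserErr, serverErr error) {
	auth, rp := newSetup()
	// 1. The browser derives rpId from the page it loaded; the key has no credential for it.
	_, _, _, browserErr = auth.Assert("login-example.net", "https://login-example.net", rp.challenge)
	// 2. Hypothetical: even if the page could name the real rpId, the browser still writes
	//    the phishing origin into clientData, and the relayed assertion fails at the server.
	ad, cd, sig, _ := auth.Assert(rp.rpID, "https://login-example.net", rp.challenge)
	serverErr = rp.Verify(ad, cd, sig)
	return
}
```

Compare this with a TOTP code: the six digits are a function of the shared secret and the clock only, so nothing in them records where the user typed them, and the real site has no way to tell a relayed code from a genuine one. The FIDO2 response, by contrast, is a signature over data that names the origin, which is why the phishing page cannot forward it.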
Back to MGM and Caesars: the need for human-resilient design couldn’t be clearer. These breaches were particularly difficult because the attackers targeted the help desk. The help desk has to handle the case where an employee has lost or forgotten their login details and urgently needs access. It is a ripe target because the agent has to determine that the person on the other end really is the employee and not an attacker, and has to get that right every single time. You can see how this combines into a big challenge ripe for abuse.
This is precisely where companies need to invest in the right kind of security solutions. The solution needs to validate the person through multiple means that don’t rely solely on human judgment, and the technology to do so already exists in other areas. For example, you can confirm that the caller is in possession of a pre-registered phone by sending a push notification to that device and requiring approval there. You can run facial recognition with a liveness check using the identity-verification technology that Know Your Customer (KYC) applications use routinely (Stripe offers one example). These technical steps can be combined with other checks that don’t rely on “secret questions” or other information that is readily available through web sleuthing. Together they replace the agent’s judgment with technical controls. Finally, attackers will claim they can’t do any of this: they lost their phone, their wallet was stolen with their ID, and they can’t remember any of the answers. In those situations you are not optimizing for ease of account recovery; perhaps the employee needs to visit an office in person, or you need a live video call with them and their manager to verify it’s really them. The options exist and can be intelligently combined for robust security.
The Choice is Yours
Unfortunately, companies have failed to keep pace with attackers. They tend to have outdated defenses in which users call the help desk on the phone and provide some easy-to-find “semi-secret” information. These approaches were of questionable efficacy ten years ago and are vastly out of touch with today’s threat landscape.
So why haven’t companies widely adopted better technologies that take human failure out of the loop? Mostly cost, and second, the issue probably hasn’t bitten them yet. The third reason is that vendors can keep selling the same outdated generic help desk systems without integrating new security controls, because customers aren’t demanding it.
But I predict things will change. Unfortunately not through proactive hardening of defenses before a breach, but in response to a rampant industry-wide increase in these attacks. Remember that cybercriminal entities are businesses: they seek a profit and optimize for the path of least resistance. With the rise of easy voice deepfakes and the ease of scraping semi-secret user data, they will continue to target and compromise companies through the help desk. The decision for your corporation is whether you upgrade your defenses before or after the inevitable breach.
It’s time for companies to step up or become the next victim.
— Michael Coates
Remember to subscribe at michaelcoates.co so you don’t miss the next post!