Hacking the Casinos for a Million Bucks

This case is about four guys, Alex, Mike, Marco and Larry, who worked as consultants in high-tech in the early 1990s and played life loose and casual. Alex, Mike and Marco were good programmers, while Larry was a great organizer. One time they were offered an assignment from a technology firm to develop some software and then accompany it to Las Vegas for a trade show.
As we know, Las Vegas is the most populous city in Nevada and an internationally renowned major resort city for gambling; it bills itself as The Entertainment Capital of the World because of its fame for the number of casino resorts and associated entertainment. While they were in Las Vegas, Alex’s wife challenged them to try and do something about the casinos so that they would win more. This challenge made the four guys curious, and they decided to look into it.
Combining good research work, programming skills and intellect with some social engineering techniques that they used well, they finally did hack the casino system. Thus, as I read through the case, I came to understand that information security is a paramount issue for any organization or company, regardless of its size. According to Mitnick, a legendary hacker and security specialist, “When it comes to information security, most security executives invest the bulk of their time and budget dollars on thwarting technological factors that can snatch data.” [1]
No assumptions should be made when it comes to handling security measures or putting them in place. The conceptual framework that Alex and his team had was that they would find a “backdoor”, which is software code that some programmer may have put in for his own benefit and that allows later access to the program. They thought that they might somehow stumble on such a “backdoor” or on a simple programming flaw that they could exploit. They also figured out that the slot machines were run by computer programs, and that it is easier to beat any computer-based game because computers are completely deterministic.
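The determinism point can be made concrete with a short added example, which is not from the case or from Mitnick's book. `ToyLCG`, its constants, the 16-bit seed space and the seed value are all constructed assumptions and are not the slot machine's real generator. The example shows how a few observed cards shrink the set of possible seeds once the code is known, next to a design that draws from the operating system's CSPRNG instead.

```python
import secrets

SEED_BITS = 16  # assumed size of the toy seed space (constructed for this example)

class ToyLCG:
    """Constructed linear congruential generator; NOT the slot machine's real RNG."""
    def __init__(self, seed):
        self.state = seed & 0xFFFFFFFF

    def next_card(self):
        # Same state in, same state out: nothing is random after seeding.
        self.state = (1664525 * self.state + 1013904223) & 0xFFFFFFFF
        return (self.state >> 16) % 52  # card index 0..51, drawn with replacement

def draw_weak(seed, n):
    """Weak design: every card is a pure function of the seed."""
    rng = ToyLCG(seed)
    return [rng.next_card() for _ in range(n)]

def draw_hardened(n):
    """Hardened design: each card comes from the OS CSPRNG; the game holds no seed."""
    return [secrets.randbelow(52) for _ in range(n)]

def seeds_matching(observed):
    """Audit helper: every seed whose output starts with the observed cards."""
    return [s for s in range(1 << SEED_BITS)
            if draw_weak(s, len(observed)) == observed]

if __name__ == "__main__":
    secret_seed = 0x3A7C                  # constructed value
    shown = draw_weak(secret_seed, 8)     # what anyone watching the game sees
    candidates = seeds_matching(shown)
    print("cards shown:", shown)
    print("seeds still possible:", len(candidates), "of", 1 << SEED_BITS)
    for s in candidates:                  # each surviving seed fixes all later cards
        print(hex(s), "-> next five:", draw_weak(s, 13)[8:])
    print("CSPRNG draw:", draw_hardened(5))
```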
They also figured that someone had probably patented his invention, and they were right: someone had patented the whole of his video poker machine code. By doing some reverse engineering on the binary code with the help of a disassembler that they wrote, the team was able to analyse the code and rewrite it. In due course they discovered that the logic behind it was the use of a random number generator. What motivated the team, I believe, was the fact that they didn’t want to lose the challenge and found it to be intriguing.
They also figured that if they were going to try it out, it would be as a challenge to their programming skills and intellects. Secondly, the machines and any other equipment required were readily available. The vulnerabilities of these machines were based on the fact that computers are completely deterministic: a computer will unquestioningly process the most nonsensical input data (garbage in) and produce nonsensical output (garbage out), and the slot machines did run on computer programs. [2] Hence, all they needed was a sample of the code showing how the programs ran. This wasn’t hard, since someone had already patented his video poker machine code, which Alex came across.

This mission was a success because the team successfully masqueraded as regular patrons for three years without raising the eyebrows of the casino security staff. Having the right number of people, and people who were well matched, also made the attack successful. Each of them had various technical and non-technical skills and potential that were required to carry out any task, hence they were well matched.
On non-technical skills, Mike had a sales-y kind of manner and was a very presentable guy. Marco was a daredevil; he approached everything with a can-do, smart-ass attitude. Alex also excelled in programming and, moreover, contributed the knowledge of cryptography that the team needed. He was also the main researcher. Larry wasn’t much of a programmer, but he was a great organizer who kept the project on track and ensured that everyone was focussed on what needed to be done at each stage.
As defined by Wikipedia, social engineering “is the act of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical cracking techniques; essentially a fancier, more technical way of lying. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim.” [3] I do believe that this team used some social engineering techniques.
For instance, when they were going to purchase a slot machine, they used the driver’s licence of someone from Vegas, on the assumption that they were going to use it for an illegal gambling business in Vegas, and they chose Mike as the one to talk to the seller because he was sales-y mannered and presentable too. Also, I find the way Alex, Mike and Marco exhibited the behavioural characteristics of the roles they were masquerading in to be an advanced social engineering technique. They succeeded in the trappings of their roles to the extent that security inferred them to be patrons.
The risk involved with hacking is getting caught. The only thing that the three were afraid of was getting caught by the casino security cameras or by the guards, who observed keenly throughout. Once you are caught, the casino never prosecutes you; their security handles the situation with strict interrogation, threats and even beatings, and they do it in a worse way than the police. Secondly, you may end up being prosecuted, paying huge fines, and even being jailed for a long period. This depends on the company, organization or person pressing charges against you.
Despite these risks, they kept on gambling, pushing the envelope just to see how far they could go. Secondly, as time went by, they became bolder and more confident in what they were doing, and as a result they went for more expensive machines that paid off better, exposing themselves to even more risk. Finally, after one of the members, Marco, was caught, Alex and Mike were freaked out by the situation Marco had got himself into. Since they had made an agreement that they would quit when one of them got caught, they had to do exactly that: quit.
Thus they tore up all the equipment and machines they had and dumped the pieces all over the city. This was, I believe, to get rid of any evidence.

In conclusion, information security is a paramount issue for any organization or company. I do believe that if your firmware is proprietary and considered valuable, then lots of consultation needs to be done with the best security firms so as to find out what techniques hackers are currently using. Secondly, the designers and programmers in the organization’s information technology department have to be kept up to date with the latest information pertaining to security and technology.
They also need to take all appropriate steps to ensure the highest levels of security for organizational data. According to Mitnick, “effective countermeasures can be put into place against most types of social engineering attacks. But let’s face reality here–unless everyone in the enterprise understands that security is important and makes it his or her business to know and adhere to a company’s security policies, social engineering attacks will always present a grave risk to the enterprise.” [4] In this case, the countermeasures that would have been put in place are as follows: the manufacturers of chips and software need to take into consideration all the ways in which they may be vulnerable to attackers. For instance, the programmers of the software in the Japanese slot machine never took into consideration what attacks they were vulnerable to, and as a result never took any security measures to protect the firmware from people getting at it, nor to stop someone from gaining access to the machine, removing the ROM chip, reading the firmware, and even recovering the program instructions that tell the machine how to work.
Secondly, they assumed that knowing precisely how the machine worked wouldn’t be enough, figuring that the computational complexity of cracking the random number generator. [5]

From the Lasallian values, I find that the four friends never had the spirit of faith, the kind of spirit that allows one to judge and evaluate things in the light of the gospel. If they had had this spirit, they would not have accepted the challenge of hacking into the casino systems. The second value is the zeal for the integral salvation of all. This zeal is for service.
The four friends never had the desire to be of greater service to others’ conditions or needs; they only had an urge to win more, thus allowing their greed to chew up their moral ethics. They also found the hacking quite justified, which I see as them taking revenge on the casinos, which they believe steal from the old women patrons. Actually, Alex admits that he never felt morally compromised by what they did, because they are casinos. Lastly, although the four friends had solidarity and collaboration among themselves, they were never open with each other.
They had made an agreement to inform each other about their whereabouts, but some never did that. If they had involved God and established a relationship with God, then they would still be close friends.

REFERENCES

Internet Resources
1. http://mitnicksecurity.com/media/CSC-Testimonial.pdf
2. http://en.wikipedia.org/wiki/Garbage_In,_Garbage_Out
3. http://en.wikipedia.org/wiki/Social_engineering_%28security%29
4. Mitnick, K. & Simon, W. The Art of Deception, Controlling The Human Element of Security [chapter 16]
5. Mitnick, K. & Simon, W. The Art of Intrusion, Real Stories Behind the Exploits of Hackers, Intruders & Deceivers