by Buddy Frank
CDC Gaming Reports September 2022
There is a 100+ year history of gamblers trying to cheat card games, load dice, rig roulette wheels and manipulate slot machines. Yet in the early 2000s, the threat of “hacking,” “malware,” or “cybercrime” was not really a priority of most gaming regulators. One of the first wake up calls came from Eddie Tipton who was working for the Multi-State Lottery Association (MUSL)
Tipton was on MUSL’s digital security team that was supposed to make sure computerized lottery games like “Hot Lotto” were fair and honest. Instead, Tipton, who was an avid Dungeons & Dragons player, used his game and technology skills to do a firmware hack on the system’s Random Number Generator (RNG). His first attack in Colorado in 2005 netted a phony $4.8 million jackpot. He followed that with other big wins in Kansas, Oklahoma, Wisconsin, and his home state of Iowa. He was eventually caught, tried, and convicted for a phony $14.3 million win.
After serving seven years of his 20-year sentence in an Iowa prison, he was paroled just four months ago. They are still working on restitution claims for the phony jackpots.
You can even unwittingly invite a cyber-attack. In October 2013, the late casino mogul Sheldon Adelson (a strong supporter of Israel) suggested at a public conference that the U.S. should detonate a nuclear weapon in the Iranian desert. The final line of his provocative quote was, “See? The next one is in the middle of Tehran!”
Four months later, the first nation-state “hack” on a casino hit his Sands Corporation. While they’ve not admitted guilt, few doubt that it was the Iranian government that corrupted Adelson’s website, took down thousands of the Sands’ workstations across the country and leaked sensitive customer, financial and employee data.
While specific details were never confirmed, rumors in the industry are that a weak password on an HVAC system in their Bethlehem, PA casino opened a door that led to an account of a senior IT systems engineer, which then gave them the digital keys to unlock the entire corporation. It’s hard to put a price on the Sands hack, but most would estimate the damage to be double or triple Tipton’s Iowa haul. Bloomberg Businessweek headlined their story on the event with: “Now At The Sands; Iranian Hackers In Every Server.”
Beginning in 2016, casinos across the U.S. were hit with ransomware attacks. The corporate casino giants were not immune, but most of the attacks were (and are still) aimed at Native American operations. In September of 2020, Cache Creek Casino in central California generated headlines as it was forced to close for three weeks. It is unknown which casinos did, or did not pay ransom on these attacks, but either way the damage was still in the millions in lost revenue and/or increased expenses each day they were down.
Unlike 2005, digital attacks today create the most nightmares for casino security professionals. At this month’s TribalNet Conference held in Reno, NV, cyber security dominated the seminar sessions. Likewise, the Indian Gaming Association is sponsoring a three-day seminar on “Cybersecurity Training” near the end of October in Las Vegas.
In the late 1990s, firms like Bulletproof, Cisco, Dell, Fortinet, Proofpoint, RSA, SeNet, and TrendMicro were already offering data protection and cyber recovery solutions for various industries. Within the last few years, there are now many more like BIG Cyber, Cyber One, Crowdstrike, Darktrace, and others.
But as early as 1989, James Maida’s GLI (Gaming Laboratories International) was a leader in testing, training, certification, education, and fraud detection for casino operators and equipment manufacturers. So, with the emergence of cyber threats, it made sense when GLI announced the acquisition of BULLETPROOF in June of 2016 to take on these challenges in a new division.
Maida says, “We didn’t just want to offer cybersecurity services; we wanted to offer cybersecurity services by gaming professionals, and Bulletproof’s years of experience in the gaming industry was, and is, a key differentiator.”
After their Iranian attack, the Sands Corp. hired Dell Technologies to help restore and strengthen their platforms. Yet, GLI’s background and experience in gaming hardware and systems probably make them one of the best fits to build a casino cyber defense team.
In the early 2010s, Maida was looking ahead to the growing trend toward mobile gaming. “We recognized the internet would play an increasingly critical role in delivering both sports betting and igaming, and that would have cybersecurity implications for operators, regulators, and suppliers. We wanted to be ahead of the curve in terms of cybersecurity so we could offer our clients a secure solution and peace of mind.” In April 2019, they also acquired SeNet International Corp. and, in October of that year, promoted SeNet’s Gus Fritschie to Bulletproof’s VP of Information Security Solutions.
While the company’s two divisions are separate, there are often important overlaps. The Tipton case, or the well-known example of Russian hackers who exploited flaws in the RNGs of older Aristocrat Mark VI slot machines in 2014-2016, are good examples of how these crimes can blur the boundaries between gaming hardware, software, and cyber worlds.
If you hired a trusted security provider and/or a data defense team like Bulletproof, where would they start? According to Fritschie, “We would tailor a program to your needs. There is little value in doing a ‘red team’ penetration test if the casino doesn’t already have the basics in place.” However, for those organizations that are more mature, Bulletproof can provide advanced testing services such as adversarial simulations, code reviews, and more.
Fortunately, with the headlines on widespread hacks and ransomware, most casinos have eliminated their “low-hanging fruit” and have started, or are in the process of, getting those “basics” in place.
As noted in an earlier Frank Floor Talk article, phishing remains one of the biggest backdoors to letting intruders into your systems. Who isn’t thrilled to learn that “you’ve won a new iPhone 14”? Or anxious to find out why “your Amazon account has been closed.” It is this constantly changing clickbait that can be hard to resist without proper training.
Most organizations have implemented or contracted with vendors to do simulated phishing attacks to train employees to resist them. However, Fritschie warns, “this training needs to be meaningful and, often, fun. Those who ‘gamify’ the process have a better success rate with participants by creating competitions.” He adds that the scenarios need to be closely related to their jobs or personal lives to be effective.”
News stories of hackers tapping into undersea cables or monitoring vibrations through your office window glass are fascinating, but in the real world the biggest threat comes from simple, easily preventable internal risks: specifically un-trained employees.
As Fritschie relates in one of his PowerPoint decks, “If ‘Joe’ from Marketing or Maintenance carelessly gives out their password, it bypasses all the investment you’ve made to harden your systems.”
There are other simple examples he uses: “One keypad on a security lock to the casino’s server room had such worn out keys on certain numbers, that anyone could crack the code.” Another common vulnerability is open ports on a casino’s Ethernet. “We often plug into these unprotected ports near ATM machines and gain full, unauthorized access to the casino’s network.” (Of course, they do this with the prior permission of upper management as part of their security audit of Surveillance and IT).
When you read about successful attacks on tech giants like the NSA, CIA, Microsoft, and Google, it’s easy to just give up all hope of prevention. It’s not unusual to hear, “there are only two kinds of casinos: those who’ve been hacked and those who will be hacked”.
That may be true. But it should also alert you that an important part of your defense is to focus on “recovery.” Bulletproof strongly recommends “tabletop” sessions where key members of your team discuss how you will respond after an attack. Fritschie says these sessions can often be real “eye-openers”.
Even backup strategies are no longer simple. Some notable hacks in other industries have revealed that the bad guys are often in your network for months and months before making a major strike. “A ransomware notice,” Fritschie says, “is often the last stage of an attack. What you don’t see is the sale of your sensitive data and customer information to other bad actors before they begin to shut down your systems and send demands.” Therefore, restoring your system from a backup that was infected weeks ago is of little help.
Despite the plain fact that no system is 100% secure, shoring up your defenses is still worthwhile, and it should be considered mandatory. A basic principle taught in “Bad Guys 101” is to hit the weakest targets first. The old saying that “you don’t need to outrun the bear; you just need to outrun at least one other person the bear is chasing” also makes sense when applied to cyber defense.
In summary, cybercriminals won’t stop. But your operations may if your security practices and controls are not in place. The better your professional advice, scans, passwords, testing, training, recovery, and backup strategies; the better your odds of escaping with less damage.
Another helpful tip: Think twice before publicly suggesting the use of a nuclear weapon on any foreign adversary.
 An excellent book on Tipton’s lottery exploits is “The $80 Billion Gamble” by Beeman & Rich