So long and tanks for all the data
August 4, 2017 2:46 PM   Subscribe

Attackers recently penetrated a North American casino's network via an Internet-connected fish tank and made off with more than 10GB of data.

    In spite of the fact that the fish tank was installed on its own VPN, isolated from the rest of the casino's network, the hacker managed to break through to the mainframe and steal data from the organization.
    "The data was being transferred to a device in Finland," says [cybersecurity firm] Darktrace [pdf]. "No other company device had communicated with this external location."
    "No other company device was sending a comparable amount of outbound data," experts added. "Communications took place on a protocol normally associated with audio and video." In total, the hacker managed to steal over 10GB of data by siphoning it off via the IoT fish tank.
Internet of things previously.
via
posted by not_the_water (48 comments total) 31 users marked this as a favorite
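The three observations Darktrace quotes above (a destination no other device talked to, an outbound volume out of line with peers, and a protocol the device had no business using) are each simple to compute from per-device flow summaries. The script below is an added example, not part of the post or of Darktrace's product; the flow records and protocol baseline are constructed for illustration, and the combination rule (alert only when at least two indicators agree) is an assumption of this example.

```python
from collections import defaultdict
from statistics import median

# Constructed sample flow summaries (not from the Darktrace report): one row
# per (device, destination, protocol) over a reporting window.
FLOWS = [
    {"device": "pos-terminal-1", "dst": "203.0.113.10", "proto": "https", "bytes_out": 120_000_000},
    {"device": "pos-terminal-2", "dst": "203.0.113.10", "proto": "https", "bytes_out": 110_000_000},
    {"device": "hr-laptop-7",    "dst": "203.0.113.10", "proto": "https", "bytes_out": 95_000_000},
    {"device": "hr-laptop-7",    "dst": "198.51.100.5", "proto": "smtp",  "bytes_out": 4_000_000},
    {"device": "fish-tank-ctrl", "dst": "203.0.113.10", "proto": "https", "bytes_out": 2_000_000},
    # Assumed exfiltration pattern: one device, one destination nobody else
    # contacts, a media-style protocol, and an outbound volume far above peers.
    {"device": "fish-tank-ctrl", "dst": "192.0.2.77",   "proto": "rtp",   "bytes_out": 10_700_000_000},
]

# Assumed per-device baseline: protocols observed during a learning period.
BASELINE = {
    "pos-terminal-1": {"https"},
    "pos-terminal-2": {"https"},
    "hr-laptop-7": {"https", "smtp"},
    "fish-tank-ctrl": {"https"},
}


def unique_destinations(flows):
    """Destinations that exactly one device communicated with."""
    talkers = defaultdict(set)
    for f in flows:
        talkers[f["dst"]].add(f["device"])
    return {dst for dst, devs in talkers.items() if len(devs) == 1}


def outbound_totals(flows):
    """Total bytes sent by each device across all of its flows."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["device"]] += f["bytes_out"]
    return totals


def volume_outliers(flows, factor=10):
    """Devices whose outbound total exceeds `factor` times the median of the other devices."""
    totals = outbound_totals(flows)
    outliers = set()
    for dev, total in totals.items():
        peers = [t for d, t in totals.items() if d != dev]
        if peers and total > factor * median(peers):
            outliers.add(dev)
    return outliers


def protocol_deviations(flows, baseline):
    """(device, protocol) pairs where the device has never been seen using that protocol."""
    return {(f["device"], f["proto"]) for f in flows
            if f["proto"] not in baseline.get(f["device"], set())}


def score_devices(flows, baseline):
    """Map each device to its sorted list of indicators; report only devices with two or more."""
    uniq = unique_destinations(flows)
    outliers = volume_outliers(flows)
    deviations = protocol_deviations(flows, baseline)
    reasons = defaultdict(set)
    for f in flows:
        if f["dst"] in uniq:
            reasons[f["device"]].add("unique-destination")
        if (f["device"], f["proto"]) in deviations:
            reasons[f["device"]].add("unusual-protocol")
    for dev in outliers:
        reasons[dev].add("outbound-volume")
    return {dev: sorted(r) for dev, r in reasons.items() if len(r) >= 2}


if __name__ == "__main__":
    for dev, why in score_devices(FLOWS, BASELINE).items():
        print(f"ALERT {dev}: {', '.join(why)}")
```

Note that hr-laptop-7 also talks to a destination nobody else contacts, but SMTP is in its baseline and its volume is ordinary, so a single weak indicator does not produce an alert; the fish-tank controller trips all three.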
Can we just rename it "The Internet of Things That Are Huge Security Holes" already?
posted by GenjiandProust at 2:49 PM on August 4 [23 favorites]


*ctrl-f "phishing"*

No? Really? Admirable restraint, WaPo.
posted by The Bellman at 2:53 PM on August 4 [40 favorites]


Cue everyone running to Shodan to try and find similar devices.......
posted by inflatablekiwi at 2:54 PM on August 4 [1 favorite]


Is there an award for best title? Because this post wins it.
posted by twilightlost at 2:54 PM on August 4 [20 favorites]


"In spite of the fact that the fish tank was installed on its own VPN, isolated from the rest of the casino's network, the hacker managed to break through to the mainframe and steal data from the organization."

Those words, I do not think they mean what the author thinks they mean.
posted by Frayed Knot at 3:01 PM on August 4 [19 favorites]


Is there an award for best title? Because this post wins it.

Don't forget the bonus eponystericality.
posted by howfar at 3:01 PM on August 4 [12 favorites]


The Internet Of Fins...
posted by Devonian at 3:02 PM on August 4 [5 favorites]


Paging William Gibson, William Gibson to the white courtesy neural jack please...
posted by Sangermaine at 3:03 PM on August 4 [9 favorites]


Internet of [fish] shit
posted by not_the_water at 3:05 PM on August 4 [3 favorites]


Internet connected? You gotta keep your waterwall updated.
posted by thelonius at 3:09 PM on August 4 [3 favorites]


to be fair, the fishtank software was still in betta
posted by cortex at 3:12 PM on August 4 [69 favorites]


As for what people can do to protect themselves against these kinds of attacks, customers should educate themselves about IoT products and take advantage of any security protection the product offers, Nigam said. He added that people should use the latest operating systems and software and constantly update them.

On one hand, yes, surely. On the other, when people buy a fish tank/toaster/thermostat, they are thinking convenience, not that they will have to constantly check settings and patch things. Honestly, all IoT items should come with the equivalent of the warnings that we put on booze and cigarettes -- "use of this device may compromise your security and personal information."
posted by GenjiandProust at 3:18 PM on August 4 [3 favorites]


As of press time it's unknown whether such an aquarium-based attack can work at scale.
posted by 7segment at 3:21 PM on August 4 [6 favorites]


These people are bottom feeders #nofilter
posted by Kafkaesque at 3:22 PM on August 4 [6 favorites]


In spite of the fact that the fish tank was installed on its own VPN, isolated from the rest of the casino's network,

Ron Howard: It wasn't

There's good and bad ways you can isolate from the rest of the network. A VPN does not do that. A VPN has never done that.
posted by Talez at 3:26 PM on August 4 [14 favorites]


IoT: the 'S' stands for 'secure'.
posted by signal at 3:28 PM on August 4 [37 favorites]


It's honestly not surprising because in my time working in IT I've heard some dumb shit said by people who are supposedly professional network security people.

It's like someone coming up to a teacher and suggesting they can be more protected from false accusations of molesting students by wearing a condom while they teach. Sure, in certain situations condoms offer great protection from things like unwanted pregnancy and STDs, and I'm sure one would want those qualities in their protection if one does end up seducing a minor. But I'm not quite sure they get what the situation actually calls for.
posted by Talez at 3:32 PM on August 4 [2 favorites]


I think I would have gone with "So long and tanks for all the phish". But that's just me...
posted by jim in austin at 3:37 PM on August 4 [6 favorites]


Talez, you should draw a little comic of that analogy; it's pretty funny. Don't worry if you're not a great artist. Stick figures would be fine.
posted by straight at 3:41 PM on August 4 [1 favorite]


Someone's already made a similar comic.
posted by JiBB at 4:11 PM on August 4 [3 favorites]


Someone's already made a similar comic.

[thatsthejoke.jpg]
posted by Talez at 4:15 PM on August 4 [4 favorites]


I didn't mean to steal from xkcd. I honestly didn't remember where I heard the phrase from.
posted by Talez at 4:15 PM on August 4


The Internet of Fins
posted by Thorzdad at 4:28 PM on August 4 [1 favorite]


The original plan was to air gap the fish but that didn't work as well as expected.
posted by Hairy Lobster at 4:41 PM on August 4 [14 favorites]


Can we just rename it "The Internet of Things That Are Huge Security Holes" already?

The Internet of Theft
posted by Kirth Gerson at 4:47 PM on August 4 [1 favorite]


It's like none of the people who design or install this stuff ever watched the BSG reboot.
posted by idiopath at 4:57 PM on August 4 [10 favorites]


the future is so stupid

what are we even doing
posted by poffin boffin at 4:58 PM on August 4 [26 favorites]


The Fins took the data?
posted by benzenedream at 4:58 PM on August 4 [3 favorites]


I feel the problem was in the wetware.
posted by Miss Otis' Egrets at 5:06 PM on August 4 [4 favorites]


The future is coming to validate our paranoid schizophrenics. Oh, and our POTUS.
posted by es_de_bah at 5:24 PM on August 4


Perhaps it is time to get rid of my Sonos?
posted by grumpybear69 at 5:26 PM on August 4


The fish tank had sensors connected to a PC
I'm not sure this is "the internet of things" as it's usually conceived. Just an unsecured PC on their network.
posted by eruonna at 6:16 PM on August 4 [2 favorites]


Ocean's 11GB
posted by Room 641-A at 6:55 PM on August 4 [15 favorites]


Tank obviously didn't have a detector for leaks.
posted by maxwelton at 7:06 PM on August 4 [4 favorites]


No one noticed anything fishy until it was too late.
posted by bendy at 7:15 PM on August 4 [1 favorite]


To be fair, 10GB of data isn't really all that much data these days. I mean, yes if it was all social security numbers and credit card information - sure - that's a ton, but if their system is anything like ones I have used in the past, the first 10g of queries could be positional sensor data detecting tremors which may impact craps or roulette rolls, or guest sign ins at the concierge desk - distinctively by their guest ID, but unconnected to their physical address, telephone number or other personal identifying information. Hell - There is so much transactional information that companies record these days, that hackers could be stuck with even good transactional data, but totally missing product tables, or customer tables, or users tables which ultimately renders the information... "meh".

Look, I'm just saying - we're in the age of big data. 10gigs is laughable - especially when you consider it is from a casino.
posted by Nanukthedog at 8:25 PM on August 4 [2 favorites]


why do the fish even need to use the internets

how do they type
posted by poffin boffin at 8:27 PM on August 4 [9 favorites]


how do they type

the problem is, he keeps shorting it out
posted by idiopath at 8:46 PM on August 4


The casino’s name and the type of data stolen were not disclosed in the report for security reasons

But all of the affected consumers were notified promptly, right?



*crickets*
posted by mediareport at 2:49 AM on August 5


So this wasn't a fish cam, right? Just some internal method of regulating and maintaining the tank? Was this common knowledge, or does that point to something of an inside job?
posted by Room 641-A at 6:17 AM on August 5


to be fair, the fishtank software was still in betta

even so its security was carp
posted by flabdablet at 10:45 AM on August 5


Are we sure this was the sole incident? It could be a red herring.
posted by Room 641-A at 11:50 AM on August 5


even so its security was carp

To be fair, carp are more interested in high availability/load balancing issues...
posted by foonly at 1:16 PM on August 5


Was this common knowledge, or does that point to something of an inside job?

Of course! No one would ever suspect the fish and the hack coming from inside the tank!
posted by inflatablekiwi at 6:46 PM on August 5 [2 favorites]


I read this out loud:

why do the fish even need to use the internets

And my partner says:

"They were surfing."
posted by Orlop at 9:29 AM on August 6 [1 favorite]


Honestly, all IoT items should come with the equivalent of the warnings that we put on booze and cigarettes -- "use of this device may compromise your security and personal information."

Please don't make this the answer. All this will do is allow the manufacturer to continue with sloppy practices under the guise of "we warned them...our responsibility here is fulfilled".
posted by kjs3 at 9:05 AM on August 7 [1 favorite]


There's good and bad ways you can isolate from the rest of the network.

True.

A VPN does not do that. A VPN has never done that.

It can, if you've correctly configured your VPN to disable split tunneling and have your routing restricted right.
posted by kjs3 at 9:09 AM on August 7
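The exchange above turns on what "isolated by a VPN" actually means at the routing layer. The script below is an added example, not code from the thread or any of its commenters; the three routing tables are constructed, and it goes slightly beyond kjs3's point by showing the usual caveat: a full-tunnel setup built with two /1 routes (the OpenVPN-style "def1" trick) still leaves the directly connected LAN reachable, so the device also has to sit on a network segment where the only connected subnet is the tunnel's own link.

```python
import ipaddress

# Assumed host routing tables, constructed for this example: (prefix, interface).
SPLIT_TUNNEL = [
    ("0.0.0.0/0", "eth0"),        # default route stays on the local uplink
    ("192.168.1.0/24", "eth0"),   # directly connected casino LAN
    ("10.50.0.0/16", "tun0"),     # only the vendor's subnet goes through the VPN
]

FULL_TUNNEL = [
    ("0.0.0.0/0", "eth0"),        # original default route is left in place
    ("0.0.0.0/1", "tun0"),        # two /1 routes are more specific than /0 and so
    ("128.0.0.0/1", "tun0"),      # capture all traffic without deleting the default
    ("192.168.1.0/24", "eth0"),   # connected LAN route is still present
    ("10.50.0.0/16", "tun0"),
]

# Device placed on a /30 whose only neighbour is the VPN gateway: every other
# destination, including the casino LAN, must traverse the tunnel, where the
# concentrator's policy decides what is reachable.
ISOLATED_SEGMENT = [
    ("0.0.0.0/0", "tun0"),
    ("172.31.200.0/30", "eth0"),
]


def next_hop(table, dst):
    """Longest-prefix match: the most specific prefix containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def bypasses_tunnel(table, destinations, tunnel_iface="tun0"):
    """Destinations the device can reach without the traffic entering the VPN."""
    return sorted(d for d in destinations if next_hop(table, d) != tunnel_iface)


# Constructed test destinations: a casino LAN host, a vendor host, an Internet host.
DESTINATIONS = ["192.168.1.20", "10.50.3.9", "198.51.100.7"]

if __name__ == "__main__":
    for name, table in [("split tunnel", SPLIT_TUNNEL),
                        ("full tunnel", FULL_TUNNEL),
                        ("isolated segment", ISOLATED_SEGMENT)]:
        print(f"{name}: off-tunnel reachable = {bypasses_tunnel(table, DESTINATIONS)}")
```

With split tunneling the device reaches both the LAN and the Internet directly; disabling it removes the Internet path but not the connected LAN; only the dedicated segment forces everything through the concentrator, which is the "routing restricted right" part.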


Look, I'm just saying - we're in the age of big data. 10gigs is laughable - especially when you consider it is from a casino.

Unfortunately for those of us on the pointy end of these issues, we can't use that as an excuse.
posted by kjs3 at 9:10 AM on August 7



