Security Researcher Assaulted Following Vulnerability Disclosure(secjuice.com)
secjuice.com
Security Researcher Assaulted Following Vulnerability Disclosure
https://www.secjuice.com/security-researcher-assaulted-ice-atrient/
117 comments
With articles like this, I often to take out the horrible thing that the company is doing and post the quote to Hacker News, to give a sense of the scale of the issue; in this case me trying to do so would require including the majority of the article. It’s that bad. And yes, apparently the company thought it was ok for the COO to physically assault security researchers at a conference.
One of the Glassdoor reviews mentions the COO getting wasted at tradeshows, so maybe the assault is just normal behavior for him.
Weird, I've gotten "wasted" at tradeshows but never assaulted anyone :)
Angry drunk vs. happy drunk is a good zeroth-order personality test.
> Angry drunk vs. happy drunk is a good zeroth-order personality test.
And to be fair even "happy drunk" can be unprofessional in the wrong context.
But I think anyone who judges someone for how they act in a bar, after dark, and the concern is they were too jovial (absent some kind of sexual harassment or belting out racist jokes) is not someone I'd want to work with anyways.
And to be fair even "happy drunk" can be unprofessional in the wrong context.
But I think anyone who judges someone for how they act in a bar, after dark, and the concern is they were too jovial (absent some kind of sexual harassment or belting out racist jokes) is not someone I'd want to work with anyways.
I was once fired from a state job (USA) for bringing a vulnerability forward in the online ethics training. You can run "setScore(100, 0, 100)" in the developer console and pass the exam without actually taking it. (The state used a third party online exam provider who I contacted). I was fired by the end of the week
I had to do "online traffic school" and noticed there were 2 javascript variables that were on a timer. If you set the variables correctly in the right order, the timer expired and it would let you go to the next page.
I spent the time figuring this out because I read exceptionally fast. When I've read a page in a few minutes and the timer forces me to sit there for an additional 13 minutes, I'm going to figure those things out. It was silly.
I spent the time figuring this out because I read exceptionally fast. When I've read a page in a few minutes and the timer forces me to sit there for an additional 13 minutes, I'm going to figure those things out. It was silly.
Edit: the vulnerability still exists on many online exam styled pages.
Of course it does, half the fucking garbage software you use in a browser is using shitty client side validation.
Sorry you got fired from your old job. Sounds like your new job could be "pay a dollar to skip the exam."
Yeap. Kill the Messenger is the default setting. It's a miracle Snowden is still alive.
I suspect you were fired for trying and using the vulnerability (which you no doubt did merely to confirm your suspicion of it) rather than for bringing it forward, which merely provided the evidence for the reason for firing.
Though you probably would have done better to report the problem through the state authorities overseeing the contractor (or the general government oversight agency, like th Bureau of State Audits in California) rather than the contractor, to whom your report was a threat of revealing their poor performance.
If nothing else, a report to responsible state authorities would be less likely to meet with someone with an incentive to sweep it under the rug (especially a general oversight body) and would be more likely protected by whistleblower protections, which most states have in some form.
Though you probably would have done better to report the problem through the state authorities overseeing the contractor (or the general government oversight agency, like th Bureau of State Audits in California) rather than the contractor, to whom your report was a threat of revealing their poor performance.
If nothing else, a report to responsible state authorities would be less likely to meet with someone with an incentive to sweep it under the rug (especially a general oversight body) and would be more likely protected by whistleblower protections, which most states have in some form.
Did you hire an attorney, or just move on with life?
Online cbts like that are mostly honor system and there’s a zillion ways to get around then.
Now that this is out in the open, I wonder how much longer Atrient will stay in business. These people sell these systems to casinos. Their customers are not going to like this at all.
Atrient mostly handles affinity cards and such. So they have lots of info about customers, including drivers license scans[1], but not much of a connection into the casino's main systems. A basic break-in might get you a suite upgrade or free booze. A more ambitious attacker would obtain the casino's customer list, with enough info to identify big losers and big winners.
[1] http://www.atrient.com/products/card-printing-enrollment/
Atrient mostly handles affinity cards and such. So they have lots of info about customers, including drivers license scans[1], but not much of a connection into the casino's main systems. A basic break-in might get you a suite upgrade or free booze. A more ambitious attacker would obtain the casino's customer list, with enough info to identify big losers and big winners.
[1] http://www.atrient.com/products/card-printing-enrollment/
Regarding a "casino's main systems"..
Going back a few years I was involved with a gaming organisation. We were advised that certain activities legally had to be air gapped (we are not in the US), and I raised an issue of how it is that servers could be accessed by VNC (single dictionary word password) over the Internet if that were the case.
I was advised that the server was installed in a rack with 1RU of space between it and the router connecting it to the internet, and that lawyers had reviewed it and considered that to meet the legal definition.
I strongly suspect you'll find core activities just as vulnerable.
Going back a few years I was involved with a gaming organisation. We were advised that certain activities legally had to be air gapped (we are not in the US), and I raised an issue of how it is that servers could be accessed by VNC (single dictionary word password) over the Internet if that were the case.
I was advised that the server was installed in a rack with 1RU of space between it and the router connecting it to the internet, and that lawyers had reviewed it and considered that to meet the legal definition.
I strongly suspect you'll find core activities just as vulnerable.
Well there was also this:
"...and that you could enter casino cash prize draws with as many entries as you wanted in order to win them, ..."
"...and that you could enter casino cash prize draws with as many entries as you wanted in order to win them, ..."
This is not the first time Atrient has been sloppy with the details of their NDAs, nor the first time Jessie Gill has gotten in trouble for being a touch too eager to get physical.
https://www.leagle.com/decision/infdco20180828d81
https://www.leagle.com/decision/infdco20180828d81
Hahahaha, how terrible is Atrient's lawyer, Mark E. Ferrario, for filing a complaint that didn't even allege a cause of action?!
He just asked the court to do some random stuff without arguing a case. The whole opinion is just, "Plaintiff didn't allege anything, so dismissed".
He just asked the court to do some random stuff without arguing a case. The whole opinion is just, "Plaintiff didn't allege anything, so dismissed".
Geez, what a creep and psychopath. This is what happens when someone thinks that they are too rich to follow the rules of society.
To assault a programmer on the floor of a conference and expect to get away with says a lot about what this person has likely gotten away in their past.
Yeah, especially a tech conference. Everyone has phones with cameras, vloggers and journalists covering things.
I know there are stories of casinos in Vegas breaking people's legs for cheating, but I guess that doesn't happen anymore since big corporations run them now with too much to lose. Plus if that ever happened and went viral, it would hurt their business.
I know there are stories of casinos in Vegas breaking people's legs for cheating, but I guess that doesn't happen anymore since big corporations run them now with too much to lose. Plus if that ever happened and went viral, it would hurt their business.
If you (like me) didn't know what a Shodan safari is, you're in for a fun ride:
https://techcrunch.com/2019/01/21/shodan-safari/
https://techcrunch.com/2019/01/21/shodan-safari/
Without Oath's abusive GDPR wall: https://outline.com/JF28AH
It is unbelievable what, to this day, is still directly connected to the Internet. Everything from pharmacy prescription systems, to large cargo ships in the middle of the pacific, to dam control systems.
Shodan is an awesome tool.
Shodan is an awesome tool.
Also they have a free plan for anyone with an edu email, great way to kill a few hours in between studying!
best $50 I ever spent
Disclosing security vulnerabilities that aren't part of a bug bounty program takes a large amount of either courage or ignorance. Until there are protections in place for a given jurisdiction, far safer to leak it anonymously or just stay quiet. I was surprised that GDPR didn't contain any sort of protections for security researchers. The fines collected are hefty enough they could easily run a very successful bug bounty program.
I agree with you, but it isn't a clear cut issue. Attacking a server right now comes with some legal risk, which is a deterrent to some. It's impossible to tell white hats from black. If it were paired with a law that made it a felony to resell vulns to third parties then it would be much more robust.
The only way you're going to reduce the amount of vulnerabilities being sold on black markets is to provide sufficient financial and social incentive. There are enough people with dubious morals who don't care how illegal it is to find and exploit them, who will eagerly take the biggest payday. Combine no guarantee you'll get paid, poor treatment by authorities and employers and the (albeit low) risk of getting your shit kicked in, I'm not surprised people aren't lining up at the door to report vulnerabilities.
I agree completely, but the issue is that the vulnerability value is asymmetric. It's about $1m to get an iPhone no-click RCE. Up to about $4m for one with a seemingly long shelf life. Apple is not going to pay $Xm for their bug bounty.
That said, that there will be some that continue to engage in illegal activity doesn't mean we shouldn't make it illegal in the first place. I'd even be in favour of treating certain classes of vulnerability sale as an act of terrorism or treason or arms export violation.
I know it is hard, but we have to try to solve this.
That said, that there will be some that continue to engage in illegal activity doesn't mean we shouldn't make it illegal in the first place. I'd even be in favour of treating certain classes of vulnerability sale as an act of terrorism or treason or arms export violation.
I know it is hard, but we have to try to solve this.
Yeah, I'd rather not make security research any more taboo and frowned upon than it already is. Regulation should be put towards forcing companies to put bug bounty programs into place and forcing companies to put the necessary money into it, not disincentivizing the absolutely crucial and important work that researchers do. Apple can easily afford it.
I agree that regulation should be put into place, I've blogged about it in the past and I've argued that it should scale with number of affected users, but that doesn't mean we shouldn't make certain acts illegal. Selling a iOS 0day to the Saudis should be illegal.
Casinos have such a large attack surface that they should be thanking anyone and everyone who exposes any vuln.
So is this still a vulnerability? Time to do some more digging boys!
In the off chance that you're serious, this sounds like a great way to land yourself in federal prison.
As if blackhats in Vladivostok are particularly afraid of the FBI. Once the vulnerability is public, if that stuff is still connected to the public Internet, game over.
I'm pretty sure this article is all that was required for some enterprising people to do their own research and find some of the same vulnerabilities. I imagine we might see some interesting damages outlined in some lawsuits from casinos against Atrient.
> a great way to land yourself in federal prison.
For what? Checking shodan and seeing that people don't know how to write secure code.
For what? Checking shodan and seeing that people don't know how to write secure code.
Dude, just don't.
I get the excitement of knowing how easy it is to do this stuff. But US Federal Laws can be interpreted in creative ways to throw you in Federal Prison. And I think that will continue to be the case until American society (the Jury, in US) learns more about how these things work.
I get the excitement of knowing how easy it is to do this stuff. But US Federal Laws can be interpreted in creative ways to throw you in Federal Prison. And I think that will continue to be the case until American society (the Jury, in US) learns more about how these things work.
For actively exploiting a bug in a piece of software for personal gain, which is much less defensible than simply finding vulnerabilities.
Checking for vulnerabilities IMO shouldn't be considered a crime - it's not a clear malicious intent. Sure if somebody is trying to open car doors in the parking lot that may warrant investigation - but for all we know they were just trying to warn drivers they left it unlocked, no actual crime has yet been committed.
But after you have this data, I jokingly suggested "welp may as well capitalize on it". But missing with somebody elses money, especially a large fin-tech company will get a lot of people upset, people with money to sue, not to mention it's the FBI's job to go after you, especially at this scale.
You could certainly try just be aware the reaction will not be favorable for you at all.
But after you have this data, I jokingly suggested "welp may as well capitalize on it". But missing with somebody elses money, especially a large fin-tech company will get a lot of people upset, people with money to sue, not to mention it's the FBI's job to go after you, especially at this scale.
You could certainly try just be aware the reaction will not be favorable for you at all.
Ask Weev how it worked out for him.
[deleted]
You and a lot of other people are doing some digging right now
Wouldn't the Nevada Gambling Commission be interested in this?
I mean, maybe, but do you really think they have some sort of well-staffed cyber-division that would 1. understand this and 2. know what to do with it? My guess is they're still operating like it's the 1980s. Hopefully I'm wrong!
Curious that the FBI now does vulnerability coordination. Haven't ever heard that before.
Curious that the FBI now does vulnerability coordination. Haven't ever heard that before.
do you really think they have some sort of well-staffed cyber-division that would 1. understand this and 2. know what to do with it?
1. Yes. 2. Also yes.
The Nevada Gaming Commission, all of the big casino companies in its state, and the companies that make the gambling machines, are quite remarkable, technologically speaking.
Sometimes I think the terrible web sites they have for hotel reservations are just a smokescreen.
1. Yes. 2. Also yes.
The Nevada Gaming Commission, all of the big casino companies in its state, and the companies that make the gambling machines, are quite remarkable, technologically speaking.
Sometimes I think the terrible web sites they have for hotel reservations are just a smokescreen.
> Sometimes I think the terrible web sites they have for hotel reservations are just a smokescreen.
Captain Obvious says he'd imagine that the amount of money brought in from room reservations is a drop in the bucket to what is made on the casino floor, hence the comping of rooms for players. The money spent on reservations vs protecting the gaming would be in proportion to that.
Maybe Captain Obvious is being a bit simple minded, but makes sense. Everything about the hotel is geared to get you to lose your money in the casino.
Captain Obvious says he'd imagine that the amount of money brought in from room reservations is a drop in the bucket to what is made on the casino floor, hence the comping of rooms for players. The money spent on reservations vs protecting the gaming would be in proportion to that.
Maybe Captain Obvious is being a bit simple minded, but makes sense. Everything about the hotel is geared to get you to lose your money in the casino.
Everything about the hotel is geared to get you to lose your money in the casino.
That's last century thinking. Gambling's influence on the bottom line domestically is waning.
These days it's all about entertainment, clubs, and restaurants. That's why every casino in Las Vegas is falling all over itself to build new sports and entertainment arenas, and paying huge bucks to put celebrity chef names on their restaurants.
That's last century thinking. Gambling's influence on the bottom line domestically is waning.
These days it's all about entertainment, clubs, and restaurants. That's why every casino in Las Vegas is falling all over itself to build new sports and entertainment arenas, and paying huge bucks to put celebrity chef names on their restaurants.
That sounds like the mindset they must have used when they had the Vegas is family friendly ad campaign. That failed, and the What happens in Vegas campaign took over. I would have a hard time believing concerts, magic shows, celeb chefs generate the same kind of money that the casinos and sports betting brings in. However, if you have something that backs that up, I'd definitely be willing to read it and change my view.
There could be blanket clauses like reasonable efforts to secure private information, access controls, etc. They don't have to specify on the regulation what has to be done, just let prosecutors argue that it's not sufficient.
My guess would be yes, since so much of gambling is electronic. "Wire fraud" is pretty old.
I've not dealt with the NGC directly -- only other gaming commissions and some NGC partners -- but everyone I've dealt with in gambling has cared deeply about security. They often get it wrong, but they take this stuff very seriously.
> Because there is no SSL protection and because the API is wide open and vulnerable to abuse, it is possible to identify kiosks by their Mac address
Eh?
Eh?
It should have said "MAC address" [0]. Nothing to do with Apple Macintoshes.
[0] https://en.wikipedia.org/wiki/MAC_address
[0] https://en.wikipedia.org/wiki/MAC_address
That still doesn't make any sense to me in the context of the rest of the sentence.
Possibly, existing kiosks are registered by MAC address in the API. By querying the API for registered kiosks, you can pretend to be one by spoofing the MAC
I wonder if Casino's run their machines, etc on the same network as guests are on at the hotel, etc...
I'd think they'd at least isolate the networks to at least make things a bit harder... Maybe you could be sneaky and unplug an ethernet cable and plug in a device but apparently, the eye in the sky would catch you, and end up in serious trouble.
I know some probably have apps to check your rewards, etc but that probably would run on the public internet with some sort of proxy into their private databases.
I'm not really into gambling, the family took me once when I turned 21 and was kinda boring. I just waited around while everyone else played video pocket. Free Mt. Dew though...
Also, all the woman seem to wear something to show off their breasts more, I guess more tips... So stereotypical like you'd see on television.
At least they banned smoking in casinos, I guess in the old day's people would be smoking right next to you. Oh, Google'd it and it seems like they allow it in Vegas at the casino and bar, just not restaurants. Wow. I believe in my state it's a standard ban inside completely of any public building.
Also, reports of Atlantic City dying now since more and more states have allowed Casino's to open. I seem to associate gambling with Vegas though over any other city.
I wouldn't mind going to just play the slots someday again, but really not into wasting money right now.
I'd think they'd at least isolate the networks to at least make things a bit harder... Maybe you could be sneaky and unplug an ethernet cable and plug in a device but apparently, the eye in the sky would catch you, and end up in serious trouble.
I know some probably have apps to check your rewards, etc but that probably would run on the public internet with some sort of proxy into their private databases.
I'm not really into gambling, the family took me once when I turned 21 and was kinda boring. I just waited around while everyone else played video pocket. Free Mt. Dew though...
Also, all the woman seem to wear something to show off their breasts more, I guess more tips... So stereotypical like you'd see on television.
At least they banned smoking in casinos, I guess in the old day's people would be smoking right next to you. Oh, Google'd it and it seems like they allow it in Vegas at the casino and bar, just not restaurants. Wow. I believe in my state it's a standard ban inside completely of any public building.
Also, reports of Atlantic City dying now since more and more states have allowed Casino's to open. I seem to associate gambling with Vegas though over any other city.
I wouldn't mind going to just play the slots someday again, but really not into wasting money right now.
I still don't understand it, TCP/IP doesn't transmit MAC addresses. Your knowledge of it ends at the next router... Therefore you definitely can't authenticate/authorize by MAC address.
> Therefore you definitely can't authenticate/authorize by MAC address.
I would be entirely unsurprised to see that the device is calling out to the API with it's MAC address as some kind of authenticator.
eg: http://foo.example.com/api/prizes?id=xx:xx:xx:xx:xx
I would be entirely unsurprised to see that the device is calling out to the API with it's MAC address as some kind of authenticator.
eg: http://foo.example.com/api/prizes?id=xx:xx:xx:xx:xx
I've used quite a few systems where the MAC address is used as a secondary password to verify that someone didn't just steal the hard drive out of a kiosk.
I thought of this. But the OP stated that the traffic is unprotected making this security measure moot.
Exactly, and then the stored MAC is exposed in its un/or-poorly-authenticated API
Such behavior needs to lead to jail time and not just a trivially payable fine so that the rich like the poor understand that wrongdoing has consequences.
We should not forget the 18 year's old Hungarian "hacker" that was arrested for opening Dev Tools and modified HTML values. https://techcrunch.com/2017/07/25/hungarian-hacker-arrested-...
[deleted]
Wonderful man, this Jessie Gill.
https://www.leagle.com/decision/infdco20180828d81
https://www.leagle.com/decision/infdco20180828d81
Does anyone figure this guy is connected and the third party contractors hired to program the kiosks were some student working from home in his off time?
This one does deserve to be called vulnerability. It is a plain stupidity.
People are complaining a lot about GDPR here but such a case would definitely lead to a fine of 4% or 8% of atrients revenue.
So open season on Atrient?
g’bye atrient. we hardly knew ye.
lucb1e(4)
Play stupid games with mafioso, win stupid prizes. (Pun intended.)
While the behavior of Atrient and specifically Jessie Gill is absurd in terms of working with the researchers to address the issues and pay the bounty, I am always skeptical of these captured videos. We don't have any context of what was said before and what the communication between the researchers and Atrient was like other than their accounts. Maybe I am just being cynical, but I've personally had interactions with security researchers who are extremely arrogant and on a vendetta to show how smart they are, and drift from white hat to grey or in some cases black hat territory.
Does it matter what happened before?
Is there _any_ circumstance under which that's appropriate or even justifiable behaviour for a CxO, no matter what had happened in the preceding few moments? If your CxO isn't capable of maintaining professional behaviour in front of arrogant researchers or blackhats boasting in public, I'd suggest it's well past time to be polishing up your resume and moving on...
Is there _any_ circumstance under which that's appropriate or even justifiable behaviour for a CxO, no matter what had happened in the preceding few moments? If your CxO isn't capable of maintaining professional behaviour in front of arrogant researchers or blackhats boasting in public, I'd suggest it's well past time to be polishing up your resume and moving on...
I personally (and unfortunately) know Jessie Gill of Atrient. I have to, for work purposes. The way his interactions and comments/quotes were described in that article were exactly things that he would say and do. He's a pretty violent guy actually. And the way he's acting in that video, only saying, "I don't know you" and sitting down, he knows he needs to watch what he says because there are a lot of things that that video could tie to later. Anyway, I wasn't there so I can't be 100% sure of anything, but I have known Jessie for years, hell I've been to his house several times, and the behavior is spot on.
hello! thanks for this comment would you be able to contact me on twitter @me9187 (this account is mentioned in the secjuice article for verification) and tell us a little bit more about your experiences?
Unfortunately I can't risk being caught in Jessie's sights right now. He has a way of twisting things into his favor and always seems to get himself out of trouble by turning it on someone else. I have been following this story though and I may contact you in the future. Thanks, and sorry.
Seems like this guy has serious issues after reading this: https://www.leagle.com/decision/infdco20180828d81
I also know jessie gill personally and he don't deserve to be COO of the copy. I don't have any clue why Atrient CEO Sam don't take of this things well. Moreover he knows what jessie behavior is but he still won't bother to take action against him. And just to add it Jessie is pervert he has sexual harassment case going in case.