Ransomware: The gangs vs. the casino
Even by Las Vegas standards, the cyberattack on MGM’s casinos brought a new level of chaos, said Jeremy C. Owens in Market Watch. Guests at hotels including the Bellagio, the MGM Grand, and Mandalay Bay faced “hours-long lines to check in” because computer systems were down. “Restaurants were only accepting cash, even though the casino-hotel’s ATMs were not working.” And when some guests did manage to get to their rooms, they were met with an unwelcome surprise: Other guests already sleeping inside, the rooms having been double-booked by mistake. The meltdown continued for 10 days, until computer systems at the casino chain, which appears to have resisted ransom demands, were finally brought online last week.
The casino hack was orchestrated by an “extraordinarily skilled” group of Gen Z cyberthieves, said Zeba Siddiqui and Raphael Satter in Reuters. “Known in the security industry variously as Scattered Spider, Muddled Libra, and UNC3944,” these hackers are English-speaking, mainly from Western countries, and believed to be between the ages of 17 and 22. But cyber experts describe them as “sophisticated” at deploying “social engineering” to work around conventional corporate cybersecurity. They breached two of the world’s largest gambling companies, MGM and Caesars, by calling their IT help desk “posing as an employee” pretending to have lost log-in details. “They had all the employee information needed to sound convincing.” The group’s “willingness to deploy crippling ransomware while demanding money is a major escalation,” said Joseph Menn in The Washington Post. Security experts worry that the teen hackers’ skills have “attracted recruiters for the Russian gangs who want to combine their business savvy with the techniques and local knowledge of the native English speakers,” a troubling alliance.
Most organizations’ computer systems remain easy prey for hackers, said Interior Department inspector general Mark Lee Greenblatt, also in The Washington Post. We recently tested the Interior Department’s cybersecurity controls, spending less than $15,000 on a well-known system designed to crack passwords using free, publicly available software. And still “we cracked more than 18,000 passwords—or 21 percent” of the department’s total. The most commonly used password was, you guessed it, “Password-1234.” But actually “99.99 percent of the hacked accounts met the department’s password complexity requirements.” How do we establish stronger defenses? Two-factor authentication is a start. But also consider “passphrases” rather than passwords. “A more easily remembered passphrase that strings together several unrelated words totaling more than 16 letters, such as ‘DinosaurLetterTrailChance’” would take a computer a much longer time to break than a single word.
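The point Greenblatt makes, that a password can satisfy a complexity rule and still be trivial to crack while an unrelated-word passphrase is not, can be made concrete with a back-of-the-envelope search-space comparison. The following is an added worked example, not code from the article or the Interior Department audit; the complexity rule, the attacker model (common word + separator + digit suffix), the wordlist sizes and the guessing rate are all assumptions chosen for illustration.

```python
"""Compare how many guesses an attacker needs for a 'word + separator + digits'
password versus a multi-word passphrase.  All model parameters below are
illustrative assumptions, not figures from the article or the audit."""
import math
import re

# Assumed attacker model for passwords shaped like "Password-1234": a list of
# common words, optional capitalisation, an optional separator character, and
# a numeric suffix of 1..4 digits.  Sizes are assumptions.
WORDLIST_SIZE = 10_000          # common-word list tried first
CASE_VARIANTS = 2               # "password" / "Password"
SEPARATORS = 10                 # "", "-", "_", "!", "@", "#", "$", ".", ",", "+"
MAX_DIGITS = 4                  # "1", "12", "123", "1234"

# Assumed passphrase model: words drawn independently from a larger list.
PASSPHRASE_WORDLIST_SIZE = 20_000

# Assumed offline guessing rate against a fast, unsalted hash (guesses/second).
GUESSES_PER_SECOND = 10**10


def meets_complexity_policy(pw: str) -> bool:
    """A typical complexity rule (assumed; not the department's actual policy):
    at least 8 characters with upper, lower, digit and symbol classes present."""
    return (len(pw) >= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def word_plus_digits_search_space() -> int:
    """Number of candidates in the 'word + separator + digits' attack model."""
    digit_suffixes = sum(10**n for n in range(1, MAX_DIGITS + 1))  # 11,110
    return WORDLIST_SIZE * CASE_VARIANTS * SEPARATORS * digit_suffixes


def passphrase_search_space(num_words: int) -> int:
    """Number of candidates when the attacker knows the passphrase is
    num_words independent words from a list of PASSPHRASE_WORDLIST_SIZE."""
    return PASSPHRASE_WORDLIST_SIZE ** num_words


def bits(search_space: int) -> float:
    """Search space expressed as bits of entropy."""
    return math.log2(search_space)


def seconds_to_exhaust(search_space: int) -> float:
    """Worst-case time to try every candidate at GUESSES_PER_SECOND."""
    return search_space / GUESSES_PER_SECOND


def count_words(passphrase: str) -> int:
    """Count the words in a CamelCase passphrase such as 'DinosaurLetterTrailChance'."""
    return len(re.findall(r"[A-Z][a-z]*", passphrase))


if __name__ == "__main__":
    password = "Password-1234"
    passphrase = "DinosaurLetterTrailChance"   # the article's example
    print(f"{password!r} meets complexity policy: {meets_complexity_policy(password)}")
    print(f"{passphrase!r} meets complexity policy: {meets_complexity_policy(passphrase)}")

    pw_space = word_plus_digits_search_space()
    pp_space = passphrase_search_space(count_words(passphrase))
    print(f"{password!r}: ~{bits(pw_space):.1f} bits, "
          f"exhausted in {seconds_to_exhaust(pw_space):.2f} s")
    print(f"{passphrase!r}: ~{bits(pp_space):.1f} bits, "
          f"exhausted in {seconds_to_exhaust(pp_space) / 86400:.0f} days")
```

Under these assumptions “Password-1234” passes the character-class rule yet sits in a space of roughly 2.2 billion guesses (about 31 bits), which a single cracking rig exhausts in well under a second, while a four-word passphrase from a 20,000-word list spans about 57 bits and takes months at the same rate. The example also shows that a naive complexity rule would reject the stronger passphrase, which is why policies that favour length over character classes are a better fit for passphrases.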