I have always wondered about Casino IT security. I can name you atleast 3 Las Vegas casinos that I've visited recently and I've noticed an extremely out-of-date Windows OS being used within plain sight.

Are these airgapped, highly firewalled computers? I hope so...

but when I see casinos with Windows 7 and Windows 8 machines in use, in plain sight and I can see this as a casual customer, I have to wonder what an unethical threat actor must think knowing that there are dozens of known vulnerabilities for these operating systems. Most organizations have policies prohibiting EOL operating systems.

These types of vulnerable systems can be used a pivot point for a future attack, should they somehow gain access.

These are just my arm chair anecdotal observations. I really wouldn't be surprised if the social engineering story is true. There are plenty of well educated, highly informed people who fall for these sorts of things all day, every day.

And a lot of them make exceptions for systems that run legacy software even though they really shouldn't. I recently saw a computer run Windows 3.1 (albeit in a virtual machine) for a vector graphics software from the early 90s. Obviously asked if I could play some original Minesweeper.

The US Military still uses Windows XP.

Yeah and they pay Microsoft very large sums for patches and updates for it. You can get Microsoft to support any EOL OS' if you have enough money.

See people post things like this without any context and understanding that Microsoft still supports these things. It's not like they are running Windows XP without any kind of patching for vulnerabilities in the last 10 years.

From what I'm reading, I'm starting to think there was likely was an element of social engineering in play.

How many times do we hear about underpaid employees who DNGAF and throw out all of their training because they fell prey to a skilled social engineer?

To that $18 an hour employee, who cares if they get fired. There's plenty of places that pay that.

My point being, when corporations start paying people a living wage, they might take their training more seriously since this is a job they may not want to lose. If said person who was social engineered was paid way more than that, yikes, shame on MGM for hiring folks and not constantly reminding them of their IT policies to help promote social engineering awareness.

I think sometime in the mid 2010s, cybercrime became more profitable than the drug trade. Most people do not realize this, and it will only get worse from here unless people and organizations start taking things more seriously. Once this is taken more seriously, the biggest threat, in my mind, would be insider threats.

There are some extremely sharp poker playing cyber security professionals in the world.

I feel like poker and cyber have a lot of cross over, and that's something that isn't commonly pointed out.

Like poker, cyber is a game of incomplete information. To be good at cyber, you have to be good at predicting what people will do, or what they may be capable of doing. You literally have to plug leaks when you find them (I.e. patch a server, firewall rules, etc)

Ive probably went to far off topic, but wanted to point that out there is a potential for poker skillset crossover for anyone thinking about a career in cybersecurity.

this is a bit of a stretch IMO

Maybe, maybe not.. but some of the top cyber security researchers call themselves Poker Players and I thought that was interesting.

https://www.cybersecpeople.com/podca...kelton-codingo

There's plenty of overlap.

Poker is a puzzle to be solved. So is cyber. There are weaknesses you target if you're on the attack and weaknesses to protect if you're on defence. There's lots of skills to learn and a lot of depth to all of them. It's an entirely appropriate comparison imo.

Im an idiot with this kind of stuff.

How long can this take mgm to get this fixed?

A lot easier to pay the "foolish" employee $10K and pretend you conned them than to run the risk your con fails.

Should I be worried if I have funds in my front $ account?

They’re claiming 2 weeks… but I’ll take the under.

How hard could getting a network back up possibly be?

What’s the benefit of them doing it this way rather than just upgrading the OS?

Source: https://gist.githubusercontent.com/B.../gistfile1.txt

Along with personal files this is probably some form of a DDOS attack, flooding MGM's servers inoperable. Somewhat amusing to think about the Casino Giants squirming. Robbed people of billions, now the tables turn and they get exploited. I'd pay up, buy time for adapting to an entirely new system. But we know how big these Egos are.

If you read the ^^ gist, they've been completely owned, are locked out of all their own servers, and are refusing to negotiate. This thread sounds like when Trump tried to talk about "the cyber". Are you all MGM's IT team?

I don't know anything about IT or understand a lot of that statement so perhaps this is my ignorance talking, but if it were directed at me I would be terrified.

so what does this mean exactly? if they don't pay up they're ****ed for a very long time?

Here, I'll translate some to less technical words:


They tried to talk to MGM, but MGM won't respond.

They didn't use ransomware until MGM shut it's systems down.

MGM shut down their internal authentication servers and locked themselves out.

MGM no longer had admin access to their servers and their security team is bad at their job.

MGM didn't respond so ransomware was deployed.

MGM logged into chat, but didn't adequately identify themselves as authorized MGM personnel.


That's pretty much it, It says MGM is incompetent and not cooperating with hackers. If the posted text is legit, MGM can't do anything but cooperate as all data compromised and the hackers own their servers.

any guesses to how much Caesars paid or how much the Hackers want from MGM?

I read they originally demanded Caesars pay 30 million but Caesars negotiated down to 15 million lol, what a world

Caesars cyber insurance probably covered up-to 15 million, so 15 million was what they paid....

That's actually a pretty good non technical summary.

But makes the assumption that the blackmailers are telling the truth. Do you believe all criminals?