
The Dark Side of NetSec - Researcher Assaulted after Disclosing Vulnerabilities

rcmaehl

FOREWARNING: This is a longer than normal post as it requires some background on the events leading up. I will attempt to trim it down throughout the day.

Source:
Secjuice
 

Summary:
A security researcher was assaulted by casino vendor Atrient during ICE London after previously disclosing vulnerable servers widely used by casinos worldwide.

Quotes/Excerpts:

Background:

Quote

Two white-hat security researchers, Dylan and Me9187, noticed what looked like a casino's player reward server (with no authentication) exposed to the public internet. After a little more investigation by the researchers, it became obvious that the server was supporting player reward kiosks in different casinos all over Las Vegas. These kiosks are made by a vendor called Atrient, who market them as a 'PowerKiosk Marketing Platform' and sell them to casinos globally, who then use these kiosks to engage their casino customers with a loyalty reward program. When the researchers discovered that the unauthenticated reward server was directly connected to the kiosks on the casino floor, they realized that the API the kiosks used was wide open and extremely vulnerable to criminal abuse. Because there is no SSL protection and because the API is wide open and vulnerable to abuse, it is possible to identify kiosks by their MAC address and use the unsecured API to change details, track users and add credit to user accounts, and even spin up a kiosk on a virtual machine in order to have your own personal kiosk at home. The security researchers who first discovered this vulnerability, Dylan and Me9187, told me that the vulnerability was just the tip of the iceberg when it came to sloppy security practices at Atrient. They saw casino WiFi network passwords stored in plaintext, user personal data stored in plaintext and no attempt to secure anything. They even found Atrient's third-party contractors (based in India) posting Atrient's source code on GitHub and asking Stack Overflow questions about it. The security researchers acted in good faith, followed responsible disclosure best practices and tried to directly contact Atrient. Unfortunately Atrient completely ignored repeated emails to multiple executives and members of the Atrient team.


Disclosure:

Quote

When I sent out the tweet reporting that I was working on a story about the vulnerability, one which affected casinos all over Las Vegas, the tweet was noticed by the FBI's Cyber Fusion Unit, who then reached out to me for a conversation. I was asked by the FBI to put together a call with the researchers, who, wanting to act in good faith, agreed to join the call. They were scared though, it was the FBI after all. On that call the researchers thoroughly briefed the FBI on what they had found and the attempts they had made to contact Atrient. Now that the FBI was involved it seemed as if Atrient was finally taking the vulnerability disclosure seriously, which gave us hope that the vulnerability would be taken seriously and quickly remediated. The next day I joined the vendor call with the FBI and the security researchers; Atrient was represented by Jessie Gill, their COO, and another member of staff. They clearly explained to Atrient how the risk of abuse was extremely high because there is no way to differentiate the legit calls from the malicious API calls in the Atrient back end system, leaving it wide open to malicious exploitation by criminals. During the call the FBI asked Atrient if they had properly notified their customers of this breach and vulnerability in their systems; their COO Jessie quickly replied "let's talk about this offline", immediately closing down the question. He then blurted out "I want to own this, its IP and what you know". I have been told by the researchers that Jessie Gill promised them a bug bounty of $60,000 and asked them to keep the incident quiet until their lawyers could draw up an NDA and legal agreement for them to sign. Jessie Gill promised the researchers that lawyers would be in touch and send them those agreements, a promise that he made again and again for months.


Assault:

Quote

From that point on Atrient led the researchers by the nose with the promise of money and gave them the run around. It became clear over four months that no legal paperwork or bug bounty was forthcoming, and Atrient did not at any time ask the researchers to sign an NDA. It also became clear to the researchers that Atrient had made no significant changes to their security policies or the security of their services in that time frame. Almost four months after the initial disclosure to Atrient, the security researchers learned that the Atrient CEO Sam Attisha had big plans for the ICE Conference in London, where the security researchers are based, around the new facial recognition feature in their kiosks that scanned users' faces and uploaded the biometric data to their servers. This alarmed the researchers, who quite rightly identified the facial scans as a serious privacy risk for the users, especially if the back end infrastructure was not properly secured, further compounding the existing security problems Atrient had. They went along to ICE as registered attendees to try and meet with Atrient COO Jessie Gill, who they had been talking to for three months, and Atrient CEO Sam Attisha in order to raise these concerns and look them in the eye. When one of the security researchers, Dylan Wheeler, approached COO Jessie Gill and introduced himself as the researcher who Jessie had been dealing with, Jessie suddenly lunged at the researcher and violently grabbed him by his clothes on his chest before then tearing his attendee badge away from him, telling the researcher that he didn't need it anymore and that he would keep hold of it. This whole incident was witnessed by multiple people, including Atrient CEO Sam Attisha, who said nothing throughout the whole incident. The researcher started to video the incident on his phone as soon as Atrient COO Jessie Gill released him.
You can see in the video below Atrient COO Jessie Gill threatening the researcher with Scotland Yard before then denying that he knew him, when he very obviously knew exactly who the security researcher was. The security researcher has since reported the assault to the London Metropolitan Police, who are working with conference organizers on this incident.

 

My Thoughts:

This story shines light on some of the dark sides of the cyber security field: vendors and software companies who don't take you seriously, legal threats instead of patches, and assault instead of proper disclosure, due to the fear of their livelihood being affected. While larger companies are setting the standard for vulnerability disclosure, a very large number of companies continue to not take this seriously, or take offense at the disclosure in the form of lawsuits. It really isn't a fun field.

PLEASE QUOTE ME IF YOU ARE REPLYING TO ME

Desktop Build: Ryzen 7 2700X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 48GB Corsair DDR4 @ 3000MHz, RX5700 XT 8GB Sapphire Nitro+, Benq XL2730 1440p 144Hz FS

Retro Build: Intel Pentium III @ 500 MHz, Dell Optiplex G1 Full AT Tower, 768MB SDRAM @ 133MHz, Integrated Graphics, Generic 1024x768 60Hz Monitor


 


32 minutes ago, rcmaehl said:

This story shines light on some of the dark sides of the cyber security field: vendors and software companies who don't take you seriously, legal threats instead of patches, and assault instead of proper disclosure, due to the fear of their livelihood being affected. While larger companies are setting the standard for vulnerability disclosure, a very large number of companies continue to not take this seriously, or take offense at the disclosure in the form of lawsuits. It really isn't a fun field.

Absolutely nothing new under the sun. It's cheaper to just ignore everything and do a quick-and-dirty job than do things properly, and it's still cheaper to harass anyone who tries to report bugs or to threaten them or to try to paint them publicly as crooks themselves. This has been happening for a long while already and it'll keep happening, nothing one can do about basic human greed and disregard for other people.

Hand, n. A singular instrument worn at the end of the human arm and commonly thrust into somebody’s pocket.


Yikes.
Times a fucking million.

~New~  BoomBerryPi project !  ~New~


new build log : http://linustechtips.com/main/topic/533392-build-log-the-scrap-simulator-x/?p=7078757 (5 screen flight sim for 620$ CAD)
LTT Web Challenge is back ! go here : http://linustechtips.com/main/topic/448184-ltt-web-challenge-3-v21/#entry601004


1 minute ago, givingtnt said:

Yikes.
Times a fucking million.

@givingtnt, I didn't about your avatar...

My avatar has the same character!

Won’t visit often..


Wonderful man, this Jessie Gill.

 

https://www.leagle.com/decision/infdco20180828d81

 

Quote

Defendant claims that a few months after her initial employment, around January 2017, her immediate supervisor, Jessie Gill, began sexually harassing her. (ECF No. 6). Defendant alleges that Mr. Gill would make lewd suggestive comments, grope defendant's body, claim that there is a sex tape of defendant, make sexual overtures, and forcefully pry defendant's legs apart as if to impose sexual behavior. (ECF No. 14). Defendant continues that when she would reject these advances, Mr. Gill would criticize her work performance. Id.

 


white hat: *tries to help*

casino owner: *assaults him*

white hat: WTF?!?!?

 

In all seriousness, he really tried to help and got assaulted as a result. In Australia casino laws are extremely strict, and casinos are separate from the rest of the building (if the building has other functions). As in, when you walk in, you don't hear *CLING CLING CLING DING DING DING*; this is done to prevent children from getting into gambling at a young age.

When I stayed at a Las Vegas hotel a year ago, when I got to my hotel, I thought I was at the wrong place, because I was at a casino. Walked out and checked: yes, I'm at the right place. Looked around for a front desk; it's there... at the other end of the building... right in the middle of a lot of casino machines...

I goddamn hate the U.S...

*Insert Witty Signature here*

System Config: https://au.pcpartpicker.com/list/Tncs9N

 


I know a similar story about a guy who managed to find a serious vulnerability in the web banking site of his bank at the time, just by accident. Just by editing the URL he managed to see other people's transactions without knowing to whom those accounts belonged. Being a nice guy, he sent a mail to the bank with a description of the issue, just to receive a month later a legal threat from the bank's legal team that, paraphrasing, "it is not a vulnerability on its own because no one discovered it before. So, since he discovered it, he made that vulnerability a real vulnerability, so he should fix it". What I know is that he just replied to them with some links about web security and the definition of the word "vulnerability", and that on the following day he closed his banking account at that bank.

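The two failures described in this thread, the kiosk API in the Secjuice excerpt (identity is a client-asserted MAC address, no authentication, any account reachable) and the banking site in Niksa's story (editing the URL shows other people's transactions), are the same missing controls: the server never authenticates the caller and never checks that the caller is allowed to touch the object named in the request. The Python below is an added example, not code from the article, from Atrient or from anyone in this thread; every kiosk id, secret, MAC address, account number and balance is a constructed sample value. It puts the weak handler next to a hardened one that requires each kiosk to sign its requests with a secret provisioned to that kiosk and only serves the account checked in at that kiosk.

```python
"""Constructed example: a reward-account API in a weak and a hardened form.

Weak: the caller picks its own identity (a MAC address) and any account id.
Hardened: per-kiosk HMAC over the request with timestamp and nonce, then an
object-level check that the account in the URL belongs to the kiosk's session.
"""
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Optional

# All identifiers, secrets and balances below are constructed sample values.
KNOWN_MACS = {"AA:BB:CC:00:00:17"}                                   # what the weak design trusts
KIOSK_SECRETS = {"kiosk-0017": b"secret-provisioned-to-kiosk-0017"}  # hypothetical per-device keys
ACCOUNTS = {1001: {"credit": 20}, 1002: {"credit": 5}}
ACTIVE_SESSIONS = {"kiosk-0017": 1001}   # player 1001's card is currently in kiosk-0017
MAX_SKEW_SECONDS = 300
_seen_nonces = set()                     # (kiosk_id, nonce) pairs already accepted


def weak_get_balance(client_mac: str, account_id: int) -> int:
    """Weak design: a MAC anyone can claim, and any account id is served."""
    if client_mac not in KNOWN_MACS:
        raise PermissionError("unknown kiosk")
    return ACCOUNTS[account_id]["credit"]


@dataclass
class SignedRequest:
    kiosk_id: str
    method: str
    path: str
    body: bytes
    timestamp: int
    nonce: str
    signature: str = ""


def _canonical(req: SignedRequest) -> bytes:
    """Bytes covered by the signature: every field a forger could alter."""
    body_hash = hashlib.sha256(req.body).hexdigest()
    parts = [req.kiosk_id, req.method, req.path, body_hash, str(req.timestamp), req.nonce]
    return "\n".join(parts).encode()


def sign_request(req: SignedRequest, secret: bytes) -> SignedRequest:
    """Client side: HMAC-SHA256 over the canonical form with the kiosk's secret."""
    req.signature = hmac.new(secret, _canonical(req), hashlib.sha256).hexdigest()
    return req


def verify_request(req: SignedRequest, now: Optional[int] = None) -> bool:
    """Server side: known kiosk, fresh timestamp, unused nonce, valid signature."""
    secret = KIOSK_SECRETS.get(req.kiosk_id)
    if secret is None:
        return False
    now = int(time.time()) if now is None else now
    if abs(now - req.timestamp) > MAX_SKEW_SECONDS:
        return False                     # stale or far-future request
    if (req.kiosk_id, req.nonce) in _seen_nonces:
        return False                     # replay of an already-accepted request
    expected = hmac.new(secret, _canonical(req), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, req.signature):
        return False
    _seen_nonces.add((req.kiosk_id, req.nonce))
    return True


def hardened_get_balance(req: SignedRequest, now: Optional[int] = None) -> int:
    """Authenticate the kiosk, then check it may touch the account in the path."""
    if not verify_request(req, now):
        raise PermissionError("request not authenticated")
    account_id = int(req.path.rsplit("/", 2)[1])   # path shape: /accounts/<id>/balance
    if ACTIVE_SESSIONS.get(req.kiosk_id) != account_id:
        raise PermissionError("kiosk not authorized for this account")
    return ACCOUNTS[account_id]["credit"]


def attempt(fn, *args, **kwargs) -> str:
    """Run a handler and report 'ok:<value>' or 'denied' for easy comparison."""
    try:
        return f"ok:{fn(*args, **kwargs)}"
    except PermissionError:
        return "denied"


if __name__ == "__main__":
    t = 1_700_000_000
    secret = KIOSK_SECRETS["kiosk-0017"]
    print(attempt(weak_get_balance, "AA:BB:CC:00:00:17", 1002))   # ok:5 - any account is readable
    good = sign_request(SignedRequest("kiosk-0017", "GET", "/accounts/1001/balance", b"", t, "n1"), secret)
    print(attempt(hardened_get_balance, good, now=t))              # ok:20
    print(attempt(hardened_get_balance, good, now=t))              # denied - replayed nonce
    other = sign_request(SignedRequest("kiosk-0017", "GET", "/accounts/1002/balance", b"", t, "n2"), secret)
    print(attempt(hardened_get_balance, other, now=t))             # denied - not this kiosk's session
```

The signature binds the kiosk's identity to a secret only that kiosk holds, so knowing a MAC address no longer lets a caller impersonate a kiosk, and the nonce and timestamp bound replay of captured requests. Two caveats: the secret must be provisioned per device, not derived from anything the device broadcasts, and request signing gives integrity and authentication only, so the "no SSL" point in the article still stands and the transport needs TLS for confidentiality.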

1 hour ago, Niksa said:

I know a similar story about a guy who managed to find a serious vulnerability in the web banking site of his bank at the time, just by accident. Just by editing the URL he managed to see other people's transactions without knowing to whom those accounts belonged. Being a nice guy, he sent a mail to the bank with a description of the issue, just to receive a month later a legal threat from the bank's legal team that, paraphrasing, "it is not a vulnerability on its own because no one discovered it before. So, since he discovered it, he made that vulnerability a real vulnerability, so he should fix it". What I know is that he just replied to them with some links about web security and the definition of the word "vulnerability", and that on the following day he closed his banking account at that bank.

"Sir there is not a hole in the floor, neither was there an issue with a hole in the floor until you showed that there was a hole in the floor, kindly fix the hole in the floor you made"


I don't understand why they react like this. Why can't they just fix it and move on?

 

I have a friend going through the legal process now, I won't give any of the details but the outline goes like this.

 

- Friend discovers serious security flaw on company website

- company sues for security breach, but friend told no one besides company

- friend racks up tons of debt defending himself

- friend wins

- friend countersues for legal costs.

- results pending but friend will likely win.

 

If I ever find a bug and said company doesn't have a known bug bounty program, I'm just going to anonymously report it to the media. I don't want to go through that crap.

System specs:

4790k

GTX 1050

16GB DDR3

Samsung evo SSD

a few HDD's


19 hours ago, rcmaehl said:

It really isn't a fun field.

This reminds me of two videos from Symantec. 

 

There is more that meets the eye
I see the soul that is inside

 

 


12 minutes ago, Terryv said:

I don't understand why they react like this. Why can't they just fix it and move on?

Because that costs time and money.


This makes the sister act storyline a little more real than I want it to be.

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


2 hours ago, Terryv said:

When the wrong people find the flaw, it's usually much more expensive.

Yes absolutely. But you have to look at things from a business perspective. 

It's either spending money now, or maybe getting away with spending no money. 

 

Or they simply forget it because they aren't a security company and the issue never lands at the desk of the right person. 


12 minutes ago, LAwLz said:

Yes absolutely. But you have to look at things from a business perspective. 

It's either spending money now, or maybe getting away with spending no money. 

 

Or they simply forget it because they aren't a security company and the issue never lands at the desk of the right person. 

I get that, but outright attack or sue whoever pointed this out to you is wrong.

System specs:

4790k

GTX 1050

16GB DDR3

Samsung evo SSD

a few HDD's


10 hours ago, LAwLz said:

Yes absolutely. But you have to look at things from a business perspective. 

It's either spending money now, or maybe getting away with spending no money. 

 

Or they simply forget it because they aren't a security company and the issue never lands at the desk of the right person. 

It'll cost them more, later, when someone steals a crap ton of information and they get sued by the corporate customers as well as the people whose information and money possibly get stolen.

 

What a bunch of dumbasses. I would drop them like a rock if I was a customer of theirs. Especially now, if the vulnerability is still in play.

Ketchup is better than mustard.

GUI is better than Command Line Interface.

Dubs are better than subs


16 hours ago, Terryv said:

I get that, but outright attack or sue whoever pointed this out to you is wrong.

Yea, attacking went way over the line and should not have happened even from scummy companies.

However, I am playing devil's advocate here and just talking about why other companies often don't fix their security issues.

 

And sadly, companies suing or attacking (legally, not physically) security researchers is quite common. There are constantly laws being pushed to make it illegal to do things such as inspect how software works, try and find security issues, or reverse engineer things.

 

5 hours ago, Trik'Stari said:

It'll cost them more, later, when someone steals a crap ton of information and they get sued by the corporate customers as well as the people whose information and money possibly get stolen.

 

What a bunch of dumbasses. I would drop them like a rock if I was a customer of theirs. Especially now, if the vulnerability is still in play.

Well, someone stealing stuff might not happen. So it's fix stuff now for a lot of money, or ignore it and hopefully nothing bad happens. Sadly a lot of times companies take the risk of not fixing it.

 

And chances are you wouldn't be able to just drop them if you were a customer. When your own business relies on someone else's technology, you are essentially a slave to them. Switching to some other provider might be a very money- and time-demanding task you might not even have the staff to carry out.


I spent far too long reading two different stories about this lol.

 

What a ride.  I really hope Atrient goes under after all this.  

 

Good riddance if they do.

Main Rig:

Case: Lian Li Lancool Mesh RGB

CPU: Ryzen 5 3600 

Cooler: CoolerMaster MasterLiquid 240

MB: MSI B550 Gaming Pro Carbon 

Ram: Gskill DDR4 3600 x 32GB 

GPU: Asus Arez Strix Vega 64 OC

PS: Seasonic FOCUS Gold Plus Series SSR-750FX

SSD1: Crucial P1 1TB NVME

SSD2: Adata SU800 512gb M.2 Sata

HDD: Hitachi 2TB 7200RPM + 3x 2TB WD Passport USB 3.0

Monitors: AOC C24G1

Keyboard: Cheap Blue Knockoff Mechanical

Mouse: Uhuru Gaming Mouse
OS: Pop! 21.04



Current Vintage Equipment:  Please ask me about it, I love to talk old tech!
IBM Thinkpad 390, IBM Aptiva A12, IBM PS/2 Model 25-004.  Compaq Contura 4/25C, Presario 7596
Asus P5A-B Socket 7 Box, Tandy 1000RLX-HD "B" & 1200-2FD, VIC20, Zenith ZFL-181-93, Packard Bell 300SX.

Apple II/gs, Mac Plus x2, Mac SE x2, Performa 450


On 2/8/2019 at 12:04 AM, Terryv said:

When the wrong people find the flaw, it's usually much more expensive.

Maybe the wrong people should rediscover the flaw after this. 


They are totally not going to get any sort of bug bounty now. 

Hope casino owners smarten up and drive Atrient to bankruptcy.

CPU: AMD Ryzen 3700x / GPU: Asus Radeon RX 6750XT OC 12GB / RAM: Corsair Vengeance LPX 2x8GB DDR4-3200
MOBO: MSI B450m Gaming Plus / NVME: Corsair MP510 240GB / Case: TT Core v21 / PSU: Seasonic 750W / OS: Win 10 Pro
