WEBVTT - The High Tech Heist 0:00:04.440 --> 0:00:12.520 Welcome to tech Stuff, a production from iHeartRadio. Hey there, 0:00:12.560 --> 0:00:15.720 and welcome to tech Stuff. I am your host, Jonathan Strickland. 0:00:15.760 --> 0:00:19.000 I am an executive producer with iHeartRadio. And how the 0:00:19.040 --> 0:00:22.760 tech are you? I am recording live here from the 0:00:22.960 --> 0:00:26.360 iHeart Podcast studio powered by Bose at the House of 0:00:26.480 --> 0:00:30.440 Music at the iHeartRadio Music Festival. I'm sure you're gonna 0:00:30.440 --> 0:00:33.560 be able to hear some of the ambience, let's call 0:00:33.600 --> 0:00:36.640 it here at the festival. And that's just proof that 0:00:36.680 --> 0:00:41.040 I'm actually here. I don't know how that happened. I 0:00:41.080 --> 0:00:44.240 am nowhere near cool enough to have been invited here. 0:00:45.159 --> 0:00:48.360 I guess they didn't listen to the show first. That's 0:00:48.400 --> 0:00:51.480 fine with me, though. There's some pretty incredible musical acts 0:00:51.479 --> 0:00:53.400 that are going to be rocking out in the arena 0:00:53.440 --> 0:00:55.800 that's right in front of me, and I will sit 0:00:55.800 --> 0:00:58.320 here and talk about geeky tech stuff. So the question 0:00:58.480 --> 0:01:01.680 is then, what topic should I cover for this episode? 0:01:01.680 --> 0:01:03.480 And I asked myself that several times. I had a 0:01:03.520 --> 0:01:06.280 lot of possible answers. Maybe I could talk about the 0:01:06.319 --> 0:01:08.640 tech of running a concert, for example, there's a lot 0:01:08.680 --> 0:01:11.039 of tech involved in that. Maybe I could just talk 0:01:11.040 --> 0:01:13.800 about the tech needed to make sure a band's equipment's 0:01:14.040 --> 0:01:18.320 all working properly. I could talk about sound systems, or lasers, 0:01:18.400 --> 0:01:23.400 or pyrotechnics or all sorts of stuff, but I'm in Vegas, baby, 0:01:23.920 --> 0:01:26.240 And what's more, I'm staying at a hotel that's owned 0:01:26.240 --> 0:01:29.840 by MGM Resorts. So I think the topic to tackle 0:01:30.040 --> 0:01:32.840 is the recent hacker attack on that company. So what 0:01:32.959 --> 0:01:36.520 exactly happened, who is responsible or who do we think 0:01:37.000 --> 0:01:40.280 is responsible, how did it unfold, and what are the 0:01:40.319 --> 0:01:43.880 ongoing consequences. So sit back, folks, it's time to do 0:01:43.920 --> 0:01:49.800 a casino heist podcast episode tech stuff style. Now, Originally 0:01:49.840 --> 0:01:53.520 I thought I do a quick history of MGM Resorts International, 0:01:53.640 --> 0:01:56.560 you know, the company that became the target of the hackers. 0:01:57.040 --> 0:02:00.880 But as it turns out, that company's history is, let's say, 0:02:00.880 --> 0:02:05.400 it's super complicated, and it overlaps the history of MGM Studios, 0:02:05.600 --> 0:02:08.800 the film company, as well as numerous other companies both 0:02:09.080 --> 0:02:11.280 within the gambling world and beyond. 0:02:11.840 --> 0:02:14.480 So rather than go through all of that, which would 0:02:14.520 --> 0:02:17.640 be confusing in an entire episode by itself, I'm just 0:02:17.680 --> 0:02:21.840 gonna kind of give you a summary. So, since the 0:02:21.880 --> 0:02:25.160 mid nineteen eighties, the company that we now call MGM 0:02:25.200 --> 0:02:29.040 Resorts International has had some major ups and downs. It 0:02:29.120 --> 0:02:32.639 has also over time swallowed up other companies that operated 0:02:32.680 --> 0:02:36.320 resorts and casinos in Vegas and in other places. Today, 0:02:36.520 --> 0:02:40.840 MGM Resorts International operates but does not own, numerous resorts 0:02:40.840 --> 0:02:44.440 in Vegas and beyond. Among the Vegas properties are the 0:02:44.560 --> 0:02:50.520 MGM Grand and assorted MGM properties like Park MGM, the Blagio, 0:02:51.080 --> 0:02:55.959 the Aria, the Cosmopolitan New York, New York, Excalibur, the Luxor, 0:02:56.320 --> 0:02:59.240 Mandalay Bay, and some more. And it also has a 0:02:59.280 --> 0:03:02.280 more than forty ownership of the T Mobile Arena, the 0:03:02.280 --> 0:03:05.639 building that is directly in front of me, just the building. However, 0:03:05.680 --> 0:03:10.160 they do not own the land. The company made somewhere 0:03:10.160 --> 0:03:14.600 in the neighborhood of thirteen billion dollars in revenue last year. 0:03:14.880 --> 0:03:17.800 That was an increase from nearly nine point seven billion 0:03:17.919 --> 0:03:20.799 from the year before, and it seems that twenty twenty 0:03:20.840 --> 0:03:23.679 two saw the highest revenues in the company's history so far. 0:03:24.040 --> 0:03:27.160 Of course, revenue is not the same as income. That's 0:03:27.280 --> 0:03:30.160 more to the tune of one point four billion dollars 0:03:30.160 --> 0:03:34.119 for twenty twenty two. That's a lot of money, princely 0:03:34.400 --> 0:03:38.280 sum as I might say they own more than thirty 0:03:38.440 --> 0:03:41.920 billion dollars worth of assets. So, in other words, to 0:03:42.280 --> 0:03:48.360 enterprising thieves, MGM Resorts International is a tempting target. Heck, 0:03:48.760 --> 0:03:51.520 that's the stuff of heist movies, right, except a heist 0:03:52.120 --> 0:03:55.000 is typically a high risk endeavor and it's almost bound 0:03:55.040 --> 0:03:58.120 to fail. Successful heists have happened in the past, even 0:03:58.160 --> 0:04:01.480 in Vegas, but more often not, the house comes out 0:04:01.480 --> 0:04:05.760 on top. Moving the heist into the realm of computer 0:04:05.840 --> 0:04:10.120 systems becomes a different matter. However, it's more likely that 0:04:10.160 --> 0:04:12.400 you can find a way to pull off your crimes 0:04:12.440 --> 0:04:15.480 while you protect yourself. Now, before we move on to 0:04:15.560 --> 0:04:18.839 the actual hacking attack, I also need to mention the 0:04:18.920 --> 0:04:24.400 company Caesar's Entertainment. Like MGM, Caesar's has a really, really 0:04:24.440 --> 0:04:28.719 complicated history. It's filled with mergers and acquisitions and sales 0:04:28.760 --> 0:04:33.000 and even bankruptcies. It gets bonkers. The most recent move 0:04:33.080 --> 0:04:35.479 of that company was in twenty twenty. That's when another 0:04:35.520 --> 0:04:40.800 company called El Dorado Resorts Incorporated acquired Caesar's Entertainment Corporation. 0:04:41.360 --> 0:04:45.159 Then El Dorado Resorts changed its own name to Caesar's Entertainment. 0:04:45.560 --> 0:04:47.760 But there are other companies that are lumped in there. 0:04:47.800 --> 0:04:51.479 As well, like Hera's Entertainment is part of that. Anyway. 0:04:51.480 --> 0:04:54.520 In twenty fifteen, Caesar's went into bankruptcy, and as part 0:04:54.520 --> 0:04:56.920 of the effort to get out of bankruptcy, the company 0:04:57.000 --> 0:05:00.039 split into two entities. One would be a company that 0:05:00.040 --> 0:05:04.039 would actually operate the various resorts and casinos. The other 0:05:04.080 --> 0:05:06.760 would be what is called a real estate investment trust 0:05:06.839 --> 0:05:11.599 or REIT, which would actually own all the properties. To 0:05:11.640 --> 0:05:14.320 get into riits is beyond the scope of the show, 0:05:14.320 --> 0:05:18.280 but y'all, they can be monsters anyway. The spin off 0:05:18.480 --> 0:05:23.039 OREIT took the name VICH after Vinnie vid Vic. You know, 0:05:23.120 --> 0:05:27.040 I came, I saw I conquered, So VICH technically owns 0:05:27.080 --> 0:05:31.800 many nineteen in fact of Caesar's properties. Here's the wild thing. 0:05:32.080 --> 0:05:36.680 Last year VICH acquired ownership of thirteen MGM properties. So 0:05:36.800 --> 0:05:40.960 both Caesar's Entertainment and MGM Resorts International pay rent to 0:05:41.040 --> 0:05:44.760 VICE in order to operate their respective casinos. So you 0:05:44.800 --> 0:05:46.880 want to know what the power behind the throne is, 0:05:47.560 --> 0:05:52.120 look to vch. Anyway, while all those dealings are worthy 0:05:52.200 --> 0:05:54.960 of a deep and engrossing podcast series, this is a 0:05:55.040 --> 0:05:59.400 hint somebody make a podcast series about these real estate 0:05:59.440 --> 0:06:04.560 companies and their involvement in Las Vegas because it is fascinating, 0:06:05.000 --> 0:06:07.920 but our focus should really be on the hacker attacks. Now. 0:06:07.960 --> 0:06:10.440 It is important that I mentioned Caesar's because while the 0:06:10.480 --> 0:06:14.080 attack on MGM's properties was the major attack that's been 0:06:14.080 --> 0:06:16.320 in the news for a couple of weeks, now, those 0:06:16.320 --> 0:06:20.120 same hackers, or at least some of them, first targeted 0:06:20.120 --> 0:06:24.120 Caesar's Entertainment a little earlier. Two of the biggest gambling 0:06:24.160 --> 0:06:26.960 companies in the world have fallen prey to hackers, and 0:06:27.040 --> 0:06:30.600 it appears that the foothold the hackers established came courtesy 0:06:30.640 --> 0:06:34.560 of a third party security firm and also involves a 0:06:34.680 --> 0:06:41.240 very important company in tech, namely Octa. Now, y'all, the 0:06:41.279 --> 0:06:43.960 hacker attack is bad news for MGM, there's no way 0:06:44.000 --> 0:06:46.680 around it. But I would actually argue it could be 0:06:46.760 --> 0:06:49.560 way worse for Octa, at least as far as reputations go. 0:06:49.640 --> 0:06:54.160 And that's because Octa is an identity and access management company. 0:06:54.200 --> 0:06:57.880 This is the company that markets the user authentication system 0:06:58.000 --> 0:07:02.000 that tons of other companies rely upon. With Octa, a 0:07:02.040 --> 0:07:06.120 company can hand over the trickier elements of user authentication. 0:07:06.960 --> 0:07:10.120 So as companies grow more complex, they might add more 0:07:10.200 --> 0:07:13.160 systems that employees rely upon, and it can be a 0:07:13.200 --> 0:07:15.679 hassle if you need a different log in for every 0:07:15.720 --> 0:07:19.320 single service you use. A service like single sign on 0:07:19.440 --> 0:07:22.760 really simplifies things. You have a username and password and 0:07:22.800 --> 0:07:25.680 that gives you access to a suite of different services 0:07:26.200 --> 0:07:29.640 all with just one log in, So you can see 0:07:29.640 --> 0:07:33.520 where the value of that is right well, with Octa, 0:07:33.840 --> 0:07:37.360 a company can hand over all of this and Octa 0:07:37.440 --> 0:07:41.240 handles it, and you pretty much have to just trust 0:07:41.280 --> 0:07:45.960 Octa to be a good steward of this process now. 0:07:46.040 --> 0:07:49.600 Todd McKinnon and Frederick Krist co founded Octa back in 0:07:49.640 --> 0:07:51.960 two thousand and nine. The company has been the focus 0:07:52.000 --> 0:07:55.200 of a couple of security incidences since it's founding. In 0:07:55.240 --> 0:07:58.360 twenty twenty one, a hacker group secured limited access to 0:07:58.400 --> 0:08:02.320 octasystems by compromising a camera network inside the Octa offices, 0:08:02.640 --> 0:08:06.440 specifically a system designed by Verkaida, a company that I 0:08:06.440 --> 0:08:09.400 should probably talk about in a future episode. In early 0:08:09.440 --> 0:08:13.320 twenty twenty two, a different hacker group known as Lapsus 0:08:13.360 --> 0:08:16.760 accessed OCTA's systems. This time, the attack vector was a 0:08:16.800 --> 0:08:23.160 third party support engineer. Lapsus shared information suggesting that the 0:08:23.480 --> 0:08:26.120 data breach was far greater than what Octa was telling 0:08:26.200 --> 0:08:29.720 the public. But Octa executives really held their ground. They 0:08:29.720 --> 0:08:31.800 said that are only around two point five percent of 0:08:31.800 --> 0:08:35.800 OCTA's customers were potentially impacted by this data breach, and 0:08:35.840 --> 0:08:39.200 that the hackers had limited access to customer data. Octa 0:08:39.280 --> 0:08:42.160 said the data breach lasted for less than half an 0:08:42.160 --> 0:08:45.720 hour and it only hit two customers, whereas Lapses claimed 0:08:45.760 --> 0:08:49.960 and maintained a presence in OCTA's systems or this client 0:08:50.040 --> 0:08:53.439 of OCTA's systems for the better part of a week. Now, 0:08:53.480 --> 0:08:56.120 that attack was bad, but it could have been worse, 0:08:56.440 --> 0:08:58.720 And to be totally fair to Octa, it was really 0:08:58.760 --> 0:09:01.679 the third party security person who was at fault for 0:09:01.720 --> 0:09:05.559 the breach. Though I never really saw details on exactly 0:09:05.600 --> 0:09:08.160 what happened with that one, I imagine it was something 0:09:08.200 --> 0:09:11.280 fairly similar to what we are talking about today. So 0:09:11.400 --> 0:09:14.640 let's set the scene. We're not going to go strictly 0:09:14.679 --> 0:09:19.079 chronologically because some information we wouldn't know about until later, 0:09:19.600 --> 0:09:21.680 so we're going to be jumping around a little bit 0:09:22.200 --> 0:09:25.520 for the purposes of our story. Will begin on September tenth, 0:09:25.760 --> 0:09:30.480 twenty twenty three. That day, some folks who were staying 0:09:30.520 --> 0:09:34.440 at MGM Resort International properties began to encounter errors while 0:09:34.440 --> 0:09:37.960 they were trying to interface with various systems connected to 0:09:37.960 --> 0:09:43.079 those properties. The following day, September eleventh, twenty twenty three, 0:09:43.120 --> 0:09:46.840 things got much worse. Players who were members of MGM 0:09:46.880 --> 0:09:51.760 Resort's loyalty program saw that their loyalty features weren't working. 0:09:52.360 --> 0:09:56.000 The websites went down. People staying at MGM properties found 0:09:56.000 --> 0:09:59.120 that their digital keys that they depended on on their smartphones, 0:09:59.800 --> 0:10:02.120 they they weren't working anymore. They couldn't get into their 0:10:02.200 --> 0:10:06.440 rooms using their digital keys. They these effects got worse. 0:10:06.520 --> 0:10:08.920 You know, a lot of video slot machines went offline. 0:10:08.960 --> 0:10:12.720 That was a huge indicator that something really bad had happened. 0:10:13.160 --> 0:10:17.680 Sports betting features were interrupted even ATMs on casino floors 0:10:18.160 --> 0:10:22.240 went out of service. At eleven twenty seven am Eastern Time, 0:10:22.800 --> 0:10:26.960 MGM Resorts posted on x you know, the platform formerly 0:10:27.000 --> 0:10:30.559 known as Twitter, a little message and it read quote 0:10:31.040 --> 0:10:36.400 MGM Resorts recently identified a cybersecurity issue affecting some of 0:10:36.440 --> 0:10:40.480 the company's systems. Promptly after detecting the issue, we quickly 0:10:40.520 --> 0:10:45.440 began an investigation with assistance from leading external cybersecurity experts. 0:10:45.760 --> 0:10:48.680 We also notified law enforcement and took prompt action to 0:10:48.679 --> 0:10:52.880 protect our systems and data, including shutting down certain systems. 0:10:53.160 --> 0:10:56.560 Our investigation is ongoing and we are working diligently to 0:10:56.640 --> 0:11:01.200 determine the nature and scope of the matter. You know 0:11:01.240 --> 0:11:07.120 it's serious when they say that they responded promptly and quickly. 0:11:07.400 --> 0:11:09.600 When you get both of those back to back, you 0:11:09.720 --> 0:11:15.200 know it's a bad, bad time. And what exactly happened, Well, 0:11:15.240 --> 0:11:18.640 i'll tell you after we come back from this quick break. 0:11:28.400 --> 0:11:32.280 All right, we're back. You are listening to tech stuff 0:11:32.480 --> 0:11:35.920 live at the iHeart Podcast Studio powered by Bows at 0:11:35.960 --> 0:11:40.600 the House of Music at the iHeartRadio Music Festival, in 0:11:40.679 --> 0:11:44.079 the house that John built. This is a pretty incredible experience. 0:11:44.120 --> 0:11:46.440 Whenever I look up, I'm just seeing tons of people 0:11:47.000 --> 0:11:50.720 in various trendy outfits wandering around getting ready for the 0:11:50.760 --> 0:11:54.080 festival and hanging out the House of Music. It's pretty cool. Again, 0:11:54.120 --> 0:11:55.920 I feel like I'm totally out of place here, but 0:11:56.240 --> 0:11:59.000 they invited me, so I guess I should just embrace it. 0:11:59.440 --> 0:12:02.600 So we're going to jump back into this cybersecurity incident 0:12:02.679 --> 0:12:05.760 that hit a couple of major gaming and hotel companies 0:12:06.040 --> 0:12:11.600 and dozens of properties so as you might expect, speculation 0:12:12.360 --> 0:12:16.320 ran rampant regarding the nature of the cybersecurity issue that 0:12:16.440 --> 0:12:20.280 MGM Resorts International mentioned. Some thought that it could just 0:12:20.320 --> 0:12:23.040 be a massive systems failure, like you know, maybe some 0:12:23.520 --> 0:12:28.920 key system that connects everything went down. Some people figured 0:12:29.160 --> 0:12:31.920 it had to be a ransomware attack. Lots of folks 0:12:31.920 --> 0:12:34.280 assumed that the issue would receive a ton of coverage 0:12:34.320 --> 0:12:39.439 on certain podcasts. No one mentioned me, which just hurts 0:12:39.440 --> 0:12:43.080 my feelings, and folks were complaining right away about the 0:12:43.080 --> 0:12:46.560 issues they encountered. One x user posted quote, we are 0:12:46.679 --> 0:12:50.720 at one of your resorts. It's pretty widespread. We can't 0:12:50.920 --> 0:12:55.199 check in, pay with card, use comps, receive our gifts, 0:12:55.600 --> 0:12:59.120 get tickets out of machines. End quote. Others claimed they 0:12:59.160 --> 0:13:02.720 had unexplained charges on their bills. Some of these incidents 0:13:02.800 --> 0:13:08.400 happened before September eleventh, so whether they are accurate, or 0:13:08.440 --> 0:13:11.280 maybe they reflect some other issue that's unrelated to this, 0:13:11.880 --> 0:13:14.760 or maybe they're the attempt of cashing in on a 0:13:14.800 --> 0:13:17.920 bigger problem, I can't say. I don't know. I just 0:13:18.000 --> 0:13:22.360 know people reported it. The websites for various MGM resorts, 0:13:22.679 --> 0:13:25.920 as well as the sites for restaurants on MGM properties 0:13:26.280 --> 0:13:30.160 all went down. MGM replaced its website with kind of 0:13:30.160 --> 0:13:33.400 a landing page that directed people to call resorts directly, 0:13:33.720 --> 0:13:35.960 so it just listed each resort and its phone number, 0:13:36.200 --> 0:13:38.000 so you would have to call them on the phone, 0:13:38.160 --> 0:13:42.720 you know, like a caveman. That's a joke. I'm old 0:13:42.720 --> 0:13:46.360 I still call places on occasion. The following day, MGM 0:13:46.400 --> 0:13:49.360 Resorts gave an update saying that much of its services 0:13:49.400 --> 0:13:53.400 were operational, including entertainment, dining, and gaming, but people were 0:13:53.440 --> 0:13:56.880 still encountering issues. There were still problems with slot machines. 0:13:57.440 --> 0:13:59.640 Hand pay became the method to cash out. This is 0:13:59.640 --> 0:14:02.160 when you have to signal for a casino employee to 0:14:02.200 --> 0:14:06.080 come over and count out by hand your winnings rather 0:14:06.200 --> 0:14:08.600 than getting the machine to print out a ticket, and 0:14:08.640 --> 0:14:11.040 you take that ticket to a payout machine feeded in 0:14:11.120 --> 0:14:13.680 and then you get your cash that way. The ATMs 0:14:13.920 --> 0:14:17.720 were still having issues. People still couldn't check in online, 0:14:17.760 --> 0:14:20.360 They could not make a card payment to book a room. 0:14:20.560 --> 0:14:23.680 At that point, lines were forming at the desks of 0:14:23.760 --> 0:14:26.920 various MGM resort properties because you couldn't use your digital 0:14:27.000 --> 0:14:28.720 keys at all, so you couldn't just check in with 0:14:28.760 --> 0:14:30.440 your phone and then use your phone to get into 0:14:30.480 --> 0:14:32.160 your room. You had to go and get a physical 0:14:32.440 --> 0:14:36.240 key card. It was still like an RFID chip key card, 0:14:36.280 --> 0:14:38.120 so you could hold it up to the door and 0:14:38.160 --> 0:14:40.040 it would open, but you had to have one. You 0:14:40.040 --> 0:14:42.600 couldn't just use your phone to do it. So that 0:14:42.640 --> 0:14:45.000 meant everybody had to go and wait in line to 0:14:45.040 --> 0:14:48.720 get a key. On September twelfth, we heard that a 0:14:48.720 --> 0:14:53.760 hacker group called Alpha ALPHV. Actually that's the way they 0:14:53.960 --> 0:14:57.280 style their name. Sometimes they're also called black Cat. We 0:14:57.360 --> 0:15:00.520 heard that they could have been behind the attack. Now, 0:15:00.680 --> 0:15:03.960 the black Cat name actually comes from malware that this 0:15:04.000 --> 0:15:08.280 group has created, you know, some malicious software, ransomware to 0:15:08.360 --> 0:15:12.280 be precise, and Alpha introduced that in late twenty twenty one. 0:15:12.360 --> 0:15:16.000 And here's how an Alpha attack would typically work out. 0:15:16.440 --> 0:15:20.080 So the group would end up collaborating with someone to 0:15:20.200 --> 0:15:23.920 inject the malware into a targeted system. That person might 0:15:23.960 --> 0:15:27.760 be a disgruntled employee of the target. Maybe they're not 0:15:27.800 --> 0:15:31.240 even disgruntled, maybe they're just very greedy. Because Alpha would 0:15:31.240 --> 0:15:34.680 offer up to ninety percent of a ransom to the 0:15:34.800 --> 0:15:38.720 quote unquote affiliate. The affiliate could also be some other 0:15:38.800 --> 0:15:42.240 hacker group that its job is just to gain access 0:15:42.280 --> 0:15:45.840 to a system through some means, and Alpha would provide 0:15:45.880 --> 0:15:48.520 the malware while the other group actually would get access 0:15:48.560 --> 0:15:51.120 to the target. It would become this, you know, this 0:15:51.280 --> 0:15:55.000 collaborative effort. Now, this means the business model for Alpha 0:15:55.160 --> 0:15:59.880 is r a as that stands for ransomware as a serve. 0:16:00.800 --> 0:16:05.080 That as a service trend has gotten out of control, y'all. 0:16:05.520 --> 0:16:09.640 So these hackers, who primarily communicate on Russian language platforms, 0:16:10.080 --> 0:16:13.360 build the tools, but they don't necessarily carry out the 0:16:13.400 --> 0:16:18.880 attacks themselves. They're facilitators. The black cat and malware encrypts 0:16:18.920 --> 0:16:22.520 a target computer system, so it makes it inaccessible to 0:16:22.640 --> 0:16:26.680 the system's rightful owner. So imagine you log into your computer, 0:16:27.480 --> 0:16:30.040 but you find out you can't access anything. All the 0:16:30.080 --> 0:16:34.520 files are encrypted, all the methodologies are encrypted. You can't 0:16:34.880 --> 0:16:38.360 decrypt it, so it's just a brick without the key. 0:16:38.760 --> 0:16:41.120 The data on your machine stays out of your reach. 0:16:41.600 --> 0:16:44.240 And then you see a message, and the message tells 0:16:44.280 --> 0:16:47.160 you that the hackers will give you access back to 0:16:47.200 --> 0:16:49.680 your data. They will give you the decryption key, but 0:16:49.920 --> 0:16:54.360 only if you pay them a ransom. Usually this is 0:16:54.560 --> 0:16:59.800 in the realm of millions of dollars. Typically they ask 0:16:59.840 --> 0:17:03.280 for it in the form of cryptocurrency to avoid being 0:17:03.320 --> 0:17:06.680 traced back to the people responsible. And if you don't 0:17:06.720 --> 0:17:10.240 pay up, the hackers will say either you will not 0:17:10.320 --> 0:17:12.760 get access to your data again, it's just gone, or 0:17:12.840 --> 0:17:16.160 they'll delete it. Sometimes they'll say, all right, we won't 0:17:16.160 --> 0:17:17.840 delete it. Instead, what we're going to do is we're 0:17:17.840 --> 0:17:21.320 going to release all that data on a public platform 0:17:21.640 --> 0:17:26.000 so that anyone and everyone can see what it is. Typically, 0:17:26.119 --> 0:17:29.360 ransomware hackers want to target organizations that have a lot 0:17:29.400 --> 0:17:33.080 of money and a lot of incentive to protect data. Now, 0:17:33.119 --> 0:17:37.040 pretty much every organization has an incentive to protect its 0:17:37.119 --> 0:17:41.119 data at least to some extent. Information is the currency 0:17:41.160 --> 0:17:43.879 of the modern era, after all, and while you can't 0:17:43.960 --> 0:17:47.359 spend information, you can sure affect the value of a 0:17:47.440 --> 0:17:52.280 company by stealing their information. But ransomware hackers typically want 0:17:52.320 --> 0:17:58.359 to target organizations that have access to buckets of cash. 0:17:58.520 --> 0:18:04.399 So prime targets for these hackers ideally fall into a 0:18:04.480 --> 0:18:08.239 couple of categories. If it's a really big company and 0:18:08.280 --> 0:18:11.960 its business depends upon the safe keeping of information, particularly 0:18:12.640 --> 0:18:16.600 really personal information, that ends up being a big target. 0:18:17.480 --> 0:18:21.920 So hospitals and other healthcare companies fall into that category. 0:18:22.240 --> 0:18:26.320 By law, these companies are meant to keep patient data secure. 0:18:26.359 --> 0:18:29.359 There in big trouble if they don't, And obviously any 0:18:29.359 --> 0:18:33.320 healthcare company that fails to live up to that would 0:18:33.359 --> 0:18:36.879 have a massive problem, not just from the government or 0:18:36.920 --> 0:18:39.720 from law enforcement, but you know, they would lose the 0:18:40.400 --> 0:18:44.359 confidence of patients, and patients could have their lives really 0:18:44.480 --> 0:18:49.600 upturned if their personal health information gets shared everywhere. So 0:18:49.640 --> 0:18:53.000 the thinking goes that those companies are more likely to 0:18:53.000 --> 0:18:55.160 pay a ransom in order to make the problem go away. 0:18:56.000 --> 0:19:01.520 That's why ransomware hackers target healthcare companies so frequently. They 0:19:01.560 --> 0:19:04.800 have a very high incentive to get the problem fixed 0:19:04.840 --> 0:19:09.200 as quickly as possible. Well, casinos and resorts definitely fall 0:19:09.280 --> 0:19:13.560 into a similar category. Right first, you've probably heard the 0:19:13.560 --> 0:19:17.239 phrase the house always wins. Well, that phrase references the 0:19:17.240 --> 0:19:20.800 fact that the odds are ever in the favor of 0:19:20.840 --> 0:19:25.080 the house. You might have a good night at the tables, 0:19:25.320 --> 0:19:27.320 and you might leave with more money than you brought 0:19:27.359 --> 0:19:30.359 with you, but lots of other people will end the 0:19:30.520 --> 0:19:34.120 night down with less money than what they started with. 0:19:34.480 --> 0:19:37.199 Or maybe you'll also be down a little bit, and 0:19:37.240 --> 0:19:40.280 other folks will also be down a bit, and some 0:19:40.359 --> 0:19:44.080 of them might be down a lot. All casino games 0:19:44.400 --> 0:19:47.439 favor the house, and that makes sense because if they 0:19:47.440 --> 0:19:49.920 didn't favor the house, then casinos would soon be out 0:19:49.920 --> 0:19:54.200 of business, right So instead, collectively the casinos in Nevada 0:19:54.320 --> 0:19:57.600 can make at least a billion dollars every month. That's 0:19:57.760 --> 0:20:01.480 across all the casinos in Nevada. Some games will give 0:20:01.520 --> 0:20:05.399 you better shot at winning that other games. Blackjack is 0:20:05.400 --> 0:20:08.080 a game that has fairly decent odds, somewhere in the 0:20:08.080 --> 0:20:10.760 neighborhood of forty percent to win. Dealers have about a 0:20:10.800 --> 0:20:14.520 forty nine percent chance to win. And you might think, oh, 0:20:14.640 --> 0:20:17.320 forty nine plus forty's that's not one hundred. Well, that's 0:20:17.359 --> 0:20:19.239 because the rest of the odds kind of cover the 0:20:19.280 --> 0:20:21.840 case where you could have a draw or a push 0:20:21.880 --> 0:20:25.520 where you go to the next hand. Meanwhile, games like 0:20:25.840 --> 0:20:28.680 kino or the Wheel of Fortune, they have some of 0:20:28.720 --> 0:20:31.920 the worst odds in gambling. So that doesn't mean you're 0:20:31.960 --> 0:20:36.080 destined to lose if you play, but the chances are 0:20:36.160 --> 0:20:42.640 pretty darn high. So anyway, this means that casinos make 0:20:43.000 --> 0:20:46.200 a lot of money. If I might elaborate, they make 0:20:46.240 --> 0:20:49.160 a crap ton of money and that puts them firmly 0:20:49.240 --> 0:20:52.200 in one of the categories that ransomware hackers love to target, 0:20:52.520 --> 0:20:56.040 companies that are flush with cash. On top of that, 0:20:56.800 --> 0:21:00.000 these casinos deal with a lot of customer data, whether 0:21:00.119 --> 0:21:03.080 it's someone staying at a resort or a gambler who 0:21:03.119 --> 0:21:05.840 has signed up to participate in a loyalty program, which 0:21:05.880 --> 0:21:08.399 is a pretty frequent thing, because the casinos here have 0:21:08.440 --> 0:21:10.480 lots of incentives to get people to sign up to 0:21:10.520 --> 0:21:15.879 their loyalty programs. You can get gifts, you can redeem credits, 0:21:16.280 --> 0:21:19.440 you can get a free room if you're a frequent 0:21:19.520 --> 0:21:22.760 gambler and you're part of the loyalty program. There are 0:21:22.800 --> 0:21:25.399 a lot of reasons for that. In return, one, the 0:21:25.440 --> 0:21:29.000 casino has a repeat customer, which is very valuable, and two, 0:21:29.080 --> 0:21:32.280 the casino can gather data about the people who visit 0:21:32.320 --> 0:21:34.640 their resorts and learn more about them and thus cater 0:21:34.840 --> 0:21:39.239 to them more and make even more money. So this 0:21:39.359 --> 0:21:41.800 information has value not just because of how it can 0:21:41.840 --> 0:21:44.639 be used to advertise to individuals, that's often what we 0:21:44.640 --> 0:21:47.600 talk about when we talk about data in the modern world, 0:21:48.240 --> 0:21:51.240 but it has value because the customers are trusting the 0:21:51.280 --> 0:21:54.439 casinos with this information. Even if they aren't aware of 0:21:54.480 --> 0:21:57.240 the implications, and so when there is a data breach, 0:21:58.000 --> 0:22:01.080 suddenly customers get very much concerned about that data. It 0:22:01.119 --> 0:22:05.040 affects them directly. If there's the possibility that the customer's 0:22:05.040 --> 0:22:09.159 own finances could be compromised, that's a huge problem for 0:22:09.240 --> 0:22:14.159 both the customer and the casino. So this means casinos 0:22:14.160 --> 0:22:18.600 and resorts are in that sweet spot for ransomware hackers. 0:22:19.000 --> 0:22:23.720 So how did we find out about Alpha's alleged involvement 0:22:23.920 --> 0:22:27.960 with the MGM Resorts International hack. Well, one early statement 0:22:28.680 --> 0:22:32.000 came from the x account, the Twitter account of a 0:22:32.040 --> 0:22:36.639 group called VX Underground. Vx Underground bills itself as the 0:22:36.760 --> 0:22:40.800 largest collection of malware source code, samples and papers on 0:22:40.920 --> 0:22:44.400 the Internet, and they work with lots of researchers, They 0:22:44.400 --> 0:22:47.680 work with hackers, They work with tons of people largely 0:22:47.720 --> 0:22:51.880 to educate about malware. They are rather cheeky, I would 0:22:51.920 --> 0:22:55.639 say they kind of have that cheeky sense of hackers. 0:22:56.080 --> 0:23:01.720 They do not necessarily come across as being buttoned down, 0:23:01.840 --> 0:23:07.480 let's say. So. On September twelfth, VX Underground posted all 0:23:07.720 --> 0:23:12.160 Alpha ransomware group did to compromise MGM Resorts was hop 0:23:12.200 --> 0:23:16.440 on LinkedIn, find an employee, then call the help desk. 0:23:16.920 --> 0:23:22.040 A company valued at thirty three billion, nine hundred million 0:23:22.160 --> 0:23:27.920 dollars was defeated by a ten minute conversation end quote. Now, 0:23:28.080 --> 0:23:30.840 MGM did not comment on this, and as far as 0:23:30.880 --> 0:23:34.720 I'm aware, has never actually referenced their cybersecurity incident as 0:23:34.840 --> 0:23:37.720 an attack, but lots of other folks have not been 0:23:37.960 --> 0:23:41.080 in the mood to mince words, and the information that 0:23:41.119 --> 0:23:43.600 would come out later seem to align with what VX 0:23:43.640 --> 0:23:49.200 Underground was claiming. The attack happened through social engineering. So 0:23:49.359 --> 0:23:53.760 stage one, you learn about the person you're going to impersonate. 0:23:53.880 --> 0:23:57.240 You find someone on LinkedIn who has listed their job 0:23:57.280 --> 0:24:01.120 title and where they work. If you can find someone 0:24:01.160 --> 0:24:04.520 who has a very high profile job title, something that's 0:24:04.560 --> 0:24:08.600 really high up in an organization, that's potentially much better, 0:24:08.920 --> 0:24:10.720 or if it's not high up, at least someone who 0:24:10.760 --> 0:24:14.400 works within the IT department, because that typically means you're 0:24:14.440 --> 0:24:16.440 going to find someone who has a lot of access 0:24:16.480 --> 0:24:19.760 to the systems if you're able to compromise their account. Now, 0:24:19.760 --> 0:24:24.040 I've talked about social engineering a ton on this show, 0:24:24.760 --> 0:24:28.119 how it is a huge part of hacking. See if 0:24:28.119 --> 0:24:30.240 you've got a system that is at least in theory, 0:24:30.600 --> 0:24:33.840 really well secured. Your best bet of infiltrating the system 0:24:33.920 --> 0:24:37.640 is to target a vulnerability. And sometimes you find out 0:24:37.680 --> 0:24:40.520 about technical vulnerability, right. You might find out that there's 0:24:40.520 --> 0:24:43.560 a vulnerability in some software that a company is dependent upon, 0:24:43.880 --> 0:24:48.680 and by targeting that software vulnerability, you can penetrate the system. 0:24:48.720 --> 0:24:50.399