As an "ethical hacking" software maker for gambling turned into a complete nightmare

"Ethical hackers" tried to open the eyes of a company that makes programs for gambling, for errors in its products - but in the end everything went to hell

People discovering security problems with a company often have difficulty trying to tell her about it. However, much less often such situations acquire the character of fairground confrontations and mutual accusations of attacks and blackmail.

And yet, this is exactly what happened when top management at Atrient, a casino-technology company with headquarters in West Bloomfield (Michigan), stopped responding to messages from two British researchers working in the field of cybersecurity, and about the alleged shortcomings in the protection of the company. Researchers thought that they had agreed to pay for their work, but they never received anything. On February 5, 2019, one of them, Dylan Wheeler, a 23-year-old Australian living in Britain, came to the Atrient booth at the London exhibition to deal personally with the company's chief operating officer.

What happened next is not entirely clear. Wheeler said that Jesse Gill, the operating director of Atrient, argued with him and eventually pulled the badge off of him; Gill insists that he did nothing of the kind, and accuses Wheeler of trying to extort.
')
These troubles resulted in legal threats and mutual muddling, with tweeting. Tod Beardsley, director of research from Rapid7, was one of the spectators of this performance. “My first reaction,” Beardsley jokes, “was,” Oh, I wish the supplier would hit me for disclosing vulnerability. It is better than any reward for errors found "".


Bingo for disclosing vulnerabilities:
- we still have not had any hacks;
- we cannot accept your report without a technical support contract;
- our regular users will not do that, this is not a problem;
- this product will close soon;
- The order to ban unlawful acts;
- complete silence;
- we called the police;
- we use military quality encryption;
- so it was intended;
- we know about it, we are working on a new version;
- we do not consider it a vulnerability;
- we left all the default settings;
- who do you work for?
- this restriction is reflected in the documentation and everyone knows about it, there is no reason to fix it;
- this product is intended for internal use and should not have access to the Internet.

This story is simply a textbook example of the problems that may arise when researching and uncovering vulnerabilities.

Many large companies and equipment suppliers support “reward for mistakes” programs that redirect the efforts of third-party hackers and security researchers to solve problems in software and infrastructure — however, the vast majority of companies do not have a clear mechanism for third parties to share with them information about holes in security.

Revealing vulnerabilities for such companies, says Beardsley, “in response, I received everything, from silence to active ignoring -“ I don’t want to hear this! ”- and letters demanding an end to illegal actions. It was all that, but I received a lot of positive feedback. I worked with people who do not have enough experience with the disclosure of vulnerabilities, and I helped them understand everything. ”

In this case, two relatively inexperienced “ethical hackers” tried to understand the security problem, which seemed relatively serious to them, and the directors of Atrient thought that a couple of unscrupulous hackers were trying to make money from them. Thanks to call recording and month-long email correspondence between Wheeler, Atrient, and other shareholders — including a major casino operator in the US and the FBI cyber subdivision — we have a good idea of ​​how things have evolved.

Company

The Atrient Las Vegas office is close to McCarran International Airport.


Atrient headquarters in West Bloomfield is located in this building

Atrient is a small company that works with a very narrow niche of the casino and gaming industry.

Atrient, founded in April 2002 by Sam Attish and Dashinder Gill, was first named Vistron, Inc., and a year later, renamed, according to the state registry, initially engaged in technical advice. She offered “non-standard solutions” regarding IT recruitment, software development, creative services and project management. Not long after, the company took up the wireless business by opening Vistron Wireless Inc. To "provide marketing and technology services for the wireless industry," as listed in the company's registration documents.

For several years of its existence, the integration of software for online casinos has entered the field of activity of the company. By 2015, Atrient mainly focused on the loyalty system of users of the casino PowerKiosk, combining individual slot machines, electronic devices and mobile applications to keep track of gamblers and give them awards, special games and marketing offers. The system can track users through loyalty cards or via Bluetooth beacons and geolocation using mobile applications, as well as store the value of bonuses received by the player.

Atrient has an office in Las Vegas for sales and customer support, but is headquartered in a small business center in West Bloomfield (MI). It is located on the second floor along with the dentist’s office and the H & R Block Advisors office, and under them are a cafe donut and a mattress shop. Atrient has another IT company, Azilen , an outsourcing company that has two more offices in India and one in Belgium. The Atrient and Azilen relationships are not fully understood; At least one developer from Azilen now works in the Atrient division in Hyderabad (India), registered in May 2018.

Atrient, apparently, feels good in its niche, and has partners among the largest companies in the field of casinos and gambling. In 2014, Konami made a deal with it for exclusive rights to distribute the Atrient software product to Konami’s existing customers. Atrient also integrated its software into Scientific Games Bally Technology gaming systems and International Game Technology.

Over the past year, Atrient negotiated with Everi Holdings, a company producing games and financial programs - their culmination occurred on March 12, 2019, when the announcement was made that Everi "would acquire certain assets and intellectual property" from Atrient. A $ 40 million deal was made through $ 20 million in cash and additional payments in the next two years based on certain conditions stipulated in the contract. Security researchers sought to be heard in the process of these negotiations.

Researchers

Our researchers have some experience in information security, but you will not call them industry veterans. Wheeler is 23 years old, and his Atrient partner was a 17-year-old Briton who was called Ben by email and telephone. Ben studies information technology, and on Twitter and other networks he writes @ Me9187, or simply “Me”.

Wheeler in the past had quite serious problems with the law - Gill immediately noted this in the editorial response, commenting on the events of February 5 at the London exhibition. Once in Australia, Wheeler was accused of hacking when he was a minor, and then at the age of 20 he escaped from bail to the Czech Republic in order to avoid criminal prosecution. Wheeler himself claims that in Australia his case was closed and they decided not to pursue him further. He is now legally present in Britain, and the authorities are aware of his “criminal past,” he said.

“He was filed when I was 14,” Wheeler told the editorial office, and said that according to Australian law, his case could not be published in the press (although many Australian newspapers described the case in detail). “But still, the past is over.” I try to be as transparent as possible, and I don’t like my past to tinker with Atrient. This is an information security industry, and many people have a dark past. ”

Hunting through Shodan

From the Internet, you can access more than 100,000 Jenkins servers; Many of them have vulnerabilities that can be found through Shodan.io and Censys.io.

On October 29, 2018, Wheeler and Me searched for vulnerable systems on the Internet. They sent requests to two search engines that specialize in finding vulnerabilities — Censys and Shodan — through a combination of web requests and direct commands via the command line that these tools support. During the search, they stumbled upon an “open door” —the Jenkins server, which, they say, did not have access control enabled.

The Jenkins project, originally owned by Sun Microsystems, needs to be used in the software development process. It allows you to continuously integrate, compile, and deploy assemblies. He has quite serious security problems, including past flaws that allowed him to remotely execute the code, which enabled the attacker to organize a bridgehead in the software development chain in the company. Wheeler and Me claim that the Jenkins server of Atrient, which was running on a Windows virtual machine in the cloud, did not have user authorization configured - and a simple login to the web console of the server gave the user administrative rights. At the same time, in its statement, Atrient claims that this couple used brute force brute force to gain access to the server.

Wheeler and Me decided to dig there and see if they could determine the owner of the server. Using access to the server to perform a two-line Groovy script, they created a remote command line that allowed them, they said, to examine the entire server. Based on the documents and data found, they decided that the server was used by Atrient and Azilen employees to develop and send error messages about the PowerKiosk platform, as well as code repositories for mobile applications and kiosk options for various casinos. They also found that the FileZilla File Transfer Protocol file transfer protocol was set up on the server, as well as connection to several databases, a source code repository, and working code serving the API for PowerKiosk.

Gill claims that the couple found just a demo platform, where there was no working code. At least one of the casinos listed on the server was a demonstration environment. Casino Monaco was a fake casino used to showcase product at fairs and marketing materials from Atrient.

On November 4, 2018, Me and Wheeler sent emails to a whole set of addresses in Atrient and Azilen — including director Sam Attish — with a warning about the security issue on the server. “Please pass on these details to the appropriate security teams and advise them to contact me,” the emails said. There was also a list of databases and APIs associated with PowerKiosk, its web interface and mobile applications, sharpened by certain Atrient clients.

Often, such emails remain unanswered. They were full of grammatical errors and typos, and they did not look like typical professional correspondence. Wheeler said that Attisha told him that these letters were in the Spam folder.

But Beardsley said that from his experience even professionally designed messages can be ignored. “We made a report about Guardzilla, a home surveillance camera that works over WiFi and is sold in large supermarkets. And we have not achieved anything, he said. “We issued a request for support, tracked people working for the company through LinkedIn, and one journalist even found representatives of the company and spoke with one of them.”

And after all this, the company has not responded. “It’s still dangerous to use the camera,” said Beardsley. “Its AWS S3 repositories, where all your home videos are located, are not protected.”

Wheeler did not go so far. She and Me started Twittering, trying to draw public attention to the occasion. At that moment, Guise Bule was involved in the situation.

Attention drawn

Guise Bule, a former government security contractor and co-founder of WebGap, a company that provides secure web usage, also founded SecJuice, a “information security author club”. Trying to enlist the help in promoting the situation, Wheeler and Me turned to Beule, who repented the notes concerning Atrient. Now these tweets have already been deleted.

Bjula's help attracted the attention of two interested organizations - a large casino operator using software from Atrient and the FBI.

On November 9, a casino security officer contacted Me. On November 10, Wheeler intervened and sent them a brief description of the couple found:

I am a colleague of Me, with whom you spoke via Twitter, and then sent a letter. The vulnerability is related to one of your suppliers, Atrient, and their terrible approach to security, due to which kiosks process and transmit unprotected data via HTTP.

These shortcomings, which we are trying to make them correct, have forced us to publicly announce their existence. Among them there are both small problems (I will not disclose all the details, but one of the good examples is that your data stored at the supplier lies on FTP, the login and password for which are just company names in lower case letters) and large holes associated with their products (PowerKiosk).

On the same day, Bjul was contacted by the FBI about his retweet. Bewle organized a general telephone conversation with Wheeler, Me, and the FBI agents from the Cybercrime Division and the Las Vegas Office. Wheeler recorded their conversation.

Wheeler told the FBI that he and Me had no intention of publishing the information they found, because they were worried about the seriousness of the problems. It could, in fact, be used to “print money,” Wheeler told agents. He also said that he and Me talked to the casino operator, but could not reach Atrient.

“Perhaps we can help you with this,” said one of the FBI agents.

Wheeler’s talk with the casino on November 11 was praised by the company's security director in a letter. He wrote to Wheeler, “I wanted to personally thank you for the professional approach to information disclosure, and that although you did not receive an immediate response from the supplier, you gave him a second chance to fix everything.” He offered to "send Wheeler any merch", asked about his size of a T-shirt and headdress.

On the same day, the FBI organized another joint call - this time with the involvement of Gill from Atrient. During the conversation, also recorded by Wheeler, Gill said: “The information you gave us is amazing. We would like to own it. How can this be arranged? ”

Up to this point, money was not mentioned in conversations. Researchers had planned to present their findings at a computer security conference sometime, so Wheeler and Me asked only a “merch” from a casino operator so that they could “shine” during a performance.

However, after the idea of ​​a non-disclosure agreement appeared in the negotiations, Wheeler mentioned a reward for finding a bug. He proposed that Atrient paid his company the equivalent of 140 hours of consultations, which is about $ 60,000. Apparently, at that moment everything began to turn out.

The check, please

“When I make a consistent disclosure of information about a vulnerability — I’m calling a software provider for the first time — it’s very important for me to emphasize that“ I’m not trying to sell anything, I’m not blackmailing you, I’m not trying to make this call a presentation to sell my future products ”, - says Beardsley. “I always say so for a couple of reasons. First, I don't want to go to jail. Secondly, for most people this is a very emotional event, especially for those who have not previously dealt with disclosing vulnerabilities. ”

Beardsley said that often when disclosing vulnerabilities to them, "I find myself the first third-party security specialist with whom people talk." Therefore, “I am trying to mitigate the situation to the maximum, and it seems to me that this skill in IT security is just not enough for us”.

However, now the idea of ​​payments appeared in the conversations, and the researchers decided that they would be paid. That call ended, but negotiations continued. After the requests to remove the negative tweets related to Atrient from the Me account, and after requests for the location of the data that the couple downloaded from the Atrient server, Gill, Attisha, and the Atrient lawyer communicated with Wheeler during 2018. They said they would send him a draft non-disclosure agreement so that he could discuss it with his lawyer.

On December 7, 2018, Atrient's lawyer wrote an email to Wheeler, saying: “We have a draft copy ready. Would you like us to send it to your lawyer. " Wheeler asked to send a draft to him. But he was never expelled.

A week later, Gill told Wheeler in a letter that the draft “arrived here this week. Sam and I study it. We can send it to you by Monday [December 17]. " But all the holidays from them there was no news. January 4, 2019 Attisha explained in the email that he and Gill are traveling on business trips.

A few weeks passed in silence. Then, on January 21, 2019, Attisha wrote:

I am sending an agreement soon. In late January - early February, we will be in London. We can meet there and sign an agreement if that suits you.

Wheeler agreed, and said he could come to the ICE conference in London, because he registered as a visitor. But as the conference date approached, letters from Atrient stopped coming.

At this time, Atrient was negotiating a purchase with Everi. At the ICE conference, Everi announced the start of a “partnership” with Atrient, and both companies shared one stand to demonstrate joint products. Wheeler began to suspect that he was just thrown out and not paid - and he wanted to personally talk with the directors of Atrient.

Hot party

When a company faces a vulnerability disclosure, Katie Moussouri, founder and director of Luta Security, told us, “At least it's always better not to resort to unethical measures.” Companies can do this by creating or clarifying their attitude to the disclosure of vulnerabilities, and limiting their public statements to the statement that the company is aware of the problem and is engaged in its solution [holding statement].

“It’s impossible to win a public opinion trial,” explained Moussouri. “The bigger the organization, the more ethical its actions should be, or it will get the image of a rude person.” She says that researchers, “the easier it is to defend myself legally and before public opinion than they are more professional.”

However, in this case no one went this way.

Together with a friend, Wheeler visited the joint Atrient and Everi booth at the ICE conference on February 5. There he saw Gill, which led to a skirmish. Wheeler states that Gill mentioned something related to Wheeler's “friends.” Wheeler immediately posted a video of how he accuses Gill of the attack - although there was no attack on the video itself. Gill denied everything.

In an email to Wheeler, and in a subsequent telephone interview with our editorial staff, Gill accused Wheeler of participating in the blackmailing of Atrient. Gill soon sent a letter to Wheeler, Me, and Bealus to read:

Regarding your letter of today, and the appearance of your accomplice at our company's booth at the ICE fair, who made certain statements regarding the security of our systems.

You and your colleagues are responsible for the unauthorized hacking of our demonstration platform in November 2018, as a result of which confidential information belonging to us and our clients fell into your hands. You and your accomplices demanded money from us in exchange for this information. We are not ready to pay you compensation for your illegal actions and DO NOT RESPOND TO THREATS.

As you know, we contacted the Federal Bureau of Investigation about your illegal actions last November, and are now working with the relevant authorities in Britain, Europe and Australia.

We demand that you immediately:

• They stopped threatening us, our employees, representatives, clients and advisers.
• Returned all copies of confidential information in your possession.
• They reported where confidential information is stored electronically, whether it resides on a device or storage system that you have, or on a server or in a cloud storage, took all the steps necessary to ensure complete and irreversible erasure of all confidential information. including all its copies and backup copies, all temporary or other copies, so that no one has access to confidential information or any of its parts.

You should not publish any part of confidential information or any information related to illegal burglary, or in any other way spread the confidential information to the public.

Please confirm by reply letter no later than 9 am tomorrow UK time that you will satisfy these requests.

We consult with lawyers about the actions that we can apply against you and your associates in the civil and criminal code. In the meantime, refrain from any action on this matter.

Your opinion about the consequences of this incident for Atrient or its clients is based on fiction.

Atrient quickly posted on Twitter a statement regarding the incident at the show, and then deleted it. (Gill said it was due to a “re-stilization”). Then another version of this statement was sent to our editorial board and other British publications. It says:

We have become aware of false claims related to the vulnerability of one of our products and the alleged attack. In November 2018, one of our sites selling products was attacked with brute force against a demo server with no personal data. The demo sites of our sales department were affected by the attack.

Then a group of individuals came in contact with us, among whom was a man who identified himself as Dylan Inglish, which, as we now know, is the pseudonym of Giza Bjula from the secjuice.com website, as well as a man who refused to give his name. Soon after
This made it clear that a financial motive was involved in the case. The FBI is aware of the existence of this group.

On February 6, 2019, one of the “security researchers” made an unplanned visit to the Atrient stand at the ICE exhibition in London. His name tag was written on his name, Dylan Wheeler, and we believe that this is his real name. After he was informed that Atrient would not pay him money, he put forward another false accusation, this time about an attack on him, whose baselessness was revealed by an investigation conducted by the ExCel exhibition center.

Now this business is in the hands of legal advisers to the company and law enforcement. Therefore, additional comments will be redundant.

The name “Dylan English” is really attached to Wheeler’s email - he uses this pseudonym to work in his information security company. However, the signature of all his letters to Atrient, to the casino operator and the FBI was his real full name, so all participants of the events should have known it.

Sending a response to Atrient, Wheeler sent letters to the FBI agents and the casino operator, saying that he had been attacked and that Atrient did not bother to fix the vulnerability. Then he told everything to Beulu, and also gave him links to recordings of conversations with the FBI and screenshots for publication on SecJuice. Now the details of the security issues that Wheeler and Me reported in Atrient have become public knowledge.

Know when to support and when to pass.

No episodes of development of this situation surprise Beardsley. “People involved in the disclosure of vulnerabilities, quickly find out about the existing situation - usually people do it not too often, so we all do it badly. We don’t have instructions on how to act preferably. ”

– , – . , , , «, , , , , , . , ».

– , – , , . .

Atrient , , - . , $40- . -, ( ) , , , Atrient . .

, , : «, , , - , . , , – , , , , ».