Want Security? Think Like a Casino

By Mary Branscombe, published on March 31, 2008
Source: Tom's Guide | Themes: Digital Entertainment

5. Want Security? Think Like a Casino

“Ocean’s 11” got it right. What happens in Vegas gets filmed – and tagged and tracked throughout the casino. It’s not just the 2,000 cameras in a casino like the Bellagio; a Las Vegas casino has more sensors per square foot than anywhere but a battleship, IBM Distinguished Engineer Jeff Jonas said.

“Each resort has tens of thousands of sensors: every door-lock system, every slot machine, ATM machines, point of sale machines, it just goes on and on,” Jonas said.

And Jonas should know. Until IBM bought his company, he designed security systems used by half the casinos in the world. Now that he works on national security and banking fraud, he was happy to spill the inside scoop at ETech.

After he met a gambler who used wigs, glasses and fake mustaches to disguise himself as he cheated in casino after casino, Jonas pioneered facial recognition software, but the systems don’t scan everyone. Only a handful of people will be watched by the casino on video; they’ll save the recordings to refer back to when winnings are suspiciously large. Card counters won’t get thrown out unless they’re too good – and if they’re with someone losing 10 times as much money, the casino won’t upset the high roller by throwing their friend out. “They spend the minimum amount of money on security and surveillance,” Jonas said. “They’d rather buy three more slot machines and make money. They only mess with you if you’re really, really cheating.”

But the casinos do want to track cheaters and high rollers. The fine for letting someone play when they’ve been banned by the gaming commission could cost the casino more than they’d ever win. The casino has to track you once you win more than $10,000 for tax purposes. If an ardent gambler loses too much money, they might never come back, so Harrah’s uses analytics software from SAS to spot people who are losing big and then offer them free meals and show tickets to get them away from the tables. And if you win too much, the casino will try to tempt you with anything, including a private jet waiting to fly you back to lose it all again.

Cheating can be as simple as switching cards with a friend or as complex as filming the cards inside the shuffling machine and slowing down the video to spot which card is coming next. If a miscreant could somehow pull it off, getting a dealer to use a stacked deck could win someone $250,000 in 15 minutes. A secret code in a video poker game that gives you a good hand if you follow a specific betting pattern has been put there on purpose, but a slot machine that gives you $100 to play with and returns your $100 bill at the same time might just have a bug. And if armed robbers show up, casino security may stand back rather than provoking a shootout. Like the kidnappers who got away with a $1 million ransom for the daughter of casino owner Steve Wynn, they’ll be caught when they go out and spend the money.

That might be the only way we’ll catch the criminals behind botnets if more people don’t use a personal firewall. Michael Staggs of FireEye spends his time tracking down traffic that comes from infected machines. It’s usually hard because bots use a variety of exploits to take over computers. They hide for two months before they do anything and delete the evidence as they go along. Even when you find an infected machine it’s not cost effective for law enforcement to look at individual computers.

But some attacks are so blatant that they send commands in plain text. A taskforce checking for an older generation of bots that use IRC found 16,000 infected servers in one day. Of the 600 million computers that have used Google’s search services in the last year, one in six have displayed what Staggs calls “bot-like behavior.” He predicted that 5%-10% of computers at the conference would be infected. And if you think moving away from Windows makes you secure, think again; while 90% of bots are on Windows PCs, 8% are on Linux systems and 2% are on Macs.

Hacker Pablos Holman showed how vulnerable voicemail and credit cards are at the conference. He used caller ID spoofing to hack into the AT&T voicemail of ETech organizer Brady Forrest and change his message, then used a few lines of JavaScript to add his own content to CNNMoney.com. He opened a supposedly secure Schlage door lock with a blank key and a mallet, and decoded a credit card number from the card’s RFID chip. In each case he was using loopholes rather than cracking the system. Rather than working out how to decode the credit card encryption, he bought a credit card machine on eBay.

Comments


Rondil 04/02/2008 2:54 AM
I predict the next BIG thing will be wearable computers. Start with an extremely low power processor like the CN processor. Next use the new mousing technology that uses 3 different sensors and lets you mouse in 3D (search 3d mouse). Add wireless technology so that you can access the Internet and your home computer. Now add some of the very slick new vision technology (search HMD). Finish it up with the knee charger that was in the news recently and you have a computer that's with you always and that you can access anywhere. (search energy-capturing knee brace)
Deleted profile 04/02/2008 2:06 AM
"the average American uses 12,000 watts a year, which is the equivalent of 120 100-watt light bulbs running 24 hours a day all year long"

I think he means that the constant power demand of an average American is 12kW. Then the total energy consumption of an American becomes ~105MWh/y
Deleted profile 04/03/2008 2:10 AM
Mooing like a cat?
Deleted profile 04/03/2008 1:19 AM
Can the author please correct his basic physics errors that mix up energy (measured e.g. in kWh) and power (could be measured in Watts).
HerbCSO 04/05/2008 3:30 AM
OK, is it just me or does the entire section on "Predicting the future with crowds" seem entirely too much like Hari Seldon's psychohistory from Isaac Asimov's Foundation series?
Deleted profile 04/07/2008 4:10 AM
"We also cannot accurately assess the impact of CO2 emission on the climate because we don't have a powerful enough computer to model the entire climate."

So why are we spending billions on reducing CO2 emissions? We aren't even sure they have anything to do with anything. ...just another liberal money pit.