[HN Gopher] Hackers claim it only took a 10-minute phone call to...
___________________________________________________________________
Hackers claim it only took a 10-minute phone call to shut down MGM
Resorts
Author : jimt1234
Score : 63 points
Date : 2023-09-13 17:49 UTC (5 hours ago)
(HTM) web link (www.engadget.com)
(TXT) w3m dump (www.engadget.com)
| mikece wrote:
| Wouldn't real hackers post evidence and not just claims?
| lcnPylGDnU4H9OF wrote:
| If I had made some significant negative impact on a company's
| operations such that my antics made national news, I would
| likely choose to avoid providing evidence of my actions.
| andy800 wrote:
| If MGM refuses to pay up then it must have confidence that they
| have sufficient backups and can get everything up and running
| again.
|
| I had (still have) serious doubts that they have the expertise
| and discipline (as well as all the vendor systems it relies on)
| but I will have to give them credit if true and they can get back
| to 100% without paying a ransom.
|
| At the same time, the source of this article may be completely
| fabricating all his/her claims, there's obviously no confirmation
| of any of it at this point.
| mannyv wrote:
| Hacker: "Ugh, I just lost my laptop. Can you reset my password?"
|
| Helpdesk: "Sure!"
|
| Hacker: "Thanks! What mail server should I use again? And what's
| the VPN IP? I need to RDP to fix some kind of outage."
|
| Helpdesk: "[redacted]"
|
| Hacker: "Thanks so much! Have a nice day!"
| withinboredom wrote:
| I remember reading one of the earlier editions of "Art of
| Deception" which has lots of these types of examples. Like
| simply calling up the local county clerk to figure out when the
| police officer is on vacation for your traffic ticket, then
| getting a continuance for that day. The police officer doesn't
| show up, and you get off the hook.
|
| So many good stories. RIP.
| ARandomerDude wrote:
| When I worked for the government, my coworkers and I half
| joked that if you dressed nicely, wore a lanyard, and carried
| around a clipboard and a stopwatch, you could probably get
| into a lot of facilities you didn't have access to.
|
| None of us were brave enough to try it.
| marcosdumay wrote:
| Oh, I have some coworkers that are often tasked with going
| into places they shouldn't be and seeing if anybody
| complains.
|
| At least over the population we test, your chances of
| getting in jail are big enough that you shouldn't try it.
| But you certainly can collect anecdotal evidence that it
| works.
| dhosek wrote:
| There's a line in the 90s movie The Paper where Michael
| Keaton's character says, "A clipboard and a confident wave
| will get you into any building."
|
| I have to admit that I actually used that on occasion.
|
| 9/11 changed that fact.
| d1str0 wrote:
| 9/11 might have changed it in some places but not most.
| Cyphase wrote:
| https://tvtropes.org/pmwiki/pmwiki.php/Main/BavarianFireDril...
| aftbit wrote:
| Or a ladder. Nobody stops a pair of people dressed like
| laborers carrying a ladder.
| freeopinion wrote:
| A few years back a town lost several miles of copper
| cable installed under main street. A work truck pulled up
| in the middle of the street, coned off the area, opened a
| lid, hooked up a spooler and started yanking.
|
| They spooled up a truckload of copper, gathered their
| cones, and drove off. They were seen by hundreds of
| witnesses in the middle of the day, but nobody suspected
| anything.
| SoftTalker wrote:
| Or just a high-vis vest, a hardhat, and a toolbox or
| belt.
| neilv wrote:
| When I sold my Flipper Zero recently, the buyer showed up
| wearing business casual, with a button-down shirt
| tastefully embroidered with the name of a company
| involved in commercial real estate.
|
| I didn't ask whether they actually worked for that
| company, or the outfit was part of their pen-testing
| toolkit.
| Freak_NL wrote:
| Security minded types might still stop you, especially
| since these are the kind of well-known scenarios that
| might get used in security training.
|
| You want invisible? Be female, 40+, short but otherwise
| average build, any skin colour but white, black hair,
| generic cleaning staff outfit, and one of those carts
| with mops and buckets. Now you're invisible (racist,
| classist, and misogynistic biases exist, might as well
| use them).
|
| (As a 2m tall person I can't blend in anywhere.)
| withinboredom wrote:
| Or just be very pregnant while carrying boxes, anybody
| will open the door for you. Pro-tip: prosthetic pregnant
| belly full of tools.
| rthomas6 wrote:
| If you smoke a few Marlboros in a cleaning staff outfit,
| get some Walmart shoes, get a $30 phone, and get a mop
| and bucket, I feel like it might work pretty well.
| [deleted]
| mannyv wrote:
| Posing as an IT person is the best way. I remember when
| NationsBank bought Bank of America (yes, it wasn't a merger) a
| friend bet another friend that he could get BofA root access.
|
| He called the branch manager saying he was from NationsBank IT
| and was going to do a pre-merger inspection. He showed up,
| asked for the root passwords of the boxes in the branch, logged
| in, left a MOTD message, then left.
|
| Needless to say they beefed up the training on that once the
| merger closed.
| sbate1987 wrote:
| [dead]
| soared wrote:
| > Customer anecdotes report issues making reservations, using ATM
| machines, playing certain games and mobile key entry into hotel
| rooms, but Engadget has not independently confirmed these
| reports.
|
| Will be very curious to see what systems were affected
| andy800 wrote:
| Quite a few systems were likely pulled offline as a preventive
| measure, though it may be indistinguishable to a customer from
| a "hack"
| cardiffspaceman wrote:
| These responses may have been a goal of the attack.
| SoftTalker wrote:
| The hackers may regret it when Vinny and Tony pay them a visit.
| freeopinion wrote:
| Vinny and Tony were the hackers.
| JohnMakin wrote:
| Humans are always the biggest weakness in any system. I
| completely believe this, and it's a major reason why I don't keep
| my LinkedIn or other social profiles current.
| workfromspace wrote:
| https://archive.ph/Lvu84
| petercooper wrote:
| They should put the MGM Grand's front desk staff in charge.
| Their car park machine ate one of my room keys so I popped to the
| desk on the way to the pool. As I wasn't carrying ID (just my
| other room key) they gave me a very thorough interrogation of the
| exact layout of the room, how much my upgrades cost, and other
| details before they'd issue a second key.
|
| Then they flat out refused to put parking charges onto my tab
| without ID. Yet if I had gone back to the room and merely pulled
| a single drink out of the minibar, I could have run up a $60
| charge no problem!
| e40 wrote:
| _> Yet if I had gone back to the room and merely pulled a
| single drink out of the minibar, I could have run up a $60
| charge no problem!_
|
| Please tell me that was a mini bottle of aged whisky and not
| Diet Coke.
| TylerE wrote:
| Probably closer to the former, but I wouldn't expect GOOD
| booze. I've seen minis of Cuervo for $15 in a minibar.
| petercooper wrote:
| It was _ridiculous._ So a bottle of water, say, was something
| like $7 in the mini bar, and then there was a "$50
| restocking fee" on top if you took _anything_ out of the
| minibar in a certain day. Naturally, all minibar use was
| immediately banned when I discovered this ;-)
| floren wrote:
| Mandalay Bay has a little sign on the minibar indicating
| that if you even pick something up, you're liable to get
| charged -- they claim to have weight sensors, presumably so
| you can't drink a $15 bottle of water, then run down to CVS
| an hour later and buy a replacement. This might just be
| bullshitting, but I took great care not to even touch the
| damn thing... which is exactly what you want on your
| vacation, a little zone of the room that'll cost you money
| if you touch it.
| silisili wrote:
| This is strange in that it -feels- illegal. Could you
| imagine if grocery stores did that? What if you just want
| to inspect it closer or look at the back or something?
| Nextgrid wrote:
| They indeed have weight sensors - that's how the mini
| fridge detects that something has been taken so it can
| charge you.
|
| The concept isn't evil in itself, it's just that the
| pricing applied to it is predatory.
|
| The warning is there for your convenience more than
| anything else and is often out of an abundance of
| caution. I've seen similar ones where you can pick up and
| put it back within a certain time and not be charged -
| I'm pretty sure _all_ these machines have a grace period
| to avoid spurious charges in case it gets bumped, etc., so
| it _is_ safe to pick up items and put them back within a
| reasonable timeframe.
|
| In practice feel free to pick up (and even replace items,
| if it's literally the same and they won't be able to
| tell) and just play dumb and contest the charges at the
| front desk, they'll have to waive them if they can't
| decisively prove you actually took any items.
| HWR_14 wrote:
| The "reasonable timeframe" listed last time I was in that
| situation was 6 seconds.
| solardev wrote:
| Won't be long until manufacturers start making different
| SKUs for different hotel chains, like they do for price
| matching retailers
| TonyTrapp wrote:
| How far away from civilization (or the next supermarket) do
| you need to be for these prices and fees to make any sort
| of sense, that anyone even remotely thinks about taking a
| single drink? I've never seen something like that in
| Europe.
| Operyl wrote:
| It's more so "how drunk are your guests."
| petercooper wrote:
| Being a casino, I assume that the targets are people who
| are either drunk or totally indifferent to prices while
| they're on vacation or, as is common in Vegas, on an
| employer-expensed conference junket.
|
| My solution was to go to the convenience store (still
| located in the casino) which was expensive (a guy in
| front of me nearly had a meltdown at paying $15 for a can
| of lager) but at least had no "restocking fees." A
| _Target_ with more sensible prices is about a 10 minute
| walk from MGM Grand, however, in case anyone here ever
| winds up there.
| TylerE wrote:
| Hotel prices on even basic food/snacks are so high now
| it's often cheaper, even with a good tip, to just do like
| a grocery store/pharmacy door dash on your first day
| there.
| ChefboyOG wrote:
| In my experience, the minibar's level of use is
| proportional to the sobriety of the guests + their
| understanding of the prices.
|
| So, basically, drunk people and children.
| isk517 wrote:
| Yeah, the only times I've heard people talk about having
| to pay for using the minibar, it's one of two stories:
| either 'I was drunk and just wanted something to snack
| on' or 'I left my kids unattended in the room for a half
| hour'.
| munificent wrote:
| You don't need to be far from civilization. You just need
| to be drunk and exhausted, which describes a very large
| fraction of people in Las Vegas hotel rooms.
| ghaff wrote:
| And the Vegas strip, when it's 110 degrees outside and a
| 20 minute walk between casinos, is often not the most
| convenient place to pop into a convenience store.
| martin8412 wrote:
| I was at the Westin in Las Vegas recently and it just had
| an empty fridge that I stocked with beer from the nearby
| liquor store.
| dylan604 wrote:
| One of my coworkers showed me a fun something that was so
| obvious that it's one of those "now why didn't I think of
| that" tips on one of our international trips. When
| arriving at the destination airport, buy a bottle of
| whatever at the duty free shop. Consume that instead of
| any minibar items. The cost of one full size bottle will
| be cheaper than a single minibar charge. I don't know
| why, but hitting duty free was just in my head as only
| something to do when returning home. I just chalk it up
| to OJT!
| solardev wrote:
| OJT? Orange juice time?
| dylan604 wrote:
| On the Job Training
| solardev wrote:
| Way more practical, but less delicious
| andy800 wrote:
| The MGM Grand is massive, over 5000 rooms. It's about a 1/4
| mile from self park to the front desk. Nobody "pops" anywhere
| in that building.
|
| Also, who drives without ID?
| withinboredom wrote:
| Who said they were driving?
| andy800 wrote:
| They were interacting with the car park machine.
| withinboredom wrote:
| The comment never says they interacted with it, only that
| the machine ate it. They could be a passenger, we don't
| have enough information.
| andy800 wrote:
| As I mentioned, there are numerous parts of the story
| that don't add up. The MGM Grand, as I stated, has over
| 5000 rooms, a random front desk agent would not be able
| to verify identity by describing the layout of one
| specific room (nor would that be compliant with security
| procedures).
|
| The car park machine, "popped to the desk," driving or
| wandering Las Vegas without ID, the identity procedure...
| I'm comfortable with my assessment that there is
| something not entirely correct with the story. You are
| welcome to disagree.
| withinboredom wrote:
| I don't know about this particular story. But I have
| personally been escorted to my room and asked to
| describe, in detail, what objects are in the room when
| they open the door. I have no idea what they plan to do
| if it isn't what I say it is, but that method I've
| experienced. I've also explained to the front desk and
| they ask a cleaning person to do a check based on what I
| say.
|
| Nothing about this sounds too far fetched to me, based on
| my experiences at other hotels/resorts. Maybe this only
| happens to you if you have a sketchy appearance or due to
| other biases; if you are clean cut and of a non-
| prejudiced race, maybe you won't run into this crap.
| andy800 wrote:
| "escorted to my room" is entirely different than the
| story described here. And "other hotels/resorts" don't
| have over 5000 rooms and thousands of additional visitors
| to the casino, clubs, shows, restaurants, who are not
| hotel guests.
|
| > maybe you won't run into this crap
|
| What "crap"? He didn't have ID. The employees should
| simply hand out keys on the honor system?
| expertentipp wrote:
| > Yet if I had gone back to the room and merely pulled a single
| drink out of the minibar, I could have run up a $60 charge no
| problem!
|
| Is it the kind of minibar connected to the phone line, where
| every item presses down a dedicated knob, thus touching the item
| releases the signal to the system? The only time I saw
| something like this was in a hotel in the US of A, and the
| viciousness of it infuriated me.
| mrguyorama wrote:
| It's usually done in a much more banal way, just charge you
| for what they restock.
| cowsup wrote:
| Not really. Nowadays, Vegas hotel minibars frequently have
| sensors.[0]
|
| Before sensors, people would grab a $5 can of soda at 2am,
| drink it, swing by the convenience store in the morning and
| get a 12-pack for $6, and put a single can back in the
| minibar. On paper it's a 1:1 swap, so it's not really
| stealing, but hotels wanted their profits, so they invested
| in the sensors.
|
| I'm sure other hotels just check what gets restocked and
| charge you accordingly, but hotels that _really_ want to
| juice you will get every dollar they can.
|
| [0] https://www.reviewjournal.com/local/local-las-vegas/minibars...
| ghaff wrote:
| Minibars seem to have generally fallen out of favor in the US
| and been replaced with just in-room refrigerators. It's
| probably partly a function of the hotels I frequent though
| and, while I travel to Vegas less these days, it's hands-down
| the worst offender of breathe on the minibar or snack tray
| and get charged a lot of money.
| tkems wrote:
| I did some research after staying in a Vegas MGM property and
| the minibars [1] seem to use IR beams to detect if a product
| has been removed. They also can be hardwired via Ethernet or
| use wireless protocols like zigbee. It seemed that in my room
| it was wireless as the thermostat model supported zigbee. I
| also saw that the fridge could be locked remotely (!) on some
| models. [1] https://bartech.com/
| TylerE wrote:
| The last bit makes a lot of sense. Many recovering
| alcoholics request no mini-bar access, and locking it
| remotely is both easier and more secure than having someone
| from housekeeping physically go into the room and do it.
|
| If virtual, it can be done automatically as part of the guest
| check-in flow.
| Nextgrid wrote:
| On the other hand the sight of alcohol being so close,
| even if locked, could be unpleasant and very tempting.
| TylerE wrote:
| It's Vegas. Anyone THAT uncomfortable with alcohol has no
| business being in town, because it's EVERYWHERE.
| TurkishPoptart wrote:
| I wonder if there's any blog posts about covertly switching
| around beverages to fool the beams, Mission-Impossible-
| style.
| psadauskas wrote:
| A few years ago I was staying in a hotel where the minibar
| fridge compressor was making a ton of noise in the middle of
| the night. I did some "percussive maintenance" to get it to
| quiet down (I couldn't get to the plug to just unplug it).
|
| On checkout, I had a huge bill for a bunch of things in the
| minibar. I guess I jostled the items enough that it tripped
| whatever switches or sensors they used. I complained to the
| front desk, and luckily they refunded all of it.
| rahimnathwani wrote:
| > Yet if I had gone back to the room and merely pulled a single
| drink out of the minibar, I could have run up a $60 charge no
| problem!
|
| Right, but pulling a drink out of the minibar requires a room
| key which, in turn, you couldn't get without ID.
|
| So both cases depend on ID.
| petercooper wrote:
| Ah, but they did. They gave me that second key without ID,
| just with interrogation. That same interrogation was not
| suitable for a $35 parking charge, however.
| vwcx wrote:
| I suspect there's an aspect of precedent/case law here.
| Minibar charges hold up in court differently than parking
| (service) charges, perhaps?
___________________________________________________________________
(page generated 2023-09-13 23:01 UTC)