Trustwave failed to spot casino hackers right under its nose – lawsuit

IT security biz Trustwave is being sued by a Las Vegas casino operator for allegedly bungling a hacking investigation. Trustwave denies any wrongdoing. The outcome of the lawsuit could have staggering consequences for infosec outfits hired to analyze and clean up computer network intrusions, in terms of potential liabilities …

  1. a_yank_lurker

    Where is the gaming commission

    Since gambling is the only reason for a casino, it appears a couple of gaming commissions are either very asleep or quietly threatening the casinos with big fines. If the latter then a lawsuit to recover some of the fines makes sense in a perverse beancounter way.

    1. Gene Cash Silver badge

      Re: Where is the gaming commission

      Middle of the 3rd bold paragraph: "Affinity Gaming hired Ernst & Young to perform penetration testing pursuant to new regulations from the Missouri Gaming Commission"

      So apparently Affinity was doing its due diligence and found bad news. I don't think they'll get fined for being proactive, but they certainly want to know "WTF?" from Trustwave.

      The lawsuit says "we're not the security pros, so we hired you... only it turns out you couldn't find your ass with both hands, much less a second hacking"

      It does look like Trustwave dropped the ball here.

      1. frank ly

        Re: Where is the gaming commission

        Especially since this :- "including ongoing activity from a malware program named “Framepkg.exe,” which Trustwave had found, but apparently had not contained or sought to remediate, during its investigation in 2013."

        1. Destroy All Monsters Silver badge
          Trollface

          Re: Where is the gaming commission

          “Framepkg.exe”

          The lesson:

          Been hacked?

          Got Windows?

          Sorry, can't help. You may want to contact other outfits ready to take on a disgusting, unmanageable hairball.

  2. I. Aproveofitspendingonspecificprojects

    How much?

    So how much was the contract worth to Trustwave and how much would the competition have cost? Just so we can get some idea which side of the table the management was working: The security or The gambling?

  3. Joe Montana

    Budgets, constraints and

    The problem in infosec is it's all a game of compromise and risk management, and there are no guarantees.

    If you hire someone to do a pentest, how in depth do you want them to go? And more importantly, how in depth are you willing to pay them to go? Most companies only want, or are only willing to pay for your typical blind external pentest which basically says "given 2 days and only the IP of your website we couldn't get in through direct vulnerabilities on that IP"... It doesn't account for indirect attacks, or even just pure random luck etc.

    Also just because a pentest was conducted at any level doesn't mean the client actually followed the recommendations. Quite often security compromises are made because of cost or lack of skills etc. Many networks are also not designed with security in mind, so significant improvements would require a massive (and costly) redesign.

    And it sounds like this case talks about an incident response job, but again jobs like that are down to budget and scope... When I've done such jobs often the scope (and budget) has been limited to the systems known to be compromised but that's not really enough as systems are usually interconnected and often managed from the same workstations etc. The outcome of most incident response jobs is usually that "your logging isn't good enough to really know what happened" and "we really should look at other systems but there isn't budget for it".

    1. Gordon 10
      Thumb Up

      Re: Budgets, constraints and

      I'm with you and Jungle bloke below. I'm betting this was a limited scope engagement ordered by bean counting management who are now ruing their penny-pinching.

      Ironically they will probably pay 10-100 times more in the lawyers' fees than they ever paid to the security biz.

    2. JeffUK

      Re: Budgets, constraints and

      Something I've experienced before is security companies giving assurances that they shouldn't give based on the scope of the testing, and not giving adequate caveats.

      E.g. testing a web application and not testing the infrastructure yet declaring a web service 'secure.'

  4. Jungleland

    Playing Devil's Advocate

    What exactly were Trustwave hired to do?

    If they were only asked to find out what was wrong, which they did

    "including ongoing activity from a malware program named “Framepkg.exe,” which Trustwave had found, but apparently had not contained or sought to remediate, during its investigation in 2013."

    then fixing it would have been another contract. A lot of the suit could depend on the wording of the contract.

    1. Anonymous Coward

      Re: Playing Devil's Advocate

      Mind you, I've dealt with Trustwave. Their entire model seems to be to continuously enlarge the scope of their consultant services. Even for the most minor of things.

      OTOH, if they provided a proposal to remediate, and it was rejected. . . .then the casino is S.O.L. . .

  5. This post has been deleted by its author

  6. Adrian 4

    Yes, it's always best to use properly supported and tested software, especially when your ass is on the line. So it's really unfortunate that they apparently used something capable of executing 'Framepkg.exe'. Maybe if they'd used Android, Apple or Linux software they wouldn't have had a problem.

    1. DryBones

      Or maybe have gotten hit anyway, since there's these things called 'targeted attacks'. The only computer that isn't vulnerable is the one that's not on.

  7. Anonymous Coward
    Childcatcher

    framepkg.exe

    That'll be part of McAfee's ePO agent IIRC. OK probably not the real one but if it was then it will look like a highly suspicious application.

    1. Destroy All Monsters Silver badge

      Re: framepkg.exe

      Anything Windows looks like a highly suspicious application.

      Considering how the mob controlled telephone switching gear in Las Vegas, I would not even START with a Windows installation in place.

  8. Anonymous Coward

    Well, duh

    If you hire a rival they're always going to allege incompetence, but something stinks here.

    How did those hackers get in in the first place? That's not the fault of the company hired to fix matters (although they failed to return to a clean baseline) - that means things were not all that well to start with. To me it appears they were already, er, gambling with their security, and this is just to divert the attention.
