We waited impatiently for the check at the Rio. The waitress breezed by for the third time, promising to deliver the bill as soon as she could add it up.
Add it up? What year was this? Have we been transported to the 1980s?
I nudged my companion, who blurted out what I was thinking. "Def Con pranksters!"
The hotel’s point-of-sale system goes down during a busy lunch hour while the world’s biggest gathering of hackers is convened on the property. Coincidence?
Def Con has long been known for digital hijinks. The hacks are usually performed to prove a point — for educational purposes, not fraudulent or destructive ones. But Def Con, held Aug. 4-7, was not involved in the Rio’s system failure, according to a conference spokesman. In fact, sources told me Def Con offered help to the hotel’s IT staff, drawing from the large pool of expertise at the conference.
The Rio’s management would not comment on the crash or on any related subject. But rank-and-file employees were not so circumspect. Several spilled their guts when I chatted them up after the system was restored. They readily shared details about frequent point-of-sale system crashes.
"Six times since I’ve been here," said one. "That’s been about two years."
Another said the outages last up to eight hours, affecting not just the Rio, but other Las Vegas properties at the same time.
"It’s very stressful," said the first staffer. If only she knew.
The simplest explanation for chronic crashes, said one Def Con attendee who worked for a decade in the card payment industry, is an incompetent service provider. That’s the middleman linking the retailer with the credit card company.
But that doesn’t rule out other possibilities. Among them, obsolete software, bone-headed security policies, savvy cybercriminals, or — get this — internecine warfare among competing casino properties. Far-fetched?
"Hey, it’s Vegas," the expert shrugged.
Disgruntled former employees are more likely attackers, according to data security studies. They are sufficiently familiar with the targeted system to gain remote access and may want revenge. Current and former insiders are a leading source of cybercrime and data loss, another conference attendee told me.
"What if I got fired?" mused the man, who identified himself as a security practitioner. (Def Con has a long tradition of attendees paying cash for their credentials and identifying themselves by their hacker handles instead of their real names.) "So I get another job at some crappy little company, and I’m mad, and I’m gonna damage my old company. I know their system, and they haven’t taken any measures to keep me out. It happens all the time."
Badly written software could be another cause of frequent system crashes, the card system expert said. Some software currently in use was deployed long ago, when credit card payments were first becoming ubiquitous.
"POS systems have not changed significantly in the last 10 years," he said. "Most of them have not had serious security efforts put into them."
Then there’s the galling possibility that the service provider is just stupid.
"It may be that one company is the service provider for all these hotels," said the expert, who claims that field audits bear out this theory. "Rather than having individual passwords for each hotel system, they may have one user name and password for all the systems they administer."
With a bit of diligence, a bad guy can discover one set of credentials and have access to all the client systems.
Information is the key to the castle, and it’s also the prize sought by cyberthieves.
Which brings us back to the hotel employees, who, when I questioned them sympathetically about their lunch-time chaos, responded by telling me about the pattern of the crashes. Hackers call what I did "social engineering": gleaning useful information through social interaction. But hospitality industry folks would say they were just being friendly to a customer.
I’m not knowledgeable enough to act on the information, but plenty of people are, and some of them are professional social engineers. Def Con now features a social engineering contest, in which contestants place phone calls to big-name companies and schmooze information from the guy or gal who answers the phone. Most employees answer almost any question they’re asked.
"Giving out information like that facilitates the ability for a malicious person to do attacks on the corporate network and to steal data, to wreak havoc," said Chris Hadnagy, who runs the contest. "Information is what facilitates attacks."
I also tried another technique I learned by covering Def Con, called "responsible disclosure." When you discover a security risk, you report it to management. But management wasn’t interested in knowing what was leaked by casino employees, even when I took off my reporter hat and said, "Hey, I’m a Nevadan. I’ll live here after all these people go home. I’m on your side."
Willfully blind managers pervade every sector of business, the experts say. Despite daily news stories about big losses from cybercrime, non-technical managers rarely grasp information security risks, or the associated liabilities, until it’s too late.
The whole business world needs to get a lot smarter, very quickly. But I couldn’t help thinking that Las Vegas has a special responsibility to become the role model, given its history as host city to the world’s largest hacker conference.
Nevada journalist Samantha Stone is a producer and field reporter for "Nevada Newsmakers" and the host of the weekly podcast, "The Cyberjungle" (www.thecyberjungle.com).