50 Shades of Greyhat: A study in how not to manage security disclosures

Casino Screwup Royale: A tale of “ethical hacking” gone awry

Aurich Lawson / Getty

People who find security vulnerabilities commonly run into difficulties when reporting them to the responsible company. But it’s less common for such situations to turn into tense trade-show confrontations, complete with competing claims of assault and blackmail.

Yet that’s what happened when executives at Atrient, a casino technology firm headquartered in West Bloomfield, Michigan, stopped responding to two UK-based security researchers who had reported some alleged security flaws. The researchers believed they had reached an agreement on payment for their work, but nothing final ever materialized. On February 5, 2019, one of the researchers, Dylan Wheeler, a 23-year-old Australian living in the UK, stopped by Atrient’s booth at a London conference to confront the company’s chief operating officer.

What happened next remains in dispute. Wheeler says that Atrient COO Jessie Gill got into a confrontation with him and yanked off his conference lanyard; Gill insists he did no such thing, and he accused Wheeler of attempted extortion.

The ordeal culminated in legal threats and a great deal of mudslinging, with live play-by-play commentary as it played out on Twitter. Rapid7 Director of Research Tod Beardsley was among the viewers. “My first response,” Beardsley joked, “was, man, I wish a vendor would punch me for disclosure. Boy, that beats any bug bounty.”

Vulnerability Disclosure Bingo.
From https://t.co/6jvhEvksOe pic.twitter.com/aL0avgSrzq
— @mikko (@mikko) February 15, 2019

The story is practically a case study in the problems that can arise with vulnerability research and disclosure.

Many large companies and technology vendors now run active “bug bounty” programs to channel the efforts of outside hackers and security researchers toward productively uncovering security issues in their software and infrastructure. But the vast majority of companies have no clear mechanism for outsiders to share details about security gaps.

When it comes to disclosing vulnerabilities to those kinds of companies, Beardsley told Ars, “I’ve gotten everything ranging from silence to active ignorance (‘I don’t wanna hear it’) to cease and desist letters telling me ‘I’ll remove your advisory.’ All of that, and I have gotten lots of good [responses], too. I’ve dealt with people who have not had a long track record with disclosure and I hand-hold them through it.”

In this case, two relatively inexperienced “ethical hackers” tried to feel their way through what they believed was a fairly serious security issue, even as Atrient executives felt they were being taken for a ride by unethical hackers trying to make a buck. Thanks to call recordings and a months-long email thread between Wheeler, Atrient, and other stakeholders in the disclosure, including a major US casino operator and the FBI’s Cyber Division, we have a reasonably good idea of how the situation played out.

The company

  • Atrient’s Las Vegas office, just a stone’s throw from McCarran International Airport. (Google)

  • Atrient’s headquarters is in this building in West Bloomfield, Michigan. (Google)

Atrient is a small company, plying its wares in a highly specific niche of the casino and gaming industry.

Originally established in April of 2002 by Sam Attisha and Jashinder (Jessie) Gill as Vistron, Inc. and renamed a year later, according to Michigan corporate records, Atrient was initially a catch-all technology consulting firm. It offered “services outside the box” (as the company’s original website described them) related to IT staffing, software development, creative services, and project management. The company briefly took a stab at the wireless business, running Vistron Wireless Inc. to “offer marketing and technology services to the wireless market,” according to corporate registration documents.

Within a few years, Atrient’s work grew to include software integration for casinos. By 2015, Atrient’s main focus had become a casino customer loyalty system called PowerKiosk, which connects freestanding kiosks, electronic slot machines, and mobile applications to track casino gamblers and present them with rewards, special games, and marketing offers. The system can track customers through loyalty cards that it issues or through Bluetooth “beacons” and geolocation in mobile applications, and it also tracks the value of a person’s rewards points accumulated through activities within the casino.

While Atrient maintains an office in Las Vegas for sales and customer support, the company’s headquarters are in a small office and retail building in West Bloomfield, Michigan. Atrient’s head office shares the second floor of the building with a dentist and an H&R Block Advisors office, with a Tim Hortons donut shop and a mattress store below. (Atrient shares its office with Azilen, an IT outsourcing company with two offices in India and one in Belgium. The full relationship between Azilen and Atrient isn’t clear; at least one Azilen developer now works for Atrient’s subsidiary in Hyderabad, India, which was registered in May of 2018.)

Atrient has apparently succeeded in its niche, partnering with a number of major players in the casino and gaming industry. Konami cut a deal in 2014 for exclusive distribution rights to Atrient’s software for existing Konami customers. Atrient has also integrated its software with gaming systems from Scientific Games’ Bally Technologies unit and International Game Technology.

Over the past year or so, Atrient was in negotiations with the gaming and financial technology company Everi Holdings, negotiations that culminated on March 12, 2019 with the announced acquisition of “certain assets and intellectual property” of Atrient by Everi. The $40 million deal was made with $20 million in cash, with additional payouts based on contingencies in the agreement over the next two years. These negotiations were ongoing as the researchers tried to make their security concerns heard.
