The Las Vegas Sands Website Attack – Random Thoughts and Definite Plans

By Jeffrey Compton
February 16, 2014 at 4:24 pm

As I write this column the Las Vegas Sands website has been down for six days. Over those days a plethora of ideas has gone through my head – plus some decisions about emergency planning for my very small business.

Who did this and why?

I know little about website hacking, so I started my questioning with my own technical director (Cory Roberts) and web designer (Jill Merk), and went from there looking for some reasonably solid theories.

Almost all the people I talked to felt that the Las Vegas Sands web attack was the work of first-rate hacking experts, not college students or people who find defacing websites a fulfilling hobby. The hacker was probably a hired gun (meaning that he or she did not select the target) and might have been paid somewhere in the six figures.

The primary purpose of the attack was to do serious operational and financial damage to the Las Vegas Sands Corporation – not to steal customer data, nor to protest Sheldon Adelson’s statements on the Middle East. Just defacing the casino’s home page would have been far easier (and thus cheaper), and would have created almost as much negative publicity for Adelson as what was done, bringing down the entire site for days.

Considering the extent and success of the attack, insider assistance (or ex-insider assistance) should not be ruled out.

I talked to Aaron Stanley, an occasional contributor here, whose day job is Washington DC Bureau Manager at the Financial Times. The cybersecurity/warfare people he spoke to said that while on the surface this attack appears to be Islamist in origin, the lack of any group taking responsibility plus the extent and success of the attack (most sites recover from Syrian Electronic Army attacks in two hours, and most in two days) tend to point to it being Chinese in origin.
The Las Vegas Sands Corporation has six of its nine properties in Asia, so this raises a new set of possible motives.

Reaction to the attack (and why it is a problem)

I have criticized Sheldon Adelson several times over the last few months, and will probably continue to over the coming year, but I was surprised (and saddened) by the reaction to the attack by others in our industry. I’ve heard the words “comes around” several times this week.

This is wrongheaded thinking. Regardless of Sheldon Adelson’s feelings and statements on Israel, Iran, President Obama, and internet gaming, no person or business deserves this. And to operate under the assumption that “Sheldon had it coming” implies “this would not happen to us – so we will not worry about it.” A major gaming company’s website has been brought down for six days and counting; that’s something to worry about.

Emergency Planning

And while you are worrying, plan what you will do if and when it (or something comparable) does happen to you.

My website gets one-zillionth the traffic of the Las Vegas Sands, so I seriously doubt it will ever be the target of international, expert hackers. (I am knocking on my wooden desk as I type this.) But that thought did not keep me from asking Cory to take a day and review our emergency plans in case the website crashes – or something goes wrong with our Internet connection – or the power goes out in my home office – or my principal computer crashes – or there is an issue with Constant Contact, the website that distributes our reports. What are our plan Bs? Do we have updated contact numbers for team members and vendors? What information do we have to know (and keep, some place accessible) to give our vendors in order to get immediate assistance: account numbers, passwords?
By the end of the day I had a document (“SOS v1.0”) with critical information (for example, a list of nearby places that offer good quality, free Wi-Fi), plus some very reasonably priced suggestions for upgrades that would help us avoid such emergencies or make them easier to deal with.

I’m sure that many of you have done much more extensive Internet emergency planning, and I hope that those who haven’t are working on that. Today, thanks to someone out there who has more talent than conscience, we all have a reason to review our plans and documentation.