Getting F***** On the River
Formal metadata
Title |
Series title |
Number of parts | 122
Author |
License | CC Attribution 3.0 Unported: You may use, modify and reproduce, distribute and make publicly available the work or its content, in unmodified or modified form, for any legal purpose, provided you credit the author/rights holder in the manner they have specified.
Identifiers | 10.5446/40571 (DOI)
Publisher |
Publication year |
Language |
Content metadata
Subject area |
Genre |
Abstract |
DEF CON 19, part 73 / 122
Transcript: English (automatically generated)
00:00
Good afternoon, DEF CON. We're here to talk about getting F'd on the river. And if anybody has played poker, I'm sure it's happened to you. Just to frame what we'll go over in today's session. First, in the preflop section, we'll give a little background about who we are and what online poker is. On the flop, we'll get into some past vulnerabilities that
00:24
have been discovered in the online poker software and architecture. Turn, we'll get into some of the research that we have been doing and what we've been looking at. Some vulnerabilities that I don't think have been published before. And then the river, we'll get
00:41
into defenses and next steps in research. What this talk won't do is it's not going to show you how to make millions of dollars by some zero day exploit. Because if we had that, I'd be keeping it to myself. So preflop. Who are we? This is my company. They paid for
01:03
me to come out here, so I put a slide in there. To make them happy, I guess. Who am I? Just a security professional based out of DC. CTO of this firm. And you can see what I enjoy doing. I probably like to enjoy gambling more than anything. That's what got me
01:24
interested in this subject. Who do I have with me? We have Steve Whitmer right here, who I also work with. And he did a lot of research in the web app piece, which you'll see later on in the presentation. I had a little bit of help also from a couple guys who just couldn't make it. Mike Wright, who I also work with, he did a little bit
01:43
of work on a couple slides. And then J.D. Durick, he did some work in the analysis of the poker client itself and looking from a forensic perspective at what the client does behind the scenes. So that's who we are. So what is online poker? How many
02:03
people like to gamble? Show of hands. All right, we're in the right place. How many people like to play poker? How many people have played online poker? Okay. A decent perspective. How many people still have money locked up on some sites out there? All right. Me too. You probably do. All right. So it seems like a lot of people have
02:25
at least heard of what online poker is. It's really interesting and I lost my train of thought. Sorry. One second. Some people have a misperception that it's playing against
02:41
the computer or not real people, but you're actually playing for the most part against real people except for those pesky poker bots which we'll talk about later on in the presentation. It's been around for a while. Here we have a short time frame just to show you what's been going on. So we have in the early 90s there really was just
03:06
people actually played it via IRC. And the poker industry as we see it today really came out in the late 1990s when Planet Poker was launched in 1998. And then shortly after
03:20
that you started having gaming commissions that were launched to sort of try to regulate this industry. And you can see going down the step, UB, Party Poker. At least when I got interested in poker and probably a lot of people who play it today got interested in 2003 when Chris Moneymaker won the World Series of Poker. He
03:41
satellited in on a $40 online poker tournament and won $3.5 million and made everybody think that they can do the same thing. So that really made the industry grow. In fact prior to that most of the casinos here in Vegas, a lot of them were closing their poker rooms. And now most of the major casinos at least have some form of poker
04:03
room. And shortly after that you had Full Tilt Poker. If you like poker you heard of Phil Ivey and all these famous Chris Ferguson and all these famous poker pros formed that company. 2005 it became a $2 billion industry. 2006 we see the UIGEA which is an
04:22
Unlawful Internet Gaming Enforcement Act which was tacked on to the end of the Port Security Act that passed in the last minute of Congress that was sort of the Republicans trying to tax something on a rider on to a bill. And that didn't make it illegal to play poker like some people may think but it made it illegal for banks to
04:44
transfer money into the poker sites. So it made it a little bit more difficult and at that time we started seeing the market had sort of peaked and it started going back down. 2007 we had a pretty large cheating scandal on one of the major sites and we'll
05:02
talk about that a little bit into the presentation. 2010 we reached $6 billion so we're not going to solve our debt crisis here but it's still a fairly large amount of money. And then 2011 recently on 4-15 Black Friday when the Department of Justice seized three
05:21
of the major sites. And why is this important? Because I just wanted to show what's been going on from the time frames. I think in the beginning it wasn't big enough for people to really notice. It started getting bigger, people started noticing more of government and then also I think from a security perspective whenever something gets that big it
05:41
obviously draws attention to it and makes you just more curious about really what security controls are in place. So I mentioned online poker current events. If you go to fulltiltpoker.com or PokerStars you'll see this banner displayed, the Department of Justice went ahead and seized the domain names for these sites. And you officially
06:10
made it illegal, maybe not illegal, but it made it much more difficult for U.S. citizens to play online poker. PokerStars paid out all their players right away so if you
06:23
had money on PokerStars you got paid but if you had money on other sites like I do you still haven't got paid. And because of this, the seizure really development of new features and functionality sort of is in a holding pattern in poker clients. And another thing why it's important to mention is it sort of made our research a little bit more difficult because we were researching some of these sites and then on 4-15 it was more
06:44
difficult to do research into those sites. This slide is just here to show you why it's important, how much money is at stake and why this will become important. I think we'll see in the next slide when you start talking about regulation and compliance. You know
07:03
back in 2004 we're only talking about one billion dollars. You know U.S. government doesn't really care too much. But when it starts growing, well when I say U.S. government maybe I mean the Nevada casinos, Harrah's, Caesar's Entertainment right here start wanting to get a piece of that pie which they currently don't have. And if you see
07:23
online gambling revenue as a whole it's 25 billion. So in other words there's a lot of money in online poker. I put this slide on here just because I'd like to see piles of money. Regulation and compliance. We all have regulation and compliance in other
07:43
industries. You know if it's a government with FISMA, PCI, SOX, whatever. And I'm not here to say that compliance and regulation is the best thing. We all know that just because you have a system that is certified and accredited according to FISMA or NIST standards doesn't mean it's necessarily secure. It just means you've filled out all
08:02
the right paperwork and dotted your I's and crossed your T's. But it's better than nothing. And I think there's another talk going on right now talking about PCI and I think the argument can definitely be made that compliance helps strengthen the security posture of those industries. And I think something similar needs to take place in the online poker industry. From what I just said you may think that there is no
08:24
compliance or regulation. There is. It's just not very greatly enforced. You have Isle of Man off the coast of England, the Kahnawake Gaming Commission, an Indian tribe licensed some of these sites. But they really haven't put into all the
08:44
controls in place that we would expect these companies to be held accountable for. PartyPoker, a site that pulled out of the U.S. industry back in 2005 when the UIGEA came out. They're licensed by Government of Gibraltar. And you can read here what they say, that they keep their system to reliable, the highest standards of software
09:04
integrity including access control, change control, fingerprinting of executables. From what we've seen, I don't think all the sites are really doing that. We didn't really look closely at PartyPoker since we can't play there. I wanted to concentrate our research on sites that were available to U.S. players at the time. So we obviously see
09:27
there is a need for compliance and I think you'll see why there's a need when we get into some of the past vulnerabilities and new issues that we've noted. A standard needs to be developed. Companies that provide these services need to be audited, just not from the
09:43
financial aspect to make sure something that happened on Black Friday doesn't happen again. But also from a computer security control perspective that controls need to be put in place to enforce these programs to have basic levels of security, which I think we take for granted when we look at other systems like account lockout. Just simple
10:03
things that they just don't do. And why will this happen? Because there's a lot of money in online poker. And the government wants it and land-based casinos want it. I'm not sure if anyone can make this out, but that's a $1.3 million pot being shipped right there, which was the largest pot in online history. Just a lot of
10:25
money. So the flop. Sorry, got distracted. Past vulnerabilities. Past vulnerabilities. So here I just want to touch on some of the vulnerabilities that have come from the
10:44
beginning of when online poker first came into existence and to recent vulnerabilities. These aren't issues that we came across ourselves. These are documented issues. I just put them in here so you may not be aware of what has happened in the past. And these are
11:03
all related to information security, computer security. So the random number generator vulnerability. I think everybody probably can guess what the random number generator is for. Obviously when you have a real dealer shuffling the cards, it's going to be random. They
11:21
shuffle them. So in order to get that same level in gaming, you have an RNG. So Planet Poker, which remember was the first online poker site to come into existence in 1998, they were very proud of their random number generator so much that they published the algorithm to show that, hey, we have a good shuffling algorithm. Unfortunately when some
11:45
researchers started looking at it, they realized it probably wasn't the best algorithm that was in place. You can see in a real deck of cards what the possible number of unique shuffles is. A very, very large number. In their algorithm only 4 billion
12:02
possible shuffles could result. And then to make that even a lower number of a seed they were using was from the Pascal function, randomized. So that reduced the number even further. And then they were able to reduce the number of possible combinations down to a number that could be effectively brute force so they could tell what cards were going to
12:21
be coming out. This has since been fixed obviously. And other companies these days have their RNGs audited by reputable third parties. I took this from the PokerStars site. All the other sites have similar information. I'm not sure. We didn't look at
12:45
this to see if the RNG is safe or secure. Maybe it is, maybe it's not. But it's probably something that should be looked at further. The next one I want to cover as far as
13:01
vulnerability. If you remember this was on the timeline. It was on the timeline because I think it's a pretty important issue. It was this Ultimate Bet / Absolute Poker superuser issue. And the full story is really almost like a soap opera. I mean you really should read if you're interested in a good read, read this blog. That URL is up there. She goes
13:22
into a lot of details as far as what happened behind the scenes. Why it possibly happened. Just to give you a little flavor it involved a teacher sleeping with a student and then a lawsuit. And I guess I needed to make some money. What happened was not all of this
13:42
is 100% confirmed. It's not like poker was legal in the United States or regulated so you couldn't go ahead and bring these people to court. But what we've been able to piece together is that the owner of the company went to his software developer and said hey, I
14:02
think people are cheating on my site in the high stakes games. In order for me to determine if they're cheating I need to be able to see their hole cards so I can make sure that they're cheating because I would know based on what their hole cards are if they were cheating. So the original developer was like I don't think that's a good idea to
14:21
give someone access to see hole cards. So he went to an independent contractor and hired him and they put in this God mode is what they called it. So they ended up putting into the actual software a process and they wanted to put some controls in this process because the developer really thought at the time that the owner was doing this for a
14:42
legitimate purpose so they made it so you couldn't be on the same computer playing as with God mode running. But what we suspected they'd do is they simply had a user in God mode and then just relayed that information to the person playing. And at the end you can see how much money was stolen, $22 million from players. So that's not a small
15:08
sum of money. And how did they end up catching or discovering that this God mode had been put into the software? Was it from the strict controls that were built into the
15:21
software? Auditing, access control, someone reviewing logs? No. It was from the community, the online poker community. And there's a pretty strong online poker community. There's a lot of forums. I think Steve's going to talk a little bit about how you could leverage those forums for some malicious purposes. But what they were able to do
15:45
was the players started suspecting, wow, this one guy is winning a lot of hands. And online poker is different than regular poker. A lot of people play 8 to 10 tables at once. So in real poker, like you see on TV, people get reads by looking at people and they
16:00
know betting patterns and they can sort of tell when people are bluffing. But with online poker, you don't have that. So based on your hand histories, what people are being dealt, you're able to see those hand histories and people have written software that gives you a statistical analysis over who's won what hands, who, how many times they
16:23
saw the flop, how many times they three bet you, et cetera. So based on this information, they were able to show, they created this graph that showed here in the blue is, you know, a statistical analysis over win rates over a certain number of hands at a
16:41
certain level. And then you can see this outlier in yellow who's winning at an obscene rate. So this made them suspect that there's no way in the world this guy could be winning at such a large rate. So eventually, you know, they went to, you know, there's enough pressure from the community that they went to the company and the company finally
17:01
did their own investigation and admitted, yeah, hey, someone was cheating, you know, and they tried to refund the money. You know, a lot of players did get money back who were playing high stakes, but it's still suspected that they didn't get paid back in full. You know, so lessons learned from this. I think it's lessons that, you know, other industries have already learned. Configure ‑‑ was it what? It's suspected that it
17:25
was the owner. I mean, it's suspected Russell Hamilton who was the owner of Ultimate Poker ‑‑ Ultimate Bet and Absolute Poker, it was suspected that he was involved. You know, once again, there's no proof so it's just alleged. But, you know, he had
17:42
past ethical issues and it is largely suspected that he was the main culprit. But other companies, industries have learned this. Configuration management, separation of duties, code reviews, have a solid SDLC in place, have auditing. These are things that, you know,
18:00
banking has in place. Other institutions that we rely on in industries, but it's not there yet in poker, which shows the need for compliance. Just to give another example, I mentioned that, you know, hand histories are important to online poker. You know, if you play the hand, you get the hand history of what happens. So, you know, if you play,
18:24
you know, as many hands as I had, you'll have a huge, you know, hand history file. Some people don't have, you know, the luxury of playing that many hands and they want to, you know, maybe gain an advantage. So there's companies that have sprouted up that do data mining and collect all the information and then go about ‑‑ go about and sell it. Why is that important? Well, they sort of stumbled upon this SSL exploit by
18:44
accident. You know, they weren't trying to ‑‑ there wasn't like a company that was out there doing vulnerability research. You know, they were trying to get the hand histories. A software version update came about and all of a sudden, you know, they couldn't grab data mining hand history. So they started looking at it and looking ‑‑ you
19:03
know, after analysis, they saw that it really wasn't SSL. They were just XORing the data, which I guess they thought was secure. But, you know, obviously we know it's not. But the general public, you know, they thought they were playing, you know, a protected communication channel the whole time. These guys came up with a nice little
19:25
proof of concept. If you Google about this, you'll see a video where they showed if you were on the same network or same wireless network, you could actually see other people's hole cards. And, you know, they did go ahead and fix it 11 days later because it's hard to implement SSL. It's very difficult. And then also Cake Network was also
19:45
discovered to be vulnerable shortly after. So I'm not sure why they were doing this, but who knows. But this is something that could have got caught if you think about it. Even if you go to something as simple as looking at FISMA, you know, there's specific controls there that, you know, say look at data confidentiality and data integrity and you
20:04
would do testing to, you know, certify that the system is, you know, using encryption. But there's no regulation in place. Miscellaneous account compromise. This slides in here just to give you an idea. You know, I just Googled, you know, poker account, you know, hacked.
20:23
And, you know, you can't ‑‑ there's hundreds of postings here of people who have been hacked either through some type of social engineering, you know, phishing, you know, just guessing passwords as we'll talk about later on. But there's just so many different ways that poker ‑‑ poker software and gaming can be ‑‑ can be exposed.
20:48
Poker bots. This is also ‑‑ I mean, it's not necessarily a vulnerability. I mean, poker bots have been around for a long time, you know, since the beginning of the poker
21:02
industry. But when they were new, they just really weren't that good. I mean, you could easily beat poker bots. But now with artificial intelligence becoming as good as it is, you know, there's some very good bot software out there and it puts the player obviously at a disadvantage. I mean, it's different if you know you're playing
21:20
against a bot and you're playing against a real human. You know, and the reason that it's just more difficult to create a poker bot is because the lack of information. Like, you know, there's definitely really good, you know, chess software or chess bots. That's because you know everything in chess. All the information is in front of you. And poker is a game of limited information. You have some information, but
21:41
the rest, you know, you just have to guess. There's a very ‑‑ if you're really interested in the technical details of it, you know, you can look at this article on Coding the Wheel. Unfortunately, there's not ‑‑ this is really the best thing that I found that was out there. There's not a lot of good information about the bots
22:00
that's easily accessible because the people who are writing them are making money with them and they don't want to share that information. So you sort of have to know where to go to look for it. And even then it's difficult as far as the technical details. Just a little bit of information. Once again, that article goes into a lot of detail.
22:22
But really the way that the poker bots work and we just thought was interesting, you know, it's primarily through DLL injection. It's not modifying, you know, the actual executable or binary because as you'll see when we look at the next section about the poker client underneath the hood, it does a lot of checks and balances to see if you've
22:43
made some potential modifications. So it's primarily through DLL injection that it's able to operate. And of course poker sites have been cracking down on bots. How do they catch them? Betting patterns, you know, if it's always bet the same amount.
23:00
Tendencies, bots definitely play differently. Programming flaws, if you're always looking to bet on the same pixel, you know, it's going to know that it is actually a bot. And then of course scanning. As you will see these poker clients, you know, they do try to protect you by examining your system but in that process they also invade your privacy a little bit. That's one way that the sites attempt to catch you. And of
23:26
course when a player is identified as a bot, they'll go ahead and confiscate all your winnings and close your account down. How do we know that? Well, we got caught. They're doing something right, I guess. Poker client equals rootkit. No, no, the question was do
23:48
we write our own bot? We didn't write our own bot. This was just experiment with one of the known bots out there that we were playing around with. So poker client equals rootkit. And maybe that's not 100% accurate but it's close. It has a lot of the same
24:04
characteristics as a rootkit and, you know, in the attempt to protect, I guess, the gaming, it really goes down and does some things that you may not know about. Including, you know, going into, you know, where you've been in your web cache. I don't like people
24:22
knowing where I've been. What does it do behind the scenes? We did some dynamic analysis. We didn't do any static analysis of what it's doing yet. But here's some interesting things that we just pulled out. Or at least, you know, what JD and I thought were interesting. Some of the function calls looking for, you know, enemy window names,
24:44
enemy processes, enemy URLs and then some of the programs that or services that deems unauthorized. So here you can look at, like, if you're looking for OllyDbg if it's running. You know, it's looking, you know, if you're running some of this software that it considers to be against its terms of service. Once again, this is just very
25:05
basic analysis. I'm sure it's doing a lot more behind the scenes and it's just an avenue that we're going to explore further. Here's just some well-known modifications or behavior that we've observed in the poker clients. It goes ahead and will modify your host
25:24
based firewall policies if you're running it on Windows. It goes scanning through your Windows process tables. It has the ability to go ahead and read the, you know, the body and bar text of every window that you have open. Ability to detect mouse movements. These are all things that the poker client is doing behind the scenes. You know, we
25:46
mentioned that it scans for known bot software. You know, it also looks for, you know, the lack of, you can, of course, when you're playing poker, part of the fun is, you know, talking to people, you know. And you can do that on online poker too by chatting
26:00
in the dialogue box. So, you know, it's sort of monitored as to what you chat in the dialogue box. And here you can see the screenshot of it, you know, it's going through your Internet Explorer cache there. So it's going through looking for, well, who knows what. And we're not really sure what it does with this information. I'm not sure if it sends it back, you know, to the mothership. But, you know, it definitely looks like it's
26:24
somewhat invasive to your privacy. And, of course, you're agreeing to allow them to do this since you click on the terms of service when you install the software. But most people probably don't know exactly what it's doing behind the scenes. And these clients are, you know, somewhat complex. You know, we looked at the Cake Poker client, you know,
26:42
has three main processes. The client scans itself, like I mentioned, at random intervals to make sure you didn't modify it, because we did go ahead and we made some modifications to the actual client. And it ended up, you know, detecting that and forcing you to install a new version. And then Cake Poker's actual executable, as you
27:01
can see, when you compare Cake Poker to the Bodog version, the size, the actual poker client is obfuscated and encrypted, making it more difficult for someone to do static analysis. The question was, did you see what obfuscation or
27:22
encryption they were using? We really didn't look too closely at that yet. That's something that we plan on looking at in the near future. Now I'll turn it over to Steve. Thanks, guys. So I got involved in this process kind of late in the game. A lot of this
27:43
research was kind of already ongoing. So I got pulled in to kind of look at some of the actual interactions with the client and the web clients themselves. So just to get into a little bit about the actual online poker network architecture, especially now that there's a lot of crackdown on poker in the U.S., you're going to be visiting a server
28:04
somewhere internationally. And, you know, various countries have various rules about data security and things like that. So just something to keep in mind as you go into these poker sites. Basically what happens when you log in, you make a request out to the internet, poker DNS server tells you which local server you're going to go to.
28:24
You authenticate. You get a session created. And then you start playing poker. And then when you need to reauthenticate, you reauthenticate. This is just kind of a really simple dump on some of the actual data flying past. It's really not that important. But
28:42
it shows that the initial request is out over SSL and then you get another connection over SSL on another high-numbered port. This is just a really, really quick scan of some of Bodog's address space. Just shows that there's a lot of different stuff out there. There's actually some content that doesn't belong to Bodog. There's some stuff
29:03
that's on Bodog's network that's actually game creation companies and things like that. There's also some test servers out there. We didn't really attack it. But just interesting that it's out there. Now to preface what we're going to talk about today. We
29:21
did not, at least I didn't. I didn't actually attack any of these companies. The vulnerabilities that we're going to be talking about are vulnerabilities that are going to affect you as a poker player. So I think that's kind of more important because from the show of hands earlier, a lot of people in here play online poker. If you're in this talk, you probably are getting the idea that it's not the most secure thing in the world
29:44
at this particular point. So we're just going to talk about some of the vulnerabilities that are there. Like I said, I came into this very late in the game just a few weeks ago. But the vulnerabilities were really easy to find. Something else to consider when we're talking about vulnerabilities in online poker. There's dozens and dozens and
30:03
dozens of online poker sites all with individual clients. So when we say that this is kind of a new research field that we're looking into, we really haven't kind of scratched the surface at this point. But just the stuff that we did find shows that you can be compromised fairly easily. Let's see here. So, you know, when you go to these
30:24
particular sites, they have 20 different links on how you can pay them money. But they don't really have any kind of information about how they protect your information, how they protect your credit card data, how they're actually protecting you when you're playing online poker. Now, for all of you out there who look for the hacker safe logo, I'm
30:44
sure that gives you a really warm fuzzy feeling at night. But you should really know better. And these guys don't even bother to do that. So it seems like, you know, when there was the actual detection of the RNG issues, a lot of the poker companies kind of stepped it up and really started looking at their RNGs. But they haven't done anything
31:02
really on the clients to protect you. I wish we were going to stand here and talk about some really, really advanced hacking techniques. But hackers are lazy. We like the easiest way we can get into something. And honestly, there's some old tried and true favorites that can really screw you. So when we talk about some of the
31:23
vulnerabilities out there, there's basically no input validation in a lot of these clients. We'll talk about that in a little bit. The cookies that are being used when you're actually using an HTTP client as opposed to a thick client, the cookies are very insecure. They're weak. They're not marked as secure. They're not marked HTTP only.
31:46
They can be reused. They contain sensitive information. Some of them are tracking you based on your IP address, all that kind of fun stuff. There's expired SSL certificates on some of these sites. The fun thing about that is if you get used to seeing, okay, yeah, the site's expired, blah, blah, blah, SSL doesn't match, you can kind of get
32:03
accustomed to that. And if you do get phished, it's really easy for you to just click through that without even reading it or thinking about it. And then we have our old friend cross site scripting. Now, this particular one, this is an unauthenticated, reflected cross site scripting. Reflected cross site scripting is basically the
32:22
easiest style of attack where you send something to the web server. It sends the same code back to you and is then executed at the browser. The next one that we've got, this is just showing you a little bit of the actual in the Bodog client where you
32:41
can enter some information about yourself. So you can put your email address, your address, your state, your city, all that kind of good stuff. And, you know, personally I live at script alert way. So it's important for me to be able to do this. But for most people it's not. The funny thing about this, the actual city is
33:02
vulnerable, state, zip code, country and phone number. Now, for phone number you shouldn't need to put characters in there. Okay? So what we're doing right here is we're really talking about they're not even doing basic data validation at this point. When you're looking at a state, it's even abbreviated. You've got MA, you've got MD, you've
33:22
got wherever you live there's a two letter. You should not be able to put JavaScript into that. Okay? This is easy, guys. Zip code, again, it's not that hard. These are supposed to be only numbers. Yeah. Anyway. Yeah. That's vulnerable as of today. As of this
33:44
morning. Not that I'm telling you to go out and use this. But this particular one, this is actually using a stored and DOM based cross site scripting attack. As you saw on the previous slide, what we did is we put some active JavaScript in our address field. This
34:03
comes back and shows you every single cookie you need. So if you're using the web client, you can create your cross site scripting attack to then forward this information to your server. You grab that, you replay that, you're now that person. So
34:21
this one's an unauthenticated one. Again, you can grab, you know, you can call document.cookie to grab all of the cookies, have them forwarded to your server and you've created a duplicate session. You can log in as this person and you can sign up to a table that you're also playing at and just fold, fold, fold, fold, fold, fold, fold and
34:43
just lose somebody's money. So not so good. Again, as we talked about quite a bit here, it's basically a playground for cross site scripting. For those of you who are actually pen testers out there who are used to having to do some encoding to get cross site scripting to work, you don't need to do it. You can basically go there and
35:02
just be like, eh, I wonder if this works. And you can kind of play around and have some fun with it. And it's actually kind of cool because it's like stepping back three or four years in time and you can just make all kinds of fun stuff happen. There's actually a lot of people who are using it and we're kind of picking on Bodog and I want to
35:22
clarify a lot of the poker clients have these vulnerabilities. It's not just Bodog but they're an easy target so why not? We talked about them. The actual SSO that's used when you sign in to Bodog is vulnerable. So as you'll see on these couple URLs down at the bottom, you can actually send somebody wherever you want. And we'll talk about where
35:47
you can actually leverage this in a minute. So using some of these vulnerabilities. We've beaten to death cross site scripting now. Everybody knows what cross site scripting is. It's not so good. You've got cross site request forgery as well. Some of these
36:02
clients, this doesn't really matter, but crossdomain.xml, when you're using a Flash-based poker client, you want cross domain to be locked down to at least things on the top level domain. So Cake Poker, for example, if you want Cake Poker, you should
36:20
only allow cake poker, star dot cake poker, whatever you want to do. You should not have a star in there. And many, many, many of these sites just have a star in their cross domain policy. What that means is you can basically decompile a flash client, do whatever the heck you want to it, recompile it and then start playing
36:42
actively in some of these games because they're allowing content from anywhere. And, you know, this is, again, there's lots and lots more you can do with this. This is all just the really, really easy stuff to do. And we didn't want to stand up here and be like, all right, here's how you take down poker right now. But I will say there is more. One
37:03
of the things that's a good attack vector, especially when you talk about cross site request forgery and cross site scripting as far as actually getting people suckered into this, is actually using forums and affiliate sites. Now the fun thing about using forums is generally when somebody is at a forum, they're logged into the poker client and they're
37:23
just kind of chatting and doing whatever they want. But, you know, if they're logged in, you've got great targets for cross site scripting because you know they have active cookies, they have active sessions. You can grab this information, take it, replay it, done. Also with cross site request forgery, if you've got something that you can do like a get
37:43
to post translation or post to get translation, excuse me, you can then just kind of say, all right, as soon as you load this particular page, you're folding. Whatever you happen to be in. So the fun thing with this is you can oftentimes in forums, because we
38:07
just create hyperlinks where you should have an avatar, for example. So whenever anybody loads that page and it goes to load your avatar, it just executes that particular URL. So fold your hand, et cetera. So anyway, these are just really, really good attack
38:23
platforms and forums and stuff like that have their own vulnerabilities. So even if you're using a secure poker client, if you're on somebody else's forum and they have cross site scripting, they can hook you. So here we have, you know, picking on Bodog again just because it's easy. One of their affiliates not checking cross site
38:42
scripting, not even trying. Here's PokerListings. PokerListings is another place that has cross site scripting. This was a really, really hard one, guys, I got to tell you. So you see that search field right there? Script alert. That's all this is. They're not even checking. It's easy, easy, easy stuff. So what do we do when we have cross site
39:04
scripting? How many people know what BeEF is? All right. Good. So you know where I'm going with this, right? You've got BeEF, you know, and here you can see three clients that are all, you know, a local address that I was just playing around with. There's so many from my local one because everything I tried worked. It was really, really easy to do
39:23
this, guys. So step one on this, this is what an actual hook looks like in BeEF. So you've got your target domain. You've got then the payload there that says, you know, connect back to me, blah, blah, blah, blah, blah. Once you've got a zombie inside of BeEF, you
39:43
can look at their browser. You can see what plug-ins they're using. You can see where they've been in their browser history. I'm not going to go down the full functionality of BeEF, but BeEF is a really cool tool and if you haven't used it, use it. It's good. You can do clipboard theft. You can send raw JavaScript. You can use
40:03
browser autopwn. And you can also, you know, use that once you have, you know, browser autopwn running. Anybody who you've hooked in with XSS is now a pivot point. So let's say somebody is playing poker at work. Nobody would ever on a government machine, for
40:23
example, play poker at work. Nobody would ever do that, right? So now you've got a pivot point inside of a government network because web traffic goes through firewalls. Yay! So the fun part is after this, of course, you have profit. So one of the things that we
40:41
wanted to do is kind of hint at this, but not really tell you exactly how to do it. But if you've got a Metasploit zombie or if you've got a BeEF zombie, if you can send them JavaScript and you can capture their clipboard, hands up how many people think you can see their hole cards. More hands. Yeah. So there you go. Still feeling good about
41:08
online poker? Everybody who signed up? Yeah? No? Okay. I'm going to turn it back over to Gus. He's going to do some more talking. Thanks, Steve. And moving away from web
41:26
application attacks that Steve went over to some authentication vulnerabilities. Like Steve mentioned, while sophisticated attacks are fun to go ahead and do, in this instance, you really don't have to do anything elite in order to compromise some of these sites. As
41:47
you can see here, here's just some of the password requirements. I just went ahead and sampled some of the larger sites so you can see exactly what they're requiring. So you can see Carbon Poker requires six to 20 characters. I wonder what people are going to choose
42:02
if they choose Carbon. Perhaps carbon as their password. Or Bodog, five characters. Maybe they have bodog or maybe it's poker. Full Tilt, UB, Absolute, also weak. In fact, the only one that had strong password requirements was Cake Poker with what you expect, something 8 to 14, lower case, et cetera, et cetera. So with passwords this strong,
42:26
it's probably impossible to brute force them, right? Especially with no account lockout. None of these sites will lock out your account. You can try it as many times as you want. And of course, you need to have the actual user ID to log in with,
42:42
right? So how do we find that? Well, forums, whoever you're playing against, most of the time whatever their name on screen is going to be their user ID. And then of course there's also Poker Table Ratings which is another site that tracks players, you know, how much they've won or lost. So you can go to Poker Table Ratings and perhaps you want
43:01
to do a search for those people who have won a lot of money and we can target their accounts. And of course the next step is nothing rocket science. Just like the cross site scripting, we don't have to do anything fancy here. We just go ahead and use Hydra or Brutus. In this case we just went ahead and used Brutus. This is actually on
43:21
Bodog which was somewhat different than some of the other sites. You can log in with a user name or you can also log in with this unique number. You see here it's 3830000. So this is what they're, you can log in with these type of numbers. What's also interesting about this is that when you create a new account it just increments it by one. I'm not sure if that's too important or, but it's interesting that
43:43
it just increments it by one. So of course just using Brutus you can go ahead and just script this and you can see on our test account that we, that we used it, you know, it brute forced it and, you know, very quickly of course. And trust me, poker players, they're not the most sophisticated players when it comes to, you know, putting
44:04
strong protections in place. Most of the time they're pretty lazy and I guarantee a lot of them have pretty easy passwords. It's like they're not risk averse. Exactly. They're used to just gambling large sums of money. One, I want to make one point. Most of the
44:23
research that we did was on the play money sites. Every one of these sites has a play money site that is equivalent to the, the software is the same as the real money site, but we just didn't feel like using, you know, I didn't feel like using my account because I didn't want to have it shut down for some reason and have my money confiscated.
44:43
Anyways, another thing, attacking supporting infrastructure. I think Steve went over this, gave some good examples as far as forums, but it's just not the poker client itself. And that's what I want to emphasize throughout this whole talk. It's the whole poker industry that has weak controls. And, you know, with the poker gaming, these other,
45:05
you know, people want to make money off of it. So they come up with new ideas. So there's training sites to teach you how to be a better poker player. There's tracking sites like Poker Table Ratings and SharkScope that will track your play and show you how much you've won or lost. There's media and forums like Steve mentioned. Two Plus Two is, you
45:22
know, probably the largest one out there. And, of course, if these sites are being used at the same time that people are playing the game, well, then if there's vulnerabilities in them, as Steve showed you, you could potentially compromise them. So just some quick examples. Another, you know, cross-site scripting. This is actually in
45:40
Poker Table Ratings. You can actually make comments about players like "you suck" or whatever. And if you put some, you know, script in there when someone else goes ahead and reads that comment, you could have obviously something much more malicious than this there. Attacking supporting infrastructure continuing. This is about training sites. And this is actually an e-mail that I received because I belong to training sites
46:03
because I like to try to make money when I play poker. And this is from, I think, CardRunners sent me this letting me know that they had detected an illegal intrusion and that, you know, they believe that, you know, all they got potentially was my e-mail address, encrypted password, IP address. And, you know, so it just shows that
46:22
people are actually attacking these guys. I actually sent these guys an e-mail and said, hey, I can maybe look at this for you. And they said they had it under control. So just another forum. This just shows you, you may not be able to see it, but it's just a warning that's posted on the forum showing that someone has set up an archive site to
46:44
look just like the 2 plus 2 and they're doing some phishing there. So just, you know, warning their forum members to be careful. So obviously people are going out and targeting these supporting infrastructures. So almost done. The river. So just what are some online poker defenses that can be put in place? And this is more on
47:05
the application side. We'll talk next about what you can do yourself to protect. Maybe move away from password-based authentication because we know multi-factor can't be hacked, but it's better. Implement simple things. Account lockout. Perform robust
47:20
security testing. Perhaps only allow connections from, you know, the geographic location where you're supposed to be located. So if you're in the U.S., you probably don't want someone from China logging into your account. Of course you get around that, but it makes it more difficult. Maybe adhere to some certain standards. Online poker defenses. What can you do to help protect yourself? I personally play poker in an
47:47
isolated virtual machine that's just used for poker. I don't do anything else with that. I have a particular VM just for poker. I don't check e-mail. I don't get on the web with it. All I do is play poker on it. Obviously basic security stuff. Use
48:00
antivirus. Don't play on wireless networks. Strong complex passwords. Don't use the same password across multiple sites. Common sense stuff. Next steps. We're going to continue digging deeper into the clients and stack analysis. Maybe look to try to customize a client to bypass restrictions. Perhaps write an automated tool just to better brute force
48:22
the actual client itself rather than the web piece. I think it would be fun to map out more of these networks and see exactly from an infrastructure perspective all these test servers and other things that are out there. Keep on digging at the web application vulnerabilities. Conclusion. I don't think we talked about anything earth
48:41
shattering here as far as stuff we all know about. I don't think a lot of people have been thinking about it from an online poker perspective. We're going to continue looking at it. If you're interested in online poker, there's a lot of smarter people than me out in that room. Please look at it and let me know if you find anything. Regulation and compliance needs to be put into place. The question is do I feel safe playing? If
49:07
online poker was legal tomorrow, would I play? I'd probably play, but that's because I have a gambling problem. I don't know about the rest of you. That's it. Questions? We'll be in Q2 to answer anything. Thank you guys.