Security

Odlanor Poker Spyware Analysis

There’s been a flurry of recent articles focused on the Odlanor spyware that reportedly targets online poker players. A news release regarding Odlanor from security firm ESET triggered coverage from sites such asSlashdot, Business Insider, and dozens of others.

Coverage blows threat out of proportion

But it seems that some in the media and the general poker population have blown this story out of proportion.

Headlines like “The great online poker scam” and “Hackers Use Malware to Cheat at Online Poker” make it appear that online poker players are facing a new (and immediate) risk of losing their money to malware-enabled cheating.

I have even heard from iGaming opponents that this is another reason as to why online poker should be banned.

Reality is far from headlines

The reality is that this piece of malware is no different from other client side attacks. These types of attacks that target users are not unique to the poker community.

It has been our experience when responding to breaches that the most common entry point into an organization’s network are users who have been compromised via a phishing attack or other client side attack that installs malware or a remote administration tool.  From there the attacker pivots to other systems on the network.

Large companies like Sony have been impacted by this attack, so it is not surprising that a certain percentage of online poker players are also affected.

Nor is the fact that Odlanor targets online poker sites in any way unique. Yes, as documented by ESET when they reversed engineered the malware using a disassembler (a tool used to determine what functions the code was performing) there were specific calls that searched forFull Tilt and PokerStars program windows.

But there are countless examples of attacks in the past that targeted players with variations on remote access exploits in order to view a player’s hole cards.

Finally, it’s worth noting that ESET puts total observed Odlanor infection at “several hundred users.” According to Amaya, there were 2.3 million total active real-money users at PokerStars and Full Tilt in the second quarter of 2015.

Basic security steps significantly reduce any threat

Most of the time users are infected because they are not following best practices when it comes to computer security.

This article I wrote for Pokerfuse summarized the core habits poker players should internalize to minimize risk, including basic steps like:

  • Use antivirus (not 100% effective, as it is signature based).
  • Keep your system patched.
  • Use strong, unique passwords and logins.
  • Use two-factor authentication whenever possible.
  • Don’t click on links in suspicious emails.

However, probably the best advice is to use a dedicated system for playing online poker – eithera separate physical system or a virtual machine dedicated to iGaming on your primary workstation.

Following this advice would make it far less likely that your gaming system will become compromised.

What steps can operators take?

Another question I have heard being asked is why are the poker sites not taking any actionagainst this threat?

The answer is because these attacks are targeted against the players, not the operator or the game servers.  There is little the operator can do.

The truth is that in regulated environments such as New Jersey there are information security requirements that operators must adhere to in order to secure the online gaming infrastructure and application.  Sites attempt to help protect players by forcing them to use strong passwords, making multi-factor authentication available, and performing data analysis in order to detect cheating.

But they can only do so much. Ultimately, the primary responsibility to protecting a player’s account lies with themselves.

What is important to remember is that this is not a new threat. Online poker is no less safe than it was last week.  But it is an important reminder for players to remain vigilant and follow computer security best practices.

This article was originally published in the September issue of Online Poker Report

SURVEILLANCE & SECURITY: Protecting Your Cyber Assets

The past year saw a number of high-profile security incidents across various verticals. Target and Home Depot in the retail sector, Sony in entertainment, and Las Vegas Sands in gaming, to name just a few. What is also interesting is how the motive behind these attacks varied. In some instances, financial gain was the driving force, but in others hacktivism or attacks for political views was the primary motive.

While the examples listed above feature large, well-known companies, there are just as many (if not more) smaller, lesser-known organizations that have suffered security breaches. This article will explore what gaming organizations (both land-based and iGaming) can learn from these cyber-attacks, how they should react, and what they can do to reduce risk in the future.

When, Not If

It is common expression in the security sector that it is not if you will be “hacked,” but when. What I have learned throughout my security career is that you can never eliminate all vulnerabilities. The goal is to manage risk and make informed business decisions regarding your information technology infrastructure.

All organizations have vulnerabilities that could be exploited by a skilled and determined attacker. Our job is to make it as difficult as possible for an attacker, while balancing business needs, to cause them to move onto the next target (no pun intended). We also need to have capabilities in place to detect and respond to attacks when they do happen.

Lastly, we need to have a plan on how we will communicate with our customers in the event of a breach. Before we cover these items in detail, let’s see what can be learned from one of these previous attacks.

I was having a security discussion with the vice president of technology of a major land-based casino, and one of his concerns was facing attacks not for financial gain, but those that had a social or political message. We may not want to admit it, but gaming is not universally loved. There are those in the anti-gaming crowd that may look to cause harm via cyber-attacks.

As I have written about in the past, one of my fears is that a regulated iGaming organization will suffer a major incident that could set the industry back and curtail growth. Organizations can also become targets because of their leadership. A prime example of this is Las Vegas Sands.

Bloomberg Businessweek reported in its December 15, 2014 edition that the attack against Las Vegas Sands was driven by LVS Chairman Sheldon Adelson’s remarks on Iran’s nuclear program. If the reports in Bloomberg are accurate, the attack vector was a development server that was exposed to the internet. The attackers used this avenue to gain access to LVS’ internal network, and caused significant damage.

Some may be surprised that it was this easy to compromise a major organization. But if we have learned anything over the past few years from these news stories, it is that these larger, profitable companies are just as vulnerable as smaller organizations.

It was reported in the same news story that in 2012 there were only five cybersecurity personnel protecting over 25,000 systems on LV Sands’ network. While the board approved more budget, it was in the process of slowly being rolled out. Unfortunately, this is also something I have seen both in and outside the gaming sector. If upper management does not make the investment in information security, they are asking for trouble.

I have seen a number of gaming organizations that don’t have security leadership (i.e., CISO), but at the same time they will spend millions on marketing. Until we recognize the importance of information security to the business, we will see more of these types of security breaches.

One of the most important assets gaming companies have is data. This data must be protected, and there is no one single solution. Firewalls, data leakage prevention, intrusion detection/prevention, encryption, access control and many more are all areas that must be taken into account.

Confusing Compliance

Another lesson gaming companies can learn is that compliance and regulation are not the ultimate solutions. Both Target and Home Depot were PCI-certified at the time of their breaches. During the course of performing security assessments for our customers, we often discover weakness that could lead to a security compromise.

These are organizations/systems that are FISMA, PCI, HIPAA, you name the standard certified. The same holds true for gaming regulations. Many of the gaming MICs and standards should be viewed as a starting point, not the finish line.

Compliance and regulation should be viewed as the minimum level of security that needs to be implemented. We also have to be careful not to get pulled into the compliance game, where the majority of the security budget goes into making sure the organization meets the required controls. What this often leads to is security that looks good on paper but not in practice. Remember, just because you are compliant does not mean you are secure, but if you are secure you will be compliant.

Step by Step

So what can organizations do to be better prepared to respond to security threats?

• Understand where the weaknesses in your security posture are; • Implement detective capabilities to respond to security incidents; • Have a breach response plan detailing how you will communicate with your customers.

Unfortunately, there is no silver bullet for information security; there is no widget that you can implement that will protect you from all cyber-attacks. Don’t fall for pitches or solutions that promise such. It is only a layered approach that incorporates risk management and knowledge of your environment that leads to an increased level of security.

Understanding what your weaknesses and vulnerabilities are is the first step. By performing security assessment and penetration testing, we can learn where the holes are and take steps to mitigate them.

This applies to technical controls, but operational and management controls are just as important. I am not suggesting that you have to fix everything, which would be impossible. But by understanding what those risks are you can make informed business decisions. The key point is you will have the knowledge and information to make these decisions. I had one customer who did not want to perform these tests because they were scared of what they would find. Sticking your head in the sand and waiting to be breached is not the solution.

The second key is to have detective capabilities in order to be alerted when you are attacked and breached. I stated earlier that it is just a matter of time until your organization suffers a security compromise. In order to quickly respond and limit damage you need a comprehensive solution. This is a combination of intrusion detection and prevention tools, installed both internally and externally, forensics, detailed auditing and logging, and data correlation tools to take information from various information sources.

Lastly, you need a breach response plan. This should cover what you will do from a technical perspective, but also how you will inform customers and perhaps regulators. It is not fun to suffer one of these types of security incidents, but at least if you have processes and procedures, you will be able to limit the damage, both technically and from a public relations viewpoint.

While it is impossible to go over all the items that companies should be doing to better protect themselves, hopefully this article has given you some items to consider. My advice is to start by asking, when is the last time you had a real security assessment, not one just for compliance purposes? If you have not had one recently, start the process to have it performed.

You cannot protect and secure what you do not know about. Knowledge is key, and while security has a cost, it is much more costly to respond after the fact.

This article was originally published in the March issue of Global Gaming Business

iGaming in New Jersey - A Security Overview

This article was originally published on Pokerfuse on April 29th, 2014. Introduction

Recently, I was in New Jersey performing security testing required by the Division of Gaming Enforcement (DGE) for one of our iGaming customers. While I cannot speak to the specific results of that testing, I did perform a brief security survey on the majority of the iGaming sites operating in New Jersey.

Though only a limited test was performed using passive techniques, it is still useful to illustrate some of the security controls that are in place.

Overall, based on my examination it appears that most of the sites have implemented the security controls required by DGE regulation. Of course there is room for improvement in some areas, but that is to be expected.

Testing Approach

The testing was performed simply by creating accounts and then logging into the various iGaming applications and observing certain settings such as password requirements, encryption, and other security requirements.

In some cases a local proxy was used in order to examine the web traffic in order to determine if we observed anything strange that might pose a risk.

This survey was done in a very short time frame and though it should not be considered an authoritative review on the state of the security of New Jersey’s igaming operators, it does provide an in-depth look at some of the security mechanisms encountered by igaming customers.

Password Complexity

The primary mechanism that the sites utilize for authentication is username/password. The strength of the password is important to the overall security of this method.

Most of the sites have adequate password requirements. It is my opinion that the sites bear part of the burden in keeping their customer’s accounts safe. They must force the players to choose strong passwords, otherwise everybody’s password will be “poker”.

The most common requirement forces users to select passwords that have at least 8 characters, at least one number, one letter, and one special character. This is better than it was in the past, but still not strong enough. However, there were some that did not even meet these basic requirements. Golden Nugget Casino for example only requires a minimum of 6 characters.

Others such as Harrahs Casino have a password maximum length set at 12. There is no technical reason why password lengths should ever be capped, and to be honest 12 should be a starting point for a minimum length.

Strong Authentication

Simple password based authentication is the default choice for most of the sites. However, the New Jersey regulations state that the sites must give the player’s the choice to implement “strong authentication” (i.e. multifactor authentication). Practically all of the sites have implemented this feature that can usually be enabled by selecting it in your profile.

The method that most of the operators have used to implement this requirement is by sending a pin to the player’s registered mobile device. This pin must be entered after successful authentication via password.

This control dramatically increases the security and lowers the risk of a player’s account becoming compromised. However, not all multi-factor authentication implementations are created equal. While this type of multi-factor authentication is much better than simple password based authentication, there are even more sophisticated solutions.

Though stronger multi-factor authentication solutions exist, until customers and/or regulators require these types of solutions operators might delay implementation due to cost.

Also as seen in the figure above many of the sites have an option to send you an email every time your account is accessed or your last logon time is displayed when accessing the site. This is great for detecting and responding to account related attacks.

Account Lockout

Another good preventative tool is account lockout. After a certain number of attempts to logon unsuccessfully, a user’s account is locked out for a certain period of time.

This is a good mechanism to prevent against brute-force password attacks. Now since this could also be used to stop a user from logging-in what some of sites have implemented is a CAPTCHAor additional security questions.

Some operators such as Harrahs will send an additional token to your email on record that must be entered with the authentication credentials. These have similar outcomes in limiting the success of brute-force attacks.

Session Timeout

Yes, people will complain that they must log back into the application after a specified period of time, but it is for their own protection.

This is another requirement which is in the DGE regulations and all sites have implemented in one form or another.

Another related control is that some sites like partypoker have implemented is restricting multiple sessions.

Encryption

One of the most obvious things that people think about when it comes to security is SSL.

The general public has been trained to look for the “lock” and make sure it says HTTPSwhen conducting sensitive transactions on the Internet. It is no different with iGaming, and while SSL is not the silver bullet some people make it out to be, it is better to have it enabled then not. Luckily most of the iGaming sites such as Betfair do have it enabled by default, even on their home pages.

However during my survey I did notice that Harrahs did not seem to have it enabled. I used my proxy to inspect the HTTP requests and contrary to the server name being casino-nj.secured-igaming-services.com, it did not seem to have SSL enabled.

Heartbleed Vulnerability

The week I was in New Jersey a serious vulnerability impacting OpenSSL (i.e. Heartbleed) was made public. It made me curious and I briefly looked at the sites in New Jersey.

On April 8 only one site in New Jersey was vulnerable to the heartbleed issue. As of today, no sites in New Jersey appear to be vulnerable.

A note on this survey; only the primary sites were reviewed (most iGaming sites are made up of numerous servers) and the tool used to test the sites was a Firefox plugin that passively examines the server.

Summary

Only a few subsets of general security controls were examined during this survey. While some problems were detected it appears that the majority of the required security controls are in place on all of the sites.

Of course the only way for operators to know for sure what the security posture of their application looks like is to have a detailed independent test.

Compared to what the state of security was when I first started examined igaming sites in 2010 those in New Jersey have made great improvements.