iGaming

Odlanor Poker Spyware Analysis

There’s been a flurry of recent articles focused on the Odlanor spyware that reportedly targets online poker players. A news release regarding Odlanor from security firm ESET triggered coverage from sites such as Slashdot, Business Insider, and dozens of others.

Coverage blows threat out of proportion

But it seems that some in the media and the general poker population have blown this story out of proportion.

Headlines like “The great online poker scam” and “Hackers Use Malware to Cheat at Online Poker” make it appear that online poker players are facing a new (and immediate) risk of losing their money to malware-enabled cheating.

I have even heard from iGaming opponents that this is another reason as to why online poker should be banned.

Reality is far from headlines

The reality is that this piece of malware is no different from other client side attacks. These types of attacks that target users are not unique to the poker community.

It has been our experience when responding to breaches that the most common entry point into an organization’s network are users who have been compromised via a phishing attack or other client side attack that installs malware or a remote administration tool.  From there the attacker pivots to other systems on the network.

Large companies like Sony have been impacted by this attack, so it is not surprising that a certain percentage of online poker players are also affected.

Nor is the fact that Odlanor targets online poker sites in any way unique. Yes, as documented by ESET when they reverse engineered the malware using a disassembler (a tool used to determine what functions the code performs), there were specific calls that searched for Full Tilt and PokerStars program windows.

But there are countless examples of attacks in the past that targeted players with variations on remote access exploits in order to view a player’s hole cards.

Finally, it’s worth noting that ESET puts total observed Odlanor infection at “several hundred users.” According to Amaya, there were 2.3 million total active real-money users at PokerStars and Full Tilt in the second quarter of 2015.

Basic security steps significantly reduce any threat

Most of the time users are infected because they are not following best practices when it comes to computer security.

This article I wrote for Pokerfuse summarized the core habits poker players should internalize to minimize risk, including basic steps like:

  • Use antivirus (not 100% effective, as it is signature based).
  • Keep your system patched.
  • Use strong, unique passwords and logins.
  • Use two-factor authentication whenever possible.
  • Don’t click on links in suspicious emails.

However, probably the best advice is to use a dedicated system for playing online poker – either a separate physical system or a virtual machine dedicated to iGaming on your primary workstation.

Following this advice would make it far less likely that your gaming system will become compromised.

What steps can operators take?

Another question I have heard asked is why the poker sites are not taking any action against this threat.

The answer is because these attacks are targeted against the players, not the operator or the game servers.  There is little the operator can do.

The truth is that in regulated environments such as New Jersey there are information security requirements that operators must adhere to in order to secure the online gaming infrastructure and application.  Sites attempt to help protect players by forcing them to use strong passwords, making multi-factor authentication available, and performing data analysis in order to detect cheating.

But they can only do so much. Ultimately, the primary responsibility for protecting a player’s account lies with the player.

What is important to remember is that this is not a new threat. Online poker is no less safe than it was last week.  But it is an important reminder for players to remain vigilant and follow computer security best practices.

This article was originally published in the September issue of Online Poker Report.

iGaming in New Jersey - A Security Overview

This article was originally published on Pokerfuse on April 29th, 2014.

Introduction

Recently, I was in New Jersey performing security testing required by the Division of Gaming Enforcement (DGE) for one of our iGaming customers. While I cannot speak to the specific results of that testing, I did perform a brief security survey on the majority of the iGaming sites operating in New Jersey.

Though only a limited test was performed using passive techniques, it is still useful to illustrate some of the security controls that are in place.

Overall, based on my examination it appears that most of the sites have implemented the security controls required by DGE regulation. Of course there is room for improvement in some areas, but that is to be expected.

Testing Approach

The testing was performed simply by creating accounts and then logging into the various iGaming applications and observing certain settings such as password requirements, encryption, and other security requirements.

In some cases a local proxy was used in order to examine the web traffic in order to determine if we observed anything strange that might pose a risk.

This survey was done in a very short time frame, and though it should not be considered an authoritative review of the state of security of New Jersey’s iGaming operators, it does provide an in-depth look at some of the security mechanisms encountered by iGaming customers.

Password Complexity

The primary mechanism that the sites utilize for authentication is username/password. The strength of the password is important to the overall security of this method.

Most of the sites have adequate password requirements. It is my opinion that the sites bear part of the burden in keeping their customers’ accounts safe. They must force the players to choose strong passwords, otherwise everybody’s password will be “poker”.

The most common requirement forces users to select passwords that have at least 8 characters, at least one number, one letter, and one special character. This is better than it was in the past, but still not strong enough. However, there were some that did not even meet these basic requirements. Golden Nugget Casino for example only requires a minimum of 6 characters.

Others such as Harrahs Casino have a password maximum length set at 12. There is no technical reason why password lengths should ever be capped, and to be honest 12 should be a starting point for a minimum length.

Strong Authentication

Simple password based authentication is the default choice for most of the sites. However, the New Jersey regulations state that the sites must give the players the choice to implement “strong authentication” (i.e. multifactor authentication). Practically all of the sites have implemented this feature, which can usually be enabled by selecting it in your profile.

The method that most of the operators have used to implement this requirement is sending a PIN to the player’s registered mobile device. This PIN must be entered after successful authentication via password.

This control dramatically increases the security and lowers the risk of a player’s account becoming compromised. However, not all multi-factor authentication implementations are created equal. While this type of multi-factor authentication is much better than simple password based authentication, there are even more sophisticated solutions.

Though stronger multi-factor authentication solutions exist, until customers and/or regulators require these types of solutions operators might delay implementation due to cost.

Also as seen in the figure above many of the sites have an option to send you an email every time your account is accessed or your last logon time is displayed when accessing the site. This is great for detecting and responding to account related attacks.

Account Lockout

Another good preventative tool is account lockout. After a certain number of attempts to logon unsuccessfully, a user’s account is locked out for a certain period of time.

This is a good mechanism to prevent brute-force password attacks. Since lockout could also be used to stop a legitimate user from logging in, what some of the sites have implemented instead is a CAPTCHA or additional security questions.

Some operators such as Harrahs will send an additional token to your email on record that must be entered with the authentication credentials. These have similar outcomes in limiting the success of brute-force attacks.
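The trade-off described above, as an added example that is not any operator’s code: a failed-login guard that either hard-locks an account after a burst of failures for a window, or (the CAPTCHA/security-question variant) keeps the account usable but requires an extra challenge. The threshold, window, account name and challenge flag are assumptions for illustration.

```javascript
// Added example, not from the article or any operator. Threshold and window are assumed values.
const MAX_FAILURES = 5;
const LOCKOUT_MS = 15 * 60 * 1000;

class LoginGuard {
  // mode: "lockout" (hard lock for LOCKOUT_MS) or "challenge" (require CAPTCHA/security question).
  // now: injectable clock so the window can be simulated without waiting.
  constructor({ mode = "lockout", now = () => Date.now() } = {}) {
    this.mode = mode;
    this.now = now;
    this.state = new Map(); // username -> { failures, lockedUntil }
  }
  entry(user) {
    if (!this.state.has(user)) this.state.set(user, { failures: 0, lockedUntil: 0 });
    return this.state.get(user);
  }
  // Called before the password is checked. Returns "allow", "locked" or "challenge".
  check(user, challengePassed = false) {
    const e = this.entry(user);
    if (e.lockedUntil !== 0 && this.now() >= e.lockedUntil) {
      e.failures = 0; // window expired: counters reset
      e.lockedUntil = 0;
    }
    if (e.failures < MAX_FAILURES) return "allow";
    if (this.mode === "lockout") return "locked";
    return challengePassed ? "allow" : "challenge";
  }
  recordFailure(user) {
    const e = this.entry(user);
    e.failures += 1;
    if (e.failures >= MAX_FAILURES) e.lockedUntil = this.now() + LOCKOUT_MS;
  }
  recordSuccess(user) { this.state.delete(user); }
}

// Constructed scenario: a burst of wrong passwords against one account (whoever sent them),
// then the real account holder tries to log in, with and without completing the challenge,
// and again after the window has passed.
function simulate(mode) {
  let t = 0;
  const guard = new LoginGuard({ mode, now: () => t });
  for (let i = 0; i < MAX_FAILURES; i++) { guard.check("player1"); guard.recordFailure("player1"); }
  const afterBurst = guard.check("player1");          // legitimate user, no challenge answered
  const withChallenge = guard.check("player1", true); // legitimate user, challenge answered
  t += LOCKOUT_MS;
  const afterWindow = guard.check("player1");
  return { afterBurst, withChallenge, afterWindow };
}
```

In "lockout" mode the real user is shut out for the whole window even after answering a challenge, which is the denial-of-service side effect the article notes; "challenge" mode blocks the automated guessing while still letting the account holder in.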

Session Timeout

Yes, people will complain that they must log back into the application after a specified period of time, but it is for their own protection.

This is another requirement which is in the DGE regulations and all sites have implemented in one form or another.

Another related control that some sites like partypoker have implemented is restricting multiple sessions.

Encryption

One of the most obvious things that people think about when it comes to security is SSL.

The general public has been trained to look for the “lock” and make sure it says HTTPS when conducting sensitive transactions on the Internet. It is no different with iGaming, and while SSL is not the silver bullet some people make it out to be, it is better to have it enabled than not. Luckily most of the iGaming sites such as Betfair do have it enabled by default, even on their home pages.

However during my survey I did notice that Harrahs did not seem to have it enabled. I used my proxy to inspect the HTTP requests and contrary to the server name being casino-nj.secured-igaming-services.com, it did not seem to have SSL enabled.

Heartbleed Vulnerability

The week I was in New Jersey a serious vulnerability impacting OpenSSL (i.e. Heartbleed) was made public. It made me curious and I briefly looked at the sites in New Jersey.

On April 8 only one site in New Jersey was vulnerable to the Heartbleed issue. As of today, no sites in New Jersey appear to be vulnerable.

A note on this survey; only the primary sites were reviewed (most iGaming sites are made up of numerous servers) and the tool used to test the sites was a Firefox plugin that passively examines the server.

Summary

Only a few subsets of general security controls were examined during this survey. While some problems were detected it appears that the majority of the required security controls are in place on all of the sites.

Of course the only way for operators to know for sure what the security posture of their application looks like is to have a detailed independent test.

Compared to what the state of security was when I first started examining iGaming sites in 2010, those in New Jersey have made great improvements.


Betfair Client-side Validation

Data validation is often an important step in modern web applications, both for functionality and security purposes.  For example, if a user is required to enter a phone number in a form it makes sense to validate that it has the right number of digits and only contains numerical data.  If entered incorrectly a message can be displayed back to the user requesting them to fix their error. There are two primary types of data validation, client-side and server-side.  Client-side validation is carried out in the user’s browser.  This is often done using something like JavaScript or HTML5 attributes.  The problem with client-side validation is that it can often easily be bypassed.  This is where server-side validation comes to the rescue.  In server-side validation the user’s input is examined at the server level, rather than in the user’s browser.  This method is much more secure; one of the keys to secure programming is not to trust the user.  It is often recommended to initially perform client-side validation, but then also perform server-side validation too.

This leads to an example of data validation being performed incorrectly in the Betfair iGaming New Jersey web application.  During the user registration process a password must be selected.  The password must meet certain requirements (8 characters, 1 number, 1 special character, 1 uppercase).  The web form does perform both client-side and server-side validation during this initial registration process in order to validate the password.

However, once a user and password have been created, the user has the option to change their password from within the application.  This is where the developers made a mistake and only performed client-side validation.  As you can see in the figure below, when a weak password is entered client-side validation occurs and a “weak” password cannot be used.

A password that meets the requirements (P@ssword1) is then entered and the data is validated correctly on the client side.

But, before submitting the POST request to the server it is intercepted using a local proxy.  Below you can see the original request with the password value being P@ssword1.

Before we pass the request on to the server we modify the password value to pass.  This is a password that should not be accepted as it does not meet Betfair’s password requirements.

The request is forwarded on to the server and as you can see in the figure below the password was changed successfully.

In order to show that the password was changed to an invalid value we then log into the application using the new password, as seen below.

The login is successful!

While in this example there is not much risk (all the user can do is bypass the data validation and select a password that does not meet the password requirements), if the developers made this mistake in this area it is possible that similar errors in data validation were made in more sensitive and important components of the application.
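The defect described in this section, as an added example that is neither Betfair’s code nor from the article: the password policy the page states (8 characters, 1 number, 1 special character, 1 uppercase) checked in the browser, a change-password handler that trusts that check, and the hardened handler that re-validates the POST body. It also applies the Password Complexity section’s point by setting no maximum length. Function names, the user name and the in-memory store are assumptions for illustration.

```javascript
// Added example, not Betfair's code. Policy values come from the article; everything else is assumed.

// Policy shared by both sides. No maximum length: capping length only weakens passwords.
function passwordMeetsPolicy(pw) {
  if (typeof pw !== "string") return false;
  return pw.length >= 8 &&
    /[0-9]/.test(pw) &&
    /[A-Z]/.test(pw) &&
    /[^A-Za-z0-9]/.test(pw);
}

// Client side: what the browser runs before submitting the form. It improves the user
// experience only; the POST body can still be altered after this runs (local proxy, curl, etc.).
function clientSideChangePassword(form, send) {
  if (!passwordMeetsPolicy(form.newPassword)) {
    return { submitted: false, message: "weak password" };
  }
  return { submitted: true, response: send(form) };
}

// Vulnerable server handler: assumes the client already validated and stores whatever arrives.
function vulnerableChangePasswordHandler(store, body) {
  store[body.user] = body.newPassword; // a real application stores a salted hash, not the value
  return { status: 200, message: "password changed" };
}

// Hardened server handler: the POST body is untrusted input, so the policy is re-checked here.
function hardenedChangePasswordHandler(store, body) {
  if (!passwordMeetsPolicy(body.newPassword)) {
    return { status: 400, message: "password does not meet requirements" };
  }
  store[body.user] = body.newPassword;
  return { status: 200, message: "password changed" };
}

// Regression test a developer would keep: the browser check passes on P@ssword1, then the body
// the server actually receives carries "pass" (the modified value from the article's figure).
function replayTamperedRequest(handler) {
  const store = {};
  const tamper = (body) => ({ ...body, newPassword: "pass" });
  const result = clientSideChangePassword(
    { user: "player1", newPassword: "P@ssword1" },
    (body) => handler(store, tamper(body)) // the server never sees the value the browser validated
  );
  return { status: result.response.status, stored: store.player1 };
}
```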

As a note, Betfair was notified of this issue at the end of March.