Issue 3 - SeNet International Corporation
SeNet International Corporation
SENET GAMING SECURITY NEWSLETTER
Don't Gamble with Security
Volume 1, Issue III, June 2013

IN THIS ISSUE
Improving Critical Infrastructure Cyber Security and How it Relates to iGaming
LiveAce
The Hidden Security Risks of Social Media

Improving Critical Infrastructure Cyber Security and How it Relates to iGaming
By Gus Fritschie

On February 12, 2013 President Obama issued Executive Order 13636. Among other items, this order recognized the need for improvement in cyber security, directed the National Institute of Standards and Technology (NIST) to create a framework to be followed, and encouraged sharing of information between private companies and the Government. One week later gaming stakeholders and interested parties convened in Las Vegas, Nevada for the iGaming North America (IGNA) conference. While there was much talk of liquidity, state rights, and the possibility of Federal regulation, there was precious little discussion on the subject of information security. What can the iGaming industry learn from the current Federal initiatives in cyber security, and how can it avoid the mistakes that have been made before?

One thing that is clear is that cyber security is in the news, from the advanced persistent threat (APT) and attacks from China to social networking services, such as LinkedIn and Evernote, being compromised. Even the Federal Reserve of the United States had a recent security breach. The media has jumped on these stories for a variety of reasons, and yes, sensationalism has been one of them. The iGaming sector is an area that the mainstream media (and for that matter the information security news outlets) have ignored. This is not because it is safe from threats; one need only read sites, such as two-plus-two, that focus on gaming and poker.

If iGaming is to succeed in the highly regulated environment of the United States, it has to learn from and address the security issues that were encountered in the past (for example, the Absolute/Ultimate Bet backdoor, and Cake and other sites not implementing encryption and SSL correctly). The gaming industry understands this, and the various regulatory bodies have standards, including security standards, which the sites must meet. Unfortunately, each regulatory body has adopted different standards to which the operators and players must adhere. Often these standards are not as strict as they need to be. Compare this to the above-mentioned executive order, where NIST was given the authority to create a framework for all critical infrastructure organizations. Here we have a central authority that is responsible for setting and enforcing standards.

Of course, regulation and compliance enforcement are not the silver bullets that will eliminate security breaches. There are plenty of companies and organizations that have been tested for compliance with security standards, such as those established by PCI and FISMA, but have still been subjected to security compromises. The primary reason for this is that these companies limit their security goals and activities to compliance with standards. The same trend has already been observed in the iGaming space. I recently had an individual from one of the major testing labs tell me that they have to be careful to test only to what the standard requires, no more. Unless the sites begin to go above and beyond what the regulations require, they will suffer the same fate as many companies in other sectors that view compliance as just checking a box. Regulation alone can't make the sites secure, but it is a necessary starting point.

An interesting part of the executive order was the section encouraging information sharing between commercial entities and the Federal government. While this is a part of the order that some critical infrastructure organizations are not fond of, I believe it does make sense. Perhaps not as damaging as an attack against critical infrastructure, a significant breach against one of the iGaming sites may have dire consequences for the entire industry. Imagine if one of the online poker sites suffered an attack where players' hole cards could be viewed. Even though only one site was affected, the general public's perception of the safety and integrity of the overall industry could be greatly compromised. I am not suggesting that competitors give away their trade secrets, but sharing information in certain areas would have its benefits. For example, if operators were to share distributed denial of service (DDoS) threats and attack vectors, or if they discussed how they were detecting the latest bots and collusion attempts, the industry would become more mature and respected due to its greatly improved security posture. Perhaps this type of activity already takes place and you have Poker Stars, for example, sharing security information with Bodog, but I doubt it. Before critics claim that this does not happen in other industries, I am here to tell you that it does. For example, one of my customers is in the railroad industry, and the major railroads' heads of security meet on a regular basis to discuss what each is doing and learn what improvements they can make.

I am not going to lie: security comes at an expense. The $64,000 question is: would players pay more for using a site that they knew took extra steps to verify and ensure the security of the gaming platform and environment? Unfortunately, businesses often look at this additional cost and, because they do not see an immediate return on their investment, it is one of the first items to get cut. This does not occur just in gaming. Under competitive pressure to cut costs, security sometimes becomes the victim. The more visionary site owners do take security seriously, and I have had gaming customers come to me because they don't want to just comply with regulations and minimum internal control standards, but make sure their systems are actually protected. Would customers be willing to pay ten cents more in rake if that meant that the code was undergoing security reviews on a regular basis, that monthly vulnerability assessments were occurring, and that other security mechanisms were in place? I am not sure, and the argument can be made that they should not have to. However, unless these types of continuous monitoring approaches are mandated, I don't believe it will be done unless a portion of that cost can be passed on. Operators should realize, though, that they are only going to get one chance.

LiveAce
By Gus Fritschie

LiveAce is a subscription-based online poker site that allows players to play in ring games (limit hold'em, no limit hold'em, pot limit omaha) and convert their chips into cash and valuable prizes. The team at LiveAce recognized the need for security in their application and software early in the SDLC process. LiveAce contracted with SeNet to perform independent third-party vulnerability testing. The testing was performed in two phases, one from a web application testing perspective and the second involving a review of the source code.

During the web application assessment SeNet IT Security experts examined not only the gaming functions but also the backend features such as player registration and player profiles. We utilized automated web application vulnerability scanning tools to examine the site as well as proxy software to intercept and modify HTTP requests in an attempt to perform privilege escalation and affect the gameplay. SeNet IT Security experts also conducted a security review of the online gaming application source code. We then produced a detailed report which provided the management and technical staff at LiveAce an overview of potential vulnerabilities with mitigation suggestions and allowed them to make informed risk-based decisions.

As LiveAce continues to grow and mature they plan to continue to utilize SeNet to perform periodic security testing and advise them on matters related to information security. Please contact us for how we can help your organization with similar tasks, and feel free to reach out to LiveAce to get their view on SeNet's performance.

And remember: "Don't Gamble with Security"(TM)

The Hidden Security Risks of Social Media
By Gus Fritschie

Social media and social networking play an important part in our lives, both personally and in business. Facebook, LinkedIn, and Twitter are names and services that the majority of us use, including those involved in the iGaming and poker industry. Of course, when using these types of sites you have to accept a certain amount of risk, as most have had issues related to privacy and in some cases even security breaches. Issues and vulnerabilities in social networking platforms have been well documented and publicized, but the risks that users of these sites face offline have been largely underreported. While in some instances there is good reason to publicly disclose personal information (e.g., marketing), people need to be made aware of the risks involved. This is especially true for professional poker players, who are known to carry large sums of cash or other valuables.

Individual Mapping

Let's start with Twitter, as it is one of the more interesting sites in my opinion. Geotagging is one of the more popular practices that often leaks users' information without their knowledge.
Wikipedia defines geotagging as: "... the process of adding geographical identification metadata to various media such as a geotagged photograph or video, websites, SMS messages, QR Codes or RSS feeds and is a form of geospatial metadata. This data usually consists of latitude and longitude coordinates, though they can also include altitude, bearing, distance, accuracy data, and place names."

There are many devices, including digital cameras and mobile phones, that perform geotagging. Some have the feature enabled by default and in other cases it has to be enabled by the user. From the brief review I performed it seems that the majority of poker players do not have geotagging enabled on the pictures they upload to Twitter. The most likely reason is that the latest phones have this feature disabled by default. However, there are some who have geotagging enabled, either on purpose or by mistake.

We will pick on everybody's favorite poker player tweeter (well, at least mine), Jean-Robert Bellande, @BrokeLivingJRB. Jean-Robert likes to use Twitter to promote which celebrities he is hanging out with and where he is currently playing some cards. Now, much of this isn't sensitive, but there are some cases where information unintentionally leaks out. A number of tools are available that can use this metadata to map out an individual's location. Creepy is an application that allows you to gather geolocation-related information about users from social networking platforms and image hosting services. In the figure below we use the tool to query based on Jean-Robert's Twitter handle.

As you can see, a lot of information is returned. By selecting one of his posts you can visually see where he was. In this case, he was at the PCA in the Bahamas. This, along with other tweets about playing poker at the Aria, is not that sensitive. However, let's look at one he tweeted over the holidays while visiting his family. While Jean-Robert's life may be public, I'm sure his family's home location is not.

With applications like this it is easy for malicious users to target a person for criminal purposes. For example, let's say you tweet a picture of your chip stack from an underground game. If somebody is targeting you, they now have the physical location of where you are, and know how much money you have on you.

Jean-Robert is not the only known poker player to have geotagging enabled. Another example is Sam Trickett, @Samtrickett1. Below is a screenshot from when he posted while playing in a tournament in Italy. This data from Creepy can also be imported into a mapping tool like Google Earth for further interrogation.

[Jean-Robert Bellande and Sam Trickett were contacted prior to the publication of this article so they were made aware of the issue and could take appropriate steps. At the request of Bellande, we blurred out lat/long locations and the map of his family home, and helped him remove the information from his Twitter account.]

Across Social Networks

Another tool that does something similar is called PushPin. But unlike Creepy, which takes a user's name as input, PushPin takes a location and then queries multiple sites including Twitter, YouTube and Instagram to pull additional information. The figure below shows a screenshot of the tool running with the GPS coordinates of a location that many of you are probably familiar with. The tool maps the data into two different tabs in your browser. The first shows the locations on a map and the second shows the media that was accessed. By hovering over the push pin on the map you see who was where, and when. Reading through all of the tweets from Vegas can make for an interesting time.
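The geotag that tools like Creepy and PushPin map is carried in the photo itself, in the Exif GPS tags (GPSLatitude/GPSLongitude as degree, minute and second fractions plus N/S and E/W references). The following is an added example, not code from the newsletter or from either tool: it parses the Exif TIFF block, returns the decimal coordinates that would be plotted, and strips the GPS block so a photo can be checked and cleaned before it is posted. The function names and the sample metadata (built by `build_sample` with made-up Las Vegas area coordinates) are this example's own constructions.

```python
import struct

GPS_POINTER = 0x8825                     # IFD0 tag that points at the GPS sub-IFD
LAT_REF, LAT, LON_REF, LON = 1, 2, 3, 4  # GPS tags; refs are inline ASCII "N"/"S", "E"/"W"
def _ifd(tiff, off, e):
    """{tag: (count, value_or_offset, raw 12-byte entry)} for the IFD at off."""
    n = struct.unpack_from(e + "H", tiff, off)[0]
    return {struct.unpack_from(e + "H", tiff, p)[0]:
            struct.unpack_from(e + "II", tiff, p + 4) + (tiff[p:p + 12],)
            for p in range(off + 2, off + 2 + 12 * n, 12)}
def _dms(tiff, off, e):                  # three RATIONALs (deg, min, sec) -> decimal degrees
    r = struct.unpack_from(e + "6I", tiff, off)
    return sum(r[i] / (r[i + 1] or 1) / f for i, f in ((0, 1), (2, 60), (4, 3600)))
def extract_gps(tiff):
    """(lat, lon) in signed decimal degrees, or None when the photo has no geotag."""
    e = "<" if tiff[:2] == b"II" else ">"
    ifd0 = _ifd(tiff, struct.unpack_from(e + "I", tiff, 4)[0], e)
    gps = _ifd(tiff, ifd0[GPS_POINTER][1], e) if GPS_POINTER in ifd0 else {}
    if not {LAT_REF, LAT, LON_REF, LON} <= set(gps):
        return None
    lat = _dms(tiff, gps[LAT][1], e) * (-1 if gps[LAT_REF][2][8:9] == b"S" else 1)
    lon = _dms(tiff, gps[LON][1], e) * (-1 if gps[LON_REF][2][8:9] == b"W" else 1)
    return lat, lon
def strip_gps(tiff):
    """Copy of tiff with the GPS pointer dropped from IFD0 and the GPS block zeroed."""
    e = "<" if tiff[:2] == b"II" else ">"
    out, off = bytearray(tiff), struct.unpack_from(e + "I", tiff, 4)[0]
    ifd0 = _ifd(tiff, off, e)
    if GPS_POINTER in ifd0:
        gps_off = ifd0[GPS_POINTER][1]
        gps = _ifd(tiff, gps_off, e)
        for tag in (LAT, LON):           # coordinate rationals live outside the sub-IFD
            if tag in gps:
                out[gps[tag][1]:gps[tag][1] + 24] = bytes(24)
        out[gps_off:gps_off + 6 + 12 * len(gps)] = bytes(6 + 12 * len(gps))
    kept = [v[2] for t, v in ifd0.items() if t != GPS_POINTER]
    size = 6 + 12 * len(ifd0)            # entry count + entries + next-IFD link
    # Rewrite IFD0 in place, zero-padding the freed tail so other absolute offsets hold.
    new = struct.pack(e + "H", len(kept)) + b"".join(kept) + tiff[off + size - 4:off + size]
    out[off:off + size] = new.ljust(size, b"\0")
    return bytes(out)
def build_sample(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed minimal little-endian Exif TIFF: IFD0 -> GPS IFD -> coordinate data."""
    gps_off, data_off = 26, 80           # IFD0 (one entry) ends at 26, GPS IFD at 80
    ent = lambda tag, typ, cnt, val: struct.pack("<HHI", tag, typ, cnt) + val
    rat = lambda dms: b"".join(struct.pack("<II", v, 1) for v in dms)
    ifd0 = struct.pack("<H", 1) + ent(GPS_POINTER, 4, 1, struct.pack("<I", gps_off)) + bytes(4)
    gps = (struct.pack("<H", 4) + ent(LAT_REF, 2, 2, lat_ref.encode().ljust(4, b"\0"))
           + ent(LAT, 5, 3, struct.pack("<I", data_off))
           + ent(LON_REF, 2, 2, lon_ref.encode().ljust(4, b"\0"))
           + ent(LON, 5, 3, struct.pack("<I", data_off + 24)) + bytes(4))
    return b"II*\0" + struct.pack("<I", 8) + ifd0 + gps + rat(lat_dms) + rat(lon_dms)
# Constructed sample (no real person's location): 36 06'30" N, 115 10'20" W
SAMPLE = build_sample((36, 6, 30), "N", (115, 10, 20), "W")
```

In a JPEG this TIFF block sits inside the Exif APP1 segment directly after the six-byte "Exif\0\0" marker, so the same functions apply to a real photo once that segment has been located.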
While most of this information seems innocent, if somebody were to put together pieces from various sources they could begin to build a profile of you. This information can then be used in social engineering attacks, scams, and potentially even more serious crimes.

How to Protect Yourself

It is important to be aware of what information you are sharing on social media, and to limit posting information that could be used to harm you. Make sure that geotagging is disabled unless you are using it for a business purpose. On Twitter, there is an option in your account settings to remove the location from all previous tweets. Always treat whatever you post as public information. A future article will explore how other sites such as Facebook and LinkedIn can be used for data mining purposes, and how that information can be used in other types of social engineering attacks.

Comprehensive List of SeNet's Information Security Services

Penetration Testing and Vulnerability Analysis
  Using the latest set of automated tools combined with manual techniques, SeNet will evaluate the security of your IT infrastructure both from an external point of view ("Penetration Testing") and from within your security perimeter ("Internal Vulnerability Analysis").

Compliance Verification & Validation
  SeNet will verify that your implemented IT security controls (management, operational and technical) meet and exceed the guidelines and requirements which apply to your business (e.g., HIPAA, GLB, SOX, FISMA, PCI, etc.). Our security analysts will point out gaps and suggest the most effective means to bridge them.

Application Code Security Review
  Using state-of-the-art automated code scanning tools, our expert application security testers will identify potential application security vulnerabilities and then manually verify them. They will work with your programmers to correct these errors and suggest better coding techniques.
Secure Applications Engineering (SAE)
  We believe that security should be incorporated into the application life cycle from its inception and not as an add-on once it is getting close to being deployed. SeNet provides application design services that integrate "touch points" into the design process of your mission-critical software applications. Some of these services include requirements definition, procurement and source selection assistance, independent testing, and development of key security modules.

Ongoing IT Security Operations
  SeNet security administrators conduct day-to-day IT security operations including continuous security monitoring, user account maintenance, configuration, log reviews, and responding to incidents.

IT Security Architecture Development
  SeNet's Security Architects and Engineers will identify the most effective security means based on a thorough analysis of your business and technical needs. The resulting security architecture will incorporate multiple measures ("Defense in Depth") to accommodate the needs of your mission while ensuring compliance with mandated requirements and best industry practices.

Security Products Integration
  SeNet Security Engineers will install and configure IT security devices, such as firewalls, IDS/IPS and user authentication tools, on your IT infrastructure, including outsourced or hosted facilities. We will verify that they operate properly and in accordance with your organization's security policy.

Physical Security
  SeNet's professionals will analyze your facility's physical security posture, identify deficiencies and propose measures for strengthening the facility's protection. We can also implement the recommended improvements.

Business Continuity/Disaster Recovery Planning
  SeNet Security Analysts will evaluate your business needs and help you develop a strategy and measures to recover from natural and man-made disasters. We will develop the procedures and help you run readiness exercises to ensure that your IT staff and end users are familiar with them.

End User and Admin-level Security Awareness Training
  Security breaches often occur, despite the latest technical security measures being in place, as a result of end-user carelessness or IT staff lack of knowledge. SeNet will devise a security awareness training and education program that suits your IT infrastructure, your end-user environment and organizational culture. We will then deliver the training using modalities best suited to your budget and logistical constraints.