Getting F***** On The River - DEF CON


Getting F***** on the River
Gus Fritschie and Steve Witmer, with help from Mike Wright and JD Durick
August 6, 2011

Presentation Overview

Preflop
- Who We Are
- What is Online Poker
- Online Poker History
- Current Events

Flop: Past Vulnerabilities
- RNG
- SuperUser
- SSL
- Account Compromise
- Poker Bots

Turn
- Online Poker Architecture
- Poker Client Rootkit
- Web Application Vulnerabilities
- Authentication Vulnerabilities
- Attacking Supporting Infrastructure

River
- Defenses – Application
- Defenses – User
- Next Steps in Research
- Conclusion
- Questions

Preflop
SeNet International Corp. 2011, August 2011

Who We Are – SeNet International
SeNet International is a small business founded in 1998 to deliver network and information security consulting services to government and commercial clients.
- High-end consulting services focus
- Proven solution delivery methodology: contract execution framework for consistency and quality; technical, management, and quality assurance components
- Exceptional qualifications: government certification and accreditation support; network integration; security compliance verification and validation; security program development with business case justifications; complex security designs and optimized deployments
- Executive team: security industry reputation and active project leadership
- Expertise with leading security product vendors, technologies, and best practices
- Advanced degrees, proper clearances, standards organization memberships, and IT certifications
- Corporate resources: located in Fairfax, Virginia; fully equipped security lab; over 40 full-time security professionals

Who We Are – Gus Fritschie
CTO of a security consulting firm based in the DC metro area. Enjoys penetrating government networks (with their permission), playing golf (business development) and teaching my daughter to gamble.

Who We Are – Steve Witmer
Sr. Security Analyst in the Northern Virginia area working for a small company supporting government contracts. Responsible for conducting application assessments, penetration testing, secure configuration reviews, NIST C&A/ST&E and other security mumbo jumbo. Prior to his current job, Steve spent 5 years as a road warrior working for clients all over the world ranging from Fortune 500 to churches and delivering any kind of engagement a client would pay for: aka, a security whore. He enjoys scuba diving and big speakers.

Who We Are – Mike Wright
Contractor for the United States Coast Guard (blame them for not seeing my pretty face tonight) and security consultant. Hobbies include the broad spectrum of Information Technology, but more geared towards security and hacking around. Currently trying to bleach my hat white but still seeing shades of gray.

Who We Are – JD Durick
Digital forensics examiner in the northern Virginia area working for a large defense contractor. Responsible for conducting network forensics as well as hard drive and malware analysis on network-based intrusions involving commercial computer systems. Experience as a software engineer, network security consultant, government INFOSEC engineer, and digital forensic examiner for the past 15 years.

What is Online Poker

Online Poker Timeline
- Early 90's – IRC Poker is the 1st virtual poker
- 1998 – Planet Poker launched, 1st real money site
- 1999 – Kahnawake Gaming Commission regulations
- 2000 – UB launches
- 2001 – Party Poker and Poker Stars
- 2003 – Moneymaker and the poker boom
- 2004 – Full Tilt Poker
- 2005 – Online poker becomes a 2 billion dollar industry
- 2006 – UIGEA
- 2007 – UB/AP cheating scandal
- 2010 – Online poker industry reaches 6 billion
- 2011 – 4/15 Black Friday

Online Poker Current Events
- DOJ has seized the following poker sites on charges of illegal gambling and money laundering: Poker Stars, Full Tilt, UB/Absolute, and Doyles Room
- Poker Stars has paid players; no other site has.
- Development of new features and functionality seems to be in a holding pattern.

Online Poker Revenue (chart slide; image not in transcription)

Online Poker Revenue (Cont.)
In other words, there is a lot of money in online poker.

Regulation\Compliance
- For an industry that makes a decent amount of revenue there is little to no regulation\compliance.
- Isle of Man Gambling Supervision Commission and Kahnawake Gaming Commission
- Party Poker and other sites do not allow players from the USA, and in certain countries (i.e. UK) it is regulated and taxed.
"Licensed and regulated by the Government of Gibraltar, our games are powered by the bwin.party systems which are independently tested to ensure that our games operate correctly, are fair, their outcomes are not predictable and that the system is reliable, resilient and otherwise up to the highest standards of software integrity, including access control, change control recording, fingerprinting of the executables and regular monitoring of all critical components of our systems."

Regulation\Compliance (Cont.)
There is a need for compliance-related activities if online poker is to become regulated and safe to play in the USA. A standard needs to be developed, and companies that provide these services need to be audited, not just from the financial perspective but from the technical perspective. Why will this happen?

Regulation\Compliance (Cont.)
Because there is a lot of money in online poker.

Flop

Past Vulnerabilities
- Random Number Generator Vulnerability
- UB/Absolute Super User Issue
- SSL Exploit
- Misc. Account Compromise
- Poker Bots

Random Number Generator Vulnerability
- Documented in 1999 and originally published on Developer.com
- PlanetPoker had published their shuffling algorithm to demonstrate the game's integrity
- ASF Software developed the shuffling algorithm

Random Number Generator Vulnerability (Cont.)
- In a real deck of cards there are 52! (approximately 2^226) possible unique shuffles.
- In their algorithm only 4 billion possible shuffles can result.
- The random number generator was seeded using the Pascal function Randomize().
- That reduces the number to 86,400,000.
- They were able to reduce the number of possible combinations down to a number on the order of 200,000 possibilities.
- Based on the five known cards, their program searched through the few hundred thousand possible shuffles to determine the correct one.
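The point of the slide is that a shuffle can never be more unpredictable than the seed that drives it, whatever the size of 52!. The following is an added illustration, not code from the talk or from ASF Software: it computes the entropy bound from the slide's own numbers, shuffles a deck with a constructed toy PRNG driven by a small integer seed (standing in for the millisecond clock), shows that a handful of exposed cards identifies the seed and therefore the whole deck, and contrasts that with a shuffle drawn from the operating system's CSPRNG. The seed space of 10,000 used in the demonstration is a constructed size chosen so it runs in well under a second; the lesson is identical at 86,400,000.

```python
"""Seed entropy bounds shuffle entropy: added illustration of the 1999
PlanetPoker/ASF finding.  Not the talk's or ASF's code; the deck encoding,
the toy seeded shuffle and the seed-space sizes are constructed here."""
import math
import random
import secrets

# 52-card deck as two-character strings, e.g. "As" = ace of spades (constructed encoding)
DECK = [f"{rank}{suit}" for suit in "shdc" for rank in "23456789TJQKA"]


def shuffle_entropy_bits(seed_space):
    """Upper bound on the unpredictability of a shuffle, in bits: the smaller of
    log2(number of possible seeds) and log2(52!).  With the slide's figures,
    86,400,000 seeds give about 26 bits, far below the ~225.6 bits of 52!."""
    return min(math.log2(seed_space), math.log2(math.factorial(52)))


def weak_shuffle(seed):
    """Deterministic shuffle driven entirely by a small integer seed.  This
    models a game server that seeds its PRNG from the clock (Randomize()):
    the same seed always yields the same deck."""
    rng = random.Random(seed)
    deck = DECK.copy()
    rng.shuffle(deck)
    return deck


def recover_seed(known_cards, seed_space):
    """Given the first len(known_cards) dealt cards, return every seed in the
    space that reproduces them.  This is the integrity test a reviewer would
    run against a proposed shuffler: if a few visible cards pin the seed to
    one candidate, the remaining deck is determined, not random."""
    n = len(known_cards)
    known = list(known_cards)
    return [s for s in range(seed_space) if weak_shuffle(s)[:n] == known]


def strong_shuffle():
    """Shuffle using the OS cryptographic random source.  There is no
    enumerable seed, so the search in recover_seed() has nothing to walk."""
    rng = secrets.SystemRandom()
    deck = DECK.copy()
    rng.shuffle(deck)
    return deck


if __name__ == "__main__":
    print(f"52! has {math.log2(math.factorial(52)):.2f} bits")
    print(f"86,400,000 seeds cap a shuffle at {shuffle_entropy_bits(86_400_000):.2f} bits")
    dealt = weak_shuffle(4242)          # server seeded with clock value 4242 (constructed)
    print("seeds matching 5 known cards:", recover_seed(dealt[:5], 10_000))
```

Reading the numbers: 52! is roughly 2^225.6, so even a 32-bit seed (the slide's "4 billion") caps the shuffle at 32 bits, and seeding from milliseconds since midnight caps it at about 26.4 bits. Only the seed source matters; swapping in a better shuffle algorithm with the same seed changes nothing. The audit in recover_seed() is the check to ask a vendor to pass, with a realistic seed space, before trusting a published "fairness" statement.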

Random Number Generator Vulnerability (Cont.)
- These days companies have their RNG audited by reputable 3rd parties.
- From the Poker Stars site: "Cigital, the largest consulting firm specializing in software security and quality, has confirmed the reliability and security of the random number generator (RNG) that PokerStars uses to shuffle cards on its online poker site, showing the solution meets or exceeds best practices in generating unpredictable and statistically random values for dealing cards."
- Do you believe this?

UB/Absolute Super User Issue
- Full story is almost like a soap opera.
- Cheating is thought to have occurred between 2004-2008, when members of an online poker forum began investigating.
- Still actively being investigated by people such as Haley (http://haleyspokerblog.blogspot.com/).

UB/Absolute Super User Issue (Cont.)
- Story is that the owner suspected cheating and asked the software developer to put in a tool to "help catch the cheaters".
- Hired an independent contractor to put in a tool which became known as "god mode".
- God Mode worked like this: the tool couldn't be used on the same computer that someone was using. Someone else would need to log into UB and turn the tool on. That person could then see all hole cards on the site and then feed the information.
- 23 accounts. 117 usernames. 22 million dollars.

UB/Absolute Super User Issue (Cont.) (image slide; not in transcription)

UB/Absolute Super User Issue (Cont.)
Lessons learned:
- Configuration management
- Separation of duties
- Code reviews
- SDLC
- Auditing

SSL Exploit
- Discovered by Poker Table Ratings in May 2010.
- Why use SSL when you can just XOR it.
- Fixed 11 days later (hard to implement SSL).
- UB/Absolute and the Cake network were vulnerable.

Misc. Account Compromise (image slide; not in transcription)

Poker Bots
- Poker bots are not new, but until recently they were not very good. Artificial intelligence has come a long way in the last few years.
- Chess bot vs. poker bot
- …ilt-a-working-poker-bot
- http://bonusbots.com/

Poker Bots (Cont.)
- Windowing & GDI
- Windows hooks
- Kernel objects
- DLL injection (in general: the injecting of code into other processes)
- API instrumentation (via Detours or similar libraries)
- Inter-process communication (IPC)
- Multithreading & synchronization
- Simulating user input
- Regular expressions (probably through Boost)
- Spy

Poker Bots (Cont.)
- Poker sites have been cracking down on bots.
- How do they catch them: betting patterns; tendency; program flaws (always clicking the same pixel); scanning.
- "When a player is identified as a bot, Full Tilt or PokerStars removes them from our games as soon as possible." Their winnings are confiscated, he said, and the company will "provide compensation to players when appropriate."

Poker Bots (Cont.)
Full Tilt – Banned after finding evidence of a poker bot on your hard drive:

On Sat, Oct 16, 2010 at 2:03 PM, Full Tilt Poker - Security security@fulltiltpoker.com wrote:

Hello #FAIL,

As outlined in the email you received, you have been found guilty of a violation of our rules regarding the use of prohibited software. Specifically you have been found to have used the Shanky Technologies Bot. The email you were sent has been included below for reference. This decision was the result of an extensive and exhaustive review of your account activity on Full Tilt Poker.

Do not attempt to play on Full Tilt Poker in the future on a new or existing account. If you are found playing on the site again, your account will be suspended and all remaining funds will be forfeited.

We will not enter into any further discussion regarding this matter.

Regards
Security & Game Integrity
Full Tilt Poker

Turn

Online Poker Network Architecture (four diagram slides; images not in transcription)

Poker Client Root Kit
While the poker client is not exactly a root kit, it does exhibit some of the same characteristics. The online companies argue this is for player protection against cheating. However, in doing this there is some invasion of privacy. I don't know about you, but I don't like people to know what web sites are in my cache.

Poker Client Behind the Scenes
Let's take a look at what one of the poker clients is doing under the covers. Below we list some of the interesting items that the Cake poker client performs.
- Functions: …cessHashs(), EnemyDLLNames(), EnemyURLs()
- Examines the system for programs or services it deems unauthorized: …ctor, HoldemInspector2, HoldemManager, HMHud

Poker Client Behind the Scenes (Cont.)
Well-known modifications and behavior observed by online poker clients:
1. Modification to the Windows host-based firewall policies which allows for automatically authorizing various poker clients:
   HKEY_LOCAL…horizedApplications\List "C:\Program Files\Cake Poker 2.0\PokerClient.exe"
2. Scanning the Windows process table. Cake Poker reads through each of your processes after approximately 10-20 minutes of idle time (reading the .exe files in 4k increments), based on Cake Poker client 2.0.1.3386.
3. Ability to read the body and title bar text from every window you have open. Extracts the window handles (HWND), caption, class, style and location of the windows.
4. Ability to detect mouse movements in order to determine human vs. automated movements. Mouse event API; bots work the same way by writing custom mouse or keyboard drivers.
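A user who wants to see what a client did to the host firewall can export the AuthorizedApplications key and read it back rather than trusting the installer. The script below is an added example, not code from the talk: it parses a .reg export (a constructed excerpt is embedded; a real export is UTF-16 and would be read with that encoding) and reports every enabled firewall exception whose program path the user did not knowingly authorize. The key path spelled out here is the full StandardProfile AuthorizedApplications\List key that the slide shows truncated; the VPN entry and the allow-list passed to the audit are constructed inputs.

```python
"""Audit the legacy Windows Firewall AuthorizedApplications list from a .reg
export.  Added example; not the talk's code.  SAMPLE_REG is constructed."""
import re

# Full key that the slide abbreviates; it holds per-program firewall exceptions
# on Windows XP/2003 (Vista and later use the Windows Firewall with Advanced Security rules).
AUTHORIZED_APPS_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
                       r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List")

# Constructed export: one exception the user added (a VPN client) and one a
# poker client added for itself.  Value data format: "path:scope:Enabled|Disabled:name".
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Example VPN\\vpn.exe"="C:\\Program Files\\Example VPN\\vpn.exe:*:Enabled:Example VPN"
"C:\\Program Files\\Cake Poker 2.0\\PokerClient.exe"="C:\\Program Files\\Cake Poker 2.0\\PokerClient.exe:*:Enabled:Cake Poker"
'''

_VALUE_LINE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo .reg string escaping (\\\\ -> \\, \\" -> ")."""
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: string_data}}.
    Only REG_SZ values (quoted on both sides) are kept; that is all this key uses."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = _VALUE_LINE.match(line)
            if m:
                keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def audit_authorized_apps(reg_text, expected_paths):
    """Return the enabled firewall exceptions whose program is not on the
    user's own allow-list, as dicts with path, scope and display name."""
    expected = {p.lower() for p in expected_paths}
    entries = parse_reg(reg_text).get(AUTHORIZED_APPS_KEY, {})
    findings = []
    for path, data in entries.items():
        parts = data.rsplit(":", 3)          # path may itself contain "C:"
        if len(parts) != 4:
            continue
        _, scope, state, name = parts
        if state == "Enabled" and path.lower() not in expected:
            findings.append({"path": path, "scope": scope, "name": name})
    return findings


if __name__ == "__main__":
    for f in audit_authorized_apps(SAMPLE_REG, [r"C:\Program Files\Example VPN\vpn.exe"]):
        print(f"unexpected firewall exception: {f['path']} scope={f['scope']} ({f['name']})")
```

A scope of `*` means the exception is open to any remote address, which is worth noticing in its own right: a client that only needs to reach its own servers does not need an any-source inbound exception. Running the audit before and after installing a client turns the slide's observation into a repeatable check.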

Poker Client Behind the Scenes (Cont.)
Additional functionality found in poker clients:
1. Poker applications scan for instances of WinHoldem/Bonus Bots (Shanky Technologies) running on your workstation or VM instance.
2. Poker clients monitor table conversation for lack of table talk and longevity of sessions.
3. Numerous tools to detect monitoring of your filesystem and registry can be used.
4. Poker applications are known for monitoring Internet caches for URL history information.
5. Cookie creation from just about every client.

Poker Client Behind the Scenes (Cont.)
- The Cake Poker client is comprised of three main processes (CakePoker.exe, PokerClient.exe, and CakeNotifier.exe).
- The client scans itself at random intervals, most likely protecting itself against modification or patching of the executables.
- Found the client (CakeNotifier.exe) also scanning directories containing packet capture files and Reflector (a .NET decompiler)?
- Cake Poker's executables are all obfuscated.
- PokerClient.exe is obfuscated and 12 MB in size (huge; most likely encrypted). Bodog version 3.12.10.5 is only 4 MB in size.

Poker Client Behind the Scenes (Cont.)
Bodog version 3.12.10.5 file monitoring and registry activity:
- Prefetch files are created in C:\Windows\Prefetch
- A digital certificate directory is created, …lCache (used for storing certificates)
- BPGame.exe modifies itself with new attributes
- Reads through your URL cache
- Loads images from the Bodog poker installation directory

Poker Client Behind the Scenes (Cont.)
Queries your registry:
- Looks in \Explorer\MountPoints2
- Queries your hardware settings on your workstation
- Reads the User Shell Folders key (the User Shell Folders subkey stores the paths to Windows Explorer folders for the current user of the computer)
- TCP send request from localhost to 66.212.245.235 on port 80
- (After SSL handshake) TCP send request from localhost to 66.212.249.155 on port 7997
- Session Manager (HKLM\System\CurrentControlSet\Session Manager): gets the environment variables of the machine: username, root directory of Windows, tmp dir, path, operating system

Web Application Vulnerabilities (four screenshot slides; images not in transcription)

Web App Vulnerabilities (Cont.)
If you thought it took some advanced techniques: fail.
- Cross-site scripting heaven (persistent and reflective); apparently the designers felt script might be needed in numeric-only fields.
- Unvalidated redirects; where would you like poker sites to take you?
- Pretty much zero input validation.
- Expired SSL certificates, not necessarily a vulnerability, but seriously?

Authentication Vulnerabilities
While sophisticated attacks are fun, sometimes you just need to go back to the basics. While some of the sites offer multifactor authentication, these are not standard and cost extra. The sites differ widely in their password complexity requirements.

Poker Site     Password Requirements
Carbon         Between 6-20 characters
Bodog          At least 5 characters
Cake           Between 8-14 characters and must contain the following: lower case, upper case, number, special character
Full Tilt      At least 5 characters
UB/Absolute    At least 6 characters

Authentication Vulnerabilities (Cont.)
- With passwords this strong it must be impossible to brute-force.
- Especially with no account lockout.
- And login IDs fairly well known, thank you PTR.
- Can anybody say Hydra? Brutus?

Authentication Vulnerabilities (Cont.)
Some poker sites use non-random numbers as UIDs.

    for uid in $(seq 3830000 3840000); do echo $uid >> users.txt; done

(1 second later)
Half the battle? Done.

Attacking Supporting Infrastructure
Several businesses have developed supporting the poker sites; these include:
- Training sites (Cardrunners, Deuces Cracked)
- Tracking sites (PTR, Sharkscope)
- Media/Forums (Two Plus Two)
If these sites are used by online poker players, could they be leveraged in order to gain information or launch targeted phishing attacks with the goal of installing malicious software in order to see their cards?

Attacking Supporting Infrastructure (Cont.) (three screenshot slides; images not in transcription)

River

Online Poker Defenses – Application
- Need to move away from password-based authentication and toward multifactor, because that can't be hacked, right (RSA)?
- Maybe implement simple things, say like account lockout.
- Perform robust security testing and configuration management.
- Only allow connections from specific geographic locations.
- Adhere to certain standards (i.e. ISO, PCI, FISMA).
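The "simple things" defense covers both problems from the authentication slides: no lockout on a single account, and guessable sequential login IDs that let one source try a short password list across thousands of accounts. The guard below is an added example, not code from the talk or from any poker site. It tracks consecutive failures per account and locks the account for a cooldown, and separately throttles a source address that fails against too many distinct accounts within a window, which is the shape of a password-spraying run. Thresholds, window sizes and the attempt streams fed to it are constructed; the account numbers reuse the slide's 383xxxx range purely as sample data.

```python
"""Account lockout plus per-source spraying throttle for a login endpoint.
Added example; not the talk's code.  All thresholds are constructed values."""
from collections import defaultdict, deque

MAX_FAILS_PER_ACCOUNT = 5      # consecutive failures before the account locks
ACCOUNT_LOCK_SECONDS = 900     # 15-minute lockout
MAX_ACCOUNTS_PER_SOURCE = 20   # distinct accounts one source may fail against ...
SOURCE_WINDOW_SECONDS = 60     # ... inside this window before it is throttled


class LoginGuard:
    def __init__(self):
        self.fails = defaultdict(int)          # account -> consecutive failures
        self.locked_until = {}                 # account -> unlock timestamp
        self.source_hits = defaultdict(deque)  # source -> deque of (ts, account) failures

    def _prune(self, source, now):
        """Drop failure records older than the spraying window."""
        q = self.source_hits[source]
        while q and now - q[0][0] > SOURCE_WINDOW_SECONDS:
            q.popleft()

    def check(self, now, source, account):
        """Decide before the password is checked: 'allow', 'locked' or 'throttled'.
        Locked and throttled responses should look identical to the caller so
        the endpoint does not confirm which account IDs exist."""
        if self.locked_until.get(account, 0) > now:
            return "locked"
        self._prune(source, now)
        distinct_accounts = {acct for _, acct in self.source_hits[source]}
        if len(distinct_accounts) >= MAX_ACCOUNTS_PER_SOURCE:
            return "throttled"
        return "allow"

    def record(self, now, source, account, success):
        """Update counters after the credential check has run."""
        if success:
            self.fails[account] = 0
            return
        self.fails[account] += 1
        self.source_hits[source].append((now, account))
        if self.fails[account] >= MAX_FAILS_PER_ACCOUNT:
            self.locked_until[account] = now + ACCOUNT_LOCK_SECONDS
            self.fails[account] = 0


def replay(attempts):
    """Run a list of (timestamp, source, account, password_ok) tuples through a
    fresh guard and return the decision made for each attempt, in order."""
    guard = LoginGuard()
    decisions = []
    for ts, source, account, ok in attempts:
        decision = guard.check(ts, source, account)
        decisions.append(decision)
        if decision == "allow":
            guard.record(ts, source, account, ok)
    return decisions


if __name__ == "__main__":
    # Constructed streams: six bad passwords against one account, then one
    # source walking sequential account IDs with a single password each.
    single = [(t, "10.0.0.5", "3830001", False) for t in range(6)]
    spray = [(t, "10.0.0.9", str(3830000 + t), False) for t in range(25)]
    print("single-account:", replay(single))
    print("spraying:", replay(spray))
```

Two design points matter in practice. The per-source rule is what stops the enumerated-UID attack that a per-account lock alone cannot see, because each account receives only one or two guesses. And the lock must be a time-limited cooldown rather than a permanent disable, or the same enumerated list becomes a denial-of-service against every player.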

Online Poker Defenses – User
- Have a dedicated VM for poker and only use it for that purpose.
- Use antivirus/antispyware (D'oh).
- Don't play on insecure wireless networks.
- Use strong, complex passwords. Better, use multifactor authentication where available.
- Don't use the same password across multiple sites.
- Monitor your traffic.

Next Steps in Research
- Continue digging deeper into the poker client
- Custom client to bypass restrictions
- Automated tool to brute-force poker passwords
- More mapping out of poker networks
- In-depth look at web application vulnerabilities

Conclusion
- While we did not uncover a smoking gun, based on preliminary research there seem to be several areas that do require strengthening, and further exploration is sure to identify more serious issues.
- Regulation and compliance are needed to make companies develop and secure their gaming networks.
- Do I feel safe playing?

Questions
Questions?

