Good afternoon, DEF CON. We're here to talk about getting F'd on the river. And if anybody has played poker, I'm sure it's happened to you. Just to frame what we'll go over in today's session. First, in the preflop section, we'll give you a little background about who we are and what online poker is. On the flop, we'll get into some past vulnerabilities that have been discovered in the online poker software and architecture. Turn, we'll get into some of the research that we have been doing and what we've been looking at, some vulnerabilities that I don't think have been published before. And then the river, we'll get into defenses and next steps in research. What this talk won't do is it's not going to show you how to make millions of dollars by some zero-day exploit. Because if we had that, I'd be keeping it to myself.

So, preflop. Who are we? This is my company. They paid for me to come out here, so I put a slide in there. To make them happy, I guess. Who am I? Gus Fritschie, just a security professional based out of DC, CTO of this firm. And you can see what I enjoy doing. I probably enjoy gambling more than anything. So that's really what got me interested in this subject. Who do I have with me? We have Steve Whitmer right here, who I also work with. And he did a lot of research in the web app piece, which you'll see later on in the presentation. I had a little bit of help also from a couple guys who just couldn't make it. Mike Wright, who I also work with, he did a little bit of work on a couple slides. And then J.D. Durick, he did some work in the analysis of the poker client itself and looking from a forensic perspective at what the client does behind the scenes. So that's who we are.

So what is online poker? How many people like to gamble? Show of hands. All right, we're in the right place. How many people like to play poker? How many people have played online poker? Okay, a decent percent. How many people have money locked up on some sites out there?
All right, we've lost. Me too. Well, you probably do. All right. So it seems like a lot of people have at least heard of what online poker is. It's really interesting. And I lost my train of thought. Sorry. One second. Some people have a misperception that it's playing against, you know, the computer or not real people, but you're actually playing for the most part against real people, except for those pesky poker bots, which we'll talk about later on in the presentation.

It's been around for a while. We have a short timeline just to show you what's been going on. So in the early 90s, there really were just people who actually played it via IRC. And the poker industry, as we see it today, really came out in the late 1990s when Planet Poker was launched in 1998. And then shortly after that, you started having gaming commissions that were launched to sort of try to regulate this industry. And you can see going down the steps, UB, Party Poker. And I think when, at least when I got interested in poker, and probably a lot of people who play it today got interested in 2003, when Chris Moneymaker won the World Series of Poker. He satellited in on a $40 online poker tournament and won $3.5 million and made everybody think that they can do the same thing. So that really made the industry grow. In fact, prior to that, most of the casinos here in Vegas, a lot of them were closing their poker rooms. And now most of the major casinos at least have some form of poker room. And shortly after that, you had Full Tilt Poker. If you like poker, you've heard of Phil Ivey, Chris Ferguson, all these famous poker pros formed that company. 2005, it became a $2 billion industry. 2006, we see the UIGEA, which is the Unlawful Internet Gaming Enforcement Act, which was tacked on to the end of the Port Security Act that passed in the last minute of Congress. So it was sort of, you know, the Republicans trying to tack something on as a rider onto a bill.
And that didn't make it illegal to play poker, like some people may think, but it made it illegal for banks to transfer money into the poker sites. So it made it a little bit more difficult. And at that time, we started seeing, you know, the market had sort of peaked and it started going back down. 2007, we had a pretty large cheating scandal on one of the major sites. And we'll talk about that a little bit later in the presentation. 2010, we reached $6 billion. So, you know, we're not going to solve our debt crisis here, but it's still a fairly large amount of money. And then 2011, recently on 4/15, Black Friday, when the Department of Justice seized three of the major sites.

And why is this important? Because I just wanted to show what's been going on over these time frames. I think in the beginning, you know, it wasn't big enough for people to really notice. It started getting bigger. People started noticing more, and government, and then also, I think, from a security perspective, you know, whenever something gets that big, it obviously draws attention to it and it makes you, you know, just more curious about really what security controls are in place.

So I mentioned online poker current events. You know, if you go to fulltiltpoker.com or PokerStars, you'll see this banner displayed. The Department of Justice has, you know, gone ahead and seized the domain names for these sites. And it officially made it illegal for, well, maybe not illegal, but it made it much more difficult for U.S. citizens to play online poker. And PokerStars paid all their players right away. So if you had money on PokerStars, you got paid. But if you had money on other sites, like I do, you still haven't gotten paid. And because of this, you know, the seizure, really development of new features and functionality is sort of in a holding pattern in poker clients.
And another reason it's important to mention is it sort of made our research a little bit more difficult because we were researching some of these sites then. Then on 4/15, it was more difficult to do research into those sites. This slide is just here to show you how much money is at stake. And why this will become important, I think we'll see in the next slide, when you start talking about regulation and compliance. You know, back in 2004, we were only talking about one billion dollars. You know, the U.S. government doesn't really care too much. But when it starts growing, well, when I say U.S. government, maybe, I mean, the Nevada casinos, Harrah's, Caesars Entertainment right here, start wanting to get a piece of that pie which they currently don't have. And if you see online gambling revenue as a whole, it's 25 billion. So in other words, you know, there's a lot of money in online poker. I put this slide on here just because I like to see piles of money.

Regulation and compliance. We all have regulation and compliance in other industries. You know, if it's a government with FISMA, PCI, SOX, whatever. And I'm not here to say that compliance and regulation is the best thing. We all know that just because you have a system that is certified and accredited according to FISMA or NIST standards doesn't mean it's necessarily secure. It just means you filled out, you know, all the right paperwork and dotted your i's and crossed your t's. But it's better than nothing. And I think, you know, there's another talk going on right now talking about PCI. And I think the argument can definitely be made that compliance helps strengthen the security posture of those industries. And I think something similar needs to take place in the online poker industry. From what I just said, you may think that there is no compliance or regulation. There is. It's just not very greatly enforced.
You have the Isle of Man, you know, off the coast of England, the Kahnawake Gaming Commission, an Indian tribe, licensing some of these sites. But they really haven't, you know, put in place all the controls that we would expect these companies to be held accountable for. You know, PartyPoker, a site that pulled out of the U.S. industry back in 2005 when the UIGEA came out, you know, they're licensed by the government in Gibraltar. And you can read here what they say, you know, that they keep their system to the highest standards of software integrity, including access control, change control, fingerprinting of executables. From what we've seen, I don't think all the sites are really doing that. And, you know, we didn't really look closely at PartyPoker since we can't play there. I wanted to concentrate our research on sites that were available to U.S. players at the time.

So we obviously see there is a need for compliance, and I think you'll see why there's a need when we get into some of the past vulnerabilities and new issues that we've noted. You know, a standard needs to be developed, companies that provide these services need to be audited, not just from the financial aspect to make sure that something that happened on Black Friday doesn't happen again, but also from a computer security control perspective, that controls be put in place to enforce these programs that have, you know, basic levels of security, which I think we take for granted when we look at other systems, like account lockout. You know, just simple things that they just don't do. And why will this happen? Because there's a lot of money in online poker and the government wants it and land-based casinos want it. I'm not sure if everyone can make this out, but that's a $1.3 million pot being shipped right there, which was the largest pot in online history. Just a lot of money.

So, the flop. Sorry, got distracted. Past vulnerabilities.
So here I just want to touch on some of the vulnerabilities that, you know, have come up from the beginning of when online poker first came into existence through to recent vulnerabilities. These aren't issues that we came across ourselves. These are documented issues. I just put them in here since you may not be aware of what has happened in the past. And these are all related to, you know, information security, computer security.

So the random number generator vulnerability. I think everybody probably can guess what the random number generator is for. So, you know, obviously when you have a real dealer shuffling the cards, you know, they're going to randomly shuffle them. So in order to get that same level in gaming, you have an RNG. So Planet Poker, which remember was the first online poker site to come into existence in 1998, they were very proud of their random number generator, so much that they published the algorithm to show that, hey, we have a good shuffling algorithm. Unfortunately, when some researchers started looking at it, they realized it probably wasn't the best algorithm that was in place. You can see in a real deck of cards what the possible number of unique shuffles is, a very, very large number. In their algorithm, only four billion possible shuffles could result. And then to make that an even lower number, the seed they were using was from the Pascal function, randomize, so that reduced the number even further. And then they were able to reduce the number of possible combinations down to a number that could be effectively brute forced, so they could tell what cards were going to be coming out. You know, this has since been fixed, obviously, and other companies these days have their RNGs audited by reputable third parties. I took this from the PokerStars site, you know, Cigital, you know, went ahead and looked at their RNG, and all the other sites have similar information.
I'm not sure, you know, we didn't look at this to see if the RNG is, you know, safe or secure. Maybe it is, maybe it's not, but it's probably something that should be looked at further.

The next one I want to cover as far as past vulnerabilities, if you remember this was on the timeline, and it was on the timeline just because I think it's a pretty important issue, was this UltimateBet/Absolute Poker superuser issue. And the full story is really almost like a soap opera. I mean, you really should read, if you're interested in a good read, read this blog, the URL is up there. She goes into a lot of details as far as, you know, what happened behind the scenes, why it possibly happened, you know, just to give you a little flavor: involved a teacher sleeping with a student, I'm in a lawsuit, and, you know, I guess I needed to make some money. What happened was, and not all of this is 100 percent, you know, confirmed, it's not like poker was legal in the United States or regulated, so you couldn't go ahead and, you know, bring these people to court. But what we've been able to piece together is that the owner of the company went to his developer, a software developer, and said, hey, I think people are cheating on my site in the high stakes, you know, games. In order for me to determine if they're cheating, I need to be able to see their hole cards so I can, you know, make sure that they're cheating, because I would know based on what their hole cards are if they were cheating. So the original developer was like, you know, I don't think that's a good idea to give someone access to see hole cards. So he went to an independent contractor and hired him, and they put in this "God mode", is what they called it. So they ended up putting into the actual software a process and, you know, they wanted to put some controls in this process because, I mean, the developer really thought at the time that the owner was doing this for a legitimate purpose.
So they made it so you couldn't be on the same computer playing while God mode was running. But what we suspect they did is they simply had a user, you know, in God mode and then just relayed that information to the person playing. And at the end you can see how much money was stolen, $22 million from players. So that's, you know, not a small sum of money.

And how did they end up catching, or, you know, discovering that this God mode had been put into the software? Was it from the strict controls that were built into the software, auditing, access control, someone reviewing logs? No. It was from the community, the online poker community. And there's a pretty strong online poker community. There's a lot of forums. I think Steve's going to talk a little bit about how you could leverage those forums for some malicious purposes. But what they were able to do was, you know, the players started suspecting, wow, this one guy is winning a lot of hands. And online poker is different than regular poker. You know, a lot of people play eight to ten tables at once. So in real poker, you know, like you see on TV, people get reads by looking at people and they know betting patterns and they can sort of tell when people are bluffing. But with online poker you don't have that. So based on your hand histories, you know, what people are being dealt, you're able to, you know, see those hand histories, and people have written software that gives you a statistical analysis over, you know, who's won what hands, you know, how many times they saw the flop, how many times they three-bet you, etc. So based on this information they were able to show this, you know, they created this graph that showed, here in the blue is a statistical analysis of win rates over a certain number of hands at a certain level. And then you can see this outlier in yellow who's winning at an obscene rate.
So this made them suspect that there's no way in the world this guy could be winning at such a large rate. So eventually, you know, there was enough pressure from the community that they went to the company and the company finally did their own investigation and admitted, yeah, hey, someone was cheating, you know, and they tried to refund the money. You know, a lot of players did get money back who were playing high stakes, but it's still suspected that they didn't get paid back in full.

You know, so lessons learned from this. I think it's lessons that, you know, other industries have already learned. Configure... was it what? It's suspected that it was the owner. You know, it's suspected Russ Hamilton, who was the owner of UltimateBet and Absolute Poker. It was suspected that he was involved. You know, once again, there's no proof, so it's just alleged. But, you know, he had past ethical issues and it is largely suspected that he was, you know, the main culprit. But other companies, industries have learned this. Configuration management, separation of duties, code reviews, have a solid SDLC in place, have auditing. These are things that, you know, banking has in place, other institutions that we rely on in industries, but it's not there yet in poker, which shows the need for compliance.

Just to give another example, I mentioned that, you know, hand histories are important to online poker. You know, if you play a hand, you know, you get the hand history of what happened. So, you know, if you play, you know, as many hands as I have, you'll have a huge, you know, hand history file. Some people don't have, you know, the luxury of playing that many hands and they want to, you know, maybe gain an advantage. So, there's companies that have sprouted up that do data mining and collect all the information and then go about and sell it. Why is that important?
Well, they sort of stumbled upon this SSL exploit by accident. You know, they weren't trying to, you know, there wasn't like a company that was out there doing vulnerability research. You know, they were trying to get the hand histories, a software version update came about and all of a sudden, you know, they couldn't grab data mining hand histories. So, they started looking at it and, you know, after analysis they saw that it really wasn't SSL, they were just XORing the data, which I guess they thought was secure. But, you know, obviously we know it's not, but the general public, you know, they thought they were playing over, you know, a protected communication channel all the time. And, you know, these guys actually came up with a nice little proof of concept. If you Google about this, you'll see a video where they showed if you're on the same, you know, network or same wireless network, you could actually see other people's hole cards. And, you know, they did go ahead and fix it 11 days later, because it's hard to implement SSL. It's very difficult. And then also, Cake Network was also discovered to be vulnerable shortly after. So, I'm not sure why they are doing this, but who knows. But this is something that could have gotten caught if you think about it, even if you go to something as simple as looking at FISMA, you know, there's specific controls there that, you know, say, look at data confidentiality and data integrity, and you would be testing to, you know, certify that the system is, you know, using encryption. But there's no regulation in place.

Miscellaneous account compromise. This slide is in here just to give you an idea, you know, I just Googled, you know, "poker account hacked".
And, you know, there's just hundreds of postings here from people who have been hacked either through some type of social engineering, you know, phishing, you know, just guessing passwords as we'll talk about later on. But there's just so many different ways that the poker software and gaming can be exposed.

Poker bots. This is also, I mean, it's not necessarily a vulnerability. I mean, poker bots have been around for a long time, you know, since the beginning of the poker industry. But when they were new, they just really weren't that good. I mean, you could easily beat poker bots. But now, with artificial intelligence becoming as good as it is, you know, there's some very good bot software out there and it puts the player obviously at a disadvantage. I mean, it's different if you know you're playing against a bot versus playing against a real human, you know. And the reason that it's just more difficult to create a poker bot is because of the lack of information. Like, you know, there's definitely really good, you know, chess software or chess bots. That's because you know everything in chess. You know, all the information is in front of you. And poker is a game of limited information. You have some information, but the rest, you know, you just have to guess. If you're really interested in the technical details of it, you know, you can look at this article on Coding the Wheel. Unfortunately, if this is really the best thing that I found that was out there, there's not a lot of good information about the bots that's easily accessible, because the people who are writing them are making money with them and they don't want to share that information. So you sort of have to know where to go to look for it, and even then it's difficult as far as the technical details. Just a little bit of information.
Once again, that article goes into a lot of detail, but really the way that the poker bots work, and we just thought it was interesting, you know, is primarily through DLL injection. It's not modifying, you know, the actual executable binary, because as you'll see when we look at the next section about the poker client under the hood, you know, it does a lot of checks and balances to see if you've made some potential modifications. So it's primarily through DLL injection that, you know, it's able to operate. And of course poker sites have been cracking down on bots. How do they catch them? Betting patterns, you know, if it always bets the same amount; tendencies, you know, bots definitely play differently; programming flaws. If you're always clicking the bet button on the same pixel, you know, it's going to know that it is actually a bot. And then of course scanning, as you will see these poker clients, you know, they do try to protect you by examining your system. But in that process, they also invade your privacy a little bit. But that's one way that the sites attempt to catch you. And of course, when a player is identified as a bot, you know, they'll go ahead and, you know, confiscate all your winnings and close your account down. How do we know that? Well, we got caught. So they're doing something right, I guess.

Poker client equals rootkit. No, no, we, the question was, did we write our own bot? We didn't write our own bot. This was just an experiment with one of the known bots out there that we were playing around with. Yeah. So poker client equals rootkit. And maybe that's not 100% accurate, but it's close. It has a lot of the same characteristics as a rootkit. And, you know, in the attempt to protect, I guess, the gaming, it really goes down and does some things that you may not know about, you know, including, you know, going into, you know, where you've been in your web cache. I don't like people knowing where I've been. What does it do behind the scenes?
We did some dynamic analysis. We didn't do any static analysis of what it's doing yet. But here's some interesting things that we just pulled out, or at least what, you know, J.D. and I thought were interesting. Some of the function calls looking for, you know, enemy window names, enemy processes, enemy URLs, and then some of the programs or services it deems unauthorized. So here you can look at, like, it's looking for OllyDbg, if it's running, you know, it's looking, you know, if you're running some of this software that it considers to be against its terms of service. Once again, this is just very basic analysis. I'm sure it's doing a lot more behind the scenes. And it's just an avenue that we're going to explore further.

Here's just some well-known modifications or behavior that we've observed in the poker clients. It goes ahead and will modify your host-based firewall policies if you're running it on Windows. It goes scanning through your Windows process tables. It has the ability to go ahead and read the, you know, the body and bar text of every window that you have open, ability to detect mouse movements. These are all things that the poker client is doing behind the scenes. You know, we mentioned that it scans for known bot software. You know, it also looks for, you know, the lack of... you can, of course, when you're playing poker, part of the fun is, you know, talking to people, you know. And you can do that in online poker, too, by chatting in the dialogue box. So, you know, it sort of monitors what you chat in the dialogue box. And here you can see the screenshot of it, you know, it's going through your Internet Explorer cache there. So it's going through looking for, well, who knows what. And we're not really sure what it does with this information. I'm not sure if it sends it back, you know, to the mothership. But, you know, it definitely looks like it's somewhat invasive to your privacy.
And, of course, you're agreeing to allow them to do this, since you click on the terms of service when you install the software. But most people probably don't know exactly what it's doing behind the scenes. And these clients are, you know, somewhat complex. You know, we looked at the Cake Poker client, you know, it has three main processes. The client scans itself, like I mentioned, at random intervals to make sure you didn't modify it. Because we did go ahead and we made some modifications to the actual client and it ended up, you know, detecting that and forcing you to install a new version. And then Cake Poker's actual executables, you can see when you compare Cake Poker to the Bodog version, the actual poker client is obfuscated and encrypted, making it more difficult for someone to do static analysis. The question was, did you see what obfuscation they were using, or encryption? We really didn't look too closely at that yet. That's something that we plan on looking at in the near future. And now I'll turn it over to Steve.

Alright, thanks Gus. So I got involved in this process kind of late in the game. A lot of this research was kind of already ongoing. So I got pulled in to kind of look at some of the actual interactions with the client and the web clients themselves. So just to get into a little bit about the actual online poker network architecture, especially now that there's a lot of crackdown on poker in the US, you're going to be visiting a server somewhere internationally. And you know, various countries have various rules about data security and things like that. So just something to keep in mind as you go into these poker sites. Basically what happens when you log in, you make a request out to the internet, the poker DNS server tells you which local server you're going to go to.
You authenticate, you get a session created and then you start playing poker, and then when you need to reauthenticate, you reauthenticate. This is just kind of a really simple dump of some of the actual data flying past. It's really not that important but it shows that the initial request is out over SSL and then you get another connection over SSL on another high-numbered port. This is just a really, really quick scan of some of Bodog's address space. Just shows that there's a lot of different stuff out there. There's actually some content that doesn't belong to Bodog. There's some stuff that's on Bodog's network that's actually game creation companies and things like that. There's also some test servers out there. We didn't really attack it, but just interesting that it's out there.

Now to preface what we're going to talk about today. We did not, at least I didn't, I didn't actually attack any of these companies. The vulnerabilities that we're going to be talking about are vulnerabilities that are going to affect you as a poker player. So I think that's kind of more important, because from the show of hands earlier a lot of people in here play online poker. If you're in this talk you probably are getting the idea that it's not the most secure thing in the world at this particular point, so we're just going to talk about some of the vulnerabilities that are there. Like I said, I came into this very late in the game, just a few weeks ago, but the vulnerabilities were really easy to find. Something else to consider when we're talking about vulnerabilities in online poker. There's dozens and dozens and dozens of online poker sites, all with individual clients. So when we say that this is kind of a new research field that we're looking into, we really haven't scratched the surface at this point, but just the stuff that we did find shows that you can be compromised fairly easily. Let's see here.
So you know, when you go to these particular sites they have 20 different links on how you can pay them money, but they don't really have any kind of information about how they protect your information, how they protect your credit card data, how they're actually protecting you when you're playing online poker. Now for all of you out there who look for the Hacker Safe logo, I'm sure that gives you a really warm fuzzy feeling at night, but you should really know better, and these guys don't even bother to do that. So it seems like, you know, when there was the actual detection of the RNG issues a lot of the poker companies kind of stepped it up and really started looking at their RNGs, but they haven't done anything really on the clients to protect you. I wish we were going to stand here and talk about some really, really advanced hacking techniques, but hackers are lazy. We like the easiest way we can get into something, and honestly there's some old tried and true favorites that can really screw you.

So when we talk about some of the vulnerabilities out there, there's basically no input validation in a lot of these clients. We'll talk about that in a little bit. The cookies that are being used when you're actually using an HTTP client as opposed to a thick client. The cookies are very insecure. They're weak. They're not marked as Secure. They're not marked HttpOnly. They can be reused. They contain sensitive information. Some of them are tracking you based on your IP address. All that kind of fun stuff. There's expired SSL certificates on some of these sites. The fun thing about that is if you get used to seeing, okay yeah, the site's, you know, expired, blah blah blah, SSL doesn't match, you can kind of get accustomed to that, and if you do get phished it's really easy for you to just click through that without even reading it or thinking about it. And then we have our old friend cross-site scripting.
Now this particular one, this is an unauthenticated reflected cross-site scripting. Reflected cross-site scripting is basically the easiest style of attack, where you send something to the web server, it sends the same code back to you and it is then executed in the browser. The next one that we've got, this is just showing you a little bit of the actual Bodog client where you can enter some information about yourself. So you can put your email address, your address, your state, your city, all that kind of good stuff. And you know, personally I live at Script Alert Way. So it's important for me to be able to do this, but for most people it's not. The funny thing about this, the actual city is vulnerable, state, zip code, country and phone number. Now for phone number you shouldn't need to put characters in there. Okay? So what we're doing right here is we're really talking about they're not even doing basic data validation at this point. When you're looking at a state, it's even abbreviated. You've got MA, you've got MD, you've got wherever you live, there's a two-letter code. You should not be able to put JavaScript into that. Okay? This is easy, guys. Zip code again. It's not that hard. These are supposed to be only numbers. Yeah, anyway. Yeah, that's vulnerable as of today, as of this morning. Not that I'm telling you to go out and use this, but this particular one, this is actually using a stored and DOM-based cross-site scripting attack. As you saw on the previous slide, what we did is we put, you know, some active JavaScript in our address field. This comes back and this shows you every single cookie you need. So if you're using the web client, you can create your cross-site scripting attack to then forward this information to your server. You grab that, you replay that, you're now that person. So you have a copy of their session. Not good. This one's an unauthenticated one.
Again, you can grab, you know, you can call document.cookie to grab all of the cookies, have them forwarded to your server, and you've created a duplicate session. You can log in as this person, and you can sign up to a table that you're also playing at and just fold, fold, fold, fold, fold, and just lose somebody's money. So, not so good. Again, as we talked about quite a bit here, it's basically a playground for cross-site scripting. For those of you who are actually pen testers out there, who are used to having to do some encoding to get cross-site scripting to work, you don't need to do it. You can basically go there and just be like, "I wonder if this works," and you can kind of play around and have some fun with it. It's actually kind of cool, because it's like stepping back three or four years in time, and you can just make all kinds of fun stuff happen. There's also some unvalidated redirects, and the thing that I love about this one, and we're kind of picking on Bodog, and I want to clarify, a lot of the poker clients have these vulnerabilities. It's not just Bodog, but they're an easy target, so why not, we talked about them. The actual SSO that's used when you sign in to Bodog is vulnerable. So, as you'll see on these couple of URLs down at the bottom, you can actually send somebody wherever you want, and we'll talk about where you can actually leverage this in a minute. So, using some of these vulnerabilities, we've beaten to death cross-site scripting, now everybody knows what cross-site scripting is, it's not so good. You've got cross-site request forgery as well. Some of these clients, this doesn't really matter, but crossdomain.xml, when you're using a Flash-based poker client, you want crossdomain to be locked down to at least things on the top-level domain. So, Cake Poker, for example: if you want Cake Poker, you should only allow Cake Poker. *.cakepoker, whatever you want to do.
You should not have a star in there, and many, many, many of these sites just have a star in their cross-domain policy. Now, what that means is you can basically decompile a Flash client, do whatever the heck you want to it, recompile it, and then start playing actively in some of these games, because they're allowing content from anywhere. And, you know, this is, again, there's lots and lots more you can do with this; this is all just the really, really easy stuff to do, and we didn't want to stand up here and be like, "All right, here's how you take down poker right now," but I will say there is more. One of the things that's a good attack vector, especially when you talk about cross-site request forgery and cross-site scripting, as far as actually getting people suckered into this, is actually using forums and affiliate sites. Now, the fun thing about using forums is, generally, when somebody's at a forum, they're logged into the poker client and they're just kind of chatting and doing whatever they want, but, you know, if they're logged in, you've got great targets for cross-site scripting, because, you know, they have active cookies. They have active sessions. You can grab this information, take it, replay it, done. Also, with cross-site request forgery, if you've got something that you can do, like a GET-to-POST translation, or POST-to-GET translation, excuse me, you can then just kind of say, "All right, as soon as you load this particular page, you're folding," whatever you happen to be in. So the fun thing with this is, you can oftentimes in forums, because we all know forums are really secure, right? Yeah? Good times. You can actually just create hyperlinks where you should have an avatar, for example. So whenever anybody loads that page and it goes to load your avatar, it just executes that particular URL. So, fold your hand, et cetera. So, anyway, these are just really, really good attack platforms, and forums and stuff like that have their own vulnerabilities.
So even if you're using a secure poker client, if you're on somebody else's forum and they have cross-site scripting, they can hook you. So here we have, you know, picking on Bodog again, just because it's easy. One of their affiliates: not checking cross-site scripting, not even trying. Here's Poker Listings. Poker Listings is another place that has cross-site scripting. This was a really, really hard one, guys, I gotta tell you. So you see that search field right there? "Script alert," that's all this is. They're not even checking. It's easy, easy, easy stuff. So what do we do when we have cross-site scripting? How many people know what BeEF is? All right, good. So you know where I'm going with this, right? You've got BeEF, you know, and here you can see three clients that are all, you know, a local address that I was just playing around with. There's so many from my local one because everything I tried worked. It was really, really easy to do this, guys. So, step one on this. This is what an actual hook looks like in BeEF. So you've got your target domain. You've got then the payload there that says, you know, connect back to me, blah blah blah blah blah. Once you've got a zombie inside of BeEF, you can look at their browser. You can see what plugins they're using. You can see where they've been in their browser history. I'm not going to go down the full functionality of BeEF, but BeEF is a really cool tool, and if you haven't used it, use it. It's good. You can do clipboard theft. You can send raw JavaScript. You can use browser autopwn. Yay, Metasploit. And you can also use that, once you have browser autopwn running, anybody who you've hooked in with XSS is now a pivot point. So let's say somebody is playing poker at work. Nobody would ever, on a government machine, for example, play poker at work. Nobody would ever do that, right? So now you've got a pivot point inside of a government network, because web traffic goes through firewalls. Yay.
So the fun part is, after this, of course, you have profit. So, one of the things that we wanted to do is kind of hint at this but not really tell you exactly how to do it, but if you've got a Metasploit zombie, or if you've got a BeEF zombie, if you can send them JavaScript and you can capture their clipboard. Hands up: how many people think you can see their hole cards? More hands. Yeah. So there you go. Still feeling good about online poker? Everybody who's signed up? Yeah? No? Okay. I'm going to turn it back over to Gus. He's going to do some more talking.

Great. Thanks, Steve. And moving away from the web application attacks that Steve went over to some authentication vulnerabilities, and, you know, like Steve mentioned, you know, while sophisticated attacks are fun to go ahead and do, in this instance you really don't have to do anything elite in order to compromise some of these sites. As you can see here, here's just some of the password requirements. I just went ahead and sampled some of the larger sites, so you can see exactly what they're requiring. So you can see Carbon Poker requires six to 20 characters. I wonder what people are going to choose if they choose Carbon. Perhaps "carbon" as their password. Or Bodog: five characters. Maybe you have "bodog," or maybe it's "poker." You know, Full Tilt, UB, Absolute, also weak. In fact, the only one that had strong password requirements was Cake Poker, with, you know, what you would expect, something 8 to 14, lower case, et cetera, et cetera. So with passwords this strong, it's probably, you know, impossible to brute-force them, right? Especially with no account lockout; none of these sites will lock out your account. You can try it as many times as you want. And of course, you need to have the actual user ID to log in with, right? So how do we find that? Well, forums. You know, whoever you're playing against, most of the time, whatever their name on screen is, it's going to be their user ID.
And then, of course, there's also Poker Table Ratings, which is another site that tracks players, you know, how much they've won or lost. You can go to Poker Table Ratings, and perhaps you want to do a search for those people who have won a lot of money, and we can target their accounts. And, you know, of course the next step is, you know, nothing rocket science, you know, just like the cross-site scripting, you know, we don't have to do anything fancy here, we just go ahead and use Hydra or Brutus. In this case, we just went ahead and used Brutus. This is actually on Bodog, which was somewhat different than some of the other sites: you could log in with a username, or you could also log in with this unique number you see here, 383-0000. So this is where you could log in with these types of numbers. What's also interesting about this is that when you create a new account, it just increments it by one. I'm not sure if that's too important, but it's interesting that it just increments it by one. So, of course, just using Brutus, you can go ahead and just script this, and you can see on our test account that we used that, you know, it brute-forced it, and, you know, very quickly, of course. And trust me, poker players, they're not the most sophisticated players when it comes to, you know, putting strong protections in place. Most of the time they're pretty lazy, and I guarantee a lot of them have pretty, pretty easy passwords. "It's like they're not risk-averse." Exactly. You know, they're used to just gambling large sums of money. I want to make one point: most of the research that we did was on the play money sites, because every one of these sites has a play money site that is equivalent; the software is the same as the real money site. But we just didn't feel like using, you know, putting... I didn't feel like using my account, because I didn't want to have it shut down for some reason and have my money confiscated.
Anyways, another thing: attacking supporting infrastructure. I think Steve went over this; he gave some good examples as far as forums, but it's just not the poker client itself, and that's what I want to emphasize throughout this whole talk: it's the whole poker industry that has weak controls. And, you know, with the poker gaming, these other, you know, people want to make money off of it, so they come up with new ideas, so there's training sites to teach you how to be a better poker player. There's tracking sites, like Poker Table Ratings and SharkScope, that will track your play and show you how much you've won or lost. There's media forums, like Steve mentioned; Two Plus Two is, you know, probably the largest one out there. And of course, if these sites are being used at the same time that people are playing the game, well then, if there's vulnerabilities in them, as Steve showed you, you could potentially compromise them. So some, just some quick examples. Another, you know, cross-site scripting. This is actually in Poker Table Ratings. You can actually make comments about players, like "you suck" or whatever, and if you put some, you know, script in there, when someone else goes ahead and reads that comment, you know, you could have obviously something much more malicious than this there.
Attacking supporting infrastructure, continuing. This is about training sites, and this is actually an email that I received, because I belong to training sites, because I like to try to make money when I play poker. And this is from, I think, CardRunners. They sent me this letting me know that they had detected an illegal intrusion, and that, you know, they believe that, you know, all they got potentially was my email address, encrypted password, IP address. And, you know, so it just shows that people are actually attacking these guys. I actually sent these guys an email and said, "Hey, I can maybe look at this for you," and they said they had it under control. So, just another forum. This just shows you, you may not be able to see it, but it's just a warning that's posted on the forum showing that someone has set up an archive site to look just like the Two Plus Two, and they're doing some phishing there. So, just, you know, warning their forum members to be careful. So obviously people are going out and targeting these supporting infrastructures.

So, almost done: the river. So, just, what are some online poker defenses that could be put in place? And this is more on the application side; we'll talk next about what you could do yourself to protect. Maybe move away from password-based authentication, because we know multi-factor can't be hacked, but it's better. Implement simple things: account lockout, secure, perform robust security testing. Perhaps only allow connections from, you know, the geographic location where you're supposed to be located. So if you're in the U.S.,
you probably don't want someone from China logging into your account. Of course you can get around that, but it makes it more difficult. And maybe adhere to some certain standards. Online poker defenses: what can you do to help protect yourself? I personally play poker in an isolated, you know, virtual machine that's used just for poker, so I don't do anything else with that. I have a particular VM just for poker. I don't check email, I don't get on the web with it; all I do is play poker on it. You know, obviously, basic security stuff: use anti-virus, firewall, don't play on wireless networks, strong complex passwords, don't use the same password across multiple sites. You know, common sense stuff.

Next steps: we're gonna continue digging deeper into the client, some static analysis. You know, maybe we look to try to customize the client to bypass restrictions, perhaps write an automated tool, just a better brute force, you know, of the actual client itself rather than the web piece. I think it'll be fun to map out more of these networks and see exactly, you know, from an infrastructure perspective, you know, all these test servers and other things that are out there. And then, of course, you know, keep on digging at the web application vulnerabilities.

So, conclusion. Well, I don't think we talked about anything earth-shattering here, as far as, you know, stuff that we all know about. I just don't think a lot of people have been thinking about it from an online poker perspective. So, you know, we're gonna continue looking at it. If you're interested in online poker, there's a lot of smarter people than me out in that room, so please, you know, you look at it and let me know if you find anything. You know, regulation and compliance, you know, needs to be put into place. And, you know, the question is, do I feel safe playing? You know, if poker was, you know, online poker was legal, you know, tomorrow, would I play? Well, I'd probably play, but that's because I have a gambling problem. But I don't know about the rest of you.
So that's it. Questions? You know, we'll be in, I guess, Q2 to answer anything. Thank you, guys.
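The profile form discussed earlier (city, state, zip code, country and phone number accepting script) is the classic input-validation failure. The following Python is an added editorial example, not code from the talk or from any poker client, showing the defender's side: whitelist validation per field, canonicalization before the check, and output encoding on the way back out. Field names, patterns and the sample submissions are constructed for this example.

```python
import html
import re

# Whitelist rules for the profile fields the talk showed accepting script:
# city, state, zip code, country and phone number. Field names and patterns are
# constructed for this example, not taken from any poker client.
FIELD_RULES = {
    "city":    re.compile(r"^[A-Za-z][A-Za-z .'-]{0,63}$"),
    "state":   re.compile(r"^[A-Z]{2}$"),         # two-letter code such as MA or MD
    "zip":     re.compile(r"^\d{5}(?:-\d{4})?$"),  # digits only (US ZIP or ZIP+4)
    "country": re.compile(r"^[A-Za-z][A-Za-z .'-]{0,63}$"),
    "phone":   re.compile(r"^\+?\d{7,15}$"),       # digits only once separators are removed
}


def normalize(field, value):
    """Canonicalize before validating: trim whitespace, upper-case the state
    code and strip the usual phone-number separators."""
    value = value.strip()
    if field == "state":
        value = value.upper()
    elif field == "phone":
        value = re.sub(r"[\s().-]", "", value)
    return value


def validate_profile(form):
    """Return (clean, errors). Anything outside the whitelist is rejected
    outright; the value is never 'cleaned' by stripping tags, because that is
    the kind of filter attackers learn to get around."""
    clean, errors = {}, {}
    for field, rule in FIELD_RULES.items():
        value = normalize(field, form.get(field, ""))
        if rule.fullmatch(value):
            clean[field] = value
        else:
            errors[field] = "invalid value"
    return clean, errors


def render_profile(clean):
    """Output encoding: escape every value when it is written back into HTML,
    even after input validation, so a stored value can never run as script."""
    return "".join(
        f"<li>{html.escape(name)}: {html.escape(value)}</li>"
        for name, value in clean.items()
    )


if __name__ == "__main__":
    # Constructed sample submissions: one clean, one carrying the classic payload.
    ok, bad = validate_profile({"city": "Baltimore", "state": "md", "zip": "21201",
                                "country": "USA", "phone": "(410) 555-0100"})
    print("clean:", ok, "errors:", bad)
    ok, bad = validate_profile({"city": "<script>alert(1)</script>", "state": "MD",
                                "zip": "21201", "country": "USA", "phone": "555"})
    print("clean:", ok, "errors:", bad)
```

The two layers are deliberately independent: validation rejects the payload on the way in, and `render_profile` still escapes on the way out, so a value that reached the database through some other path (an older form, an import) cannot become the stored or DOM-based XSS the talk describes.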
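Two of the weak settings the talk lists are easy to audit mechanically: session cookies issued without the Secure and HttpOnly flags (or carrying the client's IP address in the clear), and a Flash crossdomain.xml that allows `*`. The following Python is an added editorial example, not code from the talk or from any of the sites it names; the cookie headers, the policy documents and the `poker.example` domain are constructed samples.

```python
import re
import xml.etree.ElementTree as ET


def audit_set_cookie(header):
    """Return a list of weaknesses found in one Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure (sent over plain HTTP too)")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly (readable via document.cookie)")
    # The talk also notes cookies that track the player by IP address.
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", value):
        findings.append(f"{name}: value is an IP address (tracking data in the clear)")
    return findings


def audit_crossdomain(policy_xml, site_domain):
    """Flag a crossdomain.xml that lets any origin drive the Flash client with
    the player's session. site_domain is the domain serving the policy; only it
    and its subdomains should be allowed."""
    root = ET.fromstring(policy_xml)
    findings = []
    for rule in root.iter("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append('allow-access-from domain="*": any site may load the client and reuse the session')
        elif domain not in (site_domain, "*." + site_domain) and not domain.endswith("." + site_domain):
            findings.append(f'allow-access-from domain="{domain}": off-site origin allowed')
        if rule.get("secure", "true").lower() == "false":
            findings.append(f'allow-access-from domain="{domain}" secure="false": usable from plain-HTTP content')
    return findings


# Constructed samples: the weak settings the talk describes beside hardened ones.
WEAK_COOKIE = "session=abc123; Path=/"
HARDENED_COOKIE = "session=8f1c2a9d; Path=/; Secure; HttpOnly"
WEAK_POLICY = '<cross-domain-policy><allow-access-from domain="*"/></cross-domain-policy>'
HARDENED_POLICY = ('<cross-domain-policy>'
                   '<allow-access-from domain="*.poker.example" secure="true"/>'
                   '</cross-domain-policy>')

if __name__ == "__main__":
    for label, header in (("weak", WEAK_COOKIE), ("hardened", HARDENED_COOKIE)):
        print(label, "cookie:", audit_set_cookie(header) or ["ok"])
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, "policy:", audit_crossdomain(policy, "poker.example") or ["ok"])
```

Both functions take the raw artefact (a header value, a policy document) so they can be pointed at captured responses from a test environment; a finding on the session cookie is exactly the condition under which the `document.cookie` theft described in the talk works.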
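The authentication section points out two missing controls: password policies that allow five or six characters, and no account lockout at all. The following Python is an added editorial example, not code from the talk or from any poker site, showing a per-account lockout with a sliding failure window and a password policy that rejects the guesses the speaker predicts (the site's own name, the username, "poker"). The thresholds and the sample accounts are constructed for this example.

```python
import re
from collections import defaultdict, deque

MAX_FAILURES = 5           # failed attempts allowed inside the window
WINDOW_SECONDS = 15 * 60   # sliding window for counting failures
LOCKOUT_SECONDS = 30 * 60  # how long the account stays locked
MIN_PASSWORD_LENGTH = 8    # constructed policy; the talk's samples allowed 5 or 6


class LoginGuard:
    """Per-account lockout. After MAX_FAILURES failures inside WINDOW_SECONDS the
    account is locked for LOCKOUT_SECONDS, and while locked the right password is
    refused just like a wrong one, so an online guesser learns nothing from the
    lock. Timestamps are passed in explicitly to keep the logic testable."""

    def __init__(self):
        self.failures = defaultdict(deque)  # account -> recent failure times
        self.locked_until = {}              # account -> time the lock expires

    def is_locked(self, account, now):
        return now < self.locked_until.get(account, 0.0)

    def attempt(self, account, password_ok, now):
        """Return True only if the password verified AND the account is not locked."""
        if self.is_locked(account, now):
            return False
        if password_ok:
            self.failures.pop(account, None)
            return True
        recent = self.failures[account]
        recent.append(now)
        while recent and now - recent[0] > WINDOW_SECONDS:
            recent.popleft()
        if len(recent) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            recent.clear()
        return False


def password_meets_policy(password, username, site_name):
    """Minimum length plus at least three character classes, and none of the
    guesses the talk predicts: the site's own name, the username, or 'poker'."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        return False
    lowered = password.lower()
    banned = (site_name.lower(), username.lower(), "poker", "password")
    return not any(word and word in lowered for word in banned)


if __name__ == "__main__":
    guard = LoginGuard()
    for t in range(MAX_FAILURES):                  # five wrong guesses, one per second
        guard.attempt("player1", False, now=float(t))
    print("locked after burst:", guard.is_locked("player1", 5.0))
    print("right password while locked:", guard.attempt("player1", True, now=6.0))
    print("policy rejects 'carbon':", not password_meets_policy("carbon", "player1", "Carbon"))
```

The lockout is keyed on the account rather than the client address because the talk's point is that user IDs are public (screen names, sequential numeric IDs); an attacker who can rotate addresses is still stopped per account, and a legitimate player on a changing address is not punished for it.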