GPWA Times Magazine - Issue 5 - May 2008

35 RECENT SECURITY PROBLEMS March, 2008 In March, UltimateBet revealed that they were investigating reports in January that a player with the handle “NioNio” had been cheating. “NioNio” exhibited “abnormally high winnings statistics,” UltimateBet said. And the online poker room, which is licensed by the Kahnawake Gaming Commission (KGC), said they are working with an independent third party expert to determine “whether an unfair advantage existed, how such a scheme might have been per- petrated, and whether additional accounts beyond those of NioNio were involved.” February, 2008 Distributed denial of service attacks (DDoS) wreaked havoc at online gaming sites for a few days in February.Full Tilt Poker,Titan Poker,Virgin Games and Party Poker were among the sites attacked by a Web-based botnet, according to the Shad- owserver Foundation, a watchdog group of security professionals that gath- ers, tracks, and reports on malware, botnet activity, and electronic fraud. Some e-commerce sites were also attacked. Full Tilt Poker’s Web site was inaccessible for parts of two days. And Full Tilt had to “pause” the final table of the FTOPSVII Main Event for a brief periodwith just three players remaining when its client lost connec- tivity with the Full Tilt servers.The botnets caused Titan Poker pages to load intermittently. October, 2007 Late in the month, Abso- lute Poker announced they were investigating whether “superuser” accounts could see the hole cards of all the players at a table. The problem first came to light when a player withthehandle“Potripper”enjoyed a prosperous, yet unlikely, string of fortune during a poker tournament, at one point going 20 minutes without folding pre-flop.A player by the name of “Marco” got suspicious and e-mailed Ab- solute Poker to request an XLS file of the hand history. As is the standard, Absolute Poker complied. When the file was received it was discovered that not only did it include complete hand history of every table revealing all of the hole cards of each player, but also the IP addresses and the user details, including e-mail addresses,of people observing the table.Players on the TwoPlusTwo forums analyzed the data and post- ed their conclusions that someone was cheating. The online poker room hired Australian-based Gaming As- sociates to investigate the matter.The audit found seven accounts“were used to compromise AP’s systems by par- ticipating in live poker games with players using software that enable the viewing of the‘hole cards’of each of the oth- er players, resulting in unfair play,” according to a KGC state- ment. And in January, the KGC fined Absolute Poker $500,000. which to the unsuspecting eye in the heat of the moment can be easily mistaken for the real thing. Once captured in the trap, punters can then be tricked into entering their credit card information or conned into taking part in a game for which there is always only one winner. Banks and e-commerce sites are particularly prone to this form of fraud, which can be very quickly set up and taken down again as soon as the scam is spotted and report- ed across the world’s Web chat rooms. In the meantime the site will have no doubt fooled enough individuals to have made the whole thing very worthwhile. Fortunately now there are plenty of low- cost anti-malware solutions that punters can use to detect if the site they are visit- ing is legitimate, and Microsoft’s Vista in- cludes automated alerts if a site is suspect. However, it is still the responsibility of the Web site owner to ensure that their site reg- istration is properly maintained and that safe- guards are put into place to enable customers to be sure they are dealing with the real article. For the legitimate online gaming business, having its Web site spoofed can cause serious long-term damage to the company. Not only are they losing potential revenue whenever the site is operating, but they also stand to lose out in terms of their corporate reputation. This is a particular problem for bigger, global gaming organizations that have more to lose when the customer’s trust and confidence are damaged, ultimately even affecting things like stock valuations that are difficult to recover from. Clearly and undeniably security has to be near the top of the agenda for any organization that relies on the Internet for its existence. Within this category, online gaming properties have to be close to, if not at, the top of the most vulnerable orga- nizations list, and any operators who do not take this seri- ously are essentially risking their whole business operation. For anyone who believes that this is overstating the case and that the problems have already been solved by the many companies offering security technologies, Symantec’s In- ternet Security Threat Report published in April 2008 could be an illuminating read. Probably one of the most comprehensive reports of its kind, drawing on data from across the world over a six- month period, it is too long to summarize adequately here. But one alarming statistic that should be a wake- up call to doubters is that during the research period a total of 25,000 vulnerabilities affecting more than 55,000 technologies from 8,000 vendors were re- corded – so how secure is your business? How secure is your online business? | GPWA TIMES