Protecting the Player – Information Security Concerns
Gus Fritschie (@gfritschie)
March 21, 2014
© SeNet International Corp. 2014, March 2014
Overview
While there is the potential for attacks against the iGaming application and infrastructure, it is easier to attack the consumer.
Why spend days trying to exploit a SQL injection vulnerability when all you need to do is get a player to click a link?
The focus of this talk is on protecting the player.
Houston, We Have a Problem
Barcelona Laptop Incident
http://pokerfuse.com/news/live-and-online/confirmed-ept-barcelona-laptop-infected-with-screen-sharing-trojan-11-12/
Las Vegas Sands Hacked
What Can Sites Do?
There are many steps that sites can take to help protect their players; here are some:
• Security awareness
• User security controls (e.g. password policy, multi-factor authentication, account lockout)
• Site security controls (e.g. SSL, secure coding, secure configuration)
• Continuous monitoring
Security Awareness
• Operators need to do more to raise security awareness among their customers.
• This could take the form of logon messages, emails, or other forms of communication.
• Last year PokerStars released a guide on protecting your laptop, distributed at an EPT event in the wake of the Barcelona hotel incident.
• Learn a lesson from Facebook.
User Controls
• Password complexity requirements
• Session timeout
• Account Lockout
• Multiple Sessions
• Dual-factor authentication
• IP/MAC Restrictions
• Logon Notification
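Three of the user controls above (account lockout, session timeout and logon notification) combined into one logon policy, as an added example that is not code from the talk or from any operator; the thresholds are constructed values, and `password_matches` stands in for the real credential check.

```python
import time
from dataclasses import dataclass, field

# Constructed policy values (assumptions, not figures from the talk).
MAX_FAILED_ATTEMPTS = 5             # account lockout threshold
LOCKOUT_SECONDS = 15 * 60           # how long a locked account stays locked
SESSION_TIMEOUT_SECONDS = 30 * 60   # idle time after which a session is dead

@dataclass
class Account:
    failed: int = 0
    locked_until: float = 0.0
    known_ips: set = field(default_factory=set)
    notifications: list = field(default_factory=list)

def login(acct, password_matches, ip, now):
    """Apply the lockout policy to one logon attempt.

    Returns (status, note): status is 'locked', 'denied' or 'ok';
    note is the logon notification to send when the source IP is new.
    password_matches stands in for the real credential check."""
    if now < acct.locked_until:
        return "locked", None               # do not even evaluate the password
    if not password_matches:
        acct.failed += 1
        if acct.failed >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failed = 0
            return "locked", None
        return "denied", None
    acct.failed = 0                         # a success resets the counter
    note = None
    if ip not in acct.known_ips:            # logon notification: new source
        note = f"New logon to your account from {ip}"
        acct.notifications.append(note)
        acct.known_ips.add(ip)
    return "ok", note

def session_active(last_activity, now):
    """Idle session timeout: True while the session may still be used."""
    return now - last_activity < SESSION_TIMEOUT_SECONDS

if __name__ == "__main__":
    acct = Account()
    t0 = time.time()
    for _ in range(5):
        print(login(acct, False, "203.0.113.5", t0))
    print(login(acct, True, "203.0.113.5", t0 + LOCKOUT_SECONDS))
```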
Site Controls
• Security Code Reviews
• 3rd Party and Internal Security Reviews
• Secure architecture design and implementation
• Configuration Management
• Encryption (data-in-transit and data-at-rest)
Continuous Monitoring
• Collusion/bot detection
• Abnormal activity/win rates
• Account Activities
• Logging/SIEM
• It is important to monitor not only technical controls, but management and operational controls too
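Two of the monitoring signals listed above (abnormal win rates and a co-seating input to collusion review) run over constructed hand-history records, as an added example that is not code from the talk; the record format, the z-score threshold and the pair threshold are assumptions for illustration.

```python
import statistics
from collections import defaultdict
from itertools import combinations

# Constructed hand-history records (assumption: one row per player per hand):
# hand_id, table, player, net_chips
HANDS = """\
h1,t1,alice,+120
h1,t1,bob,-120
h2,t1,alice,+90
h2,t1,bob,-90
h3,t2,erin,+30
h3,t2,frank,-30
h4,t1,alice,+200
h4,t1,bob,-200
h5,t2,erin,-30
h5,t2,frank,+30
"""

def parse(text):
    rows = []
    for line in text.strip().splitlines():
        hand, table, player, net = line.split(",")
        rows.append((hand, table, player, int(net)))
    return rows

def abnormal_win_rates(rows, z_threshold=1.0, min_hands=2):
    """Flag players whose mean chips won per hand sits z_threshold standard
    deviations above the population mean. The threshold is a tuning value
    chosen for this small sample, not a recommendation."""
    per_player = defaultdict(list)
    for _, _, player, net in rows:
        per_player[player].append(net)
    means = {p: statistics.mean(v) for p, v in per_player.items() if len(v) >= min_hands}
    mu = statistics.mean(means.values())
    sigma = statistics.pstdev(means.values())
    return sorted(p for p, m in means.items() if sigma and (m - mu) / sigma > z_threshold)

def frequent_pairs(rows, min_shared=3):
    """Pairs of players dealt into the same hand at least min_shared times;
    one input to a collusion review, not proof of collusion by itself."""
    by_hand = defaultdict(set)
    for hand, _, player, _ in rows:
        by_hand[hand].add(player)
    shared = defaultdict(int)
    for players in by_hand.values():
        for pair in combinations(sorted(players), 2):
            shared[pair] += 1
    return sorted(pair for pair, n in shared.items() if n >= min_shared)
```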
Examples
Security Configuration Issues
Authentication Weaknesses
http://www.onlinepokerreport.com/9529/authentication-comparison-two-nj-igaming-sites/
Backend Password and Username Exposed in Request
Password Stored in Clear-text in Database
Using the forgot-password function, the password is sent via email and is the same password as initially set. This indicates that passwords are stored in clear-text.
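The clear-text pattern the slide describes beside a hardened form, as an added example that is not code from the talk or from the site in question: the weak store can email the password back because it still has it, while the hardened store keeps only a salted PBKDF2 hash and answers "forgot password" with a short-lived, single-use reset token. The reset URL and the iteration count are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Weak pattern from the slide (constructed): the password itself is stored,
# so "forgot password" can simply mail it back.
class ClearTextStore:
    def __init__(self):
        self.passwords = {}
    def register(self, user, password):
        self.passwords[user] = password
    def forgot_password_email(self, user):
        return f"Your password is: {self.passwords[user]}"  # proves clear-text storage

# Hardened form: store only salt + PBKDF2-HMAC-SHA256 hash; reset via token.
PBKDF2_ITERATIONS = 600_000   # assumption: a current-guidance work factor

class HashedStore:
    def __init__(self):
        self.records = {}       # user -> (salt, digest)
        self.reset_tokens = {}  # token -> (user, expiry)

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        self.records[user] = (salt, digest)

    def verify(self, user, password):
        salt, digest = self.records[user]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        return hmac.compare_digest(candidate, digest)   # constant-time compare

    def forgot_password_email(self, user, now=None, ttl=900):
        token = secrets.token_urlsafe(32)               # random, single-use, 15 min
        self.reset_tokens[token] = (user, (now or time.time()) + ttl)
        return f"Reset link: https://example.com/reset?token={token}"  # no password

    def reset(self, token, new_password, now=None):
        entry = self.reset_tokens.pop(token, None)      # pop: token is single-use
        if entry is None:
            return False
        user, expiry = entry
        if (now or time.time()) > expiry:
            return False
        self.register(user, new_password)
        return True
```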
Weak Password Policy