LizaMayra
Enthusiast
Silver Level
Hey Everyone,
I play poker online just like you guys, but I have always been curious about online security for the poker rooms... so I started looking at some companies that do software security for some of the major online poker rooms, and this is what I found.
http://www.cigital.com/news/index.php?pg=art&artid=20
(copy and paste this link to browser)
Here is what is on the page:
Press Release
Internet gambling Software Flaw Discovered by Reliable Software Technologies Software Security Group
DULLES, Va., September 1, 1999—The Software Security Group at Reliable Software Technologies, the leading authority and industry visionary on software assurance for security-critical software, today announced the discovery of a major security flaw in Internet Gambling software. The flaw can be exploited to bilk innocent players of actual money in online poker games.
Regardless of its quasi-legal status, online gambling presents an entire raft of risks. Key questions include: Will your personal information be handled securely (for example, will the credit card number you're paying with be stolen or the fact that you're gambling at all be leaked)? What if the gaming site is hacked? Could you be playing against cheating insiders or players acting in collusion? Are the games implemented correctly and fairly? Is the software secure? In response to the last question, we have demonstrated that the answer is no.
The Software Security Group at Reliable Software Technologies has discovered a serious flaw in the implementation of Texas Hold 'em Poker that is distributed by ASF Software, Inc.. We have exploited this flaw in the lab. Our exploit allows a player (us) to calculate the exact deck being used for each hand in real time. That means a player using our exploit knows the cards in every opponent's hand as well as the cards that will make up the flop (cards placed face up on the table after rounds of betting). We can always make the right decision, and consequently maximize our earnings. A malicious attacker could use our exploit to bilk innocent players of actual money without ever being caught. ASF Software and all of their online casino customers have been notified of the flaw.
Currently we know of three online casinos (www.planetpoker.com, www.purepoker.com, and www.deltacasino.com) that appear to use ASF Software's implementation of Texas Hold 'em Poker. All three Websites allow players to compete for real money. There is also a demo casino that allows players to gamble with play money. We used our exploit against the demo casino. We also demonstrated, without actually cheating, that it could be used against real money casinos.
The flaw exists in the card shuffling algorithm used to generate each deck. Ironically, the code was publicly displayed at www.planetpoker.com/ppfaq.htm with the idea of showing how fair the game is to interested players (the relevant question has since been removed). In the code, a call to randomize() is included to produce a random deck before each deck is generated. The implementation, built with Delphi 4 (a Pascal IDE), seeds the random number generator with the number of milliseconds since midnight according to the system clock. That means the output of the random number generator is easily predicted. A predictable "random number generator" is a very serious security problem.
The scenario below illustrates the problem. The first screen shows an actual game in progress. In this scene, we are jonnyboy (whose cards are shown face up) and three "flop" cards are displayed. Two other players are participating, but their cards are not displayed (for obvious reasons).
By synchronizing our clock with the clock on the online casino and hitting the "shuffle" button, our program can calculate the exact shuffle. That means we know all the cards that have yet to appear, everyone's hand, and who will win. The screen shot below shows the information displayed by our program in realtime during an actual game. Our program knows what cards are to appear in advance, before they are revealed by the online game.
As you can see in the screen shown below, taken at the conclusion of the demonstration game, our program has correctly determined all the cards. Given our program, a malicious user would know when to hold 'em and know when to fold 'em with 100% accuracy. This information can be used to win money from unsuspecting players.
A typical hand involves $30-1000 in the pot. We estimate over $100,000 worth of money changes hands daily on the four most popular online poker sites.
There are a number of other problems in the poker implementation that could lead to complete security compromise. We have only exploited the easiest one at this time.
I play poker online just like you guys, but I have always been curious about online security for the poker rooms... so I started looking at some companies that do software security for some of the major online poker rooms, and this is what I found.
http://www.cigital.com/news/index.php?pg=art&artid=20
(copy and paste this link to browser)
Here is what is on the page:
Press Release
Internet gambling Software Flaw Discovered by Reliable Software Technologies Software Security Group
DULLES, Va., September 1, 1999—The Software Security Group at Reliable Software Technologies, the leading authority and industry visionary on software assurance for security-critical software, today announced the discovery of a major security flaw in Internet Gambling software. The flaw can be exploited to bilk innocent players of actual money in online poker games.
Regardless of its quasi-legal status, online gambling presents an entire raft of risks. Key questions include: Will your personal information be handled securely (for example, will the credit card number you're paying with be stolen or the fact that you're gambling at all be leaked)? What if the gaming site is hacked? Could you be playing against cheating insiders or players acting in collusion? Are the games implemented correctly and fairly? Is the software secure? In response to the last question, we have demonstrated that the answer is no.
The Software Security Group at Reliable Software Technologies has discovered a serious flaw in the implementation of Texas Hold 'em Poker that is distributed by ASF Software, Inc.. We have exploited this flaw in the lab. Our exploit allows a player (us) to calculate the exact deck being used for each hand in real time. That means a player using our exploit knows the cards in every opponent's hand as well as the cards that will make up the flop (cards placed face up on the table after rounds of betting). We can always make the right decision, and consequently maximize our earnings. A malicious attacker could use our exploit to bilk innocent players of actual money without ever being caught. ASF Software and all of their online casino customers have been notified of the flaw.
Currently we know of three online casinos (www.planetpoker.com, www.purepoker.com, and www.deltacasino.com) that appear to use ASF Software's implementation of Texas Hold 'em Poker. All three Websites allow players to compete for real money. There is also a demo casino that allows players to gamble with play money. We used our exploit against the demo casino. We also demonstrated, without actually cheating, that it could be used against real money casinos.
The flaw exists in the card shuffling algorithm used to generate each deck. Ironically, the code was publicly displayed at www.planetpoker.com/ppfaq.htm with the idea of showing how fair the game is to interested players (the relevant question has since been removed). In the code, a call to randomize() is included to produce a random deck before each deck is generated. The implementation, built with Delphi 4 (a Pascal IDE), seeds the random number generator with the number of milliseconds since midnight according to the system clock. That means the output of the random number generator is easily predicted. A predictable "random number generator" is a very serious security problem.
The scenario below illustrates the problem. The first screen shows an actual game in progress. In this scene, we are jonnyboy (whose cards are shown face up) and three "flop" cards are displayed. Two other players are participating, but their cards are not displayed (for obvious reasons).
By synchronizing our clock with the clock on the online casino and hitting the "shuffle" button, our program can calculate the exact shuffle. That means we know all the cards that have yet to appear, everyone's hand, and who will win. The screen shot below shows the information displayed by our program in realtime during an actual game. Our program knows what cards are to appear in advance, before they are revealed by the online game.
As you can see in the screen shown below, taken at the conclusion of the demonstration game, our program has correctly determined all the cards. Given our program, a malicious user would know when to hold 'em and know when to fold 'em with 100% accuracy. This information can be used to win money from unsuspecting players.
A typical hand involves $30-1000 in the pot. We estimate over $100,000 worth of money changes hands daily on the four most popular online poker sites.
There are a number of other problems in the poker implementation that could lead to complete security compromise. We have only exploited the easiest one at this time.
