Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Trifecta – Overview of Vulnerabilities in the Racing Industry Gus Fritschie December 11, 2013.

Published byShanon Dixon Modified over 8 years ago

Similar presentations

Presentation on theme: "Security Trifecta – Overview of Vulnerabilities in the Racing Industry Gus Fritschie December 11, 2013."— Presentation transcript:

1 Security Trifecta – Overview of Vulnerabilities in the Racing Industry Gus Fritschie December 11, 2013

2 © SeNet International Corp. 20132December 2013 SeNet Who We Are – SeNet International

3 © SeNet International Corp. 20133December 2013 SeNet Who We Are – Gus Fritschie CTO of SeNet International Subject Matter Expert in Gaming and iGaming security Presented at multiple conferences, including Defcon on iGaming issues Written multiple articles on gaming security for both print and online publications Most importantly I want sites and organizations to be safe and secure because I am also a player Follow on Twitter @gfritschie

4 © SeNet International Corp. 20134December 2013 SeNet Why This Talk? The future of gaming, if not the Internet is tied closely to it. Even those components that may not be specifically tied to iGaming (i.e. OTB) still require a certain level of security. While the racing industry has had a head start (thanks to UIEGA) it only leads by a couple of lengths, and when it comes to security it is neck-to-neck. We need to learn from past mistakes in other sectors in order to avoid them in the future. Often security is seen as a cost and something we don’t think about until there is a problem (similar to flooded basement). However, this trend needs to change and we need to become more proactive compared to reactive.

5 © SeNet International Corp. 20135December 2013 SeNet How is Online Racing Security Different From This?

6 © SeNet International Corp. 20136December 2013 SeNet Security is Security There is no difference! Racing and iGaming face the same problems and need the same level of protection as other verticals. Areas that need to be taken into account include: Application Security Network Security System Security Database Mobile Physical And more………

7 © SeNet International Corp. 20137December 2013 SeNet Security is all About Managing Risk You will never be 100% secure, the key is to understand the risks you face and with that information make informed business decisions. In order to be 100% secure you would need to do this…….

8 © SeNet International Corp. 20138December 2013 SeNet Are Compliance Standards the Answer?

9 © SeNet International Corp. 20139December 2013 SeNet Compliance Does Not Equal Security But it is a starting point and better than nothing. Need to approach it from more than a paperwork exercise. The problem is most of the compliance standards (current gaming included) are not strict enough and leave organizations with a false sense of security. Compliance != Secure

10 © SeNet International Corp. 201310December 2013 SeNet What is the Solution? The answer is a comprehensive, enterprise solution across all facets. Too long of an answer for this brief presentation. In my opinion two ways organizations are most likely to get compromised. 1.Attacks via the application (both web and mobile) 2.Social engineering attacks Let’s look closer at the first method……

11 © SeNet International Corp. 201311December 2013 SeNet Types of Application Attacks

12 © SeNet International Corp. 201312December 2013 SeNet Security Needs to be Baked into the SDLC Examples: Audit logging design possibly include redundancy, retention, and reliability (unintentional 3 r's there); Session design possibly include concurrency control, lock, identification, replay Access, authentication, and authorization (intentional 3 a's there) Error handling design Unit test automation by check-in gates Code coverage Design for functional testing Information input restriction RBAC Partitioning Information validation Rules engine/input validation, app firewall Risk-based approach vs. compliance-only focus. Security integration to system development is critical to front-end design

13 © SeNet International Corp. 201313December 2013 SeNet Examples

14 © SeNet International Corp. 201314December 2013 SeNet. Session Token in URL

15 © SeNet International Corp. 201315December 2013 SeNet Account Number Enumeration

16 © SeNet International Corp. 201316December 2013 SeNet Backend Password and Username Exposed in Request

17 © SeNet International Corp. 201317December 2013 SeNet Backend Password and Username Exposed in Request (Cont.) GET / php/fw/php_BRIS_BatchAPI/2.3/Games/Payouts?ip= 172.20.18.156&username=strikeit&password=1tg00d &affid=5000&output=json HTTP/1.1

18 © SeNet International Corp. 201318December 2013 SeNet 123456 What is this?

19 © SeNet International Corp. 201319December 2013 SeNet Weak Password Policy

20 © SeNet International Corp. 201320December 2013 SeNet Password Stored in Clear-text in Database Using the forgot password function the password is sent via email and is the same password as initially set. This indicates passwords are stored in clear-text.

21 © SeNet International Corp. 201321December 2013 SeNet Cross-site Scripting (XSS)

22 © SeNet International Corp. 201322December 2013 SeNet Cross-site Scripting (XSS)

23 © SeNet International Corp. 201323December 2013 SeNet Conclusion This introduction presentation just touched on some of the security issues that the Online Racing Industry need to take into account. All examples used were discovered via passive analysis, no active or scanning was performed on sites. Less than a few hours were used to locate these “low-hanging” vulnerabilities, certainly more exist. During the rest of this panel discussion we will dive deeper into some of these attack vectors and others that you need to be aware of.

Download ppt "Security Trifecta – Overview of Vulnerabilities in the Racing Industry Gus Fritschie December 11, 2013."

Similar presentations

Webgoat.

Webgoat.
Incident Handling & Log Analysis in a Web Driven World Manindra Kishore.

Incident Handling & Log Analysis in a Web Driven World Manindra Kishore.
ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.

ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
George Tubin Senior Analyst Consumer Banking © 2005 The Tower Group, Inc. May not be reproduced by any means without express permission. All rights reserved.

George Tubin Senior Analyst Consumer Banking © 2005 The Tower Group, Inc. May not be reproduced by any means without express permission. All rights reserved.
Application Security: What Does it Take to Build and Test a “Trusted” App? John Dickson, CISSP Denim Group.

Application Security: What Does it Take to Build and Test a “Trusted” App? John Dickson, CISSP Denim Group.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Using Internet Information Server And Microsoft ® Internet Explorer To Implement Security On The Intranet HTTP.

Using Internet Information Server And Microsoft ® Internet Explorer To Implement Security On The Intranet HTTP.
Creating a Secured and Trusted Information Sphere in Different Markets Giuseppe Contino.

Creating a Secured and Trusted Information Sphere in Different Markets Giuseppe Contino.
SiteLock Internet Security: Big Threats for Small Business.

SiteLock Internet Security: Big Threats for Small Business.
Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.

Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.
Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department

Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department
Web Application Security

Web Application Security
How to Defend Against FISMA Gus Fritschie and Andrew Du June 1st, 2013 FISMA Compliance.

How to Defend Against FISMA Gus Fritschie and Andrew Du June 1st, 2013 FISMA Compliance.
Web-based Document Management System By Group 3 Xinyi Dong Matthew Downs Joshua Ferguson Sriram Gopinath Sayan Kole.

Web-based Document Management System By Group 3 Xinyi Dong Matthew Downs Joshua Ferguson Sriram Gopinath Sayan Kole.
OWASP Mobile Top 10 Why They Matter and What We Can Do

OWASP Mobile Top 10 Why They Matter and What We Can Do
Telenet for Business Mobile & Security? Brice Mees Security Services Operations Manager.

Telenet for Business Mobile & Security? Brice Mees Security Services Operations Manager.
Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.

Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.
Chapter 20 20-1 © 2012 Pearson Education, Inc. Publishing as Prentice Hall.

Chapter © 2012 Pearson Education, Inc. Publishing as Prentice Hall.

Similar presentations

Ads by Google