
Sharking: High-Rollers in the Crosshairs - sdoering
http://www.f-secure.com/weblog/archives/00002647.html
======
stevenrace
Another great read from the F-Secure folks.

From the code snippet, it seems Toolkit.getDefaultToolkit().getScreenSize()
doesn't account for external monitors - only the primary display. Targeted
malware you'd think would use getScreenDevices() or something to account for
that - I'd always imagined professional online poker players 'sat' at many
tables at once ...presumably using multiple monitors.

~~~
rscale
That's an interesting catch. I'm guessing the gap was because the attacker
commissioned the software at low cost, and didn't spot the problem. That said,
the attack would still work well because Jeans plays nosebleed stakes[1], so
he's not likely to be playing a huge number of games at a time, and he travels
regularly for live games so he's likely to be on a standalone laptop.

Multi-monitor setups are very common in the poker world, but the primary
monitor would get you a long way. After all, if you sit with him and realize
your table isn't on his main screen, you could sit out.

I'm quite glad he thought to drop his computer at F-Secure.

[1] example hands from his online games: [http://www.highstakesdb.com/poker-hands.aspx?=&sort=potsize&...](http://www.highstakesdb.com/poker-hands.aspx?=&sort=potsize&player=Jeans89&page=1)

~~~
Argorak
For those not into poker slang (like me, I had to google it):

Nosebleed refers to very high stakes games where the minimum stake is usually
over 200$/400$ per round and more, with an open end ;).

~~~
sejje
And for those who have a slightly better poker vocabulary, it's games where
the blinds (antes) are $200/$400.

Your actual stake on the table will be ~$40,000 in that game.

------
dirtyaura
F-Secure is a prime example how company blogging should be done. They have a
lot of interesting posts about and around their core subject, but they manage
to avoid the vibe that you get from typical startup blog posts that somebody
is trying to sell you something.

And it isn't just blogging, it's their public presence in general - Mikko
Hyppönen's talks (like his TEDx talk about NSA) are genuinely interesting.

------
leoedin
It would be interesting to know what type of door locks the hotel used.
There's been numerous attacks on hotel door locks recently [1], and the
current situation appears to be that a sizeable proportion of hotel door locks
are incredibly vulnerable. It's a good reminder that if you have a security
requirement, use full disk encryption.

[1]: [http://www.extremetech.com/computing/133448-black-hat-hacker...](http://www.extremetech.com/computing/133448-black-hat-hacker-gains-access-to-4-million-hotel-rooms-with-arduino-microcontroller)

~~~
mistercow
>It's a good reminder that if you have a security requirement, use full disk
encryption

If someone can gain repeated access to your hotel room, full disk encryption
is vulnerable to the so-called "evil maid attack". Basically, someone comes to
your room, boots from a thumb drive, and installs their own bootloader on the
machine. When you return, everything will appear normal to you, but the
bootloader can do any amount of mischief. For example, it can log the password
you enter to log in and store it. Or they can have the spyware mentioned in
the article install once you log in.

Later, they come back, wipe the bootloader, and leave your system apparently
in its original state (but with spyware installed). The only difference now is
that you may think you've foiled their attack because of the full disk
encryption, and fail to investigate further.

~~~
korussian
Easy: use cloud storage with 2-factor authentication.

~~~
mistercow
That will weaken the attack, make it a little more difficult, but it won't
thwart it.

------
kripy
They probably should have checked the term "sharking" before calling it -
[http://www.urbandictionary.com/define.php?term=sharking](http://www.urbandictionary.com/define.php?term=sharking)
\- big in Japan a few years ago.

~~~
stbtrax
How does a particular type of sexual assault become so commonplace that it
warrants its own slang term?

~~~
sanskritabelt
Welcome to the Patriarchy.

------
confluence
The innovation of criminal enterprises continues to impress me. This is why I
love reading about security, espionage, and crime. It's industries like these
that open me up to the possibility that maybe my laptop is compromised, my
line is insecure, my servers are tapped, my phones are tapped, my car is
bugged, people who contact me might be social engineers, and so on and so
forth. You get a much better handle on reality by looking at what the dark
side is doing.

------
mistercow
Putting the computer in a safe is a good idea, assuming it doesn't have a
backdoor. Full disk encryption alone won't be good enough in a hotel, due to
the "Evil Maid Attack":
[https://www.schneier.com/blog/archives/2009/10/evil_maid_att...](https://www.schneier.com/blog/archives/2009/10/evil_maid_attac.html)

~~~
chiph
Lots of hotel safes (with the electronic locks) have a default password known
to the staff, so they can get in after a guest has checked out and forgotten
an item in the safe, or the guest has forgotten the password they chose. I
would regard hotel safes as only slightly better than leaving your laptop on
the nightstand.

~~~
mistercow
Exactly. So if you want to avoid an evil maid attack, you're basically going
to have to lug around your own safe, or keep your laptop with you at all
times.

------
antihero
Perhaps this would be the sort of situation where you boot from read-only USB
stick, or LiveCD.

~~~
alexkus
Fine, but how would you verify your read-only USB stick or LiveCD before use?

Theoretically someone could sneak and replace the LiveCD with one that looks
identical but is infected with the required malware[1].

Carrying it on you, or locking it in the safe in the room[2], might mitigate
that I suppose.

1. Sneak in once, steal a copy of the USB/LiveCD contents, go away and create
a new version infected with malware, sneak in again and swap them over.

2. Not really safe as one previous link on HN showed.

~~~
mikeash
This seems like something where Secure Boot, with user-provided keys, would
really be handy. Create a key pair and tell your computer to only boot from
stuff signed with your own key, then it will refuse to boot from a tampered
USB stick or CD.
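The check mikeash describes, and the verification alexkus asks for, reduce to one rule: the machine holds only the owner's public key as its trust anchor, and it boots a medium only if that medium's contents verify under a signature made with the owner's private key. The Go program below is an added model of that rule written for this thread; it is not firmware code, not F-Secure's code, and not how UEFI Secure Boot is implemented (real firmware uses X.509 certificates in the PK/KEK/db variables and Authenticode-signed PE binaries). The Ed25519 key pair, the SHA-256 digest, the `VerifyBoot` function and the "LiveCD contents" byte string are all constructed stand-ins chosen for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// OwnerKeys models the user-provided key pair mikeash describes. The private
// key stays offline with the owner; only the public key is enrolled in the
// machine as its trust anchor. (Constructed model, not a real firmware type.)
type OwnerKeys struct {
	Public  ed25519.PublicKey
	private ed25519.PrivateKey
}

// NewOwnerKeys generates a fresh owner key pair.
func NewOwnerKeys() (*OwnerKeys, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &OwnerKeys{Public: pub, private: priv}, nil
}

// SignMedium produces the detached signature the owner attaches to a trusted
// boot medium (the contents of the USB stick or LiveCD). Signing the SHA-256
// digest stands in for signing the bootloader image itself.
func (k *OwnerKeys) SignMedium(image []byte) []byte {
	digest := sha256.Sum256(image)
	return ed25519.Sign(k.private, digest[:])
}

// ErrUntrustedMedium is the refusal the firmware side returns.
var ErrUntrustedMedium = errors.New("boot refused: medium not signed by enrolled owner key")

// VerifyBoot is the firmware-side check: recompute the digest of what is
// actually on the medium and boot only if it verifies under the enrolled key.
// Any byte changed by an evil maid, or any signature made with a key other
// than the owner's, fails here before the medium runs.
func VerifyBoot(trustAnchor ed25519.PublicKey, image, sig []byte) error {
	digest := sha256.Sum256(image)
	if !ed25519.Verify(trustAnchor, digest[:], sig) {
		return ErrUntrustedMedium
	}
	return nil
}

// Demo runs the scenario from the thread: the owner signs their medium, a
// tampered copy is swapped in, and the attacker also tries signing the copy
// with their own key. It returns the three outcomes.
func Demo() (genuineBoots, tamperedRefused, foreignKeyRefused bool, err error) {
	owner, err := NewOwnerKeys()
	if err != nil {
		return
	}
	image := []byte("constructed stand-in for LiveCD contents") // constructed sample
	sig := owner.SignMedium(image)
	genuineBoots = VerifyBoot(owner.Public, image, sig) == nil

	// The swapped medium: identical except for a modified byte.
	tampered := append([]byte(nil), image...)
	tampered[len(tampered)-1] ^= 0xFF
	tamperedRefused = VerifyBoot(owner.Public, tampered, sig) != nil

	// Re-signing the copy with a different key does not help, because the
	// machine trusts only the owner's enrolled public key.
	attacker, err := NewOwnerKeys()
	if err != nil {
		return
	}
	foreignKeyRefused = VerifyBoot(owner.Public, tampered, attacker.SignMedium(tampered)) != nil
	return
}

func main() {
	g, t, f, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine medium boots: %v\n", g)
	fmt.Printf("tampered medium refused: %v\n", t)
	fmt.Printf("medium signed with foreign key refused: %v\n", f)
}
```

Two caveats the model makes visible: the check is only as good as the component that performs it, so the firmware (and the key store it reads) must itself be outside the attacker's reach, which is the part alexkus's footnote 1 is really about; and the private key must never live on the laptop being protected, otherwise the same physical access that installs a bootloader also yields the key needed to sign it.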

