Sharking: High-Rollers in the Crosshairs (f-secure.com)
142 points by sdoering on Dec 11, 2013 | 41 comments



Another great read from the F-Secure folks.

From the code snippet, it seems Toolkit.getDefaultToolkit.getScreensize() doesn't account for external monitors - only the primary display. Targeted malware you'd think would use getScreenDevices() or something to account for that - I'd always imagined professional online poker players 'sat' at many tables at once ...presumably using multiple monitors.


I've known online poker players who can play up to 8 at a time, just flipping around on individual windows in 1 screen. I think a lot depends on the stakes of the table, and the style of play. Someone playing aggressive with small stacks on moderate stakes doesn't need to pay attention to the level of someone playing with a large pile in high stakes games.

Since poker is a zero sum game, many pros find it more profitable to be spread out amongst multiple games of amateurs at modest stakes, than at a high risk high stakes table. (Collecting pennies rather than fighting over dollars, or predictable farming versus unpredictable hunting)


High stakes players (best targets for such attacks) usually don't play more than 3-4 tables at once - there just isn't enough action nowadays, and with hundreds of thousands of dollars on the line, even they (they are often multitasking gods by an ordinary human standard) acknowledge that focusing on a smaller number of tables might be a good idea...


That's an interesting catch. I'm guessing the gap was because the attacker commissioned the software at low cost, and didn't spot the problem. That said, the attack would still work well because Jeans plays nosebleed stakes[1], so he's not likely to be playing a huge number of games at a time, and he travels regularly for live games so he's likely to be on a standalone laptop.

Multi-monitor setups are very common in the poker world, but the primary monitor would get you a long way. After all, if you sit with him and realize your table isn't on his main screen, you could sit out.

I'm quite glad he thought to drop his computer at F-Secure.

[1] example hands from his online games: http://www.highstakesdb.com/poker-hands.aspx?=&sort=potsize&...


For those not into poker slang (like me, I had to google it):

Nosebleed refers to very high stakes games where the minimum stake is usually over $200/$400 per round and more, with an open end ;).


And for those who have a slightly better poker vocabulary, it's games where the blinds (antes) are $200/$400.

Your actual stake on the table will be ~$40,000 in that game.


F-Secure is a prime example of how company blogging should be done. They have a lot of interesting posts about and around their core subject, but they manage to avoid the vibe that you get from typical startup blog posts that somebody is trying to sell you something.

And it isn't just blogging, it's their public presence in general: Mikko Hyppönen's talks (like his TEDx talk about the NSA) are genuinely interesting.


It would be interesting to know what type of door locks the hotel used. There have been numerous attacks on hotel door locks recently [1], and the current situation appears to be that a sizeable proportion of hotel door locks are incredibly vulnerable. It's a good reminder that if you have a security requirement, use full disk encryption.

[1]: http://www.extremetech.com/computing/133448-black-hat-hacker...


>It's a good reminder that if you have a security requirement, use full disk encryption

If someone can gain repeated access to your hotel room, full disk encryption is vulnerable to the so-called "evil maid attack". Basically, someone comes to your room, boots from a thumb drive, and installs their own bootloader on the machine. When you return, everything will appear normal to you, but the bootloader can do any amount of mischief. For example, it can log the password you enter to log in and store it. Or they can have the spyware mentioned in the article install once you log in.

Later, they come back, wipe the bootloader, and leave your system apparently in its original state (but with spyware installed). The only difference now is that you may think you've foiled their attack because of the full disk encryption, and fail to investigate further.


Easy: use cloud storage with 2-factor authentication.


That will weaken the attack, make it a little more difficult, but it won't thwart it.


Easy: buy a new computer every day.


  "use another laptop/device for that, they're relatively cheap"


That still won't matter if you leave the important laptop in your hotel room.


Having followed this story since July, it was almost certainly an inside job and the perpetrator had access to the rooms (cleaner or other staff).


That was my first thought when I read the story too.

I bet non-casino hotels pay way less attention to security. I suspect that the Vegas hotels would have caught the perp on camera - and in these more enlightened times they might even have survived :-)


Not necessarily. Since he had to rekey the card... someone just showed up with any form of ID, or not even that, at the front desk and claimed that another random card they acquired by any other means (I collect those when I stay) wasn't opening the door. Easy as that.


I came into a Las Vegas hotel one morning around 7am... literally drunk as a skunk and looking really rough... I told the concierge I didn't have any ID or a key to my room... She asked me what was in the room, I said a backpack. She then proceeded to give me a new key and open my door for me.

I could have been any random drunk who stumbled into that hotel that morning.


Security was sent up every time I have been locked out of a hotel room. They're always happy to open the door for me, but won't leave until I satisfactorily identify myself (with ID that is usually locked in the room).


Wow, that never happened to me. I always get the card re-keyed without any kind of security. And that is from low 3-star to 4-star: the Hilton and the Cliff in SF, to name a few.


Maybe I look sufficiently sketchy for enhanced screening!



> if you have a security requirement, use full disk encryption

By this do you mean something along the lines of "if you have something worth protecting, do it the right way / all the way"? Interesting phrase.


Yes, basically. Having your computer actually at risk of physical attack is very unlikely for most people (given that most people aren't worth the bother), but if you are in a situation where an attacker could gain physical access to your computer, and that physical access could lead to significant loss (whether of property, money or valuable information) then the hassle involved in full disk encryption is minimal compared to the potential for loss.


They probably should have checked the term "sharking" before calling it - http://www.urbandictionary.com/define.php?term=sharking - big in Japan a few years ago.



I'd assume it derives from "card shark", a term which long predates any crazy Japanese thing.

("Card shark" is, of course, a corruption of "card sharp", but an old and well-established one.)


I had heard of casino "sharks" before, but I'd never heard of what you linked to before.

Also, I hope offenders are treated to severe punishment or jail time in Japan (unless it's done with the woman's consent, which I doubt). I can't believe it's serious enough to merit its own term.


How does a particular type of sexual assault become so commonplace that it warrants its own slang term?


Welcome to the Patriarchy.


Maybe it was done deliberately?


I'd say: both activities involve the exposure of bits the owner wants to keep private.


The innovation of criminal enterprises continues to impress me. This is why I love reading about security, espionage, and crime. It's industries like these that open me up to the possibility that maybe my laptop is compromised, my line is insecure, my servers are tapped, my phones are tapped, my car is bugged, people who contact me might be social engineers, and so on and so forth. You get a much better handle on reality by looking at what the dark side is doing.


Putting the computer in a safe is a good idea, assuming it doesn't have a backdoor. Full disk encryption alone won't be good enough in a hotel, due to the "Evil Maid Attack": https://www.schneier.com/blog/archives/2009/10/evil_maid_att...


Lots of hotel safes (with the electronic locks) have a default password known to the staff, so they can get in after a guest has checked out and forgotten an item in the safe, or the guest has forgotten the password they chose. I would regard hotel safes as only slightly better than leaving your laptop on the nightstand.


Exactly. So if you want to avoid an evil maid attack, you're basically going to have to lug around your own safe, or keep your laptop with you at all times.


Perhaps this would be the sort of situation where you boot from read-only USB stick, or LiveCD.


Fine, but how would you verify your read-only USB stick or LiveCD before use?

Theoretically someone could sneak and replace the LiveCD with one that looks identical but is infected with the required malware[1].

Carrying it on you, or locking it in the safe in the room[2], might mitigate that I suppose.

1. Sneak in once, steal a copy of the USB/LiveCD contents, go away and create a new version infected with malware, sneak in again and swap them over.

2. Not really safe as one previous link on HN showed.


This seems like something where Secure Boot, with user-provided keys, would really be handy. Create a key pair and tell your computer to only boot from stuff signed with your own key, then it will refuse to boot from a tampered USB stick or CD.
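The two comments above (verifying a LiveCD/USB stick before use, and Secure Boot with user-provided keys) describe the same trust decision: boot only media whose signature checks out against a key you control. The script below is an added example, not code from the F-Secure post or from any commenter. It models that decision with nothing but `openssl` (assumed installed): generate an owner key pair, sign a constructed stand-in for a boot image, then show that a swapped image carrying the old signature is rejected. Real Secure Boot does the analogous check in firmware with Authenticode signatures (produced by tools such as `sbsign`) against keys enrolled in the `db` variable; this script does not enroll anything and the file names are illustrative.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes only `openssl` is on PATH.
# Models the "boot only what I signed" check that Secure Boot with your own keys
# enforces; it does not touch UEFI variables or produce Authenticode signatures.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# One-time: the owner's key pair. The private key stays off the travelling laptop;
# only the public half needs to be on the machine that verifies.
make_owner_keys() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/owner.key" 2>/dev/null
    openssl pkey -in "$WORK/owner.key" -pubout -out "$WORK/owner.pub"
}

# Build time: detached RSA/SHA-256 signature over the whole image.
# $1 = image path, $2 = signature output path
sign_image() {
    openssl dgst -sha256 -sign "$WORK/owner.key" -out "$2" "$1"
}

# Boot time: 0 if the image is byte-for-byte what was signed, 1 otherwise.
# $1 = image path, $2 = signature path
verify_image() {
    openssl dgst -sha256 -verify "$WORK/owner.pub" -signature "$2" "$1" \
        >/dev/null 2>&1
}

demo() {
    make_owner_keys

    # Constructed stand-in for a LiveCD/USB payload (not a real kernel image).
    printf 'LIVECD-KERNEL-v1\n' > "$WORK/boot.img"
    sign_image "$WORK/boot.img" "$WORK/boot.sig"

    if verify_image "$WORK/boot.img" "$WORK/boot.sig"; then
        echo "genuine image: OK, would boot"
    else
        echo "genuine image: verification failed (bug)"; return 1
    fi

    # Evil maid scenario from the thread: the payload is replaced with a
    # look-alike carrying an implant, but the attacker has no owner.key, so the
    # best they can do is leave the old signature file next to it.
    printf 'LIVECD-KERNEL-v1+implant\n' > "$WORK/evil.img"
    if verify_image "$WORK/evil.img" "$WORK/boot.sig"; then
        echo "tampered image: verified (this must not happen)"; return 1
    else
        echo "tampered image: REJECTED, would refuse to boot"
    fi
}

demo
```

The check only helps if `owner.pub` itself cannot be swapped, which is why Secure Boot anchors it in firmware-protected variables rather than on the same disk as the image; a bootloader that reads its trusted key from unprotected storage is exactly what the evil maid replaces.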


AFAIK, that can be somewhat problematic for Windows. Why Windows, you ask? Most poker clients are Windows only. It's probably possible to boot Windows from a LiveCD, but when I looked at it in the past, it wasn't straightforward.


Stars and Tilt are both native to Windows and OS X and both can run on Linux with Wine.



