A trio has published a fascinating paper on how they hacked the Internet Chess Club. They produced a client with which they could easily cheat by controlling the amount of time they used per move, even setting it to zero. They also hacked the communications stream and could eavesdrop on all communications between any user and the ICC server, including credit card info, or even take control of the system to solicit information from an unsuspecting user. Read the abstract of their paper below.
They say they won't release their code and they offer suggestions to fix the problems. They also made their info available to the ICC before they published last week. I just chatted with George MacDonald, the general manager of the ICC, and they are still working on the system. Today they updated their help file to include a security disclaimer (see below).
As for it being easy, as the paper's authors imply, that's from a mathematical standpoint, not a practical one. It's not as if anyone with a few hours of free time would be able to whip up a cheat client. The danger would be an expert distributing such a thing.
How to Cheat at Chess: A Security Analysis of the Internet Chess Club
J. Black, M. Cochran, R. Gardner
September 3, 2004
Abstract
The Internet Chess Club (ICC) is a popular online chess server with more than 30,000 members worldwide including various celebrities and the best chess players in the world. Although the ICC website assures its users that the security protocol used between client and server provides sufficient security for sensitive information to be transmitted (such as credit card numbers), we show this is not true. In particular we show how a passive adversary can easily read all communications with a trivial amount of computation, and how an active adversary can gain virtually unlimited powers over an ICC user. We also show simple methods for defeating the timestamping mechanism used by ICC. For each problem we uncover, we suggest repairs. Most of these are practical and inexpensive.
**********************
The ICC has added a security item to their online help file. It reads:
ICC is committed to keeping confidential data secure and cheaters out of business. We are actively engaged in improving our current security mechanisms, while at the same time, devoting substantial resources to catching cheaters.
All data communicated between the ICC and Timestamp-enabled clients such as BlitzIn is encrypted.
However, no computer system can be guaranteed as completely safe from dedicated hackers and the ICC is no exception. ICC is aware of theoretical vulnerabilities mentioned in some reports on the internet. We are taking steps to address these issues.
If you have any questions or comments, you can ask a question in Channel 1, the Help Channel, send a message to icc or an email to icc@chessclub.com.
The geek in me was fascinated to read the details of the analysis in the paper. With my limited exposure to cryptography it seems like they know their stuff. However, as with any computer security exploit you need to ask how likely it is that anyone would bother. Why would someone go through the trouble to "hack the communication stream" (they spent 65 hours writing their cheating client!!) to steal a credit card number when they can simply do a Google search? It's frightening how many small businesses have unencrypted customer information, including credit card numbers, pin numbers, and that secret three-digit code on the back of your card, sitting on the internet.
As someone who uses a credit card at small businesses, your comments scare me, Steven. What should we non geeks know to protect ourselves, besides not to use a credit card on ICC?
This is a good straightforward guide:
http://www.ftc.gov/bcp/conline/pubs/online/payments.htm
The biggest issue these days is the phishing e-mails that say they are from your bank, or PayPal, or eBay, etc. Basically, never click on a link in one of these e-mails. Go to your bank's site in a browser only.
Giving credit card info online at a secure site (when the padlock appears in the bottom-right corner) is no more dangerous than handing your card to a waiter or letting carbons sit under a cashier's desk for hours or days. The problem is storage. Companies, online and off, are storing everything in online databases. They may have great encryption when you purchase, but they may slack in database protection.
I make several hundred online credit card purchases per year and rely entirely on online bill payment and banking, credit card management, and of course Ninja billing. Never a problem.
If you are purchasing from a small website that you aren't confident in you can always order by phone. Many let you order online and give CC info on the phone. But again, it's what companies do after they get the info that is usually the problem.
Infiltrating your computer via trojans is another danger more prevalent than intercepting info during online purchases. Using a firewall and scanning with Spybot Search & Destroy on occasion are absolutely essential if you have a broadband, always-on connection.
If anyone is paranoid, it's just plain silly. Everything's hackable, really, but the cost/benefit ratio just isn't there for hackers to really exploit it. Remember, these are top cryptography guys putting tons of effort to hack a 10-year-old piece of software. Not exactly worth bothering with.
After reading Mig's article last night, I went to sleep and had a dream where I was on ICC playing 5-minute. I had 8.1 seconds left against about 15 seconds for my opponent. I figured I didn't have much of a chance.
My opponent must have fumbled a move because somehow after their next move the times were even with about 8 seconds each.
Then, I was waiting for my opponent's move again - thought I had the game in the bag - a slow mover I figured they were. I'd seen this before, they freak out or something and make a few illegal moves losing their time advantage. It's happened to me also. I wasn't paying attention to the clock, as it was their move and any distraction would slow my next move down.
A little too much time went by, I glanced at the clocks and was horrified to see my own time ticking down near 0, with my opponent still at 8 seconds - EVEN THOUGH IT WAS HIS/HER MOVE! I woke up before the final second ticked off, and realized it had all been a horrible nightmare.
I don't usually thread-dive, but Christ, you're such an ICC ass-kisser, Mig.
It's probably safe enough to spend money at ICC. However, their elitism and greed make them targets for hacking. People have done so repeatedly over the years and prolly will continue to. It's no secret that ICC was born using the freely-donated work of others for personal financial gain. The hundreds of coders from the free-ICC days out there make a large pool of likely suspects. Banning the thousands of guests who helped to build them up until they got their dumbed-down computer "members" working didn't help the cause either. So it can't be denied that there are lots of places to spend money more safely than ICC.
Pull your nose out of their butts, man.