Colorado Researchers Crack Internet Chess Club

← Back to Stories (view on slashdot.org)

Colorado Researchers Crack Internet Chess Club

Posted by timothy on Sunday October 10, 2004 @10:00AM from the that's-nice-dear-and-how-was-class dept.

edpin writes "University of Colorado at Boulder students hacked the 30,000-plus-member Internet Chess Club as part of research funded by the National Science Foundation. With guidance from University of Colorado at Boulder computer security researcher John Black, two students reverse-engineered the service to up their ranks and steal passwords." Update: 10/10 23:05 GMT by T : Reader Bryan Rapp points out that this story duplicates the one posted last month -- sorry about that.

8 of 130 comments (clear)

Min score:

Reason:

Sort:

Another dupe, timothy? by Anonymous Coward · 2004-10-10 10:01 · Score: 5, Informative

Internet Chess Club Security Defeated
Re:This isn't really useful... by AEton · 2004-10-10 10:12 · Score: 3, Informative

If I were you, I wouldn't be proud of being Bobby Fischer.

--
We recently had heard in the office over one of the Yellow Machine that's made by Anthology Solutions.
Web Programmers by Jesus+IS+the+Devil · 2004-10-10 10:16 · Score: 4, Informative

I've seen way too many programmers who think they're the world's greatest gift to mankind, but don't know the FIRST RULE of developing web applications:

NEVER TRUST USER INPUT

This leads to stupid hacks like sql injection, html injection (leads to XSS), etc etc.

Not saying this is how it happened, but I wouldn't be the least bit surprised if this is how it happened.

--

eTrade SUCKS
Re:I wonder... by Vole_of_Wrath · 2004-10-10 10:49 · Score: 2, Informative

As a student of University of Colorado, living in the dorms no less, CU is VERY uptight about their internet security. They have almost every port closed from the outside, and they dont let you access the internet without several dozen procedures to make sure your computer is safe. I'm not saying it isn't foolproof, but it's like Fort Knox :X
Re:Is slashdot editing anything like survivor? by MikeBabcock · 2004-10-10 10:59 · Score: 2, Informative

You can edit your personal settings to not show stories by him though.

--
- Michael T. Babcock (Yes, I blog)
Academic research reporting should be left... by Anonymous Coward · 2004-10-10 12:10 · Score: 1, Informative

to academics and not institutions.

In all fairness... after reading the original paper, I asked ICC if they are aware of the problem and directed me to their security help file. ICC did fix one problem regarding membership payments:

http://www.chessclub.com/help/security

"Question: Is my credit card secure at ICC?

ICC has upgraded the way we process online payments. You can check out our new secure web payment forms at https://www.chessclub.com/store/members/payment.ph p

When you access the web form, your browser shows a "locked padlock" icon that indicates your communication with ICC are encrypted and secure. ICC takes great care in protecting financial information. See help privacy for more information. In almost ten years of service, no member has ever lost a penny of their money because of poor security at ICC."

Now if only someone could divulge Madonna's online name so all the chess geeks could finger her.
Re:Bah by jnguy · 2004-10-10 13:22 · Score: 2, Informative

A chess club where grandmasters play, and the general population has confidence in, I would imagine its fairly secure.
ICC Security Improvements by gmacd997 · 2004-10-10 14:03 · Score: 5, Informative

The Internet Chess Club (ICC) has taken steps to improve security since this paper was published.

For details on the paper and ICC's response see the help file at:
http://www.chessclub.com/help/blackpaper

For details on how ICC protects user's security see:
http://www.chessclub.com/help/security

For details on how ICC protects user's privacy see:
http://www.chessclub.com/help/privacy

An excerpt from the /blackpaper help file:

Question: What is ICC doing to improve security?

ICC is doing three main things to improve security:

1) ICC has changed our payment systems so that all online credit card payments go through secure web forms. You can check out our new secure web payment forms at https://www.chessclub.com/store/members/payment.ph p When you access the web form, your browser shows a 'locked padlock' icon that indicates your communication with ICC are encrypted and secure. ICC takes great care in protecting financial information. See http://www.chessclub.com/help/privacy for more information.

2) ICC is updating Timestamp to close the cracks identified in the paper. This process will take some time to complete. As Black, Cochran, and Gardner show in their paper, getting Timestamp security right is a complex task. Ultimately, when we deploy a new version of Timestamp, ICC users will need to upgrade their chess client software to take advantage of the increased security.

3) ICC is doing an internal security review. ICC is committed to keeping confidential data secure through upgrades to our servers and client programs. We are actively engaged in improving our current security mechanisms, while at the same time, devoting substantial resources to catching cheaters.

...

If you have any questions or comments, you can ask a question in Channel 1, the Help Channel, send a message to ICC or send an email to icc@chessclub.com.

Also, ICC is not suing anyone over the paper by John Black, Martin Cochran, and Ryan Gardner.

George MacDonald
General Manager
Internet Chess Club