Protecting Passwords, Securing Servers

There have been too many sites compromising personal data. There is no excuse. It is not hard to stop most, if not all hackers. All you have to do is care about your customers. This module describes how you can easily and effectively stop many hack attacks and protect your customer data on your servers. This is part 9 of my game security course. For the rest of this course, visit http://free2secure.com/. You may also want to check out my book "Protecting Games" - see http://playnoevil.com/ for details.

Presentation Transcript

  • Security eBooks: Protecting Passwords & Securing Servers. Steven Davis, steve@free2secure.com, Games, iGaming, and Gambling, +1.650.278.7416
  • Standard Server Architecture
    • 3-Tier / N-Tier
    • Lots of apps and services on a box
    • Split up for performance, if at all
    • … a “mini-cloud”
    • Why? Servers were expensive… in the old days
  • Bootstrap Attack!
    • Attackers use a weakness in one part of a system to attack another
      – Privilege escalation … dangerous if more privileges can get you somewhere
      – SQL injection … only dangerous if there is something valuable in the same database or accessible via the same account
  • The Server Architecture Problem
    • Lots of tools and lots of developers
      – Many of them not on your team
      – Very few security focused
    • Too many things to go wrong!
  • Solution – More Servers (or Virtual Servers)
    • Break up the online service infrastructure into multiple servers by function
    • Reduce the number that are internet facing
    • Reduce and simplify security interfaces
    • Add proxies to isolate data and applications
  • One Data Store per Server App
    • Divide for security (diagram): Game Engine, Player Assets, Player Account, Community and Player Access Info, each with its own data store
    • Options, in increasing order of isolation (the slide's arrow is labelled BETTER):
      – Separate database & access account
      – Separate data store
      – Separate virtual server with its own database app
      – Separate actual server
    • Add “connector” datastores (login status, player stats, etc.) rather than links to critical databases
  • Combine with Proxy Security
    • Some online games dangerously include a SQL client and talk directly to the game server
    • Diagram: Incoming Message → Message Validation → Data Validation → Rules Validation → Database
    • Protects the database from SQL injection / direct queries
    • Allows rules validation on the server, or reallocation to other players
  • Make Password Service a “Dumb Appliance”
    • Diagram (flattened in the transcript): a secure session server, a login server and a separate password server, each holding only one pairing: User Name / Account Name and Password; Account Name / Password Identifier; Password Identifier / Password Seed; Password Identifier / Password Transform
    • Separate out password verification from the Login Service/Server
    • Have the Password Service work at a slow pace
    • Use VERY SLOW cryptography – select algorithms, or combinations of algorithms, to take a specific amount of time… traditional cryptography is designed to run fast to support communications… that is not the problem we face with passwords!
    • Consider split architectures
  • Protect Email and Online Service Identity Info… by taking them offline
    • Diagram components: Login Service, Active Info (Encrypted), Info Updates Service, Back Office, and the offline Personal Info, Email and Payment Info stores
    • Users don't need regular access to their entire identity profile… so take what is not needed regularly offline
    • Only keep a temporary store for user info while it is being entered or changed
  • Six Forms of Personal ID
    • Separate them and use them all:
      – Login Name
      – Internal Account Number
      – Handle (Community name)
      – Email
      – Personal Contact Information
      – Payment Information
    • Using emails for user names, or user names for handles, just makes attacking easier
  • What next?
    • Don't give up!
    • More security presentations at http://free2secure.com/
    • Check out my book “Protecting Games” – additional information at http://playnoevil.com/
    • You can “win” the security game
  • About Me
    • Steven Davis
      – 25+ years of security expertise
      – I have worked on everything from online games and satellite TV to Nuclear Command and Control and military communications
      – http://www.linkedin.com/in/playnoevil
      – Author, “Protecting Games”
    • Why Free2Secure?
      – Security is too expensive and isn't working. There has to be a better way. I'm exploring these issues for IT security, ebooks, games, and whatever else strikes my fancy at http://free2secure.com/
      – Join me there, ask questions, challenge assumptions, let's make things better
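A minimal validation proxy in the shape of the Combine with Proxy Security slide, as an added example that is not code from the presentation: the client sends a message, never SQL; the proxy does message and data validation, then rules validation against server-side state, and only parameterized statements reach the database. The transfer_gold message type and the players table are constructed for the example.

```python
import sqlite3

# Data validation: the only message type the proxy accepts, with exact fields and types.
SCHEMAS = {"transfer_gold": {"from_id": int, "to_id": int, "amount": int}}

def open_db():
    """Constructed sample database: two players with a gold balance."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE players (id INTEGER PRIMARY KEY, gold INTEGER NOT NULL)")
    db.executemany("INSERT INTO players VALUES (?, ?)", [(1, 100), (2, 10)])
    return db

def validate_data(msg):
    """Shape check: known type, no extra or missing fields, exact types (bool is rejected)."""
    schema = SCHEMAS.get(msg.get("type"))
    if schema is None:
        return "unknown message type"
    if set(msg) - {"type"} != set(schema):
        return "unexpected or missing fields"
    for field, expected in schema.items():
        if type(msg[field]) is not expected:
            return f"bad type for {field}"
    return None

def validate_rules(db, msg):
    """Game-rule check against current state, done on the server, never trusted from the client."""
    if msg["amount"] <= 0 or msg["from_id"] == msg["to_id"]:
        return "invalid transfer"
    sender = db.execute("SELECT gold FROM players WHERE id = ?", (msg["from_id"],)).fetchone()
    if sender is None or sender[0] < msg["amount"]:
        return "unknown sender or insufficient gold"
    if db.execute("SELECT 1 FROM players WHERE id = ?", (msg["to_id"],)).fetchone() is None:
        return "unknown recipient"
    return None

def handle(db, msg):
    """Proxy entry point: returns (accepted, reason). Only parameterized SQL reaches the database."""
    error = validate_data(msg) or validate_rules(db, msg)
    if error:
        return False, error
    with db:  # one transaction for both updates
        db.execute("UPDATE players SET gold = gold - ? WHERE id = ?", (msg["amount"], msg["from_id"]))
        db.execute("UPDATE players SET gold = gold + ? WHERE id = ?", (msg["amount"], msg["to_id"]))
    return True, "ok"

def gold(db, player_id):
    return db.execute("SELECT gold FROM players WHERE id = ?", (player_id,)).fetchone()[0]
```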
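The “dumb appliance” password service slide in working form, as an added example that is not code from the presentation: the login server maps account names to opaque identifiers and holds no password data, the password service holds only identifier, seed and transform, and a slow KDF (PBKDF2 via hashlib.pbkdf2_hmac, an assumed choice) is calibrated to a chosen wall-clock cost instead of being chosen for speed.

```python
import hashlib
import hmac
import os
import time

def calibrate_iterations(target_seconds, start=20_000):
    """Double the PBKDF2 iteration count until one derivation takes at least target_seconds."""
    iters = start
    while True:
        t0 = time.perf_counter()
        hashlib.pbkdf2_hmac("sha256", b"calibration", b"\x00" * 16, iters)
        if time.perf_counter() - t0 >= target_seconds:
            return iters
        iters *= 2

class PasswordService:
    """The 'dumb appliance': stores only identifier -> (seed, transform), never account names."""
    def __init__(self, iterations):
        self.iterations = iterations
        self._records = {}

    def _transform(self, password, seed):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), seed, self.iterations)

    def enroll(self, identifier, password):
        seed = os.urandom(16)  # per-password seed (salt), stored beside the transform
        self._records[identifier] = (seed, self._transform(password, seed))

    def verify(self, identifier, password):
        record = self._records.get(identifier)
        if record is None:
            self._transform(password, b"\x00" * 16)  # same cost for unknown ids: no timing oracle
            return False
        seed, stored = record
        return hmac.compare_digest(stored, self._transform(password, seed))

class LoginServer:
    """Front door: maps account name -> opaque password identifier and holds no password data."""
    def __init__(self, password_service):
        self._service = password_service
        self._identifiers = {}

    def register(self, account_name, password):
        identifier = os.urandom(16)  # opaque handle; the password service never sees the name
        self._identifiers[account_name] = identifier
        self._service.enroll(identifier, password)

    def login(self, account_name, password):
        identifier = self._identifiers.get(account_name)
        return identifier is not None and self._service.verify(identifier, password)
```

In production the iteration count comes from calibrate_iterations on the password appliance itself, so the cost tracks that host, not the login server's.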