Protect Your Client Software and Identification Security

"Software clients can't be secured" is an axiom of computer security. True, but not helpful. How do you incorporate security into a client and address the key issues of identity? For more information, or if you need any security help, visit http://free2secure.com/.

Published in: Technology, News & Politics
Image sources (slide notes):
  • http://www.mdgadvertising.com/blog/wp-content/uploads/2011/03/blog-device_fingerprinting.jpg
  • http://docs.oracle.com/cd/E12057_01/doc.1014/e12054/img/fngrprt.gif
  • http://upload.wikimedia.org/wikipedia/commons/thumb/d/db/SecurityTokens.CryptoCard.agr.jpg/800px-SecurityTokens.CryptoCard.agr.jpg

Transcript of "Protect Your Client Software and Identification Security"

    1. Security eBooks: Client Anatomy and Identification Security – Inside the Client, Part 1. Steven Davis, steve@free2secure.com, Games, iGaming, and Gambling, +1.650.278.7416
    2. Most Useless Security Axiom: You Can’t Secure the Client
    3. … but you need the Client to be part of your security… so, how do you build a secure system with unsecure components?
    4. Uniqueness and Identity
       • Security decisions are built on different forms of identity
         – Service account
         – Person
         – Platform
         – Payment account
         – Email
    5. REMEMBER: People are not Accounts. Neither are Computers.
    6. Identity and Uniqueness are Tenuous Online
       • Online Identity is simply pieces of data presented over a network
       • The connection between the data and the underlying entity is weak
       • Bits are bits
    7. Client Components
       • Computer (tablet, cell phone)
         – Hardware Components
       • (Game) Application
         – Program
         – Persistent Data
         – State & Session Information
       • Operating System
       • Other Programs
       • Other Data
    8. Device Fingerprinting
       • Collection of a large number of hardware and software identities to create a “fingerprint”
       • getXXXXID() is just a program that can be spoofed
       • Better as a “white list” than a “black list”… maybe
       • Questionable in a world of active adversaries
    9. Basic Identity Toolkit: multiple platform identity sources (diagram)
       • Hardware – Extracted Platform Serial Number
       • Other Applications
       • Player Identity Information – Input
       • Stored Application Data
       • Stored Registration Keys – Input Once
       • Tools – Hashes & Splits & Passwords
    10. Registering a Platform (diagram; boxes labelled License Key, Local IDs, Local Data, Seed, Platform ID, Platform Authentication Data, Local Split)
       1. Collect Platform ID information (License Key, Local IDs, Local Data)
       2. Server Seed or Local Seed (optional)
       3. Hash (optional), Seed (optional)
       4. Split (optional)
       5. Build Platform ID
       6. Build Platform Authentication Data
       7. Store Locally (Platform ID, Platform Authentication Data, Local Split)
       8. Exchange with Server
    11. Essential Platform Identification & Authentication
       • Retrieve Platform ID
       • Reconstruct or Retrieve Platform Authentication Data
       • Verify (Locally or Remotely)
       Verification can be bypassed, spoofed, etc., of course, as can IDs and authentication data.
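Slides 10 and 11 describe a registration and verification flow without fixing the primitives. The following is an added example, not code from the deck, that instantiates one plausible version of it: HMAC-SHA256 stands in for the "Hash" step, an XOR split for the "Split" step, and the sample platform fields, server seed and server-held authentication key are constructed values.

```python
import hashlib
import hmac
import secrets

# Constructed sample "platform ID information" (slide 10: license key,
# local IDs, local data). Every value here is made up for this example.
SAMPLE_PLATFORM = {
    "license_key": "ABCD-1234-EFGH-5678",
    "hw_serial": "SN-00042-XYZ",
    "os_install_id": "7f3a9c",
    "app_data_tag": "profile-v3",
}

def build_platform_id(platform_info, server_seed):
    """Steps 1-5: canonicalise the collected fields, mix in the server seed
    and hash them into a fixed-size Platform ID (computed on the client)."""
    canonical = "\n".join(f"{k}={platform_info[k]}" for k in sorted(platform_info))
    return hmac.new(server_seed, canonical.encode(), hashlib.sha256).digest()

def build_auth_data(platform_id, auth_key):
    """Step 6: Platform Authentication Data is a MAC over the ID under a key
    that never leaves the server, so a client cannot mint it for a new ID."""
    return hmac.new(auth_key, platform_id, hashlib.sha256).digest()

def split(secret):
    """Steps 7-8: XOR-split the authenticator into a local share (stored on
    the client) and a server share; neither half alone reveals it."""
    server_share = secrets.token_bytes(len(secret))
    local_share = bytes(a ^ b for a, b in zip(secret, server_share))
    return local_share, server_share

def register(platform_info, server_seed, auth_key):
    """Registration: returns what the client stores and what the server stores."""
    pid = build_platform_id(platform_info, server_seed)
    local_share, server_share = split(build_auth_data(pid, auth_key))
    client_store = {"server_seed": server_seed, "local_share": local_share}
    server_record = {"platform_id": pid, "server_share": server_share}
    return client_store, server_record

def verify(platform_info, client_store, server_record, auth_key):
    """Slide 11: the client re-derives its Platform ID and presents it with
    its local share; the server rebuilds the authenticator and checks both."""
    claimed_pid = build_platform_id(platform_info, client_store["server_seed"])
    rebuilt = bytes(a ^ b for a, b in zip(client_store["local_share"],
                                         server_record["server_share"]))
    expected = build_auth_data(claimed_pid, auth_key)
    return (hmac.compare_digest(claimed_pid, server_record["platform_id"])
            and hmac.compare_digest(rebuilt, expected))
```

The check fails when any collected field changes or the local share is altered, which is what makes it useful for the white-listing the deck recommends; as the slide says, it remains "polite" identity, since a client under hostile control can still feed in whatever values it likes.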
    12. Security Tokens
       • Can be effective
       • Identify themselves, not people
         – Need to be linked with platform identity
       • Only as strong as registration process
       • PART of a security solution – a Node of trust, not a trusted system
    13. Platform Identity is “Polite” Identity
       • Useful, if you understand its limitations
       • Can be used for basic fraud detection and white listing
       • Black listing limited by virtualization and effort of foes
       • Challenge – Design Your System using weak identity
         – Do you need identity at all?
         – Gratuitous Strong Passwords
       • Use external channels for positive identification
    14. What next?
       • Don’t give up!
       • More security presentations at: http://free2secure.com/
       • Check out my book “Protecting Games”
         – Additional information at http://playnoevil.com/
       • You can “win” the security game
    15. About Me
       • Steven Davis
         – 25+ Years of Security Expertise
         – I have worked on everything from online games and satellite TV to Nuclear Command and Control and military communications
         – http://www.linkedin.com/in/playnoevil
         – Author, “Protecting Games”
       • Why Free2Secure?
         – Security is too expensive and isn’t working. There has to be a better way. I’m exploring these issues for IT security, ebooks, games, and whatever else strikes my fancy at http://free2secure.com/
         – Join me there, ask questions, challenge assumptions, let’s make things better