
Protect Your Passwords, Secure Your Servers



Too many sites have compromised personal data, and there is no excuse: stopping most, if not all, attackers is not hard if you care about your customers. This module describes how you can easily and effectively stop many attacks and protect the customer data on your servers.

For more information, tools, and resources, visit

If you are interested in keeping up with the latest books, articles, and tools from me at Free2Secure, send me an email at steve @ with the subject “Subscribe”.

If you have any security questions or issues, shoot me a note to steve @ with the subject “Help”.

Published in: Software, Technology

  1. Security eBooks: Protecting Passwords & Securing Servers
     Steven Davis, steve@free2secure.com, Games, iGaming, and Gambling, +1.650.278.7416
  2. Standard Server Architecture
     • 3-Tier / N-Tier
     • Lots of apps and services on a box
     • Split up for performance, if at all
     • … a “mini-cloud”
     • Why? Servers were expensive… in the old days
  3. Bootstrap Attack!
     • Attackers use a weakness in one part of a system to attack another
       – Privilege escalation … dangerous if more privileges can get you somewhere
       – SQL injection … only dangerous if there is something valuable in the same database or accessible via the same account
  4. The Server Architecture Problem
     • Lots of tools and lots of developers
       – Many of them not on your team
       – Very few security focused
     • Too many things to go wrong!
  5. Solution – More Servers (or Virtual Servers)
     • Break up the online service infrastructure into multiple servers by function
     • Reduce the number that are internet facing
     • Reduce and simplify security interfaces
     • Add proxies to isolate data and applications
  6. One Data Store per Server App
     Diagram (Divide for Security): Game Engine, Player Assets, Player Account, Community, Player Access Info
     Options, from good to BETTER:
     • Separate database & access account
     • Separate data store
     • Separate virtual server with its own database app
     • Separate actual server
     Add “Connector” datastores (Login Status, Player Stats, etc.) rather than links to critical databases.
  7. Combine with Proxy Security
     Some online games dangerously include a SQL client and talk directly to the game server.
     Diagram: Incoming Message → Message Validation → Data Validation → Rules Validation → Database
     • Protects the database from SQL injection / direct queries
     • Allows rules validation on the server, or reallocation to other players
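The validation proxy from slide 7, as an added example that is not part of the original deck: a game client submits an item-transfer message, and the proxy runs message, data and rules validation in turn before a parameterized query ever touches the database. The message format, the `players`/`items` tables and the in-memory SQLite store are constructed for illustration.

```python
import re
import sqlite3
from dataclasses import dataclass

# Constructed example: a proxy between game clients and the database, so the
# client never holds a SQL client. Each stage rejects early and independently.

@dataclass(frozen=True)
class TransferMsg:
    player_id: int
    item_id: int
    target_player_id: int

ALLOWED_TYPES = {"transfer"}
ID_RE = re.compile(r"^[0-9]{1,9}$")          # identifiers are short decimal strings only
FIELDS = ("player_id", "item_id", "target_player_id")

def message_validation(raw: dict) -> TransferMsg:
    """Stage 1: shape and type. Only known message types, only expected fields."""
    if raw.get("type") not in ALLOWED_TYPES:
        raise ValueError("unknown message type")
    if set(raw) - {"type", *FIELDS}:
        raise ValueError("unexpected field")
    values = []
    for f in FIELDS:
        v = raw.get(f)
        if not isinstance(v, str) or not ID_RE.match(v):
            raise ValueError(f"malformed {f}")
        values.append(int(v))
    return TransferMsg(*values)

def data_validation(msg: TransferMsg, conn: sqlite3.Connection) -> None:
    """Stage 2: referenced objects must exist and the item must belong to the sender."""
    row = conn.execute("SELECT owner FROM items WHERE id=?", (msg.item_id,)).fetchone()
    if row is None or row[0] != msg.player_id:
        raise PermissionError("item not owned by sender")
    if conn.execute("SELECT 1 FROM players WHERE id=?", (msg.target_player_id,)).fetchone() is None:
        raise ValueError("unknown target player")

def rules_validation(msg: TransferMsg) -> None:
    """Stage 3: game rules evaluated on the server, never trusted from the client."""
    if msg.player_id == msg.target_player_id:
        raise ValueError("cannot transfer an item to yourself")

def handle(raw: dict, conn: sqlite3.Connection) -> int:
    """Run all three stages; only then issue a parameterized write. Returns the new owner."""
    msg = message_validation(raw)
    data_validation(msg, conn)
    rules_validation(msg)
    conn.execute("UPDATE items SET owner=? WHERE id=?", (msg.target_player_id, msg.item_id))
    return conn.execute("SELECT owner FROM items WHERE id=?", (msg.item_id,)).fetchone()[0]

def demo_db() -> sqlite3.Connection:
    """Constructed sample data: players 1 and 2, item 10 owned by player 1."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("CREATE TABLE players(id INTEGER PRIMARY KEY);"
                       "CREATE TABLE items(id INTEGER PRIMARY KEY, owner INTEGER);"
                       "INSERT INTO players VALUES (1),(2); INSERT INTO items VALUES (10,1);")
    return conn
```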
  8. Make the Password Service a “Dumb Appliance”
     Diagram: Secure Session Server (User Name / Account Name, Password) → Identifier Server (Account Name / Password → Password Identifier / Password Seed) → Login Server (Password Identifier / Password Transform)
     • Separate password verification from the login service/server
     • Have the password service work at a slow pace
     • Use VERY SLOW cryptography – select algorithms or combinations of algorithms to take a specific amount of time… traditional cryptography is designed to run fast to support communications…. This is not the problem we face with passwords!
     • Consider split architectures
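The “dumb appliance” of slide 8, as an added example that is not part of the original deck. The appliance receives only an opaque password identifier and a keyed transform of the password (so it never sees account names or raw passwords), stores per-identifier salts and deliberately slow PBKDF2 outputs, and calibrates its iteration count to a target verification time. The `login_server_transform` split, the pepper and the iteration counts are assumptions for illustration, not the deck's design.

```python
import hashlib
import hmac
import os
import time

# Constructed example: a password-verification appliance that holds no identity data.
HASH = "sha256"
KEY_LEN = 32
DUMMY_SALT = b"\x00" * 16          # used for unknown identifiers so they cost the same time

def calibrate_iterations(target_seconds: float, probe: int = 20_000) -> int:
    """Choose a PBKDF2 iteration count so that one verification takes about target_seconds
    on this machine: measure a probe run and scale, never going below the probe count."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac(HASH, b"probe", b"probe-salt", probe, KEY_LEN)
    per_iteration = (time.perf_counter() - start) / probe
    return max(probe, int(target_seconds / per_iteration))

class PasswordAppliance:
    def __init__(self, iterations: int):
        self.iterations = iterations
        self._store = {}             # password_identifier -> (salt, slow hash)

    def enroll(self, password_identifier: bytes, password_transform: bytes) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac(HASH, password_transform, salt, self.iterations, KEY_LEN)
        self._store[password_identifier] = (salt, digest)

    def verify(self, password_identifier: bytes, password_transform: bytes) -> bool:
        salt, expected = self._store.get(password_identifier, (DUMMY_SALT, b"\x00" * KEY_LEN))
        digest = hashlib.pbkdf2_hmac(HASH, password_transform, salt, self.iterations, KEY_LEN)
        # Constant-time compare; an unknown identifier still pays the full slow-hash cost.
        return hmac.compare_digest(digest, expected) and password_identifier in self._store

def login_server_transform(account_name: str, password: str, pepper: bytes):
    """Assumed login-server side of the split: derive an opaque identifier from the account
    name and a keyed transform of the password, so the appliance learns neither directly."""
    identifier = hmac.new(pepper, account_name.encode(), HASH).digest()
    transform = hmac.new(pepper, password.encode(), HASH).digest()
    return identifier, transform
```

Because the pepper lives only on the login server, a copy of the appliance's store alone cannot be matched against account names, and each guess still costs the calibrated slow hash.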
  9. Protect Email and Online Service Identity Info… by taking them offline (encrypted)
     Diagram: Login Service, Active Info, Info Updates Service, Back Office, Personal Info, Email, Payment Info
     • Users don’t need regular access to their entire identity profile… so take what is not needed regularly offline
     • Only have a temporary store for user info while it is being entered or changed
  10. Six Forms of Personal ID
     • Separate them and use them all
       – Login name
       – Internal account number
       – Handle (community name)
       – Email
       – Personal contact information
       – Payment information
     Using emails for user names, or user names for handles, just makes attacking easier.
  11. What next?
     • Don’t give up!
     • More security presentations at:
     • Check out my book “Protecting Games”
       – Additional information at
     • You can “win” the security game
  12. About Me
     • Steven Davis
       – 25+ years of security expertise
       – I have worked on everything from online games and satellite TV to Nuclear Command and Control and military communications
       – Author, “Protecting Games”
     • Why Free2Secure?
       – Security is too expensive and isn’t working. There has to be a better way. I’m exploring these issues for IT security, ebooks, games, and whatever else strikes my fancy at
       – Join me there, ask questions, challenge assumptions, let’s make things better