Online Games Security Threats - Quick Start Guide


Published on

Security vulnerabilities in online games are increasingly being exploited by hackers to gain access to confidential data and systems. This paper discusses how attackers break into gaming applications and how to secure them.

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Online Games Security Threats - Quick Start Guide

  1. 1. Games Hackers Play: Security Threats for Online Game Portals How malicious hackers choose their targets? They favor popular applications and web sites since there’s no sense in attacking things that few people use. They love low-hanging fruit, those easy-to-execute attacks that take advantage of known vulnerabilities. And most recently they have shown a decided preference for utilizing interactive web sites to distribute malicious code. So when you are working to determine what will attract the interest of cybercriminals next -- what venues you would use if you wanted to easily sneak some nasty code into lots of computers -- it makes sense to look at popular online destinations that rely heavily on protocols and program code that historically harbors potentially unpatched vulnerabilities. One of the most obvious probable targets is casual game portals. 87 million people in the US alone visited online game websites during the month of May, according to marketing research company comScore. As interest in casual gaming flourishes and grows, historical application security attack patterns indicate that game portal sites will increasingly become highly preferred targets. Any web site that is collecting data that is sellable for a profit -- specifically credit and debit card information -- needs to ensure that its security profile is as robust as possible. Casual Game portals also need to ensure that their sites and the applications that they host do not expose their users to hack attacks. In its 2009 Data Breach Investigations Report, Verizon Business found that of the 90 breaches in 2008 that it examined, 79% were compromised via web applications. Whether games are played in a web browser environment or downloaded onto a user’s computer, it’s important to ensure that end users are not being exposed to malicious or flawed code. No business wants to deal with the expense, damage to reputation, and loss of investor confidence that follows a breach, whether that breach exposes critical data, enables players to bypass payment and other system controls, or exposes users’ computers to criminal attack.
  2. 2. Anatomy of a Gaming Attack As we are trying to prevent attacks we won’t be offering deep details on exactly how casual game sites themselves and the games they host could be hacked. But it’s certainly no secret that there are Flash player vulnerabilities that allow malicious hackers to craft content that installs unwanted software on computers that access that content. Flash/JavaScript sandboxing does a decent job of limiting code’s access to resources of players’ computers, but that doesn’t mean that casual games -- and the portals that provide them -- aren’t hackable. Players have created workarounds that let them to score higher and bypass game controls, and legit programmers looking to bypass sandbox restrictions have found ways to do so. Hewlett Packard recently analyzed nearly 4,000 Web apps developed with the Flash platform and found that 35 percent violate Adobe's security best practices. Marketing and advertising firms are increasingly looking to partner with casual game portal sites and developers to piggyback their product messaging onto the success of the games. Game sites are also forging connections with social networking sites. But as casual game developers add enhanced functionality -- such as dynamic advertising, geographic targeting, and connections with social sites -- more attack venues will open up. The simplicity of casual games was their best defense against hack attacks, but that defense is slipping away. Good programmers can sometimes slip and write bad code, and even good code can sometimes turn bad when exposed to unexpected conditions. Online games, like any modern connected application, interacts with other applications and services developed by third parties, creating web application security holes that the original programmers didn’t envision. That’s just one of the reasons that extremely well-known attacks like SQL injections, cross-site scripting and buffer overflows remain so pervasive: SQL injection is an attack method that enables hackers to force an incorrectly configured database into performing unauthorised actions. One does this by appending a command to the end of a valid request string. SQL Injection can be used to do anything a fully authorized system administrator could do, including access/copy/deleting data and remotely executing stored procedures. Buffer Overflow occurs when an attacker forces an application to put an inordinate amount of data into its buffer -- the section of memory allocated to it -- or forces the application to put data outside of its buffer. When this occurs it is sometimes possible to force the application to execute malicious code, often with the goal of gaining remote access privileges over an affected system. Many Flash Player exploits are carried out via buffer overflow attacks. Cross-site scripting, also known as “XSS” (so as not to be confused with cascading style sheets, which is commonly abbreviated as CSS) have been topping the most widely exploited threats lists for the past several years. XSS flaw occurrence in websites is alarmingly high, with some reports indicating that anywhere from 60-68% of all active sites are wide open to XSS attacks. Attackers use XSS vulnerabilities to insert their own bits of malicious code into a site, circumventing existing security protections. The end result of a successful exploit ranges widely, including hijacking users to other websites, extracting payment/account data, reconfiguration of cookies, inserting malicious code into advertising, and more. Essentially, any legitimate action that can be performed with a script can be reconfigured to work to the hacker’s advantage.
  3. 3. The other reason that flaws like this exist is due to all-too-common bad security testing practices, mistakes made in the rush to release or because programmers are unfairly expected to do double-duty as security experts. These mistakes include weak/default passwords, ports left open, permissions left undefined, an unprotected directory that anyone with a bit of knowledge can access and rewrite, and more. Online Cheating: While online games are fast becoming the most sought after applications on the Internet, cheating has emerged as a notable phenomenon in current game play. Online cheating is an important security issue that distinguishes online games from other E-commerce applications, though some cheats in online games may find similar exploits in other E-commerce applications. With advancement of newer technologies in online gaming approach newer cheating forms have been identified and our understanding about game cheating has also increased. Some of the newer techniques which have got special relevance to online games are as follows: a) Exploiting Misplaced Trust: Many cheats involve tampering with game code, configuration data, or both, on the client side. A cheater can modify his game client program, data, or both, and then replace the old copy with the revised one for future use. b) Collusion: People can agree with each other to gain unfair advantages over their honest opponents in online games. For example, the so-called “win-trading” was a collusion cheat widely seen in the popular StarCraft game, in which two cheaters colluded with each to lose to the other alternately in the ladder competition. c) Abusing the Game Procedure: This form of cheating may be carried out without any technical sophistication, and a cheater simply abuses the operating procedure of a game. One common case that we have observed in many online games is escaping: a cheater disconnects himself from the game system when he is going to lose. d) Related to Virtual Assets: Trading of virtual characters and items (e.g. clothing, weapons, homes and magical objects) acquired in games is a new and real business created by online games. Many players would like to have good characters, or improve the status of their own characters by getting some items in the game. Nonetheless, it is not easy for every player to get good characters and items, which require gaming skills and time. Where there is demand, there is supply, and then there is a market! Now virtual characters and items become virtual assets, or real assets in a virtual world, and many of them have been auctioned for real money on eBay. e) Exploiting Machine Intelligence: Artificial intelligence techniques can also be exploited by a cheating player in some online games. For example, the advancement of computer chess research has produced many programs that can compete with human players at the master level. When playing chess online, a cheater can look for the best candidates for his next move by stealthily running a strong computer chess program.
  4. 4. f) Modifying Client Infrastructure: Without modifying game programs, configurations or data on the client side, a player can cheat by modifying the client infrastructure such as device drivers in his operating system. For example, he can modify a graphics driver to make a wall transparent so that he can see through the wall, locating other players who are supposed to be hidden behind the wall. g) Social Engineering: Social engineering is often used to steal passwords. There are many variations of this scam but all of them aim the same: to trick players to happily reveal their ID password pairs. Often these social engineers – password scammers – will attempt to trick a player into believing something attractive or annoying has happened to the player and his ID and password are needed for that purpose. They may approach a victim by phone, email, online chatting channels, or whatever they may exploit. h) Denying Service to Peer Players: A cheater can gain advantages by denying service to his peer players. For example, a cheater could delay the responses from his opponent by flooding his network connection. Other peer players would then be cheated into believing that there was something wrong with the network connection of the victim, and agree to kick him out from the game in order to avoid the game session being stalled. It’s clear that any business that hosts web applications like casual games needs to be super proactive about assuring the security of the site and the games they distribute. Beyond the devastating hacks that expose customers’ information and/or their computer systems, businesses also have to protect themselves from those who are looking to bypass payment systems and access content for free. Strong security is an essential part of doing business online, half-measures are a waste of time and budget. There’s no doubt that hackers will devote plenty of time and effort to find that one nasty little hole that exists in an otherwise pristine web portal. Fight Back What to do? Programming code reviews built into the development application security cycle are an obvious must. Risk-adjusted security processes that pinpoint areas of particular concern are helpful. Regular security self-assessments using an automated tool to scan the site infrastructure and its applications to spot problems -- hackers will be using their own scanning tools to spot exploitable issues on targeted websites -- is always a good thing, but there are many classes of highly exploitable vulnerabilities which automated tools cannot easily spot. And standard automated scanning tools can’t provide the essential complete picture either. In contrast, penetration tests look at a system or application exactly the way the most highly skilled malicious hackers do when they are looking for flaws to exploit, using procedures such as in-depth interactive testing to force error conditions and analysis of the data flow through an entire system to see how that data could be maliciously manipulated as it moves through applications. Application Penetration testing, such as those conducted on-demand by iViZ which are fine- tuned to spot exploitable flaws in web-based applications and their host sites, reveal the issues that exist in single applications, the problems that are created when applications interface with each other and the probable impact of each discovered flaw.
  5. 5. Another critical defense method to keep in mind is that security at its best is always a dynamic process. Programming code changes, new vulnerabilities crop up, new ways of bypassing yesterday’s strong controls are constantly developed. The goal is to provide consistent protection against known, current and emerging threats. Effective security is not an item on a to- do list that can be completed, checked off, and never thought about again. It is and always will be an ongoing process, not a finite project. Periodic web application security assessment identifies potential vulnerabilities before they can cause damage and is a highly effective way to ensure that a happy casual game portal doesn’t become a dangerous playground for cybercriminals. Be cautious about the difference in Vulnerability assessment and penetration testing. Always insist for a penetration testing of your gaming application and not just vulnerability testing. Also do a thorough research on how to choose good penetration testing companies To read more about security of online travel portal visit blog. References: heating%20in%20Online%20Multiplayer%20Games.pdf