Archive for the Gaming Security Category

Intellectual Property and I.C.E.

Posted in Gaming Security on June 15, 2010 by Will

So day 1 of E3 is here. I really didn’t expect to see any security related booths, nevermind find one outside the show hall, but lo and behold the U.S. Government provided me with one. Right in the front of hall 1 there was a small booth where a nice Agent was kinda enough to entertain some of my “pre-E3 Expo floor opening” questions.

ICE Booth

I.C.E. stands for U.S. Immigrations and Customs Enforcement, interesting how they are involved with the handling of IP rights. From what I could gather this group investigates claims presented to them in one of 2 ways. Either A) one of their agents happens to come across it some how or B) a report is filed by a company that is actively trying to protect themselves. Obviously their biggest clients right now are the RIAA and MPAA. They investigate all kinds of IP rights claims, everything from Digital to Physical products. They perform some investigation work, but most of the digital investigation is handled by another department. After the investigation is finished this department handles the prosecution and all the other legal stuff.

There are 2 things I found interesting while chatting with the Agent. First was that they don’t perform any real preventative services yet and secondly they investigate claims of user fraud and account stealing also.

For the first point, I find it interesting that they don’t go out and actively try to help companies protect themselves from being stolen from. Instead they are more of a reactive group. They wait for the crime to be committed and then go and find out what happen. At these trade shows they do a little bit of speaking about how to report the crimes, but not very much about how to protect your company from being attacked. It seems like it would make sense to actually have the government help prevent the attacks in the first place too, but that’s probably pretty expensive.

The second point was interesting because I didn’t think the U.S. had reached the same points the rest of the world was at regarding the User and it’s property. Now don’t get me wrong here, they are not investigating actual users, instead they will investigate big groups of users that have been hacked and then bring the hackers to justice.

It’s good to see that the US is keeping pace with the rest of the world when it comes to IP rights, the agent mentioned a few times that he their team is relatively small, so lets see if we can help them out by reducing the IP that can get stolen.

Current Gaming Security Topics (part 6, End to End Security)

Posted in Gaming Security on June 14, 2010 by Will

Ok, the plane is getting close to landing and I’ve typed a ton of blogs (I’ll schedule them to post over the next 2 days). This is my last one before hitting the show floor.

 
 

Antivirus, Secure Socket Layers, Authentication, Encryption, Memory dumps and so many more problems and technologies to combat them. It’s an interesting time in the Security market, authentication companies are being gobbled up by the bigger Security giants out there. As these markets collide we start to see new requests from our customers, “End to End Security”. Generally this is the ability to string all of the different security programs and needs together into one package. There are certainly some benefits to this but there can be some pitfalls too.

The benefits are that as an end user I can have a one stop shop for all their perceived security needs. Tokens with Antivirus and Certificates on them. It sounds great. I’d probably look at it, but in the end I’m probably going to go with separate providers.

 
 

Hmm as I am writing this I’m trying to figure out my point and how it relates to the online gaming space.

 
 

The main thing for me is that I don’t want all my eggs in one basket. But do our players really care? As I mentioned in my children security post, I’m pretty sure my kids would go on and play games even if they had to get everything from one provider. I’m also pretty sure that if the technology made it any harder for them (such as having to install software or requiring admin access for it) they would simply move on to the next game. I’m pretty sure this is what we would see from all demographics too. So what does End to End security get us?

I think End to End security is till too new to figure out if our users are ready for it. Our games are trying to have less hurdles to being played and by implementing End to End security we might be defeating ourselves. It still seems like the holy grail, but I think I need to sit back and watch it evolve a bit more before I make any major comments on it.

Current Gaming Security Topics (part 5, Code/IP Protection)

Posted in Gaming Security on June 14, 2010 by Will

Who can forget the code leaks and rogue servers out there. There were some big ones just last winter. Are we doing everything we can to protect our property? Most of us use card readers to get into our buildings, and tokens to get into our VPN’s, what’s interesting is that most of the developers out there still only use username and static password to login to our CVS or Codebases.

I’ve met with a number of smaller developers out there and the impact to them appears to be even greater than the impact to bigger development houses. A rogue server or two out of 10 or 20 certified servers doesn’t make that big of an impact, but a rogue server when you only have 1 or 2 certified servers with 100k users could make a huge impact.

The technology has always been the hurdle here. It’s usually not that people don’t want to use advanced security, it’s just that the types of technology used can be cumbersome and may hinder creativity rather than help it. The last thing we want is for a developer to stop using our change server just because it takes to long for him to login to it. As soon as that happens we end up with random bits of code in all kinds of locations that are easily stolen.

Most technology introduced here has been PKI (public key infrastructure). PKI has all been bulky with all kinds of overhead (including servers and servers and servers, oh and the certificates themselves). We have started to see that PKI has advanced quite a bit over the years as it quietly got more and more refined. Today’s PKI is a far cry from PKI used in the early 2000’s.

Over the last year I started to see a resurgence of PKI being used across markets and honestly it’s much more integrated than it has been for years. Most development tools can use certificates for encrypting code natively and most change control applications allow for certificate authentication. With a USB device that means that as long as the developer has the device, he can work more securely without even thinking about it.

While PKI is certainly poised to offer many benefits to source/IP protection, it can still be a costly option. OTP is still an option that can be used for this problem. OTP has it’s own technology hurdles in this space too. Most of them have to do with compatibility with the applications that need them. Over the last few months I have certainly seen some of these applications actually start to add OTP options to their products. I can only assume that this is a growing trend too.

For a few years now we have seen a number of hybrid devices on the market that allow for PKI and OTP. The issue in the past has certainly been drivers and operating systems and the quality of the devices (focusing on 2 components instead of just one seems to make certain smaller manufacturers reduce the quality of the devices). As some of the major token providers start to enter this space, we are seeing that the quality of the devices and the software drivers are becoming less of a problem. Along with the quality and software increasing these major manufacturers are bring the cost to implement the hybrid devices down too.

It appears that now is the time to start investigating these solutions and planning for implementations. Gamers shouldn’t have to live with rogue servers and publishers shouldn’t have to worry about the impact stolen code has on them. Products are ready, so now lets get the developers on board.

 
 

Current Gaming Security Topics (part 4, Hosting Security)

Posted in Gaming Security on June 14, 2010 by Will

There are some great hosting company’s for online gaming. Some of them take care of everything from the engine to the payment processor to the delivery systems. They are the one stop shop for a publisher to get their game on the internet quickly and efficiently. I have yet to hear of one being hacked. That being said, most publishers are still only authenticate using a standard username and static password.

As we see the adoption of more advanced security in online games we start to forget that it’s not just our users that we need to protect. Developers generally use usernames and passwords to access their VPN’s, as do most of these hosting facilities. So it’s not that far a leap to getting our publishers to use devices to login and perform actions with the hosting providers. Some already have this option available, some are still weighing the benefits.

When I started with VASCO our major market was/is banking. In the US, banking means corporate banking, retail banking is still a little ways off. Most banks utilize application providers for their banking systems (such as Wire Transfers, or Bill Pay, or Payroll, etc.). For our US team it was a natural fit to have the application providers utilize us for their customers, the banks. We see a lot of synergies between these application providers and the online gaming hosting providers.

The major hurdles have been:

  1. Cost
  2. Interest

     
     

Cost is always a major hurdle when implementing security. Security is basically seen as, “if I implement it I will probably save money, but I’m not sure how much money”. So generally as a cost saving mechanism. Retail gaming has proven that money can be made off marketing on the devices, but generally hosted games do not have the unique market following that the big names do. The cost savings in a space that really doesn’t seem to have been hacked yet seems more like insurance than security. There are many cost models that will work here, but if we start to see problems in this part of the market, I expect that security will simply be implemented regardless of the costs.

That brings us to the second major hurdle, interest. There doesn’t appear to be many publishers asking for additional security. I think this is because of 2 things, one the publishers haven’t been hacked, and two they aren’t aware that hackers could be waiting to pounce on them. I’ve spoken to many of the hosting providers out there and I’ve heard from just about each of them that they are only asked once in a great while if they have additional security for the players. It appears that the publishers are more interested in protecting their users than protecting themselves. This is great news for the online gaming users, but a potential pitfall for the publishers.

I read a bunch of my fellow security bloggers out there and they appear to be seeing the same trends. It’s interesting to think that hackers just haven’t made the jump to these platforms yet. They apparently don’t read the same blogs I do.

As I am at E3 this week I will continue to build a list of hosting providers that are using advanced security for their publishers and/or gamers and then I’ll come back and see if I can make a quick list.

Current Gaming Security Topics (part 3, Payment Protection)

Posted in Gaming Security on June 14, 2010 by Will

This topic has baffled me since starting in the online gaming industry. Every show I go to I see many Payment application providers. The sheer number of them is staggering to me. Each one I see I try to strike up a conversation and see what they are doing for security or where there maybe a need. What’s interesting to me is that most of them do not feel that user authentication needs to be secure for them. Most of them simply allow publishers to use their systems to process the end users credit cards or however the user is paying for the game. This strikes me as what I am seeing in the credit card world too. Basically the processing company simply assumes that if you have the credit card number than you must have the card. At LOGIN I spoke to a payment company and they told me of the problems they face with charge backs and proving that a user is who they say they are. It seems like a big problem for this group, yet they still seem to see user authentication as not interesting.

PayPal is about the only one that seems to embrace user security, well if you don’t count the fact that the token devices are hidden deep in their web pages on security. It makes sense to me that if you require the user to make an account, then the user should be using more than a username and password to authenticate themselves.

The issue at hand here is 2 fold from my view.

  1. The users account is used to store the credit card information, if the user goes to view the information most of it is hidden from them and all they can do is to add or change this information.
  2. The customer isn’t paying the payment company, or at least not directly. So there really isn’t much that is driving the payment company to offer security that may come with a price tag.

 
 

I know there is a need here, as I know that I want my payment information protected from prying eyes, but I can’t seem to figure out what the business need is and how to make that leap from convenience to security for this part of our market. As I walk around the show floor at E3 this week, I will continue to investigate this space and see if I can find that missing link.

Current Gaming Security Topics (part 2, Revisit Keylogger/Trojan Protection)

Posted in Gaming Security on June 14, 2010 by Will

Ok it’s been a few months and really there has been a lot of new things going on in the online gaming security space. The threat of the Keylogger is still lurking around, but to be honest it hasn’t deterred many game publishers from not going forward with One Time Passwords. Apparently the attacks just aren’t compromising enough accounts, and the reality is that the attacks really still can’t be automated enough. Many users are still only using static passwords and the major game publishers want users to simply move off of this practice on to the next more secure option.

 
 

I still have the conversations about the Keylogger attacks verse One Time Password tokens, and it came to me one day, the solution has been staring me in the face for years. So I probably need to do a little research but I think I’m ok with my knowledge here, but if your taking a test on what I’m typing you’re probably going to fail, so look it up. I believe that in the late 80’s early 90’s token devices came on to the scene. I know VASCO started in the early 90’s and I know that the first tokens we had on the market were actually PIN PAD (they have a numeric keyboard on the front) style devices. VASCO didn’t introduce our Go-1 device (OTP only) until 1999 I believe. So what does this have to do with the attack. Well these PIN PAD style devices were used for what’s known as Challenge-Response (CR). That means that the server generates a random number and sends it to the user and then the user simply typed it into the token and the token made a random number based on that. As long as the number the server received back from the user could be matched with the Challenge it originally sent over, then the user would be let in.

The technology hasn’t changed too much here, we’ve added the ability to make the Challenges time based with time based responses (instead of just challenge based responses). But all in all the technology is the same. It was designed to stop shoulder surfing (remember my disclaimer about my facts up above) attacks. If an attacker is watching the user generate the password and type into the screen, the attacker would need to get the same challenge generated and sent to them during the same time period in order for the password they stole to work. So this pretty much completely defeats keylogger/shoulder surfing attacks.

The major hurdles for adoption of this technology really depends on what we believe our users will do. The original hurdle for OTP devices was that we didn’t think users would want to hold the devices and might leave us for the next game. What we found was exactly opposite. Not only did users not have a problem with generating a password and typing it in, but the devices sold out in record time and were becoming collectable.

With Challenge Response we need to ask the user to take the next step. Not only do they need to turn the device on, but they also need to type in something they see on the screen before getting a password from the device. While I believe the time it takes for someone to do this is probably less than a few seconds, it’s still something that hasn’t been introduced to our users yet and it’s different than what they are doing at work (where they probably only use an OTP only token).

The benefits here seem to outweigh the usability problems. First we solve the keylogger problem and the marketing real-estate on the device is much bigger than the single button ones. What if we make It so that we extend the in game feeling right to the device by making the challenge from in game languages and character sets. We can start to push the game further out to the user’s own environment while making them more secure in the process.

Current Gaming Security Topics (part 1, Child Security Thoughts)

Posted in Gaming Security on June 14, 2010 by Will

Ok seat back, stuffed in this plane, ready to put some thoughts together.

 
 

So as I mentioned in my last post the main trends I have seen in the Online Gaming market have been (I’ve added):

  • Child Protection (My post below)
  • Keylogger/Trojan Protection (I wrote about this one a few weeks ago, I need to revisit this I think)
  • Payment Protection
  • Hosted Security Options
  • Code/IP Protection
  • End to End Security

 
 

I’ll refine that list as I pull my thoughts together.

 
 

Let’s start with the one that is closest to my heart, child protection. So I have 4 children that range in age from 16 to 4, which means I have many walks of life in the gaming space. My oldest is all about Facebook and other social gaming apps (Farmville, etc.). My 11 year old is all about pushing his boundaries, so he wants to play WoW and is dying to get on Facebook, but I’ve managed to sway him to stay on Wizard101, FreeRealms and FTP Flash Games for a little longer. My 6 year old is all about whatever the 11 year old is doing…but…WoW and Facebook appear to be out of his comprehension at this point, so he has stayed pretty much on Wizard101, Club Penguin and <insert web based gaming>. My youngest is content with watching her older brother run a character named for her through Wizard101 collecting pets and telling him where to move the little computer girl around the screen.

So the landscape of security risks for them is all over the place for me on a personal level. On a technical level, so far I don’t even think one of them has thought about security at all yet. I sat my 11 year old down to chat about security on Facebook as he is just about ready to make the leap. I explained all about the “bad” people out there. His comment “Ok Dad, can I just set one up now?” I kinda expected that but the thought of him on Facebook is scary, I mean the 16 year old almost shocks me on a daily basis as I find out more through Facebook about her than I do when I chat with her. So for me security has to be introduced and I’m making a big push for it everywhere.

Since I work for the largest Token Manufacturer in the world (30 different hardware models alone now), it’s hard not to let the kids play with them. My WoW account is protected by one and I must have a couple dozen hanging around with different logos that they have picked up and asked me how to use it. It’s really my WoW account that really pointed me to what I thought should be investigated. I avoided having my account hacked and got the Authenticator on it as soon as they were ready. This stopped my kids from being able to login to move my character around (and get him killed). As long as I had my keys on me they were stuck. Then came the weekends, and since I am not a morning person, they would have the keys and off and running on my WoW running up my repair build. What I found interesting was exactly who was using the account now. I assumed it would be oldest boy (the 11 year old) but instead it was the 6 year old. He found it easier for himself to login, because he “didn’t need to remember which keys were the password ones”. Well this isn’t really security but it sure sold me on the devices for children.

As far as the security goes, my account still hasn’t been hacked and I still end up with new level 1 characters created in my account every few weekends. What I noticed on their Wizard101 accounts, is they have their passwords written down on scraps of paper everywhere, and not just once, there have be 3 or 4 scraps of paper with the password and username laying around my computer room. What shocked me even more was they were sharing it with our neighbors so that they could help them play (I stopped this activity pretty quickly I think). Additionally if my 6 year old left the desktop computer to play on the laptop he always needed my help, either to type in the username or to help remind him what keys he needed to press. I attempted an experiment and changed his password once, and the effect was pretty much the same. He just asked me to write it on more scraps of paper. The concept of security seems to be lost on children under 10. If it stops them from playing a game they will move on to the next game.

And what about the “bad” people? In the Industry I have been having lots of discussions about using a token to prove that the user is a child. It is an interesting concept. Basically if we put it in a store and ask the potential user to come into the store and buy the device we expect that we will get less people that will pretend to be children. It seems logical as I would imagine people might be more hesitant to walk into a store and buy a token that is labeled and packaged with kid’s toys. I do imagine that if a person wants to attack a child then this will probably be less of a hurdle for them, but it removes the anonymity of the user too and captures them on store surveillance video as they are purchasing the item.

So I think the last point of concern is the FTP (free to play) and social games. There are security issues here that are similar to the other games but for children the accounts appear to be too liquid (they create new ones every time they forget their passwords). As my company starts to roll out new security options soon I suspect that these types of games will have new options to embrace. As business goes I think these new technologies will help usher in a different type of thinking. No longer will it be the cost of doing security, instead it might be the cost of not doing security. I’ll write up more on this technology at a later time.