OK I haven't posted in a long while, but just so you don't think I've completely abandoned this blog, I'll post a quick update to let my 3 followers know I will be at GDC Online in Austin next week. I actually have a speaking gig, so I will be preaching about security and protecting free-to-play games and virtual to real world currency conversions. I'll wrap it all up with why you should want federation and what you can do today to start planning for it.
Hope to see you there. Let me know if you want to arrange a meeting or just come find me at the VASCO booth.
Monday, October 3, 2011
Monday, June 14, 2010
Current Gaming Security Topics (part 6, End to End Security)
Ok, the plane is getting close to landing and I've typed a ton of blogs (I'll schedule them to post over the next 2 days). This is my last one before hitting the show floor.
Antivirus, Secure Socket Layers, Authentication, Encryption, Memory dumps and so many more problems and technologies to combat them. It's an interesting time in the Security market, authentication companies are being gobbled up by the bigger Security giants out there. As these markets collide we start to see new requests from our customers, "End to End Security". Generally this is the ability to string all of the different security programs and needs together into one package. There are certainly some benefits to this but there can be some pitfalls too.
The benefits are that as an end user I can have a one stop shop for all their perceived security needs. Tokens with Antivirus and Certificates on them. It sounds great. I'd probably look at it, but in the end I'm probably going to go with separate providers.
Hmm as I am writing this I'm trying to figure out my point and how it relates to the online gaming space.
The main thing for me is that I don't want all my eggs in one basket. But do our players really care? As I mentioned in my children security post, I'm pretty sure my kids would go on and play games even if they had to get everything from one provider. I'm also pretty sure that if the technology made it any harder for them (such as having to install software or requiring admin access for it) they would simply move on to the next game. I'm pretty sure this is what we would see from all demographics too. So what does End to End security get us?
I think End to End security is till too new to figure out if our users are ready for it. Our games are trying to have less hurdles to being played and by implementing End to End security we might be defeating ourselves. It still seems like the holy grail, but I think I need to sit back and watch it evolve a bit more before I make any major comments on it.
Current Gaming Security Topics (part 5, Code/IP Protection)
Who can forget the code leaks and rogue servers out there. There were some big ones just last winter. Are we doing everything we can to protect our property? Most of us use card readers to get into our buildings, and tokens to get into our VPN's, what's interesting is that most of the developers out there still only use username and static password to login to our CVS or Codebases.
I've met with a number of smaller developers out there and the impact to them appears to be even greater than the impact to bigger development houses. A rogue server or two out of 10 or 20 certified servers doesn't make that big of an impact, but a rogue server when you only have 1 or 2 certified servers with 100k users could make a huge impact.
The technology has always been the hurdle here. It's usually not that people don't want to use advanced security, it's just that the types of technology used can be cumbersome and may hinder creativity rather than help it. The last thing we want is for a developer to stop using our change server just because it takes to long for him to login to it. As soon as that happens we end up with random bits of code in all kinds of locations that are easily stolen.
Most technology introduced here has been PKI (public key infrastructure). PKI has all been bulky with all kinds of overhead (including servers and servers and servers, oh and the certificates themselves). We have started to see that PKI has advanced quite a bit over the years as it quietly got more and more refined. Today's PKI is a far cry from PKI used in the early 2000's.
Over the last year I started to see a resurgence of PKI being used across markets and honestly it's much more integrated than it has been for years. Most development tools can use certificates for encrypting code natively and most change control applications allow for certificate authentication. With a USB device that means that as long as the developer has the device, he can work more securely without even thinking about it.
While PKI is certainly poised to offer many benefits to source/IP protection, it can still be a costly option. OTP is still an option that can be used for this problem. OTP has it's own technology hurdles in this space too. Most of them have to do with compatibility with the applications that need them. Over the last few months I have certainly seen some of these applications actually start to add OTP options to their products. I can only assume that this is a growing trend too.
For a few years now we have seen a number of hybrid devices on the market that allow for PKI and OTP. The issue in the past has certainly been drivers and operating systems and the quality of the devices (focusing on 2 components instead of just one seems to make certain smaller manufacturers reduce the quality of the devices). As some of the major token providers start to enter this space, we are seeing that the quality of the devices and the software drivers are becoming less of a problem. Along with the quality and software increasing these major manufacturers are bring the cost to implement the hybrid devices down too.
It appears that now is the time to start investigating these solutions and planning for implementations. Gamers shouldn't have to live with rogue servers and publishers shouldn't have to worry about the impact stolen code has on them. Products are ready, so now lets get the developers on board.
Current Gaming Security Topics (part 4, Hosting Security)
There are some great hosting company's for online gaming. Some of them take care of everything from the engine to the payment processor to the delivery systems. They are the one stop shop for a publisher to get their game on the internet quickly and efficiently. I have yet to hear of one being hacked. That being said, most publishers are still only authenticate using a standard username and static password.
As we see the adoption of more advanced security in online games we start to forget that it's not just our users that we need to protect. Developers generally use usernames and passwords to access their VPN's, as do most of these hosting facilities. So it's not that far a leap to getting our publishers to use devices to login and perform actions with the hosting providers. Some already have this option available, some are still weighing the benefits.
When I started with VASCO our major market was/is banking. In the US, banking means corporate banking, retail banking is still a little ways off. Most banks utilize application providers for their banking systems (such as Wire Transfers, or Bill Pay, or Payroll, etc.). For our US team it was a natural fit to have the application providers utilize us for their customers, the banks. We see a lot of synergies between these application providers and the online gaming hosting providers.
The major hurdles have been:
- Cost
Interest
That brings us to the second major hurdle, interest. There doesn't appear to be many publishers asking for additional security. I think this is because of 2 things, one the publishers haven't been hacked, and two they aren't aware that hackers could be waiting to pounce on them. I've spoken to many of the hosting providers out there and I've heard from just about each of them that they are only asked once in a great while if they have additional security for the players. It appears that the publishers are more interested in protecting their users than protecting themselves. This is great news for the online gaming users, but a potential pitfall for the publishers.
I read a bunch of my fellow security bloggers out there and they appear to be seeing the same trends. It's interesting to think that hackers just haven't made the jump to these platforms yet. They apparently don't read the same blogs I do.
As I am at E3 this week I will continue to build a list of hosting providers that are using advanced security for their publishers and/or gamers and then I'll come back and see if I can make a quick list.
Current Gaming Security Topics (part 3, Payment Protection)
This topic has baffled me since starting in the online gaming industry. Every show I go to I see many Payment application providers. The sheer number of them is staggering to me. Each one I see I try to strike up a conversation and see what they are doing for security or where there maybe a need. What's interesting to me is that most of them do not feel that user authentication needs to be secure for them. Most of them simply allow publishers to use their systems to process the end users credit cards or however the user is paying for the game. This strikes me as what I am seeing in the credit card world too. Basically the processing company simply assumes that if you have the credit card number than you must have the card. At LOGIN I spoke to a payment company and they told me of the problems they face with charge backs and proving that a user is who they say they are. It seems like a big problem for this group, yet they still seem to see user authentication as not interesting.
PayPal is about the only one that seems to embrace user security, well if you don't count the fact that the token devices are hidden deep in their web pages on security. It makes sense to me that if you require the user to make an account, then the user should be using more than a username and password to authenticate themselves.
The issue at hand here is 2 fold from my view.
- The users account is used to store the credit card information, if the user goes to view the information most of it is hidden from them and all they can do is to add or change this information.
- The customer isn't paying the payment company, or at least not directly. So there really isn't much that is driving the payment company to offer security that may come with a price tag.
I know there is a need here, as I know that I want my payment information protected from prying eyes, but I can't seem to figure out what the business need is and how to make that leap from convenience to security for this part of our market. As I walk around the show floor at E3 this week, I will continue to investigate this space and see if I can find that missing link.
Current Gaming Security Topics (part 2, Revisit Keylogger/Trojan Protection)
Ok it's been a few months and really there has been a lot of new things going on in the online gaming security space. The threat of the Keylogger is still lurking around, but to be honest it hasn't deterred many game publishers from not going forward with One Time Passwords. Apparently the attacks just aren't compromising enough accounts, and the reality is that the attacks really still can't be automated enough. Many users are still only using static passwords and the major game publishers want users to simply move off of this practice on to the next more secure option.
I still have the conversations about the Keylogger attacks verse One Time Password tokens, and it came to me one day, the solution has been staring me in the face for years. So I probably need to do a little research but I think I'm ok with my knowledge here, but if your taking a test on what I'm typing you're probably going to fail, so look it up. I believe that in the late 80's early 90's token devices came on to the scene. I know VASCO started in the early 90's and I know that the first tokens we had on the market were actually PIN PAD (they have a numeric keyboard on the front) style devices. VASCO didn't introduce our Go-1 device (OTP only) until 1999 I believe. So what does this have to do with the attack. Well these PIN PAD style devices were used for what's known as Challenge-Response (CR). That means that the server generates a random number and sends it to the user and then the user simply typed it into the token and the token made a random number based on that. As long as the number the server received back from the user could be matched with the Challenge it originally sent over, then the user would be let in.
The technology hasn't changed too much here, we've added the ability to make the Challenges time based with time based responses (instead of just challenge based responses). But all in all the technology is the same. It was designed to stop shoulder surfing (remember my disclaimer about my facts up above) attacks. If an attacker is watching the user generate the password and type into the screen, the attacker would need to get the same challenge generated and sent to them during the same time period in order for the password they stole to work. So this pretty much completely defeats keylogger/shoulder surfing attacks.
The major hurdles for adoption of this technology really depends on what we believe our users will do. The original hurdle for OTP devices was that we didn't think users would want to hold the devices and might leave us for the next game. What we found was exactly opposite. Not only did users not have a problem with generating a password and typing it in, but the devices sold out in record time and were becoming collectable.
With Challenge Response we need to ask the user to take the next step. Not only do they need to turn the device on, but they also need to type in something they see on the screen before getting a password from the device. While I believe the time it takes for someone to do this is probably less than a few seconds, it's still something that hasn't been introduced to our users yet and it's different than what they are doing at work (where they probably only use an OTP only token).
The benefits here seem to outweigh the usability problems. First we solve the keylogger problem and the marketing real-estate on the device is much bigger than the single button ones. What if we make It so that we extend the in game feeling right to the device by making the challenge from in game languages and character sets. We can start to push the game further out to the user's own environment while making them more secure in the process.
Current Gaming Security Topics (part 1, Child Security Thoughts)
Ok seat back, stuffed in this plane, ready to put some thoughts together.
So as I mentioned in my last post the main trends I have seen in the Online Gaming market have been (I've added):
- Child Protection (My post below)
- Keylogger/Trojan Protection (I wrote about this one a few weeks ago, I need to revisit this I think)
- Payment Protection
- Hosted Security Options
- Code/IP Protection
- End to End Security
I'll refine that list as I pull my thoughts together.
Let's start with the one that is closest to my heart, child protection. So I have 4 children that range in age from 16 to 4, which means I have many walks of life in the gaming space. My oldest is all about Facebook and other social gaming apps (Farmville, etc.). My 11 year old is all about pushing his boundaries, so he wants to play WoW and is dying to get on Facebook , but I've managed to sway him to stay on Wizard101, FreeRealms and FTP Flash Games for a little longer. My 6 year old is all about whatever the 11 year old is doing...but...WoW and Facebook appear to be out of his comprehension at this point, so he has stayed pretty much on Wizard101, Club Penguin and <insert web based gaming>. My youngest is content with watching her older brother run a character named for her through Wizard101 collecting pets and telling him where to move the little computer girl around the screen.
So the landscape of security risks for them are all over the place for me on a personal level. On a technical level, so far I don't even think one of them has thought about security at all yet. I sat my 11 year old down to chat about security on Facebook as he is just about ready to make the leap. I explained all about the "bad" people out there. His comment "Ok Dad, can I just set one up now?" I kinda expected that but the thought of him on Facebook is scary, I mean the 16 year old almost shocks me on a daily basis as I find out more through Facebook about her than I do when I chat with her. So for me security has to be introduced and I'm making a big push for it everywhere.
Since I work for the largest Token Manufacturer in the world (30 different hardware models alone now), it's hard not to let the kids play with them. My WoW account is protected by one and I must have a couple dozen hanging around with different logos that they have picked up and asked me how to use it. It's really my WoW account that really pointed me to what I thought should be investigated. I avoided having my account hacked and got the Authenticator on it as soon as they were ready. This stopped my kids from being able to login to move my character around (and get him killed). As long as I had my keys on me they were stuck. Then came the weekends, and since I am not a morning person, they would have the keys and off and running on my WoW running up my repair build. What I found interesting was exactly who was using the account now. I assumed it would be oldest boy (the 11 year old) but instead it was the 6 year old. He found it easier for himself to login, because he "didn't need to remember which keys were the password ones". Well this isn't really security but it sure sold me on the devices for children.
As far as the security goes, my account still hasn't been hacked and I still end up with new level 1 characters created in my account every few weekends. What I noticed on their Wizard101 accounts, is they have their passwords written down on scraps of paper everywhere, and not just once, there have be 3 or 4 scraps of paper with the password and username laying around my computer room. What shocked me even more was they were sharing it with our neighbors so that they could help them play (I stopped this activity pretty quickly I think). Additionally if my 6 year old left the desktop computer to play on the laptop he always needed my help, either to type in the username or to help remind him what keys he needed to press. I attempted an experiment and changed his password once, and the effect was pretty much the same. He just asked me to write it on more scraps of paper. The concept of security seems to be lost on children under 10. If it stops them from playing a game they will move on to the next game.
And what about the "bad" people. In the Industry I have been having lots of discussions about using a token to prove that the user is a child. It is an interesting concept. Basically if we put it in a store and ask the potential user to come into the store and buy the device we expect that we will get less people that will pretend to be children. It seems logical as I would imagine people might be more hesitant to walk into a store and buy a token that is labeled and packaged with kids toys. I do imagine that if a person wants to attack a child then this will probably be less of a hurdle for them, but it removes the anonymity of the user too and captures them on store surveillance video as they are purchasing the item.
So I think the last point of concern is the FTP (free to play) and social games. There are security issues here that are similar to the other games but for children the accounts appear to be too liquid (they create new ones every time they forget their passwords). As my company starts to roll out new security options soon I suspect that these types of games will have new options to embrace. As business goes I think these new technologies will help usher in a different type of thinking. No longer will it be the cost of doing security, instead it might be the cost of not doing security. I'll write up more on this technology at a later time.
Subscribe to:
Posts (Atom)