Security vulnerabilities in online games are increasingly being exploited by hackers to gain access to confidential data and systems. This paper discusses how attackers break into gaming applications and how to secure them.
Online Games Security Threats - Quick Start Guide
Games Hackers Play: Security Threats for Online Game Portals
How do malicious hackers choose their targets?
They favor popular applications and web sites since there’s no sense in attacking things that
few people use. They love low-hanging fruit, those easy-to-execute attacks that take advantage
of known vulnerabilities. And most recently they have shown a decided preference for utilizing
interactive web sites to distribute malicious code.
So when you are working to determine what will attract the interest of cybercriminals next --
what venues you would use if you wanted to easily sneak some nasty code into lots of
computers -- it makes sense to look at popular online destinations that rely heavily on protocols
and program code that historically harbors potentially unpatched vulnerabilities.
One of the most obvious probable targets is casual game portals. 87 million people in the US
alone visited online game websites during the month of May, according to marketing research
company comScore. As interest in casual gaming flourishes and grows, historical application
security attack patterns indicate that game portal sites will increasingly become highly preferred
targets.
Any web site that is collecting data that is sellable for a profit -- specifically credit and debit card
information -- needs to ensure that its security profile is as robust as possible. Casual Game
portals also need to ensure that their sites and the applications that they host do not expose
their users to hack attacks. In its 2009 Data Breach Investigations Report, Verizon Business
found that of the 90 breaches in 2008 that it examined, 79% were compromised via web
applications.
Whether games are played in a web browser environment or downloaded onto a user’s
computer, it’s important to ensure that end users are not being exposed to malicious or flawed
code. No business wants to deal with the expense, damage to reputation, and loss of investor
confidence that follows a breach, whether that breach exposes critical data, enables players to
bypass payment and other system controls, or exposes users’ computers to criminal attack.
Anatomy of a Gaming Attack
As we are trying to prevent attacks we won’t be offering deep details on exactly how casual
game sites themselves and the games they host could be hacked. But it’s certainly no secret
that there are Flash player vulnerabilities that allow malicious hackers to craft content that
installs unwanted software on computers that access that content. Flash/JavaScript sandboxing
does a decent job of limiting code’s access to resources of players’ computers, but that doesn’t
mean that casual games -- and the portals that provide them -- aren’t hackable. Players have
created workarounds that let them score higher and bypass game controls, and legit
programmers looking to bypass sandbox restrictions have found ways to do so. Hewlett
Packard recently analyzed nearly 4,000 Web apps developed with the Flash platform and found
that 35 percent violate Adobe's security best practices.
Marketing and advertising firms are increasingly looking to partner with casual game portal sites
and developers to piggyback their product messaging onto the success of the games. Game
sites are also forging connections with social networking sites. But as casual game developers
add enhanced functionality -- such as dynamic advertising, geographic targeting, and
connections with social sites -- more attack venues will open up. The simplicity of casual games
was their best defense against hack attacks, but that defense is slipping away.
Good programmers can sometimes slip and write bad code, and even good code can
sometimes turn bad when exposed to unexpected conditions. Online games, like any modern
connected application, interact with other applications and services developed by third parties,
creating web application security holes that the original programmers didn’t envision. That’s just
one of the reasons that extremely well-known attacks like SQL injections, cross-site scripting
and buffer overflows remain so pervasive:
SQL injection is an attack method that enables hackers to force an incorrectly
configured database into performing unauthorised actions. One does this by appending
a command to the end of a valid request string. SQL injection can be used to do
anything a fully authorized system administrator could do, including accessing, copying,
and deleting data and remotely executing stored procedures.
Buffer Overflow occurs when an attacker forces an application to put an inordinate
amount of data into its buffer -- the section of memory allocated to it -- or forces the
application to put data outside of its buffer. When this occurs it is sometimes possible to
force the application to execute malicious code, often with the goal of gaining remote
access privileges over an affected system. Many Flash Player exploits are carried out
via buffer overflow attacks.
Cross-site scripting, also known as “XSS” (so as not to be confused with cascading
style sheets, which is commonly abbreviated as CSS), has been topping the most
widely exploited threats lists for the past several years. XSS flaw occurrence in websites
is alarmingly high, with some reports indicating that anywhere from 60-68% of all active
sites are wide open to XSS attacks. Attackers use XSS vulnerabilities to insert their own
bits of malicious code into a site, circumventing existing security protections. The end
result of a successful exploit ranges widely, including hijacking users to other websites,
extracting payment/account data, reconfiguration of cookies, inserting malicious code
into advertising, and more. Essentially, any legitimate action that can be performed with
a script can be reconfigured to work to the hacker’s advantage.
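The SQL injection item above, shown as a flawed lookup beside its corrected form. This is an added example, not code from the original paper; the `players` table, the function names and the sample rows are constructed for illustration.

```python
import sqlite3


def make_db():
    """Build an in-memory player table (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE players (name TEXT, email TEXT, score INTEGER)")
    db.executemany(
        "INSERT INTO players VALUES (?, ?, ?)",
        [("alice", "alice@example.test", 4200),
         ("bob", "bob@example.test", 1300),
         ("carol", "carol@example.test", 9900)],
    )
    return db


def lookup_vulnerable(db, name):
    # Flawed on purpose: the player-supplied string becomes part of the SQL
    # text, so anything appended to a valid name is parsed as SQL.
    query = "SELECT name, score FROM players WHERE name = '" + name + "'"
    return db.execute(query).fetchall()


def lookup_hardened(db, name):
    # The value is bound as a parameter; the database never parses it as SQL.
    return db.execute(
        "SELECT name, score FROM players WHERE name = ?", (name,)
    ).fetchall()


# Constructed input: a valid name with an SQL fragment appended to it.
APPENDED = "alice' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("normal request:     ", lookup_vulnerable(db, "alice"))
    print("appended, flawed:   ", lookup_vulnerable(db, APPENDED))
    print("appended, hardened: ", lookup_hardened(db, APPENDED))
```

With the concatenated query the appended fragment changes the WHERE clause and every row comes back; with the bound parameter the same string is only an unknown player name.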
The other reason that flaws like this exist is all-too-common bad security testing
practices, mistakes made in the rush to release, or programmers being unfairly expected
to do double-duty as security experts. These mistakes include weak/default passwords, ports
left open, permissions left undefined, an unprotected directory that anyone with a bit of
knowledge can access and rewrite, and more.
Online Cheating: While online games are fast becoming the most sought after
applications on the Internet, cheating has emerged as a notable phenomenon in current
game play. Online cheating is an important security issue that distinguishes online
games from other E-commerce applications, though some cheats in online games may
find similar exploits in other E-commerce applications.
As online gaming technologies have advanced, newer forms of cheating
have been identified and our understanding of game cheating has also increased. Some of
the newer techniques that have special relevance to online games are as follows:
a) Exploiting Misplaced Trust: Many cheats involve tampering with game code,
configuration data, or both, on the client side. A cheater can modify his game client
program, data, or both, and then replace the old copy with the revised one for future use.
b) Collusion: People can agree with each other to gain unfair advantages over their
honest opponents in online games. For example, the so-called “win-trading” was a
collusion cheat widely seen in the popular StarCraft game, in which two cheaters
colluded to lose to each other alternately in the ladder competition.
c) Abusing the Game Procedure: This form of cheating may be carried out without any
technical sophistication, and a cheater simply abuses the operating procedure of a
game. One common case that we have observed in many online games is escaping: a
cheater disconnects himself from the game system when he is going to lose.
d) Related to Virtual Assets: Trading of virtual characters and items (e.g. clothing,
weapons, homes and magical objects) acquired in games is a new and real business
created by online games. Many players would like to have good characters, or improve
the status of their own characters by getting some items in the game. Nonetheless, it is
not easy for every player to get good characters and items, which require gaming skills
and time. Where there is demand, there is supply, and then there is a market! Now
virtual characters and items become virtual assets, or real assets in a virtual world, and
many of them have been auctioned for real money on eBay.
e) Exploiting Machine Intelligence: Artificial intelligence techniques can also be
exploited by a cheating player in some online games. For example, the advancement of
computer chess research has produced many programs that can compete with human
players at the master level. When playing chess online, a cheater can look for the best
candidates for his next move by stealthily running a strong computer chess program.
f) Modifying Client Infrastructure: Without modifying game programs, configurations or
data on the client side, a player can cheat by modifying the client infrastructure such as
device drivers in his operating system. For example, he can modify a graphics driver to
make a wall transparent so that he can see through the wall, locating other players who
are supposed to be hidden behind the wall.
g) Social Engineering: Social engineering is often used to steal passwords. There are
many variations of this scam, but all of them have the same aim: to trick players into
willingly revealing their ID and password pairs. Often these social engineers – password
scammers – will attempt to trick a player into believing something attractive or annoying
has happened to the player and that his ID and password are needed for that purpose. They
may approach a victim by phone, email, online chat channels, or whatever else they can exploit.
h) Denying Service to Peer Players: A cheater can gain advantages by denying service
to his peer players. For example, a cheater could delay the responses from his opponent
by flooding his network connection. Other peer players would then be cheated into
believing that there was something wrong with the network connection of the victim, and
agree to kick him out from the game in order to avoid the game session being stalled.
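A server-side check for the win-trading pattern described under Collusion, run over ladder results. This is an added example, not part of the original paper; the function name, the thresholds and the sample match log are assumptions chosen for illustration.

```python
from collections import defaultdict


def find_win_trading(matches, min_games=6, min_alternation=0.9):
    """Flag player pairs whose ladder results alternate almost perfectly.

    matches: iterable of (winner, loser) tuples in chronological order.
    Returns a sorted list of (player_a, player_b, games, alternation).
    Thresholds are illustrative assumptions, not values from the paper.
    """
    winners_by_pair = defaultdict(list)
    for winner, loser in matches:
        pair = tuple(sorted((winner, loser)))
        winners_by_pair[pair].append(winner)

    flagged = []
    for pair, winners in winners_by_pair.items():
        # Too few games cannot be told apart from chance; fewer than two
        # games have no consecutive results to compare at all.
        if len(winners) < max(min_games, 2):
            continue
        # Fraction of consecutive games in which the winner switched.
        # Evenly matched honest players sit near 0.5; traders sit near 1.0.
        switches = sum(1 for a, b in zip(winners, winners[1:]) if a != b)
        alternation = switches / (len(winners) - 1)
        if alternation >= min_alternation:
            flagged.append(
                (pair[0], pair[1], len(winners), round(alternation, 2))
            )
    return sorted(flagged)


# Constructed ladder log, in chronological order.
SAMPLE = (
    [("p1", "p2"), ("p2", "p1")] * 4            # p1 and p2 trade 8 games
    + [("p3", "p4"), ("p3", "p4"), ("p4", "p3"), ("p3", "p4"),
       ("p3", "p4"), ("p4", "p3"), ("p4", "p3")]  # ordinary rivalry
    + [("p1", "p5"), ("p5", "p1")]              # too few games to judge
)

if __name__ == "__main__":
    for a, b, games, alt in find_win_trading(SAMPLE):
        print(f"review {a} vs {b}: {games} games, alternation {alt}")
```

A flagged pair is a lead for manual review rather than proof of collusion, since two closely matched players can alternate by chance over a short run.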
It’s clear that any business that hosts web applications like casual games needs to be super
proactive about assuring the security of the site and the games they distribute. Beyond the
devastating hacks that expose customers’ information and/or their computer systems,
businesses also have to protect themselves from those who are looking to bypass payment
systems and access content for free. Strong security is an essential part of doing business
online; half-measures are a waste of time and budget. There’s no doubt that hackers will devote
plenty of time and effort to find that one nasty little hole that exists in an otherwise pristine web
portal.
Fight Back
What to do? Code reviews built into the application security development cycle are
an obvious must. Risk-adjusted security processes that pinpoint areas of particular concern are
helpful. Regular security self-assessments that use an automated tool to scan the site
infrastructure and its applications for problems are always a good thing -- hackers will be
using their own scanning tools to spot exploitable issues on targeted websites -- but there are
many classes of highly exploitable vulnerabilities which automated tools cannot easily spot. And
standard automated scanning tools can’t provide the essential complete picture either.
In contrast, penetration tests look at a system or application exactly the way the most highly
skilled malicious hackers do when they are looking for flaws to exploit, using procedures such
as in-depth interactive testing to force error conditions and analysis of the data flow through an
entire system to see how that data could be maliciously manipulated as it moves through
applications.
Application penetration tests, such as those conducted on demand by iViZ, are fine-tuned
to spot exploitable flaws in web-based applications and their host sites. They reveal the issues
that exist in single applications, the problems that are created when applications interface with
each other, and the probable impact of each discovered flaw.
Another critical defense method to keep in mind is that security at its best is always a dynamic
process. Programming code changes, new vulnerabilities crop up, new ways of bypassing
yesterday’s strong controls are constantly developed. The goal is to provide consistent
protection against known, current and emerging threats. Effective security is not an item on a to-
do list that can be completed, checked off, and never thought about again. It is and always will
be an ongoing process, not a finite project. Periodic web application security assessment
identifies potential vulnerabilities before they can cause damage and is a highly effective way to
ensure that a happy casual game portal doesn’t become a dangerous playground for
cybercriminals.
Be aware of the difference between vulnerability assessment and penetration testing. Always
insist on a penetration test of your gaming application and not just vulnerability testing. Also
research thoroughly how to choose a good penetration testing company.
To read more about the security of online travel portals, visit the blog.