How do malicious hackers choose their targets?
They favor popular applications and web sites, since there is no sense in attacking things that few people use. They love low-hanging fruit, the easy-to-execute attacks that take advantage of known vulnerabilities. And most recently they have shown a decided preference for using interactive web sites to distribute malicious code. So when you are working out what will attract the interest of cybercriminals next (which venues you would use if you wanted to easily sneak some nasty code onto lots of computers), it makes sense to look at popular online destinations that rely heavily on protocols and program code that have historically harbored potentially unpatched vulnerabilities.

One of the most obvious probable targets is casual game portals. 87 million people in the US alone visited online game websites during the month of May, according to the marketing research company comScore. As interest in casual gaming flourishes and grows, historical application security attack patterns indicate that game portal sites will increasingly become highly preferred targets.

Any web site that collects data that can be sold for a profit, specifically credit and debit card information, needs to ensure that its security profile is as robust as possible. Casual game portals also need to ensure that their sites and the applications they host do not expose their users to attacks. In its 2009 Data Breach Investigations Report, Verizon Business found that of the 90 breaches from 2008 that it examined, 79% were compromised via web applications. Whether games are played in a web browser or downloaded onto a user's computer, it is important to ensure that end users are not exposed to malicious or flawed code.
No business wants to deal with the expense, damage to reputation, and loss of investor confidence that follows a breach, whether that breach exposes critical data, enables players to bypass payment and other system controls, or exposes users’ computers to criminal attack.
Anatomy of a Gaming Attack
The other reason that flaws like this exist is all-too-common bad security testing practices, mistakes made in the rush to release, or programmers being unfairly expected to do double duty as security experts. These mistakes include weak or default passwords, ports left open, permissions left undefined, an unprotected directory that anyone with a bit of knowledge can access and rewrite, and more.

Online Cheating: While online games are fast becoming the most sought-after applications on the Internet, cheating has emerged as a notable phenomenon in current game play. Online cheating is an important security issue that distinguishes online games from other e-commerce applications, though some cheats in online games may have counterparts in other e-commerce applications. As newer technologies arrive in online gaming, newer forms of cheating have been identified and our understanding of game cheating has also increased. Some of the newer techniques of special relevance to online games are as follows:
a) Exploiting Misplaced Trust: Many cheats involve tampering with game code, configuration data, or both, on the client side. A cheater can modify his game client program, data, or both, and then replace the old copy with the revised one for future use.
b) Collusion: People can agree with each other to gain unfair advantages over their honest opponents in online games. For example, the so-called "win-trading" was a collusion cheat widely seen in the popular StarCraft game, in which two cheaters colluded with each other to lose to one another alternately in the ladder competition.
c) Abusing the Game Procedure: This form of cheating may be carried out without any technical sophistication; a cheater simply abuses the operating procedure of a game. One common case that we have observed in many online games is escaping: a cheater disconnects himself from the game system when he is about to lose.
d) Related to Virtual Assets: Trading of virtual characters and items (e.g. clothing, weapons, homes and magical objects) acquired in games is a new and real business created by online games. Many players would like to have good characters, or improve the status of their own characters by getting certain items in the game. Nonetheless, it is not easy for every player to get good characters and items, which require gaming skills and time. Where there is demand, there is supply, and then there is a market! Virtual characters and items have now become virtual assets, or real assets in a virtual world, and many of them have been auctioned for real money on eBay.
e) Exploiting Machine Intelligence: Artificial intelligence techniques can also be exploited by a cheating player in some online games. For example, the advancement of computer chess research has produced many programs that can compete with human players at the master level. When playing chess online, a cheater can look for the best candidates for his next move by stealthily running a strong computer chess program.
f) Modifying Client Infrastructure: Without modifying game programs, configurations or data on the client side, a player can cheat by modifying the client infrastructure, such as device drivers in his operating system. For example, he can modify a graphics driver to make a wall transparent so that he can see through the wall, locating other players who are supposed to be hidden behind it.
g) Social Engineering: Social engineering is often used to steal passwords. There are many variations of this scam, but all of them aim at the same thing: to trick players into happily revealing their ID and password pairs. Often these social engineers (password scammers) will attempt to trick a player into believing that something attractive or annoying has happened to the player and that his ID and password are needed for that purpose. They may approach a victim by phone, email, online chat channels, or whatever else they can exploit.
h) Denying Service to Peer Players: A cheater can gain advantages by denying service to his peer players. For example, a cheater could delay the responses from his opponent by flooding his network connection. Other peer players would then be deceived into believing that there was something wrong with the victim's network connection, and agree to kick him out of the game to avoid the game session stalling.

It is clear that any business that hosts web applications like casual games needs to be highly proactive about assuring the security of the site and the games it distributes. Beyond the devastating hacks that expose customers' information and/or their computer systems, businesses also have to protect themselves from those who are looking to bypass payment systems and access content for free. Strong security is an essential part of doing business online; half-measures are a waste of time and budget. There is no doubt that hackers will devote plenty of time and effort to finding that one nasty little hole that exists in an otherwise pristine web portal.
What to do? Code reviews built into the application security development cycle are an obvious must. Risk-adjusted security processes that pinpoint areas of particular concern are helpful. Regular security self-assessments using an automated tool to scan the site infrastructure and its applications for problems are always a good thing (hackers will be using their own scanning tools to spot exploitable issues on targeted websites), but there are many classes of highly exploitable vulnerabilities that automated tools cannot easily spot, and standard automated scanning tools cannot provide the essential complete picture either. In contrast, penetration tests look at a system or application exactly the way the most highly skilled malicious hackers do when they are looking for flaws to exploit, using procedures such as in-depth interactive testing to force error conditions and analysis of the data flow through an entire system to see how that data could be maliciously manipulated as it moves through applications. Application penetration tests, such as those conducted on demand by iViZ, which are fine-tuned to spot exploitable flaws in web-based applications and their host sites, reveal the issues that exist in single applications, the problems that arise when applications interface with each other, and the probable impact of each discovered flaw.
Another critical point to keep in mind is that security at its best is always a dynamic process. Program code changes, new vulnerabilities crop up, and new ways of bypassing yesterday's strong controls are constantly developed. The goal is to provide consistent protection against known, current and emerging threats. Effective security is not an item on a to-do list that can be completed, checked off, and never thought about again. It is and always will be an ongoing process, not a finite project. Periodic web application security assessment identifies potential vulnerabilities before they can cause damage and is a highly effective way to ensure that a happy casual game portal does not become a dangerous playground for cybercriminals. Be aware of the difference between vulnerability assessment and penetration testing: always insist on a penetration test of your gaming application, not just vulnerability testing. Also do thorough research on how to choose a good penetration testing company. To read more about the security of online travel portals, visit the iViZ blog.
References:
homepages.cs.ncl.ac.uk/jeff.yan/TEL.pdf
http://www.gamecareerguide.com/education/theses/20050610/A%20Legal%20Perspective%20on%20Cheating%20in%20Online%20Multiplayer%20Games.pdf
www.ivizsecurity.com/blog/