Protect Your Passwords, Secure Your Servers
Download as PPT, PDF0 likes547 views
The document discusses strategies for enhancing security in online gaming and server architecture, emphasizing the need for separate servers and data stores to protect against vulnerabilities like SQL injection and privilege escalation. It suggests using slower cryptographic methods for password verification and highlights the importance of minimizing exposure of personal identity information. Additionally, it encourages ongoing education and collaboration in the field of cybersecurity.
Protect Your Passwords, Secure Your Servers
- 1. Security eBooks Protecting Passwords & Securing Servers Steven Davis steve@free2secure.com Games, iGaming, and Gambling +1.650.278.7416
- 2. Security eBooks Standard Server Architecture • 3-Tier / N-Tier • Lots of Apps and Services on a box • Split up for performance, if at all • … a “mini-cloud” • Why? Servers Expensive… in the old days steve@free2secure.com Games, iGaming, and Gambling +1.650.278.7416
- 3. Security eBooks Bootstrap Attack! • Attackers use weakness in one part of a system to attack another – Privilege Escalation … dangerous if more privileges can get you somewhere – SQL Injection … only dangerous if there is something valuable in the same database or accessible via the same account steve@free2secure.com Games, iGaming, and Gambling +1.650.278.7416
- 4. Security eBooks The Server Architecture Problem • Lots of tools and lots of developers – Many of them not on your team – Very few security focused • Too many things to go wrong! steve@free2secure.com Games, iGaming, and Gambling +1.650.278.7416
- 5. Security eBooks Solution – More Servers (or Virtual Servers) • Break up online service infrastructure to multiple servers by function • Reduce number that are internet facing • Reduce and simplify security interfaces • Add proxies to isolate data and applications steve@free2secure.com Games, iGaming, and Gambling +1.650.278.7416
- 6. Security eBooks One Data Store per Server App Divide for Security Game Engine Player Assets Player Account Community Player Access Info • Separate Database & Access Account • Separate Data Store BETTER • Separate Virtual Server w/own Database App • Separate Actual Server Add “Connector” Datastores (Login Status, Player Stats, etc.) rather than links to critical databases steve@free2secure.com Games, iGaming, and Gambling +1.650.278.7416
- 7. Security eBooks Combine with Proxy Security Some online games dangerously include a SQL client and talk directly to the game server Rules Validation Data Validation Validation Message Incoming Message Database • Protecting Database from SQL injection / direct queries • Allows Rules Validation on Server or reallocation to other players steve@free2secure.com Games, iGaming, and Gambling +1.650.278.7416
- 8. Security eBooks Make Password Service a “Dumb Appliance” Secure User Name / Account Name Password Session Server Account Name / Password Identifier Server Password Identifier / Password Seed Login Server Password Identifier / Password Transform • Separate out Password verification from Login Service/Server • Have Password Service work at a slow pace • Use VERY SLOW Cryptography – Select algorithms or combinations of algorithms to take a specific amount of time… traditional cryptography is designed to run fast to support communications…. This is not the problem we face with passwords! • Consider Split Architectures steve@free2secure.com Games, iGaming, and Gambling +1.650.278.7416
- 9. Security eBooks Protect Email and Online Service Identity Info… by Login Service taking them (Encrypted) Active offline Info Updates Service • Users don’t need regular Back Office access to their entire identity profile… so take Personal Info what is not needed regularly offline Email • Only have temporary store for user info while it is being entered or Payment Info changed steve@free2secure.com Games, iGaming, and Gambling +1.650.278.7416
- 10. Security eBooks Six Forms of Personal ID • Separate them and use them all – Login Name Using emails for user names or – Internal Account Number user names for handles just – Handle (Community name) makes attacking easier – Email – Personal Contact Information – Payment Information steve@free2secure.com Games, iGaming, and Gambling +1.650.278.7416
- 11. Security eBooks What next? • Don’t give up! • More security presentations at: http://free2secure.com/ • Check out my book “Protecting Games” – Additional information at http://playnoevil.com/ • You can “win” the security game steve@free2secure.com Games, iGaming, and Gambling +1.650.278.7416
- 12. Security eBooks About Me • Steven Davis – 25+ Years of Security Expertise – I have worked on everything from online games and satellite TV to Nuclear Command and Control and military communications • http://www.linkedin.com/in/playnoevil – Author, “Protecting Games” • Why Free2Secure? – Security is too expensive and isn’t working. There has to be a better way. I’m exploring these issues for IT security, ebooks, games, and whatever else strikes my fancy at http://free2secure.com/ – Join me there, ask questions, challenge assumptions, let’s make things better steve@free2secure.com Games, iGaming, and Gambling +1.650.278.7416
Editor's Notes
- #3: http://docs.oracle.com/cd/A97335_02/busint.102/a90287/vwarch1.gif