In Sammlung (en) In der gespeicherten
  1. Ingenieurwissenschaft
  2. Informatik
  3. Datenbank

here - SYP 2016 Regensburg

Werbung 
CHEATERS, HACKERS,
SCRIPT KIDDIES
THE DARK SIDE OF ONLINE GAMES
Diplom-Informatiker
Stephan Payer
Co-Founder
SEIT
E
YOUR MONEY OR YOUR NET!
During a past Football Championship …
•
Mail to online betting portal:
"Transfer $ 15,000 via Western Union or we will
attack your website!"
•
No reaction
•
One hour before kick-off:
DDoS attack, website no longer available,
no bets on this match
PAGE 2
SEIT
E
© 2016 CIPSOFT
CONTENTS
•
CipSoft, Tibia
•
Security aspects
•
Motivation of attackers
•
Attack scenarios and countermeasures
•
Conclusions and advice
PAGE 3
SEIT
E
© 2016 CIPSOFT
TIBIA
•
Online role-playing game for PC
•
Classic fantasy setting
•
Online since 1997
•
300,000 daily users; 100,000 premium accounts
PAGE 4
SEIT
E
© 2016 CIPSOFT
SECURITY ASPECTS
Security
Safety
•
Fairness
•
Robustness
•
Access control
•
Durability
•
Integrity
•
Privacy
•
Availability
•
Ergonomics
PAGE 5
SEIT
E
Protection
Protection
against users
of users
© 2016 CIPSOFT
SECURITY ASPECTS
Security
•
Fairness
•
Access control
•
Integrity
•
Availability
Cheating
Account hacking
System hacking
Denial-of-Service
Protection
against users
PAGE 6
SEIT
E
© 2016 CIPSOFT
MOTIVATION OF ATTACKERS
Cheat
AccH
Convenience


Self-help

Earnings/savings


Curiosity/technical challenge


Prestige

Advantage in competition

SysH
DoS






Envy

Revenge (player)


Blackmail (player)


Revenge (operator)


Blackmail (operator)


PAGE 7
SEIT
E
© 2016 CIPSOFT
CHEATING: FARMBOTS
•
Completely automated hunting without the
player sitting at his computer
•
Often done by secondary characters to support
the main character
PAGE 8
SEIT
E
© 2016 CIPSOFT
CHEATING: FARMBOTS - METHOD
•
Walk down a prescribed way,
Attack monsters that turn up,
Collect loot,
Heal yourself when necessary,
Respond to other players
•
Macros, proxies, bots
•
Commercial realization of the yield
and of the programs
PAGE 9
SEIT
E
© 2016 CIPSOFT
CHEATING: FARMBOTS - PROBLEMS
•
Destruction of the fun of the game
•
Unfair competition
•
Abuse of power
•
Disturbance of the economy
•
Risk of account hacking
PAGE 10
SEIT
E
© 2016 CIPSOFT
CHEATING: FARMBOTS - COUNTERMEASURES
•
Community taking the law into their own hands
•
Restriction of money transfers
•
Restriction of the possiblity to abuse power
•
Banishment by gamemasters
•
Automated detection and punishment
PAGE 11
SEIT
E
© 2016 CIPSOFT
CHEATING: OTHER METHODS
Unfair advantage, usually at the expense
of others, by violating rules
•
Enhanced client view
•
Extended client controls
•
Inadmissible commands
•
Falsification of client data
•
Abuse of bugs
•
Account sharing
PAGE 12
SEIT
E
© 2016 CIPSOFT
CHEATING: GENERAL COUNTERMEASURES
•
Make cheating impossible
•
Make cheating useless
•
Detect and punish cheaters
•
Reward chief witnesses
•
Change the rules of the game
•
Adopt features
•
Allow cheating
PAGE 13
SEIT
E
© 2016 CIPSOFT
ACCOUNT HACKING: PASSWORD SNIFFING
Charakter Name
Password
Game Data
PAGE 14
SEIT
E
© 2016 CIPSOFT
ACCOUNT-HACKING: PASSWORD-SNIFFING
Charakter Name
Password
Session Key
RSA
Game Data
XTEA
PAGE 15
SEIT
E
© 2016 CIPSOFT
ACCOUNT HACKING: PASSWORD SNIFFING
Challenge
Challenge
Charakter Name
Password
Session Key
RSA
Game Data
XTEA
PAGE 16
SEIT
E
© 2016 CIPSOFT
ACCOUNT HACKING: OTHER METHODS
•
Brute-force attacks
•
Hacking of e-mail accounts belonging to players
•
Phishing
•
Social engineering
•
Keyloggers, Trojan horses
•
Faked copies of identity cards
PAGE 17
SEIT
E
© 2016 CIPSOFT
ACCOUNT HACKING: GENERAL COUNTERMEASURES
•
Use encryption
•
Protect against brute-force attacks
•
Support authenticator tokens
•
Raise players‘ awareness regarding:
PAGE 18
SEIT
E

Choice of password

Way of dealing with credentials

General behaviour on the internet
© 2016 CIPSOFT
SYSTEM HACKING: SQL INJECTION
Stephan
SELECT * FROM Characters
WHERE Name = 'Stephan';
PAGE 19
SEIT
E
© 2016 CIPSOFT
SYSTEM HACKING: SQL INJECTION
';DELETE FROM Characters; --
SELECT * FROM Characters
WHERE Name = '';
DELETE FROM Characters; --';
PAGE 20
SEIT
E
© 2016 CIPSOFT
SYSTEM HACKING: SQL INJECTION
Ä';DELETE FROM Characters; --
Ä'; DELETE FROM Charaters; -AddSlashes (ISO 8859)
Ä\'; DELETE FROM Characters; -Datenbank (UTF8)
SELECT * FROM Characters
WHERE Name = '?';
DELETE FROM Characters; --';
PAGE 21
SEIT
E
© 2016 CIPSOFT
SYSTEM HACKING: OTHER METHODS
•
Security holes in the application
•
Security holes in the operating system
•
Social engineering
•
Keyloggers, Trojan horses
•
Abuse of privileges
•
Misconfigurations
•
Weak or standard passwords, backdoors
PAGE 22
SEIT
E
© 2016 CIPSOFT
SYSTEM HACKING: GENERAL COUNTERMEASURES
• Check all user-generated input
•
Follow programming guidelines, use static code
analysis, use prepared queries
•
Configure your application appropriately
•
Configure your system appropriately, install patches
•
Use public and private IP addresses, use a firewall
•
Divide your system into security zones
•
Encrypt your stored data
•
Monitor your system, use intrusion detection
PAGE 23
SEIT
E
© 2016 CIPSOFT
SYSTEM HACKING: BEST OF …
48%
44%
32%
30%
23%
20%
18%
10%
7%
5%
5%
Keyloggers, form grabbers or spyware
Exploitation of default or guessable credentials
Use of stolen login credentials
Sending data to external site or entity
Brute-force or dictionary attacks
Backdoors
Disabling or interfering with security controls
Tampering
Social engineering
Exploitation of insufficient authentication
Misuse of privileges
81% Hacking
69% Malware
10% Physical
7% Social
5% Misuse
Source: Verizon, 2012 Data Breach Investigations Report
PAGE 24
SEIT
E
© 2016 CIPSOFT
DENIAL-OF-SERVICE: METHODS
Clients
Internet
1
Core Router
1
Bandwidth
2 Packet rate (esp. SYN flood)
1
2
Game Server
3
PAGE 25
SEIT
E
3
Application
© 2016 CIPSOFT
DENIAL-OF-SERVICE: MONITORING
PAGE 26
SEIT
E
© 2016 CIPSOFT
DENIAL-OF-SERVICE: COUNTERMEASURES
•
Rent a massive connection
•
Filter UDP packets, if you don‘t need them
•
Use SYN cookies
•
Use a stateful firewall
•
Make your application efficient
•
Buy strong hardware
PAGE 27
SEIT
E
© 2016 CIPSOFT
WELCOME TO THE UNDERGROUND
Source: SecureWorks, Underground Hacker Markets 2016
PAGE 28
SEIT
E
© 2016 CIPSOFT
CONCLUSIONS
•
Every chain is only as strong as its weakest link.
Don‘t strive for perfection in a single aspect!
•
Attackers are resourceful and find every hole.
No "security by obscurity"!
•
Client and browser are in the hands of the enemy.
Check all user-generated input!
•
There are no secure systems.
Have emergency plans!
PAGE 29
SEIT
E
© 2016 CIPSOFT
RECOMMENDED PROCEDURE
•
Make a risk analysis: What do you want to
protect and at what expenses?
•
Deter attackers.
•
Keep attackers from entering your system.
•
Keep attackers from finding data.
•
Detect attacks and respond to them.
PAGE 30
SEIT
E
© 2016 CIPSOFT
SEIT
E
Zugehörige Unterlagen
Ferienwohnung Lalic - Fire (4+2)
Ferienwohnung Lalic - Fire (4+2)
Climate Change in Europe
Climate Change in Europe
Didaktische Anforderungen an die erste Programmiersprache
Didaktische Anforderungen an die erste Programmiersprache
3D Computer Graphics with Python
3D Computer Graphics with Python
Alexander Elsas Goethe University Frankfurt, Germany
Alexander Elsas Goethe University Frankfurt, Germany
A module - JUG Saxony Day
A module - JUG Saxony Day
2 Multimedia Programming with Python and Pygame
2 Multimedia Programming with Python and Pygame
Analytisches Information Lifecycle Managment
Analytisches Information Lifecycle Managment
Working with Semantic 3D City Models
Working with Semantic 3D City Models
DBA Cockpit Update 2016_V3 (2)
DBA Cockpit Update 2016_V3 (2)
Oracle ORDS – Quickstart für Entwickler - Opal-Consulting
Oracle ORDS – Quickstart für Entwickler - Opal-Consulting
Was jeder Java-Entwickler über Strings wissen sollte
Was jeder Java-Entwickler über Strings wissen sollte
Herunterladen
Werbung