Omg he haxx

by Jason Haddix on 29 January 2014


Transcript of Omg he haxx

Intro ++ Background
Client
Network / Server
In-Game


An introduction to the OWASP Game Security Framework ++

OMG He HAXX!
ME
HP Fortify On Demand
Honorary NOVAH member
Mobile/OWASP Guy
Gamer
My Team is awesome: Dawn, James, Kevin, JamesL, Dan, Brent, Mohsan.
Games and $$$
RTS / MOBA
MMOs
Shooters ++
Platforms
The Game Industry
http://www.theesa.com/facts/pdfs/esa_ef_2013.pdf
Projected to hit 70 billion in 2014
Security?
Only a select few gaming companies have the experience, Blizzard being the largest.
Very few references.
Few security companies are participating.
Lots of burden is left on QA; let's help them out.
A Noob's Framework ++
Game *exploits* remain opaque to developers and QA.
Design a checklist of sorts for new game companies.

Divide and conquer:
Client
Network
Server
++

Design from vulns upwards.
Client Security
Massively distributed
Prone to traditional exploits
Hostile environment
Require AuthN

Dangers
RCE == pwned players
Memory Modification == cheated games
Race Conditions == cheated games

Some Traditional Thick Client Defenses
Exploit mitigation: DEP, ASLR, ++
Anti reversing
Advanced anti debugging
Integrity checks
Network / Server Security
*some* Dangers
Replay Attacks == cheating
Transport Security == mitm + cheating
DoS == loss of revenue
Traditional Web Server Type Exploits == Sad Panda
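The replay and transport items above, as an added example that is not part of the presentation or of the OWASP project: the client prefixes every message with a monotonic sequence number and appends an HMAC-SHA256 tag under a per-session key; the server checks the tag in constant time before anything else, then runs a sliding anti-replay window (the same idea IPsec and DTLS use) so that late-but-genuine packets are accepted once and any copy of an already-accepted packet is refused. The session key, the message layout, the 64-entry WINDOW and the trade payload are assumptions constructed for the example.

```python
# Added example (not from the presentation or the OWASP project).
# Assumptions: both sides already share a 32-byte per-session key,
# payloads are small JSON objects, and the server keeps per-session
# anti-replay state. WINDOW, the message layout and the sample
# payloads are all constructed for this example.
import hashlib
import hmac
import json
import os
import struct

WINDOW = 64          # how far behind the highest seq an out-of-order packet may arrive
TAG_LEN = 32         # HMAC-SHA256 output length


class AuthError(Exception):
    """Tag mismatch: altered in transit (MITM) or sent with the wrong key."""


class ReplayError(Exception):
    """Sequence number already accepted, or too old for the window."""


def seal(session_key: bytes, seq: int, payload: dict) -> bytes:
    """Client side: 8-byte big-endian sequence number || JSON || HMAC-SHA256 tag."""
    body = struct.pack(">Q", seq) + json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(session_key, body, hashlib.sha256).digest()
    return body + tag


class SessionReceiver:
    """Server side: authenticate first, then enforce the anti-replay window."""

    def __init__(self, session_key: bytes):
        self.key = session_key
        self.highest = -1     # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => seq (highest - i) already accepted

    def _check_and_mark(self, seq: int) -> bool:
        mask = (1 << WINDOW) - 1
        if seq > self.highest:
            shift = seq - self.highest
            # slide the window forward; bit 0 now represents `seq`
            self.bitmap = 1 if shift >= WINDOW else ((self.bitmap << shift) & mask) | 1
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= WINDOW:
            return False                      # older than the window: treat as replay
        if self.bitmap & (1 << diff):
            return False                      # already accepted once
        self.bitmap |= 1 << diff              # late but genuine: accept and remember
        return True

    def open(self, wire: bytes) -> dict:
        if len(wire) < 8 + TAG_LEN:
            raise AuthError("short message")
        body, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time compare
            raise AuthError("bad tag")
        seq = struct.unpack(">Q", body[:8])[0]
        if not self._check_and_mark(seq):
            raise ReplayError(f"seq {seq} rejected")
        return json.loads(body[8:])


def classify(rx: SessionReceiver, wire: bytes) -> str:
    """Outcome of handing one packet to the receiver: 'ok', 'replay' or 'auth'."""
    try:
        rx.open(wire)
        return "ok"
    except ReplayError:
        return "replay"
    except AuthError:
        return "auth"


def demo() -> list:
    """Walk through accept / replay / tamper / next with a constructed session."""
    key = os.urandom(32)                      # constructed session key
    rx = SessionReceiver(key)
    msg = seal(key, 1, {"op": "trade", "item": 4242, "to": "mule"})
    out = [classify(rx, msg), classify(rx, msg)]          # second copy is a replay
    tampered = bytearray(msg)
    tampered[12] ^= 0x01                      # flip one payload byte in transit
    out.append(classify(rx, bytes(tampered)))             # tag no longer matches
    out.append(classify(rx, seal(key, 2, {"op": "move"})))
    return out


if __name__ == "__main__":
    print(demo())
```

The tag gives integrity and the window gives replay resistance; neither hides the payload, so the real transport still needs TLS or DTLS for confidentiality. The order of checks matters: a packet that fails authentication must not touch the window state, otherwise an attacker who cannot forge tags can still poison the sequence bookkeeping.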
Project Workflow
History => Exploit => Cause => Defense
This project will need a lot of help. Hence OWASP.

*some* Defenses
Exploit Mitigation Server Side
???
Redundancy
Hosting level mitigation
Ninja Operations Team for IR
Having IR Policies

Additional Concerns
Accounts tied to web apps
Need secure payment options
etc...

Currently we are...
Trying to find sec companies with experience in gaming to help
Reverse engineering exploits at a high level
Finding places to put new classes of *exploits*
Setting up OWASP wiki content
Parsing previous work
There is more than C/N/S
In-Game
Spam and phishing
Chat and Mail
Combat/Boss exploitation
Exchange Systems (trade + AH)
BOTTING
Economy Hacks

More In-game Problems
Buffing
Griefing
Aim Hacks
Speed hacks
Duping
Map Hacks
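Speed hacks and duping from the lists above can only be stopped where the client is not trusted, which means on the server (the client section's "Memory Modification == cheated games" is the same point seen from the other side). The following is an added example, not code from the presentation or the OWASP project: a server-authoritative movement check that accepts a reported position only if it is reachable at a maximum speed, and an idempotent trade routine that debits before it credits and refuses duplicate submissions, with an item-conservation invariant that a detection job can assert over the whole world. MAX_SPEED, SLACK, STRIKE_LIMIT, the Player and World classes, the trade ids and the sample inventories are assumptions constructed for the example.

```python
# Added example (not from the presentation or the OWASP project).
# Assumptions: the server owns position, inventory and trade state;
# clients report absolute positions with their own timestamps; trades
# carry a client-chosen id. MAX_SPEED, SLACK, STRIKE_LIMIT, the
# Player/World classes and the sample values are constructed here.
import math

MAX_SPEED = 7.0    # world units per second a legitimate client can cover
SLACK = 1.10       # 10% tolerance for tick jitter and latency
STRIKE_LIMIT = 3   # strikes before a player is flagged for review


class Player:
    def __init__(self, name: str, x: float, y: float, t: float):
        self.name = name
        self.x, self.y, self.t = x, y, t      # last position the server accepted
        self.items = {}                        # item -> quantity
        self.strikes = 0


class World:
    def __init__(self):
        self.players = {}
        self.applied_trades = set()            # trade ids already executed (idempotency)

    def add(self, p: Player) -> None:
        self.players[p.name] = p

    def move(self, name: str, x: float, y: float, t: float) -> bool:
        """Accept a reported position only if it is reachable at MAX_SPEED.

        A rejected move keeps the server's last position (the client is
        snapped back on its next update) and counts a strike.
        """
        p = self.players[name]
        dt = t - p.t
        if dt <= 0:                            # rewound or duplicated timestamp
            p.strikes += 1
            return False
        dist = math.hypot(x - p.x, y - p.y)
        if dist > MAX_SPEED * dt * SLACK:      # further than physics allows: speed hack
            p.strikes += 1
            return False
        p.x, p.y, p.t = x, y, t
        return True

    def trade(self, trade_id: str, src: str, dst: str, item: str, qty: int) -> bool:
        """Transfer qty of item from src to dst exactly once.

        Duplicate submissions (same trade_id), self-trades, non-positive
        quantities and insufficient balances are refused. The debit happens
        before the credit, so a failure can never leave both players holding
        the item; processing trades on a single server tick removes the race.
        """
        if trade_id in self.applied_trades:
            return False
        if src == dst or qty <= 0:
            return False
        s, d = self.players[src], self.players[dst]
        if s.items.get(item, 0) < qty:
            return False
        s.items[item] -= qty
        d.items[item] = d.items.get(item, 0) + qty
        self.applied_trades.add(trade_id)
        return True

    def inventory_total(self, item: str) -> int:
        """Economy invariant: trades move items, they never create them."""
        return sum(p.items.get(item, 0) for p in self.players.values())

    def flagged(self) -> list:
        """Players whose strike count has reached STRIKE_LIMIT."""
        return sorted(p.name for p in self.players.values() if p.strikes >= STRIKE_LIMIT)


if __name__ == "__main__":
    w = World()
    w.add(Player("alice", 0.0, 0.0, 0.0))
    w.add(Player("bob", 10.0, 0.0, 0.0))
    w.players["alice"].items["gold"] = 100
    print(w.move("alice", 3.0, 4.0, 1.0), w.move("alice", 30.0, 4.0, 2.0))
    print(w.trade("t1", "alice", "bob", "gold", 60), w.trade("t1", "alice", "bob", "gold", 60))
    print(w.inventory_total("gold"), w.flagged())
```

The strike counter rather than an instant ban is deliberate: a single rejected move can be lag, while a run of them is a cheat, and the conservation check is the cheap detection that catches a dupe regardless of which exploit produced it.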


SPAM and Phishing
Spam campaigns are now more aggressive for games than dating, sex, ponzi, or Nigerian prince/princess.
RMT is estimated at 10 billion.
Also safer for spammers b/c no laws exist protecting virtual goods / currencies.
=> Triviality or Economic upset kills player base

if you...
Are interested in video games
Know sec people in that industry
Want to hack something new
=> jason.haddix@owasp.org

Review
Client
Network
Server
In-Game
Wet-Ware

No games were harmed in the making of this presentation.