Thursday, January 3, 2019

The importance of being mindful of security at all times - nearly everyone is one breach away from total disaster

This is a long one - TL;DR at the end!

If you haven't heard yet: BlankMediaGames, makers of Town of Salem, have been breached which resulted in almost 8 million accounts being leaked. For most people, the first reaction is "lol so what it's just a game, why should I really care?" and that is the wrong way to look at it. I'd like to explain why everyone should always care whenever they are part of a breach. I'd also like to talk about some ways game developers - whether they work solo or on a team - can take easy steps to help protect themselves and their customers/players.

First I'd like to state that there is no practical way to achieve 100% solid security to guarantee you'll never be breached or part of a breach. The goal here will be to get as close as possible, or comfortable, so that you can rest easy knowing you can deal with problems when they occur (not if, when).

Why You Should Care About Breaches

The sad reality is most people re-use the same password everywhere. Your email account, your bank account, your steam account, your reddit account, random forums and game websites - you get the idea. If you haven't pieced it together yet the implication is that if anyone gets your one password you use everywhere, it's game over for you - they now own all of your accounts (whether or not they know it yet). Keep in mind that your email account is the basically the holy grail of passwords to have. Most websites handle password changes/resets through your email; thus anyone who can login to your email account can get access to pretty much any of your accounts anywhere. Game over, you lose.

But wait, why would anyone want to use my password? I'm nobody!

It doesn't matter, the bad guys sell this information to other bad guys. Bots are used to make as much use of these passwords as possible. If they can get into your bank they might try money transfers. If they get into your Amazon account they might spin up $80,000 worth of servers to mine Bitcoin (or whatever coin is popular at the time). They don't care who you are; it's all automated.

By the way, according to this post (which looks believable enough to be real) this is pretty much how they got into the BMG servers initially. They checked for usernames/emails of admins on the BMG website(s) in previous breach dumps (of which there are many) and found at least one that used the same password on other sites - for their admin account!

If you want to see how many of your accounts are already breached check out Have I Been Pwned - I recommend registering all of your email addresses as well so you get notified of future breaches. This is how I found out about the Town of Salem breach, myself.

How You Can Protect Yourself

Before I go into all the steps you can (and should) take to protect yourself I should note that security is in a constant tug of war with convenience. What this means is that the more security measures you apply the more inconvenienced you become for many tasks. It's up to you to decide how much is too much either way.

First of all I strongly recommend registering your email(s) on https://haveibeenpwned.com/ - this is especially important if your email address is associated to important things like AWS, Steam developer account, bank accounts, social media, etc. You want to know ASAP when an account of yours is compromised so you can take steps to prevent or undo damage. Note that the bad guys have a head start on this!

Passwords

You probably need to have better password hygiene. If you don't already, you need to make sure every account you have uses a different, unique, secure password. You should change these passwords at least once a year. Depending on how many accounts you have and how good your memory is, this is your first big security vs convenience trade-off battle. That's easily solved, though, by using a password manager. You can find a list of password managers on Wikipedia here or you can search around for some comparison articles.

Some notable choices to consider:

  • 1Password - recommend by Troy Hunt, creator of Have I Been Pwned
  • LastPass - I use this at work and it's generally good
  • BitWarden - free and open source! I use this at home and in some ways it's better than LastPass
  • KeePass (and forks) - free, open source, and totally offline; if you don't trust "the cloud" you can trade away some more convenience in exchange for taking full responsibility of your password security (and backups)

Regardless of which one you choose, any of them is 100x better than not using one at all.

Multi-Factor Authentication / Two-Factor Authentication (aka MFA / 2FA)

The problem with all these passwords is that someone can still use them if they are found in a breach. Your passwords are only as strong as the website you use them on. In the case of the BMG breach mentioned above - all passwords were stored in an ancient format which has been insecure for years. It's likely that every single password in the breach can be reversed/cracked, or already have been. The next step you need to take is to make it harder for someone else to login with your password. This is done using Multi-Factor Authentication (or Two-Factor Authentication).

Unfortunately not every website/service supports MFA/2FA, but you should still use it on every single one that does support it. You can check which sites support MFA/2FA here or dig around in account options on any particular site. You should setup MFA/2FA on your email account ASAP! If it's not supported, you need to switch to a provider that does support it. This is more important than your bank account! All of the big email providers support it: GMail, Outlook.com, Yahoo Mail, etc.

The type of MFA/2FA you use depends on what is supported by each site/service, but there is a common approach that is compatible on many of them. Time-based One-time Password or TOTP is probably the most commonly used because it's easy to implement and can be used with many different apps. Google Authenticator was the first popular one, but it has some limitations which continue the security vs convenience battle - namely that getting a new phone is a super huge chore (no backup/restore option). Many alternatives support cloud backup which is really convenient, though obviously less secure by some measure.

Notable choices to consider:

  • Authy - probably the first big/popular one after Google Authenticator came out (I think) - NOTE: They let you use it on your desktop/browser, too, but this is TOO much convenience! Don't fall for that trap.
  • LastPass Authenticator - conveniently links up with a LastPass account, some sites support extra features (like not needing to type a code, just answer a phone notification)
  • Yubikey - A real physical MFA device! Some models are compatible with phones, too.
  • Duo - this one is more geared towards enterprise, but they have a free option

Some sites/services use their own app, like Blizzard and Steam, and don't allow you to use other ones. You will probably have a few apps on your phone when all your accounts are setup, but it's worth it.

Don't forget to save backup codes in an actual secure location! If you lose your backup codes and your auth app/physical key you will be locked out of accounts. It's generally not fun recovering in that situation.

There is such a thing as bad MFA/2FA! However, anything is at least better than nothing. A lot of places still use SMS (text messaging) or e-mail for their MFA/2FA implementation. The e-mail one has the most obvious flaw: If someone gets into your email account they have defeated that security measure. The SMS flaws are less obvious and much less likely to affect you, but still a risk: SMS is trivial to intercept (capture data over the air (literally), clone your SIM card data, and some other methods). Still, if you're not a person of interest already, it's still better than nothing.

What Does This Have To Do With GameDev?

Yeah, I do know which subreddit I'm posting in! Here's the section that gets more into things specific to game development (or software development in general).

Secure Your Code

Securing your code actually has multiple meanings here: Securing access to your code, and ensuring your code itself is secure against exploitation. Let's start with access since that's the easier topic to cover!

If you're not already using some form of Source Control Management (SCM) you really need to get on board! I'm not going to go in depth on that as it's a whole other topic to itself, but I'll assume you are using Git or Mercurial (hg) already and hosting it on one of these sites (or a similar one):

First, ensure that you have locked down who can access this code already. If you are using private repositories you need to make sure that the only people who have access are the people who need access (i.e. yourself and your team). Second, everyone should have strong passwords and MFA/2FA enabled on their accounts. If 1 person on the team does not follow good security practices it puts your whole project at risk! So make sure everyone on the team is following along. You can also look into tools to do some auditing and even automate it so that if anyone's account becomes less secure over time (say they turned off MFA one day) they would automatically lose their access.

Additionally you should never commit secrets (passwords, API keys, tokens, social security numbers, etc) to your code repository. Probably 90% of cases where people have their AWS/Google Cloud/Azure accounts compromised and racking up huge bulls for bitcoin mining is due to having their passwords/keys stored in their git repo. They either accidentally made it public or someone got access to the private repo through a compromised account. Never store sensitive information in your code repository!

Next topic: Securing your code from vulnerabilities. This one is harder to talk about for game dev as most engines/frameworks are not as susceptible to these situations as others. In a nutshell, you need to keep track of the following:

  • Is my code doing anything "dangerous"? (system-level stuff, memory access, saving passwords anywhere)
  • Could someone get the keys to the kingdom (API key, server password, etc) by just opening Cheat Engine and looking at memory values? Or doing a strings/hex edit/decompile/etc on my game executable?
  • Am I using outdated libraries/framework/engine? Do they have any known security bugs?

A lot of these things cannot be solved automatically, unfortunately, but some of it can. If you are using Javascript for your game you likely will be using packages from npm - luckily they (recently) added security auditing for packages. For other languages you can look at tools like Snyk or some other alternatives to audit the libraries you use in your project. Unfortunately none are particularly aimed at game dev in particular, but it's still important to use these tools when you can. In general, be aware of all of your code dependencies and what impact they can have on your game or your customers if there are security bugs. Impact can range from "can cheat in multiplayer" to "can get IP addresses of all players in the world" or even "can get all information I ever put on my server", etc.

In general you'll want to look into Secure Software Development Lifecycle (commonly SDLC) practices. Microsoft has some information on how they do it.

Secure Your Computer

I'm not going to go in depth on this one because at this point everyone should have a handle on this; if not there are limitless articles, blogs, and videos about the how/what/why. In summary: Keep everything updated, and don't open suspicious links.

  • Update your OS for security updates ASAP
  • Update your web browser ALWAYS (this is your 99% chance attack vector, so don't postpone it!)
  • Don't install browser extensions that you don't need - a LOT of extensions are either malware from the start or become malware later (my favorite emoji extension started mining bitcoins, FFS!) - check reviews regularly after extensions update
  • DO use adblock and privacy extensions - ads are a common attack vector - I recommend uBlock Origin and Privacy Badger at a minimum (note that some legit sites can break and so you'll have to fiddle with settings or whitelist)
  • Don't open suspicious or unknown links on e-mail, social media, discord, etc (be sure to hover over the links in this post before clicking them)
  • Don't open attachments, ever - unless you were expecting it from that person at that time
  • Don't fill out ANY forms (comments, login, registration, etc) on websites that don't have HTTPS (secure) connection - your browser will show this in the address bar, usually
  • In general, be suspicious of everything that comes from people you don't know - and even from people you do know if it was unexpected
  • E-Mail is (probably) the least secure form of communications ever invented - so try not to use it for sensitive things

Secure Your Website

I will have to add more to this later probably, but again there are tons of good articles, blogs, and videos on these topics. Hopefully the information in this section is enough to get you on the right track - if not feel free to ask for more info. Lots of guides can be found on Digital Ocean's site and they are relevant even if you don't use DO for your servers.

  • Use HTTPS (SSL/TLS) secure connections - it's FREE and EASY thanks to Let's Encrypt
  • Don't think your website needs HTTPS? You're wrong; check here if you don't believe me
  • KEEP EVERYTHING UPDATED - automate as much as you can
  • If you have control over the server, you MUST update the OS, the web server, and any backend application servers/languages/frameworks involved. Equifax breach was due to having out of date server software. BMG breach was worsened by having out of date server software. YOU MUST STAY UPDATED, ALWAYS
  • Don't store sensitive personal information - it's a huge pain to be PCI compliant, it's a huge fine if you mess it up - avoid storing any customer information that you don't actually need (see also: GDPR)
  • Use secure password storage (salt + secure hash method) - do NOT reinvent the wheel, this has been solved already by smarter people than all of us combined
  • Follow OWASP Top 10 guidelines - especially if you built the website yourself
  • Do not allow access to SSH/Remote desktop/Database services from the whole world; the general public should only ever be able to reach ports 80 and 443 on your web server (and 80 should permanently redirect to HTTPS)
  • Use SSH keys instead of passwords on Linux servers
  • Don't run your own email server - it's just not worth it; use google apps for business, office 365, zoho, or something else for business email
  • Secure your domain registrar account! Don't lose your domain to a bad password or lack of MFA/2FA or an old email address! If your registrar doesn't support actual security then transfer to one that does. (namecheap, namesilo, google domains, amazon aws route53, even godaddy, the absolutely worst web company, has good security options)

A lot of this will apply to your game servers as well - really any kind of server you expect to setup.

That's it, for now

I ran out of steam while typing this all up after a couple hours, but I may revisit it later to add more info.

TL;DR (y u words so much??)

  • Use a password manager so you can have different, random, secure passwords on every account on every website/service/game
  • Use MFA/2FA on every account, if possible
  • Update your operating system (we all hate Windows Update, but it really is for our own good)
  • Update your browser
  • Use good adblocker/privacy blocker browsers extensions
  • Don't use browser extensions that you don't really need (they could be a trojan horse of bitcoin mining later)
  • Don't trust anything sent by anyone, unless you were expecting it and know it's safe
  • E-mail is the least secure form of communications in use these days; don't trust it for sensitive things
  • Use source control for your game code (git, mercurial, etc)
  • Lock down access to your source code
  • Don't put secrets (passwords, API keys/tokens, social security numbers, credit card numbers) in your code repository
  • Don't do dumb things like store your AWS keys in your game for players to just find with simple tools
  • Check your code dependencies for security bugs, update them when needed
  • Use HTTPS on your website
  • Update your web server OS and software
  • Use secure password storage (don't reinvent this wheel, it's solved by way smarter people)
  • Use SSH keys instead of passwords for Linux servers
  • Use a firewall to block the world from getting in with SSH/Remote desktop/database direct connections
  • Only allow your own IP address (which can change!) into the server for admin tasks
  • Don't run your own email server, let someone who knows what they are doing handle that for you
  • Secure your domain registrar account, keep email address up to date

Why Should I Trust This Post?

Hopefully I have provided enough information and good links in this post that you can trust the contents to be accurate (or mostly accurate). There is certainly enough information to do some searches on your own to find out how right or wrong I might be about these things.

If you want my appeal to authority answer: I've been working at a major (network/computer) security company for almost 7 years as a software developer, and I've had to put up with pretty much every inconvenience brought on by security. I've also witnessed the aftermath of nearly every type of security failure covered in this post, via customers and the industry at large.



No comments:

Post a Comment