Friday, April 29, 2011

4 Tips for Safer Gaming

Did you recently receive an e-mail from the PlayStation Network (PSN) informing you that your personal information may have been lost? If so, you're one of many victims on a growing list for this year. Many hospitals, universities, and major companies such as Epsilon and Sony have all suffered similar data breaches in the first four months of 2011. Although data breaches are spreading to new horizons such as social networking and electronic health records, console gaming and associated processing systems are target rich environments that have been overlooked. This recent PSN breach serves as a wake-up call, drawing attention to the trust consumers put into these systems.
Whether you were affected by this breach or not, if you're a gamer you're probably wondering what you can do to bolster your security while gaming online. Based on our knowledge in network security and risk management paired with our team's personal experiences in online gaming, we've written a list of four potential steps you can take to play online, but keep your personal information as safe as possible.
1) Trust No One
We are being reminded on a fairly regular basis that our assumptions of trust in the online environment are unfounded.  We may use visual indicators like a visually appealing online presence, padlock icons, highlighted urls and ‘hacker safe’ logos to help justify moving forward with online transactions and information submissions, however they are no indicator of *actual* security.  Every single time you submit information to anyone, via phone, web form or jamming your credit card number into your gaming console, please stop and ask yourself “What would a bad guy do with this information?”  If your answer would hurt your bank accounts, credit or present issues with identity theft consider other options.  Specifically concerning transactions, review the alternative payment methods below.  Further, consider having non-critical email account(s) available for more trivial registrations.  The idea is to limit your exposure and risk. You will never eliminate risk entirely, but taking steps to limit damage can go a long way.
2) Utilize an Alternative Payment Method (Reduce your personal risk.)
Based on the recent loss of information, you may be less apt to trust online gaming networks with your information. Although little can be done to protect your contact information, it is possible to limit the exposure of your payment card data. Rather than exposing your card number, authentication code, and expiration data, consider these alternatives. Cards with points or credit in the gaming network can be purchased at many reputable retailers. These cards can be used to purchase items, games, and add-ons in the gaming network without exposing credit card data to them. Furthermore, it may be appropriate to leverage a limited use credit card. These cards may be generated by your online banking provider for one time use. Alternatively, consider using one of the many payment cards available with very low limits or allocated funds. Many banks offer a system in which parents can give their children cards with a certain cash value on them and refill the cards when needed. These cards may be ideal for less trusted vendors.
3) Segment your home network
In many ways, a console gaming system is like a network appliance. You have very little or no control over the software deployed on the system or how it interacts with the environment. In fact, many console systems use the universal plug and play (UPnP) protocol to open your home network up; establishing communications channels and opening ports to the outside. All of this is done with your implicit consent and, if you'd like to continue to participate in first person shooter (FPS) fun, you can't restrict those features.
Systems of this sort are often trusted less than others because they cannot be controlled or secured in the same fashion as PCs. When two distinct trust levels are present on a network, segmentation should be put into place.  This segmentation, or grouping, of systems will help prevent attacks which depend on being in the same logical network as other systems.  These attacks include man-in-the-middle style attacks and traffic analysis.  These types of attacks could be used from a gaming console to intercept sensitive information between your PC and retailers or online banking systems.
Although it would be nice to implement a full featured firewall between your PCs and the gaming systems, an alternative type of segmentation is possible with many home routers. New routers often include segmentation features such as VLANs. You can assign the gaming console(s) in your environment to a VLAN separate from the rest of your systems. This will limit inadvertent exposure of PCs using gaming ports and keep gaming consoles on their own network.  Of course, the underlying assumption here is your gaming console is not used as a media center requiring internal network communication - in which case more advanced preparation and setup may be required.
The following is a list of major, consumer-grade router manufacturers. Consult their website to determine whether or not your router supports network segmentation features, such as multiple VLANs:
  • DLink
  • Belkin
  • Cisco / Linksys
  • If your router does not support VLANs in vendor provided firmware, a custom firmware may be available which will enable this feature. If you are comfortable applying custom firmware (CFW) to your router, consider applying OpenWRT or DD-WRT to enable advanced features.
4) Consider the source of software
At the heart of a gaming console is a computer, one which has been optimized for accomplishing a single purpose, but a computer nonetheless.  As a result, we should treat consoles more like our PCs. If a website were offering a custom version of a popular operating system, such as Windows or OS X, wouldn't you be wary of applying that to your computer? We should apply the same logic to custom firmware and console gaming software available on the internet. A common attack against PCs is to backdoor pirated software or video games and then make the software available on peer-to-peer networks.  This attack vector would be highly effective against console gaming systems by deploying malicious game software or CFW.
Be wary of this software, evaluating and vetting software as much as possible before deploying it. CFW is not a bad thing and should be respected for the capabilities it provides consumers, but it should also be considered carefully by consumers as these CFWs become system level objects on gaming consoles when they are applied. This means that they have control over all aspects of the system.
Confirm the hash values of software against known, good values where possible to ensure that the software has not been changed or corrupted. Try to gather software from reputable sources as applicable.
The simplest answer to securing your information in this venue is to stop gaming online, but what fun is that? Keep these five things in mind to game safer and protect your personal information using a risk based approach.