Hack and Slash: Hacking Games
for Fun & Profit
A Journey through securing the video game ecosystem
Hello – I’m Eoin
Eoin Keary - CEO/Founder - edgescan
Delivering 1000’s Cybersecurity Assessments every month
15 years Web Development and Cyber Security
Global Board Member of The Open Web Application Security Project (OWASP.org) – 2011 to 2015
Gamer since 1983 and still going!! – (Not a very good one)
edgescan and Gaming
Global Gaming clients
Helping secure millions of users daily
Delivering 1000’s of assessments in the gaming sector
every month via SaaS
Fullstack Security of Gaming platforms
Integration into DevOps environments (DevSecOps)
“The convergence of connectivity, functionality and of
multiple mediums has greatly increased the Attack
Surface of modern gaming.”
The attack surface of a software environment is the sum of the different
points (the "attack vectors") where an unauthorized user (the "attacker") can
try to enter data to or extract data from an environment… - Wikipedia
• Micropayments/Loot boxes
• Cloud Instances
• Data Centre Infrastructure
• Services and Ports
• Voice Channels
• Social Communities
• Item Trading
• Web Applications
• Mobile Portals
Protecting Modern Attack Surface
Video games should employ a number of security features that should be implemented in any
software that has access to sensitive data or sensitive functionality.
Client-side security will always fail. The preferred solution is to check periodically with a server to
validate that there have been no modifications to the game and that everything is performing as
Vulnerabilities will be discovered. There needs to be a means of patching those vulnerabilities as
soon as possible. Minimising on client interruption.
If attackers can step through the source code (debug), there’s good chance they will find a way of
circumventing controls to their advantage.
Obfuscation is not about a security controls but rather raising the bar of entry to attackers. It
slows an attacker down giving you time to fix issues.
Runtime integrity checks.
Protect software from piracy and having software be used as a vector for injection attacks.
Stolen Credentials and Accounts
Steal Loot / Items and sell those items and currency to
other players (for real money) or wholesales them to
online grey markets.
Password Reuse – “One ring to rule them all”
Same passwords used for social media, web mail,
payment processing etc.
Source Code / Intellectual
Property (IP) Theft.
Bigger than Some Banks
Stats from the real world
Real World Example
Example Gaming Company
• Over a 12 month assessment period.
• Fullstack (Cloud/Datacentre/Apps)
• 25 - Social platforms, community portals,
• Infrastructure: 30,000 endpoints - AWS, Data
Centres, Game servers etc
• 360,000 Assessments in total
125 Vulns discovered.
5% of vulns were Critical risk
9% of vulns were High Risk
Average time to fix: 4 months
Fastest time: 1 day
Longest time: 6 months
Vulnerability Types & Attacks
Client-side Vulnerabilities (Attacking the user):
XSS, Session Hijacking, Account Theft, Malware
Crypto Vulnerabilities (Attacking Privacy):
Vulnerable Libraries (Old components):
Old Known Vulnerabilities:
CVE's - No Patching, Unsupported services, Mis configured servers.
Backend Servers, SQL Injection, DNS Attacks, VoIP attacks
Leverages known vulnerabilities as a result of poor patching or slow updates
Continuous Asset Profiling
Change can introduce risk
Constant change requires continuous profiling.
Keeping the lights on detecting change, hence risk
Source Code/New Functionality
Even when “standing-Still” change occurs around us.
Alerting and Real time visibility
Alerting on what matters –systems/services
Alerting based on Criticality – Acceptable risk
Compliance related alerts – Compliance (duh..)
“Opportunities present themselves every day -
to everyone. You just have to be alert and
ready to act.”
- Marc Ostrofsky
WAF (Web Application Firewalls)
Rule Generation & Virtual Patching
SIEM (System Incident Event Management)
Vulnerability Data / Correlation Data with events
GRC (Governance Risk and Compliance)
Bug Tracking (Fee Vulns into the Development Lifecycle)
Vulnerabilities as Bugs.
edgescan Training Material:
• Secure application development training material – free to use internally in your company.
• Basis for testing web application technical security controls
• Provides developers with a list of requirements for secure development.
There is no conclusion, this is not near over………
Security is a real “thing”.
More Features, More Data, More Users, More footprint, More issues, More Risk – All
we can do is consider & manage it.
Security is not point-in-time, either is code, what is??
Even a stopped clock tells the right time twice a day.