by Guillaume Lovet  |  Feb 08, 2011  |  Filed in: Security Research

Today is the eighth annual Safer Internet Day, a global initiative that promotes safe and responsible use of online technology and mobile phones, especially among children and young people around the world. This year’s theme is “Virtual lives: It’s more than a game, it’s your life.”

The topic of 'virtual lives' encompasses online gaming – from simple games to MMOGs (Massively Multiplayer Online Games) – and social networking, the two most popular online activities with today’s youth. In recognition of Safer Internet Day, we thought it would be helpful to share some insights on the security issues related to e-gaming and social networking:


**Beware the Cracks and Patches**

The dangers of online gaming do not lie in the game itself, but rather in small cracks and patches that are easily found on the Internet and are used to enable or modify games. Cybercriminals know players are craving those, and as a consequence, P2P networks are infested with rogue patches and cracks, which are in fact Trojan horses or worms. They may be banking Trojans going straight after the user’s online banking credentials, or bots used to relay spam, host illegal content or launch distributed denial of service (DDoS) attacks. Or they may be specialized "gaming Trojans."

**Gaming Trojans**

Gaming Trojan infections are not limited to rogue cracks and patches - they may be installed via any other traditional infection vector (email, malicious Website, social networks...) - and go after the player’s gaming accounts, stealing the credentials at login. Once the credentials are obtained, the cybercriminals may transfer (in-game or not) valuable items and characters sitting in the stolen account. Those are then sold on eBay and the like. For instance, a high-level World of Warcraft character can sell for more than $500.

**Social Networking**

Today, social networks such as MySpace, Facebook and Twitter have surpassed their fundamental function as a means to stay connected with family and friends to become the main scene of a social life. However, those virtual environments are not always safe. There are three main social network threats to know about:

  1. Malware - the Koobface worm has been scouring Facebook for a long time, and has been spotted on Twitter as well. Infection is achieved via social engineering, as users are mostly misled into clicking on malicious links embedded within personal messages impersonating a friend.
  2. Privacy - People tend to reveal too much personal information online, for instance, their social circles, comments, family photographs, working places, date of birth, etc. Left in the hands of unscrupulous cybercriminals or rogue app developers, this information can be used to:
     • Answer the so-called security questions used to enable access to online services (e.g., webmails) in case you “lost your password” (remember Sarah Palin's webmail hack?). This leads to effective identity theft.
     • Craft personalized messages to serve as infection vectors in targeted attacks.
  3. Site Security - Being highly dynamic and having numerous features, social networking services are good candidates for server-side flaws (XSS, CSRF, Clickjacking...), which empower an attacker with the ability to hijack targeted accounts; a fistful of such flaws go public every year and are quickly patched, yet some more may be used in the underground. Another recurrent design flaw (choice?) of such sites is the lack of encryption of the HTTP connection by default - or at all. This also allows for easy account hijacking when connected to a public access point with low security (two words: firesheep).

In order to defend against these threats, users should exercise caution when a message sounds odd (especially if it entices you to watch a video). Never install codecs when a site prompts you to: popular online streaming video sites such as YouTube use Flash, so you don't need video codecs. As for privacy and site security, one may harden her assets (enable HTTPS connections, use plugins such as NoScript), but generally speaking, it's good advice to consider that all the information you put on social sites is public. Thus, for instance, a potential recruiter or cybercriminal, etc., may be looking at it.
