Kurt Roemer on user privacy and security in social games

Published: 2012-03-06 09:48:39

Author: Joe Osborne

If you have played social games on Facebook, you have very likely seen scam messages. But the security problems go far deeper than News Feed posts like "We promise, there's free Farm Cash here!" The real reason is that, compared with other web services, Facebook and Google+ are more exposed to wide-scale attacks.

In fact, there are already rumours that the hacker group Anonymous plans to attack all web services next month. Threats like this never end, and they are hard to track and defuse. In a recent interview, Citrix Systems Chief Security Strategist Kurt Roemer shared his views on the threats social networking sites may face and on how to play games safely on Facebook, Google+ and mobile.

secure-facebook(from games)

What are the most common security threats on Facebook, Google+ and mobile today? How should players avoid them?

Take Facebook as an example: anyone can sign up using someone else's information, and Facebook verifies very little. As long as I know a few things about you, I can register in your name. If you are not on Facebook, I can easily act as you.

In the past Facebook had many bugs where friends could see the applications each other was using. Now you must keep checking your privacy settings to make sure you are not leaking your email address, the games you play, your location, who your friends are, and other information that matters to you from a privacy standpoint.

Do you think there are threats that could affect players' financial security?

I've watched my son Kevin play games; players spend a lot of money in-game on add-ons. Right now, he can use my credit card to buy a $10 add-on. He might buy as many as ten a day, and I would only find out the next time I check the account.

Software can also have bugs introduced into it, and someone could add auto-clicking ads, meaning you could automatically pay for services you never intended to buy. This is already a problem worth attention today. As NFC (near-field communication) and Google Payments come to mobile devices and more people use these services in their lives (gamerboom note: including in games), the problem will persist.

How likely is a wide-scale, crippling attack on a platform like Facebook or Google+?

Look at groups like Anonymous: they claim they will bring down the global Internet on March 31 by attacking all the DNS servers. They may also launch attacks during the NATO Summits in Chicago in May. Fundamentally, they certainly have the means and tools to attack any company or enterprise.

They haven't yet targeted social networks like Facebook, but tools like Firesheep have appeared that can browse and read what people on the same wireless network at Starbucks are posting on Facebook. Innovation in attacks, and the number of people getting into and taking control of these systems, will only keep increasing.

In the past, games were locked into ROM and seeing the code was very difficult. Now, reverse-engineering these web protocols is very simple; hackers can see what is happening and manipulate it. Game companies must assume that someone is manipulating client data: you cannot fully trust anything coming from the mobile platform, and you must validate all of it.

When a player is hit by a security threat through a mobile or web social game, what steps can be taken to recover the loss?

The first thing players should do is note what they were doing at the time and what happened. Then they should report it through the gaming platform. Professional gaming platforms normally have a reporting channel, because they want to make sure gameplay is fair.

Any professional platform has such a service; they will investigate what happened and then patch the hole. A game company cannot let itself be held hostage by people who attack the game. If that were the case, players would stop playing.

Aside from keeping passwords secret and avoiding scam messages, what can players do to play games more safely on Facebook and other social networks?

If you use Windows, you need to make sure the system is patched and the operating system is updated, install anti-virus software and so on. Don't run under an administrator account, so that you don't have excessive privileges. Many other platforms, such as iOS, take care of security concerns for you. On those platforms you don't need to worry as much about security.

Choose complex passwords, and don't use the same password on multiple sites and games. If someone can obtain the password you use to log into one game, and you use exactly the same password on Facebook, they can get at your other information. If you are worried about problems with transactions, make sure you understand the transactions you are making, or put limits on some of them.

Don't use a credit card with a high limit; on some gaming platforms you can use a one-time credit card or one with a relatively limited credit line.

security setting(from games)

How effective do you think HTTPS on Facebook and other social gaming platforms is for players?

HTTPS only provides more encryption between the back-end web server and the computer or mobile device. Its role is to stop others from viewing users' information over wired or wireless networks. The Firesheep tool I mentioned earlier only works in environments without SSL.

But that only protects one part; it does not cover the mobile platform the player is gaming on. It does not verify the user's identity, and it doesn't really help with back-end security. It does, however, ensure that data in transit cannot be manipulated.

Do you think future developments in game development technology on social networks, such as HTML5 and the streaming technology offered by services like Gaikai, can improve players' security? How can we prepare now?

HTML5 is designed with security in mind; it is an open standard that anyone can use, but it is still executed through the browser. And the browser is the least secure application on any device, so you can expect such games to have security problems too.

Even with HTML5, you can get in and manipulate the DOM (gamerboom note: the Document Object Model), and thereby directly manipulate any object shared between client and server. This means every developer making games needs to make sure users don't make critical decisions on the client, and that anything sent from the client is double-checked and verified before it is accepted.

Streaming games feel great to play. But from a security perspective, you are simply relying on someone else's security measures. For that reason, this won't become a widely accepted industry standard, because it could create serious security problems.

facebook (from games)

Generally speaking, what's your view of the current state of security in social games? How can the overall security of games be improved?

When looking at security in social games, I hope developers put it at the very top of their priorities. You might think an occasional slip is acceptable. But everyone can play the game, so someone else might exploit a flaw to cheat you.

If a game developer doesn't consider security, they will bring a lot of trouble on themselves. You first need to think about how someone else might cheat or manipulate the system, then design and patch around that weakness. You also need to watch how people use the game; if you can work with people who are highly creative and good at setting rules, the problem can be solved quickly.

As a player, keep an eye on forums and Twitter related to the game. That way, when a problem with the game is found, it is easier to learn whether you did the same thing earlier. I think this is the most positive way of eliminating flaws: no problem can hide, because anyone can post it to Twitter within seconds and spread it widely. (This article was translated by gamerboom/gamerboom.com; reproduction without retaining the copyright notice is refused; to reprint, please contact gamerboom.)

Everything you need to know about security in social games

Joe Osborne

If you’re playing social games on Facebook, chances are you’ve at least seen the scam attempts. But security issues go far deeper than News Feed posts that claim “There’s free Farm Cash here, we swear!” Truth is Facebook and Google+ are just as vulnerable to a wide-scale attack à la Sony’s PlayStation Network debacle of 2011 as any other web service.

In fact, word on the street is that hacker activist group Anonymous plans to attack all of the Internet later next month. The threats don’t come close to stopping there, and it’s tough to keep up.

So, we sat down with Citrix Systems Chief Security Strategist Kurt Roemer to get a better idea of what to expect, how to stay secure while gaming and his take on the state of secure gaming on Facebook, Google+ and even mobile.

What are the most common security threats to social gamers on Facebook, Google+ and mobile today, and what can players do to avoid them?

When you take a look at Facebook, people are able to sign up with minimal credentials, and Facebook really doesn’t validate anything. I could basically sign up as you, Joe, just knowing a couple of things about you, and if you weren’t on Facebook I could pretend to be you very easily.

There have been several bugs in Facebook in the past where a friend of a friend would have visibility to applications used by friends. You have to constantly be reviewing your privacy settings to make sure that you’re not giving up your email address, what games you’re playing, what your location is, who your friends are and several other things that are very important to you from a privacy perspective.

Are there any security threats that you think could hurt a player’s financial security?

I even look at my son Kevin when he’s playing games–there’s a lot of additional money that you have to spend on add-ons. That money adds up, and a lot of times when you establish the account it’s just out there. He can go in with my credit card right now and be able to buy a $10 add-on. Well, he could buy 10 a day and I wouldn’t know until the next time I check the account.

There could also be a bug in the software or somebody could pull up an ad that is auto-clicking on all this and paying for services that you don’t really intend. That’s a real problem today with the way a lot of this is stored. But it’s going to be a continued problem when things like near field communication and Google Payments roll onto mobile devices and more people are using them for more of their life, including gaming.

What’s the likelihood of some wide-scale, crippling attack to happen on a platform like Facebook or Google+?

You look at groups like Anonymous, and they’re saying they’re gonna bring down the Internet on March 31 by attacking all of the root DNS servers. And they’re gonna be having all of these attacks on corporations during the NATO Summits in Chicago in May. They definitely have the wherewithal and the tools to be able to go out and attack basically anyone.

They haven’t targeted Facebook and other groups haven’t, but there have been tools like Firesheep that can go through and read exactly what other people are doing in Facebook that are sitting there in the wireless network with you at the local Starbucks. The innovation in attacks and people being able to get in and manipulate these systems is really only going to increase.

In the past, the games were locked into a ROM and it was very difficult to see the code. Nowadays, it’s very simple to reverse-engineer any of these web protocols, read what’s going on and be able to manipulate. Really, you have to assume, if you’re the gaming company, that people are manipulating data on the client, you can’t trust anything that comes from the mobile platform and you have to validate everything.

When a player suffers a security breach through a social game on mobile or on the web, what are the usual steps to reverse the damage?

The first thing that players should do is take note of what they were doing at the time and exactly what happened. Then they should get on and report it through the gaming platform. You know, any professional gaming platform is going to have a way to report this, because they want to make sure the gameplay is fair. Let’s face it: If the gameplay’s unfair, it really should be because of superior skills, not because of inadequate security.

Any of the professional platforms are going to have a way to report this, be able to go back and look at what happened and rectify the situation. You can’t have somebody beating you just because they were able to hack the game. If that’s the case, people are going to stop playing the game.

Aside from keeping passwords private and avoiding scams, how can players play games on Facebook and other social networks more securely?

If you’re on Windows, you need to make sure it’s patched and up-to-date and anti-virus–all things that people tell you how to do. Don’t run [in Windows] as an administrator so that you don’t have too many rights. Many of the other platforms kind of take care of that for you, like iOS. There’s not a lot you have to worry about there.

Pick strong passwords and don’t use the same password across multiple sites and games. If somebody can read your password going into just one game, and it’s the same password you use everywhere else including Facebook, it can really mess with you then. If you suspect that there’s a problem, make sure that you understand what’s being paid in there as well and hopefully be able to restrict some of the transactions.

Instead of leaving a credit card out there that might have $1,000 of available credit on it, you might want to use one of the one-time-use credit cards for some of the gaming platforms, or one of the cards that has limited value.

How effective do you think HTTPS on Facebook and other social gaming platforms is for gamers?

HTTPS just provides more encryption between the laptop or mobile device and the web server on the back end. What it does is it keeps people from being able to see information going across the wire or wireless network. The tool that I had mentioned before, Firesheep, only worked because there wasn’t SSL [Secure Sockets Layer].

That only covers one portion of the equation. It doesn’t cover anything in terms of the mobile platform that somebody is gaming from. It doesn’t verify the identity of the user and it doesn’t really help with security on the back end. But it is an essential piece in making sure that you can’t manipulate data that’s in transit.

What do you think future developments in gaming technology on social networks, like HTML5 and streaming through services like Gaikai, could mean for gamers’ security? What can we do to prepare for that now?

HTML5 is being designed with security in mind, and it’s an open standard that anyone can address, but it’s still implemented through browsers. And the browser has typically been the least-secure application on any device, so you can plan on there being continued problems.

Even with HTML5 you can get in and manipulate the DOM, called the document object model, and be able to directly manipulate any objects that are shared back and forth between the client and the server. Really what it means is that any vendor that is making one of these games needs to make sure that critical decisions aren’t made on the client, and anything that is sent from the client is double-checked and verified before it’s accepted as true.

Streaming games are great to play. But from a security perspective, typically you’re relying on somebody just picking their own streaming method and sending that down and often requiring some plug-ins to support it. Because of that, if it’s not a widely-accepted standard that’s much more unique, usually there’s going to be security issues as a result.
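The server-side rule Roemer states in this answer (and in the "validate everything from the client" answer earlier in the interview) shown as code: an added example, not from the interview or from Citrix. The item catalog, the per-account daily cap and the account structure are constructed assumptions; the vulnerable handler trusts the client's reported price, the hardened one decides price and spending limit on the server and bounds the "ten $10 add-ons a day on my card" case.

```python
from dataclasses import dataclass, field
from datetime import date

# Authoritative price list kept on the server (constructed sample data).
CATALOG = {"add_on_basic": 10.00, "add_on_deluxe": 25.00}


@dataclass
class Account:
    """Per-player state held server-side; spent_today maps a date to money charged."""
    spent_today: dict = field(default_factory=dict)
    daily_cap: float = 20.00  # hypothetical per-account spending limit


def purchase_trusting_client(account: Account, request: dict, today: date) -> dict:
    """Vulnerable pattern: the critical decision (what to charge) is made by the client.

    A player who edits the DOM or replays the HTTP request can report any price,
    and nothing bounds how many purchases go through in a day.
    """
    charge = float(request["price"])
    account.spent_today[today] = account.spent_today.get(today, 0.0) + charge
    return {"ok": True, "charged": charge}


def purchase_validated(account: Account, request: dict, today: date) -> dict:
    """Hardened pattern: everything the client sends is double-checked on the server."""
    item = request.get("item")
    if item not in CATALOG:
        return {"ok": False, "reason": "unknown item"}
    price = CATALOG[item]  # the server decides the price; the client's value is only a hint
    if "price" in request and float(request["price"]) != price:
        # A mismatch means the client was tampered with: reject it and leave
        # the record for the platform's reporting/abuse process.
        return {"ok": False, "reason": "price mismatch"}
    spent = account.spent_today.get(today, 0.0)
    if spent + price > account.daily_cap:
        # Bounds the "ten $10 add-ons a day" scenario described in the interview.
        return {"ok": False, "reason": "daily cap exceeded"}
    account.spent_today[today] = spent + price
    return {"ok": True, "charged": price}


if __name__ == "__main__":
    today = date(2012, 3, 6)
    tampered = {"item": "add_on_basic", "price": 0.01}  # constructed tampered request
    print(purchase_trusting_client(Account(), tampered, today))  # charges 0.01
    acct = Account()
    print(purchase_validated(acct, tampered, today))  # rejected: price mismatch
    for _ in range(3):  # third honest purchase is rejected by the daily cap
        print(purchase_validated(acct, {"item": "add_on_basic"}, today))
```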

Generally speaking, what’s your take on the state of security in social gaming, and what can be done to improve it overall?

When you look at security in social gaming, I would liken it to Battleship. Every once in a while you’d figure out, ‘Oh, I can move the ship or lie about a hit or a miss.’ Now, multiply that by everybody you’re playing with, and know that people can pick up the ships, can lie about their positions and move things around.

If you don’t take that into account as a game developer, you’re gonna have some real problems on your hands. You need to think about, first of all, how somebody could cheat or manipulate the system, and then design around that. You really need to be watching as well, how people are using it, and if you do get somebody who’s very creative and able to work around the rules, very quickly address that.

As a user as well, keep up to date on forums and Twitter messages associated with the game, so if there is a problem that gamers need to be aware of, they have more information available to them now than they would have in the past. I guess that’s one big positive: It’s harder for the problems to hide, because everybody can get this out on Twitter in seconds. (Source: games.com)

