BACKGROUND:
A Chinese game developer has accidentally leaked nearly six million player profiles for the popular title Battle for the Galaxy after misconfiguring a cloud database. The WizCase research team made this discovery containing 5.9 million player profiles, two million transactions, and 587,000 feedback messages.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics
<p>It’s not all fun and games when a game developer of your favorite title accidentally leaks player profiles containing users’ sensitive PII. The perception that game profiles don’t contain much if any valuable information is incredibly faulty. The linkages that users set up—often using their social media account credentials to create gaming accounts and profiles—capture a much larger swath of usable information for threat actors, enabling the targeting of users who spend larger amounts of money on the game. Gamers need to be aware of the types of data they are giving to the game directly or through linking accounts, and they need to hold game developers and hosting companies accountable for protecting it.</p> <p> </p> <p>On the other side of that coin, gaming organizations need to take data privacy much more seriously, building into their data infrastructures more than just the bare minimum level of security. Given that they collect potentially valuable data from users, their strategy should be data-centric, with an assumption that threat actors might try to get to this cache of information. When you protect the data itself, rather than the perimeters around it, with methods such as tokenization or format-preserving encryption, you obfuscate the sensitive parts and render it incomprehensible and useless to hackers. Better yet, data-centric security is not dependent on protected borders and travels with the data. These organizations need to level up their ability to thwart deliberate attacks or inadvertent leaks through a data-centric approach to protecting their customers’ user profiles and PII.</p>
<p>With the prevalence of misconfigured databases, it’s clear that some teams lack the ability to confirm they are using a secure configuration for their production systems. There are a number of potential remedies, but one of the simplest is to define an exception based update model for configuration settings. Under this model, an audit level review of configuration data is performed to create a set of approved configuration settings and files. Any update to those previously approved settings then requires that same audit level review for the changes, and current configuration is always validated against approved settings. While there are a number of technologies that can be used to implement exception based updates, this is a case where a well defined process with automated checks is far more valuable than the technology implementing the process.</p>