Games People Play

Carl Weinschenk

Earlier this week, South Korean security vendor AhnLab said that a growing number of hackers are going after credit card numbers and other vital information put online by gamers. This Chosun story also reports that Symantec says hackers increasingly are attacking game sites in Korea, Japan and China.

 

Gaming is growing and, despite the fact that it is by definition a leisure time activity, must be scrutinized by security staffs. Any doubt of the importance of game site security is answered in this video interview at Second Life Online with Greg Hoglund, the co-author of "Exploiting Online Games: Cheating Massively Distributed Systems." Said Hoglund:

Online games, especially MMOs, are the most advanced multi-user application ever built. You have other hosted online applications like your accounting system, QuickBooks or something like that. But those are Web-based. These are complete standalone clients with their own protocols, and they have a lot more traffic going over the system and they have a lot more simultaneous users... The people who built these games come up with good secure methods of reducing risks and costs such as hacking. They should be writing papers on this because people who build other non-gaming applications can learn a lot from the architectures and the approaches they are taking.

Gary McGraw -- who co-wrote the book with Hoglund -- discusses ways in which people cheat in these massive games in this SecurityFocus piece. McGraw first points to the massive number of simultaneous players and describes the way in which all the games are kept synchronized. The piece deals with some of the considerable security threats. The bottom line is simple: Online gaming is a tremendous security challenge.

 

The structure is the problem, it seems. This TechNewsWorld piece says massive multiplayer online (MMO) games -- it offers World of Warcraft and Everquest II as examples -- rely on downloading a large portion of the software to client PCs. That's a problem, of course, because there is no way to control what the user does with the code. Thus, the platform is inherently insecure. This structural flaw is exacerbated by the fact that the popularity of MMOs is attracting an increasing number of hackers and malware distributors.

 

Gaming concerns are beginning to be recognized in the broader world of security. ScanSafe's security predictions for 2008 discuss gaming issues within the context of Web 2.0. The firm says the desire of hackers to steal "in-game currency and rare items" -- whatever that means -- will lead to extensive use of backdoors, bots and Trojans. The firm says Second Life and other avatar-based virtual worlds will become increasingly inviting targets during the year ahead.

 


Experts can debate where the line is between concerns that are specific to games and those that are relevant for security in general. Even if it is determined that many of the issues are gaming-specific, it is still an important area to watch. It is a virtual certainty that the technology supporting online gaming will be co-opted for corporate use -- perhaps for training or as a way to gather customer feedback. The other concern is more current: Employees participate in online games from their work PCs and may be inadvertently compromising organizational security.



Dec 27, 2007 2:01 AM The Grid Live says:
Second Life News for December 27, 2007... From: Second Life Blog TSL Snowman Build Contest Quote from the site - We had Snowman Build Contest in Voss the other day. We are headed your way too! Thursday evening, Sejong and I will be hosting an hour-long snowman building contest, followed by a ...
Jan 2, 2008 6:50 AM Robert Minneman says:
In my opinion from the content of Carl Weinschenk's article here, I don't believe Carl has ever actually downloaded or played any of these games before.

Of the games I've frequented (including WoW, EQ, EQII, CoH, etc.) the games themselves and the gaming information obtainable via the client, hacked or otherwise, doesn't actually contain any credit card information. In other words, you're not having to provide credit card information every time you log in, and it's not referenced anywhere within the client.

If he'd ever played any of these games, he'd know this.

The gaming community, and more specifically the cheaters in the gaming community, make themselves a bit more open to phishing and general scams than normal business. People looking to cheat by buying the virtual item, Uber-sword-of-Extreme-Bastardification for 100 REAL WORLD dollars, are more likely to have their credit card information stolen during that transaction than they are from just logging into their chosen game.

Any significant investment of time in these games would educate a person to this fact rather quickly.

As far as financial information, i.e., credit card account, goes, that's fairly secure for the most part because the more reputable games handle that sort of transaction OUTSIDE of the game client.

Beyond the immediate financial information, the information that's actually most frequently scammed/stolen is character account information, and again, due to how these systems are architected it's nigh impossible to hack the game client software such that you can read anyone else's information; the login process is typically handled via a separate set of servers from the in-game servers.

However, if you're in the business of selling virtual items for real money, the best information to have is the character account information, allowing you to log in as that character and transfer all the sellable items off and sell them later.

Again, due to how most of these games are architected the most common security risk is the phish, and honestly, I think it's a great thing this kind of thing is happening in the gaming community. It will do the business world a GREAT deal of good to have their future employees indoctrinated at an early age against this sort of thing.
