Thursday, April 23, 2009

RSA Conference 2009: Want to Play a Game? Gary McGraw & Expert Panel Explore the "Edge of Technology"



"What we are talking about is the future of software security." Gary McGraw, Citigal

RSA Conference 2009, Thursday, 4-23-09

Exploiting Online Games


This morning, as I headed to the session I had chosen to attend for that segment of the day, I noticed it was one of three sessions lined up along the same wall. One session was standing room only. The other two were two-thirds empty.

The standing room only session was on “Seven Most Dangerous New Attack Techniques and What’s Coming Next.” The other two sessions, the ones not even half full, were on “Virtualization Security” and “Exploiting Online Games.”

This observation offers us some insight into one of the great challenges in the security space. How do you look over the horizon or beyond the obvious when what is right in front of you, and what is painfully obvious, are simply overwhelming?

Some of the thorniest problems coming down the pike will relate to security of virtualization and virtualization of security. Some of the most intriguing exploits and hacks coming down the pike will come from the world of online gaming.

But the majority of attendees, as well they should, were streaming into the session that might help them fight some of the biggest fires burning in their environments right now. How do you ever get ahead of the curve if you are always struggling even to stay current?

I was on my way to the session on exploiting online games. (NOTE: CyLab corporate partners can read more about the security issues raised by the trend toward virtualization in my September 2008 Intelligence Briefing on “The Shadow Side of Virtualization.”)

Gary McGraw, CTO of Cigital, moderated the panel.

Participants included Greg Hoglund, CEO of HBGary; attorney Sean Kane of Drakeford and Kane; Aaron Portnoy, a security researcher with TippingPoint; and Avi Rubin, President of Independent Security Evaluators.

In his opening remarks, Gary McGraw welcomed the scattering of attendees to the “edge of technology,” and declared “what we are talking about is the future of software security.” There are so many people out on the exhibit hall floor hawking the so-called Cloud, “even though they have no idea what it means.” But online games are massively distributed systems. “They put nine gigabyte globs in everybody’s box.”

“Virtual worlds have virtual stuff that is worth actual money, which means if you can figure out how to cheat you can make money,” McGraw continued.

“Also, the law is abundantly unclear (and dang interesting). Imagine you set up a bank in Second Life and told them you were going to pay them interest, and then you stole all the money. Those regulators who don’t regulate banks very well don’t regulate virtual banks at all.”

Noting that there are 17 million people (at least) playing online games, McGraw further suggested that drawing attention to this area of security is a way to engage and hopefully enlighten a broader audience.

“I am certain that there are not 17 million geeks in the world, so there are a lot of normals playing online games. They do not care about security; they just want to play the game. But when someone cheats them that irks the hell out of them. So this is an interesting way to start a conversation about security with normals.”

McGraw also provided some monetary context for the issues involved. One game, World of Warcraft (WoW), has 14 million subscribers, and each one pays $14 per month. Well, $14 per month x 10 million subscribers = $240 million per month, and $240 million per month x 12 months = $1.6 billion per year.

"There is also a healthy middle market exists for pretend stuff."

Globalization is second-nature to online gaming, and to exploiting it as well. Indeed, the exploiting of online games is an element of the global economy. And just as cyberspace and the global economy interpenetrate, the "virtual economy" of the online games and the "real" economy of the global marketplace interpenetrate as well.

According to McGraw, in China over 500,000 people “farm” Massively Multiplayer Online (MMO) games, e.g., farming "gold" for WoW.

"You can pay somebody to play the game for more than they could make working for Nike."

Next up, Greg Hoglund outlined the two ways in which online gaming is attacked or its resources misappropriated: exploits and bots.

Exploits can be used to duplicate items needed for the game, including gold, or to "see stuff you're not supposed to see."

Both AFK (i.e., away from keyboard) and non-AFK bots feed the game legal input, but in an automated fashion. They range from keystroke and mouse-movement macros, which require taking over the GUI and, among other things, a dedicated computer, to thread hijacking, which calls internal functions within the game directly and eliminates the need for macros.

The panel's legal expert, Sean Kane gave thumbnail sketches of the issues involved in two court cases relevant to the exploiting of online games.

Bragg v. Linden Research was based on a Second Life player's use of hacking to purchase virtual land at less than its market value. The judge determined that the company's User License Agreement (ULA) was draconian; a settlement was reached, and the player's user account was returned.

MDY Industries v. Blizzard Entertainment was based on a third party developer's marketing of software that automated play and leveling in WoW.

$6 million in damages were awarded to Blizzard. The case is in Appeals Court.

According to Kane, the "top two threat families on Microsoft's detection and removal list are online game password stealers."

"As offenders become more organized," Kane concluded, "and their operations scale up rapidly, all industry participants must strive to establish protections for their users and game spaces both in code and in law.”

Like Hoglund, Aaron Portnoy focused on the how and what of online game exploitation, citing his own experience.

"We focused on Disney's Pirates of Caribbean -- written in a dynamic language called Python -- to the point where we had full source code within a couple of days of downloading it. They distribute all the client code on your computer."

Portnoy could change the height his character could jump from 4 feet to 400 feet; he could also alter the speed of ships or the power of weapons.

McGraw interjected, "Many developers and architects don’t think about trust boundaries at all. They put it all on this guy’s computer," pointing to Portnoy, "and expect him not to look under the hood."

"I changed the speed on my ships, I ended up with a line of kids on the dock, waiting for rides. All the other ships were much slower ..." Portnoy added, "I could play Jesus by walking on water. And my guy’s walking speed was faster than the sailing speed of everybody else's ships, so I could track them down over the sea and just shoot them."

Portnoy was banned from all Disney.com sites.

The letter is framed on his wall.
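The trust-boundary point McGraw and Portnoy make above has a standard remedy: treat everything the client reports as untrusted input and let the server enforce the physics it knows. The following is an added example, not code from the original post or from Disney's game; the speed and height limits, the coordinates and the water map are constructed for the illustration, and the server-side state model is an assumption.

```python
"""Added example (not from the original post or from Disney's game): a
server-authoritative movement check.  Portnoy could edit the client because
the whole client ran on his machine; the defence is for the server to
re-check every reported position against limits it controls.  Limits,
coordinates and the water map below are constructed for this example."""
from dataclasses import dataclass
import math

# Server-side limits (assumed values, not the real game's constants).
MAX_JUMP_HEIGHT_FT = 4.0       # the highest the client may claim to be
MAX_WALK_SPEED_FT_S = 6.0      # horizontal speed on foot
MAX_SAIL_SPEED_FT_S = 20.0     # horizontal speed while aboard a ship


def is_water(x: float, y: float) -> bool:
    """Constructed terrain map: everything with x >= 50 is open sea."""
    return x >= 50.0


@dataclass
class PlayerState:
    x: float
    y: float
    z: float            # height above ground / sea level
    aboard_ship: bool
    last_tick: float    # server time of the last accepted move


def validate_move(state: PlayerState, reported: dict, now: float):
    """Decide whether a client-reported position is physically possible.

    Returns (accepted, reason).  `reported` is whatever the client sent
    ({"x", "y", "z"}); nothing in it is trusted until checked here.
    """
    dt = now - state.last_tick
    if dt <= 0:
        return False, "non-monotonic timestamp"

    horiz = math.hypot(reported["x"] - state.x, reported["y"] - state.y)
    limit = MAX_SAIL_SPEED_FT_S if state.aboard_ship else MAX_WALK_SPEED_FT_S
    if horiz > limit * dt + 1e-9:
        return False, f"speed {horiz / dt:.1f} ft/s exceeds {limit} ft/s"

    if not 0.0 <= reported["z"] <= MAX_JUMP_HEIGHT_FT:
        return False, f"height {reported['z']} ft outside 0..{MAX_JUMP_HEIGHT_FT}"

    if is_water(reported["x"], reported["y"]) and not state.aboard_ship:
        return False, "walking on water"

    return True, "ok"


def apply_move(state: PlayerState, reported: dict, now: float):
    """Commit the move only if the server agrees it is possible."""
    ok, reason = validate_move(state, reported, now)
    if ok:
        state.x, state.y, state.z = reported["x"], reported["y"], reported["z"]
        state.last_tick = now
    return ok, reason


if __name__ == "__main__":
    player = PlayerState(x=0.0, y=0.0, z=0.0, aboard_ship=False, last_tick=0.0)
    # Honest client: 5 ft in one second with a small hop.
    print(apply_move(player, {"x": 3.0, "y": 4.0, "z": 2.0}, now=1.0))
    # Modified client claiming a 400 ft jump.
    print(apply_move(player, {"x": 3.0, "y": 4.0, "z": 400.0}, now=2.0))
    # Modified client crossing the sea on foot faster than any ship.
    print(apply_move(player, {"x": 60.0, "y": 4.0, "z": 0.0}, now=3.0))
```

The design choice is that the server never takes the client's word for where it is; it only ever answers "could you have got there from where I last saw you?" A rejected move also leaves the server's copy of the state untouched, so a tampered client cannot accumulate small illegal gains across ticks.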

In his remarks, Avi Rubin stressed the importance of identity management.

"In gaming as in other domains, it is important to be able to manage real world identities. Many attacks are possible if people can create fake identities."

Rubin gave two fascinating examples of how a Sybil attack, i.e., being able to hold multiple identities, could facilitate cheating in online poker.

For example, if you are holding two pair in Texas Hold 'Em and one of four particular cards comes up, you make a full house: four outs among forty-six unseen cards. But if you are using a Sybil strategy and put other players you control into the game, you can increase your chances of winning significantly.
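Rubin's arithmetic carried through with an actual deck, as an added example that is not part of the original post. It computes the honest player's 4-in-46 estimate and then shows how the estimate changes once the same person also sees the hole cards of seats he secretly controls; the hands are constructed sample data, and the two-pair-after-the-turn setup is the one the panel described.

```python
"""Added example (not from the original post): Rubin's Texas Hold 'Em
illustration carried through with an actual deck.  The player has two pair
after the turn (2 hole cards + 4 board cards seen, 46 unseen), and four of
the unseen cards complete a full house.  A Sybil player who also controls
other seats sees those seats' hole cards too, so the unseen pool shrinks and
the estimate is sharper than any honest player's.  All hands below are
constructed sample data."""
from fractions import Fraction
from itertools import product

RANKS = "23456789TJQKA"
SUITS = "cdhs"
DECK = frozenset(r + s for r, s in product(RANKS, SUITS))


def full_house_outs(hole, board):
    """Cards that turn two pair into a full house: the two remaining cards of
    each paired rank.  Assumes the six known cards form exactly two pair."""
    seen = set(hole) | set(board)
    ranks = [c[0] for c in seen]
    paired = {r for r in ranks if ranks.count(r) == 2}
    if len(paired) != 2:
        raise ValueError("example assumes exactly two pair")
    return {c for c in DECK - seen if c[0] in paired}


def hit_probability(hole, board, sybil_hands=()):
    """P(next card completes the full house) from this player's point of view.

    sybil_hands: hole cards of other seats the same person secretly controls.
    An honest player passes none and computes against all 46 unseen cards."""
    seen = set(hole) | set(board)
    for hand in sybil_hands:
        seen |= set(hand)
    unseen = DECK - seen
    outs = full_house_outs(hole, board) - seen
    return Fraction(len(outs), len(unseen))


if __name__ == "__main__":
    hole = ("Kh", "9d")
    board = ("Kc", "9s", "4h", "2c")
    print("honest view:", hit_probability(hole, board))          # prints 2/23 (= 4/46)
    # Two Sybil seats, one of which happens to hold the Ks.
    dead_out = [("Ks", "7c"), ("Ah", "3d")]
    print("Sybil, one out dead:", hit_probability(hole, board, dead_out))  # prints 1/14 (= 3/42)
    live = [("8s", "7c"), ("Ah", "3d")]
    print("Sybil, all outs live:", hit_probability(hole, board, live))     # prints 2/21 (= 4/42)
```

Nothing in the cards themselves reveals the collusion; the Sybil player simply knows more of the deck than the rules assume any one seat can know. That is why Rubin frames the control as identity management rather than game logic: the game server can only limit what one identity sees, so the problem is making sure one person holds one identity.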

Of course, as Rubin noted in closing, "solving identity management will solve some but not all of the problems. Guys could still get on the phone and share their hands, and the winnings."

I am grateful I had the opportunity to spend an hour "at the edge" with McGraw and his colleagues.

-- Richard Power