Online games have become a huge business in the last couple of years, complete with their own economies, currencies and, now, criminals. Like any other endeavor in which there’s money changing hands, games such as World of Warcraft, Everquest and other massively multiplayer online role-playing games (MMORPGs) have attracted people looking to find ways to cheat, steal and exploit weaknesses in the system for profit. All of this seems a bit far afield from the daily practice of information security, but as Gary McGraw and Greg Hoglund explain in their new book “Exploiting Online Games,” there are any number of lessons security professionals can learn from what goes on in these fantasy worlds and the way their software affects PCs.
McGraw says that the key thing to understand is that many of these games hook the operating system at a very deep level, often in the kernel, and monitor the user’s behavior n a number of ways. He cites the example of a small piece of code that’s installed with World of Warcraft, called Warden, which looks at every running process on a player’s machine to make sure the player isn’t using a third-party app to cheat the game. In the real world this is called spyware. The problem for IT managers is that when users install games such as World of Warcarft on company-owned machines, they end up with unwanted extras like the Warden, which can be a serious problem. It was worrisome enough to Hoglund that he wrote a counter-spy program he calls the Governor, which reveals all of the data that is being read by the Warden.
In “Exploiting Online Games,” which will be released Friday, Hoglund and McGraw also argue that these games are a preview of the kinds of security problems we’ll be facing in the next few years. “The main lesson is that we absolutely must pay more attention to security engineering while we’re building the next generation of systems,” McGraw said in an email interview. “A reactive network security approach (which remains a necessity) will not even begin to address the kinds of time and state related security issues seen in massively distributed online games. The kinds of security problems we see in MMORPGs like World of Warcraft are a harbinger of future security issues.”