THE ONLINE GAME SECURITY OF BLIZZARD ENTERTAINMENT BY MOHSIN RIZVI
WHAT IS BLIZZARD?
• A video game development company based in California established in 1991
• Developed many popular franchises, such as Warcraft, Starcraft, and Overwatch
• Subsidiary of Activision Blizzard Inc. since 2008

HOW BIG ARE THEY?
• 40 million unique monthly active users in the final quarter of 2017, after 6 successive quarters with at least 40 million
  Source: https://investor.activision.com/static-files/0212ede8-9901-4889-a710-a52fc60ec20b
• In 2016, the company made 4.87 billion dollars of revenue
  Source: https://www.polygon.com/2017/2/9/14568722/activision-blizzard-2016-earnings-record
• The massive scale of the company’s games and their online player bases mandates good security and fair gameplay with minimal exploits

TYPES OF VULNERABILITIES AND ISSUES
• Divided into two categories
  • Gameplay vulnerabilities
    • Cheating through external software
  • Security vulnerabilities
    • Traditional “hacking” attacks on vulnerable software

GAMEPLAY VULNERABILITIES
• Largely exploited through the use of external software
• Offenses often result in the banning of the player from the game
  • Outlined in the End-User License Agreement (EULA)
  • For some (i.e. software distributors), results can be more severe
• Prime example: “botting”

GAMEPLAY VULNERABILITIES
• Botting: the use of external software to automate gameplay
  • A “bannable” offense if the user is caught
    Reference: https://www.engadget.com/2010/06/07/the-lawbringer-the-history-of-blizzard-and-mdy-glider/
• The results:
  • The offending “player” gains an unfair advantage over others
  • In-game economies can be disrupted through automated gathering of materials
  • Bots gather materials en masse to be converted to in-game currency, which is then sold for real-world currency
    Reference: https://www.vice.com/sv/article/zn5pda/i-make-thousands-of-dollars-a-month-from-playing-computer-games

SECURITY VULNERABILITIES
• Consist of more traditional attacks
  • Exploiting flaws in online Blizzard software
  • Stealing of private information
• Offenses are often illegal and could result in more severe punishment
  • Potential for prosecution
• Likelihood of attacks increased by the integration of Blizzard platforms and games with the internet
• Examples: remote execution flaw on Blizzard Update Agent; account information leakage

SECURITY VULNERABILITIES
• Google security researcher Tavis Ormandy discovered a remote code execution bug in the Blizzard Update Agent used to update games
• Design allowed commands to be sent to users’ computers; the commands were authorized using a system that could be exploited using a DNS rebinding attack
• Ormandy sent a demo of the flaw to Blizzard, who eventually fixed the flaw
• Flaw could have allowed attackers to infiltrate millions of player computers
• Reference: https://www.csoonline.com/article/3250627/security/hackers-could-have-exploited-flaw-in-all-blizzard-games.html

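One defensive check against the DNS rebinding described above, as an added example that is not from the slides or from Blizzard's code: a loopback HTTP agent rejects any request whose Host header is not exactly its own loopback name and port. The port, allowlist and handler names are hypothetical.

```python
# Added example: Host-header allowlist for a loopback-only HTTP agent.
# AGENT_PORT, ALLOWED_NAMES and AgentHandler are hypothetical names,
# not taken from Blizzard's Update Agent.
from http.server import BaseHTTPRequestHandler, HTTPServer

AGENT_PORT = 8765  # constructed port for the illustration
ALLOWED_NAMES = {"127.0.0.1", "localhost", "[::1]"}


def host_is_local(host_header, port=AGENT_PORT):
    """True only when the Host header names this loopback service exactly.

    After a rebind the browser connects to 127.0.0.1 but still sends the
    attacker-controlled domain in Host, so an exact match rejects it.
    """
    if not host_header:
        return False
    host = host_header.strip().lower()
    if host.startswith("["):              # bracketed IPv6 literal
        name, bracket, rest = host.partition("]")
        name += bracket
        if rest and not rest.startswith(":"):
            return False
        req_port = rest[1:]
    else:
        name, _, req_port = host.partition(":")
    # A missing port means the default (80), which is not this agent.
    return name in ALLOWED_NAMES and req_port == str(port)


class AgentHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Check Host before any command parsing or token handling.
        if not host_is_local(self.headers.get("Host"), self.server.server_port):
            self.send_error(403, "Host header not allowed")
            return
        body = b'{"status": "ok"}'
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Bind to loopback only; the Host check covers browser-borne requests.
    HTTPServer(("127.0.0.1", AGENT_PORT), AgentHandler).serve_forever()
```
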
SECURITY VULNERABILITIES
• Another attack: in 2012, Blizzard was hacked and information stolen
• Information taken included email addresses, security question answers, and hashed passwords
• Blizzard conducted an investigation and reported that accounts could not be accessed by attackers based on information stolen
  Reference: https://www.forbes.com/sites/erikkain/2012/08/09/its-official-blizzard-hacked-account-information-stolen/#ef53f8a55d1b

HOW BLIZZARD DEFENDS ITS PRODUCTS
• A technical solution: Warden, a piece of anti-cheat software
• A legal solution: going after distributors of illegal software
• A people-powered solution: relying on the reports of others

THE WARDEN
• Warden is a piece of software that runs in the background of Blizzard games such as World of Warcraft
• Scans processes and programs on your computer, checking for the presence of known cheating software or any forbidden program interacting with the game
• Exact mechanisms and whether or not it is still used are not known, as it is proprietary software
  Reference: https://www.engadget.com/2009/03/09/computerworld-on-blizzards-warden-at-work/

LEGAL BATTLES
• Blizzard asked the creator of popular botting software “Glider” to cease distribution
• Creator Michael Donnelly sues Blizzard, who files seven counterclaims against Donnelly
• Ultimately, Blizzard wins most of its claims and Donnelly is ordered to pay damages and cease distribution of the illegal software
• Reference: https://www.engadget.com/2010/06/07/the-lawbringer-the-history-of-blizzard-and-mdy-glider/

ADDRESSING REPORTED ISSUES
• Security flaws can be reported by security researchers; in-game issues can be reported by players
• Tavis Ormandy reported the remote code execution flaw, which was eventually fixed by Blizzard
  Reference: https://www.csoonline.com/article/3250627/security/hackers-could-have-exploited-flaw-in-all-blizzard-games.html
• All Blizzard games offer in-game report systems
  • Players can report suspicious activity or flaws noticed in-game
  • Results vary for offenders, from warnings to account bans
  • Can lead to awareness of new botting and exploit techniques

THE TRADEOFFS OF ONLINE SECURITY
• Cybersecurity is a series of tradeoffs
• Blizzard and its products are no exception to this rule
• As modern Blizzard software is almost entirely connected to the internet, this rule is even more applicable
• Even this is a tradeoff: making online games requires heightened security efforts by the company

THE TRADEOFFS OF ONLINE SECURITY
• The use of the Warden software to find cheaters has been criticized in the past for the methods it uses
  • It has gained notoriety and been called spyware
  • Since it works by scanning the programs that your computer is running
    Reference: https://www.gamesindustry.biz/articles/spies-like-us-the-law-and-blizzards-warden
• Has the potential to cause distrust in the online player base
• Represents a compromise by Blizzard between the benefit of catching cheaters and the downside of having to scan other users’ computers
• Again, please note: Warden may not be used in its current form anymore

THE TRADEOFFS OF ONLINE SECURITY
• Security is essential for massive games like World of Warcraft
• Blizzard must spend time and money ensuring the security of its products
  • As proprietary software, Blizzard likely uses several in-house security tools that are not publicly known
  • The responsible thing to do, but can increase time between product releases
• Represents the essential overarching tradeoff between finishing a product quickly and ensuring sufficient security

WHAT SHOULD YOU DO?
• Don’t cheat!
  • There’s a good chance you’ll get caught
• Know what the software does where possible (i.e., what programs may be running while you play)
• Modern Blizzard games are built in and around the internet, so beware of the risks of investing time and money in online services
  • Always the potential for data breaches or attacks, as with the 2012 leak of account information
    Reference: https://www.forbes.com/sites/erikkain/2012/08/09/its-official-blizzard-hacked-account-information-stolen/#ef53f8a55d1b

QUESTIONS?