{"id":15033,"date":"2014-11-28T14:28:16","date_gmt":"2014-11-28T14:28:16","guid":{"rendered":"http:\/\/kasperskydaily.com\/b2b\/?p=2912"},"modified":"2020-02-26T18:50:51","modified_gmt":"2020-02-26T16:50:51","slug":"security-of-online-gaming-business-reasons-to-care","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.za\/blog\/security-of-online-gaming-business-reasons-to-care\/15033\/","title":{"rendered":"Security of online gaming business: reasons to care"},"content":{"rendered":"

Online games these days are products of years of development with budgets approaching those in Hollywood, and with similar marketing support. And if we speak of massively multiuser online games (MMOG), in most cases these are created to provide end-users with continuous entertainment, while the game creators \u2013 with a source of continuous income. In other words, each MMOG is a business enterprise on its own. As such, these games and associated services (distribution platforms, specifically) have certain common traits with online banking\/payment, social networks (they are<\/em> social networks of sorts, after all), and other web services. Online games operators do process personal and payment data, have to work with the players\u2019 community, attract new clients and keep the older ones loyal. Similar are the problems online games face: reliability of hardware and software under the high load conditions, cyberattacks and the security of personal and payment data.<\/p>\n

Actually it\u2019s all about the satisfactory users\u2019 experience that would be heavily affected by any kind of incident and security failures.<\/p>\n

Technical issues and reliability<\/strong><\/p>\n

Every game, online multiplayer or single-player is a software package, firsthand. A large and rather complex one, with high demand for system resources: a high-class entertainment costs.<\/p>\n

The software framework \u2013 so-called game engine \u2013 typically provides such features as renderer for graphics, a physics engine, \u201cartificial intelligence\u201d, networking, memory management, etc. Occasionally some vendors write game engines as commercial packages to be licensed to other developers, and not just as a technical base for a specific game. For instance, there are two dozen games based on id Software\u2019s id tech 3 engine (on which id\u2019s own Quake III is based), although much fewer games have been built of the later engines \u2013 id Tech 4 (Doom III, Quake IV) and id Tech 5 (Rage). Epic Games (of Unreal and Unreal Tournament fame) license their Unreal Engine left, right and center, recently changing their license terms so that it becomes accessible for next to anyone. A relative newcomer \u2013 Unity Technologies \u2013 created their Unity product as an all-purpose game engine specifically for licensing to third parties.<\/p>\n

With overwhelming complexity of these products, it would be naive to expect they lack bugs. Actually, bugs are always present, but regarding the games they are mostly assumed to affect the game itself, not the framework it\u2019s being run within, whether it is a local machine or a server.<\/p>\n

#Security of online gaming business: reasons to care #enterprisesec<\/p>Tweet<\/a><\/blockquote>\n

However, last year researchers have found quite a few zero-day vulnerabilities some of which put servers and the gamers who use them at risk<\/a>. A number of very popular (albeit not always exactly new) engines such as Unreal Engine 3 and id Tech 4 (both available since 2004) as well as CryEngine 3 (available since 2009) were reported as flawed.<\/p>\n

Some game engines are used by US military and FBI in their simulator training systems, and there\u2019s no need in the wildest imagination to figure out the possible consequences of malicious exploitation of these systems\u2019 flaws.<\/p>\n Battlefield 4 screenshot\n

And even away from that, a successful attack on central servers of an online multiuser game means a grand amount of discontent, complaints, bad publicity and other displeasing things that may be pretty harmful for business.<\/p>\n

Especially when we speak about MMORPGs such as World of Warcraft, the current \u201cruler supreme\u201d of MMOG market \u2013 the game with especially large audience.<\/p>\n

Social service<\/strong><\/p>\n

WoW used to have ~15 million active subscriptions in the past, down to current 10 million, which is still can be compared to population of a major city. And all these people pay for playing time (and occasionally for some in-game objects bought from the official shop), and expect their experience to be smooth and consistent. Little they care about the complexity of the software and hardware framework, amount of servers in the data centers processing all those hundreds of thousands simultaneous connections, etc. But if something happens they get extremely disgruntled quickly, always ready to vent their anger both in and outside of the game.<\/p>\n

As said before, MMOGs are similar to social networks in their nature, and as any other socially-oriented services with, they largely face similar problems \u2013 those with security of users\u2019 sensitive data included.<\/p>\n

Out-of-game loot to take<\/strong><\/p>\n

It\u2019s not surprising that pay-to-play MMOGs attract financially-minded miscreants of various sorts \u2013 there is a loot to take. Years ago a steady black market formed, where the in-game items (fancy armor, weapons, artifacts, etc.) and, above all, in-game currency are sold for the real-world money. While seemingly not illegal on its own, this brisk trade sometimes is frowned upon by the game developers. World of Warcraft EULA, for instance, forbids this \u201cgold trade\u201d in no uncertain terms, and still for years in-game currency is sold in troves for a moderate amount of dollars or euro.<\/p>\n

\"World

World of Warcraft screenshot<\/p><\/div>\n

What does it have to do with security? The gold trade on its own doesn\u2019t. The issue lies with the ways that in-game gold and other items are being acquired. In a nutshell, the accounts hacking with intention to rob the players\u2019 characters of their in-game property is a very common problem for various MMOGs. It is mostly done by \u201cserving\u201d the user with some keylogging malware by whatever means possible \u2013 drive-by attacks, phishing, etc.<\/p>\n

Actually, years ago author of this blogpost had been hit by the account-stealers: apparently a keylogger dropped itself into C:Temp folder and reported all my logging-ins as well as the later attempts to change password. It ended up like some sort of tug-of-war between me and the bad guy who had hijacked my account. I used some freeware antivirus at that time, and it failed to discover the keylogger.<\/p>\n

Purging the C:Temp folder resolved the issue. Later on \u201cGame Masters\u201d reimbursed my lost items and following the growing amount of such incidents Blizzard improved their users\u2019 account security dramatically, introducing multifactor authorization, among other things.<\/p>\n

DDoS-attacks is also a recurring problem for MMOGs as well as game distribution platforms and networks. Earlier this year Valve\u2019s Steam and EA\u2019s Origin gaming platform were hit by DDoS. Apparently the attackers were acting out of simple mischief.<\/p>\n

And as of recent the hacking groups such as Lizard Squad presumably associated with so-called Islamic State, has been targeting gaming services \u2013 Microsoft Xbox Live and Sony PlayStation Network, among others \u2013 bringing them down earlier this year.<\/p>\n

Online gaming has a lot of similarities with other industries processing users\u2019 sensitive data #enterprisesec<\/p>Tweet<\/a><\/blockquote>\n

Fresh-out, World of Warcraft\u2019s new expansion Warlords of Draenor had been hit with a mighty DDoS attack upon its launch in US in mid-November. Giving the number of people affected, this is clearly a \u201cmild\u201d form of cyberterrorism. And the real victims are the game service providers, because, whatever happens, users point fingers on them expecting total satisfaction for their money.<\/p>\n

Gaming industry under attack<\/strong><\/p>\n

Last year Kaspersky Lab reported on Winnti APT group<\/a>, that has been attacking companies in the online video game industry since 2009. The group\u2019s objectives were stealing digital certificates signed by legitimate software vendors in addition to intellectual property theft, including the source code of online game projects. This clearly shows that online gaming industry may have some huge value for the criminals, even if only as a leverage for attacks on some other industries.<\/p>\n

We can also recall an attack on Sony Playstation Network in 2011 that resulted in a record-breaking leak of the service\u2019s user data (which was stored, to say the least, not very securely) as well as an extremely long outage of the service.<\/p>\n

Every industry which deals with sensitive users\u2019 data on any scale finds itself in the crosshairs of those who would like to claim it. Gaming industry is not an exception.<\/p>\n","protected":false},"excerpt":{"rendered":"

Online games these days are products of years of development with budgets approaching those in Hollywood, and with similar marketing support. And if we speak of massively multiuser online games<\/p>\n","protected":false},"author":209,"featured_media":15526,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3021],"tags":[647,97],"class_list":{"0":"post-15033","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-gamers","10":"tag-security-2"},"hreflang":[{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/security-of-online-gaming-business-reasons-to-care\/15033\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/security-of-online-gaming-business-reasons-to-care\/15033\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/security-of-online-gaming-business-reasons-to-care\/15033\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.co.za\/blog\/tag\/gamers\/","name":"gamers"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts\/15033","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/users\/209"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/comments?post=15033"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts\/15033\/revisions"}],"predecessor-version":[{"id":26416,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts\/15033\/revisions\/26416"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/media\/15526"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/media?parent=15033"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/categories?post=15033"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/tags?post=15033"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}