The cost benefits of virtualization are well-documented, allowing enterprises to significantly reduce the space and electrical power required to run data centers and streamline the management of an ever-growing number of servers.
Virtualization also provides means for expedient scalability. Given today's economic climate and cost-cutting mandates, it is not surprising that analyst firm Gartner recently predicted that 50 percent of workloads will run inside virtual machines by 2012.
What many organizations fail to understand, according to Amir Ben-Efraim, CEO of virtualization security provider Altor Networks, is that collapsing multiple servers into a single one with several virtual machines inside eliminates all firewall, intrusion detection, and other protections in existence. Physical security measures literally become "blind" to traffic between VMs, since they are no longer in the data path.
This echoes comments made by Gartner analyst Neil MacDonald, who wrote in a recent presentation titled "Securing the Next-Generation Virtual Data Center" (subscription required), that "most virtual machines you deploy will be less secure than the physical systems they replace," and that "virtualization will radically change how you secure and manage computing environments."
VMware recently launched a partner program to help ISVs develop solutions certified as "VMsafe." VMsafe provides API sharing through a secure container, enabling partner companies to access virtual environments. This virtual security technology provides fine-grained visibility over virtual-machine resources, including monitoring every aspect of the system with the ability to address previously undetectable viruses, rootkits, and malware before they can infect a system.
I spoke to Ben-Efraim to better understand the issues around VM security and for what users should be on the lookout. According to him, there are two common approaches that use existing methods to secure virtual-network traffic: using VLANs to separate and control communication between VMs; and taking software-based firewalls and running them as agents on each VM. Unfortunately, both of these approaches fall short.
VLAN segmentation extends the notion of LAN resource segmentation to include VMs. The approach essentially requires that VMs, which can naturally be grouped (e.g., by function or user base), be isolated from other VMs by use of virtual switches and routing (e.g., the human resources VLAN contains HR-serving VMs). However, VLAN segmentation is not a permanent solution to securing environments because of networking complexities, performance degradation, and security limitations of the approach, Ben-Efraim said.
SAN FRANCISCO--It will likely come as no surprise to anyone familiar with virtual worlds and online games that they can be hacked. But what might come as a shock is the sheer breadth of types of exploits that are possible.
That was the broad message of a Thursday panel called, appropriately, "Exploiting Online Games" at the RSA 2009 security conference here.
Moderated by Gary McGraw, CTO of software security consulting firm Cigital and an author of several books, the panel took the audience on a deep dive into the diverse ways that hackers and others have figured out to either skim real money or to gain game play advantages not available to normal players.
McGraw opened the panel with a brief explanation of the fact that there are real, functioning economies in virtual worlds and online games, and that players cash in their virtual goods for real money, to the tune of more than $1 billion a year. This, of course, is old news to those in game playing circles, but for many of the security experts in the room, it may well have been eye-opening.
And, McGraw said, it's the very fact that real money is at stake that often gets otherwise uninterested game players to pay attention to the security risks they face every day.
"There's a whole bunch of normals (those not steeped in knowledge about computers) using games, and they don't care about security," McGraw said. "But they like their stuff, (and) when their stuff gets taken, that really hurts the hell out of them. That's a way to start a conversation about computer security with normals, because almost everybody knows somebody who plays online games."
The first panelist to present was Greg Hoglund, the founder of Rootkit.com and the CEO of the consulting firm, HBGary. He explained that online games are regularly under attack by two discrete types of cheats: exploits--actual bugs in games that clever hackers have figured out how to mine in various ways, and bots, which are essentially automated macros that can be used to perform mundane tasks again and again and again, and very profitably.
The bugs, Hoglund said, often exist "at the borders of systems," and are used for things such as duplicating gold, or leveraging poor synchronization between back-end databases to extract money out of a game economy or even to gain teleportation powers that otherwise don't exist.
Hoglund also recalled a security expert who figured out a hack that allowed him not only to filch Second Life users' virtual currency--which is directly convertible to US dollars--but also to get ahold of users' credit card information and then use it to buy more of the currency to trade in. That exploit, Hoglund explained, was done only to prove that it could be done, but it underlined some of the significant risks facing players of online games and virtual worlds with functioning economies, as well as the publishers of those titles.
He also talked about bots, and explained that they, too, are often employed to gain an advantage most players don't have. They are almost universally prohibited, but Hoglund said creating them and using them is remarkably easy for those who know what they're doing. And he talked about one he had written to use in World of Warcraft that allowed his character to stay safe from attack from the rear, while also luring in loot-bearing enemies to kill. Once killed, the enemies would be regenerated by the bot, allowing Hoglund's character to kill them and pick off all their loot over and over again, a process that netted him significant profit, he hinted.
Similarly, he explained that games like World of Warcraft have vulnerabilities that allow savvy hackers to tap into the games' code, allowing for all kinds of new abilities, like being able to perform 15 charms at once, not available to the public at large.
Hoglund said companies like WoW publisher Blizzard are always actively trying to stop players from employing bots and ban those they catch, but added that for those who know what they're doing, detection is not something to worry about. And that, of course, is one of the explanations behind the so-called gold "farmers," often teams working in third-world countries whose job it is to run multiple accounts simultaneously, usually employing bots to perform gold-earning tasks and essentially just making sure that their in-game characters don't get "lodged in a tree."
Courts weigh in
Next up was Sean Kane, a partner with the New York law firm of Drakeford & Kane, and a leading voice on issues surrounding the law and virtual worlds.
Kane talked about two specific cases, one that is several years old and one that is much more recent.
The older case, Bragg v. Linden Research, focused on whether Linden, the publisher of the virtual world Second Life, was right to shut down the account of a user who had discovered an exploit allowing him to buy virtual land at below-market prices. Mark Bragg, the plaintiff, demanded $8,000 in restitution and eventually won a settlement from Linden in which his account was reinstated. But that only happened, Kane pointed out, after a federal judge ruled that the arbitration clause in the Second Life terms of service was onerous and one-sided.
At the time, the entire virtual world community had been watching the case closely, as many thought it would be the case that for the first time established the real-world value of virtual goods (and despite the fact that Bragg, himself a lawyer, had filed his suit in state court with a hand-written form). However, the settlement, not long after the federal judge's ruling, side-stepped that outcome.
But what many found interesting at the time was that Bragg had argued his hack was fair game, since all he did was exploit a feature hidden in the Second Life code. In effect, Bragg argued, code is law, and anything that players can do with the tools at their disposal is legitimate. Linden obviously disagreed, but ended up settling anyway.
Kane also focused on another case, MDY Industries v. Blizzard, in which MDY had created a bot, called Glider, that allowed players to level-up their characters without even having to be playing.
Blizzard sued for copyright infringement, arguing that bots like Glider were prohibited under its end-user license agreement (EULA) and that only that license actually allowed players to run WoW. In essence, the argument said that by running WoW under circumstances that violated the EULA, Glider was supporting copyright infringement.
Ultimately, though many argued that Blizzard's argument was beyond specious, the courts ruled in favor of the publisher, awarding it $6 million. But, not surprisingly, the outcome is on appeal.
Hacking Disney
Aaron Portnoy, a researcher with Tippingpoint security research, took the microphone next and talked briefly about his experiences hacking the Python code of the Disney online game, Pirates of the Caribbean. He explained that because Python is a dynamic language, he and a colleague had needed just a couple of days to reverse-engineer all of the game's code, and were able to use their exploit to get their in-game characters to do things that were otherwise impossible.
During a panel on exploiting online games, Tippingpoint's Aaron Portnoy talked about how he and a colleague discovered that Disney's online game Pirates of the Caribbean was written in Python, a language that allowed them to reverse-engineer the game's code in just two days. The result was that Portnoy's character was able to fly high in the sky, whereas everyone else in the game was limited to jumps of just four feet high. (Credit: Daniel Terdiman/CNET Networks)
For example, Portnoy said, he was able to easily get his character to jump high in the air, while the standard maximum jump was just about four feet. Or, to jump out of a pirate ship, walk on water at a speed faster than sailing ships in the game could travel, and attack at will.
"Everybody could see my guy jumping over buildings for miles," Portnoy said.
And, given how easy he and his colleague found it to reverse-engineer the code, Portnoy said, "It's almost like (Disney) didn't even consider security."
Gaming the games
Last up was Avi Rubin, a professor of computer science at Johns Hopkins. He talked, also relatively briefly, about how easy it is for some cheaters to exploit the game of online poker.
Essentially, Rubin argued, a hack called a Sybil attack--which employs fake people participating in games--makes it possible for online poker players to gain a big advantage over their opponents. That works, he said, by making it possible for a single player to control multiple hands in a game, allowing that person to see more cards than they would otherwise, and get a better handle on the odds of their own hand.
For example, he said, in a game of Texas Hold'em, a player employing a Sybil attack on an online poker game could control multiple hands and see things like whether the fives or eights they need to complete a full house and beat an opposing player's flush had already been played.
Rubin's point, then, was that game operators need to work harder at identity management, in order to keep players from employing such exploits. He didn't, however, offer any solutions as to how to do that.
All told, the panelists made it clear that just about any kind of online game or virtual world--especially those where money is on the line--is subject to some kind of hack or exploit, and that for those with the skills to launch such attacks, the barriers stopping them are easily surmountable.
The lesson, then, is that publishers of such games need to think harder about how to manage their players' actions and expectations. Otherwise, players may find themselves in games that are so compromised that the economies collapse and the fun disappears.
SAN FRANCISCO--IBM on Tuesday introduced cloud security services and said it is initiating a company-wide project to develop a security architecture for hosted computing.
The company, which made the announcements at the RSA security conference, also unveiled an appliance designed to protect virtual network segments: the Proventia Virtualized Network Security Platform, which includes intrusion prevention, Web application protection, and network policy enforcement.
IBM also announced:
Proventia Web application firewall, which is embedded into the IBM ISS Proventia portfolio of products and which acts as a virtual application patching mechanism.
Malware scanning for IBM Rational AppScan, which allows users to automatically scan Web sites for embedded malware.
IBM Tivoli Identity and Access Assurance, which offers centralized identity, access and audit services for corporations.
IBM Tivoli Data and Application Security, designed to mitigate privacy and compliance risks by encrypting data stored on tapes and disks.
IBM Tivoli Security Management for z/OS, which features centralized management for mainframes.
MOUNTAIN VIEW, California -- Symantec is turning to virtualization and cloud computing to protect Web surfers and let them access Web-based applications from one site.
The company demonstrated the technologies, along with another one designed to block malware from getting into corporate networks, to reporters and briefed them on its research and development strategy at an event it dubbed "Innovation Showcase" on Wednesday.
Virtualization technology that essentially creates different machines on the same computer offers a good platform for securing PCs by providing different protected environments, said Joe Pasqua, vice president of research at Symantec Research Labs.
Taking advantage of this trend, the company has developed Virtualization-based endpoint security, VIBES, technology that works with machines already running virtualization hardware and software to isolate three different areas on a computer for doing activities that require different levels of security.
The VIBES prototype protects Web surfers from downloading malware and having sensitive data stolen, all behind the scenes. For instance, when a user wants to open or execute files downloaded from the Internet the system copies the file to a "Playground" virtual machine and executes it there. Any viruses or other malware that might get downloaded stay within that one area and are unable to infect the rest of the computer, said Pasqua.
When a user accesses a Web site using https, the protocol for encrypting sensitive data transactions, the VIBES system moves the operation to a Trusted Virtual Machine that provides a higher level of security. All other activities are carried out in a mode that offers the level of security offered by the antivirus and other security software installed on the computer. The isolating of the activities is all invisible to the end user.
The VIBES technology is based on Linux/VMware Workstation and is being developed by the Symantec Research Labs Core Research group. Pasqua said he could not speculate on when it might end up as a product.
Symantec also showed off a service called GoEverywhere, an online workspace for accessing Web applications from any Internet-connected device. GoEverywhere, a project that will be in beta testing in a week or two, is designed as a subscription-based hosted service that offers a secure entry point with single sign on to any application on the Web, said Don Kleinschnitz, vice president and general manager of GoEverywhere.
"You are being untethered from your PC and your desktop," said Art Tong, senior vice president of New Business Investments. "Independent of what device you are using and where you are using it you can access your applications, your files and your data."
The service offers links to more than 100 popular Web-based e-mail applications and offers free Web-based applications for instant messaging, word processing and spreadsheets.
GoEverywhere works on any browser and is being developed for use on mobile devices. It does not yet allow users to save and edit files, just to view them, Kleinschnitz said.
The service, developed in Symantec's New Business Incubator, is targeted at consumers, as well as public kiosks and small businesses that want to save on IT and hardware costs, according to Tong.
Symantec is not sure how GoEverywhere will be monetized, Tong said. It will be available for beta testing within the next few weeks.
The third technology demonstrated at the event is called DeepClean. It features an Enterprise Perimeter Sensor appliance that monitors all the Internet traffic entering a corporation. The system looks at the source of a file and if it comes from a trusted source it adds information about the file to a whitelist. The data is passed on to Symantec for building out the list of trusted whitelist sources it uses in other security products.
Customers who choose to install the sensors and participate in a limited beta test will get reports on every file that comes into their network. The product will be available for general customer trials in early March, said Brian Witten, senior director of research.
Symantec spends about 15 percent of its revenue on research and development, "in line with the rest of the industry," said Mark Bregman, chief technology officer at the company.
The security firm has set aside an unspecified amount of money to fund projects in its New Business Incubator program, which was launched a year ago, said Wong.
Just like a traditional venture capital firm, the aim is to create new businesses or projects that can become a substantial part of an existing business unit and start paying off in three to seven years, he said.
Explaining why Symantec continues to invest heavily despite the recession, Bregman said that during economic downturns Internet crime rises, creating opportunities for security companies.
Check Point Software Technologies announced Monday it plans to acquire the security appliance business of cell phone giant Nokia.
With the acquisition, the security software maker plans to use Nokia's security appliance business to broaden its footprint in the security appliance market.
Check Point, which is predominately known for its security firewall business, has branched out into the security appliance business over the past five years, beginning with its VPN-1 Edge device.
Nokia's security appliance business currently serves 23,000 customers throughout the world and is already designed to work with Check Point's firewall, virtual private network (VPN), and unified threat management software.
The two companies have collaborated on product development for over a decade, including developing security software for mobile and Internet devices.
For example, Nokia's Internet appliance clustering technology allows groups of VPN and firewall appliances to work together, with an aim toward improving performance and reliability.
The deal is expected to close in the first quarter. Terms were not disclosed.
Symantec is going to collaborate with VMware to sell its disaster-recovery products for virtual environments.
For mutual customers, VMware ESX will be integrated with Symantec's Veritas Cluster Server (VCS) disaster-recovery product. Support will be provided through TSANet, a database that participating vendors use to coordinate support responses, and exchange support information.
"VMware is pleased to see Symantec deliver solutions like VCS that integrate with and complement the value of VMware virtualization," Shekar Ayyar, vice president of infrastructure alliances at VMware, said in a statement on Tuesday.
Symantec's VCS is designed to protect applications from unplanned downtime through local fail over of virtual machines, or failover between clusters in a remote location. VCS is integrated with VMware vCenter, and is designed to supplement VMotion, used for reducing planned downtime, and Distributed Resource Scheduler, used for active workload management.
Tom Espiner of ZDNet UK reported from London.
Green Hills Software announced this week that it is spinning off a new company to bring its military-grade Integrity operating system to the enterprise market.
Integrity, which sits on top of the processor controlling access to hardware and devices, has received the EAL6+ (Evaluation Assurance Level), the highest rating for an operating system.
It's already being used in the B1 bomber, the F35 joint strike fighter, the Airbus 380, Boeing 767, and NASA's next-generation shuttle, and now will be available for use on computers running Windows, Linux, and other desktop operating systems.
The operating system's virtualization features can protect corporate networks by isolating viruses and other malware from other parts of the computer system, said David Chandler, chief executive of Integrity Global Security.
The software can be particularly beneficial for critical infrastructure and call centers, which are often outsourced and staffed by contractors, he said. "We can provide a secure environment and only show the information necessary for someone to do their job," he said.
"What Integrity has is much better than what's currently available on the market," said Neil MacDonald, a vice president of analyst firm Gartner.
"The challenge will be convincing people that they need this; that they have to be doing something different from what they're doing now with commercial software like VMware or Microsoft's Hyper-V technology," he said. "In the commercial world there is the challenge of 'good enough' security and do they really need military-grade or gold-plated security versions of what commercial companies have to offer."
Virtualization could end expensive long-term software licensing in favor of a pay-per-use model, according to Symantec.
Executives at the company said that years- or months-long licenses covering multiple machines could, using virtualized applications, be slashed to licensing deals structured as pay per day, per hour, or even per second.
Virtualized or streaming applications, where software is run on a central machine and streamed to computers over a network, allow monitoring of precisely how long each instance of the software is used.
"You can detect application usage so you can cut the number of licenses down to what is being used," said Ken Berryman, vice president of endpoint virtualization at Symantec.
"There are a lot of customers that would like to use that to only have to pay when using the software, but there is resistance among vendors to change the licensing model," he said. "What you cannot do today is go down to a charge-per-use model."
But licensing periods, Berryman added, are getting shorter, and one day may go down to individual usage.
Symantec is developing a prototype security service that will allow it to protect a machine with no installed security software using virtualization.
Berryman said using a built-in hypervisor would allow Symantec to set up a buffer to screen and intercept code before it is run on the virtual machine on a user's computer.
"Whenever a machine asks for some code, before you give it to them, you would give it to us, and we will scan against 47,000-plus virus definitions, and if it looks like a virus, we can inject our agent into that machine and kill the processes, and delete the files associated with that," he said.
Symantec is now deciding on how to deploy this virtualized security model and when there will be a market for it, according to Bruce McCorkendale, distinguished engineer in the CTO strategy office.
Nick Heath of Silicon.com reported from London.
Virtual worlds are playgrounds not just for people who want some online fantasy role-playing, but for cybercriminals who are looking for places to launder money and steal data, according to a new white paper from McAfee (PDF).
The in-game economies of virtual worlds are being hijacked by criminals who attempt to hide their profits through the exchange of virtual currencies, Dr. Igor Muttik, a senior architect at McAfee's Avert Labs says in a white paper entitled "Securing Virtual Worlds Against Real Attacks--The Challenges of Online Game Development."
"Typically, when a gaming account is compromised, attackers will convert the objects they steal into virtual currency--and then convert the virtual currency into real money," the white paper says.
Scammers also are increasingly attracted to virtual worlds, where they have numerous ways of trying to steal private data for fraud. For instance, sloppy scripting in some online games allows viruses to auto-execute and propagate. There are also phishing attempts and messaging spam luring members to malicious sites for "free" games.
Also increasing in number and frequency are data-stealing Trojans that use keystroke loggers and other software to record IDs and passwords, mouse movements, and even screenshots, the report says.
And that's not all; there have been other threats in the virtual worlds. A virtual illness wiped out entire servers of users in World of Warcraft in 2005 when a design flaw allowed the disease to spread throughout low level players. Meanwhile, user-created code caused a virtual terrorist attack in Second Life, according to the report.
Because virtual worlds appeal to the underground, there's also the possibility they could serve as honey pots to attract criminals and terrorists and provide counterterrorists a glimpse into terrorist activities.
Gaming Trojans and Trojans (Password Stealers or PWS) targeting online banking are about equally common.
(Credit: McAfee Avert Labs)