THE ONLINE GAME SECURITY OF BLIZZARD ENTERTAINMENT BY MOHSIN RIZVI - - PowerPoint PPT Presentation



SLIDE 1

THE ONLINE GAME SECURITY OF BLIZZARD ENTERTAINMENT

BY MOHSIN RIZVI

SLIDE 2

WHAT IS BLIZZARD?

  • A video game development company based in California established in 1991
  • Developed many popular franchises, such as Warcraft, Starcraft, and Overwatch
  • Subsidiary of Activision Blizzard Inc. since 2008
SLIDE 3

HOW BIG ARE THEY?

  • 40 million unique monthly active users in the final quarter of 2017, after 6 successive quarters with at least 40 million
  • Source: https://investor.activision.com/static-files/0212ede8-9901-4889-a710-a52fc60ec20b
  • In 2016, the company made 4.87 billion dollars of revenue
  • Source: https://www.polygon.com/2017/2/9/14568722/activision-blizzard-2016-earnings-record
  • The massive scale of the company’s games and their online player bases mandates good security and fair gameplay with minimal exploits

SLIDE 4

TYPES OF VULNERABILITIES AND ISSUES

  • Divided into two categories
    • Gameplay vulnerabilities
      • Cheating through external software
    • Security vulnerabilities
      • Traditional “hacking” attacks on vulnerable software
SLIDE 5

GAMEPLAY VULNERABILITIES

  • Largely exploited through the use of external software
  • Offenses often result in the banning of the player from the game
  • Outlined in the End-User License Agreement (EULA)
  • For some (i.e., software distributors), results can be more severe
  • Prime example: “botting”
SLIDE 6

GAMEPLAY VULNERABILITIES

  • Botting: the use of external software to automate gameplay
  • A “bannable” offense if the user is caught
  • Reference: https://www.engadget.com/2010/06/07/the-lawbringer-the-history-of-blizzard-and-mdy-glider/
  • The results:
  • The offending “player” gains an unfair advantage over others
  • In-game economies can be disrupted through automated gathering of materials
  • Bots gather materials en masse to be converted to in-game currency, which is then sold for real-world currency
  • Reference: https://www.vice.com/sv/article/zn5pda/i-make-thousands-of-dollars-a-month-from-playing-computer-games

SLIDE 7

SECURITY VULNERABILITIES

  • Consists of more traditional attacks
  • Exploiting flaws in online Blizzard software
  • Stealing of private information
  • Offenses are often illegal and could result in more severe punishment
  • Potential for prosecution
  • Likelihood of attacks increased by the integration of Blizzard platforms and games with the internet
  • Examples: remote execution flaw on Blizzard Update Agent; account information leakage

SLIDE 8

SECURITY VULNERABILITIES

  • Google security researcher Tavis Ormandy discovered a remote code execution bug in the Blizzard Update Agent used to update games
  • Design allowed for commands to be sent to user’s computers, which were authorized using a system that could be exploited using a DNS rebinding attack
  • Ormandy sent a demo of the flaw to Blizzard, who eventually fixed the flaw
  • Flaw could have allowed attackers to infiltrate millions of player computers
  • Reference: https://www.csoonline.com/article/3250627/security/hackers-could-have-exploited-flaw-in-all-blizzard-games.html
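
A loopback HTTP service is commonly protected against the DNS rebinding weakness described on this slide by validating the Host and Origin headers before any command is handled. The Python below is an added example, not code from the presentation or from Blizzard; the port number, the header dictionary and all function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumptions for illustration: a hypothetical agent listening on this
# loopback port, and the names a local client may legitimately use for it.
AGENT_PORT = 8765
ALLOWED_HOSTS = {"127.0.0.1", "localhost", "[::1]"}


def parse_authority(value):
    """Parse 'host[:port]' into (host, port); None if missing or malformed."""
    if not value or any(c in "@/?#\\" or c.isspace() for c in value):
        return None
    try:
        parts = urlsplit("//" + value)
        host, port = parts.hostname, parts.port
    except ValueError:  # bad IPv6 literal, non-numeric or out-of-range port
        return None
    if host is None:
        return None
    return ("[" + host + "]" if ":" in host else host), port


def is_loopback_authority(value):
    """True only for an allowed loopback name with the agent's exact port."""
    parsed = parse_authority(value)
    return parsed is not None and parsed[0] in ALLOWED_HOSTS and parsed[1] == AGENT_PORT


def is_request_allowed(headers):
    """Decide whether a request may reach the command handlers.

    After a rebind the attacker's hostname resolves to 127.0.0.1, but the
    browser still sends that hostname in Host, so it fails the check here.
    `headers` is a dict keyed by canonical header names (constructed input).
    """
    if not is_loopback_authority(headers.get("Host")):
        return False
    origin = headers.get("Origin")
    if origin is None:  # non-browser client, or a request without Origin
        return True
    try:
        parts = urlsplit(origin)
    except ValueError:
        return False
    return parts.scheme == "http" and is_loopback_authority(parts.netloc)
```

Host validation complements, rather than replaces, authenticating each command with a secret that a web page cannot read.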

SLIDE 9

SECURITY VULNERABILITIES

  • Another attack: in 2012, Blizzard was hacked and information stolen
  • Information taken included email addresses, security question answers, and hashed passwords
  • Blizzard conducted an investigation and reported that accounts could not be accessed by attackers based on information stolen
  • Reference: https://www.forbes.com/sites/erikkain/2012/08/09/its-official-blizzard-hacked-account-information-stolen/#ef53f8a55d1b

SLIDE 10

HOW BLIZZARD DEFENDS ITS PRODUCTS

  • A technical solution: Warden, a piece of anti-cheat software
  • A legal solution: going after distributors of illegal software
  • A people-powered solution: relying on the reports of others
SLIDE 11

THE WARDEN

  • Warden is a piece of software that runs in the background of Blizzard games such as World of Warcraft
  • Scans processes and programs on your computer, checking for the presence of known cheating software or any forbidden program interacting with the game
  • Exact mechanisms and whether or not it is still used are not known, as it is proprietary software
  • Reference: https://www.engadget.com/2009/03/09/computerworld-on-blizzards-warden-at-work/
SLIDE 12

LEGAL BATTLES

  • Blizzard asked the creator of popular botting software “Glider” to cease distribution
  • Creator Michael Donnelly sues Blizzard, who files seven counterclaims against Donnelly
  • Ultimately, Blizzard wins most of its claims and Donnelly is ordered to pay damages and cease distribution of the illegal software
  • Reference: https://www.engadget.com/2010/06/07/the-lawbringer-the-history-of-blizzard-and-mdy-glider/
SLIDE 13

ADDRESSING REPORTED ISSUES

  • Security flaws can be reported by security researchers; in-game issues can be reported by players
  • Tavis Ormandy reported remote code execution flaw, which was eventually fixed by Blizzard
  • Reference: https://www.csoonline.com/article/3250627/security/hackers-could-have-exploited-flaw-in-all-blizzard-games.html
  • All Blizzard games offer in-game report systems
  • Players can report suspicious activity or flaws noticed in-game
  • Results vary for offenders, from warnings to account bans
  • Can lead to awareness of new botting and exploit techniques
SLIDE 14

THE TRADEOFFS OF ONLINE SECURITY

  • Cybersecurity is a series of tradeoffs
  • Blizzard and its products are no exception to this rule
  • As modern Blizzard software is almost entirely connected to the internet, this rule is even more applicable
  • Even this is a tradeoff: making online games requires heightened security efforts by the company

SLIDE 15

THE TRADEOFFS OF ONLINE SECURITY

  • The use of the Warden software to find cheaters has been criticized in the past for the methods it uses
  • It has gained notoriety and been called spyware
  • Since it works by scanning the programs that your computer is running
  • Reference: https://www.gamesindustry.biz/articles/spies-like-us-the-law-and-blizzards-warden
  • Has the potential to cause distrust in online player base
  • Represents a compromise by Blizzard of the benefit of catching cheaters versus the downside of having to scan other users’ computers
  • Again, please note: Warden may not be used in its current form anymore
SLIDE 16

THE TRADEOFFS OF ONLINE SECURITY

  • Security is essential for massive games like World of Warcraft
  • Blizzard must spend time and money ensuring the security of its products
  • As proprietary software, Blizzard likely uses several in-house security tools that are not publicly known
  • The responsible thing to do, but can increase time between product releases
  • Represents the essential overarching tradeoff between finishing a product quickly and ensuring sufficient security

SLIDE 17

WHAT SHOULD YOU DO?

  • Don’t cheat!
  • There’s a good chance you’ll get caught
  • Know what the software does where possible (i.e., what programs may be running while you play)
  • Modern Blizzard games are built in and around the internet, so beware of the risks of investing time and money in online services
  • Always the potential for data breaches or attacks, as with 2012 leak of account information
  • Reference: https://www.forbes.com/sites/erikkain/2012/08/09/its-official-blizzard-hacked-account-information-stolen/#ef53f8a55d1b

SLIDE 18

QUESTIONS?