telecoms
Applications
Broadband
Digital Content
Fabric
Mobile
pcs
Chips
Graphics
Hardware
Internet
Notebooks
Peripherals
Servers
Software
Unusual
outsourcing
BPO
Outsourcing
CRM
business
Financials
Legal
Logistics
Resellers
Retail
Security
NewsNow
RSS Feed
Friday, 5 December 2008 07:08 UK Bengaluru, India


 

Gaming is the next security risk

Vulnerabilities galore

By Copper Harding @ Sunday, August 10, 2008 9:37 AM

 
 

Ferdinand Schober presented his research into gaming security at Defcon 16 in Las Vegas over the weekend.

He provided an overview mostly focused on PC games. Some of the problems raised for PC games also apply to console based games but in general console based games are a bit more secure.

Games nowadays have a $15-$20 million development budget and there are three major industry publishers of games. The budget used to be $2-$3 million and it was a niche market. That has, quite obviously, changed with games like GT4 being reviewed in the New York Times.

The development cycle is still one to three years despite the rising cost and complexity of development and so there is more pressure on the development team. Engineering and security practices are then often cut due to time and money pressures to get a game to market. When game design was a niche market they made custom graphics engines, now due to time pressures designers are limited to re-using the engine from a previous game. There are about three graphics engines used for most games. This includes physics, scripting, and AI.

One exploit will affect multiple games. Another change in games is that middleware is now standard. Engines provide the features, but the rest of the look and feel is done through middleware. This again means that an exploit will work across multiple games. Distribution of games has moved from CDs and DVDs to digital downloads. Steam is the largest method of distribution. It provides content protection on top of the platform and automated patching which can be a vector for exploits.

Steam will send your playing information over the net even if you think you're playing an off-line game because of it's 'phone home' security model. The move to online games allows someone to sniff and discover usage patterns. Custom content provides an additional attack vector because it is automatically pulled into the game. The gaming platforms pride themselves on giving gamers community and that social networking can again provide opportunities for the nefarious type.

Developers are pressed for time and money - time is spend on making it pretty - that's what sells. Security is low priority 'It's just a game' Release games aren't all that stable so crashes are not raising suspicion. The player just thinks that it's the game that is unsecure. If an exploit crashes their system they are unlikely to flag it as a security issue. Ferdinand said that you should just google for the hacks cracks and trainers and you will find evidence of the risk to games and gaming PCs.

PC gamers often will disable most anything that allows them to get higher performance for the game. They are often disabling security features and running the game with full access to their PC. This means that if you use your PC for anything other than gaming it most likely has personal and sensitive information - such as information left from online shopping- and that means criminals can gain access to that information. Ferdinand summarized the issue with these numbers: Approximately 810 games were released in 2007.

Of those, 42 are considered major selling games. Thirty of those 42 games the developers reused the graphics engines. Only 12 of the 42 major games used a custom built graphics engine. This means that thirty of those games have one of three graphics engines and so a criminal's attempts are much more likely to hit a larger number of computers as the exploit will transfer across games if it enters through the graphics engine.

There are two third party distributions that are now in the games. First is in-game advertisements provided by external servers, this means that the ads can carry malicious code into the game. Also there are middleware that provides skins and other fun things for players that are not considered executable yet they are often carrying extra code. What can be gained:griefing and cheating, personal information, payment information, and existing virtual assets. Currently there are 14 million or more gamers in MMOs.

Account stealers, targeted at acquiring account credentials for MMOs, show that there are approximately 2.5 million users that have been infected. This means that the account is being used for other purposes or something as simple as a platform for sending out messages and to the community. That is about 18% of the total gaming user base. X

 
Copyright 2008 - ITExaminer.com  Terms Of Use  Privacy Statement  Contact Us