Showing posts with label self-learning. Show all posts

3.16.2008

How to rescue orcs and spaceships

Hello, my name is Scott, and I'm a gamer. Sometimes it keeps me up way too late at night, but I care about my pretend space ships and the billions of Interstellar Kredits I've earned with them, and I'd be pissed if something happened to them.

A bit nerdy I realize, even for an information security blog, but it's true. There's no way to deny it, I do enjoy my online games. The fact is, though, I'm far from alone. Millions of people have been getting into one of the many massive multiplayer online games, from World of Warcraft to Second Life, from Lord of the Rings to EVE Online. Millions of people have invested incredible (some would probably say insane) numbers of hours in their wizards, pod pilots, hobbits, and a variety of other characters, constituting a huge investment of both time and money ($15 a month adds up). This has become my motivation as I decided to get my GIAC Certified Incident Handler Gold certification as the focus of my practical.

I've been fascinated by the numerous security exploits in various online games. From EVE Online's database hack to Charlie Miller & Dino Dai Zovi's Second Life exploit, it's interesting to see the unique factors that go into handling attacks in multiplayer online games. On one hand it's very much like a real economy: characters have assets, experience, and money of some kind. And yet it is very much different (you can't exactly roll back a week of financial transactions in the real world).

As a result I've chosen to make my practical for getting my GCIH Gold certificate a study on Incident Handling in online games focused on case studies of actual handling by various game operations teams. Here's my abstract:


While generalized incident handling practices are essential to any system or network they do not always meet the needs of specialized systems. These systems have needs that go above and beyond the usual, and must be handled with unique attention to specific hosts, their functions, interactions, and overall system architecture. However in these specialized systems with similar functions there may be a way to generalize even the specialized requirements.

As massive multiplayer online games (MMORPGs) continue to grow, through games like World of Warcraft, Second Life, and EVE Online, the amount of money being funneled into them grows as well. Where the money goes, so do the criminals, and as such online games are increasingly coming to light as targets for malicious attackers. Whether attacking for financial gain or to simply gain the upper hand in gameplay, more and more vulnerabilities are being discovered and exploited in online games.

MMORPGs are unique environments: worlds with their own economies and populations, players with their own experiences and assets, all of which are unique and important to the users who have invested hours upon hours into their virtual personas. This combination and complexity creates the vibrant and unique environments that make these games interesting to play, but also creates nightmare tradeoffs that an incident handler must respond to in the event of a compromise.

This leads to a need for unique handling of incidents and thus a unique set of processes to be followed. This does not supersede the generalized handling guidelines, nor could it be completely comprehensive, but there can be generalized incident handling guidelines for online games, a superset of generalized incident handling guidelines such as those taught in the SANS 504 course.

To this end I would like to research and develop such a set of specialized handling guidelines, based on the proven general handling techniques from SANS, for consideration of incident handlers working on massive multiplayer online games. These will focus on the unique challenges and options available to handlers in online games, and will be based in large part on case studies of how such incidents have already been handled in current online games. Additionally it will include a survey of major online games, trying to gain as much insight as possible into how they currently structure their handling, in order to add as much real world experience into this effort as possible.

Even though it results in writing a paper and being uber-whitehat, I'm kind of excited about writing this paper. Looking at attacking/defending online games is just beginning to get attention. That is somewhat surprising in itself since the online gaming industry is already doing billions of dollars yearly and continues growing. Nothing is quite as much fun as breaking new ground.

So now for you, my readers, I have a request: What are your thoughts and insights on my abstract for my paper and on the topic in general? I'm very eager to hear what you have to say. Feel free to leave comments, send email (scott.roberts[at]vulnerableminds[dot]com), or send a carrier pigeon; I'm interested to hear what you have to say.

2.07.2008

CTF is coming & VM is recruiting


It may be a couple months away but Vulnerable Minds is getting ready for one of the best parts of the year. No, not Christmas, Defcon. Say what you want about the Riviera, but Defcon is definitely one of the biggest events in the hacking community. Last year Vulnerable Minds competed for the first time in the Defcon qualifier, hoping to earn a spot to play CTF in Vegas.

Vulnerable Minds put in a good effort and did well for our first attempt. Out of 170 teams participating we ended up placing 30th, besting a number of very talented teams.

So now it's time to turn our thoughts towards this year's competition. Vulnerable Minds is looking to build off last year's strong showing and do even better this year. To that end we are looking for talented hackers interested in playing CTF, qualifying, and going to Defcon to play: reversers, sploit coders, forensics gurus, even defensive specialists. DC area is preferred.

Not sure if this is your cup of tea? Check out information about qualification and CTF from the past two years from the L@stplace team (Winners the past two years at Defcon).

Interested? Fill out this handy contact form and we'll get in touch with you.

4.24.2007

My Lunchtime Hack

If you're anything like me and you have a lot on your plate at work you may be inclined, as I often am, to take lunch at your desk. It's a common thing and often lets me get extra things accomplished without staying later than I already do. Still there is something to relaxing a bit away from the office when I usually go out to lunch.

I've since found a respite to go with whatever I packed for lunch. At the recommendation of al3x I started checking out Google's TechTalks. Google describes them as being "...designed to disseminate a wide spectrum of views on topics ranging from Current Affairs, Science, Engineering, Humanities, Business, Law, Entertainment, Medicine, and the Arts," and they live up to it. More than a few are even security related, and not just any script kiddies.



So I recommend getting your sandwich/salad/whatever, putting on some headphones, and really learning something next time you have a few minutes.

4.14.2007

Sometimes it's better to sleep on it

But no gold star. Reading further information from Microsoft in regards to the current Windows Server DNS RPC vulnerability I read this new post on the Microsoft Security Response Blog: More information on Microsoft Security Advisory 935964. Now I really appreciate Microsoft's efforts at transparency, I really feel it's the Microsoft Security Response Center's best trait, and something other security shops at large companies could learn from.

I was a bit worried though when I read the following line:

"Our teams worked overnight to identify workarounds that could protect customers while we worked on an update."

Now, I really appreciate the efforts, but if you saw the recommendations you might be a bit concerned for the Microsoft Security folks. They lost a whole night of sleep to come up with their remediation actions: 3 different ways to turn the service off and the recommendation that you block the ports (all 3976 of them). Now I realize I'm oversimplifying a bit, but not that much.

So yeah, add to that all the ANI fun, mostly the whole "working against Vista/IE 7", and maybe my recent faith in Microsoft came a bit too soon. Such is life though, and I'm going back to setting up Win2k3 and its DNS server with all its RPC muckiness in VMware so I'm ready when that PoC goodness drops. Until then I'm gonna spend my day shooting a few of the other Minds. Gonna be a good day.

4.10.2007

ShmooCon '07 Hack or Halo Virtual Machines Released

Thanks to the ShmooCon 2007 Hack or Halo staff for a great competition this year and a hearty congratulations to fellow Vulnerable Mind LogicX (Mike) for winning the Hack portion. The HoH staff has made the FreeBSD virtual machine available for the public to play with and learn from. You can find it at any of the mirrors below. Thanks to Mike, Tim, and Steve for hosting mirrors. Enjoy!

The image is 1.92 GB and also contains instructions and the packet captures from the competition. Torrent file coming soon. To unzip the file, you may need to download 7Zip (available for nearly all OSes).

MD5 [HoH.7z] = 5fe686660f74d50e2624b963dc34f420

Update: Everything should be fixed now.

Fastest (FTP)
Faster (HTTP)
CoBlitz Mirror (HTTP)
Fast (HTTP)