
Meeting Report

Online Gaming Security
July 22, 2003


Online Gaming Security w/ Demetrius Comes at Incredible Technologies

The allure of creating an online gaming service is huge: look at EverQuest's 450,000 subscribers at about $12 per month, and do the math. So what is the downside to creating one of these online services? Huge development budgets? Long development cycles? Supporting a live team? For this discussion we'll focus just on the security issue. Creating an online gaming service opens the door to a huge array of security concerns, but it also presents solutions that are not viable in the boxed-game market. We'll discuss some of the security concerns I've experienced working in the security software, wireless and PC gaming industries.

Outline (subject to change)

  1. Online gaming security overview
    What do we have to secure?
    1. Credit card numbers
    2. The service's communication protocol
    3. Client-side memory
    What types of attacks can we expect?
    1. Host-based attacks (sometimes referred to as elevation of privilege), usually carried out via a buffer overflow
      - Network security: proper firewall and DMZ setup
    2. Elevation-of-privilege attacks in game (example: UO had a hack to make yourself a GM; E&B had a hack to give yourself unlimited credits)
    3. In-game time warp attacks
      1. If you crash a UO server after you die, your death may not be recorded.
      2. Defend against these by using an RDBMS (Oracle, SQL Server, MySQL, etc.).
    4. DoS
    5. DDoS (not unlike AC and AC2, and the SQL Slammer worm)
    6. ShowEQ-type attacks
    7. Internal security / disgruntled employees
      1. Database security
      2. Private key security
  2. Discuss the easiest of these to prevent: buffer overflows
    1. What is a buffer overflow?
    2. How do they work?
    3. Code an example of a buffer overflow.
  3. Discuss possible defenses against DoS, DDoS and memory hacking.
    1. Memory hacking: CRC64 checks over in-memory code.
    2. The server is authoritative, NO EXCEPTIONS.
  4. Discuss procedures to protect against internal security / disgruntled employee problems.
    1. Including a mechanism to age a public/private key pair.
    2. Ideal database setup (Oracle-specific)
  5. Types of encryption for the communication protocol
  6. Open the discussion up to questions.
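Item 2 of the outline promises a coded buffer overflow example. As an added illustration, not code from the talk or from Incredible Technologies, the C program below shows the bug in the shape a game server meets it and the bounded version that closes it. The layout is assumed for the example: a fixed 16-byte player name field followed directly by a credits counter, so an unchecked strcpy of an oversize name spills into the credits. The hardened setter reads an assumed length-prefixed wire field and validates the client's declared length against both the bytes actually received and the buffer's capacity before any copy. The packets are constructed for the example, not captured traffic.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout for this example: a fixed 16-byte name field followed
   directly by the credits counter, the field an overflow would clobber. */
#define NAME_MAX 16

typedef struct {
    char     name[NAME_MAX];
    uint32_t credits;
} player_t;

/* The pattern the talk warns about: the server trusts the client's string
   and copies it with no bound. A name of 16 or more bytes runs past name[]
   into credits. Shown for contrast only; below it is called only with a
   short, trusted literal. */
static void set_name_unsafe(player_t *p, const char *wire_name)
{
    strcpy(p->name, wire_name);
}

/* Hardened version. Assumed wire format: one length byte followed by that
   many name bytes. Every length is checked against what actually arrived
   and against what the buffer can hold before a single byte is copied. */
static bool set_name_safe(player_t *p, const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < 1)
        return false;                 /* no length byte at all */
    size_t declared = pkt[0];
    if (declared > pkt_len - 1)
        return false;                 /* claims more bytes than were received */
    if (declared >= NAME_MAX)
        return false;                 /* would leave no room for the NUL */
    memcpy(p->name, pkt + 1, declared);
    p->name[declared] = '\0';
    return true;
}

/* Constructed test packets (not real game traffic). */
static const uint8_t PKT_OK[] = { 5, 'A', 'l', 'i', 'c', 'e' };
static const uint8_t PKT_OVERSIZE[] = {
    40,
    'X','X','X','X','X','X','X','X','X','X',
    'X','X','X','X','X','X','X','X','X','X',
    'X','X','X','X','X','X','X','X','X','X',
    'X','X','X','X','X','X','X','X','X','X'
};
static const uint8_t PKT_TRUNCATED[] = { 10, 'B', 'o', 'b' };  /* says 10, sends 3 */

/* Applies a packet to a fresh player holding 100 credits.
   Returns 1 if accepted with credits intact, 0 if rejected with credits
   intact, -1 if the credits field changed (the overflow symptom). */
static int apply_packet(const uint8_t *pkt, size_t pkt_len)
{
    player_t p;
    memset(&p, 0, sizeof p);
    p.credits = 100;
    bool ok = set_name_safe(&p, pkt, pkt_len);
    if (p.credits != 100)
        return -1;
    return ok ? 1 : 0;
}

/* True if the packet is accepted and yields exactly the expected name. */
static bool name_equals(const uint8_t *pkt, size_t pkt_len, const char *expected)
{
    player_t p;
    memset(&p, 0, sizeof p);
    return set_name_safe(&p, pkt, pkt_len) && strcmp(p.name, expected) == 0;
}

int main(void)
{
    player_t q;
    memset(&q, 0, sizeof q);
    set_name_unsafe(&q, "Ada");       /* trusted literal: well-formed input behaves the same */
    printf("unsafe setter, short name: %s\n", q.name);
    printf("ok packet:        %d\n", apply_packet(PKT_OK, sizeof PKT_OK));
    printf("oversize packet:  %d\n", apply_packet(PKT_OVERSIZE, sizeof PKT_OVERSIZE));
    printf("truncated packet: %d\n", apply_packet(PKT_TRUNCATED, sizeof PKT_TRUNCATED));
    return 0;
}
```

The two rejections are the point: the oversize packet is refused because its declared length cannot fit the buffer, and the truncated packet is refused because it declares more bytes than it carries, which would otherwise make the server read past the end of the received data. Both checks happen before memcpy, which is why the credits field never moves.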
About Demetrius Comes - With over 12 years as a C/C++ programmer, Java programmer and Oracle DBA, he is currently Internet Technologies Director for Incredible Technologies. As a server programmer and Senior DBA for Electronic Arts he worked on Earth and Beyond and Renegade, and lent his security background to The Sims Online and Ultima Online. Prior to entering the PC gaming industry he worked as a senior developer for Internet Security Systems and as senior architect for a startup developing secure communication software for wireless handhelds.

July's meeting is sponsored by Technical Animations. Technical Animations has been providing outstanding products, systems, service and support in the video editing and 3D animation industry for over a decade. They currently carry DVD training for most of the Discreet products such as 3DS Max 5, Combustion 2, Reactor and Character Studio 4. They also have DVD training for all the Adobe products as well. Please visit their website for their complete line of over 300 products.