Virtual Worlds, Real Cheaters

The author of a new book, "Exploiting Online Games," says that cheaters are infesting online worlds like World of Warcraft and Second Life, and they could become a threat to mainstream business systems.

Larry Greenemeier, Contributor

July 16, 2007


Cheaters are following legitimate users into virtual worlds such as World of Warcraft and Second Life. And the techniques those cheaters learn can become a threat to service-oriented architectures used for business.

Cheating in online games has led to lawsuits and efforts from game makers to spy on their players.

Such cheating also could become a security problem within the massively distributed systems that many companies have deployed or are renting from service providers to act as the foundation for their service-oriented architectures, Gary McGraw, a security researcher and CTO for security services provider Cigital, told InformationWeek. "If you think about the kinds of security issues tied in with MMORPGs, they're an indicator of things to come as we adopt SOA," he said.

Online games are designed to follow the client/server model, and there are millions of people playing these games while connected to a server, which has to keep track of all the information about the virtual world in which the gamers operate. This information includes, for example, the X, Y, and Z coordinates for a gamer's avatar. If the server can be attacked and these coordinates changed, the gamer is able to essentially "teleport" his character throughout this virtual world regardless of the movement rules established by the game, said McGraw, whose new book "Exploiting Online Games," written with fellow security researcher Greg Hoglund, debuts this week. What's to stop business users from doing the same to business applications?
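The defensive counterpart to the "teleport" scenario is a server that treats every reported position as untrusted and checks it against the movement rules before updating its authoritative state. The sketch below is an added example, not code from the article, the book, or any game; the speed limit, tolerance, function names, and sample updates are all assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass

MAX_SPEED = 7.0   # assumed movement rule: world units per second
TOLERANCE = 1.10  # assumed 10% slack for network jitter

@dataclass
class AvatarState:
    x: float
    y: float
    z: float
    t: float  # server receive time of the last accepted update, in seconds

def validate_move(state, new_pos, now):
    """Return (accepted, state, reason). The server's copy of the position
    only advances when the reported move obeys the movement rules."""
    if len(new_pos) != 3 or not all(
        isinstance(c, (int, float)) and math.isfinite(c) for c in new_pos
    ):
        return False, state, "malformed coordinate"
    dt = now - state.t
    if dt <= 0:
        return False, state, "non-increasing timestamp"
    dist = math.dist((state.x, state.y, state.z), new_pos)
    allowed = MAX_SPEED * dt * TOLERANCE
    if dist > allowed:
        return False, state, f"moved {dist:.1f} units, limit {allowed:.1f}"
    return True, AvatarState(*new_pos, now), "ok"

def replay(updates, start):
    """Apply (time, (x, y, z)) updates in order; collect the rejected ones."""
    state, rejected = start, []
    for now, pos in updates:
        ok, state, reason = validate_move(state, pos, now)
        if not ok:
            rejected.append((now, pos, reason))
    return state, rejected

# Constructed sample: two normal steps, a "teleport", a NaN, a normal step.
SAMPLE = [
    (1.0, (5.0, 0.0, 0.0)),
    (2.0, (10.0, 0.0, 0.0)),
    (2.5, (900.0, 40.0, 0.0)),
    (3.0, (float("nan"), 0.0, 0.0)),
    (3.5, (18.0, 0.0, 0.0)),
]

if __name__ == "__main__":
    final, bad = replay(SAMPLE, AvatarState(0.0, 0.0, 0.0, 0.0))
    print(final)
    for entry in bad:
        print("rejected:", entry)
```

Rejected updates leave the stored position and timestamp untouched, so they double as a log of rule violations for later review.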

With the gaming market expected to reach $12 billion in annual revenue by 2009, game developers have a strong incentive to keep their players honest. This has led to an arms race of sorts between less honest gamers and the software companies that produce the games. "These software companies are installing spyware to make sure gamers aren't cheating," McGraw said, adding that World of Warcraft does this through a piece of software it calls The Warden. In response, McGraw and his colleagues wrote a piece of software they call The Governor, which tracks The Warden. "The Warden reports on non-World of Warcraft items that reside on gamers' computers," he said, adding that it can track the version of Windows that the gamer is using and even what they're writing in their IMs.

Games and virtual worlds also have online economies that map back to the real economy. Internet Gaming Entertainment, which McGraw estimates saw about $400 million in revenue last year, has been in business since 2001 selling virtual gold or other items that can be used to improve one's standing in online games, including Final Fantasy VI, Lord of the Rings Online, and World of Warcraft. One player in October 2005 even paid MindArk--makers of the Project Entropia game--$100,000 for the rights to a virtual asteroid space resort, McGraw said. In Second Life, the gamer has some property rights to land and artifacts within the virtual world, which is interesting in a legal sense, McGraw said, adding that one player managed to find a bug in the Second Life program where he could bid on virtual real estate that wasn't yet open for auction. "He became a real estate baron by exploiting a bug in their system, using URL manipulation," he added.

Marc Bragg, a lawyer in West Chester, Pa., approached the virtual world as a money-making opportunity, something Second Life maker Linden Lab didn't appreciate. In May 2006, he filed suit against the company, alleging that it unfairly confiscated thousands of dollars' worth of his virtual land holdings by shutting down his account. Linden Lab and some Second Life members have accused Bragg of breaking into HTML code on a virtual real estate auction list and buying virtual land for much less money than he would have paid in a public online auction. Bragg, who made money on the virtual land by renting it out to other Second Life users, claims that Linden Lab froze about $8,000 worth of virtual assets and refused to reimburse him.

Linden Lab, which develops and operates Second Life, used to say that users owned property in the virtual world. Now it uses more general language: users own licenses to the property, legally similar to software licenses in the real world.

The list of infractions continues, including money-laundering through online games and other virtual investments. But McGraw's main contention is that these security issues may have broader implications for how business will use distributed software and defend against similar tactics in the future.
