Posted By Nobunaga about 9 months, 2 weeks ago
It was really only a matter of time before another story of hackers gaining unauthorized access to a game company’s servers came to light, and this time Blizzard Entertainment has taken the hit, but is all as it seems? When the news broke yesterday that Blizzard Entertainment had suffered a “hack”, I grew suspicious… as a man who’s seen the Blizzard Campus for himself and seen behind the scenes of the gaming juggernaut, I had honestly believed that intrusion into their servers (after a hardware upgrade years ago) was largely impossible. Then again, nothing exists that is entirely unhackable, but to say the task of breaking into an electronic fortress is daunting would be an understatement. I decided to have a closer look…
Yesterday a release was sent out by Mike Morhaime through Blizzard’s main website stating that they had discovered unauthorized access to their network, and that a list of e-mail addresses (of players outside of China), the security questions tied to the e-mails in question, and authenticator information pertaining to those addresses had been accessed. In addition, a list of heavily encrypted passwords was also accessed; these are protected using the Secure Remote Password protocol (SRP), which makes cracking a listing of passwords essentially “more difficult than it’s worth”. Morhaime went on to say that there was no evidence to suggest that financial information had been accessed, but that they would be asking players to update their security question and password via an automated process in short order.
Since the story broke I’ve seen numerous stories suggest that Battle.net had been hacked, or even people suggesting that your financial information had been accessed (but Blizzard just doesn’t want you to know about it!)… I did a little investigating myself in order to discover if I did truly need to start changing passwords and cancelling credit cards, and what I found was at once troubling and comforting.
In my investigation and personal knowledge from previous experience and conversations with Blizzard employees, security is taken immensely seriously on the Blizzard Campus and in the company in general. There is a reason that leaks on the company’s projects either never appear or appear only a day or two before they were publicly announced to be released in the first place. Access cards are required, custom-written software and physical security exist on the Campus, and staff are monitored heavily, including their own executives. At Blizzcon once it was light-heartedly said that even Mike Morhaime has someone hired to watch him and file reports to the board. I can say for certain that’s not far from the truth.
So if Blizzard takes security so seriously, if Project Titan (their unannounced MMO project) is kept in a security lockdown building all its own and sensitive information requires layers of security access to get to, how does some hacker online slip through Battle.net’s security and retrieve our sensitive data? The answer is simple… they didn’t.
Even from another look at Morhaime’s letter to their customers, it becomes obvious that Blizzard’s online gaming network wasn’t compromised, but their local private network was. Battle.net is primarily an external entity with server farms at several points across the world all tied together. And while it makes it possible for gamers around the world to play together, it does not directly link back into Blizzard’s internal network, but rather to another server all its own… the dreaded “Authentication Server”, which if it goes down (as many a current always-online DRM Diablo 3 player knows all too well) makes it impossible to start up an (official) Blizzard game.
None of which provides access to the information listed above… but their internal network that is on-site at the Blizzard Campus does. In fact, a little digging brought up a worrisome fact: it is all too likely that an internal-network breach at a place like Blizzard means something had to be done to open their network to the outside. To say they take all matters of on-site security seriously is an understatement, so to have someone just run a few scripts and miraculously find themselves a wealth of information is practically impossible. What is possible, however, is an on-site breach of electronic security in the form of, say, a USB drive slipped into a Customer Service agent’s computer that opened an OS exploit that was thought to have been patched.
Considering the information accessed, it doesn’t take a Blizzard Insider to see it was most likely the customer service department which suffered the breach. Financial (“Billing”) information is stored in an entirely different server rack and area of the Campus than “Customer Information”. A customer service agent doesn’t need passwords to access customer accounts, though they obviously do require a password all their own. Such a password is easily captured via a keylogger or other monitoring program installed on the agent’s machine… and when the customer service account was then used outside of that staff member’s scheduled hours, Blizzard’s in-place security could easily have been alerted.
So what does all this mean in the end? Well it means it’s unlikely you yourself will be affected (as a former or current player of Blizzard games), but that it wouldn’t hurt you to change your password occasionally, with now being a mighty good time to do so. But beyond that, this wasn’t “Just another video game company getting hacked” as many have been reporting; it’s actually something much more worrisome, and I can assure you things are getting turned upside-down at the Blizzard Campus at the moment. Blizzard Entertainment suffered an immense breach of security that is being downplayed, but it wasn’t so much online security that was breached as local network security, perhaps even physical security…
Customer service agents only have access to limited information (the aforementioned Authenticators, e-mails and encrypted passwords) and use custom-designed proprietary software to interact with their databases… but if hackers are now going to slip past all the electronic and software protections by physical means just to get access to information already largely available by other means, that shows a certain level of intimacy with the company.
If hackers want the account information and financials of Blizzard customers, it’s far easier to do and has been done before on a mass scale. Years ago, in an effort to hack the accounts of hundreds of thousands of Blizzard’s customers, a hacker created a flash-game based around teaching World of Warcraft players the mechanic of a certain part of the game by simulating a specific interface and button layout and allowing players to practice before throwing themselves into the situation. This flash-game however contained an unknown Flash exploit which allowed the hacker to place keyloggers on countless computers across North America, resulting in one of the largest streaks of compromised accounts in the game’s history, and which soon after saw the introduction of Authenticators as a result.
So what does this all mean really? Well it does of course hint that we’re all too comfortable on the internet and that game companies are still a vulnerable part of our industry… and that no matter how much protection a company seems to have, they aren’t completely immune to getting hacked or intruded upon. It’s immensely troubling that hackers are now going to the lengths of physically compromising electronic security to do what they wish, but in the end not unexpected given the circumstances the industry has been rushing to address since the first onset of game-company hacks over the last few years.
What can we do? Well not a whole hell of a lot… change your passwords and hold onto your butts. I doubt the trend of hacked video-game companies is going to come to an end anytime soon.