No security reprieve from Blizzard's Warden

Computerworld -

World of Warcraft (WoW) and other massively multiplayer online role-playing games (MMORPG) are the source of recent rumbling in the industry. The online gaming numbers are staggering, but the notion that a significant percentage of people is logging in from work is truly the stuff of executive nightmares.

The impact from lost work hours and the legality of alternate-currency businesses or "gold pharming" are worthy of discussion, but the alarm is a bit misplaced. Games have been a staple of computer workers' existence since J. Martin Graetz, Alan Kotok and others cooked up Spacewar! on a PDP-1 in 1961, and people have been exchanging virtual identities and goods for real money since the first multiuser dungeons (MUD) in the '80's.

Such games will always be with us, and the further up the knowledge-worker ladder one goes, the seemingly more essential their importance for blowing off steam. Modern role-playing games aren't my thing, but I'd much rather see a senior security officer ganking Blood Elves in a cathartic frenzy for 30 minutes on company time than losing her cool when cornered by a tightly wound executive in some postincident blamestorming session.

Yet there is a serious problem with gaming on the corporate network -- in fact, there are two. It's not with the games themselves and the effect of their use, but with software installation on an organization's computers by unauthorized individuals and the inclusion in that software of monitoring and self-help components. The former leads to all sorts of compliance issues. The latter leads to real risks of information disclosure and creation of new attack surfaces.

Monitoring and reporting

The Warden is not new in concept or execution. In response to widespread cheating on multiplayer online games, Blizzard Entertainment developed routines for detecting game cheats, eventually coalescing them into a distinct software component known as the Warden. The Warden is included with WoW, Diablo II and other Blizzard games.

When active, the Warden monitors program and process activity on the host computer, and it sends usage data and some desktop information (known to include at least the header of each open window) back to Blizzard's servers over the Internet. Blizzard says the Warden does not gather any personally identifiable information -- only data about the game account -- and only examines the gathered data for evidence of hack or cheat programs.

A representative of a WoW guild (a structured group of thematic players) told the BBC that many of its members support Blizzard's efforts to quash game cheats. "The concern most have is that the program has the capability to read text from open programs, potentially compromising the privacy of some sensitive programs. If someone is afraid of the program reading sensitive information from their programs, one possible solution is simply to not run any additional programs while playing World of Warcraft."