Security Policy Considerations for Virtual Worlds
by Jeff Surratt - Thursday, 24 July 2008.
Understand the software client and connection – Each virtual world uses a client to connect to the server cluster. Every virtual world mentioned above requires that numerous ports and protocols are opened through the corporate firewall. Contact each virtual world service provider and research how each is open port is used. Just like their web counterparts, virtual world clients are subject to attacks.

The years 2006 and 2007 for example, saw an increase in the number of malware and Trojan programs written with the primary purpose of stealing passwords from virtual world users. These malicious programs utilized exploitable vulnerabilities (for example, the Web browser) to install password-stealing software or account "harvesting" programs.

The virtual world developed by Linden Lab, Second Life, has a client with its own XML HTTP Request that uses asynchronous callbacks; it gives the platform the capability to communicate with the Web on demand. Every object is scriptable and can be aware and active. In Second Life, a QuickTime file can automatically play on the machine of a user who enters another user’s virtual land or accepts a scripted object. Once played, the malicious QuickTime file can cause the user’s machine to do anything that file tells it to do (especially if the user is running Second Life under an account with administrative access (remember rule number 1!).

If you build it, accept that good and bad will come – Aside from password stealing on the client side, there is fraud that can be committed within the virtual world itself. There is also the potential for exploitation of scenarios that the developers (or users) never envisioned when designing the world or user created content.

For example: The attacks against Second Life such as the "Grey Goo" infestation where replicating objects brought about a shut down of the Second Life Grid for all but Linden Lab staff or the exploit in Blizzard Entertainment’s World of Warcraft that allowed "item duping" before the developers implemented a patch.

So what is the big deal with duplication? In the case of the “Grey Goo” item replication resulted in a denial of service (DoS) due to database loads. Outside of that, in virtual worlds, items hold a value. Just as it is in the real economy value is determined by demand or rarity. If I can flood the market with perfect copies of your virtual product then I can drive down demand by making it less rare or I can sell my copies for much less and undersell you. In Second Life, this could lead to legal consequences as the users hold the intellectual property rights to items they create. If a user is in the virtual world on a directed business initiative, the employer may hold the rights depending on the employment contract or agreement.

There is much to gain by embracing a growing population of virtual world users, but there is nothing virtual about the business consequences of a lapse in judgment.

Jeff Surratt, CISSP MSIA, has seventeen years of experience in IT and information security. Jeff holds a degree in Internetworking Technology from Strayer University and a Masters degree in Information Assurance from Norwich University.


Critical bug found in Cisco ASA products, attackers are scanning for affected devices

Several Cisco ASA products - appliances, firewalls, switches, routers, and security modules - have been found sporting a flaw that can ultimately lead to remote code execution by attackers.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Fri, Feb 12th