4. Never give out your password.
5. Follow the company dress code.
Now you may be asking yourself “Follow the dress code?” Yes! If your avatar is conducting company business then follow the company dress code. In many virtual worlds, there are many clothing types. Do you want users to conduct business as (or with) a ring-tailed lemur in bunny slippers or would you rather work with an avatar in business casual attire? If your business does not enforce dress codes, then insist people use good judgment.
Be mindful that all actions will be public and may be visible for a long time. Many software tools exist to screen capture. If you or your users can see other avatar, they can see you. Every user within sight of an avatar has the ability to immortalize a single poor choice for the entire Web to see.
Understand the software client and connection – Each virtual world uses a client to connect to the server cluster. Every virtual world mentioned above requires that numerous ports and protocols are opened through the corporate firewall. Contact each virtual world service provider and research how each is open port is used. Just like their web counterparts, virtual world clients are subject to attacks.
The years 2006 and 2007 for example, saw an increase in the number of malware and Trojan programs written with the primary purpose of stealing passwords from virtual world users. These malicious programs utilized exploitable vulnerabilities (for example, the Web browser) to install password-stealing software or account "harvesting" programs.
The virtual world developed by Linden Lab, Second Life, has a client with its own XML HTTP Request that uses asynchronous callbacks; it gives the platform the capability to communicate with the Web on demand. Every object is scriptable and can be aware and active. In Second Life, a QuickTime file can automatically play on the machine of a user who enters another user’s virtual land or accepts a scripted object. Once played, the malicious QuickTime file can cause the user’s machine to do anything that file tells it to do (especially if the user is running Second Life under an account with administrative access (remember rule number 1!).
If you build it, accept that good and bad will come – Aside from password stealing on the client side, there is fraud that can be committed within the virtual world itself. There is also the potential for exploitation of scenarios that the developers (or users) never envisioned when designing the world or user created content.
For example: The attacks against Second Life such as the "Grey Goo" infestation where replicating objects brought about a shut down of the Second Life Grid for all but Linden Lab staff or the exploit in Blizzard Entertainment’s World of Warcraft that allowed "item duping" before the developers implemented a patch.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.