modified version of Virtual World Security Threat Matrix (Lee 2007)
The
following discusses a series of major security incidents which have occurred
within Second Life. The discussion of the security incident is then mapped to
the modified version of Virtual World Security Threat Matrix (Lee 2007).
Security
breach of user details
In
September 2006 a hacking attack upon Second Life’s database led to the real
life personal information of Second Life residents to be breached (BBC 2006a;
Lazarus 2006). While much of the data was encrypted, there was a risk of
identity theft and financial frauds as a proportion of Second Life residents
have registered their credit card details to convert real life currency to
Linden Dollars and vice versa. Linden Lab immediately required all users to
change passwords after the attack (Fost 2006).
Applicable
Threat Dimension(s): I & II
The
“Grey Goo” attack
Worm-like
malicious virtual objects appeared at various locations on the Second Life Grid
in November 2006. The golden ring- shaped virtual objects flooded various
Second Life locations by self- replicating. They caused disruption to the
Second Life teleportation service, account balance and the rendering of avatar
clothing (BBC 2006b; Lemos 2006). The incident was termed a Grey Goo attack as
the maliciously coded virtual objects share many similarities with out of
control nanotechnology robots that self-replicate and consume all available
physical resources. An outright ban on self-replication scripts was not
possible as that would limit legitimate use of self-replication for coding
virtual objects. Unlike virtual worlds such as There.com, Second Life residents
need not submit virtual objects to Linden Lab for approval before the objects
could be introduced in the virtual world. Furthermore, Linden Lab encourages
Second Life users to create innovative virtual objects, such as virtual plants
that grow, multiply, and interact with avatars and virtual environmental
elements Although Linden Lab was able to respond to the Grey Goo attack
quickly, the incident highlights the vulnerability of the Second Life Grid to
attacks by malwares, computer viruses and worms.
Applicable
Threat Dimension(s):II, IV, VI & VIII
Griefing
attacks
Griefing
is an anti-social behaviour that shares many similarities with bullying
(Chesney et al. 2007), harassment and vandalism. Griefing is defined as an
intentional act that is enjoyed by the attacker, the griefer, and one that
affects the victim’s experience negatively (Foo and Koivisto 2004). Attackers
often take advantage of loopholes and weaknesses in the virtual world mechanism
or policies. A griefing attack may target an avatar, an organisation, a virtual
location, or a virtual event. In an attack on an avatar, the attacker may use
push weapons to displace a victim or override the movement or capabilities of
the victim. Griefers have also been known to plant malicious tools and virtual
items at virtual locations, or visually vandalise the space by clouding it with
large virtual objects that carry disparaging text or graphic. Denial of
Service-like griefing attacks occur when a large number of attackers swamp a
virtual location or virtual event, generating excessive avatar traffic.
Griefers may also attach computing -intensive virtual objects onto their
avatars when they visit a virtual location to overload the server that renders
the graphics for the virtual location. In December 2006 a real-time CNET
interview conducted with Anshe Chung (the avatar of Ailin Graef, a virtual
entrepreneur) held in Second Life was severely disrupted by griefers (Terdiman
2006a). In the end the interview had to be moved to an alternative virtual
location.
Applicable
Threat Dimension(s): IV, V, VI & VIII
Copybot
Another
well documented security incident in Second Life relates to the existence of a
Copybot application that makes unauthorised copies of virtual objects and
avatars (BBC 2006b; Terdiman 2006b). The Copybot application violates Second
Life’s Terms of Service which stipulates that Second Life residents retain full
intellectual property for digital content created in Second Life (2007k). The
Copybot application was originally used by developers for debugging purposes,
so that developers could import/export digital content into the Virtual World.
The application subsequently modified to make unauthorised copies of virtual
objects. Although the Copybot application does not operate within the Second
Life Grid and does not interfere with Second Life server performance, it rocked
the Second Life economy as virtual objects that are usually sold for a price
could be copied free of charge. After much protest by residents and businesses,
Linden Lab has banned the use of Copybots and declared its use an infringement
of copyright. However, Second Life residents whose virtual objects or avatars
have been copied will still need to take individual action against the
perpetrator.
Applicable
Threat Dimension(s): II & III
Second
Life Permission Request Weakness
Second
Life residents may allow their avatars to interact with scripted virtual
objects in the virtual world. By accepting a permission request emitted by a
virtual object, a monetary payment of L$ to the owner of the virtual object may
be initiated, or the avatar’s movement may be animated. The permission request
system could be abused to hide fraudulent and unauthorised monetary
transactions, such as charging a price for a virtual object appears visually as
a freebie (Second Life 2007l) . Once a permission request has been granted, the
Second Life resident is not able to pause, cancel or revoke the process.
Applicable
Threat Dimension(s): I, II, III, IV, VI, VII & VIII
Posted by : Nur Asma Husna Abd Samat
No comments:
Post a Comment