VWs require developers to be vigilant for new vulnerabilities and attacks, say Barbara Endicott-Popovsky and Aaron Weller.
As with many technologies, the rate of corporate adoption of virtual worlds (VWs) has outpaced the rate that effective controls have been developed to protect both users and the virtual environments themselves. As information security professionals, how can we make VWs a better place to live and work?
As virtual worlds become more functional, they also become more valuable, both to their users and to potential attackers. The total GDP of Second Life, one of the most popular VWs, was estimated at around $500m in 2007 – larger than the GDP of some small countries. In August of 2009 alone, nearly half a million users spent money in Second Life.
Dramatic growth in the virtual world economy has resulted in increases in the kinds and numbers of attacks. While early attacks focused on gaining control of in-world resources or disrupting user experience, more recent attacks aim at gaining access to real-world resources, like user bank accounts.
A VW is essentially a connected system of components, each of which can be modeled. This leads to understanding what the attack surface looks like, the key vulnerabilities of each and how they might be defended against.
Code on a client machine can be manipulated, either by changing the code itself or changing the way that it interacts with the VW server. A software security analyst at Independent Security Evaluators demonstrated a flaw in QuickTime (used by Second Life to play videos) by wrapping malicious video around a small pink box inside the game that users couldn’t resist opening. Once “opened,” the malware enabled remote manipulation of the user’s computer. Defensive programs, such as PunkBuster, now can control what other programs can run at the same time as the game client, performing checksums on key files to ensure their integrity.
As well, VWs are no different than other software environments: They require developers to be vigilant for new vulnerabilities and attacks. A 2008 cyberattack on a web server resulted in the creation of an SQL injection flaw. The flaw left Second Life customer data exposed, enabling hackers to run arbitrary SQL commands on a back-end database, invalidating all user passwords.
Another question is how do we validate identities when the consequences of reliance are great? Attending class in a VW implies reliance on the content delivered by the professor/avatar. We pay money for the privilege. How do we know that the content delivered is sound? New validation paradigms are needed.
Users of gaming VWs (for example, World of Warcraft) could be tempted by anything that might give them an advantage in the game world. Recent attacks exploit this characteristic by promising to show how to achieve objectives by downloading malware that enables the attacker to steal credentials or set up backdoors on a user’s machine. We need heightened user awareness through training that sensitizes users to such scams.
It is likely that the business use of VWs will expand in the future, just as business use of social networks has. While not a new phenomenon, attacks against VWs deserve more attention as the technology becomes more mainstream and blended attacks result in real-world losses.
Barbara Endicott-Popovsky is director of the Center for Information Assurance and Cybersecurity at University of Washington Information School. Aaron Weller is managing director of Concise Consulting Group.