Monday, November 20, 2006

Security, A Human Problem

I don't play Second Life or any video games these days. If I had the time I would play Civ IV. Nevertheless, virtual worlds like SL are becoming increasingly interesting, as demonstrated by today's attack of the killer rings (pictured at left), also known as a "grey goo" attack.

This comment in the accompanying Slashdot post explains that it's possible for a rogue user to exploit vulnerabilities in Second Life and introduce code that performs a sort of denial of service attack on the game. The attack occurs when game participants decide to interact with the gold rings shown in the thumbnail from this site. It's similar to human penetration testers leaving USB tokens or CD-ROMs at a physical world place of business and waiting for unsuspecting employees to see what's on them.

This story illustrates two points. First, it demonstrates that client-side attacks remain a human problem and less of a technical problem. Second, I expect at some point these virtual worlds will need security consultants, just like the physical world. I wonder if someone could write a countermeasure at the individual player level for these sorts of attacks?

Update: Here's a YouTube video.

4 comments:

LonerVamp said...

Such cute little rings... :)

I don't play Second Life either (I prefer less reality-immersive games) but my friends and I have been following, with keen attention, the development of this game and community. People are falling into Second Life and being more in touch with their virtual reality than the real world. People make a living in SL, companies are being created inside the game, real companies are putting operations inside the game, holding meetings, conducting training (NETg deserves some pats on the back for quickly adopting online training in such an interesting space), and so on.

The implications of security issues in the game are just wild. Picking up those rings may have done nothing had the game been more secure on the code side? Is that technical then?

I totally suggest keeping an eye on the goings-on in SL. It is quietly becoming a crazy next level for the Internet and gaming and life in general. You made my morning by mentioning security consultants in the game! :) Don't you dare tempt some of us into getting lost in that game and taking away from the already understaffed real worlds!

Anonymous said...

There are a number of security firms already working for games companies. I have some friends doing code review for some of these games now. As the amount of money continues to surpass the movie industry I suspect they will continue to ramp up their security programs as well.

Richard Bejtlich said...

I mean inside the game, working for the players -- not the companies.

Chris_B said...

Code exploits in games are not new, though they may be amusing. What is more interesting to me is if companies are going to use SL as a venue for sharing internal information, how will they deal with the identity/trust and infosec issues which will arise? If the information to be shared is public, why not just post an intranet document? If it is at all sensitive, then any manager doing conferences in SL needs their head examined.