Monday, January 07, 2008

Sussy McBride Shouts: I got hacked

Thanks to Sensepost for reporting this story last month. They describe an advisory published by Charles Miller and Dino Dai Zovi whereby arbitrary characters in Second Life are digitally mindjacked and robbed. By walking on "land" owned by an attacker, and having Second Life configured to automatically display video, a victim's avatar and computer can be exploited via the November 2007 QuickTime vulnerability. In the YouTube video you can see "Sussy McBride" freeze, shout "I got hacked," and give her money to the attacker.

I am fascinated by this story because it is the natural progression from a 2006 post, "Security, A Human Problem," describing a Second Life denial of service attack. In that post I said:

First, it demonstrates that client-side attacks remain a human problem and less of a technical problem. Second, I expect at some point these virtual worlds will need security consultants, just like the physical world. I wonder if someone could write a countermeasure at the individual player level for these sorts of attacks?

I wonder if anyone in Second Life will start creating disposable bodyguard avatars to walk in front of highly-valued avatars, thereby acting as "digital mine detectors?"

6 comments:

mikee.netsec said...

I really feel like a majority of consumers view the Internet like they do Monopoly money. It isn't real, it can't hurt you, and who cares if you lose it.

Until people start to look at web browsers, rich content, and other 'interfaces' (like Second Life) as what they really are, portals for people you don't KNOW or TRUST to run CODE on YOUR system, they won't really comprehend computer security. Usually when I get a chance to explain this to senior personnel, they finally understand. However, before they understand, they are the ones asking for the rich content, Second Life, and other applications, all the while demanding administrator level privileges.

They get the physical security aspect for the most part. They won't let a stranger come into their homes, walk around, and leave just because they do some cool tricks, but they will let that same person come in and do the same thing on their computers. If a stranger walks up to them at the mall and hands them a package with instructions to take it into work, open it, and press the button, they know enough to refuse and probably call the police. If that same stranger sends them the same payload through email or a web browser, they will click the button every time.

The Second Life client interface is essentially an interface by which people that set up objects in Second Life can run the code on your system that displays the objects and sets the rules by which you can interact with it. It hasn't gone through the decade and a half of trials that web browsers have been through, and we all know how vulnerable they continue to be. I'm not saying Second Life is a bad thing, but treat the objects in there like you should be treating any web page you go to, with caution until you can trust it. Use the principle of least privilege, use sandboxed browsers, expendable characters (Bodyguards that Richard alludes to which I'm sure will come out any day) and other methods that may be prudent for running untrusted code of this type on your system.

Ok, just needed to get that out there. whew.

Anonymous said...

>>I wonder if anyone in Second Life will start creating disposable bodyguard avatars to walk in front of highly-valued avatars, thereby acting as "digital mine detectors?"<<

I recall a similar set up using androids or clones in Philip K. Dick's "Clans of the Alphane Moon."

I guess great, and slightly deranged minds, think alike.

Dominic White said...

There is already a growing security industry making defensive 'scripts' for Second Life. This is mostly situated around the combat areas. For example, check out the combat systems for sale at slexchange (http://www.slexchange.com/modules.php?name=Marketplace&file=item&ItemID=354824). For example, most systems can crash a remote client by exploiting a type of overflow (e.g. flinging a person into the sky over 2 billion meters makes their avatar fall apart), or will fling malformed objects at an avatar until it crashes, or just plain DoS attacks by spawning millions of prims that swarm around an avatar's viewpoint.

My personal belief is that the next 'step' is to either build in some sort of AV heuristic functionality into the SL client, or integrate it into existing AV software if the market gets big enough. Although, right now much of this is built into the various 'shields' on offer, which do all sorts of detections for badness. It wouldn't surprise me if someone hadn't already provided a shield that defends against the exploit.

Richard Bejtlich said...

Dominic,

That is very cool. Thank you for your post!

jbmoore said...

Richard,

You are talking about honeybots it sounds like. I doubt that the EULA would let people use a honeybot since it'd be a bot and the majority of bots built thus far allow some sort of cheating. How would the admins tell good bots from bad bots?

There seem to be two types of attacks being discussed, server-side and client-side attacks. The client-side attacks could be defended against using a proxy server or personal IDS/IPS to filter the datastream entering the client. Server-side attacks seem trickier. Some would have to be taken care of by the server admins. But how do you stop someone committing virtual homicide or rape? That's essentially the same as a zero-day exploit in the physical world (essentially being shot on the street). You'd need some sort of justice and law enforcement authority in Second Life to stop those attacks, if you can't write code to stop them.

John

Keydet89 said...

I've been doing some traveling lately, and I've been reading Neal Stephenson's "Snow Crash"...this sounds a LOT like what went on in the MetaVerse.

signed, Hiro Protagonist