Security, A Human Problem
I don't play Second Life or any video games these days. If I had the time I would play Civ IV. Nevertheless, virtual worlds like SL are becoming increasingly interesting, as demonstrated by today's attack of the killer rings (pictured at left), also known as a "grey goo" attack.
This comment in the accompanying Slashdot post explains that it's possible for a rogue user to exploit vulnerabilities in Second Life and introduce code that performs a sort of denial of service attack on the game. The attack occurs when game participants decide to interact with the gold rings shown in the thumbnail from this site. It's similar to human penetration testers leaving USB tokens or CD-ROMs at a physical world place of business and waiting for unsuspecting employees to see what's on them.
This story illustrates two points. First, it demonstrates that client-side attacks remain a human problem and less of a technical problem. Second, I expect at some point these virtual worlds will need security consultants, just like the physical world. I wonder if someone could write a countermeasure at the individual player level for these sorts of attacks?
Update: Here's a YouTube video.
Comments
I don't play Second Life either (I prefer less reality-immersive games) but my friends and I have been following, with keen attention, the development of this game and community. People are falling into Second Life and being more in touch with their virtual reality than the real world. People make a living in SL, companies are being created inside the game, real companies are putting operations inside the game, holding meetings, conducting training (NETg deserves some pats on the back for quickly adopting online training in such an interesting space), and so on.
The implications of security issues in the game are just wild. Picking up those rings may have done nothing had the game been more secure on the code side? Is that technical then?
I totally suggest keeping an eye on the goings-on in SL. It is quietly becoming a crazy next level for the Internet and gaming and life in general. You made my morning by mentioning security consultants in the game! :) Don't you dare tempt some of us into getting lost in that game and taking away from the already understaffed real worlds!