Troubles and security issues in SecondLife and other virtual worlds

The Mercury News reports that savvy security researchers have found a flaw in the Second Life virtual world that allows them to strip a user’s character of all of its in-world money.

Charles Miller and Dino Dai Zovi, two experienced hackers, claim they have found a vulnerability in the way Second Life protects a user’s money inside the virtual world from being stolen. It has significance because that currency, dubbed Linden dollars, can be converted into real world dollars. But the risks for Linden Lab, the San Francisco operator of Second Life, are limited because the researchers say the flaw can be quickly patched.

Miller, a researcher at security firm Independent Security Evaluators in Baltimore, gained some notoriety this summer when he found a way to hack Apple’s iPhone. He said that he and Dai Zovi found the flaw by exploiting a known problem with Apple’s QuickTime movie playback software, which is used to play movies inside the virtual world. That QuickTime flaw was exposed on Monday and the pair completed their hack in a few days. That gave an opening to Dai Zovi and Miller, who had been mulling over Second Life security for months.

The exploit works because Second Life allows users to embed videos or pictures on their characters or their virtual property. When someone comes nearby and is within view of the object, the Second Life software activates QuickTime so it can play the video or picture. In doing so, QuickTime directs the Second Life software to a web site. By exploiting the flaw in QuickTime, the hackers can direct the Second Life software to a malicious web site that then allows them to take over the Second Life avatar.

When we last tried to reach the page at ISE where the security problem is said to be explained in detail, the page http://www.securityevaluators.com/sl did not open.

In another story, Swedish authorities said in January 2007 they would clamp down on Swedes earning money through Internet games such as Second Life.

Indeed, while Second Life may have started as a utopian world where gamers, geeks, and technophiles could gather and immerse themselves into the pure and innocent escapism of a genuine second life, the rocketing popularity of Linden Lab’s online world has now begun attracting the attention of people intent on destruction, and even violence, reports the Concorde Monitor.

Here are some recent incidents that happened in Second Life and other virtual worlds around the Internet.

  1. Australian broadcaster ABC has its luxury island turned into a crater by angry hackers.
  2. Worrying reports of rape and child abuse have started to gather around the supposedly idyllic existence to be ‘enjoyed’ in Second Life.
  3. The above-mentioned rape incident, which took place earlier in 2007, caused outrage, with one virtual avatar sexually assaulted by another.
  4. The police in Belgium opened an investigation into, not who perpetrated said rape, but whether an actual crime had been committed.
  5. A 17-year-old Dutch teenager was arrested this week on suspicion of stealing furniture worth £2,800 from a hotel room in the three-dimensional world Habbo Hotel, a children’s game that only exists on the internet.
  6. German authorities have also homed in on an incident of sexual abuse involving live images of a child avatar having simulated sex with an adult avatar.
  7. Virtual gangs killing off lone in-game players and stealing their wares, which are later sold on for real-world profit.
  8. Shanghai-based 41-year-old Legend of Mir 3 online gamer stabbing another cheating player repeatedly in the chest after he stole an in-game weapon reportedly worth some $850 USD.
  9. British cops will be going undercover in Second Life to investigate depictions of adult-child sex and track down pedophiles.

All of this, of course, prompts the question of whether a virtual world such as Second Life should be governed by a virtual police force.

Independent Security Evaluators’ mission is to provide the outside technical resources companies need to control their technology risk. The experts at ISE have vast experience in every facet of security. The team includes computer scientists, electrical engineers, and cryptographers. ISE experts have testified before Congress, served as expert witnesses, participated in creating standards, and evaluated systems for both government and private industry.

ISE researchers have published several influential books and dozens of scientific papers in the top refereed conferences and journals. They have also analyzed and helped repair several widely used commercial systems. ISE was formed to offer this expertise to the private sector.

On the other side, in response to the security issues pointed out by the hackers, Joe Miller, VP, Linden Lab in San Francisco, CA has replied:

I want to reiterate that this is an Apple QuickTime issue, not a flaw inherent in Second Life, and as such, affects all platforms and browsers that use QT. Second Life remains a viable environment for conducting business, with a stable economy and the appropriate Resident and economic controls in place.

Linden Lab alerted all Second Life Residents of this exploit both on the official Linden Lab blog and at log-in on Friday afternoon. In addition, the Second Life community is doing a great job of spreading the word, and letting their fellow residents know about the potential issues surrounding the use of QT. I can assure you that no other affected platform is communicating with their customers as thoroughly as we are.

We have measures in place to deal with this type of exploited vulnerability – including the ability to log and track URLs, identify the attackers and take the appropriate measures, as well as making sure that affected Residents are reimbursed if they should lose any Linden dollars.

We’re hopeful Apple will remedy this problem as soon as possible, and we pledge to alert Residents as soon as the fix has been made.

According to Second Life’s website, there were 6,491,898 residents in its alternative reality. Second Life, created by San Francisco technology company Linden Lab, has attracted several real-world companies, including car manufacturers and sports clothing makers, which created 3-D stores.

Second Life is a 3-D virtual world entirely created by its Residents. Since opening to the public in 2003, it has grown explosively and today is inhabited by millions of Residents from around the globe. From the moment you enter the World you’ll discover a vast digital continent, teeming with people, entertainment, experiences and opportunity. Once you’ve explored a bit, perhaps you’ll find a perfect parcel of land to build your house or business. You’ll also be surrounded by the Creations of your fellow Residents. Because Residents retain the rights to their digital creations, they can buy, sell and trade with other Residents. The Marketplace currently supports millions of US dollars in monthly transactions. This commerce is handled with the in-world unit-of-trade, the Linden dollar, which can be converted to US dollars at several thriving online Linden Dollar exchanges.

Other virtual worlds include:

Entropia Universe ( http://www.entropiauniverse.com/ ), the Swedish virtual world, which had a turnover of $365m last year.

Habbo ( http://www.habbo.com/), owned by a Finnish company, Sulake, boasts more than 80 million members today.

VOY Plaza Virtual ( http://www.voyplaza.com/vpv.html )

There.com ( http://There.com.com )

Club Penguin ( http://www.clubpenguin.com/) recently sold to Disney.

Active Worlds ( http://www.activeworlds.com/ )

Barbie Girls ( http://www.barbiegirls.com/ )

Cyworld ( http://us.cyworld.com/ )

Dubit ( http://www.dubitchat.com/ )

Faketown ( http://www.faketown.com/ )

BBC’s Adventure Rock ( http://bbc.co.uk/cbbc/adventurerock )

World of Warcraft ( http://worldofwarcraft.com )

Gaia ( http://www.gaiaonline.com/ ). The game has just got funded by Sony Pictures.

IMVU ( http://www.imvu.com/ )

Kaneva ( http://www.kaneva.com/ )

Millsberry ( http://millsberry.com/ )

Mokitown ( http://www.mobile-kids.net/ )

Neopets ( http://www.neopets.com/ )

Red Light Center (NSFW) ( http://redlightcenter.com/ )

Webkinz ( http://www.webkinz.com/ )

Zwinktopia by InterActiveCorp ( http://www.zwinktopia.com/ )

Openlife Grid ( http://www.openlifegrid.com/) Public Grid with Opensim Technology.

ViOS – ViOS 3D Internet Viewer ( http://en.wikipedia.org/wiki/ViOS )

Whyville ( http://www.whyville.net/top/index.html )

Citypixel ( http://www.citypixel.com/ )

Weblo ( http://www.weblo.com/ )

  

Via

[ http://www.mercextra.com/blogs/takahashi/2007/11/30/exclusive-hackers-say-they-can-pick-pockets-of-characters-in-second-life-virtual-world/ ]
[ http://www.kb.cert.org/vuls/id/659761 ]
[ http://www.securityevaluators.com/sl/ ]
[ http://secondlife.com/whatis/ ]
[ http://www.thelocal.se/7347/20070518/ ]
[ http://www.guardian.co.uk/technology/2007/nov/17/internet.crime ]
[ http://metasecurity.net/2007/06/05/crime-rife-in-virtual-second-life/ ]
[ http://www.techcrunch.com/2007/08/05/virtual-world-hangouts-so-many-to-choose-from ]
[ http://en.wikipedia.org/wiki/Virtual_world ]
[ http://www.virtualworldsreview.com/ ]
 

Microsoft Acquires WebFives, yet another multimedia sharing site

Microsoft has acquired yet another photo/video and audio sharing site called WebFives.

The agreement was reached during November 2007, and according to it Microsoft has acquired all rights to WebFives technology, patents pending, trademarks, and software to incorporate into its products and services over time. In order to make WebFives’s wind-down process as easy as possible for its users, Microsoft has agreed to provide the company with a license to continue operating WebFives until the end of the year, giving users time to copy any information they would like to keep to their own PCs or another service prior to the end of the year.

WebFives was initially founded by former Microsoft engineer Mike Toutonghi as Vizrea, which later became WebFives. Vizrea launched in 2006, is based in Seattle, and had a handful of employees in both of its locations, Seattle and Prague (Czech Republic). The idea is known to have started in August of 2003 with a vision of making video, photo, music sharing, and blogging easy and accessible to everyone from any device. The company launched with support from some early Microsoft executives. Mike Toutonghi was the engineer who initiated the Media Center version of Windows at Microsoft before leaving for the startup world.

The company realized that building a great sharing and social network means serving the community first. It makes it possible for anyone who creates videos, pictures, or music to easily share their creations in stunning quality with the entire world or just a small group of friends. WebFives includes advertising so it can offer users a great, free level of service for creating and sharing videos, pictures, blogs, and audio on their own personal WebFives website. Users are provided with standard social networking profile pages complete with blogging, and have the option of accessing their sites via computer or via a WAP-specific page.

Some of the site’s fundamentals:

1 WebFives is Quality
The video you watch and share on the web doesn’t have to be fuzzy and low quality any more. WebFives can deliver full-screen, digital-TV quality video, and CD quality audio. It’s high quality on mobile phones too.

2 WebFives is Everywhere
Easily share what you create. You and your friends can use the web browser on almost any phone to upload to WebFives, and watch WebFives video or listen to WebFives music. You can also use multimedia messages (MMS) to send movies and photos directly from your phone to WebFives. (Your web address is: webfives.com/username, your mobile address is: wap.webfives.com/username. It really is as simple as that.) Plus, for some phones we have additional, optional software.

3 WebFives is Friendly
Already using another service? No problem, WebFives likes them all. Easily put your high quality WebFives media on other sites like MySpace, Xanga—or even on all of them at the same time. Send a video from your phone to WebFives and it’ll update for all of your friends right away.

4 WebFives is the Whole Enchilada
It’s got everything you’d expect from a sharing service—video, music, blogs, comments, ratings, tags, ‘friends,’ fast and easy search, and more—on both PCs and mobile phones.

5 WebFives is You
It’s designed from the ground up with you in mind, so it’s easy and fun to use. You can whip out great looking, custom web pages in minutes, and decide who can see them. (People who can’t see them don’t know they exist.)

Other prominent acquisitions within the sector are Photobucket by MySpace (News Corp/Fox Interactive), Flickr by Yahoo and Picasa by Google some years ago. In recent weeks, American Greetings has acquired Webshots Inc, one of the leaders among photo sharing sites.

The deal terms and the acquisition price were not disclosed and, as is typical for big buyers (Microsoft, Google, etc.), the site stopped working and current users are given 30 days to download their content and move it away from the site.

Via

[ http://mashable.com/2007/12/01/microsoft-acquires-photo-sharing-site-webfives/ ]
[ http://www.webfives.com/whatis.aspx ]
[ http://seattlepi.nwsource.com/business/258559_vizrea07.html ]
[ http://blogs.zdnet.com/mobile-gadgeteer/?p=723 ]
[ http://blog.seattletimes.nwsource.com/brierdudley/2007/11/microsoft_buys_toutonghis_seat_1.html ]
[ http://www.techcrunch.com/2007/11/30/microsoft-acquires-mobile-focused-social-networking-site-webfives/ ]