Collaboration in the Cloud, Virtual Worlds and the Hacker Mindset
Collaboration in the Cloud
Forward thinking companies use collaboration technologies to melt away the physical distance between disparate offices, remote workers and suppliers. Investments in R&D projects to create the next generation of business collaboration technologies and starting to bear early fruits and are worth paying attention to - especially if you get paid to “do security”. One major focus area is Virtual Worlds.
The big news in the Second Life research community is that avatars (”virtual people”) have successfully teleported between distinct virtual worlds. The virgin teleporters went from a Second Life Preview Grid - an experimental grid completely disconnected from the Main Grid - to a virtual world running IBM OpenSIM.
At this stage there is intentionally no asset transfer going on at all - in other words, you can’t take your “stuff” from one world to another - but that will come in time as the Open Grid Protocol is extended. Today just login and teleport are supported. No stealing those trade secret “assets” yet ;-).
Linden Labs speaks to this issue:
Q: How will Linden Lab prevent property from being copied into other virtual worlds?
We’re paying extremely close attention to that question. We will be designing this with the Second Life community to ensure their needs are met. We want to stress that when it does become possible to move avatars between worlds, we will take the utmost care to protect the rights of Second Life property owners and creators. Linden Lab will not design a system that lets people openly violate the permissions of SL goods and take them to other worlds. We recognize that intellectual property is the engine that drives Second Life, and we are completely committed to preserving the qualities that make Second Life the unique, innovative and dynamic place that it is today.
With my “hacker-vision” ™ enabled I see *all kinds* of opportunities for mischief here. I’m betting we’ll see imaginative attacks as the usual cat and mouse game of vulnerability research and vendor response plays out. “Sorry boss, someone hijacked my avatar and now I’m stuck on this desert island for who knows how long!”.
Threat Profiling Second Life
Getting back to reality, people are already exploring Virtual World security. Michael Thumann of ERNW in Germany is a pen-tester and security researcher and in this 10 minute video, Michael shares the result of his security research on Second Life.
- In-game cheating
- Identity theft
- Attacking 3rd party servers using Linden Scripting Language (think about the liability issues and the providers ability to track abusers)
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="425" height="344" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0"><param name="allowFullScreen" value="true"/><param name="src" value="http://www.youtube.com/v/6MoptnBsNGc&hl=en&fs=1"/><embed type="application/x-shockwave-flash" width="425" height="344" src="http://www.youtube.com/v/6MoptnBsNGc&hl=en&fs=1" allowfullscreen="true"></embed></object>
For those interested in more detail, the full presentation he gave at BlackHat Europe 2008 in Amsterdam is here (pdf).
Of particular note, Michael applied a formal threat model approach to the research - STRIDE from Microsoft.
In a future post I’ll talk more about threat profiling in the context of Cloud Computing vulnerability research and specific API security vulnerability classes we can expect to see exploited.