THIS ARTICLE CONTAINS LINKS THAT ARE NOT SAFE FOR WORK
I have written elsewhere about the likelihood that Second Life would be targeted by criminals for identity theft purposes and sadly such an event has come to pass. The volume of money flowing through Second Life’s economy ($64 million annually according to Popular Science) makes it an obvious target for attack. And apparently Linden Labs’ security practices have been less than stellar.
Linden Labs posted a security bulletin yesterday on the Second Life site announcing that a “zero-day exploit” had been used to access customer account records including passwords and possibly payment information. While the original security bulletin itself was quite terse and made no mention of compromised payment information, a subsequent e-mail and included FAQ revealed:
We discovered that a database was accessed by the intruder, and we are able to determine the aggregate size of the data that was downloaded through the intrusion. The database accessed includes customer account information, including Second Life account names, real-life name and contact information in unencrypted form. Account passwords and payment information (consisting of credit card numbers and Paypal transaction IDs) are stored in this same database in encrypted form. However, there is no way to identify which data were accessed at the level of individual users, only the aggregate size of the downloads returned from the intruding database queries. We are conducting further investigation to try to determine the class of data exposed.
“Zero-day exploit” is a general term for an attack that exploits a vulnerability for which no patch exists, usually one the vendor did not know about until the attack itself was discovered, so that defenders have had zero days to fix it. For example, Microsoft confirmed zero-day exploits against unpatched Internet Explorer flaws back in 2005. Linden Labs didn’t reveal exactly what software was compromised, stating only that it was “third party” software.
Personally I don’t find this answer very satisfying nor should other SL users. Passing the buck to a “third party” won’t protect user data: whoever wrote the vulnerable component, Linden Labs chose to deploy it with access to the customer database. It is clear from the brief description of the events which was released that the company has not been following industry best practices. There is simply no excuse for storing private information such as users’ true names and contact details in the clear, and “encrypted” payment data is only as safe as the key protecting it, which an intruder with database access may well have been able to reach; the FAQ says nothing about where that key lived. According to the e-mailed FAQ, Linden Labs relies on MD5 hashing to protect payment information. MD5 is a hash function, not encryption, and it is a fast one. If the hashes are not salted, an attacker can precompute the digests of millions of common passwords once and then recover every matching account with a simple lookup; tables and on-line lookup services for exactly this purpose are available from several sources. The cryptanalytic collision attacks on MD5 published since 2004 are a separate problem (they let an attacker craft two inputs with the same digest, which does not by itself reveal a hashed password), but they are another reason MD5 has no business in new systems. Wikipedia has a good introduction to both issues.
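To make the MD5 point concrete, here is an added example (not code from the original post and not Linden Labs’ implementation). It uses a constructed wordlist and three constructed account records. The first function mounts a dictionary attack against unsalted MD5 digests of the kind a leaked database would contain: one hash per candidate word recovers every account with that password. The second part stores the same passwords with a per-user random salt and an iterated key derivation (PBKDF2-HMAC-SHA256 from Python’s standard `hashlib`, chosen here as the corrected scheme) and runs the same dictionary attack, so the cost difference is visible in the work counters the functions return. Account names and passwords are invented for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Tuple

# Constructed wordlist: the sort of entries that top every leaked-password
# corpus. Real cracking dictionaries run to millions of words.
WORDLIST = ["password", "123456", "secondlife", "linden", "qwerty", "letmein"]

# Constructed accounts (hypothetical names, not real Second Life users).
SAMPLE_PASSWORDS = {
    "avatar_one": "secondlife",
    "avatar_two": "letmein",
    "avatar_three": "Tr0ub4dor&3",  # deliberately absent from WORDLIST
}


def md5_hex(password: str) -> str:
    """Unsalted MD5 digest, the scheme the post criticises."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# What an attacker would pull from a database of unsalted MD5 hashes.
LEAKED_MD5 = {acct: md5_hex(pw) for acct, pw in SAMPLE_PASSWORDS.items()}


def crack_unsalted_md5(leaked: Dict[str, str],
                       wordlist: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """Dictionary attack on unsalted MD5.

    Because identical passwords give identical digests, the reverse table is
    built once and every leaked digest is a dictionary lookup. Returns the
    cracked accounts and the number of MD5 computations performed.
    """
    words = list(wordlist)
    table = {md5_hex(w): w for w in words}
    cracked = {acct: table[d] for acct, d in leaked.items() if d in table}
    return cracked, len(words)


def hash_password(password: str, salt: bytes = None,
                  iterations: int = 200_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256; salt is 16 random bytes per user."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derivation with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported scheme {algo!r}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def build_store(passwords: Dict[str, str],
                iterations: int = 200_000) -> Dict[str, str]:
    """Store each account's password under its own random salt."""
    return {acct: hash_password(pw, iterations=iterations)
            for acct, pw in passwords.items()}


def crack_salted(store: Dict[str, str],
                 wordlist: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """Same dictionary attack against the salted, iterated store.

    No precomputed table applies: each account needs its own pass over the
    wordlist, and each guess costs a full PBKDF2 derivation. Returns the
    cracked accounts and the number of derivations performed. Weak passwords
    still fall, only more slowly; salting is not a substitute for good ones.
    """
    words = list(wordlist)
    cracked, work = {}, 0
    for acct, record in store.items():
        for w in words:
            work += 1
            if verify_password(w, record):
                cracked[acct] = w
                break
    return cracked, work


if __name__ == "__main__":
    found, work = crack_unsalted_md5(LEAKED_MD5, WORDLIST)
    print(f"unsalted MD5: cracked {found} with {work} hash computations")
    store = build_store(SAMPLE_PASSWORDS, iterations=20_000)
    found, work = crack_salted(store, WORDLIST)
    print(f"salted PBKDF2: cracked {found} with {work} derivations "
          f"of 20000 iterations each")
```

Against the constructed data the unsalted attack recovers both weak passwords with six MD5 calls in total, while the salted store forces fifteen separate PBKDF2 derivations for the same result, and the work grows with the number of accounts rather than staying flat. That per-account, per-guess cost is the whole point of salting and iteration.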
While the objective of the attackers probably was to obtain personal information and credit card numbers for the purposes of identity theft and credit card fraud, the breach also revealed SL users’ true names, raising the spectre of more personal attacks and in-world impersonations. It is less than clear where this information might end up. Participants in Gorean slavery or other unusual on-line sexual practices within Second Life may not be too pleased to learn that their true identities might be revealed to spouses or employers. Second Life users may want to think twice before strapping on that genitalia next time.