Break In at Second Life


I have written elsewhere about the likelihood that Second Life would be targeted by criminals for identity theft purposes and sadly such an event has come to pass. The volume of money flowing through Second Life’s economy ($64 million annually according to Popular Science) makes it an obvious target for attack. And apparently Linden Labs’ security practices have been less than stellar.

Linden Labs posted a security bulletin yesterday on the Second Life site announcing that a “zero-day exploit” had been used to access customer account records including passwords and possibly payment information. While the original security bulletin itself was quite terse and made no mention of compromised payment information, a subsequent e-mail and included FAQ revealed:

We discovered that a database was accessed by the intruder, and we are able to determine the aggregate size of the data that was downloaded through the intrusion. The database accessed includes customer account information, including Second Life account names, real-life name and contact information in unencrypted form. Account passwords and payment information (consisting of credit card numbers and Paypal transaction IDs) are stored in this same database in encrypted form. However, there is no way to identify which data were accessed at the level of individual users, only the aggregate size of the downloads returned from the intruding database queries. We are conducting further investigation to try to determine the class of data exposed.

“Zero-day exploit” is a general term for any attack that is launched the same day as a new product or patch is released. For example, Microsoft announced a zero-day exploit attack on Internet Explorer back in 2005. Linden Labs didn’t reveal exactly what software was compromised, stating only that it was “third party” software.

Personally I don’t find this answer very satisfying, nor should other SL users. Passing the buck to a “third party” won’t protect user data. It is clear from the brief description of events that was released that the company has not been following industry best practices. There is simply no excuse for storing private information such as credit card numbers or users’ true names in the clear. According to the e-mailed FAQ, Linden Labs uses MD5 hash encryption for protecting payment information; however, cracks for MD5 hashes are available on-line from several sources. More technical explanations of the state-of-the-art attacks on MD5 are also available, and Wikipedia has a good introduction to the issues surrounding MD5.
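To make the point concrete, here is an added example (not code from the original post or from Linden Labs) contrasting the unsalted MD5 storage the post criticises with a salted, deliberately slow scheme. The word list, the `ITERATIONS` value and the record format are constructed for illustration; with no per-record salt, a single precomputed table matches every stored digest, whereas the hardened record needs per-record work for each guess.

```python
import hashlib
import hmac
import os

# --- Weak scheme: unsalted MD5, as the post describes for stored secrets ---

def md5_store(secret: str) -> str:
    """Legacy-style storage: the bare MD5 hex digest of the secret."""
    return hashlib.md5(secret.encode()).hexdigest()


def precomputed_table(candidates) -> dict:
    """digest -> plaintext lookup over a constructed candidate list.
    Because there is no salt, one table serves every record in the database."""
    return {md5_store(c): c for c in candidates}


def lookup_md5(stored_digest: str, table: dict):
    """Return the plaintext if the stored digest is in the table, else None."""
    return table.get(stored_digest)


# --- Hardened scheme: per-record random salt + slow KDF (PBKDF2-HMAC-SHA256) ---
# Note: for payment card numbers the input space is small and structured, so
# hashing alone is not a substitute for not retaining the number at all.
ITERATIONS = 200_000  # constructed value; tune to your hardware budget


def pbkdf2_store(secret: str, salt: bytes = b"") -> str:
    """Store as 'pbkdf2_sha256$<iters>$<salt hex>$<dk hex>' with a fresh salt."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(secret: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    table = precomputed_table(["password", "letmein", "secondlife"])
    stolen = md5_store("password")          # a digest as it sat in the database
    print("MD5 lookup recovers:", lookup_md5(stolen, table))
    rec = pbkdf2_store("password")
    print("PBKDF2 verify:", pbkdf2_verify("password", rec))
```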

While the objective of the attackers probably was to obtain personal information and credit card numbers for the purposes of identity theft and credit card fraud, the breach also revealed SL users’ true names, raising the spectre of more personal attacks and in-world impersonations. It is less than clear where this information might end up. Participants in Gorean slavery or other unusual on-line sexual practices within Second Life may not be too pleased to learn that their true identities might be revealed to spouses or employers. Second Life users may want to think twice before strapping on that genitalia next time.


One Response to “Break In at Second Life”

  1. Does identity matter online? « Mediaspace Says:

    […] A break in at Second Life exposed customer account data including not only payment information, which was encrypted, but also users’ true names, which were stored unencrypted in clear text. Since many participants in Second Life engage in cybersex (attachable genitalia of various types are the best selling accessories in SL) users may not be too pleased to learn that their true identities might be disclosed in a similar manner. Over in Germany, police investigating a child pornography ring seized Tor servers used to send “anonymous” e-mails. Just how anonymous these e-mails will actually be remains to be seen. It is a widely held belief within the Internet community that anonymity is good, but required presentation of true identity is bad. However, I believe that several important aspects of online identity are overlooked in this very simplified view. First, identity is power. In many cases, if I know your identity but you don’t know mine, this knowledge gives me power over you that you do not have over me. Consider the examples of pretexting and identity theft in which the perpetrator uses knowledge of the victim’s identity to obtain personal information or make purchases. Different people or organizations may have different abilities to identify you and control or harm you through this knowledge. […]
