Security Policy Considerations for Virtual Worlds

Virtual worlds increasingly offer significant outreach and business development opportunities to companies, governments, and the world at large. These virtual worlds – such as Second Life, World of Warcraft, Entropia Universe, EVE On-Line and others – allow people to interact through digital personas or avatars. As these worlds evolve and grow in popularity and acceptance, and become more integrated into many aspects of business and society, they offer new and uncharted terrain for security practitioners to embrace, explore and apply corporate governance and information security policy.

As security practitioners, there are many things to consider before advising our business leaders on how to make the leap into virtual realms. In many cases, the old rules apply, but some things we simply have not had to think about before. Walk into the uncharted terrain, but go with trepidation.

Terms of Service – Many third-party companies now provide virtual services to individuals and businesses. Most require a monthly fee but some are free of charge. All of them require participants to agree to the company’s terms of service. These terms of service are an attempt to protect the virtual world service provider’s control over all aspects of the service, content and data generated in that virtual world. Thus, ability to remain a member of a virtual world or to have or use a space within that world is behavior dependent and not always guaranteed.

Each virtual world provider has its own unique characteristics and terms of service. In signing up to participate, businesses should fully understand the terms and conditions to which they are agreeing as members of that community. Users who sign up for service should also recognize that, unless specifically directed by their management, they are signing those terms and conditions as an individual. Therefore, the individual and not the business are responsible for all aspects of participation in a virtual world. If an account is for business purposes, ensure that it is not paid for with personal funds and review the terms of service with appropriate legal counsel.

Public Forum – It is also important to remember that virtual worlds are public, software-based, open societies in which having a dialogue is similar to having a discussion or meeting in a public place such as a hotel lobby or an airport. Individuals acting for themselves or as part of a directed business venture should operate on the assumption that all actions, communications and data can be seen, heard and recorded by anyone, including the service provider – which may not, and often does not, have any obligation to protect your communications or information.

In the conduct of personal or employer business, many rules of the physical world apply to the virtual world(s):

1. Do not run the client on an account with Administrative privilege.

2. Do not disclose proprietary information or talk about company business in a non-company forum.

3. Do not use the same password to access the virtual world as you do for internal company or personal business.

4. Never give out your password.

5. Follow the company dress code.

Now you may be asking yourself “Follow the dress code?” Yes! If your avatar is conducting company business then follow the company dress code. In many virtual worlds, there are many clothing types. Do you want users to conduct business as (or with) a ring-tailed lemur in bunny slippers or would you rather work with an avatar in business casual attire? If your business does not enforce dress codes, then insist people use good judgment.

Be mindful that all actions will be public and may be visible for a long time. Many software tools exist to screen capture. If you or your users can see other avatar, they can see you. Every user within sight of an avatar has the ability to immortalize a single poor choice for the entire Web to see.

Understand the software client and connection – Each virtual world uses a client to connect to the server cluster. Every virtual world mentioned above requires that numerous ports and protocols are opened through the corporate firewall. Contact each virtual world service provider and research how each is open port is used. Just like their web counterparts, virtual world clients are subject to attacks.

The years 2006 and 2007 for example, saw an increase in the number of malware and Trojan programs written with the primary purpose of stealing passwords from virtual world users. These malicious programs utilized exploitable vulnerabilities (for example, the Web browser) to install password-stealing software or account “harvesting” programs.

The virtual world developed by Linden Lab, Second Life, has a client with its own XML HTTP Request that uses asynchronous callbacks; it gives the platform the capability to communicate with the Web on demand. Every object is scriptable and can be aware and active. In Second Life, a QuickTime file can automatically play on the machine of a user who enters another user’s virtual land or accepts a scripted object. Once played, the malicious QuickTime file can cause the user’s machine to do anything that file tells it to do (especially if the user is running Second Life under an account with administrative access (remember rule number 1!).

If you build it, accept that good and bad will come – Aside from password stealing on the client side, there is fraud that can be committed within the virtual world itself. There is also the potential for exploitation of scenarios that the developers (or users) never envisioned when designing the world or user created content.

For example: The attacks against Second Life such as the “Grey Goo” infestation where replicating objects brought about a shut down of the Second Life Grid for all but Linden Lab staff or the exploit in Blizzard Entertainment’s World of Warcraft that allowed “item duping” before the developers implemented a patch.

So what is the big deal with duplication? In the case of the “Grey Goo” item replication resulted in a denial of service (DoS) due to database loads. Outside of that, in virtual worlds, items hold a value. Just as it is in the real economy value is determined by demand or rarity. If I can flood the market with perfect copies of your virtual product then I can drive down demand by making it less rare or I can sell my copies for much less and undersell you. In Second Life, this could lead to legal consequences as the users hold the intellectual property rights to items they create. If a user is in the virtual world on a directed business initiative, the employer may hold the rights depending on the employment contract or agreement.

There is much to gain by embracing a growing population of virtual world users, but there is nothing virtual about the business consequences of a lapse in judgment.

Jeff Surratt, CISSP MSIA, has seventeen years of experience in IT and information security. Jeff holds a degree in Internetworking Technology from Strayer University and a Masters degree in Information Assurance from Norwich University.