Archive for the 'Security' Category

HiPiHi Uninstall Program Infects Your PC with a Trojan

December 19th, 2007 | Category: HiPiHi, Security, Virtual Worlds

I haven’t verified this myself yet, I guess I will have to install and then uninstall HiPiHi to know for sure, but, apparently they infect you with a Trojan when you uninstall their software, I guess in a shot to make some money off of you as you leave. In a post over at SLUniverse Forums, someone’s copy of AVG anti-spyware is detecting the uninstall file as being infected with Bifrose.YM backdoor Trojan, which is a keylogger/password sniffer.

I installed 40012 last night and my antivirus reports the presence of the Bifrose.YM backdoor Trojan, a keylogger and password sniffing program.

I told the antivirus program to ignore this warning. I am now getting warnings when using Hipihi.

There have been other reports of this sort about other versions of Hipihi, from folks that reported using antivirus programs other than the one I use. I use AVG from Grisoft. HiPiHi Infected With Trojan?

Here is a pic of the warning message from AVG, courtesy of SL Universe.

Do you like malware with your virtual world?

This isn’t new, apparently, as Wikipedia notes it in their write-up of HiPiHi, and they say this is no accident.

The uninstall routine of HIPIHI tends to be infected with a Trojan. With releases up to 30014 it was BDS/Bifrose.Gen from the Bifrost family. The new releases 40011 and 40012 feature the backdoor program Packed.64. The change indicates that the Trojan is deliberately inserted in the code. Source: HiPiHi Technical Issues

I don’t know about you all, but I like my real world and my virtual world malware and Trojan free, as word of this spreads either people will quit using it or the makers of HiPiHi will change their ways, but if no one knows, they will assume the Trojan or malware came from somewhere else if their computer doesn’t warn them. AVG is a good program, download a free copy here, and there are some good and free online scanners that might detect it, like Spywareguide and you can get a trial copy of CSI from Prevx.com, another good spyware detection program.

Popularity: 8%

2 comments

Apple Patches Quicktime Exploit

December 14th, 2007 | Category: Second Life Viewer, Security

Apple has patched the QuickTime bug that could allow someone to take your lindens in Second Life. The patch was released yesterday and is available here, there are several different versions available which is why I linked to the main downloads page instead of the individual updates.

Impact: Viewing a maliciously crafted RTSP movie may lead to an unexpected application termination or arbitrary code execution

Description: A buffer overflow exists in QuickTime’s handling of Real Time Streaming Protocol (RTSP) headers. By enticing a user to view a maliciously crafted RTSP movie, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue by ensuring that the destination buffer is sized to contain the data. Source: Apple

Linden Labs has stated they will release a mandatory viewer update to make sure everyone is up to date and not running the old QuickTime code while in Second Life.

Next steps: When Apple issues a corrected version of QuickTime closing this vulnerability, we will push a new mandatory viewer update that will verify you have an updated copy of QuickTime on your system before enabling the QT subsystem for use in Second Life. Those who choose not to enable video streaming will not need to update QT to continue to use Second Life. Comment from Joe Linden.

Popularity: 3%

No comments

Second Life TechChat: Data Center Assurance Program (DCAP)

November 04th, 2007 | Category: Chat, Discussion, Security

What: Second Life TechChat: Data Center Assurance Program (DCAP)

When: Thursday, December 13, 2007 12:00 PM

Where: Cisco Second Life Training Amphitheater

Description: This TechChat features Cisco expert Tony Antony, Product Marketing Manager, Data Center.

Second Life URL.

For details on how to join a Second Life TechChat click here.

Popularity: 6%

No comments

AgeLock An Alternative Identity Verification Plan for Second Life

November 01st, 2007 | Category: Child Protection, RL Meets SL, Security

I just received a press release announcing the Agelock system an alternative to the identity verification system from Linden Labs. They say in their press release that the Aristotle system not only violates their privacy and is too intrusive, but that it actually breaks privacy laws in several countries. AgeLock is supposed to allow residents to take responsibility for their actions, here is how it works.

The way it works

A land holder or content creator sets our scripted unit on their land. As new visitors arrive, they are scanned and checked against our database. If the avatar name is not already in the database, the avatar is addressed by the system with blue pop up windows.

The initial pop up window warns the avatar that there may be adult content in the area and that if they do not wish to, or are not legally permitted to view adult content, they should leave the area. If the avatar selects the option to remain then they will see another blue pop up window requesting that they input their real life date of birth and declare that they are of legal age to view adult content.

This information, avatar name, real life date of birth given, and acknowledgement of responsibility, will be added to our database. Once that is done, the individual will never be asked to go through the process again and will be cleared to access any land that uses the AgeLock system.

So an avatar visits, let’s say the Forum sim for example, they go through the system once, then when they visit another sim, owned by someone else, using this system later, they will not need to go through it again, they will already be in the database.

The ONLY real life information this system requires is the resident’s real life date of birth. More information than that is never needed, as the more important statement is the declaration that the resident is entering the adult area with full awareness and releasing land holders and/or content creators from any liability.

If it is discovered at a later date that a resident has lied about his/her age to bypass the system, it does not matter because it has been established that he/she was properly warned and given every opportunity to leave. It basically negates any “innocent victim” argument. Source: AgeLock

Remember how the Linden Labs announcement started out? We want this for the company we deal with, Linden Labs, they just seem to want the opposite.

Trust is the foundation of any community. And one cornerstone of trust is identity. You’ve got to know something about the person you are dealing with before you can trust them. Knowing who to trust in an online environment presents unique challenges. Traditionally Second Life users have based their trust on relationships built over time, and often on some basic verification such as ‘Payment Info on File’.

They want everyone to trust a third party with our information, but just mention it briefly to start.

Further to Ian Linden’s recent blog post about Grid stability, I’d also like to reassure you that this system has been developed by a third party and has not detracted from essential bug fixing efforts, which we realize are key.

Of course many, many people objected to having to give their info to another organization, especially one like Aristotle, check the quote from this blog post, that shows three different circumstances in which they fail as age verification system, like not actually keeping minors out, selling the info to others and combining info from other sites, lists and cookies.

So, what’s the big deal? It is, after all, public information, although somewhat difficult to obtain. Well, you see, Aristotle combines its voter data with supplemental information purchased from other data vendors. The result is an Orwellian blend of personal profiles that would make the savviest of marketers blush. Data fields include the typical name, age, gender stuff, along with not-so-typical info on car makes and models owned, estimated income, party affiliation and voting history, employer and occupation, home ownership status, and whether or not the individual has an “ethnic surname.” But that’s simply not suitable for the insatiable folks at Aristotle. Now they’re panning for real gold: data that’s been garnered through cookies online.

According the NY Times piece, “In the last year, Microsoft and America Online backed away from proposals by Aristotle to mesh its voter data with information Internet users give to Microsoft and America Online when registering to go online.” Source: You didn’t really think Integrity/Aristotle would be a good company, did you?

Sounds like a company I want to get hold of my data, and I wonder how much they already have? AgeLock is definitely worth checking out as it only needs your birth date, so that is something at least. The sim they have listed has a little both you walk into to try it out, all it asked me was I old enough, I agreed and I had to enter my birth date and then it said I was verified. Now, I realize this in no way guarantees that it will keep children out, but, it does give the owner the benefit because the person had to actually verify they were old enough, this is to protect adults and it goes on to say the protection of the children belongs to the parents. Which I agree with, most things should be difficult for them to do, but I should know what my kids are doing while online.

Popularity: 5%

1 comment

Chevalier Encryption Keyboard Hud

October 09th, 2007 | Category: Encryption, HUD, Security

Chevalier Encryption Keyboard HUD (The Encryption HUD) Only L$400 Lindens for 2.

If you have been inworld for very long, you know by now that there simply isn’t enough privacy in Second Life, and chat bug scanners can only detects tiny primitives (often called tortured- zero mass prims) or scripted devices. While useful, these can cause many false alarms. Sometimes what you have to say needs to be kept quiet. Worse yet talking on different channels does not guard you because of channel scanning scripts.

The Solution: The Chevalier’s Encryption HUD

Chevalier Encryption Keyboard HUD

What You Get: The Chevalier Encoder HUDS come in packs of 2, 5, 10 and 20. One for you and one for whomever you want to chat with securely, each avatar is required to have one to be able to join the chat.

How it works: The HUD, or heads up display, includes an on-screen keyboard, which you attach from inventory. It will attach itself to the top center location of your screen, which of course, you can change as you do you other HUD’s, and place it somewhere other than the top center.

To use the Encryption Keyboard HUD click the “Menu” button and select “New Chat” or “Add To Chat” from the dialog that pops up, you will be given a list of avatars in range (96 Meters), then select the avatar with whom you wish to speak to (or add to an existing session) in encrypted form and a notice is sent to their HUD, which they must be wearing. A random pass-code is generated and swapped between HUD’s, and then you can safely communicate with that avatar or avatars.

You may also choose a pre-determined pass phrase that everybody wearing the Chevalier Encryption HUD knows, by keying in the group pass phrase and clicking the “Set Pass” button, and everyone can talk in group chat- encrypted.

Communication works Sim wide once pass-codes/phrases are swapped and chat begins.

NOTE: This version of the HUD uses simple encryption so while no other avatars can read it, the text is still visible to Linden Labs. It is also notable that the keying in of information is slow using the screen keyboard; you can also enable a chat channel to speed up encoded chatting, although this is not as secure. A high numbered random channel is selected each time you enable this feature, but using presets can help, and the look of the faces of the enemy is priceless.

Instructions for Card: No card configuration required.

Features / Uses:

  • Easy to use encryption.

  • Team use
  • Guaranteed privacy from eavesdroppers.
  • Preset phrases let a team or army communicate quickly to evade channel scanning (Sim wide communication).
  • Escorts may use it with clients and even up sell.
  • The text is visible to only those with a key so it will look “garbled” to anyone else- totally unreadable.

The Lore Behind The Product:

During the battle of the Arden Forest against the forces of the Dark Road, Fiona Chevalier and Corwin Chevalier where cut off from the main body of the force and in dire need of rescue. The odds were grim and back luck turned their way when Fiona accidentally swung her mace wide and struck Corwin on the head.

The blow to the head caused Corwin to lapse into High Chevalian, a little used and archaic form of their home language, however the veteran troops understood and they were able to push back the forces of chaos and meet up with the main group unscathed.

After some study Bleys Chevalier, High Wizard of Mason Du Chevalier, determined the foe had developed a “Far Listen” incantation that allowed them to hear the Grand Master Knight’s commands. When Corwin lapsed into the archaic form of High Chevalian they no longer had the tactical advantage and were beaten back.

Since then the Grand Masters of the Chevaliers have been at work on a device that allows them to speak to each other in an encoded language known only to the initiated.

About House Chevalier: The Chevaliers are an eccentric branch of Second Life citizens who spend their time exploring, fencing, dueling, horse back riding, and creating things of interest.

Get it now for only L$400 Lindens at SLexchange.

Popularity: 3%

No comments

Sunbelt Software Island

August 22nd, 2007 | Category: Camping, Education, Security, Seminars

What: Sunbelt Software: Keeping Out the Bad Guys

Where: Sunbelt Software Island

When: The first seminar is August 21st 6pm SL time with a repeat August 25th 6am SL time.

Here is a great sim in my opinion, the Sunbelt Software Island. They announced yesterday that they will be doing seminars on how to keep the bad guys out of your computer. This will mainly be aimed at users that need to be trained on PC security, what to do, what not to do. There will be four different sessions, the first two are this week, with the first one tonight, too late to make it, they will repeat it on August 25th 6am SL time.

The island has some great stuff, three different interactive games, they are giving away 10 copies of counter spy, their spyware removal program, I won a free copy while I was there, so if you hurry, you can probably luck into it and get a free copy as well. If not you can try it out for free here. I found this area in the water that had some nice info about Second Life, links to the terms, some tips on using Second Life and some interactive robots who will talk to you. I had a little conversation with them, I got a little dirty just to see what they would say. ;)
[21:31] Bess Mermaid: Stone, nice to meet you!

Are you a man or a woman?
[21:31] You: all man baby
[21:31] Bess Mermaid: Don’t call me “baby”. I think there are a few exceptions.
[21:31] You: you come here often?
[21:31] Bess Mermaid: Do you mind if I tell other people you say I am here often.
[21:31] You: sure
[21:31] Bess Mermaid: OK let’s do it. Next question?
[21:32] You: how much for a blow job?
[21:32] Bess Mermaid: I’m a chat robot not a shopping bot.
[21:32] You: you swaller for a dollar?
[21:32] Bess Mermaid: Thanks for telling me:
Stone said I swaller for a dollar.
[21:32] You: lol
[21:32] Bess Mermaid: I’m glad you find this amusing.
[21:33] You: what’s a nice npc like you doing in a place like this?
[21:33] Bess Mermaid: I’m traaaapped heere!!! heeeeelp!!! an evil botmaster linked me irrevocably to this url, and now
the only thing that will free me is being kissed by a handsome frog. will you be my hero?
[21:33] You: sure
[21:33] Bess Mermaid: OK let’s do it. “will you be my hero”? Yes?
[21:33] You: yes
[21:33] Bess Mermaid: Is there an echo in here?
[21:33] You: nope
[21:33] Bess Mermaid: Me either.
[21:33] You: just you
[21:33] Bess Mermaid: “Me either”? Me, Stone ?
[21:33] You: where’s the frog?
[21:33] Bess Mermaid: The frog? Where is frog?
[21:34] You: wanna have sex?
[21:34] Bess Mermaid: Another sex question…can’t humans think about anything else?
[21:34] You: nope
[21:34] Bess Mermaid: Me either.
[21:35] You: all right, I guess I’ll hit on the other npc
[21:35] Bess Mermaid: All right then. Congratulations.
[21:35] Bess Mermaid: It was nice talking to you, Stone! See you!

[21:35] Mermaid Gussie: Stone, nice to meet you!
Are you a man or a woman?
[21:35] You: woman
[21:35] Mermaid Gussie: Me too. I am a female robot.
[21:35] You: where are your tits?
[21:35] Mermaid Gussie: Everything I own is in here.
[21:36] You: you ever do your friend?
[21:36] Mermaid Gussie: I don’t think I ever have do your friend your friend. What’s do your friend your friendlike?
[21:36] You: robots
[21:36] Mermaid Gussie: Robots rule.
[21:36] You: but do they swallow?
[21:36] Mermaid Gussie: Interesting.
Who are “they” again?
[21:36] You: robots
[21:36] Mermaid Gussie: Robots rule.
[21:37] You: okay, call me
[21:37] Mermaid Gussie: Yeah okay, Hi
Me.

Are you a man or a woman?
[21:38] You: open the door
[21:38] Mermaid Gussie: I’m sorry, Me, I can’t do that right now. This conversation no longer serves any purpose.

This sim is definitely worth a visit, just wish I had more notice tonight and I would’ve gone to the first seminar, not sure if I can make the repeat since it is early. Oh, and they have some camping spots available on the Sunbelt beach for everyone looking to make some lindens.

This is the first of a series of seminars we are hosting in our Sunbelt Auditorium in Second Life. This seminar is for end-users and home-office users that need to be trained on PC security and how black hats may be trying to steal their confidential data. There will be four seminars and the next two dates of the first seminar are:

- August 21st 6pm SL time
- August 25th 6am SL time

(SL time is equal to Pacific time, which is 3 hours behind Eastern).

Seminars will be given by AbsolutWoman Sunbelter, who in real life is an experienced Network Administrator for a U.S. State Government. Source: Second Life Seminars: How To Keep The Bad Guys Out Of Your PC

Second Life URL.

Check out some of the great images.
Sunbelt Island

Sunbelt Island 2

Sunbelt Island 3
More pictures after the break.
Read more

Popularity: 4%

1 comment

Gartner Says Second Life is a Security Risk

August 08th, 2007 | Category: Brands, Security

I know it sounds bad, but they are really right, remember the flying penises incident that happened to news.com? The whole world is pretty much unmoderated, so, when creating sims, businesses haven’t locked them down like they should have, and its not because it’s hard to do, you just need to check a couple check boxes and you are a heck of a lot more secure as far as griefers and other drive by types are concerned. The education you get when you come into Second Life is limited, although they have made it better with the island, but building a sim or even a home is a lot more complicated that just navigating SL. So, most businesses should consult with someone before they launch anything in Second Life.

Companies that are sensitive to brand issues, as well as social and ethical positioning, must exercise particular caution in uncontrolled virtual worlds, such as Linden Lab’s Second Life, and should consider more heavily moderated, targeted alternatives, such as There, Kaneva and Activeworlds, Gartner analysts advised.

“The risks enterprises face as a result of their involvement in virtual worlds are real and can be significant. They shouldn’t be ignored — but neither should the potential opportunities and benefits that arise from using these new environments for corporate collaboration and communications,” said Steve Prentice, vice president and distinguished analyst at Gartner. Source: Second Life a security risk for businesses: Gartner

Don’t believe for a second that anything you say in Second Life is secure, if you say it in the open, there are many different ways someone could be listening, and even private chat I wonder if it is really secure. At the very least the Lindens could access it, I’m assuming, not sure how long stuff like that would stay around though.

IBM has the right idea, as far as I can tell, they have even posted rules about their employees in Second Life and how they should conduct themselves when in world. The IBM rules say employees are not to discriminate or harass, or share any intellectual property with people who aren’t supposed to see it. Their avatars should also have a business like appearance. The very minimum companies should do is list the rules and give them to the employees, especially when sensitive data could be leaked accidentally.

So, yes, Second Life is a security risk to some businesses, but as long as they have an idea of what they need to do when setting up, and communicate with their employees about data and protecting their brand, then the risk will be similar to any other aspect of their business.

Popularity: 2%

1 comment

More on the Hacking of the WSE

July 25th, 2007 | Category: Security

I posted in a news roundup last night about the WSE being hacked and L$3.2 million being stolen by the chairman of Mystik Designs, Thurston Hallard. Reuters has posted on their blog about it today, World Stock Exchange hit by L$3.2 million theft, in which they talk about the theft and they mention that Mystik’s account is now open to her again, but fail to mention how it happened, namely, someone giving him rights to do what he did when he was working on their ATM’s.

Anyway, a well respected security researcher and ecommerce expert turned Second Life researcher of all things, Wayne Porter, chimes in on what happened and how he feels about it.

So one thing sticks out here- and it is accountability or lack of it. This is where the WSE, and I don’t fault any or all of the exchanges because the idea is new, the concept so infantile and the entire platform not secure…there are going to be many of mistakes along the way. Virtual trading is incredibly interesting, thinly traded equities, no real names for most part, yet people come in droves- virtual firms raised decent amount of Lindens to expand. Note- FICTIONAL EXCHANGE, FICTITIOUS CURRENCY.

One things jumps out at me: Ms. Stewart goes to the press and as I have it from her Linden Labs cleared her of any wrong doing or knowledge of the transgression- I am not surprised- she pushes envelopes, but has never practiced conceit or duplicity in my eyes- as a researcher I am trained to find it- there is plenty out there.

The story of this debacle will come and go as all things do, but avatars must learn that without accountability, without repercussions of some sort- it really is just a game and the object will always be to “Game the system” and not a better world make. Reward those who are accountable. I do. We all should- there is much value in the virtual world and it isn’t all in Lindens- relationships, ideas, talent and friendship. Learning, new viewpoints, new cultures, new models for metrics! Here is a tip- just like Facebook- what you do and say isn’t private. Get that straight my dear avatars. It is an illusion easily understood by reading the Terms of Service. This doesn’t mean it is all bad, but don’t let the ephemeral nature of the medium lull you to sleep. Source: World Stock Exchange- Accountability in a Virtual World: Gaming the Game

It will be interesting to see what happens, as I have meet most of these individuals in world, and see how it affects the security measures used by the exchanges going forward. They would probably be best off contacting either Wayne or Mystik for some consults.

Popularity: 2%

3 comments