[LongFang]

Here is what hapined to Seconed Life The 6th of Sept


Hello Second Lifers,

As announced on our website at http://secondlife.com/corporate/bulletin.php and corporate blog at http://blog.secondlife.com/?tag=security, Second Life discovered an attack on our servers on September 6, 2006. The full security bulletin is reprinted below, followed by a FAQ that includes important security advice for our community.

===================
SECURITY BULLETIN


*SAN FRANCISCO, CA. (September 8, 2006)* - Linden Lab reported today that it is notifying its community of a database breach, which potentially exposed customer data including the unencrypted names and addresses, and the encrypted passwords and encrypted payment information of all Second Life users. Unencrypted credit card information, which is stored on a separate database, was not compromised.

The breach was discovered on September 6, 2006 and promptly repaired. The company then launched a detailed investigation that revealed an intruder was able to access the Second Life databases utilizing a "Zero-Day Exploit" through third-party software utilized on Second Life servers. Due to the nature of the attack, the company cannot determine which individual data were exposed. The company's technical investigation is ongoing.

"We're taking a very conservative approach and assuming passwords were compromised and therefore we're requiring users to change their Second Life passwords immediately," said Cory Ondrejka, CTO of Linden Lab. "While we realize this is an inconvenience for residents, we believe it's the safest course of action. We place the highest priority on protecting customer data and will continue to take aggressive measures to protect the privacy and security of the community."

Linden Lab advises all users to take appropriate precautions against misuse of personal information. To reduce the risk of fraud, Linden Lab will not contact individuals by phone or any other method asking for private information unless it is in response to an inquiry from the individual user.

===================
FREQUENTLY ASKED QUESTIONS

Q: I can't log in to Second Life. How can I regain login access?

A: As a security precaution, all Second Life account passwords have been invalidated. You need to establish a new password in order to log in. You can receive instructions for changing your password by visiting http://secondlife.com/password. Please note that we are updating the password request process - if you have recently tried that page and could not change your password, please try again.


Q: Was my account information compromised?

A: We discovered that a database was accessed by the intruder, and we are able to determine the aggregate size of the data that was downloaded through the intrusion. The database accessed includes customer account information, including Second Life account names, real-life name and contact information in unencrypted form. Account passwords and payment information (consisting of credit card numbers and Paypal transaction IDs) are stored in this same database in encrypted form. However, there is no way to identify which data were accessed at the level of individual users, only the aggregate size of the downloads returned from the intruding database queries. We are conducting further investigation to try to determine the class of data exposed.


Q. Is my information still at risk from another attacker?

A: The compromised system was rebuilt and made more secure. We will be announcing additional plans for security improvements in a post to come on our blog, at http://blog.secondlife.com/?tag=security.


Q: Should I be concerned that encrypted password and encrypted payment information may have been exposed? Is the encryption unbreakable?

A: We use an MD-5 hash (scramble function) and salt (additional data) to encode passwords and payment information, an industry standard technique that is commonly regarded as difficult to defeat. However, no hash or encryption is unbreakable, given enough time and computing power. If you believe that you may be the victim of credit card fraud, you should contact your credit card company. If you use your Second Life password on other websites, online services, or any other services, you should change the password on that service as well. You can find additional tips for protection of your identity online at http://www.privacy.ca.gov/sheets/cis1english.htm.


Q: What kind of attack was used to gain access to the Second Life databases? Has the identity of the attacker been established?

A: We have gathered a significant amount of information regarding the attack and the attacker. However, because the investigation is ongoing, we cannot provide very detailed information regarding the type of attack or identity of the attacker. We can disclose that the intrusion path took advantage of a "zero-day exploit" in third-party web software.


Q: What was the timing of the attack and Linden Lab's investigation?

A: Our forensic investigation began on September 6, 2006. Based on this investigation, the intrusion attempts may have started as early as September 3, 2006. However, we have not found evidence of successful database access occurring before September 5, 2006. On September 6, 2006, unusual activity in our database logs revealed the attack to Linden Lab, and we investigated, found and closed the intrusion on the same day. At that point, there was no evidence that databases containing customer identity information had been compromised. For the following two days, the focus of our investigation was to determine the extent of the database access and the nature of the data downloaded from our system. On September 8, 2006, we concluded that there was a substantial likelihood that customer account information could have been accessed. The investigation is ongoing and we will report further results as they become available at http://blog.secondlife.com/?tag=security.

Sincerely,

Linden Lab and the Second Life team
_________________
Im Not Lost. I know im on Earth

¥£ongFang »W°Ð°Ð«

[Scotsman]

*shakes head*

Anybody still wonder why I'm so paranoid about security?

Oh, and btw, THIS is why I don't keep anything more than name and email address in any of the MadWolf databases.

[Bri]

It was really no biggy, just a password change for members. The database that got hit was nicks and passwords. I imagine they expect the Bad Boys every hour since they have so many members and a lot of RL cash transactions going on.
The "ignore the tiny ones" is what helps protect Macs and visual chats like ours. The Russian and Chinese exploiters have no honeypot to raid.

Read the police blotter 2nd Life has if you wanna get a feel for the frequency of nasty chatters you get when you have 6000 + online at a time and big $ in memberships, gaming, props and land sales.
_________________
RL..now with 100% less lag!

[Scotsman]

I'm crushed. Macs yes, Manor, not so much. You forget for the day job 6000 hitting the system is a slow spell. I actually do know what I'm doing, especially when it comes to security.

[Bri]

You do a gret job on security, didnt mean different.. 2nd Life has an advantage in that they also control the server side totally. There are even 3rd partys trading L$ for real $ which is kinda wacko to me. I just looked and they had 6527 online chatting or crashing.
Even if a determined hacker could break into a vulnerable Manor thru say a SSH breakin, but thats not Madwolf''s database. My point is our hacker appeal is low.
_________________
RL..now with 100% less lag!

[Scotsman]

aahh, but you see a distributed server model as Manor has is also by design. Your absolutly right, an individual Manor is going to be a low priority target, and the MadWolf database employs a layered security approach the bottom level of which is there is no data kept in the database that could be used for identity theft in the first place.

Besides, owning all the servers is a double edged sword. Sure they have ultimate control. But that also means when they go under kiss everything you've done in there goodbye. Conversely in Manor, you own the server, all the media you've put into it, and if I got hit by a buss tomorrow you would still be in control of your world.

The security is good enough I could implement an in world currency and not be overly concerned about it being corrupted. Not that I would want to do such a thing. Manor is about chat, not being a video game (that's not to say I don't plan on having video games available, but the over all environment is not a game).