[ISN] Spies' Battleground Turns Virtual

From: InfoSec News (alerts@private)
Date: Wed Feb 06 2008 - 00:05:00 PST


http://www.washingtonpost.com/wp-dyn/content/article/2008/02/05/AR2008020503144.html

By Robert O'Harrow Jr.
Washington Post Staff Writer
February 6, 2008

U.S. intelligence officials are cautioning that popular Internet 
services that enable computer users to adopt cartoon-like personas in 
three-dimensional online spaces also are creating security 
vulnerabilities by opening novel ways for terrorists and criminals to 
move money, organize and conduct corporate espionage.

Over the last few years, "virtual worlds" such as Second Life and other 
role-playing games have become home to millions of computer-generated 
personas known as avatars. By directing their avatars, people can take 
on alternate personalities, socialize, explore and earn and spend money 
across uncharted online landscapes.

Nascent economies have sprung to life in these 3-D worlds, complete with 
currency, banks and shopping malls. Corporations and government agencies 
have opened animated virtual offices, and a growing number of 
organizations hold meetings where avatars gather and converse in newly 
minted conference centers.

Intelligence officials who have examined these systems say they're 
convinced that the qualities that many computer users find so attractive 
about virtual worlds -- including anonymity, global access and the 
expanded ability to make financial transfers outside normal channels -- 
have turned them into seedbeds for transnational threats.

"The virtual world is the next great frontier and in some respects is 
still very much a Wild West environment," a recent paper by the 
government's new Intelligence Advanced Research Projects Activity said.

"Unfortunately, what started out as a benign environment where people 
would congregate to share information or explore fantasy worlds is now 
offering the opportunity for religious/political extremists to recruit, 
rehearse, transfer money, and ultimately engage in information warfare 
or worse with impunity."

The government's growing concern seems likely to make virtual worlds the 
next battlefield in the struggle over the proper limits on the 
government's quest to improve security through data collection and 
analysis and the surveillance of commercial computer systems.

Virtual worlds could also become an actual battlefield. The intelligence 
community has begun contemplating how to use Second Life and other such 
communities as platforms for cyber weapons that could be used against 
terrorists or enemies, intelligence officials said. One analyst 
suggested beginning tests with so-called teams of cyber warfare experts.

The IARPA paper concurred: "What additional things are possible in the 
virtual world that cannot be done in the real world? The [intelligence 
community] needs to 'red team' some possible scenarios of use."

The CIA has created a few virtual islands for internal use, such as 
training and unclassified meetings, government officials said.

Some veterans of privacy debates said they believe that law enforcement 
and national security authorities are preparing to make a move, through 
coercion or new laws, to gain access to the giant computer servers where 
virtual worlds reside.

Jim Dempsey, policy director at the Center for Democracy and Technology, 
a nonpartisan group that monitors privacy issues, said he heard the same 
worries from the government when cell phones became popular in the 1980s 
and again when mainstream American logged on to the Internet in the 
1990s.

Dempsey said the national security fears are overblown, in part because 
the country already has legal and technical mechanisms in place to give 
the government access to digital records it needs.

"They want to control this technology and make it even easier to tap 
than it already is," Dempsey said. "When the government is finished, 
every new technology becomes a more powerful surveillance tool than the 
technology before it."

Questions about the impact of innovations in communications technology 
are nothing new. Criminals, terrorists and others have used Web sites 
for more than a decade to recruit, operate scams and trade pornography. 
Law enforcement and intelligence authorities responded to new 
technologies by repeatedly seeking out new surveillance authorities.

Intelligence officials said, however, that the spread of virtual worlds 
has created additional challenges because commercial services do not 
keep records of communication among avatars. Because of the nature of 
the systems, the companies also have almost no way of monitoring the 
creation and use of virtual buildings and training centers, some of them 
protected by nearly unbreakable passwords.

"Virtual environments provide many opportunities to exchange messages in 
the clear without drawing unnecessary attention," the IARPA paper said. 
"Additionally, there are many private channels that can be employed to 
exchange secret messages."

And there are the numbers. Some marketers and technology observers are 
predicting explosive growth in the use of virtual worlds in coming 
years. As more people create avatars, it will become harder to identify 
bad guys, intelligence officials said. As in the real world, one of the 
central difficulties is establishing the identity of individuals.

"The challenge that we face is to be able to distinguish the fanatics 
from the average person looking for some simple enjoyment," said the 
IARPA paper.

One intelligence official, who spoke on condition of anonymity, said he 
had no evidence of activity by terrorist cells or widespread organized 
crime in virtual worlds. There have been numerous instances of fraud, 
harassment and other virtual crimes. Some computer users have used their 
avatars to destroy virtual buildings.

Last month, Second Life operators shut down a dozen online banks holding 
virtual currency worth an undetermined amount of actual dollars, after 
computer users raised questions about whether the banks were paying 
promised interest.

National security officials have begun working informally to take stock 
of virtual worlds. That research likely will take on more urgency this 
year, as companies in other countries prepare to unveil their own 
virtual worlds.

One such world, called HiPiHi, is being created in China. HiPiHi 
founders said they want to create ways for avatars to be able to travel 
freely between its virtual world, Second Life and other systems -- a 
development that intelligence officials say make it doubly hard to track 
down the identity of avatars.

In promotional material, HiPiHi officials said that they believe that 
virtual worlds "are the next phase of the Internet."

"The residents are the Gods of this virtual world; it is a world of 
limitless possibilities for creativity and self-expression, within a 
complex social structure and a full functioning economy," the 
promotional material says.

"Virtual worlds are ready-made havens," said a senior intelligence 
official who declined to be identified because of the nature of his 
work. "There's no way to monitor it."

The popularity of virtual worlds has grown despite the technology being 
in an early stage of development. The systems don't work well on older 
computers or those with relatively slow connections to the Internet. 
Though Second Life has more than 12 million registered users, only about 
10 percent of those accounts are active. About 50,000 people around the 
world are on the system at a given moment, according to Linden Lab, 
which operates Second Life.

Officials from Linden Lab have initiated meetings with people in the 
intelligence community about virtual worlds. They try to stress that 
systems to monitor avatar activity and identify risky behavior are built 
into the technology, according to Ken Dreifach, Linden's deputy general 
counsel.

Dreifach said that all financial transactions are reviewed 
electronically, and some are reviewed by people. For investigators, 
there also are also plenty of trails that avatars and users leave 
behind.

"There are a real range and depth of electronic footprints," Dreifach 
said. "We don't disclose those fraud tools."

Jeff Jonas, chief scientist of IBM Entity Analytic Solutions, who has 
been examining developments in virtual worlds, which have attracted some 
investment from the company, said there's no way to predict how this 
technology will develop and what kind of capabilities it will provide -- 
good or bad. But he believes that virtual worlds are about to become far 
more popular.

"As the virtual worlds create more and more immersive experiences and as 
global accessibility to computers increases, I can envision a scenario 
in which hundreds of millions of people become engaged almost 
overnight," Jonas said.

Jonas said it's almost a certainty that clandestine activity associated 
with real criminals and terrorists will flourish in these environments 
because of the ease, reach and obscurity they offer.

"With these actors there will be organized criminal planning and 
behavior," he said. "The likelihood that somebody is recruiting, 
strategizing or planning is almost a certainty."

Copyright 2008 The Washington Post Company


___________________________________________________      
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn 



This archive was generated by hypermail 2.1.3 : Wed Feb 06 2008 - 00:19:43 PST