Second Life Security Break
So last week while I was in the middle of a symposium, I received a distressing email telling me that information regarding my Second Life account had been leaked. Worse yet, in addition to my password being leaked, credit card details were also leaked, including credit card number and home address. Yikes! Part of the email was posted on the SL website as Second Life Security Bulletin.
But I was a little surprised to find the following Question and Answer in the email:
Q: Should I be concerned that encrypted password and encrypted payment information may have been exposed? Is the encryption unbreakable?
A: We use an MD-5 hash (scramble function) and salt (additional data) to encode passwords and payment information, an industry standard technique that is commonly regarded as difficult to defeat. However, no hash or encryption is unbreakable, given enough time and computing power. If you believe that you may be the victim of credit card fraud, you should contact your credit card company. If you use your Second Life password on other websites, online services, or any other services, you should change the password on that service as well. You can find additional tips for protection of your identity online at http://www.privacy.ca.gov/sheets/cis1english.htm.
This sounds great, except that the statement "an industry standard technique that is commonly regarded as difficult to defeat," is nearly completely false. The use of MD5 as a secure hash function has not been industry best practice for several years. Even when I worked at RSA in the mid-1990s we told people that we suggested SHA1 for new applications because we were concerned about weaknesses in MD5 that could eventually be exploited. For a reference, look at the Summer 1996 CryptoBytes [PDF]. I think the most significant quote from this 10-year-old article is:
Therefore we suggest that in the future MD5 should no longer be implemented in applications like signature schemes, where a collision-resistant hash function is required...
Security guru Bruce Schneier has a page on his blog, More Hash Function Attacks, demonstrating why using MD5 is a bad idea. And if you don't believe Bruce, just read what RSA Labs says about it in Collisions for SHA0, MD5, HAVAL, MD4, and RIPEMD, but SHA1 Still Secure. Note that this tech note from RSA came out over two years ago.
But aside from the poor security properties of MD5, and the fact that MD5 is not an encryption scheme, but a message digest function, the technique they're describing sounds a little like "password based encryption" or PBE for short. Mohan Atreya has a nice description of PBE at http://www.rsasecurity.com/products/bsafe/overview/Article3-PBE.pdf [PDF]. It is appropriate for password security, but not for encrypting things like credit card numbers in databases, and here's why.
Linden Labs uses your credit card for two types of things: First, you have to pay an initial fee to get a persistent avatar. Second, if you want to buy land, you have to set up a recurring payment. You can have an avatar that persists past the trial period without buying land, so it is possible that you have a one-time payment with Linden Labs.
I seriously hope that after people make these initial payments, the credit card number is not retained. Why? Because it's a liability waiting to happen. I imagine that somewhere out there, there's a lawyer setting up a class action suit on behalf of everyone whose information was exposed. If Linden Labs did not retain my credit card number, then it's pretty hard to argue that any damages were done.
But I'm not sure how MD5 is related to the discussion of credit card number retention for people who "bought land" and make recurring payments. Follow me here... MD5 is not an encryption technique. It does not encrypt things. It can be used with a Password Based Encryption scheme to derive a key used to encrypt data, but its use for this purpose was discounted long ago. Even if Linden Labs had used SHA-256, it's still inappropriate to use a password to encrypt credit card data. Why? Because that password would need to be available to LL's billing system when it's time to submit a payment request to the customer's credit card company.
So what password is being used to encrypt payment information? I sure as heck hope it's not the account password used to log in to the system. Why? Because from the sound of it, the Linden guys are saying that they don't store your password, only a hash of the password. But in order for this to work with payment information, you need an encryption key. So the question is "how is the encryption key related to the hashed password?" If the answer is "not at all," then great, we don't have to worry too much about the use of MD5 here. (Other than the fact that someone now has a database of passwords or hashed and salted passwords.)
So my question is, if the encryption key used to encrypt my credit card data (which shouldn't even be on their servers, because they don't need it) isn't related to the password, then why is the term "payment information" used in the same breath with "password" and "MD5"? It's all just a touch confusing.
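The question raised in the last two paragraphs, whether the card key is related to the hashed password, as an added Python sketch (not Linden Lab's code and not anything from the bulletin): design A derives the card key from the login password, design B uses a random key held in a separate key store. The salt||password layout, the PBKDF2 parameters, the key-check value standing in for real card encryption, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this sketch

def md5_verifier(password: str, salt: bytes) -> bytes:
    # Login verifier as the bulletin describes it; salt||password layout is assumed.
    return hashlib.md5(salt + password.encode()).digest()

def password_key(password: str, salt: bytes) -> bytes:
    # PBE-style key: reproducible only by someone who knows the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def key_check(key: bytes) -> bytes:
    # Stand-in for "this key decrypts the stored card": a key check value.
    return hmac.new(key, b"card-record", hashlib.sha256).digest()

def unlocks(row: dict, key: bytes) -> bool:
    return hmac.compare_digest(row["kcv"], key_check(key))

def enroll_password_derived(password: str) -> dict:
    # Design A: the card key is derived from the login password.
    salt = secrets.token_bytes(16)
    return {"salt": salt, "verifier": md5_verifier(password, salt),
            "key_id": None, "kcv": key_check(password_key(password, salt))}

def enroll_independent(password: str, keystore: dict) -> dict:
    # Design B: a random card key lives outside the account database.
    salt, key_id, key = secrets.token_bytes(16), secrets.token_hex(8), secrets.token_bytes(32)
    keystore[key_id] = key
    return {"salt": salt, "verifier": md5_verifier(password, salt),
            "key_id": key_id, "kcv": key_check(key)}

def billing_key(row: dict, keystore: dict):
    # The recurring-billing job runs with no user present, so it has no password.
    return keystore.get(row["key_id"])

def exposed_by_password(row: dict, password: str) -> bool:
    # Once the login password is known, does the card key for this row follow from it?
    if not hmac.compare_digest(row["verifier"], md5_verifier(password, row["salt"])):
        return False
    return unlocks(row, password_key(password, row["salt"]))

if __name__ == "__main__":
    ks = {}
    a, b = enroll_password_derived("constructed-pw"), enroll_independent("constructed-pw", ks)
    print("billable without password:", billing_key(a, ks) is not None, billing_key(b, ks) is not None)
    print("card key follows password:", exposed_by_password(a, "constructed-pw"), exposed_by_password(b, "constructed-pw"))
```

Design A cannot be billed on a schedule unless the password itself is kept somewhere, and its card key stands or falls with the password hash; design B can be billed and keeps the two secrets unrelated.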
Then there's the San Jose Mercury-News article, Security breach at fantasy site Second Life, which indicates:
Engineers discovered the hack Thursday and, after investigating computer logs, decided Friday to alert members. The hacker gained access through a flaw in software known as TikiWiki, an open source program engineers use on the game's "support" site, which explains rules and answers users' questions.
To which I respond... "how do you design a back-end infrastructure that allows an attacker on the support machine to gain access to payment information?"
Sadly, I believe the answer is "by ignoring security best practice."



