Posted by Amanda Chapel Friday, September 28, 2007
The man pictured on the right is not a croupier, cabaret crooner, or even effete sommelier; it’s Text 100 EVP, Georg Kolb. Georg, as you are probably aware, is the guy whose claim to fame is that he spearheaded Text 100’s “seminal move into SecondLife,” i.e. the total debacle that’s still an embarrassment to the agency's CEO Aedhmar Hines. Well, he’s back.
By way of background, Georg is in PR “By accident!” (his words). According to Georg: “I was holding philosophy seminars at a German university when a friend of mine asked me to mediate between the new management of a small firm and its employees. As a leader of philosophy seminars, I was used to facilitating ‘difficult groups.’ The meeting turned out to be a huge success. People not only thanked me, but my friend also threw money at me!” Georg has since parlayed that into EVP and head of Text 100’s “Practices and Methodology Group” (“Worldwide,” no less). He presently oversees “the development of the company's service offering;” and is touted as the company’s “futurist.” Specifically, “his work focuses on models that consider influencers in a company's ecosystem and reflect the importance of new peer-to-peer platforms like blogs or wikis.” (Apparently, English is not his native tongue.)
Anyway, Georg is apparently again confident and ready to stick his neck out. Maybe not. The following are excerpts of a recent interview with The Lapdog Reporter.
GEORG OUT ON A LIMB
Warning: The following statements by Georg may be a little startling to some.
A serious client-side vulnerability, affecting the accounts of Second Life residents, has been discovered by the GNUCITIZEN Group. The malicious attack allows hackers to steal users' login credentials and hijack their profiles. With a simple one-line exploit code, ANY USER PASSWORD CAN BE COMPROMISED. Second Life residents should treat this vulnerability as HIGH RISK and suspend online activities until further notice.
The vulnerability was discovered within the Internet Explorer URL protocol handler. Specially crafted URLs can be used to launch the Second Life client and pass arbitrary command line options. One of the command line flags, described in the exploit, instructs the client to auto login. Another command line parameter instructs the client to connect and send the login details to an arbitrary HTTP server over XML-RPC. Upon execution, the exploit will launch the client, which will subsequently send the user credentials to a malicious server. This server will collect the data and reset the password to one known by the attacker, thereby hijacking the victim's account.
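The argument-injection pattern described above can be checked from both sides: before a URL is handed to the client, and afterwards in process-creation logs. The Python below is an added example, not code from GNUCITIZEN or Linden Lab. It assumes a handler registered as `"<client>" "%1"`; the client path, the option names `-optA`/`-optB` and the host `collector.example` are constructed placeholders.

```python
import shlex
from urllib.parse import urlsplit

SCHEME = "secondlife"    # URL scheme named in the advisory
FORBIDDEN = set('"\'`')  # quote characters that can end the quoted %1 argument

def url_is_safe_for_handler(raw):
    """Handler-side check: may this URL be substituted into the command line?"""
    if any(c in FORBIDDEN or c.isspace() or ord(c) < 0x20 for c in raw):
        return False
    return urlsplit(raw).scheme.lower() == SCHEME

def audit_launch(cmdline):
    """Detection-side check for one logged process command line.

    Assumes the handler is registered as "<client>" "%1", so a legitimate
    launch carries exactly one argument: the URL itself.
    """
    try:
        tokens = shlex.split(cmdline, posix=False)  # keep backslashes literal
    except ValueError:
        return ["unbalanced quotes"]
    args = [t.strip('"') for t in tokens[1:]]
    if not any(a.lower().startswith(SCHEME + ":") for a in args):
        return []                                   # not a URL-handler launch
    findings = []
    extras = [a for a in args if not a.lower().startswith(SCHEME + ":")]
    if extras:
        findings.append("extra arguments after URL: " + " ".join(extras))
    if any(a.lower().startswith(("http://", "https://")) for a in extras):
        findings.append("remote endpoint supplied on command line")
    return findings

# Constructed process-creation records; path and option names are placeholders.
SAMPLE_LOG = [
    r'"C:\Apps\client.exe" "secondlife://Ahern/128/128/0"',
    r'"C:\Apps\client.exe" "secondlife://" -optA -optB "http://collector.example/"',
    r'"C:\Apps\client.exe"',
]

def scan(log):
    """Return only the log lines that produced findings."""
    return {line: audit_launch(line) for line in log if audit_launch(line)}

if __name__ == "__main__":
    for line, findings in scan(SAMPLE_LOG).items():
        print(line, "->", findings)
```

Only the second sample line is reported: the quoted URL argument ends early and the remaining tokens reach the client as options.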
1. Conduct Industrial Espionage - Many corporate initiatives in the real world debut in Second Life. This practice allows companies to test various programs at a very early stage and before any real world expenditures are made. Hijacking SL identities gives attackers the opportunity to preview the competitor’s long-term market strategy before it is launched in the real world.
2. Cause Financial Damage - Credentials stolen by the attacker are bound to a bank account in Linden dollars. Stealing the financial assets could bring the virtual collapse of many small enterprises.
3. Implement Black PR - As with any society, Second Life has its very own opinion shapers and leaders. This online vulnerability allows attackers to hijack key profiles to influence public opinion. Conversely, attackers can put their rivals in many unpleasant situations by faking irrational decisions, initiating conflict situations, giving false and confusing information or simply blocking access to the system. Bottom line: the attacker will use this vulnerability to try to defame the target in front of its current and prospective stakeholders.
According to Petko D. Petkov, founder and leading contributor of GNUCITIZEN group: "Most attackers don’t even have to convert the hash back to a password string. Attackers can login with the hash itself by forging a request to one of the Second Life authentication servers. The unhashed password is only needed in situations where the attacker wants to explore other on-line services the victim is currently registered with."
GNUCITIZEN group is an Information Technology security think-tank. Some of their latest research projects include the latest 0day Apple QuickTime remote code execution vulnerability, in-depth analysis of Web2.0 security issues and a database of the latest client-side cross-site scripting attack vectors. The GNUCITIZEN group members have participated in numerous tiger-team sessions for some of the biggest financial institutions in the United Kingdom and abroad.