Hacking from within SL?

Jupiter

Still under construction
Joined
Sep 20, 2018
Messages
122
Location
Australia
Joined SLU
07-05-2010
SLU Posts
1617
Hi everyone. This is a technical and cybersecurity question.

If you're inworld, is it possible for someone else who is inworld to hack into your router?

My initial reaction is no, but I think the more appropriate answer might be 'not easily'. I'm getting emails from a woman who claims this happened to her. She blames me because she was encouraged to join SL after reading an article I wrote about it back in October. I have not addressed her complaints yet and I'm not concerned that she'll take any action. I'm first trying to understand if and how it could happen.
 

Andi

Luskwood Staff
Joined
Sep 20, 2018
Messages
38
Location
Lusk
SL Rez
2009
Joined SLU
11-04-2010
SLU Posts
782
There is no LSL function that will allow control over your PC; SL is very secure. I'm going to bet she was one of the people that play master and pet, and used that extreme RLV thing that required TeamViewer and some program that changes the email and password of the account to what the master wants. THIS has been a real issue I have been reading about on the forum, and LL is coming down on the issue as best as they can. And yes, there are people like this blaming other SL users and blaming LL themselves for their own stupidity.
 
Joined
Sep 19, 2018
Messages
766
Location
Portland, OR
SL Rez
2003
SLU Posts
4494
> Hi everyone. This is a technical and cybersecurity question.
>
> If you're inworld, is it possible for someone else who is inworld to hack into your router?
>
> My initial reaction is no, but I think the more appropriate answer might be 'not easily'. I'm getting emails from a woman who claims this happened to her. She blames me because she was encouraged to join SL after reading an article I wrote about it back in October. I have not addressed her complaints yet and I'm not concerned that she'll take any action. I'm first trying to understand if and how it could happen.

I am a total amateur when it comes to such things. Nevertheless I'll relay the first thoughts that come to my mind. If someone has some land with a music stream on it they might be able to locate your ip address. From there, if they know some exploit, they might be able to get into your router. Kind of a long shot though.
 

Jupiter

Still under construction
Joined
Sep 20, 2018
Messages
122
Location
Australia
Joined SLU
07-05-2010
SLU Posts
1617
> There is no LSL function that will allow control over your PC; SL is very secure. I'm going to bet she was one of the people that play master and pet, and used that extreme RLV thing that required TeamViewer and some program that changes the email and password of the account to what the master wants. THIS has been a real issue I have been reading about on the forum, and LL is coming down on the issue as best as they can. And yes, there are people like this blaming other SL users and blaming LL themselves for their own stupidity.

In all my years working in online communities, every case of "hacking" I've seen involved the victim giving the hacker their user ID and password. I'm not familiar with that RLV issue and I doubt that was the case here, but I'll have a look at that. Thanks.

> I am a total amateur when it comes to such things. Nevertheless I'll relay the first thoughts that come to my mind. If someone has some land with a music stream on it they might be able to locate your ip address. From there, if they know some exploit, they might be able to get into your router. Kind of a long shot though.

Yeah, that falls into my "not easily" thought. And also, why? I mean, I guess hackers hack for fun and malice, but it just seems like a lot of work.
 

Imaze Rhiano

New member
Joined
Jan 6, 2019
Messages
2
As Andi said, SL LSL itself is pretty secure. You could trick a person into giving permission for an object to take money from their account, but there is nothing that gives access to the person's computer. You could also trick a person into visiting some website and get the person's IP address as an attack vector. Then you could use social hacking methods to overcome the router's defences... Easier would be to just trick the person into downloading some trojan with social hacking.
 

Kathryn Elisabeth

[1/2 Baked Cookie!]
Joined
Sep 20, 2018
Messages
35
Location
Somewhere near a Candy Jar
Yeah... Uh....

When I was a noob back in the days of client side baking, I was told that those gray clothing layers that bake failed was Ebil HAXORS giving viruses! Since then, I have heard other things that resulted in a facepalm of such severity, that it left a red mark.

Now it could be some sort of malicious thing, and not someone confused b/c they are not rezzing fast enough on an underpowered PC with integrated graphics.

People do wind up getting phished, and calling it hacking.... because they gave their password away, or they used their pet's name as a security question. Followed by telling avatars in local that they need to AFK to feed Fluffers.

'Mai Router was Hacked!' does sound overly dramatic, but what would SL be without... drama?
It might just be that they remembered the word router from an old episode of CSI. :sneaky:
 
Joined
Sep 21, 2018
Messages
125
Location
Scotland
Joined SLU
July 2007
SLU Posts
319
> When I was a noob back in the days of client side baking, I was told that those gray clothing layers that bake failed was Ebil HAXORS giving viruses!

When I was new I had a stalkery "friend" who insisted that someone had "put lag on him" because things were sometimes slow. Never mind that he was living on the mainland in a casino full of scripted objects and wearing another 8 million scripts in his guns and digital watches and so on... He was completely convinced that someone was sabotaging his SL experience out of spite.
 

Amity Slade

Active member
Joined
Sep 24, 2018
Messages
52
SL Rez
2007
Joined SLU
Oct 2010
SLU Posts
3965
I don't know how secure one is exposing oneself to Shared Media in Second Life. I have plug-ins for my computer's web browser to help protect from website exploits. I don't know if the SL Viewer's built-in browser, or media-on-a-prim, are safe.

While I don't know the specifics of the security problem related to Windows and Quicktime, I do know that Quicktime is considered to be completely unsafe to run in Windows. But Quicktime is what SL wants you to use if you ever want to see video media on Land.
 

Han Held

Active member
Joined
Sep 20, 2018
Messages
318
Location
Anchorage
Joined SLU
September, 2010
SLU Posts
7705
anything's possible? If you can send a command to a webserver via LSL then it would follow that you're able to do anything a webserver can do.

Someone like Argent would know better than I would; but since (as far as I know) your IP, router and other identifying information isn't revealed to anyone but Linden Lab, then I wouldn't think they'd be able to attack your router.

But if they're able to trick you (social engineering) into using their webserver (probably via MOAP?) then they'd be able to get your info that way and do whatever.

I'm not sure how practical that is; but in theory I'd imagine that yes, it can be done.
 

Han Held

Active member
Joined
Sep 20, 2018
Messages
318
Location
Anchorage
Joined SLU
September, 2010
SLU Posts
7705
For what it's worth; there are some, not a lot, but some hypergrid locations I won't go to for that exact reason. Opensim harvests your IP, MAC address and hard drive number whenever you log into a region. Making a hop over to skeevyhax0rz.ru a dicey proposition.
 

Casey Pelous

Senior Discount
VVO Supporter 🍦🎈👾❤
Joined
Sep 24, 2018
Messages
245
Location
USA, upper left corner
SL Rez
2007
Joined SLU
February, 2011
SLU Posts
10461
They're STILL using Quicktime? Holy smokes!

That hasn't been supported since --- *googles* -- 2016! :eyepop:
 

Kara Spengler

Queer OccupyE9 Sluni-Goon
Joined
Sep 20, 2018
Messages
1,964
Location
SL: November RL: DC
SL Rez
2007
Joined SLU
December, 2008
SLU Posts
23289
> There is no LSL function that will allow control over your PC; SL is very secure. I'm going to bet she was one of the people that play master and pet, and used that extreme RLV thing that required TeamViewer and some program that changes the email and password of the account to what the master wants. THIS has been a real issue I have been reading about on the forum, and LL is coming down on the issue as best as they can. And yes, there are people like this blaming other SL users and blaming LL themselves for their own stupidity.

Actually ...

There is an LSL function to send/receive data on the net, it is how things like pets and those banlinks work. Let your imagination wander from there.

To get into the router I am assuming the web interface. Which would work if it were internal (most people use cable company defaults so it is not hard to have a list) but I *think* that lsl call would route it via your server.
 

Pamela

Well-known member
Joined
Oct 7, 2018
Messages
538
Location
Austin
SL Rez
2007
Joined SLU
2009
A couple of times a week someone announces in the official forum that he has been hacked. Some people assume some bad actor is to blame for anything that happens that irritates, annoys, scares, inconveniences, or angers them. It somehow never occurs to them that they just might not understand how SL works. Or that they take trivial annoyances VERY seriously, because everything that happens to them must be taken seriously.
 

NeoBokrug Elytis

++post_count;
Joined
Sep 20, 2018
Messages
38
Location
The Wastelands
SL Rez
2005
Joined SLU
Sept 2007
SLU Posts
2161
To my knowledge there's only one LSL function that could expose any sort of user data, and it involves parcel media. Everything else that makes calls to outside of Second Life is sourced from the simulator and returns simulator IPs, headers, and responses.

Unofficial Third Party viewers are probably the worst infringers of SL "hacking", but that requires an uneducated person to download and run said viewers -- which are probably loaded with trojans.

That being said, parcel media is probably the culprit if it is -- but only if someone isn't using an unofficial third party viewer. To this day someone still could get your IP and associate it with your SL account if you enable parcel media. If your system is vulnerable to zero day exploits, they could leverage that to crack your system.

Back in the day there were multiple Quicktime exploits that would allow people to access local files on your system, but LL has moved to using VLC in the viewer. I think at one point VLC had an issue too, but it was patched.

Maybe SL voice too, but I typically run around with voice and parcel media off, for just such reasons.
 

Myficals

Pop!
Joined
Sep 19, 2018
Messages
371
Location
a sunburnt country
SL Rez
2007
Joined SLU
Feb 2010
SLU Posts
4075
> But Quicktime is what SL wants you to use if you ever want to see video media on Land.

Not in quite a while. The Lab removed SL's ability to stream from a QT/Darwin server a couple of years ago. It was in the cards for some time, but then the whole QT deprecation and announcement of potential, never to be patched, exploits thing happened and the Lab shut it down fairly soon after.
 

NeoBokrug Elytis

++post_count;
Joined
Sep 20, 2018
Messages
38
Location
The Wastelands
SL Rez
2005
Joined SLU
Sept 2007
SLU Posts
2161
You can actually still stream from a QT/Darwin server, but it's through VLC in the viewer now. There was a period of about two years when it was impossible to stream through QT/Darwin, but it's back.
 

Couldbe Yue

Syncing with reality
Joined
Sep 26, 2018
Messages
86
Location
Second Life
SL Rez
2006
Joined SLU
07-16-2008
SLU Posts
5036
My firewall once reported a port scan that originated from one of the SL regions.

People eh?
 

nebula

NOPE
Joined
Oct 4, 2018
Messages
27
SL Rez
2007
Joined SLU
2009
You can get an IP from someone pretty easy, but that requires media, but directly just hoppin on over to someone's router and boopin their bits is kinda far fetched.
 

Qie Niangao

Coin-operated
Joined
Sep 25, 2018
Messages
16
SL Rez
2006
I think IP address is exposed to the stream provider with all the streaming interfaces (not just Parcel Media, but also Parcel Audio and Shared Media), although the agent-specific variety of Parcel Media is still the easiest to associate with a single avatar. But there are so many other, non-SL ways to harvest IP address that I'm unclear why this person would think SL had anything to do with whatever happened to her, unless something about this "hack" was directly associated with her SL identity or account (and even then, that SL association could result from an unrelated hack).

If I were forced to dream up an SL-related vulnerability, I might look at Voice, but that's more superstition than substance.

This is all assuming the router "hack" happened and wasn't a follow-on from phishing, which may or may not be nominally SL-related.