Page 2 of 3

Beware of who joins your social network

By Amit Paul Babu
October 29, 2008

Although the ability to share information and multimedia files is among social networking sites’ greatest strengths, hackers see these assets as new vectors to attack unsuspecting users.

1. Material gains in virtual worlds can have real-world impact. There are often secondary markets where goods inside of virtual worlds can be bought and sold for real currency. Attackers go where the money is.

2. Virtual currencies and goods are not regulated. Therefore, the legal implications for performing theft are murky. That’s good news for the attacker.

3. Converting virtual currencies and goods can provide a money laundering mechanism. Because currencies and goods can be traded inside the virtual world and then subsequently sold into secondary markets for real money, it becomes difficult to trace a crime.

4. Many people are willing to go to great lengths to acquire assets inside a virtual world, and might compromise their security in the process. For example, suppose that the virtual world takes the form of an online game. If a hacker posing as a player or game administrator offers you a tool that claims to improve your performance in the game, you might use that tool without thinking through the repercussions. The tool could really be a keystroke logger in disguise. Virtual worlds offer really interesting opportunities for attackers, and to the extent that attackers can use social context in these worlds, they will be that much more powerful.

Over the past few years, business-oriented social networking sites have increased in use, even by top-level executives. What security implications should enterprises consider regarding these sites?

In general, business-oriented social networks can be safe as long as users take some precautions. First, be careful with information you put on your profile. Any information you disseminate to a social networking site is no longer in your control. Don’t reveal anything that you wouldn’t want to be made public.

Also, be selective of people you allow into your network. It is generally not a good idea to link to someone you do not know, even if they say they know you. One risk lies in the sometimes automatic nature in which users accept invitations from people claiming to be past business acquaintances. Once you allow them into your network, they can more easily gain access to all of your contacts and subsequently attempt to target them.

The human element presents enterprises with perhaps the greatest danger of social networking. In the case of phishing, users are often too trusting and open themselves and their employer up to attack. If a hacker wants to target company XYZ, it’s not difficult to find an employee from that company on a social networking site. All an attacker would have to do is make friends with one or several employees, gather sensitive information about the company and its IT infrastructure, and launch an attack.

What policies and technology solutions should enterprises put in place to protect themselves?

Ensuring that IT infrastructure is running good and up-to-date security software is always important. Policy compliance software can also go a long way to ensure that unauthorized client software is not installed on corporate computers. Beyond that, unless the company requires it, consider disabling access to popular social networking sites at the perimeter for both security and productivity purposes. One must not assume they are entirely safe due to the software and tools they use. Users across the enterprise need to modify their behaviour as well.

IT administrators should keep in mind that it is human nature to want to take the short and quick path. Companies should train employees and executives to question the validity of URLs they see or receive in emails, even if they come from friends and co-workers. Enterprise users should also be wary about opening and viewing emails sent from users they do not know.

Copyright 2008 India syndicate.com Pvt.Ltd.