http://www.estripes.com/article.asp?section=104&article=33184
By Charlie Coon
Stars and Stripes
Mideast edition
November 23, 2005
It seems innocent enough.
A Sony BMG music CD bought at a Power Zone, when inserted into a
computer, requires the Sony player be downloaded in order to play the
music.
But the software also includes anti-piracy software and a "root kit"
that secretly enables Sony to track usage and alter the computer's
operating system.
This surreptitious software allows hackers to access data stored on
the computer and introduce viruses.
Military network analysts are assessing a possible security threat
that could result if the software is installed on government
computers, according to Tom Ryan, an information assurance manager
with the 5th Signal Command based in Mannheim, Germany.
"It's not so much [a threat] on the classified network because
everything on it is already encrypted," Ryan said. "But as far as
[operational security], on the unclassified side it's possible for
somebody to pull down enough information to put together some really
sensitive stuff."
Ryan said that the command is about to install a security patch
developed by Defense Information Systems Agency.
"You have a certain amount of time to comply with installing those
security patches," Ryan said, adding that the current patch needs to
be installed by Dec. 14.
About 2 million Sony BMG music CDs have been sold with the anti-piracy
software embedded on the discs, which makes computers running Windows
products more vulnerable to hackers.
The CDs, released under 52 different titles, install a program on
Windows-based computers that limits the number of copies that can be
made, such as is done with MP3 files.
Tim Madden, a spokesman for Joint Task Force Global Network
Operations, a component of U.S. Strategic Command that oversees the
operation and protection of military networks, downplayed the risk to
Department of Defense computer security.
"It doesn't pose any threat," Madden said. "You can't install [the
software] because of security configurations on DOD computers.
"If somebody were to get [an affected CD] and put it on a government
computer, it asks them to install [the software], but they can't
because they don't have the permissions."
When asked if someone could bring an infected computer from home and
hook it up to a military network, Madden said, "there are a lot of
'what ifs.'"
"This has not been an issue for DOD computers because of the blocks
that have been put in place," Madden said. "Whatever processes and
procedures we may do to manage that is something we're not going to
talk about publicly."
The Army and Air Force Exchange Service, which operates Power Zones
and other stores that sell CDs, is offering customers a full refund
for opened or unopened packages.
Army Lt. Col. Dave Accetta, a spokesman for AAFES Europe, said stores
are complying with the Sony recall and pulling the affected CDs from
its shelves.
"It is a voluntary recall, but we want to make sure customers are
aware and are not placing computer systems at risk," he said.
The software does not affect stereo equipment, just computers,
according to Sony and AAFES.
Sony is being sued by the state of Texas, which contends that the
electronics giant violated the state's new spyware law.
"Sony has engaged in a technological version of cloak and dagger
deceit against consumers by hiding secret files on their computers,"
said Greg Abbott, the Texas attorney general.
¶ Information on the recall and the software can be found at
www.sonybmg.com. Click on "Information on xcp content protection."
The Associated Press contributed to this report.
_________________________________________
Earn your Master's degree in Information Security ONLINE
www.msia.norwich.edu/csi
Study IA management practices and the latest infosec issues.
Norwich University is an NSA Center of Excellence.
