[ISN] The Hidden Risks of Demo Discs

InfoSec News isn at c4i.org
Mon Dec 6 04:27:37 EST 2004


By Libe Goad 
December 3, 2004 

In mid-November, members of Sony's PlayStation Underground received
the Holiday Demo Disk and discovered that after executing one of the
game demos on the disc, their PS2 memory cards were completely erased.

While that doesn't mean much to nongamers, anyone who has spent
40-plus hours building a character in a role-playing game or playing
through a season of football - well, it's a huge boot in the trousers.  
The disc, sent via mail to PlayStation Underground members, was also
set to be polybagged with several gaming magazines. The glitch was
caught in time, so the bug didn't reach as many consumers as it might

Ryan Bowling, public relations manager for Sony Computer Entertainment
America, said Sony responded to the situation by sending out warning
e-mails to PlayStation Underground subscribers telling them to remove
their memory cards before playing the demo.

"It is unfortunate that it happened," Bowling said, "and we're going
to make sure it doesn't happen again."

But what does this mean for the rest of us?

There's more to the story than a handful of gamers losing their saved
game files. The implications of such a glitch can be huge, especially
as consumers start to set up networked computing systems in the home
with routers, networks, servers, etc. Minus cubicles and a water
cooler, it's the equivalent of a small enterprise network.

Rick Fleming, chief technology officer at Digital Defense Inc, said
that although most consumers don't realize it, game consoles are also
like computers that run off of their own proprietary operating system.  
As a result, a bug in a demo CD, CD-ROM or DVD-ROM could affect the
rest of a home network and has the potential to spread to an
enterprise network through a VPN connection or other portable storage

"PlayStation and Xbox are being networked with home computers so I
can easily see how something like that would spread across a network,"
Fleming said. "Every time you connect to something else, there's
another opportunity for something to go wrong."

Trouble Inside the Firewall

The idea that a removable disk can affect an entire networked system
seems almost quaint, reserved for corporate spoofs such as "Office
Space," where the protagonists use a program on a 3.5-inch floppy disk
to steal money from the company. Now, companies and consumers focus
on outside threats, with the illusion that they're sitting pretty
behind Internet firewalls and anti-virus programs.

"It's like they'll leave the windows and sliding glass doors open,"  
Fleming said. "Not the front door, though. It's vaulted shut."

While there are few recent instances of companies sending out software
with embedded viruses, it still happens on occasion. In 2002,
Microsoft sent out a .Net developer disk infected with the Nimda
virus, though Microsoft says it didn't actually spread to any

In the entertainment sector, AOL Time-Warner released a "Powerpuff
Girls" DVD in 2001 that contained the peevish "FunLove" virus, which
spread to users who played the disc on PC.

In an earlier echo of the PlayStation Underground incident, MacAddict
Magazine sent out a demo with a version of the Auto-Start virus. In
most of these cases, the problems were easily fixed, but it is still a
signifier that seemingly innocent CDs sent out by reputable companies
can contain malicious content.

With CD drives in virtually every machine, it's more common than
ever for people to share information via optical media, Fleming said.
Most people don't give a second thought to putting something like that
in their machine.

So, are these little glitches as banal as reports make them out to be?  
Maybe—though more conspiratorial analysts say these harmless bugs
could turn into an entirely new threat that the security community is
not ready to handle.

"Most of the time when we see threats show up, it's a concept for how
a Trojan or virus can be introduced," Fleming said. "When it's
introduced, it's mostly very benign—erasing the flash memory on a
PlayStation is not going to affect me personally—but what does concern
me is that we have a whole new threat vector. People are going to take
the concept and think, 'What's the next thing I can do?'"

An Ounce of Prevention

Not every security expert takes the same point of view, but they all
agree that any networked user needs to take the same precautions,
whether they're on a home or business network.

John Pescatore, vice president of Internet Security at Gartner Inc.,
said home network security has a long way to go, since most major
companies involved in home computing don't focus on that kind of
security environment.

"There's a funny thing going on," he said. "For many years, Microsoft
built Windows with home users in mind, but in 2001-2002, they got
religion and started doing more for enterprise security. They forgot
about the home user who doesn't have an IT staff to take care of their

Pescatore also said there's been discussion in the industry about how
to integrate security into consumer electronics. The problem is that
companies still say anything harder to use slows down consumer
adoption—so no one is willing to make security a priority in a
consumer environment.

"There's not a lot of incentive to say, 'My product is harder to
use,'" Pescatore said.

AOL has recently taken one of the first steps into helping consumers
with security by offering McAfee VirusScan Online services for free.

Businesses also can take a few notes from a home network invasion.  
Much like home users, Fleming said businesses keep a closer watch on
outside threats and don't do enough to make sure that nothing is
coming from within the company.

"Computer institutions and the FBI have surveys that show around 60
percent of all security instances occur internally," Fleming said.  
"This is where a lot of companies don't get it. They do all of the
testing on outside resources and don't monitor internally."

Fleming strongly recommended that businesses create a strong security
policy that's enforced through monitoring and training. People need to
be aware of bringing in software and other devices from home. That
includes things such as music CDs, which often store data other than
the actual music tracks.

"There has to be mandated vigilance in the enterprises," Fleming said.  
"It's got to be pounded into their heads to be careful."
