[ISN] Military assessing possible threat posed by Sony security software

[InfoSec News]

http://www.estripes.com/article.asp?section=104&article=33184

By Charlie Coon
Stars and Stripes
Mideast edition
November 23, 2005

It seems innocent enough.

A Sony BMG music CD bought at a Power Zone, when inserted into a 
computer, requires the Sony player be downloaded in order to play the 
music.

But the software also includes anti-piracy software and a "root kit" 
that secretly enables Sony to track usage and alter the computer's 
operating system.

This surreptitious software allows hackers to access data stored on 
the computer and introduce viruses.

Military network analysts are assessing a possible security threat 
that could result if the software is installed on government 
computers, according to Tom Ryan, an information assurance manager 
with the 5th Signal Command based in Mannheim, Germany.

"It's not so much [a threat] on the classified network because 
everything on it is already encrypted," Ryan said. "But as far as 
[operational security], on the unclassified side it's possible for 
somebody to pull down enough information to put together some really 
sensitive stuff."

Ryan said that the command is about to install a security patch 
developed by Defense Information Systems Agency.

"You have a certain amount of time to comply with installing those 
security patches," Ryan said, adding that the current patch needs to 
be installed by Dec. 14.

About 2 million Sony BMG music CDs have been sold with the anti-piracy 
software embedded on the discs, which makes computers running Windows 
products more vulnerable to hackers.

The CDs, released under 52 different titles, install a program on 
Windows-based computers that limits the number of copies that can be 
made, such as is done with MP3 files.

Tim Madden, a spokesman for Joint Task Force Global Network 
Operations, a component of U.S. Strategic Command that oversees the 
operation and protection of military networks, downplayed the risk to 
Department of Defense computer security.

"It doesn't pose any threat," Madden said. "You can't install [the 
software] because of security configurations on DOD computers.

"If somebody were to get [an affected CD] and put it on a government 
computer, it asks them to install [the software], but they can't 
because they don't have the permissions."

When asked if someone could bring an infected computer from home and 
hook it up to a military network, Madden said, "there are a lot of 
'what ifs.'"

"This has not been an issue for DOD computers because of the blocks 
that have been put in place," Madden said. "Whatever processes and 
procedures we may do to manage that is something we're not going to 
talk about publicly."

The Army and Air Force Exchange Service, which operates Power Zones 
and other stores that sell CDs, is offering customers a full refund 
for opened or unopened packages.

Army Lt. Col. Dave Accetta, a spokesman for AAFES Europe, said stores 
are complying with the Sony recall and pulling the affected CDs from 
its shelves.

"It is a voluntary recall, but we want to make sure customers are 
aware and are not placing computer systems at risk," he said.

The software does not affect stereo equipment, just computers, 
according to Sony and AAFES.

Sony is being sued by the state of Texas, which contends that the 
electronics giant violated the state's new spyware law.

"Sony has engaged in a technological version of cloak and dagger 
deceit against consumers by hiding secret files on their computers," 
said Greg Abbott, the Texas attorney general.

¶ Information on the recall and the software can be found at 
www.sonybmg.com. Click on "Information on xcp content protection."

The Associated Press contributed to this report.