WASHINGTON POST.COM
SECURITY FIX
Brian Krebs on Computer Security
More Sony Problems to Be Revealed
Several groups of privacy and security experts are expected to release
research later today that points to multiple, serious security flaws
present in "*XCP*," the anti-piracy software used on an undisclosed
number of *Sony BMG* music CDs. (For the record, *Security Fix* observed
that experts were busily searching for such flaws
<http://blogs.washingtonpost.com/securityfix/2005/11/hackers_raid_so_1.html>
shortly after this whole fiasco began.)
According to details provided by prominent security researcher *Dan
Kaminsky <http://www.doxpara.com>*, the resulting public outcry could
make Sony feel like the last two weeks of consumer backlash were a walk
in the park.
Kaminsky will be unveiling research that indicates just how many
computer networks have Sony's anti-piracy software installed on them.
Kaminsky declined to be more specific, but numbers referenced
<http://www.washingtonpost.com/wp-srv/technology/daily/graphics/complaint_111405.pdf>
in a class-action lawsuit filed Tuesday in New York
<http://blogs.washingtonpost.com/securityfix/2005/11/sony_faces_anot.html>
against Sony and XCP maker *First4Internet* indicate that Sony sold
approximately 3 million music CDs carrying the software.
"The net effect is that it's not in doubt that Sony has created a major
security event on the Net," Kaminsky said in an online chat last night.
But wait, it gets ... er ... better. The researchers discovered a
security flaw in XCP (which stands for "extended copyright protection")
that could afford attackers a window through which to break into
computers running the software and install additional software or viruses.
Kaminsky told me that one of the researchers involved in the
investigation is *Edward Felten
<http://www.cs.princeton.edu/%7Efelten/>*, a professor of computer
science and public affairs at Princeton University.
And indeed, Felten's blog -- *Freedom to Tinker*
<http://www.freedom-to-tinker.com/?p=926> -- hints as to the research he
will release tomorrow along with *Alex Halderman
<http://www.princeton.edu/%7Ejhalderm/>*, a Ph.D. student at Princeton
whose research <http://www.cs.princeton.edu/%7Ejhalderm/cd3/> includes
digital rights management technologies, including *SunnComm Technologies
<http://www.sunncomm.com/index_flash.html>*, a different anti-piracy
program used by other Sony titles
<http://www.boingboing.net/2005/11/10/sony_music_cds_infec.html>:
"Alex Halderman and I have confirmed that Sony’s Web-based XCP
uninstallation utility exposes users to serious security risk. Under at
least some circumstances, running Sony’s Web-based uninstaller opens a
huge security hole on your computer. We have a working demonstration
exploit. ... In the meantime, we recommend strongly against downloading
or running Sony’s Web-based XCP uninstaller."
(The name of Felten's blog is a nod to his prior
<http://www.boingboing.net/2005/11/10/sony_music_cds_infec.html> high-profile
legal dust-up with the entertainment industry
<http://www.eff.org/IP/DMCA/Felten_v_RIAA/faq_felten.html> over alleged
violations of the Digital Millennium Copyright Act
<http://www.copyright.gov/legislation/dmca.pdf>.)
I tried to contact Felten earlier today, and no doubt he was too busy
with this research to grab the phone. I contacted Halderman by e-mail,
who confirmed that "the uninstaller can create even worse problems than"
those created by the anti-piracy software itself. Halderman said further
details would be available on Felten's site later today.
One of XCP's most alarming traits for security researchers has been its
ability to hide not just its own files on a user's PC but also any other
files, viruses or worms that follow the program's file-naming rules --
hidden so well that even antivirus programs can't find them.
Last week, about the same time that someone mass-spammed several
versions of a virus
<http://blogs.washingtonpost.com/securityfix/2005/11/virus_writers_e.html>
designed to take advantage of XCP's file-hiding abilities, Sony issued a
"patch" to help users remove the file-hiding function. (The patch did
not uninstall the program itself, which resists removal so effectively
that security researchers have equated it to a "rootkit
<http://en.wikipedia.org/wiki/Rootkit>".)
But according to research to be presented tomorrow, that very same patch
Sony issued to help close the security hole exposed by its software
actually introduces additional security flaws.
While exposing oblivious users to additional risks when someone or
something has already compromised their computer is in itself
inexcusable, opening that user's system to backdoor security flaws and
then paving the way for attackers to install whatever they please
without fear of detection or removal is unconscionable.
Imagine the potential consequences of military personnel or government
employees at work on a sensitive government network popping one of these
CDs into their computer to listen to their favorite Sony-label music
artist. If only half of this research turns out to be supported by the
broader security community, Sony is about to find itself in big-league
legal trouble.