DRM Protection and your computers - are YOU safe?
Most IT professionals have a series of security procedures and software in place to protect machines in their networks. Firewalls block access to an internal network from the outside world. Antivirus software and appliances are in place to prevent takeovers of computers on a network. Spyware is routinely squashed and erased from machines. IM clients are banned or protected from malicious worms that are cropping up. It's big business, and in many instances saves hours, possibly weeks, of work in reconstructing damaged systems.
Sony takes a hit
Until Oct. 31, however, most IT professionals didn't realize one of the risks was being toted in to work every day. Blogger Mark Russinovich posted information regarding software that was installed on computers when certain Sony BMG CDs were inserted. Labeled XCP (Extended Copy Protection), the software was originally intended to control the number of times a CD could be burned or copied on a single computer. However, the software was being installed without the user's permission and was being hidden from the view of the computer's operating system. Sony believed this to be their right - controlling who could copy their songs on CDs recorded by 52 of the biggest artists on their label was protecting intellectual property.
However, F-Secure, a computer security company, got wind of this software earlier in October and had warned Sony of the hazardous potential in their software. In hiding XCP from the operating system, Sony BMG's protection scheme was using something called a rootkit: a program that is designed to hide running programs from the operating system. In this case, the best-laid plans from Sony BMG opened up potentially hundreds of thousands of computers to attacks. Worms that could hide behind the Sony BMG XCP software quickly showed up on the scene.
Since October, the media coverage of Sony BMG has been devastating. Backpedaling to control the bad press, Sony initially offered a program to remove the rootkit from computers. This was shown to cause an even larger vulnerability. Sony BMG is recalling CDs with the XCP software installed and offering free replacements. Sales of the CDs with XCP have plummeted, creating a band of irate musicians that Sony BMG has to contend with as well.
The software Sony was using had been in place for months, but advanced security programs were not detecting it. Sony, being a large corporation, was considered a trusted company by many vendors and was never researched for possible security issues. It is still unclear what other companies are doing for DRM protection on their CDs and DVDs. Other programs like this may still be undiscovered. In fact, this week another vulnerability was found on an entirely different set of CDs that Sony has sold - all 5.7 million of them.
So, what's the solution?
For IT professionals with networks that need to be secure, this opens up a whole new can of worms. How big of a security risk is this? 2 million CDs with XCP (and now at least one other set of even more) were sold before the whole story broke on the news, so it's entirely likely that computers on your network have the software installed. Many consider a best-practices wipe and reinstall to be the only solution to a rootkit infection, but in companies where a large number of machines have the XCP software installed, this may be costly and unreasonable.
Security vendors are rushing to add XCP to their list of potential violations, so one path would be to wait for a solid solution from your vendor. You may check with your vendors about efforts to clear the XCP software from infected machines. For those that can't wait, there are information resources, including information from Sony BMG regarding XCP. Sysinternals has a program called Rootkit Revealer that will find many rootkits. F-Secure, the company that initially talked with Sony BMG about the problems with XCP, has a beta program called Blacklight that can remove the offending software. And Microsoft's antispyware program considers the XCP software spyware and will attempt to remove it.
Sony will weather the storm, but this latest development in the "battle" between the sellers and buyers of copyrighted digital media may define how far companies can go to protect the products they sell. US-CERT, part of the Department of Homeland Security, issued an advisory on the XCP DRM software. New York, California and Texas are all involved in lawsuits against Sony BMG. Microsoft's antispyware program now treats the Sony BMG XCP program as spyware that needs to be removed. This battle is far from over, and the future of digital media distribution may be more clearly defined in the coming months.
