Sony's ill-fated decision to include rootkit-like copy-restrictions on some of its music CDs is prompting some companies to review whether they allow their staff to use personal CDs at work.
Andrew Yeomans, vice-president for global information security at investment bank Dresdner Kleinwort Wasserstein, told ZDNet UK that he is already assessing whether his firm needs to tighten up its controls. Last week, Trojan horses emerged that avoid detection by using the digital rights management (DRM) software that Sony ships on some of its audio CDs. That software uses the same techniques as rootkit malware to hide its files and processes from the user and from security tools, which makes it, and anything hiding behind it, particularly difficult to detect.
"I'm reviewing the autorun settings for music CDs, but not planning to ban their use," said Yeomans. "We certainly don't want arbitrary software to be installed."
Yeomans added that the bank cannot prevent all of its employees from running executable programs from a CD or download, because some users have to be given administrator rights to use certain applications, and those rights would let them override such restrictions.
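The two checks Yeomans describes, the AutoRun setting for CDs and who holds administrator rights, can be audited from a script. The following is an added example written for this page; it is not code from ZDNet, Sony, or Dresdner Kleinwort Wasserstein. It reads Windows Explorer's NoDriveTypeAutoRun policy value (a bit mask in which 0x20 is the CD-ROM drive type), optionally sets that bit, and then lists members of the local Administrators group against an allow-list. The -Fix switch and the $ApprovedAdmins list are assumptions for illustration; the registry path and bit layout are Microsoft's documented ones.

```powershell
<#
  Added example (not from the article or either bank).
  1. NoDriveTypeAutoRun: Explorer policy deciding which drive types may AutoRun.
     Bit 0x20 = CD-ROM/DVD. The XCP installer relied on AutoRun launching from
     the data session of an "enhanced" audio CD, so that bit is the one to check.
  2. Local Administrators membership: a user running as administrator can load a
     kernel-mode driver regardless of the AutoRun policy, so the two go together.
  Run from an elevated PowerShell prompt (Get-LocalGroupMember needs PS 5.1+).
#>
param([switch]$Fix)   # -Fix is an assumed switch name for this example

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$CdRomBit  = 0x20     # other bits: 0x04 removable, 0x08 fixed, 0x10 network, 0x40 RAM disk, 0x80 unknown
$ApprovedAdmins = @('Administrator', 'Domain Admins')   # assumed allow-list; edit for your site

function Get-AutoRunMask {
    # Returns the current policy mask, or 0 if the value is absent
    # (Explorer then falls back to its built-in default, which leaves CDs enabled).
    $prop = Get-ItemProperty -Path $PolicyKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 0 }
    return [int]$prop.NoDriveTypeAutoRun
}

function Test-CdAutoRunDisabled {
    param([int]$Mask)
    return (($Mask -band $CdRomBit) -ne 0)
}

function Set-CdAutoRunDisabled {
    param([int]$Mask)
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name NoDriveTypeAutoRun -Type DWord -Value ($Mask -bor $CdRomBit)
}

function Get-UnapprovedLocalAdmins {
    # Strips the "MACHINE\" or "DOMAIN\" prefix and reports anyone not on the allow-list.
    Get-LocalGroupMember -Group 'Administrators' |
        ForEach-Object { $_.Name.Split('\')[-1] } |
        Where-Object { $ApprovedAdmins -notcontains $_ }
}

# --- 1. AutoRun policy for CD/DVD drives ---
$mask = Get-AutoRunMask
Write-Host ("NoDriveTypeAutoRun = 0x{0:X2}" -f $mask)
if (Test-CdAutoRunDisabled -Mask $mask) {
    Write-Host 'AutoRun for CD/DVD drives: disabled'
} else {
    Write-Warning 'AutoRun for CD/DVD drives: ENABLED (an autorun.inf on a CD will be launched)'
    if ($Fix) {
        Set-CdAutoRunDisabled -Mask $mask
        Write-Host ("Set CD/DVD bit; new mask 0x{0:X2}, effective at next logon" -f ($mask -bor $CdRomBit))
    }
}

# --- 2. Who could override that policy anyway? ---
$extra = @(Get-UnapprovedLocalAdmins)
if ($extra.Count -eq 0) {
    Write-Host 'Local Administrators: only approved accounts'
} else {
    Write-Warning ('Local Administrators not on allow-list: ' + ($extra -join ', '))
}
```

Two caveats a practitioner would want alongside this. The Group Policy setting "Turn off Autoplay" writes the same value (0xFF for all drives, 0xB5 for CD-ROM and removable media), so a domain policy may overwrite a locally set mask; check both. And on the Windows XP systems of the article's era, setting NoDriveTypeAutoRun did not stop Explorer from parsing autorun.inf when a user double-clicked the drive icon; Microsoft later fixed that behaviour in a separate update (KB967715), so on unpatched machines the registry value alone is not a complete control.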
Richard Starnes, president of the Information Systems Security Association (ISSA), told ZDNet UK that other companies should consider whether they need a policy on CD use.
"This is certainly something that would trigger a review of policies. I would advise companies to review the situation," said Starnes.
"If it's solely a Sony issue, it is easier for a company to make a decision that it will not allow particular Sony CDs, but if it becomes widespread then it becomes difficult to decide what CDs are allowed or not allowed," added Starnes, who was speaking before Sony announced it had stopped producing CDs containing the rootkit-like software, called XCP.
Other companies have confirmed that they are also watching the situation closely.
"Something that can get in and hide itself would have the security people screaming their heads off," said the capacity manager at one major financial firm, who asked to remain anonymous.
"Up until now they thought that audio CDs are safe. I think that will change, and I wouldn't be surprised if every major bank changed their policy. The fact that this software can be used to hide other stuff means that the possibilities for getting at customer data are horrendous," he added.
Opposition to Sony's behaviour has been fierce, with threats of boycotts and even legal action.
Talkback
It's not the CD, it's the operating system that installs the rootkit. Sony's got no clear conscience here, both from the rootkit and from apparently violating copyright by stealing code, but let's call them as they are: the operating system should not be automatically installing rootkits.
DBY = Don't Buy SONY
yea yea, I look like an idoit, it should have been: DBS = Don't Buy SONY
idiot
Surely the review should be about allowing users default administrator access to their machines. If the reason this is done is that some software requires the user to run as administrator, then the review should include the use of that software.
We must take account of the extremely caustic nature of the environment in which we operate today; where any innocent looking email, web site or music CD could hide programs that will burrow into your machines' operating software and start taking actions on your behalf without your knowledge or permission.
If the user is running with administrator permissions, then this software is free to do what it will. You can't install rootkits unless you are running as administrator.
The simple and obvious response would be to do as is routine in Unix/Linux-land, and only allow the user basic permissions until they are explicitly needed... and only grant those permissions for the actions that need them.
Bad application design is not such a reason.