Sony BMG “rootkit” still widespread

Security Focus and Dan Kaminsky, principal security researcher, Doxpara Research report,

Hundreds of thousands of networks across the globe, including many military and government networks, appear to still contain PCs with the controversial copy-protection software installed by music discs sold by media giant Sony BMG, a security researcher told attendees at the ShmooCon hacking conference this weekend.

Further Dan Kaminsky stated in an interview noted in the article,

“It is unquestionable that Sony’s code has gotten into military and government networks, and not necessarily just U.S. military and government networks,” Kaminsky said in an interview after his presentation at ShmooCon. The researcher would not say how many networks belonged to government or military top-level domains.

As backup information,

Sony BMG uses two types of digital-rights management (DRM) software: the Extended Copy Protection (XCP) program created by First 4 Internet and the MediaMax program created by SunnComm.

Kaminsky’s research uses a feature of domain-name system (DNS) servers: The computers will tell whether an address has recently been looked up by the server. The security researcher worked from a list of 9 million domain-name servers, about 3 million of which are reachable by computers outside their networks. Kaminskly sent DNS requests to the 3 million systems, asking each to look up whether an address used by the XCP software–in this case,–was in the systems’ caches.

And to top it off …

While the security issues related to the copy-protection software have apparently affected U.S. government and military computers, the Department of Justice will not likely get involved, said Jennifer Granick, executive director of the Center for Internet and Society at Stanford Law School.

“I don’t see the federal government suing a big company like Sony,” she said. “The fact that military networks have likely been affected by this won’t change that.”

Now, I really have a bone to pick over this last part. Our tax dollars pay for those government and military networks — and — our tax dollars will also have to pay for the cleanup and mess left behind and the repercussions of those vulnerabilities as well. Why wouldn’t Sony, a non-US company, not have to do their fair share of that???


Tag Cloud

%d bloggers like this: