Wednesday, November 16, 2005

Sony vs. piracy: Sony disqualified

At the end of October, a nice article by Mark Russinovich of SysInternals caught my eye at Mark's blog: it revealed that a rootkit was present on his system, as shown by Rootkit Revealer. After some digging with a few of SysInternals excellent tools, it appeared that the rootkit was actually a DRM protection scheme called XCP from First 4 Internet, installed by a CD that Mark had bought from Amazon. The DRM system that Sony was using on that CD installed an application on the (Windows) system that protected both the CD itself and the software player included on it. This 'application' really was a rootkit, and a very poorly written one at that too. It was actually pretty trivial to crash the system with the rootkit installed, and there was no uninstall option, or any mention of it in Sony's EULA.

Barely a week after Mark posted this on his blog, it generated an outcry that the mainstream media picked up on. Subsequently, Sony released a 'removal tool' for the rootkit, along with a message that claimed the rootkit wasn't really dangerous to your system and did not create any security issues when it was installed. Besides the fact that this was complete bullshit (having something hide all files and folders starting with '$sys$' is not dangerous? hah!), their 'patch' updated most of the existing DRM software already present, and uninstalled the rootkit improperly, possibly leading to system crashes. Also, the music player on the Sony CD's was phoning home to its server, which is not in the EULA either. Sony denied this.

So a few days later, Sony released the patch and announced it to the press only. Most customers still had no idea there was a rootkit on the Sony CD's, and even if they did know, it was pretty hard to get the uninstaller at all, requiring two confirmation emails, allowing an unsafe ActiveX control and using a link to download the thing that is unique to your system only.

This complete saga has led to quite a few results, among which:

And finally, today Sony published a public message on their Sony BMG website about the 'XCP content protection technology', providing a direct link to the patch that uninstalls the rootkit. And leaves the ActiveX control behind. Which has some pretty devastating code in it.

While they originally still refused to call back any of the CD's with the XCP rootkit, they have now decided to turn around and recall the CD's and offering rootkit-free swaps. They also decided to stop making any new CD's with the XCP rootkit.

For your reading enjoyment, here are the excellent posts Mark has written on his blog:
  1. Oct 31: Sony, Rootkits and Digital Rights Management Gone Too Far
  2. Nov 04: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
  3. Nov 06: Sony’s Rootkit: First 4 Internet Responds
  4. Nov 09: Sony: You don’t reeeeaaaally want to uninstall, do you?
  5. Nov 14: Sony: No More Rootkit - For Now
  6. Nov 16: Victory!

Oh, and on a final note, here are the one-line commands to disable the rootkit and the ActiveX control. You can enter them in the Run dialog (Start > Run):

cmd /k sc delete $sys$aries (followed by a reboot)
cmd /k del "%windir%\downloaded program files\codesupport.*"

And remember: the SHIFT key is your best friend! (Though I won't directly say for what it can be used. Might get sued for that.)

Tuesday, November 08, 2005

How to protect yourself from the Internets

The Internet is no longer what it used to be back when I started using it (roughly 1995). While this is good in some ways (more information that is easier to find), there's list of bad things so long it would make Al Gore wish he never invented the Internet. I frequently get emails asking me what the best way is to safely use the Internet, and most importantly, surf the web (yes, the WWW is actually a subsection of the Internet).

There are loads of entry points into a common Windows system that could allow a hacker to take control of your system, crash or reboot the system, or steal data. However, these can mostly be divided into a these groups:

  • Vulnerabilities in Windows or its components
  • Vulnerabilities in Internet-enabled programs
  • Default or bad configurations
  • User error or ignorance

I will discuss each of these to the best of my knowledge below.

Vulnerabilities in Windows or its components
Pretty often, vulnerabilities are discovered in Windows that can allow an attacker to do pretty much everything to your system, while it varies from simple things as stealing cookies to complete remote control. While tempting, this is not purely caused by bad programming on Microsoft's part: Windows is simply used by so many consumers, businesses and even governments that hackers just go for the largest common denominator. After all, the more you use a program, the faster you'll find errors in it. Microsoft has monthly patch security bulletins, in which they release any hotfixes for vulnerabilities of that month. The best way to stay on top of these is to simply on Automatic Updates, which is available natively for Windows 2000 and newer, and available seperately for Windows 98 and newer.
Solution: install security patches, turn on Automatic Updates

Vulnerabilities in Internet-enabled programs
Besides the basic flaws, there are also vulnerabilities in other programs. The most common one is probably Internet Explorer, which has several standing vulnerabilities which can cause your system to be infected with adware, spyware or worse by simply visiting a website. Due to the model Microsoft uses for its software, security may not come in first! Best is to use a different browser for your surfing habits: Mozilla FireFox and Opera are very good browsers that may not have won the browser wars, but make very good alternatives. While Internet Explorer is a major point of attack, file sharing (P2P) programs, email clients and instant messaging programs are the most commonly targeted. For servers, any web services are also frequently targeted. To counter this, always make sure you have the latest version of any programs that use the Internet or act as a server, and shutdown any that you don't use or need. Don't accept or run files from people you don't know over P2P, email or IM, and always have an antivirus program running that scans all files you download or receive. More importantly, if you use antivirus and/or antispyware, make sure they have the latest definitions so they'll be able to detect and delete any threats. Run weekly or monthly full-system scans with both to make sure your system stays clean. Run a firewall so you'll be able to block Internet access to a program that is partially vulnerable or outdated.
Solution: Don't use Internet Explorer. Update old programs, use a firewall, up-to-date antivirus and antispyware

Default or bad configurations
Early on in their rise, Microsoft decided to put user-friendlyness before security, sometimes setting up default configurations for programs like IIS that were insecure. While this does not happen that often, it is something to look out for. Like mentioned before, shutdown any services or programs that you do not need or use. Make sure you properly configure any Internet-enabled programs when you install them, and look up information on the web about securing such programs if you are not sure.
Solution: Properly customize programs, ask for help or search the web for help

User error or ignorance
After all the above, which mostly involves things you can't do anything about, there's always yourself or the people around you. I can't count the amount of emails I have received that started off with 'my son installed something on the computer last week...' and end up in a horrible spyware infestation. Make sure you and your peers know what is right and wrong online, look up information on a program before using it to see if it bundles any programs and functions properly. Don't trust everyone out there, as it is fairly simple for people to try and trick you into running a file, visiting a website or giving them private information. Phishing scams are on the rise and are very dangerous: someone will portray himself as a bank and ask for your account password, for example. Don't be fooled!
Solution: Don't trust everyone, use common sense, educate yourself and others

That's it for now. I'll add stuff later on when I think of anything I could have forgotten.