Almost two years after the Sony-BMG rootkit scandal, Sony is back on its stupid side. This time, instead of including a rootkit with a music CD, they are including a rootkit with…a security device. Yup, they sell you a fingerprint reader and part of the software that comes with it is…another Sony rootkit!
So…now, if you care about security and decide to buy a fingerprint reader from Sony, your security gets busted up. How’s that for a helping hand?
The Sony MicroVault USM-F fingerprint reader software that comes with the USB stick installs a driver that is hiding a directory under “c:\windows\”. So, when enumerating files and subdirectories in the Windows directory, the directory and files inside it are not visible through Windows API.
That comes from Mika Stahlberg, from F-Secure, who discovered the fun Sony is having cracking the security of users everywhere.
In other words, you need to use non-standard tools or a different OS, like Linux, to be able to see the directory that Sony’s software is protecting, but anybody who knows the name of the directory can write to it and execute stuff from it…so…if you write your cracking software so it sticks its files in the Sony-protected directory, you can be sure that most people will never be able to find it…how fun, huh?
So…what is Sony going to do about this one? And what are people going to do about it this time? Or the next time? Because I’m pretty damn sure that Sony is not going to learn; they’ll keep trying to pass stuff like this through, hoping that one day they’ll be able to get away with it and do only-$DEITY-knows what.
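The cross-view check implied above (a directory that another OS can see but the Windows API cannot), as an added example that is not part of the original post: it compares a `dir /s /b /a` listing taken on the live system with a `find` listing of the same volume mounted offline. The listings, the mount point and `HIDDEN_DIR_PLACEHOLDER` are constructed; the real directory name is not given here.

```python
from pathlib import PurePosixPath, PureWindowsPath

# Constructed sample listings; HIDDEN_DIR_PLACEHOLDER stands in for the real name.
LIVE_DIR_OUTPUT = r"""
C:\Windows\notepad.exe
C:\Windows\system32
C:\Windows\system32\drivers
C:\Windows\system32\drivers\example.sys
"""
OFFLINE_FIND_OUTPUT = """
/mnt/win/Windows
/mnt/win/Windows/notepad.exe
/mnt/win/Windows/System32
/mnt/win/Windows/System32/drivers
/mnt/win/Windows/System32/drivers/example.sys
/mnt/win/Windows/HIDDEN_DIR_PLACEHOLDER
/mnt/win/Windows/HIDDEN_DIR_PLACEHOLDER/unknown.bin
"""

def load_view(text, root, windows):
    """Parse one listing into a set of lower-cased paths relative to root."""
    cls = PureWindowsPath if windows else PurePosixPath
    view = set()
    for line in text.splitlines():
        if not line.strip():
            continue
        rel = cls(line.strip()).relative_to(cls(root))
        parts = tuple(p.lower() for p in rel.parts)  # Windows matches names case-insensitively
        if parts:  # skip the root entry itself (find lists it, dir /b does not)
            view.add(parts)
    return view

def hidden_roots(live, offline):
    """Paths on disk but absent from the API view, collapsed to the topmost entry."""
    missing = offline - live
    return sorted(p for p in missing
                  if not any(p[:i] in missing for i in range(1, len(p))))

def cross_view(live_text, offline_text,
               live_root=r"C:\Windows", offline_root="/mnt/win/Windows"):
    """Return the topmost paths the offline view has and the live view lacks."""
    live = load_view(live_text, live_root, windows=True)
    offline = load_view(offline_text, offline_root, windows=False)
    return ["\\".join(p) for p in hidden_roots(live, offline)]

if __name__ == "__main__":
    for path in cross_view(LIVE_DIR_OUTPUT, OFFLINE_FIND_OUTPUT):
        print("on disk but not visible through the Windows API:", path)
```

Files created or deleted between the two snapshots also show up as differences, so each hit needs a manual look before it is treated as hidden.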

Comments
This entry was posted on Tuesday, August 28th, 2007 at 4:11 pm and is filed under Security.







They never learn, do they?
Btw: I tend to classify the Windows WGA as a rootkit as well. Although I have official XP and Vista, I simply don’t want Redmond to know which other programs I’m using.
Did you know that even the logfiles were transmitted?
Nah, they never learn.
And I didn’t know about the logfiles getting transmitted…do you have any URL with info about what gets transmitted by WGA? I’d love to see that.
Moreover, connecting to Microsoft brings security issues for corporate networks, and privacy issues for everyone. It is also unclear which information is transmitted (Microsoft published an official answer, but an individual study brought some questions). All of that, along with the fact that Microsoft used deceptive ways to make you install this tool (you were told it was an urgent security update, whereas it is a new installation giving you no extra security), makes me call this tool spyware.
Check this search.
I absolutely agree that any software that phones home without the user’s *explicit* approval is a bad thing, whether it’s sending info or not (the MS people say that WGA Notify doesn’t send info, it just checks to get new config files…if somebody’ll believe them) and it shouldn’t be done.
And that’s one of the many reasons why I’m a Linux user…no program of mine calls home unless I tell it to call home. I have no problem with Mandriva knowing the settings of my computer…whenever I do a new install or a distro upgrade, I do submit my settings to their DB and it helps them make each version of Mandriva better…but it’s something you have to *explicitly* do, not something that happens behind your back.