Sony versus F-Secure

Yet another development in the Sony DRM saga. Looks like Sony might have moved rather slowly after they were first alerted to a serious risk to consumer safety. BusinessWeek has a fascinating update called “Sony BMG’s Costly Silence”:

Sony BMG is in a catfight with a well-known computer-security outfit that became aware of the software problem on Sept. 30 and notified the music company on Oct. 4 — nearly a month before the issue blew up. F-Secure, a Finland-based antivirus company that prides itself on being the first to spot new malware outbreaks, says Sony BMG didn’t understand the software it was introducing to people’s computers and was slow to react.

“If [Sony] had woken up and smelled the coffee when we told them there was a problem, they could have avoided this trouble,” says Mikko H. Hypponen, F-Secure’s director of antivirus research.

Sony BMG officials insist that they acted as quickly as they could, and that they expected to be able to go public and offer a software patch at the same time. However, Russinovich posted his blog item first, forcing Sony BMG to scramble to contain the crisis.

Indeed, I think it fair to say Sony BMG’s response was scrambled. To make matters even worse, the Attorney General in New York very recently found the rootkit still being sold on music shelves in his state. More from BusinessWeek:

Spitzer’s office dispatched investigators who, disguised as customers, were able to purchase affected CDs in New York music retail outlets — and to do so more than a week after Sony BMG recalled the disks. The investigators bought CDs at stores including Wal-Mart (WMT), BestBuy (BBY), Sam Goody, Circuit City (CC), FYE, and Virgin Megastore, according to a Nov. 23 statement from Spitzer’s office.

This is not only a “cautionary tale for other entertainment companies hoping to make use of copyright-protection software” but a horrifying lesson in how NOT to handle incident response.

My question is why Wal-Mart, BestBuy, SamGoody, Circuit City, FYE and Virgin Megastore are not taking action. Are they liable for selling known malware from their shelves? I mean if you are a retailer and you get a notice (or read the news, for pete’s sake) that something is harmful to consumers, are you at fault if you keep selling it?

“It is unacceptable that more than three weeks after this serious vulnerability was revealed, these same CDs are still on shelves, during the busiest shopping days of the year,” Spitzer said in a written statement. “I strongly urge all retailers to heed the warnings issued about these products, pull them from distribution immediately, and ship them back to Sony.”

Do not go gentle into that good night

By Dylan Thomas (1914-1953)

Do not go gentle into that good night,
Old age should burn and rave at close of day;
Rage, rage against the dying of the light.

Though wise men at their end know dark is right,
Because their words had forked no lightning they
Do not go gentle into that good night.

Good men, the last wave by, crying how bright
Their frail deeds might have danced in a green bay,
Rage, rage against the dying of the light.

Wild men who caught and sang the sun in flight,
And learn, too late, they grieved it on its way,
Do not go gentle into that good night.

Grave men, near death, who see with blinding sight
Blind eyes could blaze like meteors and be gay,
Rage, rage against the dying of the light.

And you, my father, there on the sad height,
Curse, bless me now with your fierce tears, I pray.
Do not go gentle into that good night.
Rage, rage against the dying of the light.

Actiontec UDP ports 517 and 518

Responded to an odd incident tonight.

An admin noticed UDP ports 517 and 518 were reported as open on a linux system, but they knew of no services that were supposed to be attached to them:

    # nmap xx.xx.xx.xx -sU -p 500-520
    Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-11-28 23:20 PST
    Interesting ports on xx.xx.xx.xx:
    (The 19 ports scanned but not shown below are in state: closed)
    PORT STATE SERVICE
    517/udp open|filtered talk
    518/udp open|filtered ntalk

No services seemed willing to confess that they were using the ports flagged by the network scan:

    # netstat -tunap
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
    tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 5387/mysqld
    tcp 0 0 :::80 :::* LISTEN 5633/httpd2-prefork
    tcp 0 0 :::22 :::* LISTEN 5356/sshd
    tcp 0 0 :::443 :::* LISTEN 5633/httpd2-prefork

Monitored all traffic to the port via tcpdump, and saw no unusual UDP packets. Tried to establish communication with the listener, but it instantly closed the connections. Did a quick rootkit check and looked for signs of hidden processes, trojaned binaries, etc. on the system but it came back clean. Considered doing a signature match on the binaries themselves, but then had a hunch that a network device might be at fault.

Swapped out an Actiontec GT701-WG with a Cisco 678 and sure enough, the ports closed:

    # nmap xx.xx.xx.xx -sU -p 500-520
    Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-11-28 23:36 PST
    All 21 scanned ports on xx.xx.xx.xx are: closed

Might be enough to finger-print the Actiontec’s of the world (scan Quest blocks for UDP 517/518). Also might be worth isolating the device to get a better idea of how broken/exposed it is, if it turns out enough people are still using these things.