It seems innocent enough.
A Sony BMG music CD bought at a Power Zone, when inserted into a computer, requires the Sony player be downloaded in order to play the music.
But the software also includes anti-piracy software and a “root kit” that secretly enables Sony to track usage and alter the computer’s operating system.
This surreptitious software allows hackers to access data stored on the computer and introduce viruses.
Military network analysts are assessing a possible security threat that could result if the software is installed on government computers, according to Tom Ryan, an information assurance manager with the 5th Signal Command based in Mannheim, Germany.
“It’s not so much [a threat] on the classified network because everything on it is already encrypted,” Ryan said. “But as far as [operational security], on the unclassified side it’s possible for somebody to pull down enough information to put together some really sensitive stuff.”
Ryan said that the command is about to install a security patch developed by the Defense Information Systems Agency.
“You have a certain amount of time to comply with installing those security patches,” Ryan said, adding that the current patch needs to be installed by Dec. 14.
About 2 million Sony BMG music CDs have been sold with the anti-piracy software embedded on the discs, which makes computers running Windows products more vulnerable to hackers.
The CDs, released under 52 different titles, install a program on Windows-based computers that limits the number of copies that can be made, such as is done with MP3 files.
Tim Madden, a spokesman for Joint Task Force Global Network Operations, a component of U.S. Strategic Command that oversees the operation and protection of military networks, downplayed the risk to Department of Defense computer security.
“It doesn’t pose any threat,” Madden said. “You can’t install [the software] because of security configurations on DOD computers.
“If somebody were to get [an affected CD] and put it on a government computer, it asks them to install [the software], but they can’t because they don’t have the permissions.”
When asked if someone could bring an infected computer from home and hook it up to a military network, Madden said, “there are a lot of ‘what ifs.’”
“This has not been an issue for DOD computers because of the blocks that have been put in place,” Madden said. “Whatever processes and procedures we may do to manage that is something we’re not going to talk about publicly.”
The Army and Air Force Exchange Service, which operates Power Zones and other stores that sell CDs, is offering customers a full refund for opened or unopened packages.
Army Lt. Col. Dave Accetta, a spokesman for AAFES Europe, said stores are complying with the Sony recall and pulling the affected CDs from their shelves.
“It is a voluntary recall, but we want to make sure customers are aware and are not placing computer systems at risk,” he said.
The software does not affect stereo equipment, just computers, according to Sony and AAFES.
Sony is being sued by the state of Texas, which contends that the electronics giant violated the state’s new spyware law.
“Sony has engaged in a technological version of cloak and dagger deceit against consumers by hiding secret files on their computers,” said Greg Abbott, the Texas attorney general.
Information on the recall and the software can be found at www.sonybmg.com. Click on “Information on xcp content protection.”
The Associated Press contributed to this report.