The Sony rootkit controversy opens our eyes to hidden threats

Dec 21, 2005 · 3 mins
Data Center | Security

Hidden threats to be on the radar in 2006

Lately I’ve been seeing the usual rash of reports that appear around this time of year indicating how many people continue to have reservations about shopping online. Such caution is not entirely unfounded, in light of the increased visibility given to issues such as spyware and risks to personal information privacy.

What has changed about this awareness in the past two months, however, is the sudden and alarming recognition that these risks aren’t limited to the malicious attacks by the bad guys.

Take, for example, the recent scandal involving Sony BMG and its use of CD copy-protection software. The software allegedly includes spyware as well as rootkit functionality and has thus far prompted actions from the attorneys general of Texas, Massachusetts, Illinois and Michigan, and class-action litigation at both the state and federal levels. This episode shows that we must now be awake to the threats posed by names we trust. It has shaken us because trusted names are part of the “us” in the “us vs. them” world view that, up to now, has shaped how many of us think about IT security.

One of the most troubling aspects of the Sony BMG case is the allegation that the copy-protection software in question uses techniques to hide some of its most worrisome functionality – techniques that allegedly could be used to hide other things as well. This has raised concerns regarding hidden threats – such as rootkits and kernel-level exploits – to a new level. Because of these concerns, you can expect to see defenses against rootkits, kernel-level attacks and other hidden threats play a larger role in the messages coming from security management vendors next year.

Even more disconcerting is the knowledge that this issue did not become widely known until experts such as Mark Russinovich discovered it. This raises the question: How many more similar threats exist that no one has yet discovered? That is yet another reason to expect hidden-threat revealers that look deeper than current solutions to emerge in force sooner rather than later. While it would be FUD-mongering to suggest that the number of such covert threats in the wild is huge, it is entirely possible, given how they operate, that there are more than we think there are.

If nothing else, the Sony BMG imbroglio has at least raised awareness about how hidden threats often get themselves installed: They may pose as something legitimate, or they may hide themselves in or alongside legitimate functionality. Security managers are doubtless capitalizing on the opportunity the Sony BMG case provides to drive home the point that trust without verification will fail sooner or later, and that enforcing protections against threatening behavior is the only reliable way to ensure that trust is warranted.

This suggests that the market for tools that do a more granular job than most of today’s trust enforcement technologies may be about to emerge, on multiple levels. From tools that go beyond techniques such as code signing, to strong authentication of a range of ordinarily trustworthy services, to solutions that take network policy enforcement down to the level of the individual host or port, high granularity in trust enforcement can be expected to be one of the more prominent security and IT risk management messages for 2006.