Can a CD-ROM carry hidden security threat?

minnetonka
Our parent organization has recently banned all personal and purchased CD-ROM's from our work area.  This includes purchased music CD's.  They claim that even a purchased commercial music CD can carry hidden security threats such as a virus, worm, trojan horse, etc.

We are laughing at this because it sounds as though someone just doesn't like the music several people play on their computer and dreamed this up.

I can understand the concern a personal CD might raise, but what about retail music CD's?

This will either give you a great laugh or will cause us to eat plenty of crow.
Thanks!
Pete Long, Technical Consultant

Commented:
Mmmm sounds unusual to me,

Though it's not impossible, it's highly unlikely a virus would be harboured on a commercial music CD, one burned at home then fair enough.

I think you have already hit the nail on the head, your employers don't want music in the workplace!

Still can you get the Internet Explorer Media Player to connect to the Radio??

Maybe a couple of weeks with the entire office tuned into "Death Metal FM" may force a policy rethink ;^)

Pete

Commented:
I guess if you don't like opera you could call that a virus.

Some music cd's will install software on the pc so you can play them, some admins don't like software being loaded by users, haven't heard of a virus coming from a real music cd......

Commented:
I think all the info is right here in the Question & comments.

There may be 1 or many reasons for the choice to ban all CD-ROM's, many a time anywhere in the world people have justified something by "Threat" although even if your organization actually legitimately believes their own reasoning (rather than perhaps having a negative outlook on music in the workplace) it's far easier to ban all CD's rather than police a half-there grey-area policy on different types of CD's.

Although, you can always argue, why not remove the CD/DVD drives, Floppy drives, Disconnect your internet services, and basically reduce your computer privileges to nothing to avoid the threat of "something" breaching security.
Perhaps this might slightly reduce your ability to do your job. ;-)

I think everyone can sit on either side of the fence and have a valid point on this issue. Maybe you should bring USB data-keyrings or USB-HDD's etc to work and see what they say!

Ah well best of luck.

Commented:
> Title: Can a CD-ROM carry hidden security threat?

Yes. There have been recalls to that effect, including from the major players in the market.

> They claim that even a purchased commercial music CD can carry hidden security threats such as a virus, worm, trojan horse, etc.

True, but I am unaware of any.

>  it sounds as though someone just doesn't like the music several people play on their computer and dreamed this up.

I agree. However ..... people do understand purpose and use of headphones, don't they?

> I can understand the concern a personal CD might raise, but what about retail music CD's?

As I agreed with you above, there should not only be less concern, but I am unaware of anything on the AP Wire about such an animal. But here are two things to consider, even though I am doubtful they have. The reason I am doubtful is that my company is prone to such a panic, and has not jumped yet.

One: There is a history here for shrinkwrap and virus going back to pre-CD days

a) The 'blank' empty, certified, preformatted supply came delivered in bulk with virus installed (on a blank? yep)

b) There are a number of newer companies getting involved in the production process. Consider that they may have an infected PC being used that is a part of the production process, which can infect a disk version of the CD being copied. There are other companies, such as WalMart, that are imposing a transparent adjustment (censorship) of some music, and you cannot tell by looking at the label, only by listening to a version from somewhere else. Now let me ask you in turn, what is it that they used to modify the original music, to replace it with their sanitized version? Is there a place in production where infected PC can infect the process, thus mass producing the bugger? Sh-h-h, they won't tell, and they've probably already laid off the techies who were helping them engineer initially, to save money, so probably they cannot answer that either.

> This will either give you a great laugh or will cause us to eat plenty of crow.

Initially a laugh, but ending with a :-((

The network should already have plenty of defenses built in to quickly contain any such critter. So even there, you end up with another slap in the face for your own tech support.  Yet I'd wager that your VIPs still have carefully phrased workarounds, so they can even abuse the firewall at will (which helps the known worms circumnavigate the globe)

Commented:
In review of above comments, some additional thoughts.

The anal part of my disposition tells me there is no room for anything personal in the workplace. So I don't want your music around, especially when you sing-a-long to what I cannot hear clearly, or are unresponsive when I ask you a question. But those are separate issues, to the more friendly me. As long as you are attentive and productive, what do I care? For other anal types, who like to throw people out the door onto the street in due haste, what can they do when person asks: "but my personal things, picture of pet, CDs, ..." a quick answer has been: "your coworker will pack" or: "you weren't supposed to bring anything in that is personal, tough luck." :-((

> Still can you get the Internet Explorer Media Player to connect to the Radio??

Now if your company is really responding to technical threats, they first should have blocked radio, real-audio etc as being too detrimental to throughput and work.  Now with both IE and Media Player having so many vulnerabilities, it is quite possible that they are so swamped with upgrades that they are looking for ways to make it easier, and one way could be to just nix the media player itself, if only to give your platforms more stability and help keep the other applications running.  Expect that kind of panic for another few weeks, if not a couple months, according to my tech weanies.
This is simple...

Ban personal CDs... but how do you monitor this? Can a quick glance at someone inserting a CD really let you know if it is actually a retail music cd or a cleverly disguised personal CD with viruses galore? NO. So the answer is to ban all CDs, no more worries, if you see someone inserting a CD, then they are to be dealt with.

Author

Commented:
I am really appreciative of all your comments on the cause of this policy.  I didn't see a comment block to go with the accepted answer, so will make a few here before closing the question.  

There's clearly no stand-out concrete answer to this, but SunBow's remark, "Yes. There have been recalls to that effect, including from the major players in the market" is what stood out the most (even if no specifics). I work in a secure government environment where paranoia has been high since the advent of CD-RW's several years ago. In addition to our local IT policies, we have other policies from a different location which is where the recent ban on "personal music CDs" came from, with the rationale that they constitute a security threat.

Chaddupuis' comment makes sense, but we've already had a ban for years on bringing in any personal floppies, zips, or homemade CDs, and any recordable media is issued with inventory numbers and descriptions.  Troppix is right, but our computers block any .exe or similar from being downloaded.  And, HA! we are also getting USB HDD's!   Go figure . . .

Neither our local techs nor anyone else in our office could figure out how a commercially produced read only CD could fall into this category, but I have more confidence in the information I find here because the EE Community is so large and diverse.

I too have thought about how ironic it is that we still have the Windows Media Player which is fully operational, except for the radio portion.  But we can't have "real" radios in the office anyway so the music CDs were our only outlet.  

I have been thinking I was lucky because I had already copied most of my music to the Media Player, but from your remarks, I now realize that's likely to hit the wall too.   I want my "Earth X!"  Gawd help us if we start hearing those solo sing-alongs!

One last irony:  we just discovered information about data fragments that get saved on a less sensitive document that gets e-mailed somewhere else.  The article focuses on Word in particular and as of October, we are having all our non-MS software stripped from the computers to create a more "standard" environment.  I think I'll open a new question on that one because nobody in computer support has heard of that one either!

If I hear anything more specific on the CD issue, I'll let you know.  Thanks!

Commented:
Thanx.                                                                 -[Good Fortune]-

Commented:
>  I work in a secure                 environment where paranoia has been high

Same here. But even in government there are definitive policies to permit personal use (limited) and stress relief, etc.  While those who get paranoid here are also claiming friendly, there remains a looseness on CDs, many homegrowns likely floating around, policy or naught. I hadn't thought of it before, but maybe there is a little trust after all.

If they are really freaky-ed out on music CD virus, and that is all there is to it, it would be very simple to have a little old PC set aside to do a little simple virus scan on any media brought in, as it'll always be brought in whether you see it or not.

I'd consider the main vulnerability (outside of media player) to be where someone more independent like Walmart, makes up an entire batch of infections. Usually that kind of a thing would be found out before long, and any older CDs would fairly well be certified, simply for lifespan. A question could arise, that when you are listening, the boss cannot see the label of the CD you are listening to.

But I think that in the end, my analysis is that not only does this policy show increase in distrust over their employees, but increase in distrust over their own security methods. Sad. :-(

[btw - concerning latest paranoia, there's a story of pending arrest in Blaster case, of an 18 year old NW US]
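
Added example, not part of the thread and not any poster's code: a triage check of the kind a set-aside scanning PC could run before a disc goes into a work machine, covering the earlier point that some music CDs install software. It assumes the disc's data session is mounted at a path, and it reports Windows AutoRun targets and executable content rather than detecting specific malware; the function names and the sample disc are constructed for illustration.

```python
import os
import tempfile

# File types that can run code on insertion or on double-click.
EXEC_EXTS = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".msi", ".pif"}

def parse_autorun(path):
    """Return the open=/shellexecute= targets from an autorun.inf file."""
    targets = []
    with open(path, "r", errors="replace") as fh:
        for line in fh:
            key, sep, value = line.strip().partition("=")
            if sep and key.strip().lower() in ("open", "shellexecute"):
                targets.append(value.strip())
    return targets

def triage_disc(root):
    """Walk a mounted disc and report autorun targets and executable content."""
    report = {"autorun": [], "executables": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if name.lower() == "autorun.inf" and dirpath == root:
                report["autorun"] = parse_autorun(full)
                continue
            with open(full, "rb") as fh:
                is_pe = fh.read(2) == b"MZ"  # DOS/PE header, whatever the extension
            if is_pe or os.path.splitext(name)[1].lower() in EXEC_EXTS:
                report["executables"].append(rel)
    report["executables"].sort()
    report["verdict"] = "hold" if report["autorun"] or report["executables"] else "pass"
    return report

def build_sample_disc(root):
    """Constructed sample: a music disc whose data session carries a player."""
    os.makedirs(os.path.join(root, "player"))
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\nopen=player\\start.exe\nicon=disc.ico\n")
    with open(os.path.join(root, "player", "start.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 62)
    with open(os.path.join(root, "player", "skin.dat"), "wb") as fh:
        fh.write(b"MZ\x90\x00")  # executable header behind a data extension
    with open(os.path.join(root, "liner_notes.txt"), "w") as fh:
        fh.write("Track listing\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as disc:
        build_sample_disc(disc)
        print(triage_disc(disc))
```

A "hold" verdict only means the disc carries something that can execute and should go to a full antivirus scan; a disc with audio tracks alone exposes nothing for this walk to flag.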

Commented:
..also suppose, a CD may not have music, despite label. My take is ... so what? Suppose an airplane falls on your head. Suppose it fall on your CDROM. You just do the best you can to get by. Maybe, rent a DVD and watch it instead ;-)
