I must confess to rarely being surprised at what happens in the IT security business, but I was amazed to read this week about Sony - home of the rootkit fiasco - admitting to a security flaw on its USB sticks.
Yes folks, it seems that software bundled with the fingerprint-reading versions of the MicroVault USB stick uses virus-like techniques to create hidden directories on users' hard drives.
The bad news is that, once loaded, the software can be hijacked by hackers to create hidden malware-laden directories that fail to be recognised by all conventional IT security software.
Sony is pointing an accusing finger at FineArt Technology, a Taiwanese firm that developed the MicroVault software for the company, but I strongly suspect that the firm did exactly what Sony asked it to.
A spokesperson for Sony is quoted as saying that "while relatively small numbers of these models were sold, we are taking the matter seriously and conducting an internal investigation."
"No customers have reported problems related to situation to date." That's not the point, Sony. It's a security failure in the design of the software that you should have identified before shipping it to unsuspecting punters.
And as for trying to shift the blame on to a remote Taiwanese company? Well, that's almost as bad as architecting the security problem into your USB sticks in the first place.
And if the USB stick vulnerability sounds familiar, it's because it's remarkably similar to a "flaw" discovered on Sony BMG music CDs in 2005, which led to a widespread recall of discs and lawsuits being issued against the music label.