SAN JOSE, Calif. -- Those cute video clips now circulating around enterprise desktops via e-mail, instant messaging...
or blogs could bring more harm than humor in the months ahead as the hacker underground eyes their potential.
That's because digital video content is expected to provide the next major opportunity for computer hackers, identity thieves and spyware vendors, according to two computer security experts.
Consultants Robert Baldwin and Kevin Kingdon told an 2006 RSA Security Conference audience earlier this month that video and audio content that bypasses firewalls and security software to play directly on a consumer's machine is particularly dangerous.
Furthermore, anti-piracy software embedded in the content may prevent copying, but it also prevents security scanning, thus allowing popular video codecs such as MPEG 2 and MPEG 4 to carry data as well as video and audio files. Therefore, executable programs can be embedded the content.
Currently, there are layers of protection built into video content. For example, most consumers go to one trusted source, such as their cable provider, for video content. But increasingly video files are being circulated from a variety of sources including the Internet, iPods and cellular phones.
"I would urge people to be as cautious about swapping video files as they are with floppy disks," Baldwin said. "The complexity of video is such that the opportunity for exploits are enormous."
That goes for enterprises, too. Things are also bound to get worse as video becomes more pervasive in the corporate environment, where clips are often used to jazz up sales and marketing presentations and to train employees.
For security technologies to scan video for malware, it needs to be able to read plain text. However, the anti-piracy software prevents anyone from looking at (and therefore copying) plain text. "The security and entertainment industries are fundamentally at odds on this issue," Baldwin explained.
Consumers can expect to see many of the similar exploits using video files that have appeared in e-mail and browser attacks in the past, according to Kevin Kingdon, chief security expert with Intellitrove Inc., a security consultancy in Hayward, Calif. These could include buffer overflows, files submitted in the incorrect order and manipulated packet information.
"With any of these exploits you can crash the player, and once its player is crashed you can exploit the box," said Kingdon.
However, knowing video will become a major threat vector, the industry is working on a number of remedies. First, the experts expect the number of video formats to consolidate, making it easier for vendors to concentrate on protecting the most popular formats. Second, trusted third-party video distributors such as Apple Inc.'s iTunes or Google Video must have ways to ensure that the files they transfer do not include malware. Third, security and content providers will need to develop a way to open the content to scanning for viruses and spyware without making it easy for people to copy the information.
In the meantime, the duo said, video exploits are likely to wreak as much havoc in computer security industry are spyware has in the past.