POLICY & PROCEDURE
MEMORANDUM
9203.00

Chief Information Officer

Effective Date
03/11/2002
Review Date
01/2006

1.0 SUBJECT: Downloading Music (MP3) Files

2.0 DISTRIBUTION: Department of Administration

3.0 FROM: Denise Moore, Chief Information Officer

4.0 PURPOSE: To advise Department of Administration employees of security risks associated with the use of MP3 files.

5.0 BACKGROUND: For some time, a number of computer users have used the internet to download music files (MP3 and others). This process consumes a significant amount of bandwidth, is not usually related to the conduct of State business, and nearly always constitutes copyright infringement.

The Department of Administration has received notice from NASCIO Security and consultants that virus authors are now distributing a utility that converts MP3 to .exe files. Security sources advise that both the Windows Media Player and the RealOne Player from RealNetworks are susceptible to the attack. The end result is a system that allows these malicious users to avoid anti-virus and anti-trojan software in order to first infect, then use systems for sending pornography or launching remote attacks, mostly Distributed Denial of Service (DDoS) against other users.

The infection takes place when an internet user visits a site to download some MP3 files. These files have code embedded within them to allow remote control of the computer to launch attacks, while the user is an unknowing accomplice.

The issue for system administrators is that a large portion of the bandwidth on some networks is already consumed by MP3 downloads, and the additional load of a DDoS attack will create latency problems across the network. Downloading MP3 files of copyrighted materials is a violation of the Digital Millennium Copyright Act and is also a violation of § 7.A. of the Department of Administration Security Policy.

6.0 PROCEDURE: Users should remove all MP3 files from all local and network drives. DISC Bureau of Customer Services will review routine electronic inventories of software installed on Department of Administration desktop computers. Software determined to be in violation of the security policy will be removed by Customer Services staff. Notification will be provided to the end user and their respective Division head prior to removal of the software.

In the event the MP3 file serves a legitimate business purpose, the user will complete form DISC-CSC-005, with written permission from the copyright owner, and forward to DISC Bureau of Customer Services.

7.0 HISTORY: This PPM was issued under Number 9203.00 effective 3/11/2002.

8.0 COMPLIANCE: Employees must comply with these policies and procedures. Failure to comply may lead to disciplinary action up to and including proposal for termination under K.S.A. 2949e(a)(3), careless, negligent or improper use of state property, and/or K.S.A. 2949f(r), grossly improper use of state property.

9.0 CONTACT PERSON: Deputy Director
DISC Bureau of Customer Services
785-296-4999
FAX: 785-296-6729