Search  
You are here:  Articles    
Article Categories Minimize

Articles Minimize

Current Articles | Categories | Search

IN FOCUS: Vendors' Lax Security is Our Problem
Posted by SteveT on Thursday, January 31, 2008 :: Last Updated on Thursday, January 31, 2008:: Views 274

   

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Last week, I blogged about a rather shocking incident. It's shocking both because it even happened and because it continues to happen. The incident I'm referring to is that Best Buy shipped digital picture frames that contained a virus that was installed during the manufacturing process. Can you believe it? In this day and age, given all the focus put on computer security problems by nearly every media outlet in the world, Best Buy still shipped a product infected with a virus. There's no excuse for that whatsoever.

But Best Buy isn't alone in making such a gigantic mistake. Several other companies have faced heat for shipping products already infected with viruses. In August of 2007, Seagate Technology reportedly shipped a bunch of Maxtor Basics Personal Storage 3200 devices with spyware that snoops around the system looking for passwords and then sends them to an external site over the Internet. For more information about the Seagate Technology incident, go to
www.seagate.com/www/en-us/support/downloads/personal_storage/ps3200-sw
(http://ct.email.windowsitpro.com/rd/cts?d=33-1843-803-202-5219-141780-0-0-0-1-2-207.

In September of 2007, Apple shipped some of its hugely popular video iPods with the RavMon worm. (For more information, go to www.apple.com/support/windowsvirus (http://ct.email.windowsitpro.com/rd/cts?d=33-1843-803-202-5219-141781-0-0-0-1-2-207) Apple then had the audacity to state that "As you might imagine, we are upset at Windows for not being more hardy against such viruses, and even more upset with ourselves for not catching it." Talk about shifting the blame! Wow. To Apple I would say, "just own up to your catastrophic mistake and leave it at that."

Also in September of 2007, German manufacturer Medion reported that several of its ALDI laptops were infected with the Stoned.Angelina boot-sector virus. In case you didn't know, variants of the Stoned virus have been floating around for more than a decade, so it's amazing that a variant of it found its way onto a new laptop direct from the factory.  To read Medion's bulletin (translated from German to English via Google), go to
http://translate.google.com/translate?u=http%3A%2F%2Fwww.medion.de%2Fpopup_md96290.htm&langpair=de%7Cen&hl=en&ie=UTF-8 
(http://ct.email.windowsitpro.com/rd/cts?d=33-1843-803-202-5219-141782-0-0-0-1-2-207.

In January of 2007, TomTom International admitted that it shipped several of its TomTom GO 910 GPS units with an unnamed virus. The affected units were manufactured between September and November of 2006. You can read more about the incident at
www.tomtom.com/news/category.php?ID=2&NID=349&Language=1
(http://ct.email.windowsitpro.com/rd/cts?d=33-1843-803-202-5219-141783-0-0-0-1-2-207).

If that weren't enough already, in 2005, Creative shipped several thousand Zen Neeon digital audio players that contained a variant of the Wullik mass-mailing worm. You can read about that fiasco (translated from Japanese to English via Google) at
http://translate.google.com/translate?u=http%3A%2F%2Fjp.creative.com%2Fcorporate%2Fpressroom%2Freleases%2Fwelcome.asp%3Fpid%3D12173&langpair=ja%7Cen&hl=en&ie=UTF-8
(http://ct.email.windowsitpro.com/rd/cts?d=33-1843-803-202-5219-141784-0-0-0-1-2-207).

Even big shots such as IBM have made the same mistake. In 1999, the company revealed that several of its Aptiva 2158 laptop systems were shipped with the CIH virus, which later became more commonly known as the Chernobyl virus. You can read IBM's admission at
www.pc.ibm.com/partner/us/ssg/2b7e.html
(http://ct.email.windowsitpro.com/rd/cts?d=33-1843-803-202-5219-141785-0-0-0-1-2-207).

There are probably several other companies that have made similar mistakes, but the seven companies I've listed here are more than enough to make one think (possibly in disgust) about just how terrible the security practices of these major companies really are. They obviously didn't take security seriously enough, if they even considered it at all.

The ramifications of their oversights could have been enormous. Imagine a hiker using a TomTom GPS unit to navigate in the wilderness, only to find that the device was giving out bogus coordinates. Or imagine a doctor using an Aptiva or ALDI laptop that suddenly started deleting patient records or important diagnostic results.

The lesson here is pretty clear. A vendor's lax security practices quickly become their customers' problem. Vendors need to have adequate security at all levels of their organizations, particularly those vendors who manufacture any type of electronic products.

Previous Page | Next Page

Donations Minimize

Find our site useful? Make a donation to show your support

Donate

logo_ccMC.giflogo_ccVisa.giflogo_ccDiscover.giflogo_ccAmex.gif

ArGoStuff Supporters

 

News from ArGoSoft Minimize
1 2 3 4 5

Mid-Summer Promotion - Mail Server .NET

We are launching mid-summer promotion with our Mail Server .NET. You can upgrade, or get a new license for $50.00 less until July 15 2008.

7/4/2008 9:36:35 AM
ArGoSoft Mail Server .NET v1.0.5.2

Mail Server

  • Added Available Updates checking. Of course, it will show up only after we release the next version... If new version is avialable, a link will be displayed on the bottom of the UI, suggesting to upgrade
  • "SMTP Log In" will be no longer be registered in the last login database, because it causes confusion when the web interface displays last login protocol;
  • Updated help files, now they reflect new Remoting services;

Web Interface

  • "Wiping" of trash folder now works. With each login, messages, located in the trash folder, and older than 3 days will be wiped out;
6/16/2008 8:45:05 AM
German Resources for Web Interface

Now we have a German translation of the web interface of Mail Server .NET! Thanks to Roland Bieri.

6/6/2008 10:50:26 PM
ArGoSoft Mail Server .NET v1.0.5.1

Mail Server

  • Fixed a bug from 1.0.5.0 - was impossible to add domain groups and domains from the UI;

Web Interface

  • Created a page for localized resource files. If you are willing to contribute your resources, we would be very thankful;
  • It turns out, major IMAP clients do not allow rename of the Inbox folder. They display localized name of Inbox, but an actual name of folder on the server stays "Inbox". Now the web interface will allow the same - you can specify the name of inbox, but it will be just a display name, how it will appear on the web interface. It will keep compatibility with IMAP clients;
  • CC and BCC headers on the Write Email page are now initially hidden.
  • When accessing the web interface initially, user will be prompted to enter default SMTP server address;
6/3/2008 11:43:33 AM
ArGoSoft Mail Server .NET v1.0.5.0

Web Interface

It is a major change, even though there are no significant changes in the "look and feel" of the web interface.

  • Now all the communication with mail server is performed via a remoting object, which is hosted in the mail server.
    • It allows to run the mail server and the web interface on separate computers;
    • Eliminates access right problems to directories and databases;
    • Web interface no longer requires SQL Server 2005 or SQL Server Express on the computer where it runs;
  • Something you've been asking for very long time! Now users can send out HTML messages
  • Almost entire text that appears in the UI is placed in resource files, allowing easy localization of string resources;
  • When going out, mail is relayd to mail server via SMTP, instead of going directly to outbox. It ensures, that all server plugins are called, and all server generated headers (including Domain Keys) are properly inserted;
  • Server and Domain Group administration temporarily are not available. We will be releasing new separate web application, which will be doing that. Currently, you still can use old version of web interface for administering server via web, old and new version can co-exist peacefully;

Mail Server

  • Now each account has No SMTP access flag, allowing to have "incoming only" accounts; Works only when SMTP authentication is enabled;
  • Optimized the load of Edit Domain Group box. In earlier versions it was taking long time, because that calculation of the usage was being performed at the box load. Now calculation will be not perfomed, unless user clicks Calculate Usage link;

Following changes are related to the major change of the web interface (see above):

  • Added remoting object, which is used to communicate with the web interface;
  • Added Default Content-Type field to users, allowing them to select in which initial state is the Compose Mail message body editor: plain text or HTML;
  • Now each user can select the name for their Inbox.  Useful when creating localized versions.
5/30/2008 11:18:43 PM

1 2 3 4 5

Protect Your Computer today withGet AVG Today

VB100


Home:ArGoStuff:Forums:Articles:Cyber Security Tips:FAQ:Downloads:Links
Copyright 2006-2008 by ArGoStuff Terms Of Use Privacy Statement