by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Last week, I blogged about a rather shocking incident. It's shocking both because it even happened and because it continues to happen. The incident I'm referring to is that Best Buy shipped digital picture frames that contained a virus that was installed during the manufacturing process. Can you believe it? In this day and age, given all the focus put on computer security problems by nearly every media outlet in the world, Best Buy still shipped a product infected with a virus. There's no excuse for that whatsoever.

But Best Buy isn't alone in making such a gigantic mistake. Several other companies have faced heat for shipping products already infected with viruses. In August of 2007, Seagate Technology reportedly shipped a bunch of Maxtor Basics Personal Storage 3200 devices with spyware that snoops around the system looking for passwords and then sends them to an external site over the Internet. For more information about the Seagate Technology incident, go to
www.seagate.com/www/en-us/support/downloads/personal_storage/ps3200-sw
(http://ct.email.windowsitpro.com/rd/cts?d=33-1843-803-202-5219-141780-0-0-0-1-2-207.

In September of 2007, Apple shipped some of its hugely popular video iPods with the RavMon worm. (For more information, go to www.apple.com/support/windowsvirus (http://ct.email.windowsitpro.com/rd/cts?d=33-1843-803-202-5219-141781-0-0-0-1-2-207) Apple then had the audacity to state that "As you might imagine, we are upset at Windows for not being more hardy against such viruses, and even more upset with ourselves for not catching it." Talk about shifting the blame! Wow. To Apple I would say, "just own up to your catastrophic mistake and leave it at that."

Also in September of 2007, German manufacturer Medion reported that several of its ALDI laptops were infected with the Stoned.Angelina boot-sector virus. In case you didn't know, variants of the Stoned virus have been floating around for more than a decade, so it's amazing that a variant of it found its way onto a new laptop direct from the factory.  To read Medion's bulletin (translated from German to English via Google), go to
http://translate.google.com/translate?u=http%3A%2F%2Fwww.medion.de%2Fpopup_md96290.htm&langpair=de%7Cen&hl=en&ie=UTF-8 
(http://ct.email.windowsitpro.com/rd/cts?d=33-1843-803-202-5219-141782-0-0-0-1-2-207.

In January of 2007, TomTom International admitted that it shipped several of its TomTom GO 910 GPS units with an unnamed virus. The affected units were manufactured between September and November of 2006. You can read more about the incident at
www.tomtom.com/news/category.php?ID=2&NID=349&Language=1
(http://ct.email.windowsitpro.com/rd/cts?d=33-1843-803-202-5219-141783-0-0-0-1-2-207).

If that weren't enough already, in 2005, Creative shipped several thousand Zen Neeon digital audio players that contained a variant of the Wullik mass-mailing worm. You can read about that fiasco (translated from Japanese to English via Google) at
http://translate.google.com/translate?u=http%3A%2F%2Fjp.creative.com%2Fcorporate%2Fpressroom%2Freleases%2Fwelcome.asp%3Fpid%3D12173&langpair=ja%7Cen&hl=en&ie=UTF-8
(http://ct.email.windowsitpro.com/rd/cts?d=33-1843-803-202-5219-141784-0-0-0-1-2-207).

Even big shots such as IBM have made the same mistake. In 1999, the company revealed that several of its Aptiva 2158 laptop systems were shipped with the CIH virus, which later became more commonly known as the Chernobyl virus. You can read IBM's admission at
www.pc.ibm.com/partner/us/ssg/2b7e.html
(http://ct.email.windowsitpro.com/rd/cts?d=33-1843-803-202-5219-141785-0-0-0-1-2-207).

There are probably several other companies that have made similar mistakes, but the seven companies I've listed here are more than enough to make one think (possibly in disgust) about just how terrible the security practices of these major companies really are. They obviously didn't take security seriously enough, if they even considered it at all.

The ramifications of their oversights could have been enormous. Imagine a hiker using a TomTom GPS unit to navigate in the wilderness, only to find that the device was giving out bogus coordinates. Or imagine a doctor using an Aptiva or ALDI laptop that suddenly started deleting patient records or important diagnostic results.

The lesson here is pretty clear. A vendor's lax security practices quickly become their customers' problem. Vendors need to have adequate security at all levels of their organizations, particularly those vendors who manufacture any type of electronic products.