Archive for March, 2008

Electronic Gadgets Latest Sources of Computer Viruses

Thursday, March 13th, 2008

(AP) – From iPods to navigation systems, some of today’s hottest gadgets are landing on store shelves with some unwanted extras from the factory: pre-installed viruses that steal passwords, open doors for hackers and make computers spew spam.

Computer users have been warned for years about virus threats from downloading Internet porn and opening suspicious e-mail attachments. Now they run the risk of picking up a digital infection just by plugging a new gizmo into their PCs.

Recent cases reviewed by The Associated Press include some of the most widely used tech devices: Apple iPods, digital picture frames sold by Target and Best Buy stores, and TomTom navigation gear.

In most cases, Chinese factories — where many companies have turned to keep prices low — are the source.

So far, the virus problem appears to come from lax quality control, perhaps a careless worker plugging an infected music player into a factory computer used for testing, rather than organized sabotage by hackers or the Chinese factories.

It’s the digital equivalent of the recent series of tainted products traced to China, including toxic toothpaste, poisonous pet food and toy trains coated in lead paint.

But sloppiness is the simplest explanation, not the only one.

If a virus is introduced at an earlier stage of production, by a corrupt employee or a hacker when software is uploaded to the gadget, then the problems could be far more serious and widespread.

Knowing how many devices have been sold, or tracking the viruses with any precision, is impossible because of the secrecy kept by electronics makers and the companies they hire to build their products.

But given the nature of mass manufacturing, the numbers could be huge.

“It’s like the old cockroach thing: You flip the lights on in the kitchen, and they run away,” said Marcus Sachs, a former White House cybersecurity official who now runs the security research group SANS Internet Storm Center. “You think you’ve got just one cockroach? There’s probably thousands more of those little boogers that you can’t see.”

Jerry Askew, a Los Angeles computer consultant, bought a Uniek digital picture frame to surprise his 81-year-old mother for her birthday. But when he added family photos, it tried to unload a few surprises of its own.

When he plugged the frame into his Windows PC, his antivirus program alerted him to a threat. The $50 frame, built in China and bought at Target, was infected with four viruses, including one that steals passwords.

“You expect quality control coming out of the manufacturers,” said Askew, 42. “You don’t expect that sort of thing to be on there.”

Security experts say the malicious software is apparently being loaded at the final stage of production, when gadgets are pulled from the assembly line and plugged in to a computer to make sure everything works.

If the testing computer is infected — say, by a worker who used it to charge his own infected iPod — the digital germ can spread to anything else that gets plugged in.

The recent infections may be accidental, but security experts say they point out an avenue of attack that could be exploited by hackers.

“We’ll probably see a steady increase over time,” said Zulfikar Ramzan, a computer security researcher at Symantec Corp. “The hackers are still in a bit of a testing period; they’re trying to figure out if it’s really worth it.”

Thousands of people whose antivirus software isn’t up to date may have been infected without even knowing it, experts warn. And even protective software may not be enough.

In one case, digital frames sold at Sam’s Club contained a previously unknown bug that not only steals online gaming passwords but disables antivirus software, according to security researchers at CA Inc.

“It’s like if you pick up a gun you’ve never seen before. Before you pull the trigger, you’d probably check the chamber,” said Joe Telafici, vice president of operations of McAfee Avert Labs, the security software maker’s threat-research arm.

“It’s an extreme analogy, but it’s the right idea. It’s best to spend the extra 30 seconds to be sure than be wrong,” he added.

Consumers can protect themselves from most factory-loaded infections by running an antivirus program and keeping it up to date. The software checks for known viruses and suspicious behaviors that indicate an attack by malicious code, whether from a download or a gadget attached to the PC via USB cable.

The AP contacted some of the world’s largest electronics manufacturers for details on how they guard against infections, among them Hon Hai Precision Industry Co., which is based in Taiwan and has an iPod factory in China; Singapore-based Flextronics International Ltd.; and Taiwan-based Quanta Computer Inc. and Asustek Computer Inc. All declined comment or did not respond.

The companies whose products were infected in cases reviewed by the AP refused to reveal details about the incidents. Of those that confirmed factory infections, all said they had corrected the problems and taken steps to prevent recurrences.

Apple disclosed the most information, saying that the virus that infected a small number of video iPods in 2006 came from a PC used to test compatibility with the gadget’s software.

Best Buy, the biggest consumer electronics outlet in the U.S., said it pulled its affected China-made frames from the shelves and took “corrective action” against its vendor. But the company declined repeated requests to provide details.

Sam’s Club and Target say they are investigating complaints but have not been able to verify that their frames were contaminated.

Legal experts say that manufacturing infections could become a big headache for retailers that sell infected devices and the companies that make them, if customers can demonstrate that they were harmed by the viruses.

“The photo situation is really a cautionary tale. They were just lucky that the virus that got installed happened to be one that didn’t do a lot of damage,” said Cindy Cohn, legal director for the Electronic Frontier Foundation. “But there’s nothing about that situation that means next time, the virus won’t be a more serious one.”

Source — CNN

FBI Abuse of Investigative Tool Continued In 2006

Thursday, March 13th, 2008

WASHINGTON (CNN) – The FBI continued in 2006 to badly mishandle letters that it uses to obtain personal records without a court order, according to a Justice Department report released Thursday.

The new report cites “issuance of NSLs [national security letters] without proper authorization, improper requests and unauthorized collection of telephone or Internet e-mail records due to FBI errors or mistakes made by NSL recipients.”

But a top department official said significant progress has been made in the past year toward correcting those errors.

Inspector General Glenn Fine said it’s too soon to tell if the problems will be eliminated.

Thursday’s report came a year after Fine’s first report on national security letters, which the FBI issues to third parties to get information on individuals — such as telephone, e-mail and financial records — in connection with terrorism or spy investigations.

The original report, which covered 2004 and 2005, found serious systematic failures by the bureau in its use of the letters.

Fine said it is no surprise that the latest report found continued violations in 2006, since that was before he issued last year’s stinging appraisal.

“The FBI and DOJ [Department of Justice] have made significant progress in implementing the recommendations contained in our first report and in adopting additional corrective measures to address the serious problems,” Fine said.

“However, several of the FBI’s and the department’s corrective measures are not yet fully implemented and it is too early to determine whether these measures will eliminate the problems with the use of these authorities,” he said.

The Justice Department and FBI were quick to latch onto Fine’s comments and praise the FBI for doing a much better job, but Democratic lawmakers were just as fast to pounce on the report as evidence of continued FBI failings.

“We are pleased with the Office of Inspector General’s positive assessment of the many actions taken by the Justice Department and FBI to improve oversight of the use of national security letters,” said spokesman Dean Boyd of the Justice Department’s National Security Division.

“Despite the low error rate we continue to strive for zero errors and we believe that the measures we have put in place will help ensure that,” an FBI statement said.

But Senate Judiciary Committee Chairman Patrick Leahy, a Vermont Democrat, promised to hold a hearing on the issue. The report, he said, “outlines more abuses and what appears to be the improper use of national security letters for years in a systemic failure throughout the FBI.”

And House Judiciary Committee Chairman John Conyers, D-Michigan, said, “At the same time the administration is trying to intimidate the Congress into giving it additional spying power, we find out yet again that it has abused its authority to pry into the lives of law-abiding Americans.”

The new report shows the FBI continued in 2006 to increase its use of the secret letters. The 49,425 requests represented a 4.7 percent increase over 2005.

In an accompanying report the inspector general said the FBI made 47 requests to the Foreign Intelligence Surveillance Court for warrants to pursue business records. All requests were approved.

The report, however, singled out one classified case in which the FBI was turned down by the FISA court, and pursued the matter anyway. Although the details were blacked out in the report, the inspector general said Congress was provided a classified version of the report, which contains the information.

Source — CNN