Convicted Ukrainian hacker starts political party

Would you hire a former criminal hacker? Better question: would you elect a former criminal hacker to political office?

Credit goes to Brian Krebs over at the Washington Post's Security Fix blog for recognizing that Dmitri Ivanovich Golubov, a 24-year-old from Odessa, has started the "Internet Party of Ukraine." Golubov, whose hacker nickname is "Script," was arrested and even jailed in 2005 in connection with Carderplanet.com, a site that bought and traded credit and debit card credentials. After only six months in prison, Ukrainian politicians convinced a judge to set Golubov free.

What's really interesting, as Krebs points out, is that should Golubov gain a seat in the Ukrainian government, that position would grant him automatic immunity from prosecution for criminal activities under Ukrainian law.


MPs raise fears over data protection for national ID register

Repeated breaches of data protection laws by government departments raise huge question marks over plans for the national identity register required for ID cards and biometric passport, an influential parliamentary human rights watchdog has warned.

MPs and peers on the Lords and Commons Joint Committee on Human Rights said repeated losses of personal information by departments had increased their concern, and announced they "intend to take a close interest in the government's detailed proposals for the national identity register as and when they emerge."

In a hard-hitting report the committee insisted the privacy of personal data is guaranteed under the European Convention on Human Rights as well as the Data Protection Act. The report demands that detailed rules must in future be written in to all relevant primary legislation to "help ensure that data protection becomes a primary concern of managers and frontline staff in the public sector."

The committee listed 18 previous occasions where it had expressed concern at the lack of data protection provisions in government bills, including one creating the unified HM Revenue and Customs (HMRC) department - responsible for the 25 million child benefit records data loss last year - where it had flagged up the "inadequacy of safeguards relating to HMRC information sharing powers".

The committee questioned the role of justice minister Michael Wills, responsible for data protection and human rights issues - who said he was not personally responsible for ensuring other departments obey the law - insisting he must be more proactive.

The MPs were also surprised to discover government departments have senior officials designated as "human rights champions" about whom it had never heard.

Committee chairman Andrew Dismore said people had been shocked at the loss of child benefit data and demanded individual information should be treated "as sensitively and carefully as hard cash".

"The government must demonstrate that it appreciates the seriousness of what needs to be done," he said.

"The fundamental problem is a cultural one. There has been a rapid increase in the amount of data sharing in the public sector, which can be useful, important and necessary, but this has not been matched by the even more necessary strong commitment to safeguard the right to respect for privacy."


London Underground's Oyster Cards Cracked

Oyster cards, the high-tech RFID swipe cards used to gain access to the London Underground, have been pwned.

Pro crackers have unlocked the card's cryptography system, which turns out to be garbage of the "security through obscurity" order. Bruce Schneier asks, "when will people learn not to invent their own crypto?", a question which might be echoed by anyone else dumb enough to have licensed Mifare.

All the researchers had to do was examine the chip's conductive pathways, as one might do to an old arcade chip to get it emulated in MAME.

"The research team was able to obtain the card's proprietary encryption scheme by physically dissecting its chip and examining it under a microscope. They then photographed various levels of its circuitry and used optical recognition software to produce a 3D representation of the entire chip. By examining the logic gates in great detail, they were able to deduce the proprietary algorithm, which NXP dubs Crypto1."

Perhaps peer review won't be too hard for this particular paper, if dodgy market stall operators catch my drift.


Russian serfs paid $3 a day to break CAPTCHAs

Why should miscreants bother to develop cutting edge programming techniques when they can pay $3 to somebody to set up spam-ready webmail accounts on their behalf? Evidence has emerged that people as well as malware are being used to defeat CAPTCHAs, challenge-response systems that are often used to stop the automatic creation of webmail accounts by spammers.

CAPTCHAs typically help ensure that online accounts can't be created until a user correctly identifies letters depicted in an image. The tactic is designed to frustrate the use of automated sign-up tools by spammers and other miscreants.

Over recent months security firms have reported that first the Windows Live CAPTCHA used by Hotmail, and later the equivalent system at Gmail, have been broken by automated attacks.

Obtaining a working Gmail account has a number of advantages for spammers. As well as gaining access to Google's services in general, spammers receive an address whose domain is highly unlikely to be blacklisted, helping them defeat one aspect of anti-spam defences. Gmail also has the benefit of being free to use.

An analysis of spam trends in February 2008 by net security firm MessageLabs revealed that 4.6 per cent of all spam originates from web mail-based services.

The proportion of spam from Gmail increased two-fold from 1.3 per cent in January to 2.6 per cent in February, most of which spamvertised skin-flick websites. Yahoo! Mail was the most abused web mail service, responsible for sending 88.7 per cent of all web mail-based spam.

The idea that automated tools have been used by spammers to set up these webmail accounts has become, if not the conventional wisdom, then at least a working hypothesis in security circles of late.

However a senior engineer at Google has stepped forward to cast doubt on these reports.

Brad Taylor, a Google software engineer, said internal evidence suggests that low-paid laborers in third-world countries (rather than compromised PCs) are being used to register accounts that are subsequently used to send spam.

"You can see it is clearly done by humans," Taylor told the New York Times. "There are patterns in the rate we find bogus accounts, like at night time and when people get off work" in particular locations around the world.

Taylor conceded that software might be used to partially automate the process - with bots signing up for accounts before sending the puzzles to real people - but maintains that the CAPTCHA process remains effective.
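The time-of-day signal Taylor describes is something a webmail operator can measure directly: accounts that were later flagged as bogus are bucketed by the hour they were registered, and a flat, round-the-clock rate suggests automation while a profile clustered into a few evening hours suggests human shift work. The script below is an added illustration of that detection idea, not Google's or MessageLabs' code; the timestamps are constructed and the 0.75 threshold is an assumption picked to separate the two constructed samples, not a published figure.

```python
"""Hour-of-day profiling of flagged signups (added illustration, not Google's method)."""
from collections import Counter
from datetime import datetime
import statistics

# Constructed sample data: ISO-8601 registration times of accounts later flagged as bogus.
# "Human farm" sample: 28 registrations bunched into 19:00-21:59, plus two stragglers.
HUMAN_FARM_EVENTS = (
    [f"2008-03-12T19:{m:02d}:00" for m in range(0, 60, 6)]   # 10 in the 19h bucket
    + [f"2008-03-12T20:{m:02d}:00" for m in range(0, 60, 6)]  # 10 in the 20h bucket
    + [f"2008-03-12T21:{m:02d}:00" for m in range(0, 56, 7)]  # 8 in the 21h bucket
    + ["2008-03-13T03:10:00", "2008-03-13T03:40:00"]          # 2 stragglers at 03h
)
# "Bot" sample: one registration every hour, around the clock.
BOT_EVENTS = [f"2008-03-12T{h:02d}:30:00" for h in range(24)]


def hourly_profile(timestamps):
    """Return a 24-element list: number of flagged registrations per hour of day."""
    counts = Counter(datetime.fromisoformat(ts).hour for ts in timestamps)
    return [counts.get(hour, 0) for hour in range(24)]


def concentration(profile):
    """Coefficient of variation of the hourly counts.

    Close to 0 when registrations arrive at a steady, machine-like rate;
    large when they cluster into a few hours, as a human workforce's do.
    """
    mean = statistics.mean(profile)
    if mean == 0:
        return 0.0
    return statistics.pstdev(profile) / mean


def peak_hours(profile, top=3):
    """Hours (0-23) carrying the most flagged registrations, busiest first."""
    return sorted(range(24), key=lambda hour: -profile[hour])[:top]


def classify(timestamps, threshold=0.75):
    """Summarise a batch of flagged registrations and flag a shift-like pattern.

    The threshold is an assumed tuning value; a real deployment would calibrate
    it per region against known-human and known-bot batches.
    """
    profile = hourly_profile(timestamps)
    score = concentration(profile)
    return {
        "profile": profile,
        "concentration": round(score, 3),
        "peak_hours": peak_hours(profile),
        "human_shift_pattern": score >= threshold,
    }


if __name__ == "__main__":
    for label, events in (("human farm", HUMAN_FARM_EVENTS), ("bot", BOT_EVENTS)):
        result = classify(events)
        print(f"{label:10s} concentration={result['concentration']:.2f} "
              f"peaks={result['peak_hours']} shift-like={result['human_shift_pattern']}")
```

The point of the example is the shape of the signal rather than the particular statistic: any operator keeping registration timestamps for accounts that later sent spam can build the same 24-bucket profile and compare it, per source region, against what a steady automated registrar would produce.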

Google's contention that low-wage workers are being paid to break CAPTCHAs is supported by anecdotal evidence unearthed by Websense, which has been active in researching the issue over recent months. The firm found Russian language documents instructing modern day serfs on the art of CAPTCHA breaking.

"If you are unable to recognize a picture or she is not loaded (picture appears black, empty picture), just press Enter. In no case do not enter random characters! If there is delay in downloading images, exit from your account, refresh the page and go again," the documents, found on a website and translated into English, state.

The documents go on to say that CAPTCHA-busters are paid a minimum of $3 a day.

Even if miscreants need human involvement in breaking CAPTCHAs right now, this might not always be the case. The solutions to puzzles might be fed back to make CAPTCHA-busting algorithms smarter, MessageLabs warns. It said that focusing on whether miscreants are using an algorithm, a 'mechanical turk', or a combination of the two to break CAPTCHAs misses the bigger point: the approach no longer provides a reliable security mechanism to protect email services from abuse.


Guide: How to customs-proof your laptop

If you travel across national borders, it's time to customs-proof your laptop.

Customs officials have been stepping up electronic searches of laptops at the border, where travelers enjoy little privacy and have no legal grounds to object. Laptops and other electronic devices can be seized without reason, their contents copied, and the hardware returned hours or even weeks later.

Executives have been told that they must hand over their laptop to be analyzed by border police--or be barred from boarding their flight. A report from a U.S.-based marijuana activist says U.S. border guards browsed through her laptop's contents; British customs agents scan laptops for sexual material; so do their U.S. counterparts.

These procedures are entirely legal, according to court precedents so far. A U.S. federal appeals court has ruled that an in-depth analysis of a laptop's hard drive using the EnCase forensics software "was permissible without probable cause or a warrant under the border search doctrine." One lawsuit is seeking to force the government to disclose what policies it follows.

The information security implications are worrisome. Sensitive business documents can be stored in computers; lawyers may have notes protected by the attorney-client privilege; and journalists may save notes about confidential sources. Regulations like Sarbanes-Oxley, the Health Insurance Portability and Accountability Act, and Gramm-Leach-Bliley may apply. A 2006 survey of business travelers showed that almost 90 percent of them didn't know that customs officials can peruse the contents of laptops and confiscate them without giving a reason.

Fortunately, you have some technological defenses against overly snoopy border agents. Keep reading for our easy-to-understand, Homeland-Security-inspired, color-coded News.com Guide to Customs-Proofing Your Laptop. (And no, we're not responsible if you end up cooling your heels in some Burmese prison for using PGP; check local laws and use good judgment.)

Let's assume you've already backed up your files before traveling in case your laptop gets seized for an indefinite period of time. The next thing to know is that merely setting an account password is insufficient.

Unless you use encryption, a customs agent can simply remove your laptop's hard drive, plug it into another computer, and peruse its contents. There are plenty of programs, including Guidance Software's EnCase Forensic, that let police extract every bit of data possible from that hard drive.

To guard against that, you can set aside a section of your computer's hard drive to be encrypted. This is the simplest approach because only part of the disk is encrypted: the operating system itself and, in most cases, the applications you use remain unencrypted.

For Apple OS X users, FileVault does this by seamlessly scrambling the contents of your home directory (to enable, select the Security panel in Preferences and also click the "Use secure virtual memory" option). PGP sells volume encryption software for OS X and Windows. There's also the free TrueCrypt application, which runs on Windows Vista, Windows XP, OS X, and Linux.

Most people use encrypted volumes to do things like save sensitive files--think tax returns, bank and credit card statements, medical records, and so on.

But encryption isn't enough. Research published last month ("Lest We Remember: Cold Boot Attacks on Encryption Keys") demonstrates how encryption keys can be extracted from a laptop that's placed in sleep mode, because the keys are retained in RAM. The researchers haven't released the software to extract the contents yet, but it's not terribly difficult to write and you may not want to bet your privacy on government agencies being ignorant of this attack.

The solution is to let the contents of RAM decay by turning off your computer and letting it sit for a few minutes. A test the researchers did showed that, after five minutes, the memory contents had completely disappeared and could not be retrieved.

Turning off your computer is especially important for OS X users, at least until Apple patches a security glitch that keeps account passwords in RAM. In the default configuration, the account password is the keychain password and yields passwords to wireless networks, Web sites, accounts accessed via SSH, network-mounted volumes, etc.

There's more. You'll want to delete cookies and browser-stored passwords for Web sites. Erase the cache and Web browsing history. Securely delete files not protected by the encrypted volume so they can't be undeleted at the border. Here are still more tips.

Another problem is that if customs agents have physical possession of your laptop and you can't see what they're doing, they can install spyware. (They have the technical ability to do so; let's put aside for the moment in which circumstances they would have the legal authority to do so. Besides, in some non-democratic regimes, questions about due process are irrelevant.)

There are at least three cases in which the Feds have, with a court order, installed spyware on a suspect's computer. As encryption becomes more popular, so will the use of fedware. There may be no easy way to detect it--security software vendors generally say they will--short of booting off of a DVD or another trusted device and checking the operating system for tampering. Linux users can use a Knoppix CD or DVD for this.
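Booting from a trusted disc only helps if you have something to compare the installed system against. One practical way to do that is the check described here as an added example (it is not code from the article, and not a product feature): before travel, record a manifest of SHA-256 hashes for the directories you care about (system binaries, boot files, your browser's install) and store it on a medium that stays with you; after the laptop comes back, boot from the trusted disc, mount the internal drive read-only, and run the verify step against the saved manifest. Any file that is modified, added or missing is then a concrete lead rather than a hunch. Paths, file names and the temporary directory used in the demo are constructed for illustration.

```python
"""Baseline-and-verify file integrity check (added example; run from a trusted boot disc)."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large binaries don't have to fit in memory."""
    digest = hashlib.sha256()
    with Path(path).open("rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256.

    Symlinks are skipped deliberately: hashing their targets would let a
    planted link point the check at an unmodified file elsewhere.
    """
    root_path = Path(root)
    manifest = {}
    for path in sorted(root_path.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        manifest[path.relative_to(root_path).as_posix()] = sha256_file(path)
    return manifest


def verify_manifest(root, manifest):
    """Compare the current tree against a saved manifest.

    Returns sorted lists of files that are missing, newly added, or whose
    contents changed. An empty result on all three means the tree matches.
    """
    current = build_manifest(root)
    baseline_files, current_files = set(manifest), set(current)
    return {
        "missing": sorted(baseline_files - current_files),
        "added": sorted(current_files - baseline_files),
        "modified": sorted(
            p for p in baseline_files & current_files if manifest[p] != current[p]
        ),
    }


def save_manifest(manifest, path):
    """Write the manifest as JSON; keep this file off the laptop being checked."""
    with open(path, "w", encoding="utf-8") as handle:
        json.dump(manifest, handle, indent=2, sort_keys=True)


def load_manifest(path):
    with open(path, encoding="utf-8") as handle:
        return json.load(handle)


if __name__ == "__main__":
    # Self-contained demo on a constructed directory; in use, root would be the
    # mounted internal drive (e.g. its /usr/bin or System directory).
    demo = Path(tempfile.mkdtemp())
    (demo / "bin").mkdir()
    (demo / "bin" / "ls").write_bytes(b"original binary")
    (demo / "boot.cfg").write_text("kernel=vmlinuz\n")
    baseline = build_manifest(demo)
    save_manifest(baseline, demo / "manifest.json")  # in practice: on a separate USB stick

    # Simulate what a tampered system might look like after the laptop comes back.
    (demo / "bin" / "ls").write_bytes(b"original binary + implant")
    (demo / "bin" / "helper").write_bytes(b"dropped file")
    os.remove(demo / "boot.cfg")

    report = verify_manifest(demo, load_manifest(demo / "manifest.json"))
    for kind, files in report.items():
        print(f"{kind:9s}: {files}")
```

The manifest file itself must not live on the drive being verified (the demo writes it there only to keep the example self-contained); carry it on a separate medium or print its hash, since an attacker with write access to the disk could simply regenerate it. The check also says nothing about firmware or about data kept in the encrypted volume, which is why it complements rather than replaces the full-disk encryption steps that follow.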

All these extra steps are irksome, and stem from the fact that Threat Level Yellow with an encrypted volume doesn't completely protect you.

Why not? Unix-derived systems including Apple's OS X store details about VPN usage and user login times in unencrypted form. Some applications including Thunderbird save working copies of documents in an unencrypted area (/tmp or /private/tmp) outside the home directory. And the contents of the computer's virtual memory file may be readable as well.

That brings us to Threat Level Orange, at which point you should encrypt everything. That means you won't have to worry about whether applications leak data outside the virtual safe of an encrypted volume.

Microsoft has included the BitLocker Drive Encryption feature in the Enterprise and Ultimate versions of Windows Vista. A perpetual license for PGP Whole Disk Encryption 9.8--often viewed as the gold standard of encryption products--for Windows costs $149. Macintosh users are out of luck for now, though PGP did tell us last month that whole disk encryption for OS X is "in active development." Linux users have loop-aes and dm-crypt to choose from.

The same advice as Threat Level Yellow holds for laptopping-across-the-border: shut down your computer for a few minutes to make sure the memory decays.

While you're at Threat Level Orange, you might as well take some additional steps to harden your machine against other attacks. One of those is guarding against having the entire contents of your computer's memory siphoned off through FireWire.

This isn't new. In 2004, Maximillian Dornseif showed how to extract the contents of a computer's memory merely by plugging in an iPod to the FireWire port. A subsequent presentation by Adam Boileau in 2006 expanded the FireWire attack to Windows-based systems; he released exploit code this month.

Under OS X, according to a security guide (PDF) by Paul Day, setting an Open Firmware password disables physical memory access for FireWire devices. Here's how to set an Open Firmware password.

If they're out to get you, or if you're sufficiently paranoid to think they are, you're at Threat Level Red.

One downside with encrypted drives is that they can be a huge blinking neon sign to customs officers saying: "Contraband! Likely! Here!" Even if you're law-abiding, an encrypted drive could mean unwanted hassles and delays, and the unpleasant prospect of customs officials preventing you from entering the country unless you type in your password. In the U.S., whether you can be compelled to divulge it by court order remains an unanswered question--and other nations may not observe such legal niceties.

One answer is steganography, which means concealing data in a way that nobody even knows it's there. It's an electronic form of invisible ink. Data can be stored in MP3s, in videos, and even in apparently-empty space on the hard drive.

Unfortunately, steganographic file systems are about as well developed as cryptographic ones were a decade ago--they're still more of a laboratory curiosity than something that's been thoroughly tested and built into commercial products. One exception is TrueCrypt, which offers two levels of plausible deniability, including a standard TrueCrypt volume that appears when you're forced to give your "password," and a hidden one that remains concealed.

Some technologists remain skeptical. Jon Callas, PGP's chief technology officer, says:

I have a rather negative opinion about steganographic file systems. I just flat don't believe they work. I don't believe you can hide the data so that nobody can find it...

If this customs official says, 'Aha! I see you have a steganographic file system, tell me the other password,' what do you do? It is unsafe to use a product that has a steganographic file system since you can never prove you have no steganographic data...

For steganography to work it must be custom-built for you. Or you're relying on the fact that the person searching for the data is stupid.

So what's left? Concealing the data in other ways. Bring your laptop with tourist snapshots and no steganography. Put your sensitive files on your camera's memory card or your phone's SD card; Sandisk's 32 GB SD card is supposed to ship soon.

Finally, there's always the option of bringing your data across the border electronically--by securely downloading it once you and your laptop have made it safely past customs. It may not work for everyone, and extremely large files may make it unwieldy as an option, but it may be the safest and easiest way to travel internationally nowadays.


House scrutinizes warrantless taps

The statement, signed by 20 Democratic members of the House Judiciary Committee, refused to extend immunity to companies retroactively because the Bush Administration had not presented a "credible case justifying the extraordinary action." Instead, the Committee members support a resolution that would allow telecommunications companies to defend themselves in court, allowing classified information to be presented only to the judge as a safety measure.

"Our review of the classified information has reinforced serious concerns about the potential illegality of the Administration's actions in authorizing and carrying out its warrantless surveillance program," stated the signatories, led by John Conyers, Jr. (D-MI). "We, therefore, recommend the creation of a bipartisan commission to conduct hearings and take other evidence to fully examine that program."

On Tuesday, House Representatives circulated a bill that would deny telecommunications firms retroactive immunity from lawsuits and would set up a commission to investigate the Bush Administration's actions. The bill would continue to make the Foreign Intelligence Surveillance Court (FISC) the sole body able to approve surveillance, has provisions for emergency wiretaps, does not allow intelligence officials to skirt the rules if targeting people outside the U.S., and gives immunity to telecommunications companies for current and future cooperation, according to a summary posted by Wired News.

The Attorney General and Director of National Intelligence released a joint statement on Tuesday condemning the latest House draft.

"Based on initial summaries of what the proposal contains, we are concerned that the proposal would not provide the Intelligence Community the critical tools needed to protect the country," the intelligence officials stated (pdf). "The Senate already has passed a bipartisan bill that would give our intelligence professionals the tools they need to keep America safe. The bipartisan bill was carefully crafted to ensure important intelligence operations were not harmed by new legislation."

Revising the 30-year-old Foreign Intelligence Surveillance Act (FISA) has preoccupied Congressional leaders and the Bush Administration ever since the New York Times revealed that the National Security Agency (NSA) had broadly eavesdropped on telephone and Internet communications. The agency had allegedly installed special rooms equipped with wiretapping hardware in important communications hubs with the blessing of major telecommunications firms. A whistleblower has claimed that AT&T had one such room, while a security consultant recently stated that a major cellular telecommunications company allowed a third party to directly connect, via a line known as the "Quantico circuit," into their systems.

The Foreign Intelligence Surveillance Act (FISA), passed in 1978, requires that all government surveillance for intelligence purposes must first be sanctioned by a court order from the Foreign Intelligence Surveillance Court (FISC) allowing the eavesdropping. The secretive court, which rarely issues rulings, also allows emergency warrants up to 72 hours after surveillance has begun. Some critics have argued that the 72-hour limit is not long enough to file a warrant application and get it approved.

Last month, the Senate passed a bi-partisan bill that would give the Attorney General and the Director of National Intelligence the ability to authorize warrants and would have granted full, retroactive, immunity to any telecommunications carrier that cooperated with the Bush Administration's surveillance.

President Bush slammed House Democrats on Thursday for not passing the bill and for allowing the expiration of a law that temporarily broadened the government surveillance powers.

"Unfortunately, instead of holding a vote on the good bipartisan bill that passed the United States Senate, they introduced a partisan bill that would undermine America's security," President Bush said in a statement Thursday morning. "This bill is unwise. The House leaders know that the Senate will not pass it. And even if the Senate did pass it, they know I will veto it."

President Bush has threatened to veto any bill that does not grant retroactive immunity to telecommunications companies that allowed access to their networks.

Retroactive immunity has never before been granted wholesale to companies. The current FISA law, passed in 1978, came after a similar investigation by Congress into government eavesdropping on telegraph communications under Project Shamrock and the Watergate break-ins. Congress considered retroactive immunity for the companies that cooperated with U.S. intelligence agencies at the request of the Ford Administration, but the proposal failed.

Just as the Church Commission investigated excesses of the intelligence community and executive branch, the bi-partisan commission called for by the House bill would investigate the latest surveillance apparatus, said Tim Sparapani, senior legislative counsel for the American Civil Liberties Union (ACLU).

"This is history literally repeating itself," Sparapani said. "It is mass, untargeted surveillance of the entire communications stream. From our point of view, we think it is no different."

In denying the Bush Administration's strong position on retroactive immunity, the House Judiciary Committee members cited a number of issues that made immunity unnecessary, chief among them that telecommunications companies already do have immunity to prosecution under many circumstances, such as if they can provide a statement from the Attorney General that no warrant was required for the information turned over to the U.S. Department of Justice.

Other issues with the Bush Administration's arguments included that different carriers had different responses to the administration's request for access to communications, that the legal case was not clear at the time the surveillance requests were made, and that the Bush Administration used no single legal justification for asking the telecommunications firms for surveillance capabilities without first getting a warrant as required by FISA. The Judiciary Committee members also underscored that important legal issues remain and need to be ruled upon by the courts.

"The House leadership deserves real credit," the ACLU's Sparapani stated. "For not budging on immunity, and that's important, given that they have been under relentless assault by the White House bully pulpit."


Harvard hacked, posted on P2P

Harvard says about 10,000 of last year's applicants may have had their personal information compromised. At least 6,600 Social Security numbers were exposed. Worse, a compressed 125 M-byte file containing the stolen student data is currently available via BitTorrent, a peer-to-peer network.

In a statement published Monday night Harvard officials said the database containing summaries of GSAS applicant data for entry to the Fall 2007 academic year, summaries of GSAS housing applicant data for the 2007-08 and 2006-07 academic years, and administrator information had been compromised. The server had been taken offline for several days last month to investigate the extent of the problem.

Most troubling are the 6,600 summaries from admissions candidates from the United States that were copied. Harvard officials said the data includes the applicant's name, Social Security number, date of birth, address, e-mail address, phone numbers, test scores, previous school attended, and school records.

A BitTorrent file containing the stolen data includes a note that reads in part "maybe you don't like it but this is to demonstrate that persons like tgatton(admin of the server) in they don't know how to secure a website." The BitTorrent file consists of a server backup of the GSAS site with a full directory structure and three databases: joomla.sql, the main database; contacts.sql, a database of contacts; and hgs.sql, a miscellaneous file.

Harvard University has informed the affected students, and apologized for the error. The university said it would provide identity theft recovery services from Kroll Inc. to those who might potentially be affected.


Surveillance immunity bill for telecoms tries livin’ la vida loca

Only the paranoid survive. But which ones - the kind who choose to live in solitude, à la Unabomber Ted Kaczynski, patiently loading and unloading their weaponry to protect themselves from the dystopian techno-state? Or the kind living in Washington, who yearn for proto-totalitarian surveillance authority, all the better to protect us from ill-defined archetypal foreign threats and solitary lunatics living in the middle of nowhere?

Those rival camps - pass the medication, please - briefly crossed existential paths on the floor of the House of Representatives last week, when the Republicans took another stab at retroactive immunity for the as yet unrevealed - and almost assuredly illegal - warrantless surveillance activities of the American telecoms companies.

Crazy as it sounds, the latest maneuver by House Republicans to outflank Democrats, civil rights activists, and Constitutional scholars sought to attach retroactive immunity for the telecoms giants onto a completely unrelated mental health bill.

"This bill is intended to ensure the mental health of Americans; yet, no American's health can be fully secured if they are under attack by a terrorist or facing the potential threat of terrorist attack," Representative Peter Hoekstra, R-Mich., said last week on the floor of the House of Representatives, in support of his attempt to amend the Paul Wellstone Mental Health and Addiction Equity Act.

The act - which sought to end discriminatory treatment by insurance providers against individuals with mental health or substance-related disorders - was over ten years in the making, and had the support of the nation’s mental health experts, including the American Medical Association, American Hospital Association, and the American Psychological Association. Maybe a test run in Congress is in order.

It’s difficult to see how increased secret surveillance will reduce the paranoia of those most in need - those such as Dylan Stephen Jayne, who live their lives peeking out from behind the curtains in anticipation of black helicopters spiriting them away.

Fortunately, sanity - as practiced in the august halls of Congress, at least - appears for now to have prevailed. Pass the meds, Congressman.


Some viruses come pre-installed

From iPods to navigation systems, some of today's hottest gadgets are landing on store shelves with some unwanted extras from the factory — pre-installed viruses that steal passwords, open doors for hackers and make computers spew spam.

Computer users have been warned for years about virus threats from downloading Internet porn and opening suspicious e-mail attachments. Now they run the risk of picking up a digital infection just by plugging a new gizmo into their PCs.

Recent cases reviewed by The Associated Press include some of the most widely used tech devices: Apple iPods, digital picture frames sold by Target and Best Buy stores and TomTom navigation gear.

In most cases, Chinese factories — where many companies have turned to keep prices low — are the source.

So far, the virus problem appears to come from lax quality control — perhaps a careless worker plugging an infected music player into a factory computer used for testing — rather than organized sabotage by hackers or the Chinese factories.

It's the digital equivalent of the recent series of tainted products traced to China, including toxic toothpaste, poisonous pet food and toy trains coated in lead paint.

But sloppiness is the simplest explanation, not the only one.

If a virus is introduced at an earlier stage of production, by a corrupt employee or a hacker when software is uploaded to the gadget, then the problems could be far more serious and widespread.

Knowing how many devices have been sold, or tracking the viruses with any precision, is impossible because of the secrecy kept by electronics makers and the companies they hire to build their products.

But given the nature of mass manufacturing, the numbers could be huge.

"It's like the old cockroach thing — you flip the lights on in the kitchen and they run away," said Marcus Sachs, a former White House cybersecurity official who now runs the security research group SANS Internet Storm Center. "You think you've got just one cockroach? There's probably thousands more of those little boogers that you can't see."

Jerry Askew, a Los Angeles computer consultant, bought a new Uniek digital picture frame to surprise his 81-year-old mother for her birthday. But when he added family photos, it tried to unload a few surprises of its own.

When he plugged the frame into his Windows PC, his antivirus program alerted him to a threat. The $50 frame, built in China and bought at Target, was infested with four viruses, including one that steals passwords.

"You expect quality control coming out of the manufacturers," said Askew, 42. "You don't expect that sort of thing to be on there."

Security experts say the malicious software is apparently being loaded at the final stage of production, when gadgets are pulled from the assembly line and plugged in to a computer to make sure everything works.

If the testing computer is infected — say, by a worker who used it to charge his own infected iPod — the digital germ can spread to anything else that gets plugged in.

The recent infections may be accidental, but security experts say they point out an avenue of attack that could be exploited by hackers.

"We'll probably see a steady increase over time," said Zulfikar Ramzan, a computer security researcher at Symantec Corp. "The hackers are still in a bit of a testing period — they're trying to figure out if it's really worth it."

Thousands of people whose antivirus software isn't up to date may have been infected by new products without even knowing it, experts warn. And even protective software may not be enough.

In one case, digital frames sold at Sam's Club contained a previously unknown bug that not only steals online gaming passwords but disables antivirus software, according to security researchers at CA Inc.

"It's like if you pick up a gun you've never seen before — before you pull the trigger you'd probably check the chamber," said Joe Telafici, vice president of operations of McAfee Avert Labs, the security software maker's threat-research arm.

"It's an extreme analogy, but it's the right idea. It's best to spend the extra 30 seconds to be sure than be wrong," he added.

Consumers can protect themselves from most factory-loaded infections by running an antivirus program and keeping it up to date. The software checks for known viruses and suspicious behaviors that indicate an attack by malicious code — whether from a download or a gadget attached to the PC via USB cable.

One information-technology worker wrote to the SANS security group that his new digital picture frame delivered "the nastiest virus that I've ever encountered in my 20-plus-year IT career." Another complained his new external hard drive had malfunctioned because it came loaded with a password-stealing virus.

Monitoring suppliers in China and elsewhere is expensive, and cuts into the savings of outsourcing. But it's what U.S. companies must do to prevent poisoning on the assembly line, said Yossi Sheffi, a professor at the Massachusetts Institute of Technology specializing in supply chain management.

"It's exactly the same thing, whether it happened in cyberspace or software or lead paint or toothpaste or dog food — they're all quality control issues," Sheffi said.

While manufacturing breakdowns don't happen often, they have become frequent enough — especially amid intense competition among Chinese suppliers — to warrant more scrutiny by companies that rely on them, Sheffi said.

"Most of the time it works," he said. "The Chinese suppliers have every reason to be good suppliers because they're in it for the long run. But it's a higher risk, and we've now seen the results of that higher risk."

The AP contacted some of the world's largest electronics manufacturers for details on how they guard against infections — among them Hon Hai Precision Industry Co., which is based in Taiwan and has an iPod factory in China; Singapore-based Flextronics International Ltd.; and Taiwan-based Quanta Computer Inc. and Asustek Computer Inc. All declined comment or did not respond.

The companies whose products were infected in cases reviewed by AP refused to reveal details about the incidents. Of those that confirmed factory infections, all said they had corrected the problems and taken steps to prevent recurrences.

Apple disclosed the most information, saying the virus that infected a small number of video iPods in 2006 came from a PC used to test compatibility with the gadget's software.

Best Buy, the biggest consumer electronics outlet in the U.S., said it pulled its affected China-made frames from the shelves and took "corrective action" against its vendor. But the company declined repeated requests to provide details.

Sam's Club and Target say they are investigating complaints but have not been able to verify their frames were contaminated.

Legal experts say manufacturing infections could become a big headache for retailers that sell infected devices and the companies that make them, if customers can demonstrate they were harmed by the viruses.

"The photo situation is really a cautionary tale — they were just lucky that the virus that got installed happened to be one that didn't do a lot of damage," said Cindy Cohn, legal director for the Electronic Frontier Foundation. "But there's nothing about that situation that means next time the virus won't be a more serious one."


Unpatched RealPlayer bug paves way for drive-by downloads

An unpatched bug in RealPlayer leaves the media player open to drive-by-download attacks, which hackers use to trick prospective marks into visiting maliciously constructed websites.

The vulnerability stems from coding errors in a RealPlayer ActiveX control (rmoc3260.dll), which enables content to be played within a user's Internet Explorer browser. The ActiveX control fails to properly handle multiple properties, including Console, creating a heap memory corruption risk.

RealPlayer version 11.0.1 is confirmed as vulnerable. Other versions of the media player may also be flawed. Security clearing house Secunia advises users to kill the affected ActiveX control pending the availability of a patch from Real Networks. Instructions and pointers on how to disable RealPlayer ActiveX controls in Internet Explorer can be found in an advisory by US CERT here.

Details of the vulnerability were posted by its discoverer, Elazar Broad, on a full disclosure mailing list on Monday.

A similar vulnerability involving the interaction between RealPlayer and IE, but affecting a different ActiveX control, was discovered last October.


Office fixes dominate Microsoft update

Fixes for Microsoft's Office productivity suite dominated this month's Patch Tuesday release.

The four bulletins in yesterday's Security Update addressed 12 vulnerabilities in the popular software.

Each of the bulletins fixes vulnerabilities which could allow an attacker to remotely execute code on the target system. Microsoft has rated all four as 'critical', the highest of its four alert levels.

The bulletins address flaws in Outlook, Excel and Office web components. The update applies to Office XP, 2000, 2003 and 2007. Mac versions of Office 2004 and 2008 were also updated, each receiving fixes rated 'important'.

Windows XP and Windows Vista were not affected by the monthly update.

Dave Marcus, security research and communications manager at McAfee, said that the update addresses an important attack vector.

"Vulnerabilities in Office applications have been a favourite attack method among cyber-crooks, especially in stealthy attacks that seek to steal high-value intellectual property," he said.

"Trojan attacks often use rigged Office files that exploit vulnerabilities in the productivity suite."


Hacking attacks can turn off heart monitors

American researchers have proven it's possible to maliciously turn off individuals' heart monitors through a wireless hacking attack.

Many thousands of people across the world have the monitors, medically known as implantable cardiac defibrillators (ICDs), installed to help their hearts beat regularly.

ICDs treat abnormal heart conditions; more recent models also incorporate the abilities of a pacemaker. Their function is to speed up a heartbeat which is too slow, or to deliver an electrical shock to a heart which is beating too quickly.

According to the research (pdf) by the Medical Device Security Center - which is backed by the Harvard Medical School among others - hackers would be able to intercept medical information on the patient, turn off the device, or, even worse, deliver an unnecessary electrical shock to the patient.

The hack takes advantage of the fact the ICD possesses a radio which is designed to allow reprogramming by a hospital doctor. The ICD's radio signals are not encrypted, the Security Center said.

The Security Center demonstrated the hack on an ICD made by Medtronic using a PC, radio hardware and an antenna. The ICD was not in a patient at the time. The research is detailed in a report released today.

The report reveals that a hacker could "render the ICD incapable of responding to dangerous cardiac events. A malicious person could also make the ICD deliver a shock that could induce ventricular fibrillation, a potentially lethal arrhythmia."

The Security Center says manufacturers of ICDs could implement several measures to prevent the threat. These include making the IMD produce an audible alert when an unauthorised party tries to communicate with it. It also suggests employing cryptography to provide secure authentication for doctors.
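To make the suggested countermeasure concrete, here is an added example (not from the Medical Device Security Center paper or from Medtronic) of how a device could authenticate programmer commands: each radio frame carries a counter and an HMAC-SHA256 tag under a key shared with the clinic's programmer, and the implant ignores frames with a bad tag or a reused counter while counting rejections so they can drive an alert. The key, frame layout and command names are constructed assumptions.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32
# Constructed placeholder: a real device would carry a per-device key.
SHARED_KEY = b"\x11" * 32


def build_command(key: bytes, counter: int, command: bytes) -> bytes:
    """Programmer side: frame = counter (4 bytes, big-endian) || command || tag."""
    body = struct.pack(">I", counter) + command
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Implant:
    """Device side: accept only authenticated frames with a strictly increasing counter."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0
        self.accepted = []   # commands actually applied
        self.rejected = 0    # would feed the audible alert the researchers suggest

    def receive(self, frame: bytes) -> bool:
        if len(frame) < 4 + TAG_LEN:
            self.rejected += 1
            return False
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            self.rejected += 1           # no valid tag: not from a trusted programmer
            return False
        counter = struct.unpack(">I", body[:4])[0]
        if counter <= self.last_counter:
            self.rejected += 1           # replayed frame: ignored
            return False
        self.last_counter = counter
        self.accepted.append(body[4:])
        return True


def demo():
    implant = Implant(SHARED_KEY)
    good = build_command(SHARED_KEY, 1, b"SET_RATE_60")
    unsigned = struct.pack(">I", 2) + b"REPROGRAM" + b"\x00" * TAG_LEN
    results = [implant.receive(good),                           # genuine programmer
               implant.receive(good),                           # replay of the same frame
               implant.receive(unsigned),                       # frame with no valid tag
               implant.receive(build_command(b"wrong", 3, b"REPROGRAM"))]  # wrong key
    return results, list(implant.accepted), implant.rejected
```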

The researchers added that the risk facing patients is negligible. "We believe the risk to patients is low and that patients should not be alarmed," it said in the report.

"We do not know of a single case where an IMD patient has ever been harmed by a malicious security attack."

It added that hackers would need to be physically close to their intended victim and would need sophisticated equipment. The kit used in the demoed attack cost $30,000.

The researchers omitted their methodology from the paper to help prevent such an attack ever happening, they said.

Medtronic said the chance of such an attack is "extremely low". Future versions of its IMDs, which will send radio signals ten metres, will incorporate stronger security, it told the Associated Press.


China attacks the USA, allegedly

A HIGH RANKING US military figurine has told the Wall Street Journal that American military networks are under siege from hackers trying to nick sensitive, classified information. He pointed the finger at China. Sort of.

Gen. Kevin Chilton, who is a former astronaut and now heads the military's Strategic Command and all things cyberspace, was somewhat reluctant to point the finger directly at China, but said that there was plenty of evidence to suggest that China was behind most of the incidents and that 'you can kind of connect the dots'.

In the past, the U.S. has expressly linked China to a number of embarrassingly successful cyber attacks against their military networks, accusations which China hotly denies.

The US reckons that it has serious grounds for concern, admitting that its classified military and government networks come under attack tens of thousands of times a day.

Gen. Chilton tactfully likened the hacking attempts to Cold War-era espionage, and accused the (possibly Chinese) hackers of trying to mine classified data.

The Chinese had better watch their backs because, according to the General, even if hackers don’t manage to crash the US military system and only slow it down a little bit, he still reckons "I would consider that an attack".

Beijing, consider thyself warned.


Government fails to sell ID concept

It would be easy to be cynical and suggest the government engaged in a bit of press control with the timing of the publication of Sir James Crosby’s report on UK identity management last week.

On the afternoon that home secretary Jacqui Smith announced the latest changes to ID cards, the Treasury-commissioned Crosby study was also quietly released after months of delays – Computing was leaked details of its contents as long ago as last August – see www.computing.co.uk/2197249.

Smith said she was “indebted” to Crosby, but ignored most of his recommendations – not least the widely publicised suggestion that ID cards should be free.

But a detailed look at the Crosby report – which was initiated by Gordon Brown when he was chancellor – reveals a more coherent, workable, and less costly alternative to the increasingly ham-fisted and ever-changing plans for ID cards.

The former HBOS chief executive recommends a system delivered by the private sector through trusted institutions such as banks. The government has co-opted at least part of this, in that companies will be asked to bid to provide biometric enrolment services, but the national identity register remains a Whitehall resource.

Under Crosby, you choose which trusted organisation looks after your biometrics. Far less Big Brother.

His proposal is for a consumer-led process that offers citizens who are increasingly worried about identity theft a secure way to prove who they are, with a commercial incentive for the banks. And of course, public services can piggyback the scheme. Compared to the government’s attempts, it appears to make much more sense.

There is no doubt that in future we will need some form of standardised electronic personal identity management system to safeguard our details and our online – and physical – transactions.

But the government’s lacklustre attempts to sell ID cards to a sceptical public are doing more to threaten this goal than to promote it. The expertise of the private sector needs to be given more weight in the identity management debate.
