While we spend countless hours trying to determine whether Windows is more secure than Linux, the "offline" world is proving itself to be the biggest security risk of all. In two separate instances, GE Money said it was missing a computer tape with 650,000 personal records, including 150,000 Social Security numbers, and the UK's Ministry of Defense managed to lose a laptop with the personal details of 600,000 new and prospective military recruits.
I could write a whole blog about correcting computer articles in newspapers, pointing out mistakes and omissions. Many times I have corrected and expanded on articles in the Wall Street Journal by Walter Mossberg, but I've also griped about mistakes in the other newspaper I read regularly, my hometown New York Times. Back in May, on my previous blog, my comments on an article that David Pogue wrote in the Times about data cartridges for backing up computer files prompted a surprising rebuttal from Mr. Pogue.
Beats me why major newspapers don't hire computer techies to write about …
Microsoft issued a security advisory late Tuesday that malicious attackers are targeting versions of its Office Excel with vulnerabilities.
Microsoft Office Excel 2003 with Service Pack 2; Excel Viewer 2003; Excel 2002; Excel 2000; and Microsoft Excel 2004 for the Mac are affected by the security vulnerabilities, according to the advisory.
People who open a malicious e-mail attachment or visit a malicious Web site may find that their systems are compromised and that arbitrary remote code is executed. Computers configured to allow the user to have administrative user rights are at greater risk than those with few user rights on …
F-Secure is warning Mac users to beware of a rogue software application that is making the rounds.
The application, MacSweeper, purports to clean a user's Mac, but in reality will "always" claim to find something wrong with a user's system and seek payment to remove the unwanted file or spyware, security researcher F-Secure noted in a blog posting Tuesday.
"It's a scam... when you visit the MacSweeper Web site with a PC and click on 'Scan', it will tell you that you have security vulnerabilities in folders that only exist on a …
If security is a process, Oracle's users have checked out of the process completely. As CNET's Dawn Kawamoto reports, two-thirds of Oracle users report that they have never installed an Oracle Critical Patch Update (CPU). That's "never" as in "not ever."
The data comes from a survey of Oracle database administrators, consultants, and developers by Sentrigo. It's shocking.
Perhaps it's also a testament to the robust security of Oracle's products. Let's assume that the respondents to this survey are representative of Oracle users generally. With 66% of Oracle's databases essentially unprotected and yet rarely compromised, that says something about their quality.
Or maybe it just means that database hackers are lazy. :-) …
If you build it, will they come?
Apparently not when it comes to Oracle's quarterly Critical Patch Updates (CPUs).
Database security firm Sentrigo released some surprising numbers Monday, culled from a survey of 305 database administrators, consultants, and developers in attendance at Oracle Users Group meetings last year.
The survey found that a staggering two-thirds of respondents had never applied an Oracle quarterly CPU. Not one, nada, a big fat zero.
And of the remaining 33 percent of survey respondents who did, only 10 percent noted they had gotten around to applying Oracle's more recent CPU, or the …
According to security vendor McAfee, one of the profiles on MySpace currently serves up a fraudulent Microsoft security update that, if clicked, attempts to load malicious software. The profile of a 42-year-old woman from Arkansas appears to exist solely for the purpose of infecting visitors. McAfee says that both Microsoft and MySpace have been contacted.
Joris Evers, publicity director at McAfee, says "attackers send unwitting MySpace users a friend request, asking them to become friends with 'Rita.' When the user clicks to see who 'Rita' is they are sent to the profile that serves up malware." The profile …
Last week, up to 260,000 Medicaid, BadgerCare and SeniorCare participants in Wisconsin received a brochure that had something extra on the address label: their Social Security numbers. As a consequence, the company responsible for the mailing, Electronic Data Systems (EDS), says it will offer those affected free identity theft insurance and credit monitoring with all three credit bureaus for one year. EDS says the monitoring plus the cost of resending the brochure will cost the company nearly $1 million.
A letter detailing the insurance and monitoring programs will be sent out next week. Affected customers will have 90 days to …
There is a new exploit that affects how Apple QuickTime handles the Real Time Streaming Protocol (RTSP) and may allow an attacker to execute arbitrary code or cause a denial-of-service attack on a vulnerable system. The condition is similar yet different from a QuickTime RTSP flaw reported in December. This new vulnerability can occur on a fully patched QuickTime version 7.3.1, running on Windows and possibly Mac OS X.
On the surface, it looks like we actually made some improvements in protecting private data in 2007. According to the Privacy Rights Clearinghouse, the number of publicly disclosed data breaches actually decreased, from 346 incidents in 2006 to 310 in 2007. Unfortunately, there are still more clouds than sunshine. In 2007, the 310 data breach incidents resulted in a total of 162 million records exposed, more than three times as many as in 2006 (when there were about 50 million).
Here's another frightening data point: Five of the 10 biggest data breaches occurred in 2007, including the record setter. …