Andre Yee
Andre Yee's Security Insider
An open dialogue about security and compliance for the enterprise.


September 28, 2006
Missing Hardware Anyone?

The Commerce Department recently reported that it has lost over 1,100 laptops in the past five years, with the Census Bureau accounting for 672. I'm deriving from this that keeping count of the human population is somewhat easier than keeping track of laptops. As you might imagine, some of these laptops contained critical information, including personnel-related data.

In the missing laptops derby, the Census Bureau is far and away the winner. Coming in a distant second is NOAA (yes, they're the weather guys!), which lost 325 laptops. Details of the entire story here.

At least one congressman is trying to tackle the problem in the only way he knows how: via legislation. Rep. Tom Davis, R-Va., chairman of the House Committee on Government Reform, is putting forth legislation that requires all federal agencies to tell the public when they have data breaches of sensitive information. I commend Tom Davis for his efforts, but the long-term solution will be multi-dimensional, including both legislation and technology. I think the ongoing battle to secure privacy data will result in increasing traction for Software as a Service (SaaS). I know SaaS already has traction, but it's mostly because of its simplicity of deployment and management. It's also most popular in the SMB market, but security concerns will drive its use into large enterprises and as a model for legacy systems as well. Mark my words, it'll happen.

Posted by andreyee in Privacy/Information Theft

September 27, 2006
Microsoft Gets Fix Out Ahead of Patch Tuesday

A vulnerability associated with the Vector Markup Language (VML) was first discovered around September 19th. It was initially discovered when shady pornography websites were exploited, resulting in massive loading of adware. Read CNet's article - Porn Sites exploit new IE flaw. The specifics of the vulnerability concern vgx.dll, a component of the VML subsystem.

Since then, Microsoft has apparently seen enough to warrant breaking its usual practice of pushing out fixes on its monthly Patch Tuesday. It released a new fix together with the following comment in its security advisory MS06-055:
"If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
We recommend that customers apply the update immediately."

Microsoft doesn't often break its cycle of monthly Patch Tuesdays, but it did this time, perhaps in part due to third-party pressure. A number of other groups supplied "unofficial" fixes over a week ago, which perhaps forced Microsoft to act. In any case, it was the right thing to do.

Posted by andreyee in Alerts/Warnings

September 18, 2006
EMC Acquires Network Intelligence

Rumors were flying in the latter part of last week about this. EMC made it official today by acquiring Network Intelligence for $175M. The acquisition immediately follows EMC's completion of the RSA Security acquisition for $2.1B. With this acquisition, EMC continues to strongly signal its intention to be a strategic player in the security landscape.

Network Intelligence is a notable company in the SIM (security information manager) space. Unlike some of the other SIM players, Network Intelligence has proven technology and a long history in systems/network event management. When I've discussed SIMs with customers and clients, many have noted Network Intelligence as a company with enterprise-proven and scalable technology, so I think this is a good move for Art Coviello and the EMC security division. Prior to the acquisition, they were already working together as partners, so the element of "try before you buy" lowers the risk profile for EMC.

Last month, IBM made a strong move into security by acquiring ISS. Now EMC follows up the RSA acquisition with Network Intelligence. Together with Cisco, will this be the new power structure in the security space? How will traditional security pure-play companies like McAfee and Check Point respond?

Is there an advantage to the security pure play? Will they have a place in the new power structure? Is it good for the buying community? I think the answer to that is a resounding YES!

Posted by andreyee in Industry Trends

September 12, 2006
Are Macs Truly More Secure?

Last month's security bulletin from Microsoft included MS06-040, revealing a critical vulnerability in the Windows Server service. MS06-040 attacks continued to proliferate throughout the month and into September.

What's interesting is that it's led to a discussion on how Macs are inherently far more secure than Windows. Of course, that view is championed by a Mac proponent.
In response, the Security Curve weblog poses the idea that Apple is actually becoming too smug for its own good.

Maybe so, but what we know is that no platform is absolutely secure, and Macs have recently experienced an increase in exploits. I don't rejoice in exploits on any platform, but the reality is that Macs have been as much the beneficiary of the lack of interest from the hacker community as they have from their own inherent security. In other words, their lack of market share makes them uninteresting as a targeted platform for hackers. On the practical front, it also limits the rate of proliferation.

Apple, smug? Yes. Does it surprise us? No...but if they start getting targeted, the smugness won't last long.

Posted by andreyee
