According to a Ponemon Institute survey, more than 10,000 laptops are reported lost each week at the largest airports in the US. Of those, roughly 65 percent aren't reclaimed. The US airports that reported the most missing laptops were Los Angeles International, Miami International, John F. Kennedy International, Chicago O'Hare, and Newark Liberty International. Of those respondents, roughly 53 percent said the missing laptops contained sensitive company information, and 65 percent didn't take security measures to protect their laptops in the event of loss, such as encrypting data.
The PCI Security Standards Council has released new security guidelines for unattended payment terminals (UPT) that accept personal identification numbers (PINs) at places such as kiosks, self-service ticketing machines, and fuel pumps. The PIN Entry Device (PED) security standards will require more rigorous testing by approved labs on encrypted PIN pads. The council has yet to release a date for compliance by retailers.
In June, Apple released a Mac OS X update that fixed 25 vulnerabilities. Of the 25, half of those were deemed critical and included patches to Safari that plugged a hole that the company had previously fixed in the browser's Windows version. The update fixed flaws in open source components that use Ruby and Apache Tomcat. Users can download the update from Apple's site or install it using OS X's update service.
As part of its Critical Patch Update, Oracle released 45 security fixes across its products in July. Among the patches, the most critical are fixes for vulnerabilities in Oracle's Application Server and WebLogic Server. Left unpatched, the flaws in these products could let attackers exploit the servers remotely without authentication. Also included are fixes for Oracle's TimesTen In-Memory Database, Enterprise Manager, E-Business Suite, and its PeopleSoft Enterprise products. The next release for critical patches is scheduled for 14 October 2008.
A survey of roughly 300 attendees at the RSA Conference in 2008 found that more than 89 percent of security incidents went unreported in 2007. The survey identified security incidents as "unexpected activity that brought sudden risk to the organization and took one or more security personnel to address." The survey respondents identified lost or stolen devices as the number one security challenge to combat (49 percent), followed by nonmalicious employee error (47 percent), budget constraints (44 percent), external hacking (38 percent), executive buy-in (26 percent), and insider threat (22 percent).
In August, NASA confirmed that malware was found on laptops aboard the international space station. The worm—identified as W32.Gammima.AG—spreads by copying itself onto removable media and is designed to steal passwords for online games. Symantec has classified the worm as a very low risk. A spokesperson for NASA said the virus hadn't infected the command and control computers of the space station. In September, NASA will send up new flash memory cards to that have been screened for the virus. NASA is currently conducting an internal search to discover how the virus got onboard.
A lost USB stick is the culprit in the loss of 84,000 prisoners' personal information in England and Wales. Data on the USB stick included names, birth dates, expected release dates, and drug intervention data. The information was downloaded to the memory stick for processing purposes and was subsequently lost by a contractor working for the UK Home Office.
In August, The Royal Bank of Scotland acknowledged that a server from Graphic Data, an archiving company, which contained personal information of more than 1 million of its customers, had been sold to a third party on eBay. The information included account numbers, passwords, cell phone numbers, and signatures. The server's hard drive hadn't been wiped before being placed on the online auction site. The buyer alerted Britain's Information Commissioner's Office, which has launched an investigation into the breach. eBay advises sellers to wipe all hard disks before selling computers on its site.
A federal judge in Virginia has ruled that a privacy advocate doesn't have to remove from her Web site the social security numbers (SSNs) she legally obtained off of government Web sites. The privacy advocate, Betty Ostergren, has been trying to force county governments in Virginia to redact SSNs and other personal data from their Web sites by regularly posting unredacted public documents on her site. Ostergren has posted the SSNs of high-profile individuals such as former Florida Governor Jeb Bush, Colin Powell, and several county clerks in Virginia. With the help of the American Civil Liberties Union (ACLU), Ostergren challenged an amendment to Virginia's Personal Information Act, which forbids anyone from disseminating SSNs no matter how they were obtained. Ostergren claimed the amendment would force her from posting the SSNs while doing nothing to stop Virginia's county governments from posting the same data.
The Business Software Alliance (BSA) has released the results of its study that shows the US still ranks as the world's best environment for a competitive IT industry. After the US, Taiwan, the UK, Sweden, and Denmark round out the top five. BSA president Robert Holleyman said the US's overall score fell from 2007 and could signal that US lawmakers need to concentrate on efforts to retain its number one spot as an IT leader, such as increasing the number of visas handed out to skilled immigrant IT workers. Countries that fell out of the top 10 include Japan, which fell from second to number 12, and South Korea, which fell from third to eighth. Iran, Algeria, and Nigeria were ranked at the bottom of the 66-nation survey. The study ranked each country in its overall business environment, IT infrastructure, human capital, legal environment, research and development environment, and support for IT industry development.
In September, the California state legislature sent an amended version of the Consumer Data Protection Act to Governor Arnold Schwarzenegger that he vetoed last year. The amended act has dropped a provision that would require retailers to reimburse financial institutions for the cost to replace compromised cards in the event of a data breach. Additionally, an added provision would let retailers keep data necessary to process recurring payments.
A feature in Google's Chrome browser has some privacy advocates concerned over data retention. Chrome's address and search bar, OmniBox, contains a suggest feature that shows users related search queries and popular Web sites based on the text they typed in. To do so, the feature must transmit keystrokes back to Google's servers. Roughly 2 percent of the keystrokes are recorded, along with users' IP addresses, which Google says it needs to log to improve the feature. In response to concerns about user privacy, Google has announced that it will start anonymizing the data within 24 hours of receiving it.