Archive for January, 2003

Top ten viruses and hoaxes reported to Sophos in November 2002

Sophos, a developer of corporate anti-virus software, has released the latest in a series of monthly charts counting down the ten most frequently occurring viruses and hoaxes. The company detected 817 new viruses, worms and Trojan horses in the month of November.

Gilmore Commission: Cybersecurity Cannot Rely Upon Private Sector Willingness

The Advisory Panel to Assess Domestic Response Capabilities for Terrorism Involving Weapons of Mass Destruction, also known as the Gilmore Commission, recently released its Fourth Annual Report. The report notes that while much work has been done to enhance the physical protection of critical infrastructure, the cyber security aspect remains very problematic. The Commission states that the current government plan “relies on private sector willingness to take certain security measures and bear their costs, and chooses not to use government’s power to legislate, regulate or otherwise require certain actions.” The report criticizes the current policy for failing to recognize the importance of market factors, which has resulted in “no change in the significant market disincentives to the adoption of cyber security measures.”

Growing Opposition To Pentagon’s Total Information Awareness Program

Business Week documents the growing opposition to the Defense Advanced Research Projects Agency (DARPA) “Total Information Awareness” program run by John Poindexter. I first commented on TIA back in December (Virtual, Centralized Grand Database, 12/2/2002). As the Electronic Privacy Information Center accurately points out, it is very important that a program of this nature be monitored carefully to ensure it does not violate federal privacy laws or the U.S. Constitution. When considering a data-mining initiative of this scale and magnitude, promises by the DoD to “research and develop technologies to protect the system from internal abuses and external threats” ring a little hollow. The potential for the abuse of such a system is painfully obvious. And let’s be serious, does the DoD, particularly from a PR standpoint, really think that Admiral Poindexter is the right person to be in charge of a project of this nature?

California Law Requires Notification of Computer Security Breaches

SB 1836 is designed to protect against identity theft and requires that any “state agency, or a person or business that conducts business in California, that owns or licenses computerized data that includes personal information, as defined, to disclose in specified ways, any breach of the security of the data, as defined, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” There appear to be a number of loopholes in the law. For example, the references to “unencrypted personal information” appear to indicate that data accessed from an encrypted database would not require notification. Regardless, this law and the similar bills that are certain to begin appearing will seriously impact the manner in which business views information security.

Frustration with Microsoft Windows Update

Dennis Fischer, always on the ball at eWeek, continues to keep the focus on the frustrations of using Microsoft’s automated update tools for patches and security updates. Recently, he noted two disturbing trends. First, Microsoft is using the critical update features as a sales tool to push upgrades for its latest software. More notable, however, are the technical problems that users - experienced, trained users - are having installing the updates. Many updates require that security settings configured to make a system more secure be disabled in order to download and install patches! See his latest article, Microsoft Security: What’s Next?
