
News Blog

May 21, 2009 5:29 PM PDT

Acronis True Image backup software.

(Credit: Dong Ngo/CNET)

After I blogged about how Acronis misinterpreted its survey data, mistakenly reporting an alarming 87 percent of users back up their data only once every two or three months, the company released a revised report on the matter on Thursday.

The new report shows that nearly two-thirds (64 percent, as opposed to the earlier contention of 87 percent) of users back up their computers every two or three months, which is still much less frequently than is recommended to keep data safe.

In addition, the survey found that 80 percent of the roughly 6,100 participants surveyed in North America have experienced data loss or recovery of some sort.

The survey suggests that most of us need to take backup more seriously, and do it on a much more frequent basis. This is especially important considering the increasing risk of malware to computers, which often store critical data, such as financial and personal information.

The survey also found that 81 percent of users have had to reinstall their computers' operating systems or software applications. According to the survey, data loss cost those affected significant time and effort, with 48 percent of those surveyed reporting that the reinstallation process took more than four hours on average.

Personally, I don't know how credible these numbers are considering the error found in the previous report. Nonetheless, I can't stress how important backing up is. I've seen many friends learn this lesson the hardest and most expensive way.

Apart from Acronis True Image--which is one of my favorite backup programs, because of its capability to automatically create an exact copy of the hard disk and allow you to restore the entire machine--you can also use other free programs, such as GFI Back Up Home Edition. Or just get an external hard drive and simply copy information over.

Think of backing up as automobile insurance: it's a hassle to have and you hope you'll never have to use it, but it's really dangerous and sort of irresponsible to go without it.

May 20, 2009 1:23 PM PDT

The survey section where the percentages were taken out--the numbers just don't justify what Acronis said in its report.

(Credit: Acronis)

Acronis, a major vendor of backup software, released a report earlier this week stating that about 87 percent of computer users back up their data once every two or three months--way less frequently than recommended. This suggests that most of us live dangerously when it comes to backing up.

The survey was widely reported in the press, but it turns out the numbers didn't seem to go well with Acronis' report.

The percentages released to the media were taken from the question "How often do you back up your hard drive or files?" Results include: 48 percent for "once a week (or more)"; 55 percent for "2-3 times a month"; 81.5 percent for "once a month"; 86.8 percent for "every 2-3 months"; 91.4 percent for "2-3 times a year"; 94.6 percent for "once a year or less"; and 25.5 percent for "never."

It may be that I'm Asian and extra good with math, but I couldn't help but notice that when added up, the numbers total around 500 percent. Other ways to interpret the chart didn't justify the reported 87 percent, either. So maybe you're not as bad at backing up as some media reports told you you were.

Originally posted at Crave
July 9, 2008 1:17 PM PDT

Dutch chipmaker NXP Semiconductors has sued a university in The Netherlands to block publication of research that details security flaws in NXP's Mifare Classic wireless smart cards, which are used in transit and building entry systems around the world.

NXP, formerly Philips Semiconductors, sued to prevent Radboud University Nijmegen from publishing a scientific paper on the technology in October. A hearing is scheduled for Thursday in the Dutch court, Rechtbank Arnhem.

"We feel the publication would not be responsible," NXP said in an e-mail statement when asked to comment for this article on Wednesday. "We cannot give further comments at this time, as it is in the hands of the court and the court has given a confidentiality order."

A court decision on the matter is expected next week, according to Karsten Nohl, a University of Virginia graduate student who worked with others to break the crypto algorithm last year and has been closely following the case.

The Dutch university's research builds upon Nohl's work. Nohl said he plans to publish his research in August and that NXP has not sued him to halt publication of his work.

"NXP spent most of this year defending the technology," Nohl told CNET News in a phone interview this week. "Only recently have they started admitting that the security is flawed, but they are still not ready for this to leak into the public domain."

"The only thing NXP would achieve if they win the lawsuit is prevent information from getting to other research groups that might very well be looking for solutions to this problem," Nohl said. Meanwhile, information on how to break the cryptography on the smart cards is already available to criminals who are willing to pay tens of thousands of dollars, he added.

A statement issued by the Dutch university in March says: "Because some cards can be cloned, it is in principle possible to access buildings and facilities with a stolen identity. This has been demonstrated on an actual system."

Dr. Bart Jacobs of Radboud University Nijmegen demonstrated last month how he could ride the London transit system for free. Once he obtained the key used by the London transit system, he brushed up against passengers carrying Oyster transit cards and was able to collect their card information on his laptop and make a clone of it.

This YouTube video shows how it is done:

In addition to the transit system in The Netherlands, the technology is used in the subway systems in London, Hong Kong and Boston, as well as in cards for accessing buildings and facilities. The Mifare technology is used in more than 80 percent of the market, Nohl said.

The university defended its plans to publish the research in a statement released Monday in Dutch, saying it has a duty to research and publish data on security technology flaws so that they can be fixed.

July 8, 2008 9:01 PM PDT

Video surveillance firm VideoIQ is set to announce on Wednesday morning a $10 million Series B funding round.

Lehman Brothers Venture Partners is leading the round, and current investors Matrix Partners and Atlas Venture are participating.

The funding will be used to help VideoIQ expand to new markets and continue product development of its IP video surveillance and video analytics products, the company says.

Bedford, Mass.-based VideoIQ was spun out of GE Security in 2007 and is headed by Scott Schnell, a former RSA executive.

July 8, 2008 11:03 AM PDT

Google on Tuesday said it is now using an e-mail authentication technology to keep phishers from luring Gmail users to fake eBay and PayPal Web pages in order to steal usernames and passwords.

The technology, DomainKeys, uses cryptography to verify the domain of the sender of an e-mail. It allows e-mail providers to validate the domain from which an e-mail originates, and it enables easier detection of phishing attempts by helping identify abusive domains.

Last October, Yahoo announced that it was protecting Yahoo Mail users with eBay and PayPal accounts from phishing attempts using the same technology.

The DomainKeys technology is covered by a patent assigned to Yahoo. The company released it under a dual-license scheme that allows the companies to use it royalty-free under the GNU General Public License (GPL 2.0), which enabled the Internet Engineering Task Force to approve it as a proposed Internet standard.

July 8, 2008 9:04 AM PDT

Summertime is the season for traveling circuses and local fairs, so I shouldn't be surprised that this carnival atmosphere has spread to security. A company named Permanent Privacy just announced a $1 million prize to the person who can crack its algorithm and uncover the underlying encryption keys.


Now I realize there is some history here. In January 1999, a group of academics cracked the 56-bit Data Encryption Standard in just over 22 hours and won a prize of $10,000. That said, I am not a big fan of security showmanship like this from unknown security start-ups.

Why? First of all, this "challenge" isn't really a challenge at all. Permanent Privacy technology is based upon the AES (Advanced Encryption Standard) algorithm and since no one has cracked AES, it's highly unlikely that anyone will crack AES with an additional proprietary security wrapper. Furthermore, information security is no longer an academic playground for brainiacs at Berkeley and MIT. Rather, it's serious business that impacts everything we do. Given this level of criticality, I'd rather see things like Common Criteria or FIPS certification than a publicity gimmick.

I understand that, as a start-up, Permanent Privacy needs to generate buzz and all PR is good PR. Heck, I did the same thing as VP of marketing at a misguided CLEC during the boom. Security isn't like other technologies, however; it's more about law, order, and safety. Oracle was dragged through the mud when it advertised its database as "unbreakable." Perhaps it's just me, but I think Permanent Privacy deserves a similar treatment in the market.

July 7, 2008 12:31 PM PDT

Microsoft issued a security advisory on Monday warning about targeted attacks being launched that exploit a hole in the ActiveX control for the Snapshot Viewer in the Microsoft Access database management system.

Basically, an attacker would have to lure a victim, via a link in an e-mail or IM for instance, to a specially crafted Web page that could exploit the security hole to allow remote code execution. This would provide the attacker with as much access to and rights on the computer as the logged-in user has.

The vulnerability only affects the ActiveX control for the Snapshot Viewer for Microsoft Office Access 2000, 2002 and 2003.

The ActiveX control, which allows a user to view an Access report snapshot without having the standard or run-time versions of Microsoft Office Access, ships with the standalone Snapshot Viewer and with all supported versions of Microsoft Office Access except for Microsoft Office Access 2007.

By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode known as Enhanced Security Configuration that sets the security level for the Internet zone to "high." This is a mitigating factor for Web sites that a user has not added to the Internet Explorer Trusted sites zone, according to Bill Sisk, security response communications manager for Microsoft.

In addition, a security feature in Internet Explorer can be set to prevent ActiveX controls from being loaded by the IE HTML-rendering engine, the advisory says.

Microsoft suggests that users adopt a workaround, such as configuring IE to disable Active Scripting or to prompt before running it, or setting Internet and local intranet security zone settings to "high" to prompt before running ActiveX Controls and Active Scripting.

Eventually, Microsoft may provide a security update for the vulnerability, according to the frequently-asked-questions section of the advisory.

"While the attack appears to be targeted, and not widespread, we are monitoring the issue and are working with our MSRA (Microsoft Security Response Alliance) partners to help protect customers," Sisk says.

July 4, 2008 12:02 PM PDT

VeriSign, which runs the master database for the .com and .net domains, has replaced its CEO and president, who resigned suddenly earlier this week.

Jim Bidzos

(Credit: VeriSign)

The company said Thursday that William Roper had resigned as of Monday. Roper, who had served as CEO for just more than a year, has been replaced on an interim basis by VeriSign's founder and chairman, Jim Bidzos.

Bidzos, who founded the Mountain View, Calif.-based company in 1995, has served as either chairman or vice chairman of the board of directors since its start. He was also the company's first CEO.

Roper had been working on whittling VeriSign down to its core Internet-services businesses.

"VeriSign remains committed to our strategy of focusing the company on its core businesses while continuing the divestiture of all non-core operations, which will proceed as planned," Bidzos said in a statement. "We appreciate Bill's contributions in implementing this divestiture strategy, which the board and the company are fully committed to continuing."

According to the San Jose Mercury News, Roper's decision to leave right now was voluntary, so to speak. "I don't think it was fair to have him around while we were looking for a replacement, so he chose to leave," Bidzos told analysts on a conference call.

July 3, 2008 1:44 PM PDT

A day before the United States celebrates its independence, we continue to question our individual freedoms online. In Thursday's Daily Debrief, CNET News.com Editor in Chief Dan Farber and I discuss a federal judge's recent ruling in the ongoing Google-Viacom lawsuit that orders Google to turn over YouTube user activity. This will include videos watched, IP addresses, and usernames as part of an ongoing copyright infringement case.

Understandably, this news is disconcerting for YouTube users. Sources tell CNET News.com, however, that if Viacom uses this information for anything other than investigating piracy issues, it will be held in contempt of court. Regardless, Farber makes the point that this ruling could now set a precedent for other online privacy and security battles. Representatives from the Electronic Frontier Foundation agree, arguing that this court order will slowly erode the online rights we have come to enjoy and appreciate. Sounds like fireworks of a different kind this Fourth of July.

July 2, 2008 10:21 AM PDT

A former vice president of Hewlett-Packard's printing division has been indicted by federal prosecutors for allegedly sharing with HP confidential information from his previous employer.

First reported by Wired, the indictment was filed Friday in U.S. District Court in San Jose, Calif. As director of sales and business development in IBM's printing division in March 2006, Atul Malhotra allegedly requested confidential information about IBM pricing. Just two months later, Malhotra took the position of vice president of HP's printing division.

In the indictment, prosecutors say Malhotra e-mailed the IBM information, marked "confidential," to an unnamed HP senior vice president on July 25, 2006, and again to another HP senior vice president two days later.

He was fired shortly thereafter, in September 2006, according to HP.

"The activity with which Malhotra is charged was in direct violation of clear HP policies, including HP Standards of Business Conduct," the company said in a statement. "HP detected this activity, conducted an internal investigation, terminated Malhotra's employment from HP, and reported the activity to appropriate enforcement agencies and to IBM. HP has cooperated fully with the government's investigation."
