Interesting commentary by Adrian Lane, Analyst and CTO of Securosis, writing at DarkReading and targeting the truncated utilization of DAM (Database Activity Monitoring); in this case, the widespread failure to deploy and properly configure the query-blocking mechanisms built into nearly all DAM products.
Coupled with the apparent lack of core competency in the DAM arena, the clients of the software manufacturers flogging these products are probably also deficient in at least three other fundamental aspects of DBMS activity monitoring: education and training within the scope of the products, scrutiny of the monitoring log output, and, probably the key to everything, the ability to read SQL statements.
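To make the point concrete, here is an added example (written for this post, not code from any DAM product) of what reading SQL from the monitoring log and applying blocking rules actually looks like. The audit-log format, the table classification, the account names and the four policy rules are all constructed assumptions; a real DAM would load equivalent policy from its own configuration.

```python
"""Minimal DAM-style query monitor with blocking rules.

Added, illustrative example for this post; not code from any DAM product.
The audit-log format, table classification, account names and policy rules
below are constructed assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample activity log, one statement per line: user|client_host|sql
SAMPLE_LOG = """\
app_svc|10.0.1.20|SELECT name, email FROM customers WHERE id = 4411
app_svc|10.0.1.20|SELECT * FROM customers
reporting|10.0.2.5|SELECT count(*) FROM orders WHERE placed_on > '2013-01-01'
dba_jsmith|10.0.9.3|ALTER TABLE customers DROP COLUMN ssn
app_svc|10.0.1.20|SELECT name FROM customers WHERE id = 1 OR 1=1
app_svc|10.0.1.20|GRANT DBA TO app_svc
app_svc|10.0.1.20|SELECT name FROM customers WHERE id = 4412; DROP TABLE audit_trail
"""

# Assumed policy inputs (a deployed DAM would load these from its configuration).
SENSITIVE_TABLES = {"customers"}
APP_ACCOUNTS = {"app_svc"}            # application service accounts: DML only
PRIVILEGED_ACCOUNTS = {"dba_jsmith"}  # accounts allowed to run DDL/DCL
DDL_DCL_VERBS = {"CREATE", "ALTER", "DROP", "TRUNCATE", "GRANT", "REVOKE"}


@dataclass
class Decision:
    user: str
    host: str
    sql: str
    verb: str
    action: str   # "allow" or "block"
    reason: str


def statement_verb(sql: str) -> str:
    """Leading keyword of the statement, upper-cased: the first thing a rule reads."""
    m = re.match(r"\s*([A-Za-z]+)", sql)
    return m.group(1).upper() if m else ""


def tables_referenced(sql: str) -> set:
    """Crude table-name extraction after FROM/JOIN/INTO/UPDATE/TABLE (no full parser)."""
    pattern = r"\b(?:FROM|JOIN|INTO|UPDATE|TABLE)\s+([A-Za-z_][A-Za-z0-9_]*)"
    return {t.lower() for t in re.findall(pattern, sql, re.I)}


def evaluate(user: str, host: str, sql: str) -> Decision:
    """Apply the blocking policy to one captured statement; first matching rule wins."""
    verb = statement_verb(sql)
    tables = tables_referenced(sql)

    def block(reason: str) -> Decision:
        return Decision(user, host, sql, verb, "block", reason)

    # Rule 1: a second statement stacked after ';' from an application account
    if user in APP_ACCOUNTS and re.search(r";\s*\S", sql):
        return block("stacked statement from application account")
    # Rule 2: tautology in the predicate (OR 1=1, OR 'a'='a')
    if re.search(r"\bOR\s+(\d+)\s*=\s*\1\b", sql, re.I) or \
       re.search(r"\bOR\s+'([^']*)'\s*=\s*'\1'", sql, re.I):
        return block("tautology in predicate")
    # Rule 3: DDL/DCL is reserved for privileged accounts
    if verb in DDL_DCL_VERBS and user not in PRIVILEGED_ACCOUNTS:
        return block("DDL/DCL from non-privileged account")
    # Rule 4: an application account reading a sensitive table with no WHERE clause
    if (verb == "SELECT" and tables & SENSITIVE_TABLES
            and user in APP_ACCOUNTS and not re.search(r"\bWHERE\b", sql, re.I)):
        return block("unfiltered read of sensitive table")
    return Decision(user, host, sql, verb, "allow", "")


def monitor(log_text: str) -> list:
    """Run every log line through the policy and return the decisions in order."""
    decisions = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        user, host, sql = line.split("|", 2)
        decisions.append(evaluate(user, host, sql))
    return decisions


if __name__ == "__main__":
    for d in monitor(SAMPLE_LOG):
        print(f"{d.action:5}  {d.user:10}  {d.verb:6}  {d.reason or '-'}  :: {d.sql}")
```

Run as-is, the seven constructed statements yield three allows and four blocks, each block carrying the rule that fired. The regexes are deliberately crude; the lesson is that none of the four rules can be written, tuned or even sanity-checked by someone who cannot read the statement in the log line.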
Reported by Bloomberg's Karin Matussek and edited by Anthony Aarons comes this well-wrought screed focusing on the recent fine levied by the Bundesrepublik Deutschland against Google Inc. (NasdaqGS: GOOG) for privacy violations in the European Union. The key issue here, other than the obvious egregious privacy infractions, is the unbelievably low sum the search leviathan has been ordered to cough up. As it were...
Via the recently released Veracode State of Software Security Volume 5 report, SQL injection flaws are rampant on the interwebs [surprised?], which points to fundamental coding failures brought on by both incompetent development staff and the oft-mentioned cruft.
The entire scenario equates to simple leadership failure; the fail condition is indicated by the inability to enforce both secure development practices and a verifiable training regime.
While the company responsible for the report is in the business of software security scanning and code review, the document's underlying data still carries weight...
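Since the report is about a coding failure, here is the failure itself beside its fix, as an added example written for this post (not code from the Veracode report). It uses Python's built-in sqlite3 module with an in-memory database; the users table, the account names and the passwords are constructed.

```python
"""SQL injection: the vulnerable pattern beside its parameterized fix.

Added example written for this post, not code from the Veracode report. It uses
an in-memory SQLite database with a constructed users table; the account names
and passwords are made up.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str):
    """The flaw the report counts: untrusted input pasted into the statement text."""
    sql = ("SELECT username, role FROM users "
           "WHERE username = '%s' AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchone()


def login_parameterized(conn, username: str, password: str):
    """The fix: the statement is fixed text; input travels as bound parameters."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


# Two classic payloads: a comment that truncates the password check, and a tautology.
COMMENT_PAYLOAD = "alice' --"
TAUTOLOGY_PAYLOAD = "' OR '1'='1"


def demo() -> dict:
    """Run both payloads against both implementations and collect the outcomes."""
    conn = make_db()
    return {
        "vulnerable_comment": login_vulnerable(conn, COMMENT_PAYLOAD, "wrong"),
        "vulnerable_tautology": login_vulnerable(conn, "nobody", TAUTOLOGY_PAYLOAD),
        "fixed_comment": login_parameterized(conn, COMMENT_PAYLOAD, "wrong"),
        "fixed_tautology": login_parameterized(conn, "nobody", TAUTOLOGY_PAYLOAD),
        "fixed_legit": login_parameterized(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    for case, row in demo().items():
        print(f"{case:22} -> {row}")
```

The vulnerable function hands back the admin row to both payloads without a valid password; the parameterized one returns nothing for either and still authenticates the legitimate credentials. This is the pattern a scanner flags, and the fix is a training and enforcement matter, not a clever one.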
Reportedly, evidence detailing intrusions into a United States National Aeronautics and Space Administration [NASA] database management system has forced the Agency to terminate external connectivity to the system, pending a thorough investigation.
Apparently, a PRC national, Bo Jiang, was arrested by Federal Bureau of Investigation Special Agents after boarding a plane to Beijing at Dulles International Airport. Jiang had been working as a contractor at NASA's Langley Research Center; additional information regarding the arrest points to false statements, possession of specific items [laptop, external storage devices], et cetera. Statements have also been made regarding previous exfiltration of data in this individual's past, which perhaps led to the arrest.
Quite negative news indeed for Oracle Enterprise Manager, the all-encompassing server, daemon, code and database control product, not to mention the huge number of deployed bits in both the public and private sectors. Recent Java exploits, piggybacked on these Oracle Enterprise Manager vulns, put the database leviathan into a tenuous posture of insecure cruft deployment.
Whilst all of the enumerated vulns have been officially patched by the company, a vast ocean of deployments is not being updated, generally due to recalcitrant DBAs and their System Administrator colleagues. Their rationale is misguided but familiar: they fear patchsets targeting Oracle products because of the severe impact the crufty bits have on extant Oracle instances, and the subsequent possibility of significant downtime. - mxh
Meanwhile, in Oracle Database news, Tanel Poder, perhaps one of the most highly respected yet quietly competent Oracle professionals, has released version 4.2 of his well-known [and heavily utilized by DBAs in-the-know] Snapper tool targeting Oracle Database performance metrics.
Whilst not necessarily security related, his work is highly rated and feature rich, yet lightweight in DBMS impact, oh, and did I mention available at no charge? If you work with Oracle DBMS products in any capacity, you need Snapper 4.x. Keep a sharp eye out for Tanel's seminars, also highly rated.
Whilst social network espionage and data mining have been a function of those networks from day one [anyone who believes this is not the case is sorely misled], state, not to mention corporate, surveillance of those 'networks' is, of course, a common practice.
After all, 'social media' platforms, with Facebook, Twitter, Identi.ca, App.net, et al. as exemplars, are essentially scalable relational database management systems with built-in rule sets, which store and make available data that can be mined for information gold, as it were.
The Center for Internet Security's Security Benchmarks division has released the organization's new benchmark targeting Oracle Corporation's (NasdaqGS: ORCL) Database 11g Release 2. Highly recommended as the 'playbook' for managing the security parameters of existing and new Oracle instances.
News of Swiss Federal Intelligence Service (FIS) (Deutsch: Nachrichtendienst des Bundes NDB, Français: Service de Renseignement de la Confédération SRC) warnings issued to the United States of America and the United Kingdom of Great Britain and Northern Ireland, detailing a data leakage incident perpetrated by an insider. The data: counterterror in scope.
A newly discovered and pernicious SQL Server-targeting malware package has emerged, in this case going after Microsoft Corporation (NasdaqGS: MSFT) SQL Server databases via an OLE DB vector, specifically in the Middle East. Dubbed W32.Narilam, this worm appears to propagate like most other infectious code, copying itself across drives and network file shares.