Stories by: Carl Jongsma

There are a few highly publicised vulnerabilities at the moment which haven't completely been disclosed and which, it is claimed, could threaten the whole Internet as-we-know-it. Only, when the vulnerabilities are finally disclosed, it seems that the whole incident has been somewhat Chicken Little.

Via the RISKS mailing list comes an interesting tale of poor online account management at a major online retailer. According to Graham Bennett, accounts with Amazon display an odd behaviour that doesn't seem to have attracted much attention in the past.

Who is the real identity behind that Gmail account? While finding out may not be as easy as knowing who is behind chunkylover53@aol.com (Homer Simpson, for the curious), it apparently isn't much harder.

If you needed any more reminders about why it isn't a good idea to use external mail services to conduct critical business, the recent break-in to US Republican Vice-Presidential candidate Sarah Palin's gov.palin@yahoo.com Yahoo inbox should be it. Of note is that following the disclosure of the inboxes the compromised address and another address, gov.sarah@yahoo.com, have been suspended.

Last week Microsoft released MS08-055 [1], patching a remote code execution vulnerability affecting the handling of onenote:// URLs in different versions of Office. What was surprising about the patch is that the vulnerability being fixed only bore a passing resemblance to the one that was notified to Microsoft in March of this year.

Once the USAF Cyber Command was effectively put on ice recently, coverage of the US military's approach to network warfare and defence also went away. The existing infrastructure and systems that had been in place prior to the attempted set up of Cyber Command still continue to operate and the head of US Strategic Command, General Kevin Chilton, recently spoke about a range of the issues being faced in operating the US military's lesser-classified networks.

Unless you're a dyed in the wool cryptographic geek you probably didn't know that there was a Crypto conference, or even a chain of worldwide crypto conferences that take place each year. Fortunately, for the most of us that aren't crypto geeks there are a handful of very highly skilled people who are; they can take the highly theoretical and complex mathematical proofs and arguments that make up most of modern cryptographic and cryptanalytic research and put it into plain language.

Information Security is an odd environment in that most of the leading edge research takes place away from academic and designated research institutions, out in the industry. As a result there is a curious approach to publishing new information that doesn't really exist anywhere else.

Microsoft's Malware Protection Center has picked up on some positive news that comes at a time when online threats are apparently increasing without limit. According to the MMPC's blog, there have been two VX (Virus writing and sharing) groups to have shut down in a very short period of time, seemingly without any external pressure. According to the post, there is really only one active group remaining, something which would have seemed far fetched not even a decade ago.

Microsoft's impending announcement at Black Hat on the 7th of this month, titled "Secure the Planet! New Strategic Initiatives from Microsoft to Rock Your World", being delivered by some of the best security names inside Microsoft, has already gained the attention of many in the wider community.

Dan Kaminsky's disclosed DNS flaw seems to be causing more and more problems for Internet users as time goes on. With detailed exploit code readily available from any number of sources, and with talented researchers creating their own highly tuned versions of the exploit, things are beginning to look perilous for a large portion of the Internet's userbase, including Australian ISPs.