There are a few highly publicised vulnerabilities at the moment which haven't completely been disclosed and which, it is claimed, could threaten the whole Internet as-we-know-it. Only, when the vulnerabilities are finally disclosed, it seems that the whole incident has been somewhat Chicken Little.
Stories by Carl Jongsma
Via the RISKS mailing list comes an interesting tale of poor online account management at a major online retailer. According to Graham Bennett, accounts with Amazon display an odd behaviour that doesn't seem to have attracted much attention in the past.
For the last several months Microsoft has been pushing for their Office Open XML (OOXML) office suite file specification to be accepted as an international standard by ISO, presumably to help them gain traction for future government contracts (look, this file specification is an ISO standard, it must be good).
PHP security guru Stefan Esser recently posted on some of the changes and important security issues that are likely to have significant effects for the everyday PHP coder (and user) with the release of the upcoming PHP 5.3.
What if I was to tell you that I have a secret that could end the Internet as you know it? What if I was only going to tell you at a fee-based conference once speculation had gone on for a month or more? How would you respond to that?
Who is the real identity behind that Gmail account? While finding out may not be as easy as knowing who is behind firstname.lastname@example.org (Homer Simpson, for the curious), it apparently isn't much harder.
After being plagued with project overruns and a scaling back of the final system, the US military's next generation satellite communications network is another step closer to reality, with completion of the payload module for the third and final Advanced Extremely High Frequency (EHF) satellite.
If you needed any more reminders about why it isn't a good idea to use external mail services to conduct critical business, the recent break-in to US Republican Vice-Presidential candidate Sarah Palin's email@example.com Yahoo inbox should be it. Of note is that following the disclosure of the inboxes the compromised address and another address, firstname.lastname@example.org, have been suspended.
Last week Microsoft released MS08-055 , patching a remote code execution vulnerability affecting the handling of onenote:// URLs in different versions of Office. What was surprising about the patch is that the vulnerability being fixed only bore a passing resemblance to the one that was notified to Microsoft in March of this year.
Once the USAF Cyber Command was effectively put on ice recently, coverage of the US military's approach to network warfare and defence also went away. The existing infrastructure and systems that had been in place prior to the attempted set up of Cyber Command still continue to operate and the head of US Strategic Command, General Kevin Chilton, recently spoke about a range of the issues being faced in operating the US military's lesser-classified networks.
Something that might have gone unnoticed from Google this week is the patching of a serious vulnerability that previously allowed an attacker to exploit a weakness in Google's Single Sign-On service used with Google Apps to take over a victim's Google account.
How do you justify maintaining a defence against historical vulnerabilities that should be well out of common circulation or not viable against a modern system? An infected system on the International Space Station has demonstrated the importance of maintaining such a posture just last week when it was infected with a worm that was more than a year old.
Reports of data losses and system breaches are almost becoming passe but from time to time events happen that take on a life of their own and have effects far beyond what the initial breach would normally represent.
Microsoft's Security Vulnerability Research & Defense team (SVRD) have recently posted information online about the Cross Site Scripting (XSS) filter to be incorporated into Internet Explorer 8 when it is released.
Unless you're a dyed in the wool cryptographic geek you probably didn't know that there was a Crypto conference, or even a chain of worldwide crypto conferences that take place each year. Fortunately, for the most of us that aren't crypto geeks there are a handful of very highly skilled people who are; they can take the highly theoretical and complex mathematical proofs and arguments that make up most of modern cryptographic and cryptanalytic research and put it into plain language.