Security

Microsoft patches 10 flaws with seven bulletins

Microsoft on Tuesday released its June 2008 security bulletin, which includes three critical, three important, and one moderate patch.

Of the critical bulletins, one is for the Bluetooth stack in Windows XP and Windows Vista, one is for DirectX, and another is a cumulative update to Internet Explorer. The one moderate bulletin covers a flaw in the speech recognition feature in Windows 2000, XP, and Windows Vista. Of the important bulletins, one concerns Active Directory and another Pragmatic General Multicast (PGM). All Microsoft security patches for both Windows and Office software are available via Microsoft Update or via the individual bulletins … Read more

IMDB victim of denial-of-service attack

On Friday, Internet movie database IMDB fell victim to a sustained distributed denial-of-service (DDoS) attack that coincided with Amazon.com being offline, says one researcher.

Soups Ranjan, a senior member of the technical staff of network protection and management company Narus, said in a blog that he found evidence that at least one of the IP addresses used by IMDB fell under a sustained DDoS attack between 10:30 a.m. and 1:30 p.m. PDT Friday.

"My attempt to load the IMDB page via a direct connection to the Web server under attack (http://72.21.206.… Read more

Opera 9.5 to include antimalware protection

On Friday Opera announced that version 9.5 of the browser (download Opera 9.5 beta for Windows or Mac) will include built-in antimalware protection from Haute Secure (download for Windows 32-bit or Windows 64-bit).

This is, of course, to counter the antimalware protection built into Firefox 3, currently available as a final release candidate (download for Windows or Mac). Firefox uses data from Google and StopBadware to block a site before it loads on your browser.

Haute Secure counters that its offering is better because it relies upon a community of dedicated users to inform the product when to … Read more

Microsoft to release seven bulletins on Tuesday

Microsoft is planning seven security bulletins for its Patch Tuesday this month, the company announced Thursday.

Three of the bulletins are deemed critical by Microsoft, and cover Bluetooth, Internet Explorer, and DirectX. The Internet Explorer bulletin is expected to be cumulative and might include some remediation for the Safari for Windows vulnerability disclosed last month by Nitesh Dhanjani.

Three of the bulletins are termed important, and cover WINS, Active Directory, and PGM. One of the bulletins is considered moderate and covers kill bits.

The bulletins will be released on Tuesday.

Updated: Hotmail users getting locked out

As a follow-up to last week's story on Hotmail users getting locked out, the second account mentioned has been restored.

Last Wednesday, Hotmail account holder Will showed CNET an e-mail verifying that he notified Microsoft on May 2 that his Hotmail password had been changed without his knowledge. Microsoft support staff responded with the following message: "Thank you for your message to MSN and Windows Live Privacy. I understand you are having difficulties accessing your MSN Hotmail account because you believe someone has gained unauthorized access to your account. For assistance with this issue, please contact the MSN … Read more

Codenomicon CTO discusses tackling vulnerabilities

This week, I had a chance to talk by phone with Ari Takanen, co-founder and CTO of Codenomicon. Takanen's company doesn't engage in vulnerability research but instead creates the tools by which enterprises can check their own software for vulnerabilities.

Which raises a question. On previous shows I've interviewed independent researchers who, outside of a given company, have identified and made public serious vulnerabilities. One would think an independent voice might be better than one located inside a company.

Below is a transcript of part of my interview. The entire podcast can be heard here.

Q: What … Read more

Researchers say Microsoft's CardSpace vulnerable

Using attacks similar to those used to break .NET Passport, a group of students at the Ruhr-Universität Bochum in Germany claim to have stolen CardSpace's security tokens from a compromised machine. But Microsoft dismisses the attack, saying an attacker would need a user's help.

CardSpace is included within .NET Framework 3.0 and allows users to create personal information cards that are shared with participating Web sites for authentication. A user creates a CardSpace card for a site and the .NET software then obtains a digitally signed XML token from the site issuer. What the students in … Read more

Microsoft warns of Safari for Windows blended attacks

Microsoft has issued an advisory warning Windows users who have installed the Apple Safari for Windows browser that their systems may be vulnerable to attack.

The Safari "carpet bombing" attack was first described by Nitesh Dhanjani last month, but Apple dismissed it as not a serious threat. Under Dhanjani's scenario, a user would surf using Apple Safari for Windows to a maliciously crafted Web site such as http://malicious.example.com/. Dhanjani says Safari does not know how to render content-type of blah/blah, so it starts downloading carpet_bomb.cgi, executing the downloaded files with the same rights … Read more

Hotmail users getting locked out

Imagine getting an e-mail from a friend or family member with the following subject line: "ITS IMPORTANT YOU GET BACK ME TODAY."

CNET is aware of a couple of Hotmail users who have recently gotten locked out of their accounts. In one case, someone who had hacked into an account sent a desperate-sounding e-mail asking for money under the account holder's name.

Microsoft had no direct comment.

The body of one of the e-mails, sent to a CNET reporter, reads:

"I am in a hurry writing this mail. I had a trip to oxfordshire, United Kingdom … Read more

EIC Squared: D6, Dell's future, and Comcast hacks

On this week's EIC Squared podcast, ZDNet's Larry Dignan and I discuss the celebrity interviews at the D6 conference, hosted by Walt Mossberg and Kara Swisher. Unfortunately, I called in from the San Diego airport United Airlines gate area, so you'll hear crying children and the ticket taker coaxing me to get on the plane. Larry gives the lowdown on Dell's earnings and the most recent security issues, patches from Apple, and the Comcast hack.