Dennis Fisher

About

Dennis Fisher is a journalist with more than 13 years of experience covering information security.

Real World Security – Ed Bellis interview

Dennis Fisher talks with Ed Bellis, CISO of Orbitz Worldwide, about the security challenges facing a Web-based business, the value of software security initiatives and the joys of compliance in today’s regulatory environment.

Serious Zero-Day Flaw Found in FreeBSD, Exploit Published

A researcher has published an explanation of a new flaw in FreeBSD that allows an attacker to take control of a vulnerable machine. The vulnerability could give an attacker root access to the FreeBSD machine, and the FreeBSD developers published a patch for the flaw early Tuesday.

WordPress Installations Under Brute-Force Attack

There is an ongoing attack against some WordPress implementations that is trying to brute-force the passwords for the administrator accounts on the installations. The attack is being driven by an automated PHP script that tries thousands of possible passwords.


Jose Nazario on Botnets and the History of DDoS Attacks

Over the course of a few days in February 2000, a lone hacker was able to bring some of the Web’s larger sites to their knees, using just a few dozen machines and some relatively primitive software to cripple Yahoo, eBay, E*trade, Amazon, ZDnet and others for hours at a time. No one knew it at the time, but these attacks would come to be seen in later years as some of the earlier outbreaks of what has become a massive online pandemic.

Dennis Fisher talks with Jose Nazario of Arbor Networks about the Mafiaboy attacks, the history of DDoS attacks and the botnet epidemic.

Microsoft has acknowledged a new unpatched vulnerability in Internet Explorer 6 and 7, and said that the company is investigating methods for fixing the flaw.

The company said that although there is public exploit code available for the vulnerability, it has not seen any evidence of ongoing attacks against the IE flaw yet. Experts said that the exploit code for the vulnerability, which was published on Friday on Bugtraq, was unreliable. However, researchers at IBM ISS’s X-Force said on Monday that they had developed a reliable exploit of their own for the flaw.

In its advisory on the IE flaw, Microsoft said that the weakness affects IE6 and IE7 running on Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008. The vulnerability does not affect Windows 7, the company’s newest release, or IE8, the latest version of the browser. Microsoft also said that running IE7 in Protected Mode on Windows Vista, which limits some of the browser’s functionality, mitigates some of the effects of the vulnerability.

“At this time, we are aware of no attacks attempting to use this vulnerability against Internet Explorer 6 Service Pack 1 and Internet Explorer 7. We will continue to monitor the threat environment and update this advisory if this situation changes. On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs,” Microsoft said in its advisory.

The next monthly patch release from Microsoft is due Dec. 8. Until a patch is available, Microsoft suggests several actions that could help mitigate the vulnerability, including setting IE to prompt you before it runs ActiveX controls or active scripting, and enabling DEP (Data Execution Protection) in IE7. To enable DEP, go to the Tools menu, click on Internet Options and then on the Advanced tab. Select the check box for “Enable memory protection to help mitigate online attacks.” Microsoft also has published a FixIt tool that will automatically enable DEP.