The Register Columnists

Robert Lemos

Contact Mail Follow RSS feed
The Register breaking news

US issues revised e-voting standards

The National Institute of Standards and Technology (NIST) delivered an update on Monday to the United States' electronic voting standards, adding more requirements to test systems for accuracy and reliability and additional rules to make paper audit trails easier to review. The draft revision, known as the Voluntary Voting …
Robert Lemos, 03 Jun 2009
The Register breaking news

Cyber attack could bring US military response

The United States' top commanding officer for the space and cyber domains told reporters last week that a cyber attack could merit a more conventional military response. During a press briefing on Thursday, US Air Force General Kevin Chilton, who heads the US Strategic Command, said that top Pentagon advisors would not rule out …
Robert Lemos, 13 May 2009
The Register breaking news

Better metrics needed for security, says expert

BOSTON — The security industry has done a poor job of finding ways for companies to measure their security, but that does not mean that collecting data is not valuable, the former head of the U.S. Department of Homeland Security's cyber group told attendees at the SOURCE Boston conference on Thursday. Amit Yoran, CEO of security …
Robert Lemos, 16 Mar 2009
The Register breaking news

US spy agency gains support for cyber security role

The United States' top intelligence official argued last week that the National Security Agency should become the nation's cyber defender, adding his voice to the growing murmur of support for the agency's future role in cyberspace. In comments before the US House of Representatives' intelligence committee on Wednesday, the …
Robert Lemos, 03 Mar 2009
The Register breaking news

Kaminsky calls for DNSSEC deployment

ARLINGTON, VA. -- Dan Kaminsky's second act has begun: Pushing the adoption of the DNSSEC security standard for the domain-name system. So many security frameworks — from password resets via e-mail to SSL certificates — rely on DNS in some way that the protocol has to be secured for Internet security to work, Kaminsky told …
Robert Lemos, 21 Feb 2009

Researchers find more flaws in wireless security

Wireless networks that use a popular form of security known as Wi-Fi Protected Access (WPA) are vulnerable to an attack that could compromise certain communications in less than 15 minutes, two researchers plan to tell attendees next week at the PacSec 2008 conference in Tokyo. Martin Beck and Erik Tews - two graduate students …
Robert Lemos, 08 Nov 2008
The Register breaking news

US kicks off secure hash competition

Dozens of amateur and professional cryptographers signed up last week for the United States' first open competition to create a secure algorithm for generating hashes - the digital fingerprints widely used in a variety of security functions. The contest, run by the National Institute of Standards and Technology (NIST), seeks to …
Robert Lemos, 04 Nov 2008
The Register breaking news

Feds charge 11 in TJX ID fraud case

Federal prosecutors announced on Tuesday that they had indicted eleven people in the largest case of identity theft and hacking ever prosecuted by the US Department of Justice. The eleven suspects, including three US citizens, allegedly took part in stealing more than 40 million credit and debit card accounts from nine major …
Robert Lemos, 06 Aug 2008

Vendors form alliance to fix DNS poisoning flaw

An alliance of software makers and network-hardware vendors announced on Tuesday that they had banded together to fix a fundamental flaw in the design of the internet's address system. The vulnerability in the domain name system (DNS) - the distributed database that matches a host and domain name with the numerical address of a …
Robert Lemos, 09 Jul 2008
The Register breaking news

Legal experts wary of MySpace hacking charges

On October 16, 2006, 13-year-old Megan Meier fled from her family's computer, distraught over the cutting comments of her supposed "friends" on MySpace. Twenty minutes later, the troubled teen was dead; she had hung herself in her closet. The story, widely reported, garnered the girl's family widespread sympathy on the Internet …
Robert Lemos, 17 May 2008

MS patch system poses 'significant risk', say researchers

A group of four computer scientists urged Microsoft to redesign the way it distributes patches, after they created a technique that automatically produces attack code by comparing the vulnerable and repaired versions of a program. The technique, which the researchers refer to as automatic patch-based exploit generation (APEG), …
Robert Lemos, 25 Apr 2008
The Register breaking news

Lawmakers voice concerns over cybersecurity plan

Members of the House of Representatives sought details on Thursday of a $30bn plan to secure federal government systems and upgrade network defenses to ward off attacks from foreign nations and online criminals. Known as the Cyber Initiative, the Bush Administration project would dramatically reduce the number of …
Robert Lemos, 04 Mar 2008
Warning: biohazard

Malware hitches a ride on digital devices

It's time to add digital picture frames to the group of consumer products that could carry computer viruses and Trojan horse programs. In the past month, at least three consumers have reported that photo frames - small flat-panel displays for displaying digital images - received over the holidays attempted to install malicious …
Robert Lemos, 11 Jan 2008
The Register breaking news

Task force aims to improve US cybersecurity

A blue-ribbon panel of three dozen security experts hopes to craft a strategy to improve the United States' cybersecurity by the time the next president takes office, the Center for Strategic and International Studies (CSIS), and the task force's Congressional sponsors, announced on Tuesday. The bipartisan Commission on Cyber …
Robert Lemos, 02 Nov 2007
The Register breaking news

Universities warned of Storm Worm attacks

Colleges and universities have come under attack by Storm Worm botnets following attempts to detect infections through vulnerability scanning, a response centre for academic networks stated last week. The Research and Education Networking Information Sharing and Analysis Centre (REN-ISAC) sent out the warning last Thursday …
Robert Lemos, 17 Aug 2007
Mortar board

Teaching hacking helps students, professors say

When Sam Bowne visited the DEFCON hacking conference in 2006, he saw a lot of people having fun with a really interesting topic: computer security. As a professor of computer science at the City College of San Francisco, Bowne wanted to find a way to make computer security accessible to the average student. So, following his …
Robert Lemos, 07 Aug 2007

Will the iPhone be iPwned?

LAS VEGAS - The Apple Store at the Fashion Show Mall has a solid crowd for a Monday afternoon and it's easy to pinpoint the favourite. A dozen iPhone stations collect at the front of the store, and they are rarely lonely. A stylish 20-something couple laughs as the man snaps a picture of the woman and shows her the screen. A …
Robert Lemos, 03 Aug 2007

Firm finds danger in dangling pointers

In December 2005, technology consultant Inge Henriksen announced he had found a flaw in Microsoft's flagship web server platform, Internet Information Server (IIS) 5.1. Yet, because the vulnerability appeared impossible to exploit, Microsoft put off patching the issue. The programming problem represented a fairly common …
Robert Lemos, 26 Jul 2007

MPack developer on automated infection kit

Interview In June 2006, three Russian programmers started testing a collection of PHP scripts and exploit code to automate the compromise of computers that visit malicious websites. A year later, the MPack kit has become an increasingly popular tool, allowing data thieves and bot masters to take control of victims' systems and steal …
Robert Lemos, 23 Jul 2007

Spammers dump images, switch to PDF files

Foiled by increasingly accurate corporate spam filters, spammers have dumped pictures for PDFs in their bulk emailings, according to the latest data from security firms. Image spam, which at the beginning of the year accounted for nearly 60 per cent of all junk email, has plummeted and now accounts for only about 15 per cent of …
Robert Lemos, 23 Jul 2007

Fast flux foils botnet takedown

Network security analyst Lawrence Baldwin has helped take down his share of bot nets, but he worries that those days may largely be over. Traditional bot nets have used Internet relay chat (IRC) servers to control each of the compromised PCs, or bots, but the central IRC server is also a weakness, giving defenders a single …
Robert Lemos, 11 Jul 2007

Lawmakers worry over government network breaches

Long an afterthought for U.S. lawmakers, cybersecurity has received renewed attention in some parts of Congress. Last Wednesday, a U.S. House of Representatives' subcommittee took the chief information officer of the Department of Homeland Security, Scott Charbo, to task for allowing 844 significant cybersecurity incidents in …
Robert Lemos, 29 Jun 2007
The Register breaking news

Amero case spawns effort to educate

A group of security professionals, legal experts, and educators who helped former Connecticut substitute teacher Julie Amero overturn a conviction on charges of exposing her students to pornographic pop-up ads has formed a permanent organisation that aims to educate the courts and legislators about technology, crime, and digital …
Robert Lemos, 20 Jun 2007

Anti-hacking laws 'can hobble net security'

Jeremiah Grossman has long stopped looking for vulnerabilities in specific websites, and even if he suspects a site to have a critical flaw that could be compromised by an attacker, he's decided to keep quiet. The silence weighs heavily on the web security researcher. While ideally he would like to find flaws, and help …
Robert Lemos, 18 Jun 2007

Zero-day sales not 'fair' - to researchers

Two years ago, Charles Miller found a remotely exploitable flaw in a common component of the Linux operating system, and as many enterprising vulnerability researchers are doing today, he decided to sell the information. Having recently left the National Security Agency, the security professional decided to try his hand at …
Robert Lemos, 03 Jun 2007
mozilla foundation

Insecure plug-ins pose danger to Firefox users

A security weakness in the update mechanism for third-party add-ons to the Firefox browser could give an attacker the ability to exploit unsecured downloads and install malicious code on the victim's computer, a security researcher warned on Wednesday. The vulnerability affects any third-party add-ons that use an unsecured …
Robert Lemos, 01 Jun 2007
arrow pointing up

Peer-to-peer networks co-opted for DOS attacks

A flaw in the design of a popular peer-to-peer network software has given attackers the ability to create massive denial-of-service attacks that can easily overwhelm corporate websites, a security firm warned last week. Over the past three months, more than 40 companies have endured attacks emanating from hundreds of thousands …
Robert Lemos, 30 May 2007
The Register breaking news

'Data storm' blamed for nuclear plant shutdown

The US House of Representative's Committee on Homeland Security called this week for the Nuclear Regulatory Commission (NRC) to further investigate the cause of excessive network traffic that shut down an Alabama nuclear plant. During the incident, which happened last August at Unit 3 of the Browns Ferry nuclear power plant, …
Robert Lemos, 21 May 2007
triangular warning sign featuring exclamation mark

Experts scramble to quash IPv6 flaw

A flawed feature that could amplify denial-of-service attacks on next-generation networks has vendors and engineers rushing to eliminate the potential security issue. This week, experts sent two drafts to the Internet Engineering Task Force (IETF) - the technical standards-setting body for the internet - proposing different …
Robert Lemos, 11 May 2007
The Register breaking news

A Mac gets whacked, a second survives

Shane Macaulay strode into the conference hall at the CanSecWest conference on Friday afternoon, balancing a MacBook Pro on his palm and making a beeline for the table displaying two more of the silver laptops. The well-known security researcher had just spent the morning testing an exploit designed to take advantage of a …
Robert Lemos, 23 Apr 2007

Attackers improve on JavaScript trickery

CanSecWest As JavaScript becomes an increasingly key component of online attacks, attackers are investing more energy in obfuscation and other techniques to make defenders' attempts at reverse engineering more difficult, a security researcher told attendees at the annual CanSecWest conference on Wednesday. Attackers have adopted the same …
Robert Lemos, 20 Apr 2007
The Register breaking news

Developers' secure-coding skill put to the test

A coalition of security companies and organisations announced a plan this week to create assessment tests that would certify programmers' knowledge of secure-coding practices. The groups, led by the SANS Institute, aim to create a set of four tests covering major programming languages that could give companies a tool to measure …
Robert Lemos, 29 Mar 2007
The Register breaking news

Account pretexters plague Xbox Live

When Kevin Finisterre got his virtual guns handed to him in an online game of Halo 2 last Thursday, he called his opponents on their none-too-subtle hacks that skewed the game in their favour and turned the battle into a rout. His opponents - who rarely died while racking up nearly 100 kills on Finisterre's team - didn't take …
Robert Lemos, 23 Mar 2007

Anti-spyware bill could mean tougher fines

On Thursday, the anti-spyware bill - which has twice passed the U.S. House of Representatives only to be rejected by the Senate - got its third hearing in the House Subcommittee on Commerce, Trade and Consumer Protection. The bill, whose full title is the "Securely Protect Yourself Against Cyber Trespass Act," would prohibit …
Robert Lemos, 18 Mar 2007
homeless man with sign

Stormy weather for malware defenses

When the Storm Worm swept through the internet in mid-January, the program's writers took a brute force approach to evading anti-virus defenses: They created a massive number of slightly different copies of the program and released them all at the same time. On 18 January, the day the misnamed program - a Trojan horse, not a …
Robert Lemos, 07 Mar 2007

Maynor reveals missing Apple flaw

Security researcher David Maynor got some measure of vindication at the Black Hat DC Conference this year. Six months after he and his colleague Jon Ellch claimed that Mac OS X wireless drivers were vulnerable to attack, Maynor on Wednesday revealed the code he used to exploit a native flaw in the platform as well as emails …
Robert Lemos, 02 Mar 2007
arrow pointing up

Imperfect Storm aids spammers

For 24 hours in mid-January, stock-fraud investigation site StockPatrol disappeared from the internet, overwhelmed by a massive flood of web requests coming from thousands of sources. The attack came after the site wrote a handful of reports investigating and condemning the practice of pump-and-dump stock spam campaigns. No …
Robert Lemos, 19 Feb 2007
The Register breaking news

Security pros work to undo teacher's conviction

Researchers led by the head of a Florida anti-spyware firm aim to recreate what caused a Connecticut school's classroom computer to start displaying pornographic pop-ups in October 2004, an incident that recently led to four felony convictions for the substitute teacher involved. This was a Windows 98 SE machine with IE 5 and …
Robert Lemos, 04 Feb 2007

Vista raises the bar for flaw finders

Microsoft launched its latest operating system - Windows Vista - on Monday, a move that will make finding easily exploitable vulnerabilities a lot harder, according to security researchers. In a launch event in New York City, the software giant took the wraps off both Windows Vista and its Office 2007 productivity suite. Long …
Robert Lemos, 31 Jan 2007
The Register breaking news

Fraud linked to TJX data heist spreads

Banks and retailers in the United States and Canada have begun to report an increasing amount of illicit transactions thought to be linked to the server breach announced last week by the TJX Companies, the commercial giant that owns retail chains in the US, Canada, and Europe. More than 60 of the 205 banks in Massachusetts have …
Robert Lemos, 29 Jan 2007
hands waving dollar bills in the air

Bug brokers offering higher bounties

Adriel Desautels aims to be the go-to guy for researchers that want to sell information regarding serious security vulnerabilities. The co-founder of security group Secure Network Operations Software (SNOSoft), Desautels has claimed to have brokered a number of deals between researchers and private firms - as well as the odd …
Robert Lemos, 25 Jan 2007
fingers pointing at man

Vulnerability tallies surged in 2006

Flaws in Web applications boosted the bug counts for 2006 by more than a third over the previous year, according to data obtained by SecurityFocus from the four major vulnerability databases. On Monday, the Computer Emergency Response Team (CERT) Coordination Center released its final tally of the number of flaws the …
Robert Lemos, 21 Jan 2007
The Register breaking news

Spammers get bullish on stocks

A week before Christmas, Diamant Art seemingly got a holiday bonus: On 18 December, the small Canadian maker of plastic food wrap saw its sub-penny stock price triple from 0.08 cents to a peak of 0.25 cents while trading in shares of the firm skyrocketed. Yet, the price boost was not driven by good news issued by the company …
Robert Lemos, 15 Jan 2007
The Register breaking news

Stock scammer gets coal for the holidays

The US Securities and Exchange Commission put a suspected Russian brokerage-account thief's money on ice last week, after he allegedly used illicit access to people's online portfolios to drive up stock prices. The SEC charged Grand Logistic SA, a Belize corporation located in Estonia, and its owner Evgeny Gashichev of Russia, …
Robert Lemos, 28 Dec 2006

PHP security under scrutiny

A week after a prominent bug finder and developer left the PHP Group, data from the National Vulnerability Database has underscored the need for better security in PHP-based web applications. A search of the database, maintained by the National Institute of Standards and Technology (NIST), found that web applications written in …
Robert Lemos, 21 Dec 2006

Social sites' insecurity increasingly worrisome

Personal web spaces on MySpace, videos on YouTube, and blogs - community sites hosting user-created content - have become increasingly popular. While the web has always been about publishing digital information, the stunning popularity of hubs for content created by the audience has attracted more people to the world of quick- …
Robert Lemos, 05 Dec 2006

Bot spreads through anti-virus, Windows flaws

University security experts warned administrators on Monday that a bot program has started to spread by exploiting five patched Microsoft vulnerabilities and a six-month-old flaw in Symantec's anti-virus software. The bot program, identified as W32.Spybot.ACYR by Symantec, has compromised a small number of systems at various …
Robert Lemos, 29 Nov 2006
The Register breaking news

Second life plagued by 'grey goo' attack

For about two hours, the virtual landscape of Second Life filled with golden rings and the distinctive two-tone ding of Sega's popular Sonic the Hedgehog games. The rings' listed creator was the fictional "Dr Robotnik," a character from the Sonic games. However, the deluge of rings was not some form of cross promotion, but a …
Robert Lemos, 24 Nov 2006

Malware goes to the movies

Online attackers have started to experiment with embedding malicious code or links to such code in different video formats. On Tuesday, anti-virus firm McAfee warned Windows users that the company had discovered a worm, dubbed W32/Realor, actively infecting Real Media files. The infected video files do not contain an exploit …
Robert Lemos, 16 Nov 2006
The Register breaking news

E-voting worries focus on failures, not fraud

Major electronic voting machine problems occurred in at least six US states during the country's midterm elections, underscoring that system failure, not fraud, is the biggest issue facing future races, voting-rights activists and technologists said this week. Machine problems delayed voting in many precincts in Colorado, …
Robert Lemos, 12 Nov 2006