The Register Columnists

Robert Lemos

Contact Mail Follow RSS feed

Attackers end-run around IE security

The dependence of Internet Explorer on other Windows components has allowed online attackers to work around the shored-up security of Microsoft's latest browser. Last weekend, security researchers discovered a website using an previously unknown, or zero-day, vulnerability in a relatively unused ActiveX component of Windows to …
Robert Lemos, 08 Nov 2006
The Register breaking news

Quantum attacks worry computer scientists

In the weird world of quantum computing, the state of computer systems networked together is so fragile that a read access to a single quantum bit, or qubit, on one machine would require a network-wide reset. It's no wonder, then, that two researchers who are working on ways of defending against the future possibility of …
Robert Lemos, 02 Nov 2006

Bot nets likely behind jump in spam

A significant rise in the global volume of spam in the past two months has security analysts worried that bot nets are increasingly being used by spammers to stymie network defenses erected to curtail bulk email. Estimates of the magnitude of the increase in junk email vary, but experts agree that an uncommon surge in spam is …
Robert Lemos, 31 Oct 2006
The Register breaking news

Researcher attempts to shed light on security troll

For over a year, subscribers to the Full Disclosure security mailing list had to endure the taunts and rants of a self-styled vulnerability researcher known as "n3td3v." The troll - as such taunting posters are dubbed - would frequently ignite massive angry email responses, or flame wars, at times limiting the usefulness of the …
Robert Lemos, 23 Oct 2006

Targeted Trojan attacks on the rise

Analysis On December 1, 2005, two email messages were sent from a computer in Western Australia to members of two different human rights organizations. Each email message carried a Microsoft Word document with a previously unknown exploit that would take control of the targeted person's computer and open up a beachhead into the group's …
Robert Lemos, 15 Oct 2006
The Register breaking news

Google Code Search peers into programs' flaws

Security professionals warned developers on Thursday that they need to be aware that their open-source repositories can now be easily mined, allowing attackers to target programs that are likely to be flawed. While Google could previously be used to look for specific strings, now the search engine riffles through code that much …
Robert Lemos, 08 Oct 2006
homeless man with sign

Mozilla flaws more joke than jeopardy

Two presenters razzed developers of the open source Mozilla browser this weekend at the ToorCon hacking convention in San Diego with claims that the browser's Javascript implementation is flawed, but the lecture appears to have been more stand-up comedy routine than substantiative research. The two researchers - college student …
Robert Lemos, 05 Oct 2006

Web vulns top security threat index

Analysis Less rigor in web programming, an increasing variety of software, and restrictions on web security testing have combined to make flaws in web software the most reported security issues this year to date, according to the latest data from the Common Vulnerabilities and Exposures (CVE) project. A draft report on the latest …
Robert Lemos, 18 Sep 2006
fingers pointing at man

Trusted computing a shield against worst attacks?

Trusted computing proponents may have found their best argument yet for incorporating specialised security hardware into every computer system. A report published this week by computer firmware developer Phoenix Technologies concluded that the risks posed by the most damaging digital attacks could be eliminated if companies …
Robert Lemos, 03 Sep 2006
hands waving dollar bills in the air

Linux patch becomes terminal pain

Many users of the increasingly popular Ubuntu Linux distribution found themselves thrown back to mid-1990s on Tuesday, when a botched update to the graphical X Window subsystem brought them face-to-face with the command-line terminal. The update, pushed out to Ubuntu users Monday night, aimed to fix some hardware issues to the …
Robert Lemos, 26 Aug 2006
arrow pointing up

Microsoft flaw fix opens users to attack

Microsoft continued to work on Tuesday to create a fix for an exploitable flaw introduced by the company's latest security update to Internet Explorer. The flaw, initially thought to only crash Internet Explorer, actually allows an attacker to run code on computers running Windows 2000 and Windows XP Service Pack 1 that have …
Robert Lemos, 24 Aug 2006
fingers pointing at man

Bot spreads using latest Windows flaw

Security firms reiterated advice to companies and home users to patch their Windows systems, after a bot program was detected last week that used a recently fixed flaw to compromise computers. The bot has reportedly not spread very widely, according to advisories posted by Microsoft, Symantec, and security firm LURHQ, which …
Robert Lemos, 17 Aug 2006
The Register breaking news

Covert channel tool hides data in IPv6

An independent security researcher showed off an early version of a tool for creating covert channels that, he claims, can pass undetected through most firewalls and intrusion detection systems. The tool, dubbed VoodooNet or v00d00n3t, uses the ability of most computers to encapsulate next-generation network traffic, known as …
Robert Lemos, 14 Aug 2006
arrow pointing up

Researchers warn over web worms

LAS VEGAS - Exploiting a lack of security checks in browsers and Web servers, web worms and viruses are likely to become a major threat to surfers, security researchers speaking at the Black Hat Briefings warned on Thursday. In separate presentations, researchers showed off techniques for using Javascript code on Web pages to …
Robert Lemos, 06 Aug 2006

Attackers pass on operating systems

The disappearance of easy-to-find flaws in the major operating systems has pushed vulnerability researchers to branch out from finding security issues in core system software and instead concentrate on the device drivers and client-side agents present on all PCs, security experts said on Wednesday at the Black Hat Briefings. …
Robert Lemos, 04 Aug 2006
fingers pointing at man

ActiveX security faces storm before calm

HD Moore is at it again. Using a custom-built data fuzzing tool, the security researcher pinpointed more than 100 vulnerabilities in the ActiveX controls included with the default installation of Microsoft's Windows XP operating system. Data fuzzing tools combine knowledge of the input parameters accepted by a software package …
Robert Lemos, 02 Aug 2006
The Register breaking news

SCADA system makers urged to tighten security

Idaho National Laboratory and the New York State Office of Cyber Security and Critical Infrastructure have teamed up with utilities and makers of distributed control system software to offer advice on how to make system security a major part of the critical infrastructure. Later this week, the group will release the latest …
Robert Lemos, 28 Jul 2006

Flaw finders lay siege to Microsoft Office

For most of the summer, Microsoft's Office product teams have had little time for development. Responding to a steady influx of flaws in the company's Office productivity suite has occupied many of Microsoft's programmers since late 2005. So far this year, the software giant has detailed at least 24 Office flaws found by outside …
Robert Lemos, 22 Jul 2006
The Register breaking news

Daily flaws ratchet up debate

HD Moore is used to polarising the vulnerability-research community. As the creator of the Metasploit Project, an open-source tool for automating the exploitation of vulnerabilities, Moore has had his share of contentious debates with other security professionals. However, his latest endeavour - releasing a browser bug every …
Robert Lemos, 17 Jul 2006
The Register breaking news

Researchers look to predict software flaws

Want to know how many flaws will be in the next version of a software product? Using historical data, researchers at Colorado State University are attempting to build models that predict the number of flaws in a particular operating system or application. In an analysis to be presented at a secure computing conference in …
Robert Lemos, 10 Jul 2006
The Register breaking news

AT&T privacy policy overreaches, lawyers say

A recent change to AT&T's privacy policy for broadband and video users is overbroad and likely will leave the courts or Congress to decide whether the company's practices are standard or sinister, legal experts said. The policy change, which comes as the telecommunications giant is defending itself in court against multiple …
Robert Lemos, 03 Jul 2006
The Register breaking news

USB drives pose insider threat

In a recent test of a credit union's network security, consultants working for New York-based security audit firm Secure Network Technologies scattered 20 USB flash drives around the financial group's building. Each memory fob held a program - disguised as an image file - that would collect passwords, user names and information …
Robert Lemos, 27 Jun 2006
The Register breaking news

SCADA industry debates flaw disclosure

The outing of a simple crash bug has caused public soul-searching in an industry that has historically been closed-mouthed about its vulnerabilities. The flaw, in a particular vendor's implementation of the Inter-Control Centre Communications Protocol (ICCP), could have allowed an attacker the ability to crash a server. Yet, …
Robert Lemos, 19 Jun 2006
The Register breaking news

Researchers eye machines to tackle malware

The reverse engineer - better known amongst security researchers by his nom de plume, Halvar Flake - created an automated system for classifying software into groups, a process for which he believes machines are much better suited. Research using the system has underscored the sometimes-arbitrary decisions humans make in …
Robert Lemos, 10 Jun 2006
arrow pointing up

Cybersecurity contests go national

It has all the makings of a B-movie plot: A corporate network targeted by hackers and a half dozen high-school students as the company's only defense. Yet, teams of students from ten different Iowa high schools faced exactly that scenario during a single night in late May in the High School Cyber Defense Competition. The …
Robert Lemos, 05 Jun 2006
The Register breaking news

Diebold voting systems critically flawed

Michael Shamos remembers that the call came late at night, during the last week of April. The call - from election watchdog - described a critical vulnerability in Diebold Election Systems' touchscreen voting systems that could allow any person with access to a voting terminal the ability to completely change …
Robert Lemos, 14 May 2006

Bot software looks to improve peerage

Peer-to-peer technology appears to have resurfaced in a worm last weekend. The worm, dubbed Nugache and classified also as bot software, attempts to infect systems through email, America Online's instant messaging network, and network shares on vulnerable computers. Once it compromises a computer, the program uses a seed list …
Robert Lemos, 04 May 2006

Breach case could curtail web flaw finders

Security researchers and legal experts have voiced concern this week over the prosecution of an information technology professional for computer intrusion after he allegedly breached a university's online application system while researching a flaw without the school's permission. Last Thursday, the US Attorney's Office in the …
Robert Lemos, 28 Apr 2006

Email authentication gaining steam

A host of software companies, security firms and internet service providers met in Chicago on Wednesday to urge corporations and bulk message senders to adopt email authentication technologies. The technologies, known as Sender ID and DomainKeys, aim to allow email recipients to positively identify the sender of an email …
Robert Lemos, 24 Apr 2006

Browser crashers warm to data fuzzing

Last month, security researcher HD Moore decided to write a simple program that would mangle the code found in web pages and gauge the effect such data would have on the major browsers. The result: hundreds of crashes and the discovery of several dozen flaws. The technique - called packet, or data, fuzzing - is frequently used …
Robert Lemos, 13 Apr 2006
arrow pointing up

Groups argue over merits of flaw bounties

Vulnerability researchers, software makers, and security companies that buy information about software flaws found little in common during a panel discussion on Wednesday debating the merits of vulnerability-purchasing programs. The discussion, wrapping up the first day of the CanSecWest Security Conference, left software …
Robert Lemos, 06 Apr 2006

Patches released for zero-day IE threat

Hundreds of malicious websites are attempting to exploit the most critical of two flaws announced last week in Microsoft's browser, convincing two companies to release workarounds late Monday to head off the threat. Security firms Determina and eEye Digital Security each created a standalone patch to protect Windows systems …
Robert Lemos, 29 Mar 2006

Debit-card fraud underscores legal loopholes

Recent widespread debit-card fraud likely has roots in three major data leaks that occurred in the last six months, two of which have yet to be publicly disclosed by the companies involved. Consumers have noted a large increase in the amount of debit-card fraud since the beginning of 2006, as well as a wide recall of cards by …
Robert Lemos, 22 Mar 2006
arrow pointing up

Debit card fraud underscores legal loopholes

Consumers have noted a large increase in the amount of debit card fraud since the beginning of 2006, as well as a wide recall of cards by banks and financial institutions. Three major incidents are likely fueling the fraud, according to financial and security experts. A breach associated with bulk goods retailer Sam's Club last …
Robert Lemos, 22 Mar 2006
fingers pointing at man

Virus names likely a lost cause

In early February, anti-virus firms warned customers about a computer virus programmed to delete files on the third of each month, but almost every company called the program by a different name. A month later, the companies still use a hodge-podge of monikers for the program: Blackmal, Nyxem, MyWife, KamaSutra, Blackworm, …
Robert Lemos, 11 Mar 2006
fingers pointing at man

Anti-virus groups fight over Crossover sharing

A virus that spreads from PCs to mobile devices has become the focus of a power play between the anti-virus industry and the relatively young Mobile Anti-virus Research Association, which obtained the only sample of the program. This week, the Mobile Anti-virus Research Association (MARA), a collection of professors, authors …
Robert Lemos, 06 Mar 2006

Triple threat to Mac OS X largely academic

At first blush, the past two weeks have not been good for the image of Apple's Mac OS X: Public descriptions of two worms and a trivial exploit for a serious software issue in the operating system appeared on the internet. However, the three programs are hardly a threat to systems running Mac OS X, according to security …
Robert Lemos, 27 Feb 2006

Private identities become a corporate focus

During his keynote during the RSA Conference, Scott McNealy seemed almost apologetic. The Sun Microsystems CEO, infamous for his pronouncement, "You have zero privacy anyway - Get over it," took a conciliatory tone on the stage here, allowing that privacy might be something for which consumers should fight. He warned companies …
Robert Lemos, 21 Feb 2006
For Sale sign detail

Oracle in war of words with security researcher

ARLINGTON, Virginia - A security researcher released details of a critical flaw in Oracle's application and Web software on Wednesday, criticising the company for not cooperating with the security community and taking too long to fix software issues that threaten its customers. The flaw occurs in the way that a module in Oracle …
Robert Lemos, 26 Jan 2006

Researcher: Sony BMG rootkit still widespread

WASHINGTON D.C. Hundreds of thousands of networks across the globe, including many military and government networks, appear to still contain PCs with the controversial copy-protection software installed by music discs sold by media giant Sony BMG, a security researcher told attendees at the ShmooCon hacking conference this …
Robert Lemos, 16 Jan 2006
hands waving dollar bills in the air

Zero-day WMF flaw underscores patch problems

For four days in January, network administrators and security-savvy home users had a choice: download and install an unofficial open-source fix for the critical flaw in the Windows Meta File (WMF) format, or wait an estimated week for an official patch from Microsoft. With security experts warning about the spread of exploits …
Robert Lemos, 13 Jan 2006
arrow pointing up

Security flaws on the rise, questions remain

After three years of modest or no gains, the number of publicly reported vulnerabilities jumped in 2005, boosted by easy-to-find bugs in web applications. Yet, questions remain about the value of analyzing current databases, whose data rarely correlates easily. A survey of four major vulnerability databases found that the …
Robert Lemos, 09 Jan 2006
For Sale sign detail

Researchers: Flaw auctions would improve security

The auction may have set a record price for a highlighter pen and an 8-by-11-inch sheet of paper. The last reported bid before the listing was deleted without ceremony was $1,200. The price might seem excessive, but the value lay in what some researchers believed was on the paper: Information about an unpatched vulnerability in …
Robert Lemos, 16 Dec 2005
arrow pointing up

eBay pulls Excel vulnerability auction

Online auction giant eBay shut down the bidding for a vulnerability in Microsoft's Excel spreadsheet program on Thursday, saying that the sale of flaw research violates the site's policy against encouraging illegal activity. The vulnerability, which could allow a malicious programmer to create an Excel file that could take …
Robert Lemos, 10 Dec 2005
homeless man with sign

Consumers improving security, but gaps remain

Spyware and viruses have infected fewer home PCs than a year ago, but the large majority of computer users still lack a critical software defense, such as spyware protection, up-to-date antivirus or a properly configured firewall, according to a study of Internet users released on Wednesday. The Online Safety Study, conducted …
Robert Lemos, 07 Dec 2005
hands waving dollar bills in the air

Federal flaw database commits to grading system

A federal database of software vulnerabilities funded by the US Department of Homeland Security has decided on a common method of ranking flaw severity and has assigned scores to the more than 13,000 vulnerabilities currently contained in its database, the group announced last week. The National Vulnerability Database, unveiled …
Robert Lemos, 04 Dec 2005
fingers pointing at man

Zone Labs sued over spyware classification

Marketing company 180solutions filed a lawsuit against desktop-security firm Zone Labs taking issue with a warning generated by the security firm's personal firewall software, which labels 180solutions advertising client as spyware. The lawsuit--filed last month but only recently came to light - cites warnings generated by Zone …
Robert Lemos, 02 Dec 2005

Mac OS X security under scrutiny

When the SANS Institute, a computer-security training organization, released its Top-20 vulnerabilities last week, the rankings continued an annual ritual aimed at highlighting the worst flaws for network administrators. This year, the list had something different, however: the group flagged the collective vulnerabilities in …
Robert Lemos, 01 Dec 2005
The Register breaking news

Study suggests DMCA takedown regs abused

One third of all requests to Internet service providers to remove stolen copyrighted material from their servers could likely be defeated in court, according to a study of some 900 notices by two legal experts. The survey examined takedown notices served to Google and another large Internet provider under the Digital Millennium …
Robert Lemos, 27 Nov 2005
The Register breaking news

Texas puts Sony BMG in its sights

The Attorney General for the state of Texas filed a lawsuit against Sony BMG Music Entertainment on Monday, calling the media giant's copy-protection technology "illegal spyware". The complaint alleges that Sony BMG violated the Texas Consumer Protection Against Computer Spyware (CPACS) Act, which includes provisions that …
Robert Lemos, 22 Nov 2005