The Register Columnists

Robert Lemos

Contact Mail Follow RSS feed
channel

Attackers end-run around IE security

The dependence of Internet Explorer on other Windows components has allowed online attackers to work around the shored-up security of Microsoft's latest browser. Last weekend, security researchers discovered a website using an previously unknown, or zero-day, vulnerability in a relatively unused ActiveX component of Windows to …
Robert Lemos, 08 Nov 2006
The Register breaking news

Quantum attacks worry computer scientists

In the weird world of quantum computing, the state of computer systems networked together is so fragile that a read access to a single quantum bit, or qubit, on one machine would require a network-wide reset. It's no wonder, then, that two researchers who are working on ways of defending against the future possibility of …
Robert Lemos, 02 Nov 2006
channel

Bot nets likely behind jump in spam

A significant rise in the global volume of spam in the past two months has security analysts worried that bot nets are increasingly being used by spammers to stymie network defenses erected to curtail bulk email. Estimates of the magnitude of the increase in junk email vary, but experts agree that an uncommon surge in spam is …
Robert Lemos, 31 Oct 2006
The Register breaking news

Researcher attempts to shed light on security troll

For over a year, subscribers to the Full Disclosure security mailing list had to endure the taunts and rants of a self-styled vulnerability researcher known as "n3td3v." The troll - as such taunting posters are dubbed - would frequently ignite massive angry email responses, or flame wars, at times limiting the usefulness of the …
Robert Lemos, 23 Oct 2006
channel

Targeted Trojan attacks on the rise

Analysis On December 1, 2005, two email messages were sent from a computer in Western Australia to members of two different human rights organizations. Each email message carried a Microsoft Word document with a previously unknown exploit that would take control of the targeted person's computer and open up a beachhead into the group's …
Robert Lemos, 15 Oct 2006
The Register breaking news

Google Code Search peers into programs' flaws

Security professionals warned developers on Thursday that they need to be aware that their open-source repositories can now be easily mined, allowing attackers to target programs that are likely to be flawed. While Google could previously be used to look for specific strings, now the search engine riffles through code that much …
Robert Lemos, 08 Oct 2006
homeless man with sign

Mozilla flaws more joke than jeopardy

Two presenters razzed developers of the open source Mozilla browser this weekend at the ToorCon hacking convention in San Diego with claims that the browser's Javascript implementation is flawed, but the lecture appears to have been more stand-up comedy routine than substantiative research. The two researchers - college student …
Robert Lemos, 05 Oct 2006
globalisation

Web vulns top security threat index

Analysis Less rigor in web programming, an increasing variety of software, and restrictions on web security testing have combined to make flaws in web software the most reported security issues this year to date, according to the latest data from the Common Vulnerabilities and Exposures (CVE) project. A draft report on the latest …
Robert Lemos, 18 Sep 2006
fingers pointing at man

Trusted computing a shield against worst attacks?

Trusted computing proponents may have found their best argument yet for incorporating specialised security hardware into every computer system. A report published this week by computer firmware developer Phoenix Technologies concluded that the risks posed by the most damaging digital attacks could be eliminated if companies …
Robert Lemos, 03 Sep 2006
hands waving dollar bills in the air

Linux patch becomes terminal pain

Many users of the increasingly popular Ubuntu Linux distribution found themselves thrown back to mid-1990s on Tuesday, when a botched update to the graphical X Window subsystem brought them face-to-face with the command-line terminal. The update, pushed out to Ubuntu users Monday night, aimed to fix some hardware issues to the …
Robert Lemos, 26 Aug 2006
arrow pointing up

Microsoft flaw fix opens users to attack

Microsoft continued to work on Tuesday to create a fix for an exploitable flaw introduced by the company's latest security update to Internet Explorer. The flaw, initially thought to only crash Internet Explorer, actually allows an attacker to run code on computers running Windows 2000 and Windows XP Service Pack 1 that have …
Robert Lemos, 24 Aug 2006
fingers pointing at man

Bot spreads using latest Windows flaw

Security firms reiterated advice to companies and home users to patch their Windows systems, after a bot program was detected last week that used a recently fixed flaw to compromise computers. The bot has reportedly not spread very widely, according to advisories posted by Microsoft, Symantec, and security firm LURHQ, which …
Robert Lemos, 17 Aug 2006
The Register breaking news

Covert channel tool hides data in IPv6

An independent security researcher showed off an early version of a tool for creating covert channels that, he claims, can pass undetected through most firewalls and intrusion detection systems. The tool, dubbed VoodooNet or v00d00n3t, uses the ability of most computers to encapsulate next-generation network traffic, known as …
Robert Lemos, 14 Aug 2006
arrow pointing up

Researchers warn over web worms

LAS VEGAS - Exploiting a lack of security checks in browsers and Web servers, web worms and viruses are likely to become a major threat to surfers, security researchers speaking at the Black Hat Briefings warned on Thursday. In separate presentations, researchers showed off techniques for using Javascript code on Web pages to …
Robert Lemos, 06 Aug 2006
channel

Attackers pass on operating systems

The disappearance of easy-to-find flaws in the major operating systems has pushed vulnerability researchers to branch out from finding security issues in core system software and instead concentrate on the device drivers and client-side agents present on all PCs, security experts said on Wednesday at the Black Hat Briefings. …
Robert Lemos, 04 Aug 2006
fingers pointing at man

ActiveX security faces storm before calm

HD Moore is at it again. Using a custom-built data fuzzing tool, the security researcher pinpointed more than 100 vulnerabilities in the ActiveX controls included with the default installation of Microsoft's Windows XP operating system. Data fuzzing tools combine knowledge of the input parameters accepted by a software package …
Robert Lemos, 02 Aug 2006
The Register breaking news

SCADA system makers urged to tighten security

Idaho National Laboratory and the New York State Office of Cyber Security and Critical Infrastructure have teamed up with utilities and makers of distributed control system software to offer advice on how to make system security a major part of the critical infrastructure. Later this week, the group will release the latest …
Robert Lemos, 28 Jul 2006
channel

Flaw finders lay siege to Microsoft Office

For most of the summer, Microsoft's Office product teams have had little time for development. Responding to a steady influx of flaws in the company's Office productivity suite has occupied many of Microsoft's programmers since late 2005. So far this year, the software giant has detailed at least 24 Office flaws found by outside …
Robert Lemos, 22 Jul 2006
The Register breaking news

Daily flaws ratchet up debate

HD Moore is used to polarising the vulnerability-research community. As the creator of the Metasploit Project, an open-source tool for automating the exploitation of vulnerabilities, Moore has had his share of contentious debates with other security professionals. However, his latest endeavour - releasing a browser bug every …
Robert Lemos, 17 Jul 2006
The Register breaking news

Researchers look to predict software flaws

Want to know how many flaws will be in the next version of a software product? Using historical data, researchers at Colorado State University are attempting to build models that predict the number of flaws in a particular operating system or application. In an analysis to be presented at a secure computing conference in …
Robert Lemos, 10 Jul 2006
The Register breaking news

AT&T privacy policy overreaches, lawyers say

A recent change to AT&T's privacy policy for broadband and video users is overbroad and likely will leave the courts or Congress to decide whether the company's practices are standard or sinister, legal experts said. The policy change, which comes as the telecommunications giant is defending itself in court against multiple …
Robert Lemos, 03 Jul 2006
The Register breaking news

USB drives pose insider threat

In a recent test of a credit union's network security, consultants working for New York-based security audit firm Secure Network Technologies scattered 20 USB flash drives around the financial group's building. Each memory fob held a program - disguised as an image file - that would collect passwords, user names and information …
Robert Lemos, 27 Jun 2006
The Register breaking news

SCADA industry debates flaw disclosure

The outing of a simple crash bug has caused public soul-searching in an industry that has historically been closed-mouthed about its vulnerabilities. The flaw, in a particular vendor's implementation of the Inter-Control Centre Communications Protocol (ICCP), could have allowed an attacker the ability to crash a server. Yet, …
Robert Lemos, 19 Jun 2006
The Register breaking news

Researchers eye machines to tackle malware

The reverse engineer - better known amongst security researchers by his nom de plume, Halvar Flake - created an automated system for classifying software into groups, a process for which he believes machines are much better suited. Research using the system has underscored the sometimes-arbitrary decisions humans make in …
Robert Lemos, 10 Jun 2006
arrow pointing up

Cybersecurity contests go national

It has all the makings of a B-movie plot: A corporate network targeted by hackers and a half dozen high-school students as the company's only defense. Yet, teams of students from ten different Iowa high schools faced exactly that scenario during a single night in late May in the High School Cyber Defense Competition. The …
Robert Lemos, 05 Jun 2006