The Register Columnists

Robert Lemos

Contact Mail Follow RSS feed
graph up

Industry body to certify adware

An industry group formed to promote trust between consumers and websites will begin certifying adware programs starting next year, the organization announced on Wednesday. The group, TRUSTe, will put programs that meet certain criteria - such as only installing themselves after users accept an explicit agreement and allowing …
Robert Lemos, 18 Nov 2005
The Register breaking news

Counterfeiters send jammed printer for repair

Arizona authorities this week charged suspected members of a criminal ring thought responsible for 10 per cent of all fake money in the state after some members sent a printer, jammed with counterfeit bills, out for repair. A three-month investigation by the U.S. Secret Service and the local sheriff's office nabbed 10 suspects …
Robert Lemos, 17 Nov 2005
hands waving dollar bills in the air

Rainbow warriors crack password hashes

A trio of entrepreneurial hackers hope to do for the business of password cracking what Google did for search and, in the process, may remove the last vestiges of security from many password systems. Over the past two years, three security enthusiasts from the United States and Europe set a host of computers to the task of …
Robert Lemos, 10 Nov 2005

Suspected bot master busted

In what prosecutors have labeled the first case of its kind in the nation, a federal grand jury charged Jeanson James Ancheta with 17 counts of conspiracy and computer crime stemming from his alleged profitable use of bot nets. Over nearly a year, Ancheta allegedly used automated software to infect Windows systems, advertised …
Robert Lemos, 04 Nov 2005

SDBot raises IM security concerns

The latest variant of SDBot spreads through America Online instant messaging software (AIM) and installs surreptitious remote control software on victims' computers, focusing the media on security experts' concerns that instant messaging will become the next popular vector for these programs. The program - known as W32.Loxbot.B …
Robert Lemos, 02 Nov 2005

Flaw finders score loyalty rewards from iDefense

Security firm iDefense, a subsidiary of VeriSign, announced on Friday the recipients of two rounds of bonuses rewarding the most prolific researchers taking part in the firm's Vulnerability Contributor Program (VCP). The researchers split $40,000 in bonuses: Three people divvied up $10,000 awarded to the top flaw finders for …
Robert Lemos, 24 Oct 2005
fingers pointing at man

Arrests 'unlikely' to impact botnet threat

The recent arrests of three men in The Netherlands who allegedly controlled a network of more than 100,000 compromised computers will not likely curtail the criminal economy surrounding so-called bot nets, security experts said this week. The arrests, announced last week by The Netherlands' National Prosecution Service, follow …
Robert Lemos, 13 Oct 2005
The Register breaking news

Fingerprint payments taking off despite security concerns

Consumers embarking on a shopping spree may be able to leave their wallets behind in the near future, despite some security and privacy experts' concerns. This week, Pay By Touch Solutions, a San Francisco-based firm whose system allows customers to pay at participating grocery stores with the press of a finger, announced that …
Robert Lemos, 08 Oct 2005
The Register breaking news

E-voting experts call for revised security guidelines

A federally funded group of voting system experts called on the United States' Election Assistance Commission, which oversees the nation's state-run elections, to revamp its recommended process for evaluating the security of electronic voting devices. In comments published last week, the ten researchers that collectively make …
Robert Lemos, 05 Oct 2005

Mozilla suffers growing pains

The Mozilla Foundation's Firefox browser successfully took market share away from software giant Microsoft's Internet Explorer over the past 18 months, but has found that popularity comes with growing pains. When Microsoft fixes problems, the public generally doesn't know about them. For Firefox, the nature of the process means …
Robert Lemos, 22 Sep 2005
homeless man with sign

Key clicks betray passwords, typed text

Eavesdroppers armed with a shotgun microphone or a small recording device could make off with a computer user's sensitive documents and data, three university researchers said in a paper released this week. The researchers, from the University of California at Berkeley, found that a 10-minute recording of a person typing at the …
Robert Lemos, 16 Sep 2005

Microsoft's delay to patch fuels concerns

Microsoft's decision to cancel a security fix after finding problems with the patch has security experts questioning whether waiting for the fix to come next month might leave them open to attack. The concerns come after Microsoft announced last Thursday that a critical fix for the Windows operating system would be distributed …
Robert Lemos, 14 Sep 2005

Big debate over small packets

Fernando Gont is nothing if not tenacious. Earlier this year, the Argentinian researcher highlighted several attacks that could disrupt network connections using the Internet control message protocol, or ICMP, and proposed four changes to the structure and handling of network-data packets that would essentially eliminate the …
Robert Lemos, 08 Sep 2005
For Sale sign detail

Hidden-code flaw in Windows renews worries over stealthy malware

Last week, the Internet Storm Center, a group of security professionals that track threats on the Net, flagged a flaw in how a common Microsoft Windows utility and several anti-spyware utilities detect system changes made by malicious software. By using long names for registry keys, spyware programs could, in a simple way, hide …
Robert Lemos, 31 Aug 2005

Zotob suspects arrested in Turkey and Morocco

Law enforcement officials in Turkey and Morocco arrested two men in connection with the recent release of the Zotob worm, the FBI announced Local authorities arrested 18-year-old Farid Essebar in Morocco and 21-year-old Atilla Ekici in Turkey on Thursday, according to the FBI. The U.S. law enforcement agency believes that …
Robert Lemos, 30 Aug 2005
The Register breaking news

Flies swarm around MS Honeymonkey

Microsoft 's experimental Honeymonkey project has found almost 750 web pages that attempt to load malicious code onto visitors' computers and detected an attack using a vulnerability that had not been publicly disclosed, the software giant said in a paper released this month. Known more formally as the Strider Honeymonkey …
Robert Lemos, 09 Aug 2005
The Register breaking news

Annual hacking game teaches security lessons

LAS VEGAS The weekend-long Capture the Flag tournament stressed code auditing as a measure of hacking skill this year, a move that emphasized more real-world skills, but not without controversy. The annual Capture the Flag tournament at DEF CON has always attracted participants from a variety of background, looking to try their …
Robert Lemos, 05 Aug 2005
The Register breaking news

Exploit writers team up to target Cisco routers

LAS VEGAS In a room at the Alexis Park Hotel, a nightmare scenario for Cisco has begun to unfold. It's Saturday night, a time for blowout parties at the annual DEF CON hacker convention, including the Goth-flavored Black and White Ball. But a half dozen researchers in the nondescript room quietly drink, stare at the screens of …
Robert Lemos, 02 Aug 2005

Settlement reached in Cisco flaw dispute

LAS VEGAS A researcher who showed off a way to remotely compromise Cisco routers has to turn over all materials and agree not to further disseminate information on the flaws or the technique he used to run code on the popular network hardware. The settlement, finalized Thursday afternoon, brought to a close a controversy that …
Robert Lemos, 29 Jul 2005

Cisco, ISS file suit against rogue researcher

LAS VEGAS--Networking giant Cisco and security company Internet Security Systems filed on Wednesday a restraining order against the management of the Black Hat Conference and a security expert who told conference attendees that attackers can broadly compromise Cisco routers. The legal action followed a presentation by security …
Robert Lemos, 28 Jul 2005

3Com puts a bounty on vulns

TippingPoint, a division of networking giant 3Com, plans to pay researchers for information about unannounced vulnerabilities in major systems and software and will add bonuses for prolific flaw finders, the company announced on Monday. Under the program, dubbed the Zero Day Initiative (ZDI), researchers will submit details of …
Robert Lemos, 25 Jul 2005

Oracle taken to task for time to fix vulnerabilities

Claiming that Oracle has failed to fix six vulnerabilities despite having more than 650 days to issue a patch, researchers at security firm Red Database Security published details of the flaws on Tuesday. The flaws vary in severity with three of the six classified by the firm as high risk, potentially allowing a remote attacker …
Robert Lemos, 20 Jul 2005
The Register breaking news

Typosquatters hijack US credit report site

Privacy-sensitive US citizens aiming to get their government-mandated annual free credit reports have to be careful not to endanger their sensitive data instead, stated a report released last Thursday. More than 200 domains with similar spellings to the official site have been registered by private …
Robert Lemos, 18 Jul 2005
The Register breaking news

Desktop port proliferation a security risk?

Software maker Opera's decision to support BitTorrent has added to some security experts' worries that applications which require open connections through firewalls are becoming increasingly popular. Last week, the Norwegian company revealed that its latest technical preview adds support for downloading BitTorrent files, or …
Robert Lemos, 14 Jul 2005
The Register breaking news

USC admissions site cracked wide open

A programming error in the University of Southern California's online system for accepting applications from prospective students left the personal information of users publicly accessible, school officials confirmed this week. The flaw put at risk "hundreds of thousands" of records containing personal information, including …
Robert Lemos, 06 Jul 2005

Reverse engineering patches making disclosure a moot choice?

When Microsoft released limited information on a critical vulnerability in Internet Explorer last month, reverse engineer Halvar Flake decided to dig deeper. Using his company's tool for analyzing the differences in the patched and unpatched versions of a program, Flake pinpointed the portable networked graphics (PNG) …
Robert Lemos, 01 Jul 2005

Open-source projects get free checkup by automated tools

More open-source software projects are gaining the benefits of the latest code-checking software, as the programs' makers look to prove their worth. On Tuesday, code-analysis software maker Coverity announced that its automated bug finding tool had analyzed the community-built operating system FreeBSD and flagged 306 potential …
Robert Lemos, 29 Jun 2005
For Sale sign detail

Phishers look to net small fry

Online fraudsters have started targeting smaller banks and credit unions in hopes of fooling a larger percentage of customers, according to groups that monitor phishing activity. Last week, Internet security firm Netcraft published an advisory warning that the number of phishing attacks aimed at smaller financial institutions …
Robert Lemos, 20 Jun 2005

Study: Flaw disclosure hurts software makers' stock

Software makers stand to lose significant market value whenever a flaw is found in their products, two university researcher said in a paper published last week. The study analyzed the release of 146 vulnerabilities and found that a software company's stock price decreases 0.63 percent compared to the tech-heavy NASDAQ on the …
Robert Lemos, 07 Jun 2005
The Register breaking news

Device drivers filled with flaws

The uneven skills of driver programmers have left a legion of holes in software that ships with Windows and Linux, security experts say. Operating system vendors and hardware makers should commit more resources toward systematically auditing Windows and Linux device-driver code for flaws, security researchers say. While buffer …
Robert Lemos, 27 May 2005
hands waving dollar bills in the air

Witty worm traced to 'Patient Zero'

The Witty worm, which infected more than 12,000 servers a year ago, came from a single computer in Europe and used a US military base's vulnerable systems to kick-start the epidemic, according to an analysis released by three researchers this week. The researchers combined records from the initial spread of the Witty worm along …
Robert Lemos, 25 May 2005

Underground showdown: defacers take on phishers

Groups fighting against online criminals intent on phishing have gained allies from another species of underground miscreant: website defacers. On Thursday, Internet monitoring firm Netcraft reported that some users of the company's anti-phishing toolbar followed links to fake financial sites only to find them defaced with anti …
Robert Lemos, 22 May 2005
graph up

Microsoft hunts web nasties with honey monkeys

Researchers for the software giant are building a system of Windows XP clients that crawl the web finding sites that use unreported vulnerabilities to compromise unsuspecting users, writes SecurityFocus's Robert Lemos. Researchers at Microsoft are creating their own version of a million monkeys to crawl the internet looking for …
Robert Lemos, 17 May 2005

Firefox loses its shine

The Mozilla Foundation's Firefox web browser has made security a major part of its marketing, but a spate of vulnerabilities found over the last nine months had sullied that message. In the latest incident, a 16-year-old security researcher - who asked only to be identified by his first name, Paul - found three vulnerabilities …
Robert Lemos, 13 May 2005

Microsoft fortifies monthly patches with interim advisories

Microsoft opened up a new line of communication to its customers on Tuesday, pledging to provide more authoritative information about incidents involving, and changes to, the company's products that could affect customers' security. The information will be distributed as needed in the form of security advisories, which will be …
Robert Lemos, 10 May 2005
The Register breaking news

Genome may be future step for virus writers

Advances in genetic circuits may mean that virologists will have to look at the mechanics of Internet worms for a model of future threats. Recent technological advances in so-called genetic circuits have brought closer a world where cells and viruses could be modified to more effectively serve humans, but also have raised …
Robert Lemos, 06 May 2005
arrow pointing up

Backup tapes are backdoor for ID thieves

Large companies are reconsidering their security and backup policies after a handful of financial and information-technology companies have admitted that tapes holding unencrypted customer data have gone missing. Last week, trading firm Ameritrade acknowledged that the company that handles its backup data had lost a tape …
Robert Lemos, 29 Apr 2005

Microsoft reveals hardware security plans

Can trusted computing hardware deliver security without locking out competition, asks SecurityFocus's Robert Lemos. The next version of Windows, codenamed "Longhorn," will have security features to take advantage of the trusted computing hardware now showing up in the marketplace, Microsoft executives announced on Monday. The …
Robert Lemos, 26 Apr 2005

Privacy watchdog warns job seekers to beware

Would-be workers need to be more cautious with resume services and posting their personal information online. Online fraudsters and scammers are waiting. Online fraudsters are increasingly taking advantage of vulnerable job seekers by using online résumés to steal their identity, a privacy expert warned this week. The threats …
Robert Lemos, 22 Apr 2005
The Register breaking news

Privacy groups slam US passport technology

SEATTLE - Privacy advocates took the US government to task last week for the government's plans to add a wireless chips to next-generation passports. The concerns focus on the US government's initiative to create machine-readable passports that will be rolled out to the diplomatic corps this year and to the general public …
Robert Lemos, 20 Apr 2005
The Register breaking news

Teenagers want computer security lessons

High-school students have a message for their parents: Trust us with technology. Security and privacy? We have it covered. A panel of teenagers speaking at the Computers, Freedom and Privacy Conference told attendees on Friday that they are far more in tune with technology than their parents and have come to understand the …
Robert Lemos, 19 Apr 2005

DNS attacks attempt to mislead consumers

Employees at more than 500 companies have fallen victim to domain attacks in the last month, underscoring the increasing popularity of the tactic among Internet fraudsters, security experts said this week. The attacks aim to redirect consumers to potentially malicious web servers by changing the records used to convert domain …
Robert Lemos, 08 Apr 2005
For Sale sign detail

Sybase invokes licence gag in flaw disclosure row

Database maker Sybase will likely drop legal threats against a UK-based security company this week, allowing the company to publish details on six flaws, a source familiar with the negotiations said on Monday. The potential agreement between Sybase and Next-Generation Security Software comes after a two-week dispute over …
Robert Lemos, 05 Apr 2005