DR's 10 Most Popular Stories Ever
Our first year featured thumb-drive lures, lax end users, dumb smart cards, myths, and a Microsoft misstep
Remember senior superlatives in high school? You always knew the Most Popular guy and girl -- or you could at least point them out in the hallway, anyway.
Well, we've compiled the 10 Most Popular Articles on Dark Reading from our freshman year. By definition, this also makes them the most popular articles ever on this one-year-old site. These are the stories that attracted the most page views by our readers, many who likely shared the story links among friends and colleagues, and maybe even among old high school chums. You might remember them, or at least their headlines. Either way, we're reconnecting you with the stories that got the most votes (clicks).
So kick back and enjoy this retrospective on our sexiest and Most Popular stories. It is prom season, you know.
1. Thumbs Down
It may have been one of the most significant security non-events ever, but hardly a day goes by when we don't hear about "that incident" last June when Trojan-ridden USB thumb drives were scattered around the parking lot, smoking area, and other public places at a regional credit union to see if its users would take the bait. (See Social Engineering, the USB Way.)
The story was a hit because it struck a nerve. The credit union users got punk'd, of course, and installed the thumb drives on their office computers -- something all security managers fear their own users would do. The brains behind this bold social engineering scheme, penetration tester and Dark Reading columnist Steve Stasiukonis, had decided to try something different from his usual M.O. of taking a drag with the smokers, sweet-talking the receptionist, and commandeering a conference room to jack into his clients' networks.
It worked too well: All 15 of the 20 USB drives that were found were installed on a credit union machine. But the Trojan infecting the USB sticks was a benign one, merely busting the duped users by collecting their passwords, logins, and machine information, and emailing the findings back to Stasiukonis and company.
Nervous laughter helped make this story our biggest one so far.
2. Into Thin Air
An American spy plane, a Chinese fighter, a mid-air collision, and an emergency landing in Chinese territory: Yep, that's all it took for researchers to come up with a way to erase hard drives quickly. (See Researchers Find Technique to Quickly Erase Hard Drives.)
The U.S.'s loss of sensitive intelligence data to the Chinese after this incident in 2001 led to the announcement last year of a speedy but hefty 125-pound prototype eraser that can wipe magnetic media within minutes, rather than hours. Scientists at the Georgia Institute of Technology and L-3 Communications developed the new technique, which is based on powerful magnets that penetrate hard disk enclosures, and permanently erase data in a single sweep.
No, commercial businesses won't have to schlep this big fat eraser into their offices. The researchers subsequently developed a commercial "trash can" that achieves similar results. (See A Garbage Can for Hard Drives.)
3. In Case of Fire, Break Glass
We all know there really is no such thing as impenetrable security. But how many organizations really have a gameplan in case of emergency? (See What to Do When Your Security's Breached.)
The reality is many organizations don't have the resources to put in place a full-blown, fully-tested incident response strategy, and others don't have top-level executives who are clued in to set such a plan in motion, anyway. There is no one formula for what to do when your security is breached, but our site editor Tim Wilson came up with six key steps, based on interviews with experts who know things like when to remediate, and when not to.
Speaking of remediation, nobody wants to accidentally taint the crime scene by doing something that could compromise nabbing the bad guys. Sometimes that means not touching anything until a forensics team arrives. But if the breach is actively hurting the business, you may need to take action right away, such as unplugging the infected machines or turning off Port 80. Otherwise, you might not have anything left for the forensics folks to look at.
4. The Trouble With End Users
Beating up on end users is something security folks do -- a lot. But there's a good reason for their complaints: Users are the single biggest security threat to a company's IT infrastructure. (See The 10 Most Dangerous Things Users Do Online.)
You train them, hold their hands, yet they still do stupid user tricks like click on email attachments from unknown senders, give out passwords, surf untrusted Websites, and link to unprotected WiFi networks. They are your weakest link.
Still, you're stuck with them. So you should at least be up on all the dangerous things they do on your network -- including installing unauthorized apps, disabling automated security tools, filling out Web scripts and forms, and hanging out in chat rooms or social networking sites. Most of this behavior may be innocent (and did we say clueless?) mistakes, but unintentional or not, it's putting you at risk.
This article gave readers an inside look at just what their users are up to -- and how those activities might affect the business.
5. Not-So Smart Card
Stasiukonis and his crew strolled through the front door of a HIPAA-regulated laboratory -- with a swipe of his grocery-store shopping card. Really. (See Social Engineering, the Shoppers' Way.)
Turns out the door access system had mistakenly been set to deploy a feature called "man-trap," which lets banks secure their ATM machines and also allow access to customers from other banks -- a feature that most magnetic stripe systems have.
That revelation sent chills down the spine of many an organization that uses smart card-based physical security. But even more chilling was how Stasiukonis and his pen-tester colleague were able to navigate the hallways of this highly sensitive facility, and score clean smocks and scrubs in the men's room so they could blend in.
No one challenged their presence in the facility -- they even asked some unsuspecting employees for directions -- and they found a treasure-trove of sticky-note passwords on monitors and under keyboards and were able to easily hack into the network.
Stasiukonis now always tests access security when he goes on a job. And he expects this same scenario to play itself out again at another client's site.
6. Copy That
You can bet no one looks at the copier repairman the same way anymore. (See Banking on Security.)
This caper by Stasiukonis and his team of penetration testers/social engineers entailed dressing up as a copier repairman for a regional bank, and pretending to fix the copier -- while instead unplugging it from the network, plugging in his laptop, and "sniffing" the network for passwords, access to data, folders, and administrative accounts.
The bank hired the pen-testing team after getting nervous about the revolving door of technicians coming and going from the IT outsourcing firm it had recently hired. It wanted to be sure its employees were properly verifying credentials of customers and contractors.
No one asked why Stasiukonis was taking flash digital photos of his handiwork, either. And he left his calling card as proof of the successful "breach": his bank contact's password, scrawled on a ream of paper and tucked under the copier. The bank got the message.
7. Mistaken Spam Identity
Careful what you label as spam: You could be next. (See Seven Ways to Be Mistaken for a Spammer.)
Everyone complains about receiving spam, but what if you're on the sending end of the email? Naiveté, dumb luck, or just plain laziness can stuff a legitimate company into the spam can if it's not careful. The result -- blocked marketing emails, newsletters, or other key customer interactions -- could be a major blow to the bottom line.
Being mistaken for a spammer -- and yes, there is sometimes a fine line between spam and aggressive marketing -- can happen if you don't stay on top of your "unsubscribe" requests, if you repurpose user lists, or if you provide unclear checkbox instructions. Users today can simply hit the "this is spam" button on their email service if they've had enough of your marketing emails.
Avoiding the ugly label of a spammer can be as simple as providing "opt in," rather than "opt out," choices, and ensuring you have a strong accounting of your servers and desktops. The last thing you want is to find what one security expert found during a client audit: an infected machine hidden in the janitor's broom closet pumping out spam.
8. Myth Busters
Separating fact from fiction isn't easy, especially in security, where innovation and technology change at a rapid-fire pace. But sometimes you need a little help. (See The 10 Biggest Myths of IT Security.)
Here's a quick quiz to test whether you can keep it real. True or false: Many more companies are losing data than ever before.
If you said "true," you're dead wrong. Yes, we are more aware than ever before of breaches, but that doesn't mean data losses have actually increased. It's just that state and federal regulations require companies to inform customers of even potential data loss or theft -- any sort of exposure that might compromise a customer. Basically, our awareness of data losses has increased.
Other myths -- such as that Microsoft is the most unsafe OS, that your employees are trustworthy, or that increased spending will improve security -- can put you into a false sense of security la-la land.
Some exploits just stick with you. Aside from the USB stick caper in '06, there was the sla.ckers.org hacker group's cross-site scripting (XSS) party, where they posted XSS holes they found on popular Websites, including those of Dell, HP, MySpace, and Photobucket, as well as security companies F5 and Acunetix. They even exposed a couple of XSS vulnerabilities on Dark Reading. (See The Six Dirtiest Tricks of 2006.)
The XSS coming-out party demonstrated just how pervasive this vulnerability is on Websites, even high-profile ones.
The Month of Browser Bugs, meanwhile, opened the floodgates for researchers to get vendors on the stick to plug zero-day vulnerabilities. Some of those that weren't plugged still haunt us today.
Meanwhile, the bull's eye landed on the popular MySpace social networking site, which became a hacker's playground, with worms, spyware, and XSS attacks aplenty. Attackers go for MySpace because it's fertile ground for them to flex their social engineering and technical hacking muscles.
10. Why Vista Didn't Go .NET
It's not often that Microsoft admits a mistake, especially a potentially strategic one. A Microsoft scientist lamented to our columnist, Cigital CTO Gary McGraw, that Microsoft missed its chance to make a big impact on security. Microsoft did not build Vista Longhorn out of the "type-safe" language found in its .NET framework. (See Microsoft's Missed Opportunity.)
Butler Lampson, a computer scientist with Microsoft Research, said he has seen adoption of type-safe languages fizzle several times during his career. The big issue is that Microsoft OS developers rely on C++, a language well known for inducing security bugs (as is C proper).
It could take another decade for Microsoft to say "see ya" to C, but McGraw pointed out in his column that there's hope for a more secure OS if you go with a type-safe platform.
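As an added illustration of the bug class McGraw's column is getting at (example code written for this retrospective, not anything from Microsoft, Lampson, or the column itself): in C, nothing stops a write past the end of an array, so an oversized name copied into a fixed buffer silently lands on whatever field follows it. A type-safe runtime performs a bounds check on every such write; in C the programmer has to write that check by hand, as `set_name_checked` below does. The `account` layout and the `is_admin` flag are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed record: a fixed-size name buffer followed by a privilege
   flag, the layout in which an unchecked copy into `name` would spill
   into `is_admin`. */
struct account {
    char name[8];
    int  is_admin;
};

/* Bounds-checked copy: the check a type-safe runtime performs on every
   array write and that C leaves to the programmer. Returns 0 on success;
   returns -1 and leaves the record untouched if src does not fit
   (the terminating NUL needs a byte too). */
int set_name_checked(struct account *acct, const char *src)
{
    size_t n = strlen(src);
    if (n >= sizeof acct->name)
        return -1;
    memcpy(acct->name, src, n + 1);
    return 0;
}

/* Helper for testing: result code of copying src into a fresh record. */
int checked_copy_result(const char *src)
{
    struct account acct = { "guest", 0 };
    return set_name_checked(&acct, src);
}

/* Helper for testing: after a rejected (too-long) write, is the record
   exactly as it was, flag included? Returns 1 if so, 0 otherwise. */
int rejected_write_leaves_record_intact(const char *too_long_src)
{
    struct account acct = { "guest", 0 };
    if (set_name_checked(&acct, too_long_src) != -1)
        return 0;   /* not a rejected write, so the question does not apply */
    return acct.is_admin == 0 && strcmp(acct.name, "guest") == 0;
}

int main(void)
{
    struct account a = { "guest", 0 };
    printf("short name:  %d\n", set_name_checked(&a, "alice"));
    printf("long name:   %d\n", set_name_checked(&a, "administrator"));
    printf("is_admin=%d name=\"%s\"\n", a.is_admin, a.name);
    return 0;
}
```

The point of the example is what the check costs: one comparison that every caller of every buffer has to remember, which is exactly the discipline a type-safe platform stops relying on.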
Kelly Jackson Higgins, Senior Editor, Dark Reading
Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...