When you're in IT security, you spend most of your time looking forward, not backward. But occasionally, it pays to take a quick look to see where you've been, where you went right -- and where you didn't.
This week, Dark Reading marks its second birthday, and we're celebrating by sneaking a look back -- just for a minute -- at where we've been. So we've compiled a list of the 10 most popular and controversial stories we've done so far -- those that have generated the most clicks from readers and those that have generated the most messages on our bulletin boards (or others').
So come with us on a trip down our short-but-eventful, two-year memory lane. We hope you'll find a few things you'll remember -- and a few lessons you don't want to forget.
1. The Coolest Hacks
They hacked WiFi networks. They hacked the iPhone -- before most of us had even seen one up close. Heck, they even cracked both cars and trucks. (See The Five Coolest Hacks of 2007.)
"The Five Coolest Hacks of 2007," which first appeared on New Year's Eve, took only two weeks to become the most widely read story we've ever published. It offered a look at some of the most innovative and offbeat exploits of the year, and a couple that were particularly dangerous.
Why was this story so popular? Partly because it took a look at some seriously inventive hacking ideas, and the minds behind them. But mostly, readers loved the notion that hackers and their exploits could be considered "cool" because of their ingenuity. Like the "best dressed" and "worst dressed" lists in the fashion industry, our "coolest hacks" story turned out to be the kind of story that every security fan wanted to read.
2. Thumbs Down
It may have been one of the simplest exploits ever, but we still get a ton of traffic on the column we ran in June of 2005, when Trojan-ridden USB thumb drives were scattered around the parking lots, bathrooms, and other public places at a regional credit union to see if its users would take the bait. (See Social Engineering, the USB Way.)
The story was a hit because it struck a nerve. The credit union users got punk'd, of course, and installed the thumb drives on their office computers -- something all security managers fear their own users would do. The brains behind this bold social engineering scheme, penetration tester and Dark Reading columnist Steve Stasiukonis, was sure that users would be unable to resist the urge to plug those little babies into their computers -- no matter what malware was waiting inside.
It worked too well: All 15 of the 20 USB drives that were found were installed on a credit union machine. But the Trojan infecting the USB sticks was a benign one, merely busting the duped users by collecting their passwords, logins, and machine information, and emailing the findings back to Stasiukonis and company.
Nervous laughter helped make this story one of our biggest ever.
3. Botnet Mania
Yes, there were botnets before 2007. But with the arrival of Storm, users and security pros got a taste of what a large botnet can really do -- and it scared the hell out of them. And when we ran a story in November that said there were several other "Storms" brewing out on the Web -- well, they nearly went bonkers. (See The World's Biggest Botnets.)
The story gave users a closer look at the inner workings of Storm, offering some insights as to why it had become more despised -- and more feared -- than its previous counterparts. It also looked at two rival botnets, Rbot and Bobax, and how they operate differently.
Providing analysis from some of the country's top botnet researchers, this story helped remove some of the mystique around Storm and its capabilities. It also gave readers some advice on what to watch out for -- and the likelihood that they might be hit again.
4. Dramatic Dogfight
When you find out that antivirus products don't stop every threat, it's bad enough. But when you find out that they don't always even stop viruses, well -- that's a horse of a different color. (See Antivirus Tools Underperform When Tested in LinuxWorld 'Fight Club'.)
At the LinuxWorld show in August of last year, security vendor Untangle got a simple-but-deadly idea: Let's put off-the-shelf antivirus software on 10 different computers, then run the same batch of known viruses through all of them and see how they do.
This low-key, antivirus "fight club" produced fascinating results that surprised all of those who previously assumed that all AV products are pretty much the same. In fact, only three of the 10 products blocked all of the viruses thrown at them; one product blocked fewer than 10 percent.
The story provoked ire among AV vendors and a good deal of discussion among users of the nearly ubiquitous AV technology. One thing's for sure now -- nobody's assuming that antivirus products are all the same anymore.
5. The Trouble With End Users
Beating up on end users is something security folks do -- a lot. But there's a good reason for their complaints: Users are the single biggest security threat to a company's IT infrastructure. (See The 10 Most Dangerous Things Users Do Online.)
You train them, hold their hands, yet they still do stupid user tricks like click on email attachments from unknown senders, give out passwords, surf untrusted Websites, and link to unprotected WiFi networks. They are your weakest link.
Still, you're stuck with them. So you should at least be up on all the dangerous things they do on your network -- including installing unauthorized apps, disabling automated security tools, filling out Web scripts and forms, and hanging out in chat rooms or social networking sites. Most of these problems may be innocent (dare we say clueless?) mistakes, but unintentional or not, they're putting you at risk.
This article gave readers an inside look at just what their users are up to -- and how those activities might affect the business.
6. What a Waste of Time
When Peter Tippett invented the software that became Norton Antivirus more than a decade ago, everybody was happy. But earlier this year, when he told security pros that they were wasting their time, some of them were not too thrilled. (See Antivirus Inventor: Security Departments Are Wasting Their Time.)
Tippett raised some eyebrows across the industry by suggesting that security teams spend too much time working on vulnerability research, testing, and patching. Only a tiny percentage of vulnerabilities are ever exploited, he noted, and the time spent on detecting and fixing them could better be spent elsewhere. He also suggested that security pros are too picky about their solutions, and that it is folly to insist on perfection before implementing a security technology.
Many security professionals rejected Tippett's arguments, defending their efforts in vulnerability research and patch management. Others agreed with Tippett's premise, but expressed frustration that he had not proposed more concrete alternatives.
Despite Tippett's protests, vulnerability research continues apace. But we have to admit it -- when we see one of those "proofs of concept" that's a real stretch now, it's hard not to think of Tippett's car-and-sunroof analogy.
7. Maxx'd Out
Okay, it wasn't a single story. Sue us. And while you're at it, sue TJX. Everybody else is. (See Security's Biggest Train Wrecks of 2007, TJX Settles With Banks for $41 Million, Canadian Government Sheds Light On TJX Breach, TJX Proposes to Settle Customer Lawsuit for $6.5M, and oh, heck -- just do a search of "TJX" on the Dark Reading home page.)
Our coverage of the debacle at the TJX Companies made up a sizable chunk of reader traffic during 2007. The loss of 45 million credit card records put the retail giant at the high end of history, outpacing the ChoicePoint disaster and the fatal loss at CardSystems. Security pros will remember TJX the way football fans remember Jim Marshall running the wrong way, or the way journalists remember the headline "Dewey Wins!"
What's remarkable about the TJX breach is that it went on for years and involved records that the retailer should have purged nearly four years earlier. It was truly a wake-up call for security departments all over the world, and it caused many other companies to stop sticking their heads in the sand, stirring a whole wave of interest in PCI compliance.
8. Offense Intended
Here at Dark Reading, we know that the good guys aren't the only ones who read our stories. But that fact was never demonstrated to us quite so loudly as it was in October, when we posted John Sawyer's column on how to "weaponize" the Web browser. (See How to Turn Your Browser Into a Weapon.)
Sawyer, our technical expert and geek-in-residence, wrote a two-part series in which he discussed methods for enhancing and modifying the browser. Part 2, which dealt with defensive schemes for protecting the browser, garnered a bit of attention from readers on the Web. But his piece on offensive tools for the browser was one of the most popular columns we've ever posted, right down to its list of extensions.
Sawyer's perspective on the usefulness of popular cracking tools clearly struck a nerve, probably because it was helpful to both those who do the attacking and those who defend against them. It also opened our eyes to the number of readers out there who turn to Dark Reading not only for the defensive insights they need during the day, but also the "insider" tips they might be able to use when they put on their black hats late at night.
Other myths -- such as the belief that Microsoft makes the most unsafe OS, that your employees are trustworthy, or that increased spending will improve security -- can lull you into a false sense of security la-la land.
9. Mistaken Spam Identity
Careful what you label as spam: You could be next. (See Seven Ways to Be Mistaken for a Spammer.)
Everyone complains about receiving spam, but what if you're on the sending end of the email? Naiveté, dumb luck, or just plain laziness can stuff a legitimate company into the spam can if it's not careful. The result -- blocked marketing emails, newsletters, or other key customer interactions -- could be a major blow to the bottom line.
Being mistaken for a spammer -- and yes, there is sometimes a fine line between spam and aggressive marketing -- can happen if you don't stay on top of your "unsubscribe" requests, if you repurpose user lists, or if you provide unclear checkbox instructions. Users today have the power of being able to hit the "this is spam" button on their email service if they've had enough of your marketing emails.
Avoiding the ugly label of spammer can be as simple as providing "opt in," rather than "opt out," choices, and ensuring you have a strong accounting of your servers and desktops. The last thing you want is to find what one security expert found during a client audit: an infected machine hidden in the janitor's broom closet pumping out spam.
10. XSS Excess
Cross-site scripting attacks have been around a lot longer than Dark Reading. But in our two years of life, we've had a chance to see the growth of XSS up close. Really close. (See Hackers Reveal Vulnerable Websites.)
Yup, Dark Reading got punk'd. It wasn't the first time, nor the last, and we're sure it will happen again. But it was sort of flattering that somebody cared enough to hack us because we helped to expose their exploits.
As for XSS, it continues to be one of the most popular attack vectors currently on the Web, and experts say the threat will only grow as attackers focus their attention on browsers and Web servers. Will it be on our "birthday list" next year? Stay tuned and find out.