Since the dawn of humanity, man has taken pride in his achievements of days past. The courageous defense of his cave from long-toothed predators. A fruitful hunt of the elusive wildebeest. The successful programming of his complicated BlackBerry.
In ancient times, these great achievements were told and re-told in tales, in song, in poetry. Today, journalists have evolved this retelling to a higher art form: the annual "year in review" story. This story is done and re-done each year by virtually every publication in existence, from Sports Illustrated to Hog Monthly.
As a new, innovative Web destination, we thought about not doing one of those stories. Break the mold and all that. But it's the end of the year. The drums are beating. The fire is burning high. The smell of roasted wildebeest hangs pungent in the air. The ceremonial conch shell is passed to us -- it's our turn to, uhh, blow.
So, what the hell. Who are we to argue with evolution?
The following is Dark Reading's look back at six of the most clever and devious IT security exploits of 2006, which we call "The Six Dirtiest Tricks of 2006." (Catchy, ain't it?) These are the exploits that attracted the most attention from our readers during our first seven months of publication. (Okay, so it's not the whole year. Sue us.)
Interestingly, none of the "hot security topics" of 2006 appear on this list. In general, our readers didn't find our stories about Windows vulnerabilities, lost laptops, NAC, or HP pretexting to be as interesting as these six. Could it be that you actually want to read about something different for a change? Well, watch out for Dark Reading in 2007: We're making it our quest to give it to you.
In the meantime, pull up a rock and grab a slice of wildebeest. Our look back is about to start.
- No. 1: The Thumb Drive Caper
In June, a penetration testing firm planted 20 infected USB drives in the bathrooms and parking lots of a busy credit union. It was a simple, non-technical exploit -- and also one of the most effective of the year. Out of the 20 drives, 15 were inserted into PCs by curious credit union employees. If the infection hadn't been benign, the entire business might have gone up in smoke.
The account of this exploit -- perpetrated by one of our own columnists, Steve Stasiukonis, vice president and founder of Secure Network Technologies Inc. -- was by far our best-read story of the year. It exposed a frequently-overlooked vulnerability in most organizations, and it brought forth a whole range of vendors and products that are now attempting to close the hole.
- No. 2: Everything in XSS
In September, hackers on a popular hacking message board began posting cross-site scripting (XSS) vulnerabilities they found on popular Websites, including those of Dell, HP, MySpace, and Photobucket, as well as security companies F5 and Acunetix. Heck, after we published the story, the blighters even posted a couple of XSS vulnerabilities found on Dark Reading.
The vulnerability postings were a tangible illustration of another trend that emerged in 2006: XSS has become hackers' favorite vector of attack. While many vendors struggled to keep up with viruses and worms during the year, XSS gave attackers a newer, more targeted weapon, and they continue to use it.
- No. 3: The Month of Browser Bugs
After a year of watching flaw after flaw appear in popular browsers -- and writing a few of them himself -- famed security researcher HD Moore decided to make a statement. He would publish a new browser bug every day in July -- the supreme illustration of the insecurity of the modern browser.
Moore's "Month of Browser Bugs" was met with consternation, as vendors and IT managers worried that attackers would pick up the vulnerabilities and run amok through their applications and systems. But although there were a number of exploits launched, the exercise proved to be more of a lesson for the industry. Vendors launched a variety of patches, and IT people gained a better understanding of the flaws in their browsers -- and the inevitability that hackers will find more.
The Month of Browser Bugs also helped to inspire other themed vulnerability exposures, including the Month of Kernel Bugs, which took place last month.
- No. 4: The Copier Repairman Cometh
Just a few weeks ago, our resident pen tester and social engineer, Steve Stasiukonis, was at it again. This time, at the request of management, Stasiukonis and one of his colleagues walked into a regional bank dressed as copier repairmen. They proceeded to pull the wool over the eyes of all of the bank's employees, using a copier room connection to tap into the network.
Once again, if Stasiukonis hadn't been a white hat, he might have walked away with the account information for thousands of the bank's customers. As with the thumb drive caper, his exploit proved that companies must train their employees to beware of seemingly-innocent people and devices, and to ask the right questions before letting them in.
See Banking on Security.
- No. 5: What Hard Drive?
Once in a while, we post a story from another site that attracts droves of readers. Such was the case in June, when we ran a piece from our sister pub, VARbusiness, that recounted a new technology for quickly erasing hard drives. The story recapped a new development at the Georgia Institute of Technology, where researchers had discovered a magnetic means of wiping hard drives clean for the U.S. military.
Okay, technically, it's not an exploit or a dirty trick (unless you're trying to steal the data from that hard drive). But the hard drive erasure issue clearly struck a nerve. As we discussed in subsequent stories, there remains a crying need for a fast, sure-fire way of cleaning off the data from hard drives before they are sold or recycled. The folks at Georgia Tech and L-3 Communications are still working on a "garbage can" for hard drives that would do just that.
- No. 6: They're in MySpace
Throughout the year, social networking site MySpace.com has become astoundingly popular, not just for teenagers, but for grown-ups who access it from their work computers. Unfortunately, the popularity of the site has made it an excellent target for attackers -- and a major risk for enterprises.
In October, a researcher published proof-of-concept code on a zero-day vulnerability he found on MySpace.com -- and another variation on the cross-site scripting (XSS) theme. Since that time, researchers have found more vulnerabilities in the social networking site, and the hacks keep coming. Attackers like MySpace because it gives them the freedom to use a combination of social engineering and technical hacking to get the data they need, experts say.
Could be that MySpace will be on our "dirty tricks" list again when we look back at 2007.
Tim Wilson, Site Editor, Dark Reading