The Six Dirtiest Tricks of 2006

No. 1: The Thumb Drive Caper

In June, a penetration testing firm planted 20 infected USB drives in the bathrooms and parking lots of a busy credit union. It was a simple, non-technical exploit -- and also one of the most effective of the year. Out of the 20 drives, 15 were inserted into PCs by curious credit union employees. If the infection hadn't been benign, the entire business might have gone up in smoke.

The account of this exploit -- perpetrated by one of our own columnists, Steve Stasiukonis, vice president and founder of Secure Network Technologies Inc. -- was by far our best-read story of the year. It exposed a frequently-overlooked vulnerability in most organizations, and it brought forth a whole range of vendors and products that are now attempting to close the hole.

See Social Engineering, the USB Way and Thumbs Down on Thumb Drives.

No. 2: Everything in XSS

In September, hackers on a popular hacking message board began posting cross-site scripting (XSS) vulnerabilities they found on popular Websites, including those of Dell, HP, MySpace, and Photobucket, as well as security companies F5 and Acunetix. Heck, after we published the story, the blighters even posted a couple of XSS vulnerabilities found on Dark Reading.

The vulnerability postings were a tangible illustration of another trend that emerged in 2006: XSS has become hackers' favorite vector of attack. While many vendors struggled to keep up with viruses and worms during the year, XSS gave attackers a newer, more targeted weapon, and they continue to use it.

See Hackers Reveal Vulnerable Websites and Cross-Site Scripting: Attackers' New Favorite Flaw.

No. 3: The Month of Browser Bugs

After a year of watching flaw after flaw appear in popular browsers -- and writing a few of them himself -- famed security researcher HD Moore decided to make a statement. He would publish a new browser bug every day in July -- the supreme illustration of the insecurity of the modern browser.

Moore's "Month of Browser Bugs" was met with consternation, as vendors and IT managers worried that attackers would pick up the vulnerabilities and run amok through their applications and systems. But although there were a number of exploits launched, the exercise proved to be more of a lesson for the industry. Vendors launched a variety of patches, and IT people gained a better understanding of the flaws in their browsers -- and the inevitability that hackers will find more.

The Month of Browser Bugs also helped to inspire other themed vulnerability exposures, including the Month of Kernel Bugs, which took place last month.

See Getting Buggy with the MOBB and MOBB Bug Among Mozilla Patches .

No. 4: The Copier Repairman Cometh

Just a few weeks ago, our resident pen tester and social engineer, Steve Stasiukonis, was at it again. This time, at the request of management, Stasiukonis and one of his colleagues walked into a regional bank dressed as copier repairmen. They proceeded to pull the wool over the eyes of all of the bank's employees, using a copier room connection to tap into the network.

Once again, if Stasiukonis hadn't been a white hat, he might have walked away with the account information for thousands of the bank's customers. As with the thumb drive caper, his exploit proved that companies must train their employees to beware of seemingly-innocent people and devices, and to ask the right questions before letting them in.

See Banking on Security.

No. 5: What Hard Drive?

Once in a while, we post a story from another site that attracts droves of readers. Such was the case in June, when we ran a piece from our sister pub, VARbusiness, that recounted a new technology for quickly erasing hard drives. The story recapped a new development at the Georgia Institute of Technology, where researchers had discovered a magnetic means of wiping hard drives clean for the U.S. military.

Okay, technically, it's not an exploit or a dirty trick (unless you're trying to steal the data from that hard drive). But the hard drive erasure issue clearly struck a nerve. As we discussed in subsequent stories, there remains a crying need for a fast, sure-fire way of cleaning off the data from hard drives before they are sold or recycled. The folks at Georgia Tech and L-3 Communications are still working on a "garbage can" for hard drives that would do just that.

See Researchers Find Technique to Quickly Erase Hard Drives and A Garbage Can for Hard Drives.

No. 6: They're in MySpace

Throughout the year, social networking site MySpace.com has become astoundingly popular, not just for teenagers, but for grown-ups who access it from their work computers. Unfortunately, the popularity of the site has made it an excellent target for attackers -- and a major risk for enterprises.

In October, a researcher published proof-of-concept code on a zero-day vulnerability he found on MySpace.com -- and another variation on the cross-site scripting (XSS) theme. Since that time, researchers have found more vulnerabilities in the social networking site, and the hacks keep coming. Attackers like MySpace because it gives them the freedom to use a combination of social engineering and technical hacking to get the data they need, experts say.

Could be that MySpace will be on our "dirty tricks" list again when we look back at 2007.

See Zero Day Flaw Found in MySpace and MySpace Under Siege.

Microsoft Corp. (Nasdaq: MSFT)