One advantage of online news media is knowing how well [or poorly] a news story plays with readers based on how many opened the article and, gauging from time spent on that page, actually read it. With that in mind, we culled our databases for those news stories that received the most page views this year. Some were obvious; others, surprising.
Low-cost way(s) to 'foil' low-tech RFID tags"
Radio frequency identification tags were a hot topic at security conferences this year. With mega-retailer Wal-Mart soon requiring them from suppliers to track inventory, it's just a matter of time before their use is commonplace in retail. But RFID tags' other rumored uses raised eyebrows, leading to tales of tags embedded in clothing and, jokingly, strawberry smoothies and other foodstuff to track people, not just products. Privacy advocates sounded the sirens, and hackers took up the cause, creating ways to circumvent or counter the souped-up bar codes.
9. Security Bytes: Pix source code for sale
This year we launched a new feature called Security Bytes focused on advisories, business briefs and legal and policy news that security professionals could digest in small chunks. This issue in particular did well because of the top story about a hacker group selling the source code for particular versions of Cisco's Pix firewall. Given the firewall's prominence within enterprise networks, security practitioners had reason to worry about what could develop from the sale of the software's blueprints. Exploits? Firmware? The same group earlier in the year offered proprietary source code for P2P file-sharing Napster software and an Enterasys Networks IDS.
8. Sassy Sasser worms on the move
We all know virus and worm writers constantly release malicious code, particularly close to weekends [though one survey cited Wednesday as the biggest day for enterprise virus infections.] Like throwing pasta against the wall to see what sticks, Sasser's robustness proved more fettuccini than vermicelli. Now believed to be the work of a German teenager, Sasser hit hard in May by exploiting a Windows Local Security Authority Subsystem Service flaw left unpatched. After telling employees for years to avoid e-mail attachments, Sasser raised the bar by requiring no user action to propagate. Instead, it scanned random IP addresses for vulnerable systems, into which it sent a packet that caused a buffer overrun on LSSASS.EXE. Infected systems crashed worldwide within hours and Sasser became a household name, at least in the many households that were hit that first weekend -- reinforcing enterprise policies about home users who connect to corporate networks.
7. Microsoft reveals unprecedented 21 vulnerabilities on 'Patch Tuesday'"
In an effort to streamline its security bulletins, Microsoft began releasing updates the second Tuesday of every month. Recently, it's also begun giving a heads-up days prior to announcements so security administrators can brace themselves. In April, it began a new streak, unleashing patches for an unprecedented 21 vulnerabilities. It would repeat the feat in July and October, each time topping its previous record for most holes or patches released for a variety of Windows software, particularly Office, Exchange and Internet Explorer.
6. Microsoft ASN flaw may be biggest defect ever found
Some security vendors hyped this as the most critical flaw to surface, given the vulnerability affected multiple Windows operating systems, producing myriad ways for an attacker to gain illegal access to networks and execute arbitrary code with system privileges. Specifically, integer overflows and other flaws in integer arithmetic could cause a vulnerability in the ASN.1 parser library in Microsoft Windows NT 4.0, 4.0 TSE, 2000, XP and Server 2003. The patch was released in February, but the flaw actually was pointed out to Microsoft by eEye Digital Inc. the previous summer. This resurrected all-too-familiar debates within the security community on what constitutes timely security bulletins, full disclosure by security researchers and the narrowing window between a patch's release and exploit, which now averages less than two weeks.
Profile: Adam Stubblefield
This profile of a doctoral student at Johns Hopkins University hit a note with a lot of readers. Adam Stubblefield was part of a team of computer-science crusaders warning that serious flaws existed in current electronic voting technology, something they unmasked after an investigative journalist was able to find the source code for a popular voting machine on an unsecured FTP server. The chorus gained a stronger voice as the November elections approached, but despite lawsuits filed in key states, about a third of all votes cast were done with e-voting machines. Consumers liked the convenience and few poll workers reported problems, though groups like Black Box Voting have launched a massive record-gathering campaign to ensure there were indeed few glitches and not cover-ups.
4.Bagle-A worm moving quickly
This was the first of many, many stories chronicling more than two dozen variants of Bagle, a mass-mailer that was best known for being more prolific than problematic for corporate networks. Experts say many variants were produced to top worms created by rival writers of the Netsky series, creating a "worm war" that kept antivirus vendors on their toes, constantly tweaking signatures and advising enterprises to keep updating their software to prevent infections.
3. Security and Sarbanes-Oxley
No shock that this 2003 news feature on the corporate governance law made the Top Three a year later since this was the year public companies invested millions of dollars into meeting the security mandates of the Enron-inspired Sarbanes-Oxley Act. For security personnel, it meant finding the resources to implement and document internal controls on company data used in annual reports submitted to the Securities and Exchange Commission. But even non-public companies are following SOX to remain competitive. And despite the onus placed on security departments, SOX has also made their role in enterprises more prominent since flagrant violations can land a company's CEO and CFO in prison.
2. 'Whispering keyboard' could be next attack trend
This was the year's 'sleeper' story, an exclusive report on a new hacking technique that literally listened to the nuances of keystrokes beating against a drum-like membrane in keyboards to determine passwords and other secret messages. It required sophisticated equipment and uber-level skills and therefore remained a low threat, but it was proof of what the hacker underground could create with a little ingenuity.
1. XP SP2 finally arrives. Now what?
This top entry is no surprise. SearchSecurity.com was the first to let security administrators know the massive update was being distributed behind a hidden URL on a Friday afternoon in early August. Companion stories that offered security highlights [and lowpoints] and advice on installation also helped bolster this topic to the top of the stack. Now, there are patches to plug holes in the original patch itself. As the saying goes, the more things change, the more they stay the same.