Friday, January 02, 2009

Top 10 Security Stories Of 2008 - Part 1

Top 10 Security Stories Of 2008 By Thomas Claburn | InformationWeek | January 2, 2009 04:00 AM - "A municipal network held hostage, the hacking of a public official's private e-mail account, court battles to gag security researchers, and dire warnings about the Internet's Domain Name System were just a few of the highlights of the IT security landscape in 2008."

Ah, the fun of living in a hi-tech world. Let's see what the year held for us.

10. Transit Hackers 2, Gag Orders 0
"In separate but related incidents this year, Massachusetts Bay Transportation Agency and NXP Semiconductors lost court battles to gag security researchers. MBTA wanted to keep three MIT students from talking about security flaws in Boston's transit fare card system known for its "Charlie Card." NXP wanted to prevent researchers at Radboud University in the Netherlands from publishing details about security flaws in NXP's MIFARE Classic card, on which the Oyster card used by the London transit system is based."

The worst thing you can do with a security problem is hide it. Some may think this is counterintuitive, but unlike with physical security, hiding computer security problems makes them more susceptible to exploitation, because only the bad guys will know about them. When it comes to computer security, the sad truth is that the bad guys are always five steps ahead of the good guys.

9. Sarah Palin's Rogue E-mail Account Hacked
"In a case that highlighted the insecurity of online password recovery schemes, the risk of public officials going rogue and relying on consumer services for official communication, and the deductive power of the crowd, Alaska Gov. Sarah Palin saw the contents of her Yahoo Mail account published all over the Web."

Bruce Schneier has written about this in his Crypto-Gram newsletter. Basically, all those questions like "What is your mother's maiden name?" are just too easy to figure out. Security through obscurity is no security at all.

8. Involuntary Data Sharing
"As of Nov. 25, 2008, the Identity Theft Resource reported 585 data breaches that exposed over 33 million records. In all of 2007, the ITRC reported 446 data breaches. It's not clear how much of this 31% rise should be attributed to increased reporting of incidents, but just about every security firm reports that online crime is surging. There's more malware out there than ever and it's designed for data theft."

It doesn't help that companies have little or no real expertise in system, application and network security.

7. I Locked My Network In San Francisco
"For a few days over the summer, the IT community had its own soap opera.

In July, San Francisco network administrator Terry Childs, fearing he might be laid off, took the city's network hostage. He changed the administrative passwords on the network's switches and routers and then refused to divulge them."

This is another example of the single biggest computer security problem of all: the people inside the company.

6. CAPTCHA Cracker
"CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart. It's a technique that involves displaying an image depicting distorted text that people, but not machines, can identify.
[...]
In January, "John Wane," who identified himself as a Russian security researcher, posted software that he claimed can defeat the CAPTCHA system Yahoo uses to prevent automated registration of free Yahoo Mail accounts. He claimed a success rate of 35%."

I have no idea why people thought this would work. More specifically, why didn't they realize it could be cracked?

That's it for part one. I'll post the top five tomorrow. Maybe Sunday. Well, sometime before New Year's Eve 2009.
