Top 10 stupid security stories of 2011
Stupidity comes in many guises, covering the spectrum from funny through FUD to fail. During the course of 2011 the IT security industry has seen almost every conceivable definition of stupid, including more than a handful that have originated from within the industry itself. Davey Winder has been raking through the archives to compile his top ten stupid security moments of the year…
1. Your printer will not kill you
Ah yes, file this one under “too much time on their hands” perhaps? A security story about a printer. Not a network-enabled printer that may allow a clever hacker access to your data in a slightly convoluted manner. Oh no, a printer that could be hijacked by terrorists and blow up. Yep, security researchers from Columbia University warned that it was possible to exploit a security vulnerability in the firmware of certain HP printers that enabled hackers to overheat paper and disable a thermal cut-off switch to cause a fire. Possibly. Except that HP soon poured cold water on this, confirming that the thermal breakers in question couldn’t be controlled by the firmware updates mentioned.
2. GCHQ code breaker blunder
GCHQ, for those of you who don’t know, is the UK’s top secret Government Communications HQ – the place where all the spying on telephone calls and reading of emails goes on. It is, quite rightly, thought of as being home to some very clever people indeed. In 2011 GCHQ decided to run a recruitment campaign for more clever people to join in the snooping fun. Applicants needed skills in C++ and cryptography, of course, and the ability to break a specially created code consisting of 160 paired alphanumeric characters in order to find out more and move to the next step in the application process. So why is this in my stupid security list? Ah, well that would be down to whoever created the code-breaking “Can You Crack It?” job application micro-site forgetting that a simple Google search would reveal the location of the webpage supposedly only visible to the clever types who could, indeed, crack it. Whoops.
3. Reckless Wi-Fi advice
A well-known US computer publication that shall remain nameless decided to offer advice about securing your Wi-Fi network. Which would have been great had this particular how-to piece not explained how the author was ditching WPA2 encryption because he was “tired of entering a lengthy password every time I add a new device to the network” and was instead thinking of giving his access point “a scary name” to deter would-be hackers.
Having concluded that calling his network “iwillhackyou” was probably a bit silly, the security advice actually provided was even more stupid: don’t broadcast your SSID so nobody can see you. Here’s the rub: hiding your SSID just makes hackers more interested in your network and doesn’t actually make it invisible at all, since the name still travels in the clear whenever a device connects and there are plenty of wireless sniffers that will detect it regardless. The sensible advice is encrypt. Always.
4. Samsung isn’t spying on you
The stupidest security scares have to be the ones that don’t exist at all, as was the case earlier in the year when Samsung was accused of shipping laptops complete with pre-installed keyloggers. This unlikely scenario, which was widely reported, came about after an IT consultant and blogger noticed that a Samsung laptop had shipped with a directory called SL in the Windows root. The VIPRE antivirus he was using detects the StarLogger keylogger by looking for, you guessed it, just such a directory. Oh, and the SL directory on those Samsung laptops? That would be the Windows Live one containing localisation files for Slovenia…
5. Eco-security FUD
I’m used to seeing the environment used as a subject matter for spam, or sometimes as part of a phishing scam, so you can imagine my intrigue when I was offered an article for publication (something neither I nor PC Pro accept anyway) that suggested that HSBC was destroying the planet by making its accounts more secure. The argument, put forward by security vendor SecurEnvoy, was essentially that using physical tokens (you know, the little calculator things that create a one-time password for login) is damaging the planet.