Discussion on:

94 Comments

Using a former coworker's account name and password, a laid-off employee from an Austin car dealership remotely disabled the ignition system on over 100 cars.

Throughout my IT career, I've seen end users and IT pros (who should know better) use poor password policies--sharing accounts, failing to change default passwords, leaving written passwords in unsecured locations, and so forth.

Does it take a disaster for end users and IT pros to take password policy seriously? Take the poll in the post and let me know.

Article and poll:
http://blogs.techrepublic.com.com/itdojo/?p=1592
0 Votes
Of course
Bogdan Peste 19th Mar 2010
Most users think the whole password policy, keep your password secret, etc. is useless, and nothing is ever going to happen to them. I've seen entire departments (around 10-20 people) share the SAME password for their individual accounts. This kind of "oh, we know better" attitude DESERVES something like this to happen...
0 Votes
Lay!
johnharlem85 Updated - 8th Sep 2011
Having your car repossessed may be about as pleasurable as having a root canal, but at least you know your car's one, and don't have to live your life in fear of an invisible enforcer.
-1 Votes
car
jamesTT 19th Sep 2011
I hope the car company learned their lesson with this incident. If I were their customer and my class B RV were taken offline, I would probably be very upset and the company could have serious money problems.
An ex-employee used a current employee's password to access this remote disable feature. That's not hacking. Hacking may have been how they GOT that password, but there's no mention of that.

When I cross the street in the middle of the block, I'm not "hacking the transportation network," I'm jaywalking. This guy did something using a password he shouldn't have had, but at least as important as lax password policy is this:

Why was ANY individual account capable of doing this to more than 100 vehicles in such a short period of time? Shouldn't there have been some sort of "Oh wait, that can't be right" safeguards in place after the first five/ten cars? If it's not an automatic system attached to a billing routine, why would a "joe user" account be able to do this to so many cars at once?
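The safeguard asked for above, a per-account velocity check that stops a single login from issuing disable commands to car after car, as an added Python example. This is not code from the article or from the dealership's system; the log format, the account names and the VIN placeholders are constructed for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed audit log (not from the article): one line per remote
# 'disable' command, issued through an authenticated dealership account.
SAMPLE_LOG = """\
2010-02-20T22:01:05Z account=webtech action=disable vehicle=VIN-0001
2010-02-20T22:01:41Z account=webtech action=disable vehicle=VIN-0002
2010-02-20T22:02:12Z account=webtech action=disable vehicle=VIN-0003
2010-02-20T22:02:50Z account=webtech action=disable vehicle=VIN-0004
2010-02-20T22:03:20Z account=webtech action=disable vehicle=VIN-0005
2010-02-20T22:03:58Z account=webtech action=disable vehicle=VIN-0006
2010-02-20T22:04:30Z account=webtech action=disable vehicle=VIN-0007
2010-02-20T22:05:02Z account=webtech action=disable vehicle=VIN-0008
2010-02-21T09:15:00Z account=collections action=disable vehicle=VIN-0101
2010-02-21T09:40:00Z account=collections action=disable vehicle=VIN-0102
"""

def parse_event(line):
    """Parse 'TIMESTAMP key=value ...' into a dict with an aware datetime."""
    ts, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return event

class VelocityGuard:
    """Allow at most `limit` disable commands per account in any sliding window;
    a blocked command is not executed and raises an alert for a human to review."""
    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = timedelta(seconds=window_seconds)
        self.recent = defaultdict(deque)  # account -> timestamps still inside the window
        self.alerts = []                  # (account, ts, vehicle) for every blocked command

    def check(self, event):
        if event["action"] != "disable":
            return "allow"                # only the high-impact action is rate limited
        recent = self.recent[event["account"]]
        while recent and event["ts"] - recent[0] >= self.window:
            recent.popleft()              # drop commands that have aged out of the window
        if len(recent) >= self.limit:
            self.alerts.append((event["account"], event["ts"], event["vehicle"]))
            return "block"
        recent.append(event["ts"])
        return "allow"

def evaluate(log_text, limit=5, window_seconds=600):
    """Replay a log through the guard; returns (decisions, alerts)."""
    guard = VelocityGuard(limit, window_seconds)
    decisions = []
    for line in log_text.splitlines():
        if line.strip():
            event = parse_event(line)
            decisions.append((event["account"], event["vehicle"], guard.check(event)))
    return decisions, guard.alerts

if __name__ == "__main__":
    decisions, alerts = evaluate(SAMPLE_LOG)
    for account, vehicle, decision in decisions:
        print(f"{account:12s} {vehicle}: {decision}")
    print(f"{len(alerts)} alert(s) raised")
```

A legitimate billing batch would run under its own service account with a limit sized to its workload, so an interactive user account never needs more than a handful of disables per window.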
I agree 100 percent. Unfortunately, many use the word "hacking" to refer to any unauthorized access of a computer system.

I can forgive the local NBC affiliate's reporter and anchor for mischaracterizing this individual's actions as "hacking," but I was surprised to see the more tech-savvy writers and editors at Wired call this individual a "Hacker."
Don't kid yourself; most reporters/journalists know the difference, but by sticking "hacker" or "hacking" in the headlines they grab people's attention.
0 Votes
Well, really, it IS hacking in one sense.
"Social Engineering", one of the oldest tricks in the book.
0 Votes
Wow!
ktrjones12 27th Jul 2011
Wow, what model of cars can they do this with? Do you need anything like On-Star in order for them to have this capability?
As far as I'm concerned I don't want anyone to be able to shut down my car. I don't care if it's the dealer or somebody with a government job. It's just not right and I won't be buying usa auto parts that have this capability.
0 Votes
I think your poll is skewed. I am an IT Director, and my department takes password policy very seriously. However, I consistently find that users do not take it as seriously. Excuses range from it is "too hard" to remember passwords, to "if IT is keeping the system secure enough, my password shouldn't matter". I agree that it takes both IT and end users taking password security seriously, and it might take a disaster for end users to take it seriously. On the whole, I think most IT departments understand the risks all too well and don't need a disaster to take it seriously.
0 Votes
We had great cooperation from our fellow employees on the restrictions we placed on our organization. We had good leadership and education was key in informing our peers about the reasoning behind our lock down policies.

But then, we were under HIPAA and I think there was a general understanding we were only following the law.

I've never worked for an IT department that waited for disaster to strike, so I tend to doubt the poll too.

However I do believe the public and some privately owned businesses, in general, are quite complacent to these realities.
People don't care about their credentials; they seem to be unaware of the risks of sharing them.
Unfortunately, most of the time, even when workers get fired or something, the department managers don't say a word to the IT team and those people still have all the privileges associated with their accounts.
Take a look at disaster recovery plans, funds, etc... I don't just mean in IT, but in government, small, medium, large and global corporations. Anything that takes money and time away from the bottom line will never get done until it's too late.
Unfortunately yes,

Look at our society; as soon as something needs to change or to be changed, critics (i.e. complaints) are always present. Humans don't like change and IT isn't an exception.

There are several ways to deal with security in companies, but too often, huge holes can be found about access security. I need to admit that replacing password after "XX" days isn't a ride in the park but if you care enough about the sensitive data transiting into our enterprise, you MUST do something to secure it properly.

I saw nightmares about security in my career previously and I'm sure that this guy is neither the first one nor the last one...

And about those who ask about the ignition "politically correct" issue ... my answer is that technology brings good stuff and bad stuff, we need to live with it!
At no time should a BANK have access to technology that can disable any function on a vehicle. Refocus Automotive Technology on Power Train and electronic dependability. Leave the Asset Recovery back in the hands of Banks. If Banks were more active in their management of Assets, loans would be made with greater accuracy. True, one could argue the point you would see fewer loans in the market; More true, less fraud, deficiencies and spending beyond acceptable means.
I would never allow a Bank to shut down my vehicle with Technology due to an accounting dispute. If I were ever late with a loan payment beyond 90 days, the vehicle could be considered stolen, Law Enforcement would investigate, and recovery would be made by conventional means. It's simple: Banks make loans, get some real Skin in the Game.
When you own your vehicle it's yours. When your name is on the pink slip it's yours. Until then, the owner can do with the car you drive whatever he wants within the law. Don't like it? Don't go into debt. It's as simple as that - like it or not. You chose to put your skin in the owner's hands.
0 Votes
not a bank
wildwood 20th Mar 2010
The auto dealership is the lender. Probably a buy here, pay here place that has weekly payments and high interest for people with bad credit.
I'd like to use a device my sister's company requires her to use (she deals in Chapter 11 software): it's a key fob that has a constantly changing code on it. You don't remember a password; you have to type in the code as the password.
0 Votes
key fob password?
ed@... Updated - 24th Mar 2010
I suspect she also has a password.
The fob is "something she has" with a constantly changing number, the password would be "something she knows". Otherwise anyone could use her fob to enter her account if there was no password (like a password on a post-it-note). There is also "something I am" like a fingerprint. Use all 3 in a properly created system and it's pretty secure.
0 Votes
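The two-factor scheme described in the key fob replies above (the fob as "something she has", the password as "something she knows"), as an added Python example that is not from either post. The fob is modelled as an RFC 6238 time-based code (RFC 4226 HOTP with the counter taken from the clock); the account record, salt and fob seed are constructed values, the seed being the RFC test-vector secret.

```python
import hashlib
import hmac
import struct

def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: what the fob displays is HOTP with the counter derived from the clock."""
    return hotp(secret, int(unix_time) // step, digits)

def verify_totp(secret, code, unix_time, step=30, skew=1):
    """Accept the current step plus/minus `skew` steps of clock drift, comparing in constant time."""
    counter = int(unix_time) // step
    ok = False
    for c in range(counter - skew, counter + skew + 1):
        ok |= hmac.compare_digest(hotp(secret, c), code)
    return ok

def hash_password(password, salt):
    """Salted PBKDF2 so the 'something you know' is never stored in clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed account record (example data, not a real system). The fob seed is the
# RFC 4226/6238 test-vector secret; a real seed is random and unique per fob.
SALT = b"constructed-salt-01"
USERS = {
    "alice": {
        "salt": SALT,
        "pw_hash": hash_password("correct horse battery", SALT),
        "fob_seed": b"12345678901234567890",
    },
}

def authenticate(username, password, code, unix_time):
    """Both factors must pass: a stolen password or a borrowed fob alone gets nowhere."""
    record = USERS.get(username)
    if record is None:
        return False
    password_ok = hmac.compare_digest(hash_password(password, record["salt"]), record["pw_hash"])
    code_ok = verify_totp(record["fob_seed"], code, unix_time)
    return password_ok and code_ok  # both are evaluated; no short-circuit on the password
```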
What are the odds GM's On*Star has some "undocumented" goodies such as this, too?

I'm wagering the odds are pretty good.
It's not undocumented, it's in their commercials. On*Star can remote disable your car to assist law enforcement with recovering stolen vehicles. They've openly talked about it as a feature.
0 Votes
Great Post
stevew@... 19th Mar 2010
Thanks, Bill. This story shows once again that companies need to think through their policies and then FOLLOW them. Social activism always beats security in the short term simply because its easier not to bother. 100% of the onus should be on the company. The ex-employee is an ex. Anyone wish to speculate why???
If your place of employment has strict guidelines regarding IT security and policies, they should be complied with.
0 Votes
I read an article a few years back about Radio Shack firing a bunch of their employees via email. My first thought was that assuming that these employees are at work, you now have upset employees that are currently in your system with the ability to do harm to your company. I never heard what happened but I always wondered if anything happened.
0 Votes
Setting system policy for complex passwords and dealing with timely account management is something any IT person dealing with PCI-DSS, SOX or any other regulation that has come down the pipe has been implementing for some time. Getting users to understand that we are not just trying to make their life hell with the seemingly endless password changes is another matter altogether.

Password management is not a disaster waiting to happen; the disaster has already come. What we need is a better system, something the user cannot lose, give away or change. Something that no matter what would remain private.

But at least here in the US we are not all ready to give up privacy in the form of advanced biometrics to get privacy and security. I for one would love to not need to maintain a laundry list of passwords constantly changing.
0 Votes
in IT on whether the password model is failing and how to think outside convention to enhance security further. We are going to have to pay more attention to the psychology of security management as well. The human factor cannot be ignored in a discussion of a redesign in security development.
So, biometrics get introduced - fingerprint readers, retinal scanners, voice activation, maybe even DNA samplers? Sounds kinda "24-ish". All of these are hijackable, are they not? Compromised systems are able to track KB strokes. Why not hack and steal fingerprint, retinal, or voice data? Even DNA sampling is lame 'cause you can just pull the person's used soda can out of the recycle bin... So what's the solution?
You can never anticipate every possible avenue of approach. You can never completely prevent spoofing the system. You take all the reasonable steps you can take to enhance security, then keep a watchful eye out to catch those that bypass that security. If somebody breaches the system, you move to prevent that type of breach. Not much else you can do.

Anybody that thinks 100% security is possible, or even plausible, is not playing with a full deck.
0 Votes
How's this for draconian
AnsuGisalas Updated - 1st Aug 2011
Just thought this out:
You know those PIN code dispenser cards?
It's like a credit card, but with a display and a button. Press it and it generates a key from a seed and the time of day and position data, which is then verified by the login.
But the card also serves as a punch-in card, and perhaps as a workstation key.
And it has an RFID chip which is tracked throughout the compound (that's where the position data for the key comes from).
Finally there's company policy to match: An employee who loses their key must report it immediately. If a card is found which hasn't been reported, the owner is fined. The card doesn't have any identifying information written on it, so a finder can't deliver it to the holder, only to management. And of course, if abuse is reported the system can trace the movement of the card to help locate the culprit.

All just to make it slightly more inconvenient to break than the average criminal is likely to bother with.

P.S. the point of the position data is that the card will not give valid keys if removed from the compound.
0 Votes
Well...
rfolden@... 19th Mar 2010
... RS hires the majority of their employees via an "on-line" hiring application, so why not fire them by email.

And forget dropping by the local RS for part-time employment... they'll send you to the on-line application.
I agree that this is bad security but did anyone notice why this ability exists? The dealership can DISABLE a car because of non-payment!!! REALLY!!! Is this something that should be explored and exposed? An out-of-work single mother doesn't pay her bills and is out somewhere with the kids buying groceries and the dealership decides that this is the time to disable the car and she is stuck in a parking lot. Come on ...
0 Votes
really?
SmoothIT 19th Mar 2010
What about cars that had the ignition disabled while on a freeway?
I've seen this sort of system (in a shared car co-op) and usually it's only to disable the STARTER, not to actually turn the car off while it's on. Once it's running, it's running. I agree that it can mean people are stranded in a parking lot somewhere, though.
0 Votes
Loop hole
TheProfessorDan 19th Mar 2010
I can see people that are over four days past their payment just keeping their cars running.
0 Votes
A whole new market: fill 'er up with some cheap fuel that just gives enough power to idle, with a fuel switch for regular gas.
WARNING - Don't do this in your closed garage!
I want one of these things, does Radio Shack sell them?
0 Votes
....just park on a steep hill!
0 Votes
Imagine a worse scenario. Your wife is pregnant. She goes into labor, oops, the car won't start. Or perhaps you need to get to the emergency room. Any number of situations. This is just a large court case waiting to happen.
Finally, the car is legally yours. What right do they have to install some device in it? If you stop payments, they repossess it.
0 Votes
You do have some ownership rights, but they would be very different to outright purchasing of a vehicle. I'd say it is a system that was bound to happen with all the technology coming on board in the auto industry.

Police can already disable On Star vehicles, I would not doubt but what the government hasn't hacked a way to disable all autos built after a date where almost all of them have started installing what is basically a PC to control onboard systems in vehicles now.
0 Votes
Imagine your wife is going into labor, you didn't pay your car loan for a few months, you go outside and, oops, the car is GONE!

In the "old days", the guys come in the middle of the night and get your car.

This is just a way of:
1) Locating the car
2) preventing you from moving / hiding the car from the rightful owners, the re-possessors.

You don't own anything that has a lien on it until it is paid in full.

mcb
0 Votes
Here is an even more common scenario

You have a standard transmission car and pull out in front of traffic thinking you have plenty of time except you let the clutch out too fast and stall the car. Normally you would quickly restart the car and move clear of the traffic except it has just been disabled and you take a hit in your driver's door (normally fatal).
0 Votes
Not as common as you think
NickNielsen (Moderator) Updated - 19th Mar 2010
Most Americans much prefer an automatic. That way they don't have to actually learn to drive. They can get away with just aiming...and putting on makeup, combing their hair, shaving, reading, writing, texting, and all the other stupid things Americans do behind their wheels at highway speed.
0 Votes
The car is usually NOT yours if you're making payments on it. It is the property of the lien holder, who has every right to install such a device. If the car WAS legally yours (meaning fully paid and no liens against it) and it was repossessed, that would be something called Grand Theft Auto... and I'm not referring to a video game.

That said, I think such devices are lame and can cause serious issues. But if you can't make the payments, you shouldn't have purchased the car. Sure, no one can foresee losing their job, but the lien holder has a right to protect their asset how they see fit.
0 Votes
This isn't a new technology. It's been used in the Southwest for years.

The responsible person for the car note is quite aware of the unit being installed.

And the technology is mature enough to not be a danger to a driver.

It keeps you from starting the car ....

Google the technology.
0 Votes
How about this one? Someone intentionally buys a car they cannot afford and tries to elude repossession by moving from one area to the next.

There are two sides to every coin. As long as the company or bank OWNS the property, they can do whatever the hell they want especially if they disclose this capability before the buyer signs on the dotted line.
0 Votes
You lose a couple of cars to car thieves (and I think someone moving around like this would be very rare) or you lose tons of business because people don't want to take the chance that their car will be disabled.
It doesn't even have to be a disgruntled employee. One typo and your car gets shut off instead of the correct person's, or the database is corrupted, or maybe the signal goes out due to an electronic glitch. They should just stick with the tracking device so they can find it to repo it.

I know I'll never buy a car someone else can control - I'd stick with old junkers first!
My least favorite thing is passwords that expire every XX number of days. That just leads to people having insecure, easily guessed, passwords. Or worse, it leads to people writing them down and "hiding" them near their computer. Which security genius thought password expiration was a good idea? Just force users to set one good password and let them keep it until you are sure there has been a security breach.
The problem with that plan is that a breach can go undetected (maybe the stolen password in this case was 20+ characters long and complex, but once it was stolen it's useless). Nobody knew this guy had his buddy's password until *after* the cars had been shut down. Timed password changes can mean that the password the ex-employee has lifted won't do anything by the time they decide to try to use it.

I know in my experience that the higher up in the executive food chain someone is, the less likely they are to have a password rotation ("It's annoying to have to remember it") and so you can easily end up with the President of a multi-billion-dollar company having the same password for email, contracts, budgets, HR, etc for YEARS without a change.

That's an awfully large security hole to just leave open hoping that whomever might use it will be foolish enough to get caught, and THEN change the password.
0 Votes
it can still work
Al_nyc 22nd Mar 2010
If someone gets your password, they will test it before they use it. A message showing the last time you logged in and the IP address is all that is needed to check on that. I always look at that message on the systems that provide that info.
0 Votes
Hear, Hear!!!
jmarkovic32 19th Mar 2010
That idiot must have had a lot of clout. As a security-conscious engineer, even I behave like a normal user in everyday life when it comes to passwords.

The fact of the matter is that we have so many of them and managing them all mentally is a huge chore. So we take the path of least resistance.

It can even be argued that password resets make passwords less secure!
Finally someone else agrees with me. I've been in IT for almost 30 years and never understood this lame idea. I can go to just about any computer in our organization and find the password written on a post-it note under the keyboard or on the monitor. I probably don't need it because password-protected screen savers aren't mandatory here and so they're probably still logged on 24x7 despite many warnings about backups and OS patching that doesn't happen. Basically, it will take at least another generation before either people won't be clueless about computers and computer security, or we have AI-capable computers that can think for the users. I can go on and on with stupid user stories but right now I'm too busy fixing all the computers of users who said "yes" to the "your computer has a virus, click here to fix the problem..." browser pop-ups.