BIRMINGHAM – Wired’s ThreatLevel reported that a disgruntled ex-employee of a car dealership in Austin, Texas, used a black-box lock-out device on over a hundred vehicles to disable them or make their horns sound. The service he used is provided by Payment Technologies in Cleveland. The product is well thought out, with safety features and backup batteries. If a car owner fails to make a payment, the car will not start. There is a one-time emergency code that can be used once per pay period, along with other safeguards.

One little issue is the lack of access controls on the web-based service provided to the dealer. Like so many web-based services (think Twitter 18 months ago), the login is a simple web page that asks for a username and password. Since Wired’s article was published, it is easy to predict that this login page is already being hammered by brute-force password-guessing tools. It is only a matter of time before a cracker gets access to the system with some other dealership’s credentials.

The lesson learned is simple. Do not ever provide a service over the web that controls something critical (house lights, surveillance cameras, bank accounts, car lock-out devices, street signs, traffic lights, stock trading accounts, etc.) without having at least rudimentary controls in place. Those controls are:

1. Lock out the user after four failed attempts. (This works great when you do not have a lot of users and their usernames are not easily guessable. If you have millions of users, like Facebook or Twitter, you have another problem: the attacker fixes one common password (abc123, password, Celtics) and brute-forces the username instead, so no single account ever hits the lockout threshold. Twitter has the added issue of publicly revealed usernames: the Twitter ID.)

2. Require CAPTCHAs. As annoying as this is, it stops automated brute-force attempts and assures your customers that you are protecting their accounts.

3. If large sums of money are involved, use two-factor authentication. (A one-time password token or a call-back to a cell phone; see PhoneFactor.com for one such tool.)
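The first control, and the caveat attached to it, are easy to get wrong in practice: a per-account counter stops guessing against one username but is blind to an attacker who tries one password against many usernames. The following is an added example, not code from the column or from the lock-out vendor, showing both a per-account lockout after four failures (the column’s threshold) and a per-source check for the "one password, many usernames" pattern. The credentials, source addresses and the spraying threshold of ten distinct usernames are constructed assumptions for illustration.

```python
"""Per-account lockout plus detection of password spraying.

Added example (not the page's or the vendor's code). Assumptions:
LOCKOUT_THRESHOLD follows the column (four failed attempts);
SPRAY_DISTINCT_USERS and all credentials below are constructed.
"""
import hashlib
import hmac
import os
from collections import defaultdict

LOCKOUT_THRESHOLD = 4       # from the column: lock the account after four failures
SPRAY_DISTINCT_USERS = 10   # assumption: this many distinct failed usernames from one source


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the store never holds plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


class LoginGuard:
    def __init__(self, credentials: dict):
        # credentials: {username: plaintext} used only to build the hashed store
        self.store = {}
        for user, pw in credentials.items():
            salt = os.urandom(16)
            self.store[user] = (salt, hash_password(pw, salt))
        self.failures = defaultdict(int)            # per-account failed-attempt counter
        self.locked = set()                         # accounts that hit the threshold
        self.failed_users_by_source = defaultdict(set)  # source -> usernames that failed
        # dummy record so unknown usernames cost the same time as known ones
        self._dummy_salt = os.urandom(16)
        self._dummy_digest = hash_password("", self._dummy_salt)

    def _verify(self, username: str, password: str) -> bool:
        salt, digest = self.store.get(username, (self._dummy_salt, self._dummy_digest))
        ok = hmac.compare_digest(hash_password(password, salt), digest)
        return ok and username in self.store

    def attempt(self, username: str, password: str, source: str) -> str:
        """Return 'ok', 'denied' or 'locked' for one login attempt."""
        if username in self.locked:
            return "locked"             # correct password no longer helps once locked
        if self._verify(username, password):
            self.failures[username] = 0
            return "ok"
        self.failures[username] += 1
        self.failed_users_by_source[source].add(username)
        if self.failures[username] >= LOCKOUT_THRESHOLD:
            self.locked.add(username)
            return "locked"
        return "denied"

    def is_spraying(self, source: str) -> bool:
        """True when one source has failed against many distinct usernames.

        This is the case the per-account counter misses: every account sees
        only one failure, so none is locked, yet the source is clearly guessing.
        """
        return len(self.failed_users_by_source[source]) >= SPRAY_DISTINCT_USERS


if __name__ == "__main__":
    guard = LoginGuard({"dealer1": "correct horse", "dealer2": "s3cret"})
    for _ in range(4):
        print(guard.attempt("dealer1", "wrong", "203.0.113.5"))   # denied x3, then locked
    print(guard.attempt("dealer1", "correct horse", "203.0.113.5"))  # locked
    for i in range(10):
        guard.attempt(f"user{i}", "password", "198.51.100.7")
    print(guard.is_spraying("198.51.100.7"))                         # True
```

The per-source set is the piece the column says large services need: when `is_spraying` fires, the right response is to throttle or CAPTCHA that source rather than lock the accounts it touched, since locking them would let the attacker deny service to legitimate users at will.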

Unfortunately, most new services are rolled out with the simplest login requirements. Do that and you will learn the hard way: a disruptive incident and public exposure in the press.

Richard Stiennon is a security industry analyst based in Birmingham, MI. He has presented on the topics of cyber threats and cyber defense in 28 countries on six continents. He writes the ThreatChaos blog. His first book, Surviving Cyber War, is due to be published by Government Institutes in mid 2010. Stiennon’s publishing group, IT-Harvest, is a joint venture partner of MITechNews.Com. For joint advertising information, email [email protected]
