Friday, March 19, 2010

There's a reason that you change your passwords

Especially if you're a business. Especially if you fire one of your computer people:
More than 100 drivers in Austin, Texas found their cars disabled or the horns honking out of control, after an intruder ran amok in a web-based vehicle-immobilization system normally used to get the attention of consumers delinquent in their auto payments.

Police with Austin’s High Tech Crime Unit on Wednesday arrested 20-year-old Omar Ramos-Lopez, a former Texas Auto Center employee who was laid off last month, and allegedly sought revenge by bricking the cars sold from the dealership’s four Austin-area lots.

The headline reads "Hacker Disables More Than 100 Cars Remotely". Anyone want to bet that he just logged into the web portal using the same password that he'd used when he was still an employee? And that the web portal gave him a nice menu of recently purchased cars, so that all he had to do was point and click?

He's not a hacker. He's not even a script kiddie. He's a click kiddie.

Passwords. Change 'em when someone leaves, people.

7 comments:

scotaku said...

My password, "staPuftB0sc0" is the one I use for everything - my online banking, family history records, access to my fully automated home... I don't think anyone would ever discover it, because the internets are secure... I mean, this post is behind a word verification thingie for a reason, right?

For some reason, that bit of idiocy made me giggle.

ASM826 said...

I expected you to make teh snark on this when I saw it yesterday.

wolfwalker said...

"Anyone want to bet that he just logged into the web portal using the same password that he'd used when he was still an employee?"

Don't. You'll lose. From the article:

"Ramos-Lopez’s account had been closed when he was terminated from Texas Auto Center in a workforce reduction last month, but he allegedly got in through another employee’s account, Garcia says."

Borepatch said...

Dang! Busted ...

OK, then the moral of the story is that shared passwords are bad ...

ASM826 said...

Shared passwords are the same as no passwords at all. Just have the system allow anonymous logins and be done with it.

Sabra said...

"OK, then the moral of the story is that shared passwords are bad ..."

Yep. Also bad are ridiculously easy passwords. When I worked for Frost Bank through a temp agency back in '07, all employee usernames and passwords were employer-assigned and followed the exact same format. Knowing the first and last name of my supervisor I could have, in theory, easily logged in using her information and gained access to MUCH more of the system than I was given as a temporary employee.

My account for my college suffers from much the same weakness. PINs for the college system all follow the exact same format. Usernames and passwords for Blackboard Vista likewise follow a uniform format. The people with the most impetus to cause a problem are the ones most likely to have the information needed to log in to someone else's account.

Ian Argent said...

Sharing account info is a disciplinable offense at my employer's. And even the read-only tools are audit-tracked (for good reason).