Sunday, July 15, 2007

Are passwords and codes, available in too many places, enabling crime?

Wired News (Kevin Poulsen) reported another instance where an ATM was easily reprogrammed to think it was dispensing $1 bills instead of $20s.

The same thing happened in Virginia Beach last September.

Wired News reports:

Police in Derry, Pennsylvania are baffled by a June ATM robbery in which an unidentified man wearing flip flops and shorts strolled into Mastrorocco's Market and reprogrammed the cash machine to think it was dispensing dollar bills when it was actually spewing twenties.

In this instance, the factory code that had never been removed from the ATM was "123456", and the programming manuals are available online.

Wired story, here.

Of course, the ATM company in the article accepts no liability. Somewhere in their technical manual, they warned the buyer to remove the code.

Unfortunately, this doesn't only apply to ATM machines, and it's not the first time I've seen a factory code as simple as "123456."

Hackers love to target people who forget to change default codes. The reason is simple: it is easy, and a surprising number of businesses fail to change them.

In today's technology-driven society, default codes are put into cell phones, point-of-sale equipment, alarm systems, and even safes. The list of devices using codes or passwords could go on and on.

I even found, on Google, instructions on how to hack a soda machine using its default code. As a matter of fact, besides technical manuals that list their default codes online, hackers seem more than happy to share this kind of information and post it online, too.

In many of the data breaches we read about too frequently, default codes or weak passwords might have been what enabled hackers to breach a system containing financial information. Visa listed this as one of the top three vulnerabilities in point-of-sale systems in a November CISP bulletin.
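As an added example (not from the original post or from Visa's bulletin), here is a defender-side audit that checks an inventory of device codes against a list of factory defaults and a few weak-PIN patterns; the device names, the codes and the default list are all constructed sample values, and a real audit would load the defaults from the vendor manuals for the exact models in use.

```python
from dataclasses import dataclass

# Constructed sample of factory defaults (the "123456" from the ATM story
# plus a few other common ones). Replace with the values from your manuals.
FACTORY_DEFAULTS = {"123456", "000000", "1234", "0000", "1111", "9999"}


@dataclass
class Device:
    name: str   # hypothetical inventory label
    kind: str   # ATM, point-of-sale, alarm panel, safe, ...
    code: str   # the access code the device is currently set to


def is_sequential(code: str) -> bool:
    """True for runs like 123456 or 654321 (every step +1, or every step -1)."""
    if len(code) < 2:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(code, code[1:])}
    return steps == {1} or steps == {-1}


def is_repeated(code: str) -> bool:
    """True when the code is a single digit repeated (0000, 111111)."""
    return len(set(code)) == 1


def weak_reasons(code: str, min_len: int = 6) -> list:
    """Return the list of reasons a code is weak; empty means it passed."""
    reasons = []
    if code in FACTORY_DEFAULTS:
        reasons.append("factory default")
    if len(code) < min_len:
        reasons.append(f"shorter than {min_len} digits")
    if is_sequential(code):
        reasons.append("sequential digits")
    if is_repeated(code):
        reasons.append("repeated digit")
    return reasons


def audit(devices) -> dict:
    """Map each device name to its weak-code reasons; clean devices are omitted."""
    return {d.name: weak_reasons(d.code) for d in devices if weak_reasons(d.code)}


SAMPLE_INVENTORY = [  # constructed sample data
    Device("atm-lobby", "ATM", "123456"),
    Device("pos-reg-2", "point-of-sale", "0000"),
    Device("alarm-back", "alarm panel", "4827"),
    Device("safe-office", "safe", "730415"),
]

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_INVENTORY).items():
        print(f"{name}: {', '.join(reasons)}")
```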

If you are interested you can read Visa's CISP bulletin regarding this, here.

The bulletin is focused on merchant systems, not banking ones. Does that mean there are no vulnerabilities in banking systems?

Of course, most of the information stolen from banks is taken via phishing -- where a person is tricked into giving up their information (passwords being highly desirable) through social engineering -- or, more and more frequently (at least according to the last APWG report), by downloading malware (crimeware). Once the malware is downloaded, no further human interaction is needed, and the information is stolen, normally with keylogging software.

Maybe we are making it too easy to hack systems? Whether we call it a code or a password, both are used to open something. Essentially, they are a key, which opens the lock on whatever you are trying to keep locked (secure). Is the problem that we've created too many different keys?

At least with keys, you have to go to a little more trouble to duplicate them. It's hard to post them online, and a little more difficult to write them down, or even memorize them.

My best advice to the less technical people out there -- dealing with layers of passwords or default codes -- is to read the technical manuals carefully. It might also be a good idea to consult the salesperson selling you the device on how to make it 100 percent secure.

Of course, it also might be a good idea to see what is being posted online, and not to hand out your keys to the wrong person.

I recently did a post on Dariusz Grabowski, a Polish immigrant, who describes himself as the "eBay king of stolen cars." As part of his plea bargain agreement, he disclosed information on how he was stealing a lot of cars and made the statement:

"You go online, you find anything you need," Grabowski told the investigators in the videotaped interview. "You can go on eBay at this point and purchase any of the equipment you need. Of course, I might pick this up easier than other people."

Maybe if some of the people selling the devices protected the keys a little better, the information wouldn't be so easily picked up?

R. Lee Ermey, who played Senior Drill Instructor Gunnery Sergeant Hartman in Full Metal Jacket, might have said it best in a scene from the now classic movie.


Courtesy of YouTube and Warner Home Video
