
Comments
Hackin' At The Car Wash, Yeah
Kelly Jackson Higgins
User Rank: Strategist
9/28/2016 | 10:12:16 AM
Re: Online security while travelling
VPNs are a must-have on public WiFi, for sure.
lorraine89
User Rank: Ninja
9/28/2016 | 10:04:37 AM
Online security while travelling
Yeah, so good on me that I always use a VPN server while I travel. And that does not only include overseas travel; I deploy PureVPN, my VPN server, no matter if I am going to a restaurant or a train station drive-thru. The reason being, these are the hotspot places which have a pretty high data hacking ratio, since hackers are always on the lookout for places like these.
ODA155
User Rank: Ninja
2/27/2015 | 9:30:05 AM
Re: Perspectives from the CW industry
Brian Krebs did a piece on this back in June 2014, "Card Wash: Card Breaches at Car Washes", and the very first thing I think these companies should do is hire someone who actually understands the technology, how it is configured, and how it works. Second, they should change the default passwords to the pcAnywhere and LogMeIn software built into those systems and insist those passwords are changed regularly and not hard-coded. Third, keep the OS and applications updated and patched, because when you put all of that together and just let it hang out on the Internet, you're begging for trouble.
anon7758935109
User Rank: Apprentice
2/23/2015 | 7:13:05 PM
Perspectives from the CW industry
I'm in the CW business as a tech for a manufacturer (not PDQ). Some things to keep in mind here.

1. The CW industry is very fragmented and proprietary. A lot of the hardware and software is very proprietary to the manufacturer, and very often site-specific. So any hacker gaining access to one system is going to have to spend some time learning what does what in terms of actually controlling the hardware. For some manufacturers this will be easier; for others, a hacker is more likely to do damage by accident than on purpose.

2. Automatic car washes with web interfaces are still not the majority of that type of equipment in the US. Most washes are run for 10, 15 years or more, and there are a lot of washes still in existence from the late '90s and early 2000s.

3. One thing I've learned is that many car wash owners don't want to pay for or deal with security. A lot of these are businesses owned by people who think they will build the site, then go down and pick up their quarters once a week, maybe order soap once in a while, and that's it. It is, quite literally, for a good chunk of the car wash sites, a side business for people who have full-time jobs elsewhere. For some of these guys, it doesn't matter what security the manufacturers build into the systems; owners will do things like not change passwords from default (even when told to) or will change them to simple stuff. So any security regulation aimed solely at the manufacturers will fail if it doesn't take owners into account.

4. A lot of the current network security flaws at car washes are a direct result of car wash owners refusing to use higher-end equipment and hire competent people to install and manage their networks. They're using consumer-level routers and modems with default passwords. It makes my job easier when they do use default passwords, but it's a glaring security flaw that many refuse or are too lazy to fix, despite being told to (and it being a Payment Card Industry requirement on sites that take credit cards).

I honestly think that the biggest threat of malicious hacking of a car wash to cause damage is not going to come from outside the industry, but is inside the industry, from things like competitors and disgruntled employees. 
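The default-password problem in item 4 above, and ODA155's point higher up in the thread about changing the default pcAnywhere and LogMeIn passwords and not hard-coding them, is something an installer or a PCI assessor can check mechanically across all the sites a manufacturer services. The Go program below is an added example, not code from any commenter, Dark Reading, or a car wash vendor. It audits a constructed site/device/credential inventory against a small illustrative default-credential list and flags factory defaults, short passwords, and a single password reused across sites (one compromised site then unlocks the rest). The credential list, the 12-character minimum, and the inventory rows are all assumptions made for the example, not values taken from PCI DSS or from any vendor.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"sort"
	"strings"
)

// Finding is one policy violation on one device.
type Finding struct {
	Site, Device, Issue string
}

// defaultCreds is an illustrative "username:password" list of factory defaults.
// It is constructed for this example; a real audit would use vendor documentation
// or a maintained default-credential list.
var defaultCreds = map[string]bool{
	"admin:admin":    true,
	"admin:password": true,
	"admin:":         true, // blank password is still a default
	"root:root":      true,
	"user:user":      true,
}

// minLength is an assumed policy value for this example, not a figure quoted from PCI DSS.
const minLength = 12

// sampleInventory is constructed data: site,device,username,password.
const sampleInventory = `site,device,username,password
wash01,router,admin,admin
wash01,pcanywhere,operator,Op3rator-2015-site
wash02,router,admin,Op3rator-2015-site
wash02,logmein,admin,letmein
wash03,modem,admin,
wash03,router,svc_wash,Z9!kq7#Lm2vP
`

// AuditInventory parses a CSV inventory and returns findings sorted by site, device, issue.
func AuditInventory(data string) ([]Finding, error) {
	rows, err := csv.NewReader(strings.NewReader(data)).ReadAll()
	if err != nil {
		return nil, err
	}
	if len(rows) < 2 || len(rows[0]) != 4 {
		return nil, fmt.Errorf("expected header site,device,username,password")
	}
	var findings []Finding
	type owner struct{ site, device string }
	users := map[string][]owner{} // password -> every device using it
	for _, row := range rows[1:] {
		site, dev, user, pass := row[0], row[1], row[2], row[3]
		key := strings.ToLower(user) + ":" + strings.ToLower(pass)
		switch {
		case defaultCreds[key]:
			findings = append(findings, Finding{site, dev, "factory default credential"})
		case len(pass) < minLength:
			findings = append(findings, Finding{site, dev, fmt.Sprintf("password shorter than %d characters", minLength)})
		}
		users[pass] = append(users[pass], owner{site, dev})
	}
	// A password that appears at more than one site is a lateral-movement path,
	// regardless of how strong it is.
	for _, owners := range users {
		sites := map[string]bool{}
		for _, o := range owners {
			sites[o.site] = true
		}
		if len(sites) > 1 {
			for _, o := range owners {
				findings = append(findings, Finding{o.site, o.device, fmt.Sprintf("password shared across %d sites", len(sites))})
			}
		}
	}
	sort.Slice(findings, func(i, j int) bool {
		a, b := findings[i], findings[j]
		if a.Site != b.Site {
			return a.Site < b.Site
		}
		if a.Device != b.Device {
			return a.Device < b.Device
		}
		return a.Issue < b.Issue
	})
	return findings, nil
}

func main() {
	findings, err := AuditInventory(sampleInventory)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-7s %-11s %s\n", f.Site, f.Device, f.Issue)
	}
}
```

On the sample data the audit reports five findings: the two factory defaults (including the blank modem password), the seven-character LogMeIn password, and the operator password shared between wash01 and wash02. The wash03 router passes. Case-folding the username and password before the default lookup matters because "Admin"/"ADMIN" variants are the same default.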
GonzSTL
User Rank: Ninja
2/23/2015 | 11:26:16 AM
Re: Hackin' At The Car Wash, Yeah
Or slapped around by those brushes! But think of the upside - if you drive through the car wash in a convertible with the top down, as a friend of mine did many years ago, you can get a free bath and blow dry afterwards.
theb0x
User Rank: Ninja
2/21/2015 | 10:37:22 AM
Re: Hackin' At The Car Wash, Yeah
Someone could get soaped to death.
freespiritny25
User Rank: Apprentice
2/20/2015 | 5:33:11 PM
Re: Hackin' At The Car Wash, Yeah
Pretty scary. Who would ever want to hurt someone at a car wash? There are some pretty insane people out there!
1eustace
User Rank: Strategist
2/20/2015 | 3:22:37 PM
Re: Car wireless
Dr. T., here is a real doozy; forget distracted drivers. Cars are becoming more autonomous and relying less on humans for decisions; think of features like collision detection with automatic braking. Hackers have already proven they can access and control the instrument panel wirelessly through built-in wireless adapters. With this level of intrusion, rogue modification of features, e.g. from auto-braking to auto-accelerate, no longer seems far-fetched. Yes, there is a lot more on the horizon...
1eustace
User Rank: Strategist
2/20/2015 | 3:07:24 PM
Re: Connectivity spells vulnerability, software lockdown is only a start
I agree and would take it a step further. There is a role for regulation for every product that has a 'brain' (some processor running firmware), including all consumer devices. I say so because such products are potential agents of evil. For example, it is not difficult to imagine a safe sonic-emitting toy like the Furby in the wrong hands 'tuned' to negatively impact an implantable medical device like pacemakers or cardioverter-defibrillators, long feared to be susceptible to sonic emissions.

I think Billy Rios is approaching this from the angle of product manufacturers having to anticipate the criminal psyche and defend against it. That would be a tall order, if possible at all. However, it is reasonable to expect manufacturers to ensure every product they put out to the public operates as originally intended or fails predictably. To achieve this, all manufacturers need to do is assure only certified firmware runs in the product, and secure chips are available to provide just such assurance. Regulation can bring this to reality if manufacturers are held accountable when products become direct or contributing agents to human safety or public hazards.
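The "only certified firmware runs" assurance the comment above asks for is, in practice, a signature check performed by immutable boot code using a vendor public key provisioned into the device, plus an anti-rollback counter so that a validly signed but older (and perhaps vulnerable) image cannot simply be replayed onto the controller. The Go program below is an added example, not code from 1eustace, Dark Reading, or any manufacturer. Its image layout ("CWFW" magic, version, body, Ed25519 signature) is invented for illustration, and the keys are generated in-process where a real device would have the public key burned into OTP memory or held by a secure element.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Image layout (constructed for this example, not any vendor's real format):
//   magic   4 bytes   "CWFW"
//   version 4 bytes   big-endian, monotonically increasing
//   body    n bytes   the firmware payload
//   sig     64 bytes  Ed25519 signature over magic|version|body
const magic = "CWFW"

var (
	ErrMalformed = errors.New("malformed image")
	ErrBadSig    = errors.New("signature verification failed")
	ErrRollback  = errors.New("image version older than installed version")
)

// BuildImage is the release-pipeline side: sign header+body with the vendor's private key.
func BuildImage(priv ed25519.PrivateKey, version uint32, body []byte) []byte {
	hdr := make([]byte, 8)
	copy(hdr, magic)
	binary.BigEndian.PutUint32(hdr[4:], version)
	signed := append(hdr, body...)
	return append(signed, ed25519.Sign(priv, signed)...)
}

// VerifyImage is the device side: what a boot ROM or secure element would run
// before executing body. pub is the vendor key provisioned into the device;
// installed is the anti-rollback counter (the version currently running).
func VerifyImage(pub ed25519.PublicKey, installed uint32, img []byte) (uint32, []byte, error) {
	if len(img) < 8+ed25519.SignatureSize || string(img[:4]) != magic {
		return 0, nil, ErrMalformed
	}
	sigStart := len(img) - ed25519.SignatureSize
	signed, sig := img[:sigStart], img[sigStart:]
	// Verify before trusting any field: until the signature checks out,
	// every byte of the image is attacker-controlled, including the version.
	if !ed25519.Verify(pub, signed, sig) {
		return 0, nil, ErrBadSig
	}
	version := binary.BigEndian.Uint32(signed[4:8])
	if version < installed {
		return 0, nil, ErrRollback
	}
	return version, signed[8:], nil
}

// Demo exercises the outcomes a practitioner should test: a genuine image,
// a tampered body, an old image replayed against a newer installed version,
// and an image signed with a key the device does not trust.
func Demo() (okVersion uint32, tamperedErr, rollbackErr, wrongKeyErr error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	img := BuildImage(priv, 7, []byte("wash controller logic v7"))

	okVersion, _, _ = VerifyImage(pub, 6, img)

	tampered := append([]byte(nil), img...)
	tampered[12] ^= 0xff // flip bits in one body byte
	_, _, tamperedErr = VerifyImage(pub, 6, tampered)

	_, _, rollbackErr = VerifyImage(pub, 8, img) // device is already on v8

	otherPub, _, _ := ed25519.GenerateKey(rand.Reader) // e.g. an attacker's own key
	_, _, wrongKeyErr = VerifyImage(otherPub, 6, img)
	return
}

func main() {
	v, te, re, we := Demo()
	fmt.Println("genuine image accepted, version", v)
	fmt.Println("tampered image:", te)
	fmt.Println("rollback attempt:", re)
	fmt.Println("untrusted key:", we)
}
```

The order of checks is the point: the version field is read only after the signature verifies, so a forged header cannot be used to bump the rollback counter or steer the parser. A real device would also pin the public key (or its hash) in hardware the running firmware cannot rewrite, which is the "secure chip" role the comment describes.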
1eustace
User Rank: Strategist
2/20/2015 | 2:25:36 PM
Re: Have anyone of the reader here deployed any changes into production?
Changes are deployed into production systems all the time. You don't hear of airports shutting down because they need to update firmware in air traffic control or baggage systems, you don't hear of city blackouts because the smart grid systems need updates and/or repair, United and Continental airlines merged a few years back without taking (much of) a break from flights or bookings, etc., etc. I think a better question is whether the systems were designed to accommodate changes, e.g. for the car wash, was it designed to accommodate secure local and remote interaction in operation and maintenance?

Forethought in security has historically been associated only with large and/or critical systems or products, and everything else receives security treatment, if any, as an afterthought. This model worked in the past because systems and products lived on their own islands. With the ever-growing connectedness in the new world, there is no choice but to make security part of the design and development process of every system or product.