July 20, 2007

Security and Car Dealers: The Hidden Truth

This morning I grabbed a new laptop and took a trip to a few dealerships in my area to check out security. As a former coder I’m not up to speed with the latest hacking techniques, but I thought it would be interesting to see how much data I could get from these stores. Now, before the privacy advocates go crazy here, let it be known that this was a controlled experiment with a hard drive in the laptop that was wiped clean by our security team immediately following the test. No data from any customers of these dealerships was reviewed or looked at beyond a cursory glance, and no staff member at iMagicLab had any access to anything. I went to 5 stores at random that did not use iMagicLab software and with which I had no relationship whatsoever. Each store in the test did not know me, did not actively participate and probably would be really pissed off that I was doing this. At no time did I break any laws or use any devices or programs to enter into a network without authorization. With all the appropriate caveats in place, let’s look at the methodology and test results:

The Method

I decided before I started this that I would try the same techniques on each store. To make it fair I did them in the same order and in the same way. I was going to wear a lab coat as well but I thought that might stand out. Here’s what I did:

· I scanned for a wireless network and if it existed I tried to connect to it

· I went into each dealership and asked if I could use their internet connection to check my email

· I used a freeware packet sniffer to detect and record network traffic

· I used a printer reverse decryption program to read documents intended for a printer

· I spent zero money on software products beyond the Vista software on the machine

· I used the built-in Windows networking features to check out anything I could that was freely available without a password. If the file, directory or computer had security on it I made no attempt to open it or download it.

The Results

If you have a seatbelt on your office chair, now would be a good time to buckle up: the results are really unbelievable. I’m chomping at the bit to write the conclusions section here, but I won’t if you promise that you will read to the end:

· 5 out of 5 dealers had wireless networks at the dealership. 4 out of the 5 actually had multiple wireless access points and in ALL cases I was able to access the dealership network by simply hitting the “connect” button. It’s important to note that some of these networks were ‘ad-hoc’ networks and were obviously created for the use of one or two people using a $60 USB instant wireless network product (the kind used by many consultants and trainers to run their laptops).

· Every store let me hook up my laptop to their network without objection. Two stores actually instructed staff to get me a private room and a network cable.

· Packet sniffing each of the networks was like being in a Harrison Ford movie. Social Security numbers, credit results and huge amounts of personal information just started streaming into my machine. All of the dealerships I sampled offered a huge amount of data available for the asking.

· Printer page interception was more difficult but offered far more data than the packet sniffing. Where the packet sniffing needed to be assembled after the data was downloaded, the printer was always sent a complete page of information. It was very easy to get a nice package of info on every customer who was penciled or bought a car.

· File downloads from unsecured directories included reams of pornography, staff reviews, customer spreadsheets and just about everything you can imagine. Several computers had text files or Excel spreadsheets including passwords for store systems etc. There was virtually no security anywhere once on the network.
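
A dealership can check its own airspace for the first finding above (networks that accept anyone who hits "connect", and ad-hoc networks set up by individual staff). The following is an added example, not something from the original post: it assumes scan text laid out like the output of Windows' `netsh wlan show networks`, and the SSIDs and values in the sample are constructed.

```python
import re

# Constructed sample, laid out like `netsh wlan show networks` output.
SAMPLE_SCAN = """\
SSID 1 : SalesFloor
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : None

SSID 2 : FinanceOffice
    Network type            : Infrastructure
    Authentication          : WPA2-Personal
    Encryption              : CCMP

SSID 3 : trainer-laptop
    Network type            : Adhoc
    Authentication          : Open
    Encryption              : WEP
"""

SSID_LINE = re.compile(r"^SSID\s+\d+\s*:\s*(.*)$")
FIELD_LINE = re.compile(r"^\s+([A-Za-z ]+?)\s*:\s*(.+)$")

def parse_scan(text):
    """Return one dict per SSID block, with lower-cased field names."""
    networks, current = [], None
    for line in text.splitlines():
        ssid = SSID_LINE.match(line)
        if ssid:
            # An empty name means the network does not broadcast its SSID.
            current = {"ssid": ssid.group(1).strip() or "<hidden>"}
            networks.append(current)
            continue
        field = FIELD_LINE.match(line)
        if field and current is not None:
            current[field.group(1).strip().lower()] = field.group(2).strip()
    return networks

def audit(networks):
    """List (ssid, reasons) for every network that needs attention."""
    findings = []
    for net in networks:
        reasons = []
        if net.get("authentication", "").lower() == "open":
            reasons.append("no authentication")
        if net.get("encryption", "").lower() in ("none", "wep"):
            reasons.append("weak or no encryption")
        if net.get("network type", "").lower() == "adhoc":
            reasons.append("ad-hoc network")
        if reasons:
            findings.append((net["ssid"], reasons))
    return findings

if __name__ == "__main__":
    for ssid, reasons in audit(parse_scan(SAMPLE_SCAN)):
        print(f"{ssid}: {', '.join(reasons)}")
```

Any SSID the audit lists that IT did not deploy itself is worth tracing to the desk it came from.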

What You Can Do

It’s really very simple; hire a security consultant and adopt a Security Strategy like this:

Layer 1 - A dedicated, private Internet connection.

A dedicated Internet connection like a T1 service will reduce the number of unwanted attacks by about half.

Layer 2 – Only use Internet-based software that is truly secure

You know that little lock in the browser that says you are secure? Did you know that companies can buy that “security” for $199 without any background checks or technology? Scary but true, those certificates do nothing to help you tell that the company you are dealing with has done anything to secure your data. Only the new EV certification or higher can really be trusted to make sure your data is safe and that the company you are dealing with is real. Log in to eBay or PayPal and look at the address line in Internet Explorer (7 or above). See the green address bar? Green means go, anything else is a deal stopper.

Layer 3 – Make sure your DMS is secure

I could write here for hours, but the Reader's Digest version is that most of the technology nearly all stores use to safeguard their customers' information is woefully outdated and has more holes than Swiss cheese. Call your vendor, conduct an INDEPENDENT security audit and make whatever changes you need to. Almost 50% of the data I was able to get came directly from the DMS systems in those stores. It’s just frightening.

Layer 4 - Securing the LAN with a reliable firewall capable of handling today's "Blended Threats"

A firewall that analyses data in real-time and monitors all traffic coming in and out of the dealership's Internet connection will help in protecting sensitive data. Intrusion methods change with technology. Dealership firewalls must be able to identify the traffic going through the firewall and be able to determine if this data is wanted, safe, and secure enough to deliver to the end user. Moreover, a managed firewall with timely updates will keep the dealership up-to-date with the newest technologies and threats.

Layer 5 - Securing the LAN through a repeating process of monitoring and adjusting

A security program is only as good as the party that monitors the attacks and adjusts the security policy appropriately. Without this continual process of monitoring and adjusting, a dealership will fall further and further behind, putting itself at high risk.

Layer 6 - Securing PCs with reliable anti-virus/spyware protection.

Security starts from within the dealership. Since a network will be compromised at its weakest link, each PC must have up-to-date anti-virus protection. A corporate anti-virus solution is the best fit for dealerships of all sizes. Many of today's corporate anti-virus solutions also include spyware protection and keylogger protection.

Layer 7 - Employee background checks, monitoring and education

Most theft occurrences start from the inside out. Usually this can be prevented by properly educating employees on ways in which they can help to protect the company's privacy and their customers' privacy. Examples include social engineering, proper passwords and storage of passwords, remembering to log out and locking their workstation when they leave. Background checks are absolutely necessary as our industry tends to employ folks that need money. Did you know that mortgage companies buy credit applications from salespeople for $10 per app? It gets worse and you need a real plan to make sure your staff is not working against you on the side.

While no dealership can be "completely" safe, securing each layer of the dealership is the best way to reduce its risk against threats from within and outside the dealership and mitigate any liability for acts committed by attackers. Turning to experts in security, technology, and dealership infrastructure is the best way to make sure the dealership is better protected.

The Conclusion

Do I even need to write this now? While the results of this security audit were expected, the depth of negligence was startling. Privacy and data safeguards are buzzwords that every dealer talks about or hears almost monthly but few actually take seriously. I know I don’t need to write this but the implications to the business and its customers are enormous. All the manufacturers have programs dealing with store security but here in Northern California, where you’d expect security to be up to speed, it’s obvious that dealerships just don’t get it. Make it your business to be secure and then make sure your customers know they are secure. In all the horror stories about car dealers the last thing we need is massive identity theft that can be traced to our stores.

It’s not too late: Call me, call someone, call anyone and get your dealership secure.

July 17, 2007

Divorce and Children: Don't Pick Sides and Don't Hurt Your Kids

Can there ever be a divorce where one person wasn't the obvious villain? It does not matter what your personal opinion is about what you think you know (the truth is usually in the middle somewhere) PLEASE leave the children out of it.

I bring this up because the mother of a longtime friend of my daughter's felt it was important that my daughter "know" that I pled guilty to hiding my ex-wife's wedding ring. My daughter is 9 (pause to let it sink in how old my daughter is) and this woman felt it was her responsibility to parent my daughter. I was smoldering angry but Alisa wrote her an email which basically told her to mind her own business and this was the response we got back (I've removed any child's name for privacy and replaced with XXXXX):
________________________________________
From: Julie Westle [mailto:@yahoo.com]
Sent: Tue 7/17/2007 1:28 AM
To: Alisa Latman
Subject: RE: goodbye play date
Alisa,
Of course you are standing by Rick, he is your husband.  However, he is under house arrest for crimes he has committed - that is not a lie. 

Honestly, I was shocked that XXXXX did not know the facts about her father, but she was going to find out sooner or later. I did not spread any lies or horror stories - I just told XXXXX that XXXXX's dad is under house arrest just like her friend XXXXX's father.  XXXXX is a friend of XXXXX's from her school.   That child has full knowledge of her father's situation, and I assumed your kids did too!! 

Unfortunately there had to be a messenger, and that was me.  XXXXX is too young to understand what her father has done, and of course she does not want to believe it.   Please accept my apology, but we had to explain to XXXXX why she was not allowed to go to your house.
 
FYI - I am not caught up in your drama, I think the whole thing is very sad for all involved.  As far as what I believe - which are simply  the facts (it is not that difficult to confirm that the crimes were committed) are that Rick is under house arrest,  and he cheated on Bettina. (I actually saw you & Rick in a bar many years ago kissing while he was still married to Bettina).   Other than that, other info. I have is only hearsay, I cannot judge anyone by that. 

I would be more than willing to come pick up XXXXX and drop her off this weekend.  XXXXX desperately wants to say "goodbye" to her best friend of 6 years.  You are only punishing the girls by not allowing them to see each other.

They will be able to stay in touch verbally or through writing, but a physical goodbye is very important for closure.  If you do not allow this, XXXXX will be very sad one day that she did not say goodbye to XXXXX.  It is difficult for a child of this age to put that in perspective. 

If it would help, I will talk to XXXXX and apologize, and explain to her that I do not think her father has done anything wrong - or whatever you think I should say, if it would help.  I truly did not realize that she did not know about Rick. 

Hopefully you understand our decision as parents (you would probably do the same if there was a family/house that you were not comfortable having your kids go to!!).   I truly do wish the best for you & your family - it is really sad that this "drama" has continued for so long, I agree. 

Julie
________________________________________

Now here's the rub: not only did she tell my child things that were not true (I am not on "house arrest", was not convicted of anything but hiding a wedding ring and NEVER cheated on my ex), she feels justified in doing so. The things she claims are "facts" are stories she was told by my ex-wife and have not been reported anywhere in the media. Even the notoriously flagrant Seattle Times did not report false things like that (Google it if you must and look for anything reported AFTER the indictment was announced) but she felt she should be the "messenger" of bad news to a 9 year old child who was not hers. It was shameful and rather than be repentant she justified her actions as if it was no big deal.

I am sharing this story not to slam anyone but to ask each of you to examine your behavior when you are dealing with the children of divorced parents. Do not assume you know the facts simply because you know one of the parties involved or have heard one side of a story. Even if you desperately want to hurt one side or the other, shut your mouth so you don't hurt innocent children.

I unfortunately find myself a little bit of an expert here on divorce and kids: My parents were divorced when I was 13 and of course my divorce led to my ex becoming the key witness against me (for hiding her own wedding ring!). What's that you say? What's my opinion about what to do? How can you reduce the possible traumatic effects of divorce on your children? I'm glad you asked...

Many children go through their parents’ divorce with relatively few problems or permanent negative effects. However, for other children, the effects of divorce can be traumatic and long-lived. Changes in a child’s living arrangements, time with parents, education and lifestyle can trigger the body’s fight-or-flight response – anger or fear. But when a child cannot adequately express or mentally process those emotions, the child may feel extremely powerless and “freeze.” This reaction is the basis of traumatic stress.

Trauma is determined by the child’s experience of the event, not simply the event itself. Different children in the same family may have a dramatically different emotional reaction to the numerous changes related to divorce. Your attitude shapes your children's attitude. Your words and actions can either expose your children to unnecessary emotional pain or help them develop in positive ways.

Trauma may cause depression and anxiety at the time of the separation or years after the divorce. It may also reoccur during weekends, holidays, birthdays or times when the child misses the complete family unit.

Here are some steps to decrease the possible traumatic effects of a separation or divorce.

• Be honest about the potential for emotional trauma in your individual children.
• Allow your children to communicate openly.
• Offer your children choices, whenever possible, to increase their sense of power over their lives.
• Find support for yourself and your children.

If you are feeling intense anger, fear, grief, shame or guilt about your spouse, find someone to help you work through those feelings. Also, try journaling – but don’t let your children “accidentally find” your notes. By processing your emotions through writing or talking with supportive people, you will be modeling ways for your kids to better cope with their strong emotions.

You can also help your kids by not exposing them to marital conflict:

• Do not argue with your spouse in front of your children or on the phone.
• Refrain from talking with your children about details of your spouse’s negative behavior.
• Develop an amicable relationship with your spouse, as soon as possible, and be polite in your interactions.
• Choose to focus on the strengths of all the family members.
• Try to maintain your routines and your children’s routines.

What are some suggestions for talking with my kids about separation and divorce?

When talking with your children about separation or divorce, it is important to be honest, but not critical of your spouse. Most children want to know why their lives are being upset. Depending on the age of your children and reason for divorce, this may require some diplomacy. As children mature, they will probably want more information.  Here are a few suggestions:

• Make plans to talk with your children before any changes in the living arrangements occur.
• Plan to talk when your spouse is present, if possible.
• Remind your children of your love.
• Be respectful of your spouse when giving the reasons for the separation.
• Tell them that your marriage problems are not their fault. Let them know they are not responsible for fixing them.
• Tell them about changes in living arrangements, school or activities. Let them know when they will happen. But do not overwhelm kids with details.
• Be emotionally available to comfort them. Even if there has been much conflict in the home, children may deeply experience the loss of the leaving parent, or the loss of hope for reconciliation.

Are you getting my point here? Stay focused on the child's well-being and whether you are a parent or a friend, remember that children are not to be involved any more than necessary.

Best,

Keith

P.S. The book is coming, buy the book :)

July 13, 2007

And now... the Richard Keith Latman Book!

For the past 30 years my life has been a roller coaster. OK, maybe for the past 41 years my life has been a roller coaster. If you are on this BLOG then you know I am the picture postcard of the "never quit" committee. Now Harper apparently thinks the same thing because this week I was signed to write my first novel.

I always dreamed of writing a book but I never imagined it would be my story that people wanted to read. I suppose it's true that I've managed to push on despite adversity, despite a broken home and a terrible marriage. This is a story of perseverance, a story of fighting against the odds and a story about defeating my own demons. It will be inspirational for those trying to climb up the corporate ladder and will tell about the back-room deals that made up the dot-com era.

I believe that this will be an amazing read and I hope you will too. Trust me, I won't be filtering the content in the book like I do on this BLOG, it will be the whole story!

Stay tuned...