As OpenDNS Security Labs reported earlier this week, Tesla received a somewhat embarrassing reminder of this fact. The Tesla Motors website was not “hacked.” Nor was it sophisticated. What happened was the Internet equivalent of storefront graffiti. Trolling attackers, suspected to be associated with LizardSquad, hijacked Tesla’s website and the official Twitter accounts of Tesla Motors and CEO Elon Musk. They did all this simply through phone calls to a couple of vendors and password reset requests, according to Tesla’s statement.
The hijack was not significantly damaging, and Tesla responded quickly. It was corrected within hours, and–malicious as they were–the attackers were more bent on snark and self-promotion than outright destruction. In other words, it could have been much worse.
Unfortunately for Musk and Tesla, the attack could have been easily prevented. This particular attack was the result of “social hacking,” which is just a way of saying attackers got AT&T and Network Solutions–both vendors that have previously been called out for large-scale security mistakes–to do something unwarranted. Had AT&T followed proper protocol and verified the identity of whoever called initially to request forwarding of all incoming calls to an unknown number, the attack likely would have stopped there. Likewise, if Tesla had two-factor authentication enabled on corporate e-mail and on its domain controls, the attack would likely have stopped at the verification stage.
The measures that could have prevented this attack are all security 101. It’s a tough lesson for Tesla, but a good reminder for us all.
Forget the FUD and Cover the Basics
Verizon’s 2015 vulnerability report, arguably the authoritative assessment on the state of security, is rife with examples of how neglecting the security basics leaves gaps wide open for attackers to exploit. Simple efforts are being left out of security plans at many companies: software patches, change alerts, two-factor verification, and so on.
Quentyn Taylor, head of security for Canon EMEA, reminded a crowd at 44Con that the emergence of new, scary attacks doesn’t mean companies should lose focus on the fundamentals. According to Taylor, it’s a good practice for executives and security practitioners to step back and ask themselves what they truly understand, and whether they have covered the basics.
“It’s fashionable to focus on the black swan events like cyber-espionage, but we ignore the fact that patching is generally done very, very poorly,” Taylor said. “The basics are absolutely being forgotten, and there is a mentality to focus on new things.”
Spend Ample Time Vetting Service Vendors
Before getting on board with a vendor and trusting it to provide quality service and security, it’s important to spend time digging into the company’s history and security precautions, and to review its access regularly. According to OpenDNS Director of Security Tom Hash, this is the best way to keep out of an expensive breach. “It’s one thing to sign an NDA,” he said. “But it doesn’t give you any legal recourse if the company fails or gets compromised.”
Exhaustive security vetting aside, even a cursory news search by Tesla might have prevented the automaker from choosing Network Solutions in the first place, given the prior breaches and domain slamming accusations in its track record.
Marco Davids, a technical advisor with the Netherlands domain authority SIDN, says not all registrars are created equal, and companies often don’t know the difference. “There is a quality difference between registrars and DNS operators,” Davids said. “Some are better than others. But many registering [companies] don’t take the time to even compare them. They often just pick one.”
Ask Service Providers What Security Precautions Are Available
Tesla’s statement gave a succinct breakdown of how the attack occurred, first by getting AT&T to forward all calls. “Using the forwarded number, the imposter added a bogus email address to the Tesla domain admin account,” a spokesperson told Forbes. “The impostor then reset the password of the domain admin account, [and] routed most of the website traffic to a spoof website.”
Changes like these should not be allowed to happen, certainly not without at least an alert from the vendor. Davids says change discovery is also crucial when monitoring a company’s domain information. “Good monitoring is essential [at the registry level],” he said. “If an incident occurs, good monitoring will help discover anomalies instantly.”
For authoritative reference, ICANN provided a list of specific measures to protect domain name registrations back in 2010. The SAC 044 document specifically covers how to protect against unauthorized account access and changes:
- Use different credentials for each account
- Securely escrow all registration account details
- Define and implement a recovery process
- And use configuration change notifications to trigger checks by technical staff to verify changes are authorized and correct.
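The change discovery Davids describes and the SAC 044 recommendation to use configuration change notifications both come down to the same mechanism: keep a trusted baseline of the domain’s registration and DNS data, compare it against what is live, and route every difference to technical staff for confirmation. The script below is an added example written for this post; it is not OpenDNS, SIDN or ICANN code. The two snapshots are constructed dictionaries using reserved example addresses (in practice the “current” snapshot would come from a resolver or the registrar’s API), and the record names and severity levels are the author’s own choices. The sample change set mirrors the incident described above: an extra contact e-mail on the admin account and the site’s address record pointing somewhere new.

```python
"""Baseline-versus-live comparison of a domain's registration and DNS data.

Added example, not the code of any vendor named in the post. A change to
the registrar, admin contact, or nameservers is treated as high severity
because those are the controls an account hijack manipulates first.
"""
from dataclasses import dataclass
from typing import Dict, List

# Record types whose change should page someone, not just log.
HIGH_RISK = {"registrar", "admin_email", "NS"}


@dataclass(frozen=True)
class Change:
    record: str    # "NS", "A", "admin_email", ...
    kind: str      # "added" or "removed"
    value: str
    severity: str  # "high" or "medium"


def snapshot_diff(baseline: Dict[str, List[str]],
                  current: Dict[str, List[str]]) -> List[Change]:
    """Return every value that appears in only one of the two snapshots."""
    changes: List[Change] = []
    for record in sorted(set(baseline) | set(current)):
        old = set(baseline.get(record, []))
        new = set(current.get(record, []))
        severity = "high" if record in HIGH_RISK else "medium"
        for value in sorted(old - new):
            changes.append(Change(record, "removed", value, severity))
        for value in sorted(new - old):
            changes.append(Change(record, "added", value, severity))
    return changes


def needs_alert(changes: List[Change]) -> bool:
    """True when any high-severity record moved; staff must confirm it."""
    return any(c.severity == "high" for c in changes)


def format_report(changes: List[Change]) -> str:
    """Human-readable summary for the on-call notification."""
    if not changes:
        return "no changes since baseline"
    lines = [f"[{c.severity:6}] {c.record}: {c.kind} {c.value}" for c in changes]
    return "\n".join(lines)


# Constructed sample snapshots (placeholder registrar name, RFC 5737 addresses).
BASELINE = {
    "registrar": ["Example Registrar Inc."],
    "admin_email": ["dns-admin@example.com"],
    "NS": ["ns1.example.net", "ns2.example.net"],
    "A": ["192.0.2.10"],
    "MX": ["10 mail.example.com"],
}
CURRENT = {
    "registrar": ["Example Registrar Inc."],
    "admin_email": ["dns-admin@example.com", "unexpected@example.org"],
    "NS": ["ns1.example.net", "ns2.example.net"],
    "A": ["203.0.113.77"],
    "MX": ["10 mail.example.com"],
}

if __name__ == "__main__":
    found = snapshot_diff(BASELINE, CURRENT)
    print(format_report(found))
    print("alert:", needs_alert(found))
```

Run on a schedule, the value of this check is less in the diff itself than in the follow-up: each reported change is either confirmed by the person who made it or treated as an incident. The baseline is only updated after that confirmation, so an attacker’s edit never quietly becomes the new normal.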
Two-Factor Everything. Every. Thing.
Speaking to TechWire, FBI special agent Wes Drone made his advice unequivocal. “The single most important thing you can do as an individual is to protect your email account,” he said. “I’ll say it again: The single most important thing you can do is to protect your email account.”
And the best way to do that? A strong password with two-factor authentication. Multifactor authentication combines something you know–like a password–with something you have, ideally a security token or a mobile device that receives a temporary code or a text message verification. Even an e-mail verification is better than nothing.
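To make the “something you know plus something you have” combination concrete, here is an added example (not code from OpenDNS or any vendor in this post) of a login check that requires both a password and a time-based one-time code of the kind an authenticator app or hardware token produces. The one-time code follows RFC 6238 (TOTP over HMAC-SHA1, 30-second steps), so the shared secret from the RFC’s own test vectors is used as sample data; the in-memory user store, the `enroll` and `login` helpers and the one-step clock tolerance are this example’s assumptions.

```python
"""Password plus TOTP login check (RFC 4226 HOTP / RFC 6238 TOTP).

Added example. The secret is the RFC 6238 Appendix B test secret,
encoded the way authenticator apps expect it (base32).
"""
import base64
import hashlib
import hmac
import os
import struct
from typing import Dict


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, submitted: str, at_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step and `window` steps either side
    (clock drift between phone and server), in constant time."""
    counter = int(at_time) // step
    ok = False
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c), submitted):
            ok = True
    return ok


def secret_from_base32(text: str) -> bytes:
    """Authenticator apps exchange the seed as base32 text."""
    return base64.b32decode(text)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed in-memory user store; a real deployment keeps this in a database.
USERS: Dict[str, dict] = {}


def enroll(username: str, password: str, totp_secret: bytes) -> None:
    salt = os.urandom(16)
    USERS[username] = {"salt": salt,
                       "pw": hash_password(password, salt),
                       "secret": totp_secret}


def login(username: str, password: str, code: str, now: int) -> bool:
    """Both factors must pass; neither alone is enough."""
    user = USERS.get(username)
    if user is None:
        return False
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["pw"]):
        return False
    return verify_totp(user["secret"], code, now)


# RFC 6238 test secret "12345678901234567890" as an authenticator-style seed.
DEMO_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    seed = secret_from_base32(DEMO_SEED)
    enroll("alice", "correct horse battery staple", seed)
    print("code at t=59:", totp(seed, 59))
    print("login ok:", login("alice", "correct horse battery staple", totp(seed, 59), 59))
```

Two design points matter here. The comparisons use `hmac.compare_digest` rather than `==` so that a wrong code or password takes the same time to reject as a near-miss, and the login function refuses to reveal which factor failed. Stealing the password alone, or tricking a vendor into resetting it, still leaves the attacker without the seed on the user’s device.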
But by all means, don’t stop at two-factor for e-mail. Had Tesla gone through two-factor efforts on its registry system, e-mail, and Twitter accounts, this incident would not have happened. It should be applied to anything that uses a password if possible.
For help finding out which vendors and social media companies have two-factor in place, consult the 2FA List.