Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security The Almighty Buck

Diebold ATMs hit by Nachi Worm 414

red floyd writes "The Register is reporting confirmation that Diebold ATMs were hit by the Nachi worm back in August. Apparently some Diebold ATMs run XP Embedded, and got hit with a variant of the RPC DCOM worm. Seems that they hadn't yet applied the available patch."
This discussion has been archived. No new comments can be posted.

Diebold ATMs hit by Nachi Worm

Comments Filter:
  • Diebold spins it. (Score:5, Insightful)

    by grub ( 11606 ) <slashdot@grub.net> on Tuesday November 25, 2003 @11:41AM (#7558996) Homepage Journal

    A patch for the critical RPC DCOM hole had been available from Microsoft for over a month at the time of the attack, but Diebold had neglected to install it in the infected machines.

    Nice spin, Diebold. I highly doubt these were the only unpatched machines. It's likely more accurate to say "these unpatched machines, of which there are many more, weren't well protected on their respective VPNs". Think about it: the infection had to come from somewhere, right? Other unpatched machines are probably much better protected on their respective private networks.
    • by Anonymous Coward on Tuesday November 25, 2003 @11:50AM (#7559111)
      I watched guy patch an ATM once.

      It was done from a laptop.

      My guess is that an infected laptop managed to screw things up (but no-one would admit to that). If it were because of a network connection, it would have been an 'all or nothing' infection and would've spread like wildfire. I'm not sure how exactly ATMs are connected, but they have to be networked in the grander scale of things for the system to work properly.

      Anyways, my bet is an unsecure laptop - that's how most RPC hole attacks I've seen have spread recently. Having said that, we'll see lots of posts of an anti-MS nature in response to this story, when in actual fact, it's down to user bad practise, patch deployment and the fact that some people get a kick out of writing this stuff in the first place...
      • And please don't forget lousy programming, design and engineering on the part of M$. Not to mention the complete dain bramage on the part of the management schmuck at Deibold who decided that XP embedded was a suitable choice for an ATM, even if they didn't build the ATMs themselves.
        • Re:Diebold spins it. (Score:3, Interesting)

          by Anonymous Coward
          In all honesty I'd say that Embedded XP is a pretty awful choice, you want something you can fit and forget. While it's nice to poke fun at M$ every once in a while, it gets boring, and someday the Schandenfreude is gonna backfire.

          Heh! Although the picture of having a bunch of guys driving all over every Wednesday to patch a truckload of ATMs is kinda amusing...

          Thinking about it that way, it'd be all to easy for them to not admit they made the wrong software choice, or to neglect patching altogether until
      • Re:Diebold spins it. (Score:3, Informative)

        by garrulous ( 653996 )
        I believe they generally are connected via STUN to a front end processor, newer models are using data link switching without the FEP so they are likely to have greater vulnerability to bug in a box schemes.
      • ATM Horror (Score:5, Interesting)

        by h4rm0ny ( 722443 ) * on Tuesday November 25, 2003 @01:04PM (#7559977) Journal

        A few years ago when I was a naive young UNIX programmer I came to the cash machine and got the firght of my life. There, floating over the blocky PIN login screen was a windows Illegal Error box.

        Up until that moment I had always assumed the cash machines were running some specially written firmware on specially made hardware. This was a massively important and widespread system after all.

        Oh - how young I was.
        • Re:ATM Horror (Score:5, Interesting)

          by Angst Badger ( 8636 ) on Tuesday November 25, 2003 @03:09PM (#7561421)
          Up until that moment I had always assumed the cash machines were running some specially written firmware on specially made hardware. This was a massively important and widespread system after all.

          I had assumed they were 8-bit machines, probably packing a 6502 or a Z80, with an EEPROM containing all of the necessary code. I made this assumption because that should be enough to handle ATM operations, the actual computing hardware would be cheap and secure, and that block font most of them use is the same as the uppercase-only font on the early Apple II machines.

          I walked up to an ATM this past weekend and saw an OS/2 error window floating over the simulated bitmap font. I was grateful it wasn't Windows, but still...
        • "A few years ago when I was a naive young UNIX programmer I came to the cash machine and got the firght of my life. There, floating over the blocky PIN login screen was a windows Illegal Error box."

          My bank, Purdue Employees Federal Credit Union [purdueefcu.com], has biometrics (i.e. finger scanner) ATMs in several locations. One day I came to make a deposit and BLAMO! Blue screen of death. NT Kernel Protection error. I bet windoze is more widespread than you think in the banking industry (unfortunately), and not always

          • Re:ATM Horror (Score:3, Informative)

            by zrail ( 50290 )
            The Navy does use Windows NT. See here [gcn.com].

            Choice quote: The Navy selected NT 4.0 as the standard operating system aboard the Yorktown for its reliability, functionality, low cost and ease of integration, said Lt. Danny Bethel, Yorktown's electronics material officer. NT runs the Yorktown's integrated bridge, engineering, condition assessment and damage control systems.
      • by SatanicPuppy ( 611928 ) <Satanicpuppy@nosPAm.gmail.com> on Tuesday November 25, 2003 @01:05PM (#7559991) Journal
        It's just as likely to be a scrap of code inloaded off the back of a credit card. Why in Gods name would anyone use a proven insecure operating system as the base for a series of teller machines? Are ATMs so complex that you need a whole operating system running on the damn things? I seriously doubt it.

        The answer to this is to make a simple, purpose built program, which is INCAPABLE of running externally introduced code. You need to patch? Run the software off a CD/DVD, and when you need to change the code, change the CD. Nothing to get cracked, nothign to get corrupted, nothing but hardwired code. Burn an extended BIOS on a rom chip to run the physical end. Then lock the whole thing up in a metal box, and BAM its as secure as you can make it.

        Diebold should go back to making safes and padlocks, because they sure as hell don't know crap about ATMs and Voting Machines.
        • by pmz ( 462998 ) on Tuesday November 25, 2003 @01:31PM (#7560254) Homepage
          Why in Gods name would anyone use a proven insecure operating system as the base for a series of teller machines?

          Because their executives are idiots and their engineers are sheep.
        • Re:Diebold spins it. (Score:3, Interesting)

          by yomahz ( 35486 )
          The answer to this is to make a simple, purpose built program, which is INCAPABLE of running externally introduced code. You need to patch? Run the software off a CD/DVD, and when you need to change the code, change the CD. Nothing to get cracked, nothign to get corrupted, nothing but hardwired code. Burn an extended BIOS on a rom chip to run the physical end. Then lock the whole thing up in a metal box, and BAM its as secure as you can make it.

          Just a thought... how hard would it be to make an operating s
          • Re:Diebold spins it. (Score:3, Informative)

            by nathanh ( 1214 )

            Just a thought... how hard would it be to make an operating system that only executed signed code?

            Trivial. You could modify the Linux ELF loader to do this right now.

            The problem is in proving that the signed code is not flawed. For example, the Xbox was compromised despite only executing signed code because Goldeneye had an overflow bug. Also you might remember the ActiveX signing was ridiculed when somebody managed to get Microsoft's signature on a program that simply rebooted your machine.

            And th

    • Comment removed (Score:5, Interesting)

      by account_deleted ( 4530225 ) on Tuesday November 25, 2003 @02:31PM (#7560987)
      Comment removed based on user account deletion
  • by RobertB-DC ( 622190 ) * on Tuesday November 25, 2003 @11:41AM (#7559010) Homepage Journal
    From the article:
    "The actual point of service terminal itself getting infected-- that's pretty crazy," said [Windows expert Marc] Maiffret. "But worms are always going to be able to infect a lot more interesting machines than individual intruders are." Moreover, before reaching an ATM network, a human attacker would likely encounter more alluring high-finance targets along the way. "They're going to have to go through a lot of juicer networks first."

    Oh, yeah, that's crazy. As I recall, we discussed this very issue in a previous Slashdot story [slashdot.org], and all the experts told us mere geeks that we were ignorant and stupid to even worry about it. Some of the most choice comments came in reply to my own post [slashdot.org] on the subject.

    Now, even *after* a worm has found its way into an ATM, the "Windows Experts" say there's *still* nothing to worry about.

    Well, ok... I'm not going to worry about my own personal finances, because I'll just ask the bank to reverse any bogus transactions. But if/when some savvy hacker does figure out how to infiltrate an ATM and walks away with a few hundred bucks, someone's going to come up short on their books at the end of the day...
    • by abb3w ( 696381 ) on Tuesday November 25, 2003 @11:46AM (#7559066) Journal
      The customers at large will; it will most likely be reflected in higher account/ATM fees. Banks will likely pass on the cost of theft just like merchants do the cost of shoplifting. Which sucks for the honest folk out there... all seventy-two of them.
    • Yeah, that was my first thoughts. "If a worm got there, why couldn't something else?"

      I suppose that's the problem with writing something that can spread from some random user's desktop onto a couple ATMs.... (running Windows or a number of Linux services on an ATM.)

      I mean, first of all... RPC on an ATM machine? Why? Oh, because Windows NEEDS it to be open. (I had a machine at a lan party the other day, and I was just like, "How do you turn off RPC?" and they laughed and said, "You can't.")
    • by Angstroem ( 692547 ) on Tuesday November 25, 2003 @11:56AM (#7559182)
      I still don't see any reason why a ATM machine must run a bloated operating system. That thing needs:

      (1) A display driver; any text console is sufficient, but if the banks prefer to show logos and useless graphics, fine, make it a simple framebuffer device.

      (2) A rudimentary keyboard controller; any 4x4 matrix will easily do the job. Make it 8x8 and you have more keys you'll ever need.

      (3) Some additional hardware controls to perform currency selection and output, and receipt printing.

      (4) A network driver to hook the ATM machine into the banking network plus the relevant service applications including mandatory security services. Shouldn't be much different from setting up credit card terminals, BTDT.

      So why does anyone need anything like a striped down consumer OS, no matter if it is Windows Embedded or some embedded Linux for that?

      But if I decide to use it, then I better hurry and apply any goddamn bugfix meant to close wide-open security holes. Plus, I keep my networks strictly separated and eventual gateway points heavily firewalled. How could Nachi enter the money transfer network anyway?

      Somebody obviously did not make their homework, both on ATM and network infrastructure design.

      • by jrumney ( 197329 ) on Tuesday November 25, 2003 @12:08PM (#7559309)
        So why does anyone need anything like a striped down consumer OS, no matter if it is Windows Embedded or some embedded Linux for that?

        Because it is a lot easier to develop the software if it can be debugged on the developer's PC. Most embedded OS's have been based on POSIX or stripped down Win32 APIs for years now (QNX and Paradigm being two examples I've personally used over 5 years ago).

        • by alfredw ( 318652 ) <alfNO@SPAMfreealf.com> on Tuesday November 25, 2003 @12:31PM (#7559531) Homepage
          A number of ATMs also run a stripped-down version of OS/2. Thank god. Unfortunately, Microsoft is pushing vendors to move to Windows [microsoft.com] as IBM is soon to discontinue OS/2 support.
          • IBM warned 'em (Score:5, Informative)

            by Cybrex ( 156654 ) on Tuesday November 25, 2003 @02:15PM (#7560781)
            The timing on this is perfect, as I just read an article yesterday (in InfoWeek, I believe) about the effect of IBM's plan to discontinue OS/2 support on ATM manufacturers. The article was a couple of months old, but focused on them suggesting that financial institutions migrate their ATMs to Linux instead of Windows. It seems that the big ATM manufacturers (including Diebold, which featured heavily in the article) are leaning heavily toward Windows despite IBM's recommendation that they go with Linux. Their attitude is that they're running Windows on the back end, so they want it in the ATMs as well.

            Well, now they're getting what they wanted, and I doubt that they'll learn from this. Large banks seem to have a monolithic mindset that's averse to anything new. They're also decidedly pro-Microsoft.

            IBM offers some very effective solutions for integrating Linux-based ATMs with both UNIX and Windows-based back end systems. That companies like Diebold insist on going with insecure, unstable (I've seen an ATM stuck with a BSOD!) software for such sensitive systems is asinine.

            -Cybrex
      • ATMs run bloated operating systems for the same reasons that certain web browsers [mozilla.org] can read email. Because it's possible. ;)

        At some point someone thought it would be really cool to have ATMs with 10" color screens and speakers, so it can show commercials while you wait for your mugger.

        They also seem to be moving away from the keypad. I had the unfortunate experience of using a touch-screen ATM the other day. The touchscreen was horribly calibrated (probably due to the thickness of the glass, and it was
    • Now, even *after* a worm has found its way into an ATM, the "Windows Experts" say there's *still* nothing to worry about.

      Where do you get that? The only people arguing that this is ok is Diebold. And we already knew they were unethical. What Windows Expert is saying there's nothing to worry about in regards to this story?
    • The problem here is you actually believe that the security of an ATM is that skin deep. Well, let me just say I'd trust Microsoft more about security than someone whose idea of security is "if they manage to do something to the ATM, then that's it, we all may as well go home".

      The level of infiltration here is nothing. Its vastly less penetration than, say, someone who finds your lost card and tries it in a machine. At least then, they have bypassed one level of account security. A virus like this bypas
      • by RealProgrammer ( 723725 ) on Tuesday November 25, 2003 @01:00PM (#7559933) Homepage Journal
        A virus like this bypasses zero levels of account security.

        What color is the sky in your world?

        This worm was caught because it wasn't expecting to be on an ATM. It thought it was on just another XP box on some network and started scanning. Suppose the next worm is patient, stealthily looking for ATMs?

        Malignant code could potentially monitor any device I/O it wanted. How about grabbing the bits on your ATM card swipe and saving them in an arrary with the PIN you just typed? No need to decipher anything, just send a day's worth in a batch and self-destruct.

        The attacker can then recreate your ATM card from the bits on the stripe.

        You're right, we're still safe.

      • Do you KNOW otherwise? Have you read about Diebold's voting machines? The ones that store stuff in MS Access databases without even password protection? Have you seen the inner workings of the ATMs to know that they have further security?

        Part of the issue is that if a random worm can get into the ATM, a worm carrying dangerous payload (like one that installs a driver to capture keypresses and data being printed to receipts) could also find its way in.

        The other part is that we really don't know what goe
  • Ain't karma a bitch? (Score:3, Interesting)

    by i_want_you_to_throw_ ( 559379 ) * on Tuesday November 25, 2003 @11:42AM (#7559018) Journal
    The same Diebold that has grossly insecure voting machines [slashdot.org]? The same Diebold that is abusing copyright claims and is being sued by EFF and students [slashdot.org].

    Well ain't karma a bitch Diebold?

    What I am concerned about is whether or not my bank that I use uses Embedded XP for their ATMs. If so then I might have to consider switching banks. Not just because of this but because MS based systems are so notoriously insecure. Yeah yeah mod me down if you must but I'd feel much better having embedded Linux (or some other proven secure system) watching my money thank you.

    FYI if you're using Union Federal [diebold.com] you might want to start looking around now,... hehe
    • why not OS/2 Embedded? I think that'll fall under the, "Secure-because-no-one-uses-it" model.
    • Yeah yeah mod me down if you must but I'd feel much better having embedded Linux...

      Have you forgotten where you posted this? Nobody gets modded down for picking Linux over MS.
      • by TyrranzzX ( 617713 ) on Tuesday November 25, 2003 @01:09PM (#7560042) Journal
        Screw linux. I'd rather see the banking companies running something obscure and reliable like a unix variant or some custom software. If I were a bank director I'd invest considerable capital in a decent secure standards based banking system or I'd consider unix before I'd consider linux or windows. My guess is that the banks wanted to implement the systems and new features faster than they cared about customers security which is, from my understanding, not a big deal.

        I guess their system works a lot like las vegases in the sense that if someone steals a million bucks from a casino it leaves a paper trail. They then sick the bounty hunters on you; this system is effective. I remember awhile back someone stole 7 million from a casino in las vegas and 3 days later the car was found by the cops, still running, in the wrong direction facing las vegas.

        Any hacker with sufficient knowledge of these systems isn't going to try to crash them because they will quickly realize that by destroying these systems they're screwing over and creating millions of desperate people, both people who can't access their accounts and companies who can't put out paychecks on time.

        But, the main reason I'm guessing they chose windows was for the features. Windows has lots of features and useless crap and when you hire someone to fix the system you don't have to train them as much. Plus, you get good support from microsoft and nice salesman to walk off the cliff with you.

        I'd feel a bit better if their security was better. When your bank doesn't give a shit if you loose a few hundred dollers, or next months rent, to a hack I think most people have a problem with that and they aren't going to be calling anyone accept the cops to try to catch the person who did it, especially if they continueously do it.
    • It's rediculous. (Score:4, Insightful)

      by Short Circuit ( 52384 ) <mikemol@gmail.com> on Tuesday November 25, 2003 @11:49AM (#7559102) Homepage Journal
      Every company makes mistakes. Running Windows XP is a mistake a lot of companies and people make.

      The reason this is Slashdotworthy is that it is the same Diebold. The people who submit stories are hostile towards Diebold, and it's only to be expected that some of those hostile stories would make it through.

      I'm sure a lot more vital-service machines than just those built by Diebold were hit. A story on the range of systems, maybe with ATMs as a highlight, would have been more appropriate.

      Not ranting at you, just wasting karma, that's all.
    • I dunno about you, but for thing that require more security, I'm all for separate proprietary protocols and/or networks. Sure, embedded Linux would beat any M$ stuff anyday, but I'd rather use a company that creates their own method of communicating the transactions.

      If these machines used XP and a non-standard internet protocol (read: not TCP/IP, UDP, IPX, whatever) that the worm didn't have access to, this may not have even affected them. Am I right? Or is windows too standardized as to allow anything to

      • "If these machines used XP and a non-standard internet protocol (read: not TCP/IP, UDP, IPX, whatever) that the worm didn't have access to, this may not have even affected them. Am I right? Or is windows too standardized as to allow anything to use any system-level network protocol?"

        I think you're right. This is a fine example of a need for a proprietary system for security. I'm not saying that obfuscating it makes it more secure, but adding to the learning curve of such a system might discourage some cra

    • by SuperBanana ( 662181 ) on Tuesday November 25, 2003 @11:57AM (#7559193)
      The same Diebold that has grossly insecure voting machines [slashdot.org]?

      Funny- I was just at the ATM today, and I glanced down and saw the Diebold tag. They're pieces of crap- barely a few years old, nobody cleans them, the screens are dim and usually require breaking your finger- and they're SLOW as molassis. Slow as in "I have only three or four things I can do but it still takes me a minute to give you cash"- and it can't all be explained away by network latency. Things like the machine sitting there locked up for 20 seconds or more after the last person leaves, before it will unlock the card slot. What is it doing, debating the meaning of life? It's a fucking ATM machine. It makes you wonder if the whole thing is written in really, really bad VB...or maybe Flash.

      In any case- I agree with the parent. I could care less what the thing runs, as long as they're competent. The voting machines demonstrated that they're completely incompetent. This just goes to show that our suspicion that they're -also- probably incompetent at making secure ATMs.

    • Proven secure? (Score:3, Insightful)

      by kylef ( 196302 )
      Yeah yeah mod me down if you must but I'd feel much better having embedded Linux (or some other proven secure system) watching my money thank you.

      When you find a "proven secure" operating system, make sure you let everyone know about it. As of the 25th of November 2003, they are as common as the Unicorn and the Free Lunch. That is to say, they don't exist.

  • by iantri ( 687643 ) <.iantri. .at. .gmx.net.> on Tuesday November 25, 2003 @11:42AM (#7559019) Homepage
    I think this just goes to show that consumer operating systems are a bad idea to put on important machines that need to be reliable.

    I'd think QNX or something else very simple and reliable would be a much better choice to rnu on ATM machines..

    • by iii_rjm ( 551978 )
      Back in the day QNX had a strong presence on ATM machines.
      • I remember when the tech weenies at the post office were big Windows lovers. The post office bought the new Loral letter sorting machines that used QNX. Soon the techies were singing the praises of QNX. Never once did I see a lick of trouble with the computers. The only times the techies had to come was for upgrades and hardware troubles and periodic mandated maintenance.
    • by psyconaut ( 228947 ) on Tuesday November 25, 2003 @11:46AM (#7559065)
      Ahhh....but if you used a proper embedded operating system for an embedded device, you wouldn't be able to hire programmers who have completed a 6-week Visial Basic/.NET programming course at their local community college to write your business critical applications ;-)

      -psy
  • And this company... (Score:4, Interesting)

    by j0keralpha ( 713423 ) * on Tuesday November 25, 2003 @11:43AM (#7559027)
    Wants us to trust them to run our electorate system? Lets face it, this was a VERY easily preventable oversight. These machines should have survived without patching by installing a rudimentary port blocker of some form. There is no reason RPC should be exposed by an ATM. If they are leaving ATMs wide open, i dont know how we're supposed to expect their Voting Machines to work.
    • I wonder why they even bother using TCP/IP at all. It would make sense to have some kind of proprietary protocol in this matter, since we don't want to have all the security issues that are present on the net present in the ATM machine.

      ATM machines shouldn't be connected to the internet, which means TCP/IP is optional. This would be security through obscurity at it's finest. Eliminate ports altogether.

  • by ACK!! ( 10229 ) on Tuesday November 25, 2003 @11:43AM (#7559033) Journal
    The CEO said that he would do whatever he can to deliver Ohio or some place to Bush.

    The same people that build machines with no paper trail for vote auditing.

    They also do not patch their ATMs.

    This really gives me confidence for the upcoming elections.

  • i know everyone always says this is a terrible mindset, but considering how many OS/2 ATM's have been hammered, there might be something to this after all.

    think about the work you'd have to go through to get your hands on OS/2 code to figure out where holes might be.

    then you have to write your own virus. it'll only be aimed specifically at ATM's etc.

    just seems like there's a lot more legwork involved in hitting obscure OS'es.

    instead, if they run XP, someone else grabs the code and distributes it. then
  • by RealProgrammer ( 723725 ) on Tuesday November 25, 2003 @11:45AM (#7559048) Homepage Journal

    A new, secure, manageable BIOS [slashdot.org]would fix their problem.

    It's really Phoenix's fault.

  • Uh-huh... (Score:2, Insightful)

    by tekiegreg ( 674773 ) *
    And you want their equipment deciding votes, dear got if you can get a worm on the holy of holies, a cash dispensing machine. I seriously doubt that the next holy machine, a voting machine should be running Diebold systems.

    Seriously people, embedded proprietary operating software (neither XP or Unix or anything widely made public) is the best way to go with these sacred machines. Worms will have a difficult (tho dare I say impossible) time working their way in. So the problems will hopefully be mini
  • by Ryu2 ( 89645 ) on Tuesday November 25, 2003 @11:46AM (#7559077) Homepage Journal
    I'm amazed that those ATMs were connected to the Internet, without apparently even a firewall to block all but necessary ports.

    • I'm amazed that those ATMs were connected to the Internet

      Maybe they weren't. You needn't be connected to the internet to catch a worm. Any LAN/WAN/VPN will do.
    • I'm amazed that those ATMs were connected to the Internet, without apparently even a firewall to block all but necessary ports.

      The ATMs are not connected to the Internet. They are on an intranet, most likely with other ATMs and their database server, hopefully nothing more.

      Agreed there is no firewall. The original idea was probably only to allow trusted machines onto the intranet in the first place. This follows the same logic (or lack-thereof) of people that don't use firewalls because they're be
      • As someone who works in a bank, I have seen a Diebold repair tech hook up his laptop directly to the ATM to do some work on it. So the laptop could have been the one that was infected.

        Also you most of the program information comes from the Processing Center that is driving the ATMs which are all on a network. For example when we changed ATM Processors, the tech had to connect to the system and get a "load" from the new processing center to connect. These ATMs are connected over some form of leased lin

    • They may not of been. It can happen like this: Idiot manager brings laptop home. Idiot manager plugs his laptop into the DSL line. Idiot manager gets hit by a worm, and his laptop is infected. Idiot manager takes his laptop to work and plugs it into the private network. Worm starts infecting machines on the private network.

      A lot of infections happen like this. It's one reason why firewalls are not a complete solution.
  • by Anonymous Coward on Tuesday November 25, 2003 @11:48AM (#7559089)
    My company provides vulnerability assessment and penetration testing services to financial services clients and we crack these things all the time.

    The old ones run OS/2 v3.0 and a vulnerable version of sendmail, the slightly newer ones run Windows NT 4.0, with almost no patches installed and a default username and password.

    Once you gain access, it is possible to directly control the hardware using the utilities already on the system, including dumping the cash drawer :) The latest ones run either Windows 2000 or Windows XP, and have almost the same software as the Windows NT systems, just with more vulnerabilities.

    At this point Diebold has not patched ANY of the RPC vulnerabilities, let alone the Messenger or Workstation bugs. Each of these ATM's is connected to an ethernet segment somewhere waiting for someone to rob it.

    During the Blaster peak, a friend of mine was talking about the XP ATM's in London constantly rebooting... They put these cmd-shell-waiting-to-happen boxes directly on the Internet. Thank god for companies like Diebold and Microsoft, their problems created a market and a community that is still picking up steam.
    • I work at a major financial services company as well, and he's right. The entire ATM network is being migrated over to public Internet structure, and OS/2 is being phased out for XP.

      *sigh*
    • Oooh... My Machiavellian little mind can't help but suggest:

      1. Root a Diebold corporate server. Access their customer's VPNs for ATMs. If they don't patch their cash machines, you can bet their file-sharing is equally vulnerable.
      2. Insert a worm into the ATMs.
      3. Worm executes simultaneously worldwide. Diebold machines all dump their cash simultaneously.
      4. Worm displays a message on the screen: This hack made possible by vulnerability X that MS patched on Y but Diebold didn't bother to apply. Think
  • 1) Diebold produces ATMs with security holes to skim money
    2) Diebold uses skimmed money to lobby for their electronic voting machines
    3) Diebold uses code in voting machines to fix elections
    4) Government by Diebold, Taxation by Diebold
    5) PROFIT!
  • by gd23ka ( 324741 ) on Tuesday November 25, 2003 @11:48AM (#7559093) Homepage
    Funny that this banner ad [osdn.com] was on the page when I loaded this article... It read: Making the right decision may save you millions... Making the wrong decision may cost your job
  • RPC vulnerability (Score:5, Interesting)

    by UnknowingFool ( 672806 ) on Tuesday November 25, 2003 @11:49AM (#7559105)
    I am not a Windows Expert, but why is RPC important in an ATM? Is this something in embedded XP that should be disabled for certain applications like ATMs? If RPC should have been turned off then it's also the fault of Diebold not to configure the machines properly and MS for leaving it enabled by default.
    • Re:RPC vulnerability (Score:5, Informative)

      by kobaz ( 107760 ) on Tuesday November 25, 2003 @11:56AM (#7559184)
      I am no windows expert here. But I tried disabeling as many services as possible for a win2k server i built for someone. When I disabled RPC and rebooted, the machine no longer functioned. Apartently RPC is a critical service that needs to be running in order for windows to function properly.

      I had to boot up in safe mode and do some registry hacking to get RPC back up and running, because everything from windows explorer to control panel, to msie would fail to load. After managed to turn RPC back on, the machine worked "perfectly". As perfect as a windows machine can operate, hah.
    • and MS for leaving it enabled by default.

      Not defending anyone here, but would you blame red hat if Diebold installed onto an ATM a stock off the shelf red hat distribution with none of the security holes patched? Would it be red hat's fault if someone used the ssh exploit and got their jollies off of rooting an ATM?
      • My question: is RPC critical to embedded XP operations? Yes, Diebold should have patched it, but if RPC is not critical then should it have been enabled by default? For example, on XP, the Personal Web Server is enabled by default. But how many people actually use their home computers as a web server? Wouldn't PWS represent an inherent security risk especially if users are not aware of it running.
        • For example, on XP, the Personal Web Server is enabled by default

          No, it's not. I'd suggest you stop getting your Windows information from a hippie on a bicycle ;)
  • Why not? (Score:3, Insightful)

    by devross ( 524605 ) on Tuesday November 25, 2003 @11:50AM (#7559120) Homepage
    Despite the allure of hard cash, don't expect to see a rash of made-for-Hollywood ATM hacks -- machines around the country suddenly spitting out wads of 20s at random, said Marc Maiffret, Windows expert and "chief hacking officer" at California-based eEye Digital Security.

    Hey, why not? Nachi wasn't tailored for ATMs, but it still got a few. Imagine a virus/worm that _was_ meant specificly for ATMs. I bet something like that could achieve a pretty big impact.

    Ah well. Just my $.02
  • by Anonymous Coward on Tuesday November 25, 2003 @11:51AM (#7559130)
    I remember thinking how weird it was to have my ATM suggest an exclusive opportunity to increase the length of my penis.
  • Just lame (Score:5, Insightful)

    by GillBates0 ( 664202 ) on Tuesday November 25, 2003 @11:55AM (#7559173) Homepage Journal
    "But worms are always going to be able to infect a lot more interesting machines than individual intruders are." Moreover, before reaching an ATM network, a human attacker would likely encounter more alluring high-finance targets along the way. "They're going to have to go through a lot of juicer networks first."

    Just the fact that ATM machines are reachable from the public Internet is a huge cause of concern to me. A VPN connection without an intervening firewall at the ATM machine itself (which they claim they are installing now) is plain ridiculous.

    You are then just hoping that none of the insiders will try to sabotage the machines, either knowingly, or unknowingly because of an infected laptop etc. They have to realize that VPN is a VIRTUAL PRIVATE network, and NOT a dedicated line, and hence, security measures have to be MUCH more stronger than if it was a REAL private connection. Does it take rocket science to figure that out?

    And then there's that quote from the " Windows expert and "chief hacking officer" that malocious hackers will probably not go for ATM machines, even though they are reachable/hackable, because of other "jucier targets", presumably the bank network itself. Most malicious hackers would do it just for the fun of making an ATM machine spew out cash, if they figure out they can make it do that. That is a very lame assumption from a security expert.

    And finally, for your reading convenience, here's an earlier /. story [slashdot.org] which mentions that 65% of the ATMs will be running a stripped down version of Windows by 2005.

    • This isn't security by obscurity, it's security by distraction!

      Yes, yessss, we'll get them to ignore the ATM machines by getting them to attack the whole network! We'll save the leaves by cutting down the whole tree! Yes, yes, brilliant!

  • DHCP errors (Score:5, Interesting)

    by jbrw ( 520 ) on Tuesday November 25, 2003 @11:55AM (#7559174) Homepage
    Around about this time I saw an ATM in Mayfair, London, with a windows error message in the middle of the screen. It was complaining that a DHCP server couldn't be found, and was happily waiting for someone to come along and click on the OK button.

    Mashing the keypad didn't seem to help. I guess sooner or later they would have realised the ATM had disappeared and would have sent a tech out to press reset or something.
  • There's no personal data stored in an ATM. It's just a dumb terminal.

    And Nachi [nai.com] basically makes the machine unusable.

    Without specific code that target's ATMs, this is merely a generic nuisance that happened to hit what some consider a sensitive device.

    Scary when you think what could happen, and frustrating when you think of the loss of trust in the security admins. But let's keep this in perspective. Nothing serious happened and it's a big step to get to where something serious will happen.

    Hopefully those responsible have been sacked, and the new security llamas won't make the same mistakes.
    • How do we know? (Score:5, Insightful)

      by mcc ( 14761 ) <amcclure@purdue.edu> on Tuesday November 25, 2003 @12:37PM (#7559639) Homepage
      Without specific code that target's ATMs, this is merely a generic nuisance that happened to hit what some consider a sensitive device. ...
      Scary when you think what could happen, and frustrating when you think of the loss of trust in the security admins. But let's keep this in perspective. Nothing serious happened and it's a big step to get to where something serious will happen


      How do you know something serious didn't happen?

      So the Nachi worm hit these machines, and its big and obvious, and it breaks the machines. But the Nachi worm moves by brute force; it hit these ATMs by accident. How do we know that during the time before the ATMs were hit, someone with actual, targetted, malicious intent didn't at some point hit a few of the ATMs using the same exploit Nachi did?

      If someone doing it on purpose had hit the ATMs, they could have done something much more subtle. Something that wouldn't have been noticed the way the Nachi worm was, something that (given how unconcerned everyone seems about this) probably wouldn't be noticed at all, even after the Nachi incident. Something like a small patch to the ATM UI that quietly records the ATM card number, personal information, and PIN# of everyone who uses that ATM, then quietly dumps that somewhere on the internet later. It wouldn't be that difficult, and the Nachi thing simply proves its possible.

      It's not a big step at all to get to the point where something serious could happen. It's barely even a step at all, as it's just a step of exactly the distance between a worm hitting an ATM at random and someone with a little bit of intent, knowledge, and time sitting down and deciding they're going to hack an ATM.
  • by corebreech ( 469871 ) on Tuesday November 25, 2003 @12:00PM (#7559231) Journal
    We're talking about a dumb terminal here, aren't we? Let the user login with his card, enter a passcode, then enter input which gets sent to a server somewhere to be processed and which sends back either output to be displayed to the user or output to be read by the machine which gives you your money.

    The same criticism applies to Diebold's voting machines.

    This is why Linux would be such an ideal solution. No application of Linux has impressed me more than the (now sadly defunct) Linux Router Project [linuxrouter.org], simply because it demonstrated how for many tasks most of the operating system amounted to nothing more than ballast. They were able to boot a router from a floppy.

    This is how I think an ATM--or a voting machine--should work. The amount of software should be kept to an absolute minimum if for no other reason than that it minimizes complexity, and in these kinds of applications, complexity is the mother of all evil.

    And in the case of the voting machines, it would also greatly assist in auditing the code and making sure that what you think is executing is what's executing.
  • by Cajun Hell ( 725246 ) on Tuesday November 25, 2003 @12:06PM (#7559289) Homepage Journal
    WTF goes through somebody's head when they decide to use MS Windows for an embedded project?!

    Windows' strength, pretty much its only strength, is legacy compatability. But an ATM doesn't need to run Excel or some 8-year-old custom Visual Basic application that an irresponsible manager got the company locked into. Really, it's ok to use decent software for embedded projects, nothing should hold you back.

    Using Windows in an ATM, sounds like a classic application of the saying: "When the only tool you have is a hammer, every problem looks like a nail."

    • WTF goes through somebody's head when they decide to use MS Windows for an embedded project?!
      Hell, they don't come easier than that:
      phb to techie How quick can you get me a demo of the new embedded project?
      techie to phb I can do you a really crap one in 1 hour with Visual Basic, but we will need to code the proper one in C, and that will take 3 months
      phb to client The system will be ready tomorrow

  • by joebeone ( 620917 ) on Tuesday November 25, 2003 @12:08PM (#7559311) Homepage
    Diebold voting machines run Windows CE... a properly tailored worm could take advantage of their code (especially if it is as poorly written as the rest of their elections software) and bring an election day to a halt. Also note that they don't have to get the drivers and CE software certified by states and feds. as they claim it is COTS (commercial off the shelf) eventhough they write tons of code in house for CE.

    For more see Jim March's comments to the CA Secretary of State here [equalccw.com]

  • Yeah, they did it in Superman 3.

    Right.

    Underrated movie, actually....
  • IS anyone else concerned that Diebold is a big player in the voting machine business, as well? Man, this nation is going to the dogs: all homeland, no security. Smoke and mirrors. Ack.
  • Greer, Pfleeger, Schneier, Metzger and the rest of the contributing authors of CyberInsecurity: The Cost of Monopoly were right. This incident proves it . The most likely source of the infection is an infected laptop being plugged into the protected network. Had the ATM's been running a different operating system - even the ancient OS/2 - they would not have been infected.

    It is also very interesting to note that they only found the worm because the infected machines tripped the IDS with excessive network traffic. From this we can infer:
    1. A worm that was less aggressive with it's scans would probably not have been detected and could possibly still be operating today.
    2. They probably don't have any host-based intrusion detection systems in place. No automated file integrity checking, no authorized process lists.

    It's a good thing for us that the worm and virus writers (thus far) have been gifted programmers, but otherwise dumber than a bag of hammers. A well-written subtle worm could probably cripple most of the developed world.
  • by halfabee ( 685633 ) on Tuesday November 25, 2003 @01:11PM (#7560068) Homepage
    We had a similar problem when the Nachi worm got loose on our network... After scurrying about and patching all of our desktops and servers, we still had Nachi hiding out on our network. Every time I built a new computer with an unpatched image, it got infected. In the end, the culprit was an Iomega NAS device (for those who are unfamiliar with it, this is a network storage appliance... think RAID array with a NIC.) We have two on our network. The older one, running FreeBSD kernel, had no problems, but the newer "Windows Powered" unit needed patching. For anyone dealing with this problem, nmap [insecure.org] will be your savior. Scan your network and look for machines with TCP port 707 open running an "unknown" service. Those are your infected computers.
  • diebold, diebold. (Score:3, Insightful)

    by Mad Quacker ( 3327 ) on Tuesday November 25, 2003 @01:12PM (#7560078) Homepage
    1. Create Nachi variation that makes diebold machines all vote republican (or only a few percent extra), including the paper ticket the voter doesn't see.

    2. Wait

    3. World Domination.

    Don't even need access to the machine, zero accountability, to the paper trail, to diebold, to the republican party, etc.

    Fight it like the plague :)

  • by justsomenick ( 714215 ) on Tuesday November 25, 2003 @01:40PM (#7560355)
    ... that I read that the Bank of America will migrate all their ATMs from OS/2 to Windows. The reason for that, according to the spokeswoman, was that "Windows made it easier to secure the ATMs". I hope they know what they're doing, but if I were a BofA customer, that sure would be a reason to switch banks (my current bank -fortunately- still uses OS/2) until the security of Windows ATMs were thoroughly proven.

I cannot conceive that anybody will require multiplications at the rate of 40,000 or even 4,000 per hour ... -- F. H. Wales (1936)

Working...