Diebold ATMs hit by Nachi Worm
red floyd writes "The Register is reporting confirmation that Diebold ATMs were hit by the Nachi worm back in August. Apparently some Diebold ATMs run XP Embedded, and got hit with a variant of the RPC DCOM worm. Seems that they hadn't yet applied the available patch."
A patch for the critical RPC DCOM hole had been available from Microsoft for over a month at the time of the attack, but Diebold had neglected to install it in the infected machines.
Nice spin, Diebold. I highly doubt these were the only unpatched machines. It's likely more accurate to say "these unpatched machines, of which there are many more, weren't well protected on their respective VPNs". Think about it: the infection had to come from somewhere, right? Other unpatched machines are probably much better protected on their respective private networks.
Trolling is a art,
From the article:
"The actual point of service terminal itself getting infected-- that's pretty crazy," said [Windows expert Marc] Maiffret. "But worms are always going to be able to infect a lot more interesting machines than individual intruders are." Moreover, before reaching an ATM network, a human attacker would likely encounter more alluring high-finance targets along the way. "They're going to have to go through a lot of juicer networks first."
Oh, yeah, that's crazy. As I recall, we discussed this very issue in a previous Slashdot story, and all the experts told us mere geeks that we were ignorant and stupid to even worry about it. Some of the most choice comments came in reply to my own post on the subject.
Now, even *after* a worm has found its way into an ATM, the "Windows Experts" say there's *still* nothing to worry about.
Well, ok... I'm not going to worry about my own personal finances, because I'll just ask the bank to reverse any bogus transactions. But if/when some savvy hacker does figure out how to infiltrate an ATM and walks away with a few hundred bucks, someone's going to come up short on their books at the end of the day...
Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
The same Diebold that has grossly insecure voting machines? The same Diebold that is abusing copyright claims and is being sued by EFF and students.
Well ain't karma a bitch Diebold?
What I am concerned about is whether or not the bank I use uses Embedded XP for its ATMs. If so, then I might have to consider switching banks. Not just because of this, but because MS-based systems are so notoriously insecure. Yeah, yeah, mod me down if you must, but I'd feel much better having embedded Linux (or some other proven secure system) watching my money, thank you.
FYI if you're using Union Federal you might want to start looking around now,... hehe
I'd think QNX or something else very simple and reliable would be a much better choice to run on ATM machines.
Wants us to trust them to run our electorate system? Let's face it, this was a VERY easily preventable oversight. These machines should have survived without patching by installing a rudimentary port blocker of some form. There is no reason RPC should be exposed by an ATM. If they are leaving ATMs wide open, I don't know how we're supposed to expect their voting machines to work.
The CEO said that he would do whatever he can to deliver Ohio or some place to Bush.
The same people that build machines with no paper trail for vote auditing.
They also do not patch their ATMs.
This really gives me confidence for the upcoming elections.
ACK
So does this mean that after each transaction, the ATM wires $20 to everyone associated with your bank account?
I know everyone always says this is a terrible mindset, but considering how many OS/2 ATMs have been hammered, there might be something to this after all.
Think about the work you'd have to go through to get your hands on OS/2 code to figure out where holes might be.
Then you have to write your own virus. It'll only be aimed specifically at ATMs etc.
Just seems like there's a lot more legwork involved in hitting obscure OSes.
Instead, if they run XP, someone else grabs the code and distributes it. Then another person writes a hack and distributes/releases that.
The end person in this case just needs to take baby steps off of the great strides of others to get a virus that can hit an ATM. Sure, obscurity shouldn't be a sole security measure, but it seems it would be relatively effective to me.
A new, secure, manageable BIOS would fix their problem.
It's really Phoenix's fault.
sigs, as if you care.
And you want their equipment deciding votes, dear God, if you can get a worm on the holy of holies, a cash dispensing machine. I seriously doubt that the next holy machine, a voting machine, should be running Diebold systems.
Seriously people, embedded proprietary operating software (neither XP nor Unix nor anything widely made public) is the best way to go with these sacred machines. Worms will have a difficult (though, dare I say, impossible) time working their way in. So the problems will hopefully be minimal.
In short I'm afraid, I'm very afraid
...in bed
The customers at large will; it will most likely be reflected in higher account/ATM fees. Banks will likely pass on the cost of theft just like merchants do the cost of shoplifting. Which sucks for the honest folk out there... all seventy-two of them.
//Information does not want to be free; it wants to breed.
I'm amazed that those ATMs were connected to the Internet, without apparently even a firewall to block all but necessary ports.
There's 10 types of people in this world, those who understand binary and those who don't.
Today: script kiddie reads story
Tomorrow: writes worm to get people's PINs + numbers
Thur: Release worm
Fri: Rolling in cash
Just hope I'm wrong
Rus
Cheap UK and US VPS
My company provides vulnerability assessment and penetration testing services to financial services clients and we crack these things all the time.
:) The latest ones run either Windows 2000 or Windows XP, and have almost the same software as the Windows NT systems, just with more vulnerabilities.
The old ones run OS/2 v3.0 and a vulnerable version of sendmail, the slightly newer ones run Windows NT 4.0, with almost no patches installed and a default username and password.
Once you gain access, it is possible to directly control the hardware using the utilities already on the system, including dumping the cash drawer
At this point Diebold has not patched ANY of the RPC vulnerabilities, let alone the Messenger or Workstation bugs. Each of these ATM's is connected to an ethernet segment somewhere waiting for someone to rob it.
During the Blaster peak, a friend of mine was talking about the XP ATM's in London constantly rebooting... They put these cmd-shell-waiting-to-happen boxes directly on the Internet. Thank god for companies like Diebold and Microsoft, their problems created a market and a community that is still picking up steam.
1) Diebold produces ATMs with security holes to skim money
2) Diebold uses skimmed money to lobby for their electronic voting machines
3) Diebold uses code in voting machines to fix elections
4) Government by Diebold, Taxation by Diebold
5) PROFIT!
Funny that this banner ad was on the page when I loaded this article... It read: Making the right decision may save you millions... Making the wrong decision may cost your job
Every company makes mistakes. Running Windows XP is a mistake a lot of companies and people make.
The reason this is Slashdotworthy is that it is the same Diebold. The people who submit stories are hostile towards Diebold, and it's only to be expected that some of those hostile stories would make it through.
I'm sure a lot more vital-service machines than just those built by Diebold were hit. A story on the range of systems, maybe with ATMs as a highlight, would have been more appropriate.
Not ranting at you, just wasting karma, that's all.
I am not a Windows Expert, but why is RPC important in an ATM? Is this something in embedded XP that should be disabled for certain applications like ATMs? If RPC should have been turned off then it's also the fault of Diebold not to configure the machines properly and MS for leaving it enabled by default.
Well, there's spam egg sausage and spam, that's not got much spam in it.
I'm amazed that those ATMs were connected to the Internet
Maybe they weren't. You needn't be connected to the internet to catch a worm. Any LAN/WAN/VPN will do.
Trolling is a art,
Not to defend Diebold, but they wouldn't even be allowed to patch the systems. The software on those voting machines (at least in theory) all needs to be checked and double checked by this independent authority before it's installed, and ONLY THAT approved software can be installed on the machines.
Ahh, but isn't that part of the problem? Isn't Diebold saying that nobody should need to check and double-check their machines because Diebold knows [wink wink] that the machines are secure and immune to tampering [at least under the DMCA]...
Despite the allure of hard cash, don't expect to see a rash of made-for-Hollywood ATM hacks -- machines around the country suddenly spitting out wads of 20s at random, said Marc Maiffret, Windows expert and "chief hacking officer" at California-based eEye Digital Security.
Hey, why not? Nachi wasn't tailored for ATMs, but it still got a few. Imagine a virus/worm that _was_ meant specifically for ATMs. I bet something like that could achieve a pretty big impact.
Ah well. Just my $.02
If these walls could talk they'd probly still ignore me. --MF DOOM
I really think the problem with a lot of companies like Diebold is the fact that the management does not know how to differentiate 'ok' vs 'good' employees when hiring.
At my company (large one) we hire IT guys working on very sensitive security stuff from DeVry and ITT for instance, and they don't know jack about anything beyond telnet and simple networking. Now I don't know a whole lot about it either, but I'm still in college.
I think that people with sub-par understanding of security and networking are being hired, and they are just taking a bought-somewhere-else embedded system, throwing their software on it, and job's done! And people wonder why IT jobs are being outsourced...
I remember thinking how weird it was to have my ATM suggest an exclusive opportunity to increase the length of my penis.
Just the fact that ATM machines are reachable from the public Internet is a huge cause of concern to me. A VPN connection without an intervening firewall at the ATM machine itself (which they claim they are installing now) is plain ridiculous.
You are then just hoping that none of the insiders will try to sabotage the machines, either knowingly, or unknowingly because of an infected laptop etc. They have to realize that VPN is a VIRTUAL PRIVATE network, and NOT a dedicated line, and hence, security measures have to be MUCH stronger than if it was a REAL private connection. Does it take rocket science to figure that out?
And then there's that quote from the "Windows expert and chief hacking officer" that malicious hackers will probably not go for ATM machines, even though they are reachable/hackable, because of other "juicier targets", presumably the bank network itself. Most malicious hackers would do it just for the fun of making an ATM machine spew out cash, if they figure out they can make it do that. That is a very lame assumption from a security expert.
And finally, for your reading convenience, here's an earlier /. story which mentions that 65% of the ATMs will be running a stripped down version of Windows by 2005.
An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
Around about this time I saw an ATM in Mayfair, London, with a windows error message in the middle of the screen. It was complaining that a DHCP server couldn't be found, and was happily waiting for someone to come along and click on the OK button.
Mashing the keypad didn't seem to help. I guess sooner or later they would have realised the ATM had disappeared and would have sent a tech out to press reset or something.
There's no personal data stored in an ATM. It's just a dumb terminal.
And Nachi basically makes the machine unusable.
Without specific code that targets ATMs, this is merely a generic nuisance that happened to hit what some consider a sensitive device.
Scary when you think what could happen, and frustrating when you think of the loss of trust in the security admins. But let's keep this in perspective. Nothing serious happened and it's a big step to get to where something serious will happen.
Hopefully those responsible have been sacked, and the new security llamas won't make the same mistakes.
Nostalgia isn't what it used to be.
Is how the worm got to the machines in the first place. Are the ATMs on a network with laptops, desktops, or a public network connection? If not, how the hell did the worm get onto the network? This is highly disturbing.
Funny- I was just at the ATM today, and I glanced down and saw the Diebold tag. They're pieces of crap- barely a few years old, nobody cleans them, the screens are dim and usually require breaking your finger- and they're SLOW as molasses. Slow as in "I have only three or four things I can do but it still takes me a minute to give you cash"- and it can't all be explained away by network latency. Things like the machine sitting there locked up for 20 seconds or more after the last person leaves, before it will unlock the card slot. What is it doing, debating the meaning of life? It's a fucking ATM machine. It makes you wonder if the whole thing is written in really, really bad VB...or maybe Flash.
In any case- I agree with the parent. I could care less what the thing runs, as long as they're competent. The voting machines demonstrated that they're completely incompetent. This just goes to show that our suspicion that they're -also- incompetent at making secure ATMs is probably right.
Please help metamoderate.
you forgot: :)
6) Ruling the world
We have a new record! Someone didn't even make it all the way through the article TITLE. First, it was rtfa (the linked article). Then it was rtfa (the slashdot article). Now do we need to go to rtft (read the fucking title)? The article is about diebold ATMs, not voting machines.
====
Crudely Drawn Games
Yeah, if only things really worked that way...
In California, Diebold was able to upload uncertified patches to their DRE systems in Oakland without any prior approval by the state. This led to California decertifying these machines, and was a big factor in California deciding to require a paper audit trail by 2006.
So yeah, even though in theory they're not supposed to be able to do this, they did.
if some script kiddie hacks into the voting machines...President Jenna Jameson!!
That's not necessarily a bad thing...
I'm with you on this one...which is not to say that I agree with Diebold's business practices. However, it's not Microsoft's fault if some butthead forgot to patch their system -- the same way it's not RedHat's fault if some butthead forgot to patch their system and got owned. How can Diebold be blamed here? It's the eu's responsibility to maintain their system.
Now I don't know anything about ATM machines and associated contracts...but I assume that responsibility of maintenance either falls into the hands of the owner of the machine, or the bank issuing the cash -- not the manufacturer.
-Turkey
These machines can be infected through their internet connections, but cannot be maintained remotely?
Why are they even connected to the internet in the first place?
"Teleporting Rodents with D-Cell Battery Displacement" theory -- IgnoramusMaximus (692000)
We're talking about a dumb terminal here, aren't we? Let the user log in with his card, enter a passcode, then enter input which gets sent to a server somewhere to be processed and which sends back either output to be displayed to the user or output to be read by the machine which gives you your money.
The same criticism applies to Diebold's voting machines.
This is why Linux would be such an ideal solution. No application of Linux has impressed me more than the (now sadly defunct) Linux Router Project, simply because it demonstrated how for many tasks most of the operating system amounted to nothing more than ballast. They were able to boot a router from a floppy.
This is how I think an ATM--or a voting machine--should work. The amount of software should be kept to an absolute minimum if for no other reason than that it minimizes complexity, and in these kinds of applications, complexity is the mother of all evil.
And in the case of the voting machines, it would also greatly assist in auditing the code and making sure that what you think is executing is what's executing.
Is this truly the only Earth I can live on?
Hrrmm, I believe this has been hinted at for years now...
CHANCE! "Bank error in your favor, you collect $200 dollars."
I guess the game should have been called Life, then, not Monopoly..
mod grandparent down, offtopic.
Were the ATMs in a domain or sharing printers or ... Why run something which isn't being used -- especially if you know you won't be able to patch it later.
So we don't have to worry about ATM's getting ripped off because crackers would "have to go through a lot of juicer (sic) networks first." I'm sure the financial institutions are relieved to know that...
When all of your wishes have been granted, many of your dreams will be destroyed - Marilyn Manson
Which begs the question - how did they audit them? A full audit has to go all the way down to the metal, otherwise someone could have hidden a backdoor that allows them to alter the results and logs. Hopefully they have fully checked the source code of the compiler used to build OS and software as well, the rumoured backdoor in an early version of Unix is a famous example of why this is necessary.
Regardless of your view on the merits of Open Source Software, it is the only safe and accountable way to build an e-voting system. If even one piece of the system is closed code then you have to assume that it's been compromised and thus the results have been tampered with.
The democratic process is far too important for security to be left to chance. Either do it properly or don't do it at all.
The security of electronic voting is important.
Paranoid fantasies about "stealing" a national election by the CEO of the voting machine company just turn off people to the real issue.
I'm amazed that those ATMs were connected to the Internet, without apparently even a firewall to block all but necessary ports.
The ATMs are not connected to the Internet. They are on an intranet, most likely with other ATMs and their database server, hopefully nothing more.
Agreed there is no firewall. The original idea was probably only to allow trusted machines onto the intranet in the first place. This follows the same logic (or lack-thereof) of people that don't use firewalls because they're behind a NAT.
The problem is allowing machines that were once on the Internet (and thus, may be tainted) onto the intranet. When some employee hooks up his laptop to work on an ATM, it probably connects to the intranet to let the database server know he's messing with it. The problem is that he was on the Internet yesterday and got infected with a worm/virus, which is now spreading itself through the intranet. The result: a tainted machine on a network that was intended only for trusted machines.
I think the idea of a Sygate firewall on every individual machine is a great idea. This will be a rather easy improvement to make (at least for new ATMs) and will give each individual ATM its own security against intranet intruders. Thus, when a tainted machine gets on the trusted network, the ATMs have (at least a little) self-defense.
Still, this just emphasizes the need to block all unnecessary ports or services, which was apparently not done in this case.
There's 10 types of people in this world, those who understand binary and those who don't.
Windows' strength, pretty much its only strength, is legacy compatibility. But an ATM doesn't need to run Excel or some 8-year-old custom Visual Basic application that an irresponsible manager got the company locked into. Really, it's ok to use decent software for embedded projects, nothing should hold you back.
Using Windows in an ATM, sounds like a classic application of the saying: "When the only tool you have is a hammer, every problem looks like a nail."
"Believe me!" -- Donald Trump
For more see Jim March's comments to the CA Secretary of State here
which is a crippling inherent flaw in the whole idea. If you allow patching then the system would be vulnerable to arbitrary patching. If you don't allow patching you can't fix any other security holes you might find. Whether or not you allow patching the system is unacceptably insecure.
Conclusion: electronic voting boxes are a bad idea.
I work at a major financial services company as well, and he's right. The entire ATM network is being migrated over to public Internet structure, and OS/2 is being phased out for XP.
*sigh*
Wired ran an article about embedded XP back in September. At the time I wrote a Letter to the Editor, which was not posted (so very un-slashdot-like), stating how insane it is that banks would be willing to risk their front end machines when their back end machines have been slammed repeatedly by Microsoft issues. That goes for windows and MS SQL.
"Ain't I a stinka..." - Bugs
They may not have been. It can happen like this: Idiot manager brings laptop home. Idiot manager plugs his laptop into the DSL line. Idiot manager gets hit by a worm, and his laptop is infected. Idiot manager takes his laptop to work and plugs it into the private network. Worm starts infecting machines on the private network.
A lot of infections happen like this. It's one reason why firewalls are not a complete solution.
The cake is a pie
Yeah, they did it in Superman 3.
Right.
Underrated movie, actually....
"To lead the people, you must walk behind them"
As someone who works in a bank, I have seen a Diebold repair tech hook up his laptop directly to the ATM to do some work on it. So the laptop could have been the one that was infected.
Also, most of the program information comes from the Processing Center that is driving the ATMs, which are all on a network. For example, when we changed ATM Processors, the tech had to connect to the system and get a "load" from the new processing center to connect. These ATMs are connected over some form of leased line.
I am glad to know that our ATMs are running OS/2 Warp and were unaffected by this bug
IS anyone else concerned that Diebold is a big player in the voting machine business, as well? Man, this nation is going to the dogs: all homeland, no security. Smoke and mirrors. Ack.
Mmmmmm... Bold, yet refreshing!
moderators on crack, how did this get to +5?
Diebold voting machines are renowned for their stability and reliability . What does this imply could happen to them, especially, say, on November 7, 2004?
-- haaz.
Okay, here's my question: These ATMs were in some way linked to external machines that have Internet access, and if not directly, then through a route to those machines that did.
Question: Why?
Question: Why weren't the routers configured to block everything but the required ports to the ATMs?
Also note that according to the article, Diebold neglected to apply the DCOM vulnerability patches even though it had been a month since Blaster disabled thousands of machines.
Question: Why do we continue to trust this company? That's two strikes if you include the electronic voting machines (I've yet to hear an explanation of why those e-voting machines in certain areas of my state were crashing on election night).
Fred
"A fool and his freedom are soon parted"
-RMS
Diebold: Insecure by default!
Maresi
PS: Question to the /.-crowd:
Should I hire a lawyer (for criticising Diebold)?
[ ] Yes, definitely
[ ] No, why?
[ ] Yes, hire Cowboy Neal!
The checkbox said "Requires Windows 98, NT, or better." And so I installed Linux.
Not true. Software design is very important. Compare the design of sendmail vs qmail. qmail is better designed from a security standpoint than sendmail, and sendmail has paid dearly for its design choices. Software really needs to grow up and it won't until vendors bear some of the liability beyond PR implications on sales.
I remember when the tech weenies at the post office were big Windows lovers. The post office bought the new Loral letter sorting machines that used QNX. Soon the techies were singing the praises of QNX. Never once did I see a lick of trouble with the computers. The only times the techies had to come was for upgrades and hardware troubles and periodic mandated maintenance.
can we please change the subject name to
Diebold ATMs hit by NAZI Worm
banks are so damn conservative with updating their technology.
the ATMs from the 80's are so well patched now that they are much safer than the crap being released nowadays.
I am the Alpha and the Omega-3
Not only that, but at least three others considered it worthy of mod points.
In all matters of opinion, our adversaries are insane. -Oscar Wilde
But why the hell these machines were on any kind of a network with any type of connection to the Internet is another question altogether.
Nothing says it was attached directly to the Internet. A machine can be on a LAN--even temporarily--and still get this worm from another infected machine.
The other day I was visiting someone in a hospital ICU. Before I left, I noticed they were getting drugs from a cabinet that popped open the proper drawer after they entered a bunch of information, and it was running Windows CE when the screen saver kicked in ... I decided not to joke to the patient about BSOD having a new meaning!
In all fairness, I didn't see them BSOD, just worried what would happen in a crisis if they did or they opened the wrong drug drawer.
How did they get infected? They're not on the Internet, surely?! Please, please someone tell me that we don't have ATMs on the net. ;)
Suddenly I have an urge to keep my money in a mattress
Chris "Ng" Jones
cmsj@tenshu.net
www.tenshu.net
All they would need to do is document the failure with the associated problem level (I would make it critical).
It would be up to the configuration control board to determine what to do with it.
For criticals, the CCB would probably authorize an emergency patch/fix.
The problem is this action would make Diebold look like they don't know what they are doing. Bad for marketing and keeping customers.
But getting your machines infected with known virii is bad for business also.
Sir, is it just me, or are you completely illiterate?
Without specific code that targets ATMs, this is merely a generic nuisance that happened to hit what some consider a sensitive device. ...
Scary when you think what could happen, and frustrating when you think of the loss of trust in the security admins. But let's keep this in perspective. Nothing serious happened and it's a big step to get to where something serious will happen
How do you know something serious didn't happen?
So the Nachi worm hit these machines, and it's big and obvious, and it breaks the machines. But the Nachi worm moves by brute force; it hit these ATMs by accident. How do we know that during the time before the ATMs were hit, someone with actual, targeted, malicious intent didn't at some point hit a few of the ATMs using the same exploit Nachi did?
If someone doing it on purpose had hit the ATMs, they could have done something much more subtle. Something that wouldn't have been noticed the way the Nachi worm was, something that (given how unconcerned everyone seems about this) probably wouldn't be noticed at all, even after the Nachi incident. Something like a small patch to the ATM UI that quietly records the ATM card number, personal information, and PIN# of everyone who uses that ATM, then quietly dumps that somewhere on the internet later. It wouldn't be that difficult, and the Nachi thing simply proves it's possible.
It's not a big step at all to get to the point where something serious could happen. It's barely even a step at all, as it's just a step of exactly the distance between a worm hitting an ATM at random and someone with a little bit of intent, knowledge, and time sitting down and deciding they're going to hack an ATM.
Irritable, left-wing and possibly humorous bumper stickers and t-shirts
Yes, but ports open on an OS should be optional. It shouldn't **require** certain ports to be open, a la 135-139.
Get your own free personal location tracker
Does anyone have any insight as to how this would happen? I would assume that ATM machines are open on the net if anything they would be connected to some sort of a private network of the companies - did the ATM become infected through one of the host computers on the private network? One would hope that even having the cute little "Windows Update" annoyance popup, the sysadmin would update a machine that has access to the ATM network? Right? Scares me.
uidzer0.org
Geer, Pfleeger, Schneier, Metzger and the rest of the contributing authors of CyberInsecurity: The Cost of Monopoly were right. This incident proves it. The most likely source of the infection is an infected laptop being plugged into the protected network. Had the ATM's been running a different operating system - even the ancient OS/2 - they would not have been infected.
It is also very interesting to note that they only found the worm because the infected machines tripped the IDS with excessive network traffic. From this we can infer:
1. A worm that was less aggressive with its scans would probably not have been detected and could possibly still be operating today.
2. They probably don't have any host-based intrusion detection systems in place. No automated file integrity checking, no authorized process lists.
It's a good thing for us that the worm and virus writers (thus far) have been gifted programmers, but otherwise dumber than a bag of hammers. A well-written subtle worm could probably cripple most of the developed world.
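As an added illustration of the comment's first point (example code written for this page, not from the article or from Diebold): a small Python detector run over a constructed connection log. A per-minute distinct-destination rule, the kind of "excessive traffic" trigger that exposed Nachi, fires on a fast scanner but not on a host probing one new address every 90 seconds; a second rule counting distinct destinations over the whole log catches the slow one as well. All addresses, timestamps and thresholds are constructed for the example.

```python
"""Scan detection over a constructed ATM-network connection log.

Two rules, both counting distinct destination hosts per source address:
  * "burst": >= burst_threshold distinct destinations inside one
    60-second bucket (the excessive-traffic behaviour that exposed Nachi);
  * "sweep": >= sweep_threshold distinct destinations over the whole log,
    which also catches a scanner that stays under the per-minute rate.
Addresses, times and thresholds below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)


def make_sample_log():
    """Constructed log lines: 'ISO-timestamp src dst dport', one per attempt."""
    t0 = datetime(2003, 8, 18, 9, 0, 0)
    lines = []
    # Aggressive scanner: 200 distinct hosts on TCP/135 within 20 seconds.
    for i in range(200):
        ts = t0 + timedelta(milliseconds=100 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.5 10.0.1.{1 + i} 135")
    # Low-and-slow scanner: one new host every 90 seconds for 3 hours.
    for i in range(120):
        ts = t0 + timedelta(seconds=90 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.9 10.0.2.{1 + i} 135")
    # Legitimate terminal: talks only to its two back-end servers.
    for i in range(300):
        ts = t0 + timedelta(seconds=30 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.7 10.0.9.{1 + i % 2} 443")
    return lines


def parse_line(line):
    """Split one log line into (datetime, src, dst, dport)."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def scan_alerts(lines, burst_window=60, burst_threshold=50, sweep_threshold=100):
    """Return {src: sorted rule names} for every source that trips a rule."""
    per_bucket = defaultdict(set)   # (src, bucket) -> distinct dsts in that bucket
    overall = defaultdict(set)      # src -> distinct dsts across the whole log
    for line in lines:
        ts, src, dst, _ = parse_line(line)
        bucket = int((ts - EPOCH).total_seconds()) // burst_window
        per_bucket[(src, bucket)].add(dst)
        overall[src].add(dst)

    alerts = defaultdict(set)
    for (src, _), dsts in per_bucket.items():
        if len(dsts) >= burst_threshold:
            alerts[src].add("burst")
    for src, dsts in overall.items():
        if len(dsts) >= sweep_threshold:
            alerts[src].add("sweep")
    return {src: sorted(rules) for src, rules in alerts.items()}


if __name__ == "__main__":
    log = make_sample_log()
    print("both rules:      ", scan_alerts(log))
    # With only the per-minute rule, the slow scanner goes unnoticed.
    print("burst rule alone:", scan_alerts(log, sweep_threshold=10**9))
```

Tuning the sweep window and threshold to the real network's baseline is the hard part; on an ATM segment where each terminal should talk to a handful of back-end hosts, even a low threshold is defensible.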
If they patch their voting machines they get blasted for it; now they're getting flak for not patching their ATMs.
uh, that's the same diebold doing the voting machines ???
Not sure if you are aware of this, but sometimes a comment will be in response to a previous comment rather than based entirely on the Slashdot article. In these cases, OTHER RELATED TOPICS might be brought up. For instance--If a company can't keep an ATM secured, we might not want to trust them with our election results.
I think Slashdot has something called "Threaded mode" that might help demonstrate this concept.
I had also added a parenthetical to the story when I submitted it, namely, "And these are the guys who want us to 'trust them' with our voting?"
The only reason we have the rights we have is that people just like us died to gain those rights. -- Cheerio Boy
Firewalls are an insanely stupid idea, or at least using them to protect shitty-ass computers that can be tricked into executing programs over a network is an insanely stupid idea.
You simply should not be running such machines in the first place. You cannot magically protect a network from worms that way.
In fact, I have problems thinking of any legit uses of firewalls that wouldn't be better served than just fixing the damn thing you're firewalling off. Maybe if someone is trying to DoS you, you can use it to reduce bandwidth on your internal network...but pretty much everyone has more bandwidth internally than externally, and if it's causing a problem internally you're basically completely off the net anyway, and might as well physically pull the plug. (And, yes, I was assuming you weren't using NAT in that example, mainly because NAT is an equally stupid idea.)
If corporations are people, aren't stockholders guilty of slavery?
Next time make the ATM dispense endless amounts of cash.
How would you get them to display Chinese characters? Almost all the ATMs in Toronto have this option, as well as Spanish, French and Italian in certain neighbourhoods.
It doesn't mean much now, it's built for the future.
Hell, they don't come easier than that:
phb to techie How quick can you get me a demo of the new embedded project?
techie to phb I can do you a really crap one in 1 hour with Visual Basic, but we will need to code the proper one in C, and that will take 3 months
phb to client The system will be ready tomorrow
Sent from my ASR33 using ASCII
A few years ago when I was a naive young UNIX programmer I came to the cash machine and got the fright of my life. There, floating over the blocky PIN login screen was a Windows Illegal Error box.
Up until that moment I had always assumed the cash machines were running some specially written firmware on specially made hardware. This was a massively important and widespread system after all.
Oh - how young I was.
Aide-toi, le Ciel t'aidera - Jeanne D'Arc.
Yeah, but remember, sendmail was designed in the "good old days", when there were maybe a few hundred hosts, and people on the Net trusted each other!
The only reason we have the rights we have is that people just like us died to gain those rights. -- Cheerio Boy
There aren't that many comments for this story yet... this is because everyone is busy hacking their local ATMs, no?
How long do you think it will take before a hacker writes a virus that specifically targets ATM's, cash registers, or vending machines running embedded windows?
To work, the virus would need to spread by infecting any machine (but not be "malicious" so as not to attract attention). However, as soon as it detects that it is running on an ATM, gets down to business: sending your credit card / pin to an IRC channel, spamming random people with your grocery purchases, or (gulp) transferring your funds to 2600 magazine.
If they can't even bother to patch Windows on ATMs, which is a much more competitive market, why would they secure our voting machines? The Federal Election Commission (FEC) should require an ISO9001-style process certification for all voting equipment vendors, but with more security criteria. Diebold's bank customers can fire them and recover the money, but the botched 2004 election will be an unrecoverable error.
--
make install -not war
We had a similar problem when the Nachi worm got loose on our network... After scurrying about and patching all of our desktops and servers, we still had Nachi hiding out on our network. Every time I built a new computer with an unpatched image, it got infected. In the end, the culprit was an Iomega NAS device (for those who are unfamiliar with it, this is a network storage appliance... think RAID array with a NIC.) We have two on our network. The older one, running FreeBSD kernel, had no problems, but the newer "Windows Powered" unit needed patching. For anyone dealing with this problem, nmap will be your savior. Scan your network and look for machines with TCP port 707 open running an "unknown" service. Those are your infected computers.
-- Halfabee
1. Create Nachi variation that makes diebold machines all vote republican (or only a few percent extra), including the paper ticket the voter doesn't see.
:)
2. Wait
3. World Domination.
Don't even need access to the machine, zero accountability, to the paper trail, to diebold, to the republican party, etc.
Fight it like the plague
"I don't know that atheists should be considered citizens, nor should they be considered patriots." George HW Bush
Sure firewalls work.
If there's a firewall on each ATM only allowing connections on a specific port (for communication to the database server), then the ATM will be unaffected by the RPC exploit.
Blocking inbound ports 135, 139, and 445 will effectively eliminate RPC exploits, including the Nachi worm that apparently infected these ATMs.
Sure, the best way to fix the patch is probably to install the MS patch. But what about the vulnerabilities that aren't known yet? If you're not using all the wonderful MS services, there's no reason you shouldn't block all these ports. They're potential vulnerabilities.
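Combining the nmap tip earlier in the thread (Nachi's TCP port 707 listener showing up as an "unknown" service) with the 135/139/445 port list in this comment, here is an added triage script that is not from any poster; it parses a constructed sample of nmap grepable (-oG) output to flag hosts that look infected and hosts that still expose the RPC ports a firewall should be blocking.

```python
import re
from typing import Dict, Set, List

# Constructed sample of nmap -oG output (not a real scan); fields are tab separated.
SAMPLE_SCAN = (
    "# Nmap 3.48 scan initiated (constructed sample)\n"
    "Host: 10.0.0.5 ()\tStatus: Up\n"
    "Host: 10.0.0.5 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, "
    "445/open/tcp//microsoft-ds///, 707/open/tcp//unknown///\tIgnored State: closed (996)\n"
    "Host: 10.0.0.8 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: closed (999)\n"
    "Host: 10.0.0.9 ()\tPorts: 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///"
    "\tIgnored State: closed (998)\n"
)

NACHI_PORT = 707            # backdoor shell Nachi/Welchia listens on
RPC_PORTS = {135, 139, 445}  # inbound surface used by the RPC DCOM exploit


def parse_grepable(text: str) -> Dict[str, Set[int]]:
    """Map each scanned IP to the set of open TCP ports reported for it."""
    hosts: Dict[str, Set[int]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comments and the trailing summary line
        ip = re.match(r"Host:\s+(\S+)", line).group(1)
        ports = hosts.setdefault(ip, set())
        field = re.search(r"Ports:\s+(.*?)(?:\t|$)", line)
        if not field:
            continue  # a "Status: Up" line carries no port data
        for entry in field.group(1).split(","):
            # entry layout: port/state/proto/owner/service/rpcinfo/version/
            parts = entry.strip().split("/")
            if len(parts) >= 3 and parts[1] == "open" and parts[2] == "tcp":
                ports.add(int(parts[0]))
    return hosts


def triage(hosts: Dict[str, Set[int]]) -> Dict[str, List[str]]:
    """Split hosts into 'likely infected' (707 open) and 'RPC exposed' (135/139/445 open)."""
    return {
        "likely_infected": sorted(ip for ip, p in hosts.items() if NACHI_PORT in p),
        "rpc_exposed": sorted(ip for ip, p in hosts.items() if p & RPC_PORTS),
    }


if __name__ == "__main__":
    report = triage(parse_grepable(SAMPLE_SCAN))
    for label, ips in report.items():
        print(f"{label}: {', '.join(ips) or 'none'}")
```

Hosts in rpc_exposed but not in likely_infected are the ones to patch or firewall before the next sweep reaches them.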
particularly wrt the unfortunate comments of the Diebold president...
considering the (what should be) massive security on bank machines, does this give any further pause to the added "safety" of "trusted computing"? Given that you can't secure critical applications to users, what makes me think that TCP will be able to secure my computer from anything but me?
We used it in an application that treated faxes like email. We sold 'fax mailboxes' that came with a phone number that connected to your mailbox. Using the buttons on your phone you could delete the fax, move it to a 'folder', forward it to another number, forward it to a set of numbers (yeah, sounds like spam to me too), forward it to the number you were calling from etc. It could call or page you when you got a fax. Fun project. I still have the worthless stock options in a box somewhere.
We really need a secure microkernel OS for applications like this. There's nothing available. Windows CE is a mess. Linux and the UNIX variants are too bloated. QNX isn't designed to be secure. NSA Secure Linux has no applications. The Hurd crowd can't get their act together. And Multics is dead.
1. What's the authentication procedure for ATMs and can an 0wn3d machine bypass the procedure?
2. Is the pin # verified against the card or the account?
Hmm... so, for example if it had a parent link, much like this one doesn't, it would be a reply, correct? So what, exactly, is your point?
====
Crudely Drawn Games
Security by obscurity does not work. I'd find the voting machines much more trustworthy if their code was open source.
Your amazement is well founded, and I'd bet any Diebold engineers reading these threads are too embarrassed to reply. If they do reply, it would be because they are too stupid to be embarrassed.
Healthcare article at Kuro5hin
I'm surprised Diebold chose to use the embedded XP system in their ATMs instead of the far more widely used (and certainly more secure) OS/2. I understand from IBM sources that while OS/2 on the desktop never really took off that well (even though it was the first OS I installed on my first home-built PC back in, oh gee, 1994), it really does hold the lion's share of the ATM market. Makes me even more suspicious of the Diebold AccuTouch voting machines now. What happens if someone unleashes a similar worm around November 1, 2004 that spreads like wildfire in every precinct just before the General Election?
... that I read that the Bank of America will migrate all their ATMs from OS/2 to Windows. The reason for that, according to the spokeswoman, was that "Windows made it easier to secure the ATMs". I hope they know what they're doing, but if I were a BofA customer, that sure would be a reason to switch banks (my current bank -fortunately- still uses OS/2) until the security of Windows ATMs were thoroughly proven.
It's the dorky wanna-be-ganster geek from Office Space! Hide your dot-matrix printers!
For the love of $DEITY, loose != not win!!!!!
At least it's better than ATMs being bulldozed by rabid Taco Chihuahuas.
"The election you have reached is not in service.
Please check the election, and try again."
-kgj
Indeed, design is of critical importance. However, it is naive to believe that just because one has a well designed application, that it is bug free. Bug-free code does not exist in reality.
To expand on your example, I use qmail in a number of installations. I still read bugtraq (among others) and look for new patches. It's part of my responsibility as an admin, and I'd be remiss in my duties if I depended on the reputation of my software instead of actually watching for new vulnerabilities (and [local] vulnerabilities have been found in qmail). The point is that it's still the end user's responsibility to ensure that their software is properly patched -- not MS', not Red Hat, not even DJB. Sure -- secure, bug-free code is nice, but in the real world, I know that this is not a reality and try to weigh out the risks, while constantly trying to keep informed of new risks.
What's alarming for me is not that there was a vulnerability in the ATM machines -- this does not come as a shock. But in this case, there was a longstanding published vulnerability with exploits in the wild, as well as a highly available patch. Nothing was done, and the ATM machine was exploited. Maybe the vendor needed to contact the owner of the machine...maybe they had a service contract -- I don't know the details beyond what's in the article. However, I'm not sure that it's fair to blame Diebold for anything more than their use of an MS OS...and although I'm a *nix professional, I'm still willing to admit that depending on what needs to be accomplished, there can be some very compelling reasons to use MS software.
-Turkey
Diebold don't consider printed logs necessary when delivering your votes to the republicans.
When you find a "proven secure" operating system, make sure you let everyone know about it. As of the 25th of November 2003, they are as common as the Unicorn and the Free Lunch. That is to say, they don't exist.
Ok, I happen to work for a fairly large financial institution that has several Diebold ATMs, although ours all run OS/2 and therefore aren't vulnerable.
That being said, and after actually RTFA, I'd say Diebold played their cards pretty close to their chest on this one, because they didn't give a lot of detail. For all intents and purposes, these machines are very "dumb". They have just enough information to operate the machinery and communicate with the host. Everything actually involving getting account information, adjusting balances for withdrawals/deposits, etc. gets done remotely. All the ATMs are "driven" by a controller that actually handles the account information.
As a result, these machines have to be in constant communication over a network with the host. In our case, this is a private network over leased lines that never gets anywhere near "The Internet". However, like I said, they are still in constant communication with the host (a.k.a. "server"), which has to be tied in to the bank's network in order to pass messages back and forth regarding user's accounts. This host runs Windows NT/2000/whatever.
Ok try to keep up now...
So, (1) the Nachi worm comes in through the Internet and infects any random machine on the network. (2) That machine starts spreading to the rest of the network, eventually (3) getting to the ATM host ("server") machine. (4) The host, through its own private network with the ATM machines, now infects all the ATMs. Before you know it, Bob's your uncle, and your totally-removed-from-the-Internet ATM machines are now infected because of one PC workstation with an opening.
Now I'm not defending Diebold here. What they did was stupid, and is exactly why we're still running an ancient OS on our machines. I'm just trying to enlighten those that seem to think their every transaction is buzzing through the open 'Net.
One only needs two tools in life: WD-40 to make things go, and duck tape to make them stop. ~G.M. Weilacher
I know it would be nice to have everything similar in nature and to be able to re-use the same OS in many different areas.
However, I have always thought that certain applications (like this) should have a dedicated OS (created specifically for the purpose at hand). ATM's, automobiles, medical equipment, etc. really need a hardened/limited OS.
I just think there is *something* to be said for security through obscurity. For instance, we still run a number of financial/etc. software on VMS machines. Back in the day, these machines were far more vulnerable to attack. Now, with the limited availability of these OS's it seems that fewer attacks are designed for them.
When you can use something like this. Write the whole thing in C (not quite standard) or buy the realtime OS for it. Then you'd have only what you need and no other stuff that is a possible exploit.
Pigs don't really use their eyes to find food so much as their sense of smell.
Jaysyn
There is a war going on for your mind.
Used to be that American money was real honest-to-God GREENBACKS, not some funny, furrin looking fruit color with corporate logos on it.
Used to be that banks were always built, well, like banks, heavy, solid, safe looking hulking stone fortresses.
That's what the 80's green mono monitor always said to me. "We're interested in what's known and safe and secure, not flashy video ads to sell you stamps while you wait for your cash."
Now it's all "Did you see this week's twenty? It's got Jessica Lynch and a coupon for Chik-Fil-A on it!"
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
What worries me is that Diebold is one of the leading makers of voting machines. Are these machines also subject to such hacking?
The "Diebold Memos" circulating on the web document the insecurity of their voting machines. Also food for conspiracy theorists: Diebold CEO is a close friend of Dubya, Diebold contributed $300,000 to Dubya's last campaign, and they promised to "deliver Ohio" to Bush in the next election -- a state that has a large majority of Diebold voting machines.
: What Constitution?
Okay, let's review.
The election proceedings in 2000 were superseded by the unprecedented and legally questionable opinion of a far-right supreme court justice (even though there was no reason for him to step into the Florida court case).
Bush & Co stifled the investigation into possible (read, known) election fraud in Florida.
Bush & Co stifled the investigation into 9/11, i.e., why fighters were not scrambled, even after the first plane hit, even though fighters were scrambled an amazing *67* times earlier that year. Why on 9/12, when every american was stuck on the ground, taxpayers paid for free tickets to Saudi Arabia for every bin Laden in the US (the bin Ladens and the Bushes have a long and favorable history), why we refused the Taliban's offer to GIVE us Osama bin Laden, etc, etc...
There has been a media current which goes beyond the realm of war propaganda... the TV networks could be easily mistaken for a part of the White House PR team.
Every week there's a news story about Bush appointing ex corporate workers to regulate their old industries, absurd policy decisions, and all the while keeping up a facade of spin and anti-dissent bluster.
Bush even lied in his state of the union, blamed the CIA director and then forgave him (how convenient!) Meanwhile, Bush and Blair still keep up the unbelieved pretense that Iraq was an imminent threat or at least worth attacking for *some* reason, but as for the specifics they each point to each other. "You'd have to ask England." "Oh, we heard that from the US." And of course, the "liberal" media (in the US) is there right along ignoring all the inconsistencies, playing sound bites from Bush Spinners and rabid ultra-conservatives, and generally filling the average American with unsubstantiated bull.
Anyone who points out facts which imply fault with or even outright damn the Bush administration is labeled a "rad-lib", "conspiracy nut", or sometimes even "unamerican". The pentagon, the CIA, the FBI all have made protesting noises about the way Bush is running his administration.
Meanwhile, in near total ignorage by the TV networks, massive financial crimes are destroying jobs and destroying people's hard-won pensions. Massive tax cuts to the uber-wealthy, pittances to the rest.
Now HAVA (Help America Vote Act) comes along.
Bush appears to have stolen the election in 2000.. Now he looks to be gearing up to make sure he keeps the office another term.
Bush, the fact that you didn't die when you choked on that pretzel is all the proof I need that God does not exist. Go back to Dallas and OD on blow you waste of skin.
No, the people who rely entirely on firewalls for their protection are insanely stupid. Firewalls should only be a small part of your security system. You start with well-patched, secure operating systems. You run secure applications. You disable all unnecessary network traffic. And then you put in a firewall just in case. This is just like relying on the "safety" on a gun. Anybody who does this is an idiot. To make a gun as safe as possible, you unload it, turn the safety on, and then make sure it doesn't get pointed at anybody.
GreyPoopon
--
Why is it I can write insightful comments but can't come up with a clever signature?
The timing on this is perfect, as I just read an article yesterday (in InfoWeek, I believe) about the effect of IBM's plan to discontinue OS/2 support on ATM manufacturers. The article was a couple of months old, but focused on them suggesting that financial institutions migrate their ATMs to Linux instead of Windows. It seems that the big ATM manufacturers (including Diebold, which featured heavily in the article) are leaning heavily toward Windows despite IBM's recommendation that they go with Linux. Their attitude is that they're running Windows on the back end, so they want it in the ATMs as well.
Well, now they're getting what they wanted, and I doubt that they'll learn from this. Large banks seem to have a monolithic mindset that's averse to anything new. They're also decidedly pro-Microsoft.
IBM offers some very effective solutions for integrating Linux-based ATMs with both UNIX and Windows-based back end systems. That companies like Diebold insist on going with insecure, unstable (I've seen an ATM stuck with a BSOD!) software for such sensitive systems is asinine.
-Cybrex
Boundless Expansion, Self-Transformation, Dynamic Optimism, Intelligent Technology, Spontaneous Order- BEST DO IT SO!
Sleep is for the Weak
If you know you don't need RPC, go to http://www.grc.com/dcom/ I don't use windows myself anymore, aside from an occasional counterstrike binge, but this seems to remove/deactivate the DCOM services without breaking anything major in win2k.
I used to work for Siemens Nixdorf. Their ATMs had a 286 inside and ran on MS-DOS at that time. I'd imagine the logical upgrade cycle would be Windows 2000/XP, so I wouldn't be surprised if most of the ATMs are the same. Though publicity like this may change the trend.
Clearly a conspiracy against an honest, upstanding American corporate icon. It's just sad how you folks will twist the facts.
Is it just my observation, or are there way too many stupid people in the world?
Hopefully those responsible have been sacked, and the new security llamas won't make the same mistakes.
The responsible party will not be fired, the poor dude who actually implemented the dumb decision will be. Chances are the person who implemented these new Windoze machines also complained that they would not be secure. "It was your job to tell me so!" they will tell the poor devil and that will be that. The dumb ass who decided to "standardize" his platform on M$ will continue to make bad decisions that drive the company into the ground. As soon as "something serious" is noticed, those parties responsible might have to answer. It must suck to work for a company dumb enough to trust money to the world's least secure OS.
Friends don't help friends install M$ junk.
So that's how Bill Gates got so rich.
The concept is idiotic. Most vulnerabilities that exist are pull vulnerabilities. You go and download an email message or a web page, run it through MS software, and, bang, you're dead. Firewalls can't help that at all.
Yes, there is amazingly shitty software out there that is vulnerable to push exploits, the only kind a firewall can protect against. You should not be running that software, period, or it should have no connection to the internet at all, because if it manages to have push vulnerabilities, then you know it's got to have dozens of pull ones.
Firewalls are like taping fire-retardant insulation around a clothes dryer so it won't set the house on fire...it will interfere with the proper operation of a dryer, and you shouldn't be running such a dangerous dryer in the first place, it's just going to catch the house on fire eventually, no matter how much insulation you place.
If corporations are people, aren't stockholders guilty of slavery?
I guess they were too busy not "fixing" their voting machines to worry about that little MS patch...
It's ironic that since Diebold is controlled by the republicans, they will be unable to run an open-source OS because that would be communism.
Unfortunately for them, Microsoft operating systems, as we all know, are swiss cheese. It may be that Bill Gates is the last defender of democracy!
Intolerance for ambiguity is the mark of the authoritarian personality.
If an engineer wants to make it clear to a banker why they shouldn't use Embedded XP on an ATM, he has to learn to speak in a language that a banker understands. There is common ground here, it's called security. Bankers are usually keen to listen to suggestions about security.
Here's a suggested analogy: ask a banker if he will publish detailed blueprints of the bank and its security systems. Using an off the shelf OS with default ports open is equivalent to this. Security through obscurity isn't true security, but it sure cuts down on script-kiddie hacks and common internet worms.
I used to wonder what was so holy about a silent night, now I have a child.
Oh yeah. Microsoft consists of complete morons who wouldn't know computer security if it walked up and asked to be put in their products.
If corporations are people, aren't stockholders guilty of slavery?
Like I always said, When companies are born plain and live underscored, they die bold.
See what happens when you embrace Microsoft's shoddy technologies? What more proof do you need that Microsoft must be done away with?
Oh sure... Diebold couldn't manage to apply the RPC patch to WinXP, but did manage to apply an unauthorized patch to the voting machines used in the gubernatorial election in Georgia after the machines had been inspected by elections officials, and the election had a somewhat fishy outcome. Specifically, the candidate who won had been trailing significantly in ALL polls, including media-sponsored third party polls, Democratic AND Republican internal tracking polls, and even exit polls on the day of the election...
Diebold is capable of applying an unauthorized patch to a lot of machines in a very short time to permit political hanky-panky, but can't manage to apply the patch to prevent some security problems. Funny that.
--Mark
"It is nice to know that the computer understands the problem. But I would like to understand it too." --Eugene Wigner
My sentiments exactly!
The weird part is though, why in the world would you be required to depend on RPC (Remote procedure call) capabilities to manage local configuration of your box? Sure sure, no one could possibly ever think of interfering with our own client/server conversation done over a real (as in physically connected and exposed) interface?
What would an EWOULDBLOCK block, if an EWOULDBLOCK could block would? -- me
For several months now I've actually started to get a phobia of cash machines. Every time I'm using one I'm scared that maybe it will process my transaction, but crash before it deals out the money, so I never take out large amounts. I've seen several crashed ATM's or those with some other Windows message; it really pisses me off, but there's no point going into the bank and complaining because they have nothing to do with it and won't even know what you're talking about. In fact one customer complaining means jack to them at any level. I don't even understand why an ATM would be on a network that was open like that, let alone why ANY ATM would need to run Windows XP. Let me reiterate that: the machine has pretty much 2 functions: 1 give you cash, 2 give you a receipt. Just like voting machines they have totally over complicated it for no apparent reason; it doesn't even need multitasking, that's how simple it is. The fact is unquestionable and I challenge anyone to dispute this: Diebold are incompetent.
This comment does not represent the views or opinions of the user.
You're right, it wasn't a threading issue, my bad.
However, It was fairly obvious that the "not allowed to patch" was in response to one of the many, many previous comments saying that if Diebold can't do an ATM, they shouldn't be trusted with votes. Rather than flaming for RTF, flame for clicking the wrong button for a reply.
Gifted programmers? Bah! I've seen the source of the worms. It's not very impressive. When one of them hit back in... 2000 or so, a bunch of my co-workers gathered around to figure the thing out. It was really simple and even though none of us really knew VB script we saw exactly what it was doing in minutes, and then spent a few minutes gleefully thinking of all the improvements we could make to the program to actually make it effective. Then, we went right back to work.
I have yet to see a modern worm/virus/whatever that had any real technical sophistication at all. The fact that there hasn't been a really, uber-nasty worm in the news yet is either because:
Your money is protected by the FDIC and various banking laws. I think the FDIC insures up to $150,000 or so. If you have more than that in an account accessible by ATM then you must be very rich!
And Hillary shot Vince Foster in the head as he performed cunnilingus on her as part of an initiation rite into a super-secret-society of ugly lesbians who actually control the world.
Many kiosk systems run on Windows, and many of them were badly affected by the same virus, including the JobCentre Plus "JobPoints" (9000 or so of them, used by the unemployed to find work) in the UK.
Again, the problem was lack of timely upgrades, and the poor decision to use Microsoft in the first place.
Why people use a Windows OS to run a kiosk when kiosks running DR-DOS, Linux, or a proprietary ROM OS, are more secure, cheaper, easier to maintain, have all the same features, and in fact have it all over Windows-based kiosks in every respect, is one of the great mysteries of the modern age.
Actually I'm surprised there weren't more reported, it's probably just embarrassment making people keep quiet.
And that's the scariest part of all...imagine this nightmare scenario. General Election, USA, 2004. The latest worm hits and attacks every Diebold XP-based voting terminal. Everything grinds to a screeching halt as the voting terminals need to be deloused.
But it's ok, because Diebold gave tons of $$$ to the RNC and to Bush The Younger's reelection campaign. Right????
Knowledge is power. Knowledge shared is power multiplied.
For the most part, you are right. In fact, I remember doing the same thing when Melissa came out. For a bit of an eye-opener, give this a read: http://www.peterszor.com/zmist.pdf. It's an analysis of the W95/Zmist virus. Zombie (the guy who wrote it) was very creative in coming up with ways to integrate his virus into existing files (creative in a sad and destructive kind of way). I agree that most virus writers lack any real skills or imagination (hence the bag-of-hammers crack in the original posting), but there are a few out there, and Zombie seems to be one of them.
All the women at Enron just had to suck dick for their "job" thats why it fell apart oh and to make a cool 100 million for Terry MaCauliffe and other Clinton Cronies.
Why on earth would someone buy ATMs based on Windows?
..
..
Many readers, and average ATM users do not know much about the ATM machines and their operations. And surely banking institutions prefer it that way.
First of all, there was a revolution in the banking industries about a decade ago. Back then, most of the big banks owned their own little companies to produce their own ATM machines. Those who couldn't afford to design and build their own ordered out and prayed for luck. The old machines are proprietary, special pieces of hardware to perform a mediocre job over and over again. Every time a bank needs a new feature, it would take forever to fix or change the design. Therefore the industry moved to a generic design, generic OS and specialized software, similar to the IBM compatible model. Hence design cost, development and maintenance cost were all lowered.
There are several generic ATM makers. NCR, Siemens, Diebold, etc... They all make generic ATM boxes consisting of cash dispenser, card reader, generic display AND a typical AT/ATX box with normal PCI slots, CD-ROM, standard NIC, etc. Each major bank then sets their development teams to work on the hardware platform. After OS/2's demise, the logical choice and the only choice would be running Microsoft Windows NT.
There are several advantages:
. Generic drivers are always plentiful.
. Special drivers to control specialized hw are supported by the manufacturers, not the banks = less cost.
. basically one single standard operating environment = quick change, fix, update = easy management.
That's said. NO bank would trust any 3rd party to develop and maintain their ATMs. They all do it themselves. That means:
. Developing their own NT environments, no stock OS install, limited install (no games, no std apps)
. Developing their own platform and applications that talk to the legacy banking networks.
. Appending complicated encryption using a hardware security module (HSM) via PCI slots.
. Setting up their own automated patching and updating system (not SMS) for thousands of machines located across the country.
That said, the Diebold ATM mentioned in the article is all hogwash. The banking institution was not named, and I doubt that it would be any big one. I believe that the machines could have been running a stock OS and generic ATM apps had they belonged to those shady ATM operators that set up machines in 7/11 stores and other convenience stores.
For almost all of us out there, we all have put our hard-earned money into some decent banking institutions. Right?
This whole story and thread contain a lot of FUDs.
. Diebold manufactures generic ATMs.
. Banks buy them, erase everything, put in their own customized and limited OS (used to be OS/2, now Windows NT/2K)
. Banks also put in their in-house software to run the ATM. They want the OS that would support the latest and better encryption hardware module out there. Hence the choice of Windows for its plethora support of almost every piece of hardware.
. Banks also use their own intranet, secured and accessed only by approved IPs.
. Banks maintain and update the OS/drivers/apps themselves, usually after rigorous testing and certification. It is not likely they would just apply right away any patch-of-the-week from Redmond. Patches would be applied remotely, with encryption.
I do not see any reputable bank in the US using the stock Diebold-provided OS and application. Therefore the blame on Diebold is unfounded.
Despite their shady dealing with the voting machines, Diebold-made ATMs are very stable and solid, hardware-wise. Software problems are the banks' own problems.
Disclaimer:
I am not working with/for Diebold. I used to work with ATMs.
Therefore, I Crash
OK, I can see a VPN or a private network to hook up from ATM's to Mainframes. But WHY would they be on the same network as ANY of the other internal PCs? It sounds like a machine from the internal network, possibly a laptop that went home and back, got infected, and in turn infected the LAN.
This is just scary. This time it was a mindless worm, next time, what if it's a black-hat?
You are correct.
Diebold sells the hardware and driver supports. Anything else needs to be customized and supported by the banks.
I suspect though, that those machines mentioned in the article might be from some of the newer ATM operators. They are the companies that put up ATMs at 7/11 and other convenience stores. They might have bought generic ATMs from Diebold and run stock applications.
As another post in this thread indicates, they surely weren't: the virus most probably entered via an accidentally infected laptop connected directly to the ATM by a maintenance technician.
I'm amazed that those ATMs were connected to the Internet, without apparently even a firewall to block all but necessary ports.
1) If you don't open ports in the first place, they don't have to be blocked either.
2) An ATM has no business accepting connections from anything but the bank's computer; just block everyone, with an exception for that one.
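As an added illustration of the default-deny approach in points 1) and 2) above (example code, not from the thread or from any ATM vendor), here is a host firewall policy for a Linux-based terminal that accepts nothing inbound except replies from the bank host; BANK_HOST, BANK_PORT and ATM_IF are constructed placeholders.

```shell
#!/bin/sh
# Added example: default-deny host firewall for an ATM that talks to one
# bank host only. Assumes Linux with iptables. BANK_HOST, BANK_PORT and
# ATM_IF are constructed placeholders, not values from the article.
BANK_HOST="${BANK_HOST:-192.0.2.10}"
BANK_PORT="${BANK_PORT:-8443}"
ATM_IF="${ATM_IF:-eth0}"

# Print the policy instead of applying it, so it can be reviewed and
# tested before it is loaded on the terminal.
atm_rules() {
    cat <<EOF
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i $ATM_IF -s $BANK_HOST -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $ATM_IF -d $BANK_HOST -p tcp --dport $BANK_PORT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "atm-drop: "
EOF
}

# Load the printed policy on the terminal (requires root).
atm_apply() {
    atm_rules | sh
}

# Pre-deployment check: INPUT must default to DROP and no rule may accept
# an inbound NEW connection (loopback aside), so listeners such as the RPC
# endpoint mapper on TCP 135 that the worm hit are never reachable.
atm_policy_check() {
    rules=$(atm_rules)
    echo "$rules" | grep -q '^iptables -P INPUT DROP$' || return 1
    echo "$rules" | grep -- '-A INPUT' | grep -v -e 'ESTABLISHED' -e '-i lo' \
        | grep -q 'ACCEPT' && return 1
    return 0
}
```

Dropped packets are rate-limited into the kernel log with the "atm-drop:" prefix, which gives the operator a detection signal for scanning hosts on the same LAN.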
What are these things programmed by? MCSEs?
Did common sense go out the window?
It seems unbelievable that ATMs would be connected to the Internet, or to a network that is not totally locked down with no access to/from the Internet.
I didn't read the article, so now you can make fun of me for being a fool, but it seems ridiculous to have ATMs connected to a network that could possibly have a worm worming around it.
LoRider
In fairness and respectability, and not to break your mindset of conspiracy, nepotism, fascism and republicanism, but:
The voting machines in question are not networked. Things don't happen in a networked way with them - basically data transfer is done manually.
In fairness then, if you are looking for a platform for a non-networked kiosk, XPE probably isn't that bad a choice. Clearly better ones exist, but in terms of cost and time of development it doesn't really seem that it's a hideous choice.
At least the last time I was working for an avionics company (Collins), they hadn't accepted the idea that things like comms and navs should have Windows on them...
Baaaaaaaaaaa.
Need Mercedes parts ?
I wrote embedded software for 25 years, in assembler with no O/S. This is one of the scariest things I've ever heard, and about the stupidest.
Literally, the LAST thing ATM firmware needs is Windows.
From this day on I will not use a Diebold ATM machine again, ever. They are not, in my opinion, safe to use.
Need Mercedes parts ?
True enough, but a -true- techie would never even offer the VB alternative as a solution..."I can get you a demo in 3 months" Period.
But then again, I work for a smaller, more progressive company and might have a warped perspective. PHBs aren't a part of my world.
The older I get, the less I like everyone else.
The answer to this is to make a simple, purpose-built program which is INCAPABLE of running externally introduced code.
You mean the ATM can't run advertisements remotely loaded anymore? But we need the advertising revenue! We need consumers to buy online from our ATM advertisements.
The truth shall set you free!
Well, I've driven past it once; does that count? The mirrored windows hide that there is actually a stable inside complete with hay piles, manure shovels, and a shearing booth.
Healthcare article at Kuro5hin
Don't those voting machines have Wireless NICs? Wasn't that one of the things that was pointed out as a serious security flaw?
1) Blame the terrorists. 2) Declare military something or other. 3) Amerika Lives!
You say,
"... the new security llamas won't make the same mistakes."
How about security camels... wait... Security Rottweilers. I got it.
Cool ...
www.opednews.com is linking directly into slashdot. Great to see political progressives uniting with geeks.
-------- -------- Support Wesley Clark for president!!!
Having said that, we'll see lots of posts of an anti-MS nature in response to this story, when in actual fact it's down to bad user practice, patch deployment and the fact that some people get a kick out of writing this stuff in the first place...
Partly true here.
But come on! Why does a dedicated piece of equipment like an ATM need Microsoft RPC? Part of the problem here is bad system design: if you ensure that the vulnerable systems are doing as little as possible, then you can ensure that they are as secure as possible. Plain and simple.
Honestly, having worked with XP Embedded, I would tell you that it is NOT a good choice for the ATM market. I can see it being used in certain server appliances, but not for single-purpose systems like this. It is too general-purpose and not quite as modular as, say, Linux or NetBSD (both of which would have been better choices), though I am sure that there are many better proprietary alternatives as well.
LedgerSMB: Open source Accounting/ERP