Diebold ATMs hit by Nachi Worm

red floyd writes "The Register is reporting confirmation that Diebold ATMs were hit by the Nachi worm back in August. Apparently some Diebold ATMs run XP Embedded, and got hit with a variant of the RPC DCOM worm. Seems that they hadn't yet applied the available patch."

22 of 414 comments

  1. Re:Just goes to show.. by iii_rjm · · Score: 2, Informative

    Back in the day QNX had a strong presence on ATM machines.

  2. Diebold ATM (in)Security by Anonymous Coward · · Score: 5, Informative

    My company provides vulnerability assessment and penetration testing services to financial services clients and we crack these things all the time.

    The old ones run OS/2 v3.0 and a vulnerable version of sendmail, the slightly newer ones run Windows NT 4.0, with almost no patches installed and a default username and password.

    Once you gain access, it is possible to directly control the hardware using the utilities already on the system, including dumping the cash drawer :) The latest ones run either Windows 2000 or Windows XP, and have almost the same software as the Windows NT systems, just with more vulnerabilities.

    At this point Diebold has not patched ANY of the RPC vulnerabilities, let alone the Messenger or Workstation bugs. Each of these ATMs is connected to an ethernet segment somewhere waiting for someone to rob it.

    During the Blaster peak, a friend of mine was talking about the XP ATMs in London constantly rebooting... They put these cmd-shell-waiting-to-happen boxes directly on the Internet. Thank god for companies like Diebold and Microsoft, their problems created a market and a community that is still picking up steam.

    1. Re:Diebold ATM (in)Security by Anonymous Coward · · Score: 1, Informative

      These systems were in production and located on the client's internal segment. The attack can be carried out from a cracked VPN connection or simply by using their restroom to install an ethernet tap and WiFi point above the ceiling tiles. Enjoy the Arby's =P

  3. Re:Why are ATMs unprotected on the Internet anyway by grub · · Score: 2, Informative


    I'm amazed that those ATMs were connected to the Internet

    Maybe they weren't. You needn't be connected to the internet to catch a worm. Any LAN/WAN/VPN will do.

    --
    Trolling is a art,
  4. What impact to ATMs, other than going offline? by Slider451 · · Score: 5, Informative

    There's no personal data stored in an ATM. It's just a dumb terminal.

    And Nachi basically makes the machine unusable.

    Without specific code that targets ATMs, this is merely a generic nuisance that happened to hit what some consider a sensitive device.

    Scary when you think what could happen, and frustrating when you think of the loss of trust in the security admins. But let's keep this in perspective. Nothing serious happened and it's a big step to get to where something serious will happen.

    Hopefully those responsible have been sacked, and the new security llamas won't make the same mistakes.

    --
    Nostalgia isn't what it used to be.
  5. Re:RPC vulnerability by kobaz · · Score: 5, Informative

    I am no Windows expert here. But I tried disabling as many services as possible for a Win2k server I built for someone. When I disabled RPC and rebooted, the machine no longer functioned. Apparently RPC is a critical service that needs to be running in order for Windows to function properly.

    I had to boot up in safe mode and do some registry hacking to get RPC back up and running, because everything from Windows Explorer to Control Panel to MSIE would fail to load. After I managed to turn RPC back on, the machine worked "perfectly". As perfect as a Windows machine can operate, hah.

    --

    The goal of computer science is to build something that will last at least until we've finished building it.
  6. Re:Why are ATMs unprotected on the Internet anyway by thedillybar · · Score: 2, Informative

    I'm amazed that those ATMs were connected to the Internet, without apparently even a firewall to block all but necessary ports.

    The ATMs are not connected to the Internet. They are on an intranet, most likely with other ATMs and their database server, hopefully nothing more.

    Agreed there is no firewall. The original idea was probably only to allow trusted machines onto the intranet in the first place. This follows the same logic (or lack-thereof) of people that don't use firewalls because they're behind a NAT.

    The problem is allowing machines that were once on the Internet (and thus, may be tainted) onto the intranet. When some employee hooks up his laptop to work on an ATM, it probably connects to the intranet to let the database server know he's messing with it. The problem is that he was on the Internet yesterday and got infected with a worm/virus, which is now spreading itself through the intranet. The result: a tainted machine on a network that was intended only for trusted machines.

    I think the idea of a Sygate firewall on every individual machine is a great idea. This will be a rather easy improvement to make (at least for new ATMs) and will give each individual ATM its own security against intranet intruders. Thus, when a tainted machine gets on the trusted network, the ATMs have (at least a little) self-defense.

  7. Re:False sense of security still in effect by Elwood+P+Dowd · · Score: 2, Informative

    Now, even *after* a worm has found its way into an ATM, the "Windows Experts" say there's *still* nothing to worry about.

    Where do you get that? The only people arguing that this is ok is Diebold. And we already knew they were unethical. What Windows Expert is saying there's nothing to worry about in regards to this story?

    --

    There are no trails. There are no trees out here.
  8. Re:False sense of security still in effect by jrumney · · Score: 4, Informative
    So why does anyone need anything like a stripped-down consumer OS, no matter if it is Windows Embedded or some embedded Linux for that?

    Because it is a lot easier to develop the software if it can be debugged on the developer's PC. Most embedded OS's have been based on POSIX or stripped down Win32 APIs for years now (QNX and Paradigm being two examples I've personally used over 5 years ago).

  9. Diebold voting machines... by joebeone · · Score: 2, Informative
    Diebold voting machines run Windows CE... a properly tailored worm could take advantage of their code (especially if it is as poorly written as the rest of their elections software) and bring an election day to a halt. Also note that they don't have to get the drivers and CE software certified by states and feds, as they claim it is COTS (commercial off the shelf) even though they write tons of code in house for CE.

    For more see Jim March's comments to the CA Secretary of State here

  10. Unfortunately, he's right... by ghettoboy22 · · Score: 2, Informative

    I work at a major financial services company as well, and he's right. The entire ATM network is being migrated over to public Internet structure, and OS/2 is being phased out for XP.

    *sigh*

  11. Re:Diebold spins it. by garrulous · · Score: 3, Informative

    I believe they generally are connected via STUN to a front end processor, newer models are using data link switching without the FEP so they are likely to have greater vulnerability to bug in a box schemes.

  12. Re:Why are ATMs unprotected on the Internet anyway by j0217995 · · Score: 2, Informative

    As someone who works in a bank, I have seen a Diebold repair tech hook up his laptop directly to the ATM to do some work on it. So the laptop could have been the one that was infected.

    Also, most of the program information comes from the Processing Center that is driving the ATMs, which are all on a network. For example, when we changed ATM Processors, the tech had to connect to the system and get a "load" from the new processing center to connect. These ATMs are connected over some form of leased line.

    I am glad to know that our ATMs are running OS/2 Warp and were unaffected by this bug

  13. Re:Why does an ATM need XP? by Anonymous Coward · · Score: 1, Informative
    When you're talking about embedded systems, there ain't that much that's different between XP and Linux -- they are both steaming piles of turd.

    Or put another way: why does an ATM need Linux?

    A proprietary or even COTS RTOS would be a much, much better fit, I think. Exactly for the reasons you cite (i.e. it isn't really doing a heck of a lot).

  14. Re:False sense of security still in effect by alfredw · · Score: 4, Informative

    A number of ATMs also run a stripped-down version of OS/2. Thank god. Unfortunately, Microsoft is pushing vendors to move to Windows as IBM is soon to discontinue OS/2 support.

    --
    In Soviet Russia, sig types you!
  15. Re:Diebold incompetence, not Windows by sxpert · · Score: 3, Informative

    Nope. ATMs are equipped with secure IBM-manufactured crypto cards, and check the PIN themselves with a complicated algorithm involving the card number and an offset stored on the magnetic stripe.
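    The PIN check described above matches the IBM 3624 PIN offset scheme; what follows is an added example, not code from the post or from any ATM vendor, and it assumes that scheme. Because single DES is not in the Python standard library, HMAC-SHA256 stands in for the block encryption step, and the key, PAN and decimalization table are constructed placeholders.

```python
import hashlib
import hmac

# Assumption: the scheme the comment describes is the IBM 3624 PIN offset method.
# Real crypto cards encrypt the validation data with single DES under a PIN
# verification key (PVK). DES is not in the standard library, so HMAC-SHA256 is
# substituted as the keyed pseudo-random function; decimalization and the
# offset arithmetic are unchanged.

# Decimalization table: maps each hex digit of the keyed output to a decimal digit.
DECIMALIZATION_TABLE = str.maketrans("0123456789abcdef", "0123456789012345")


def natural_pin(pvk: bytes, validation_data: str, pin_length: int = 4) -> str:
    """Derive the 'natural' PIN implied by the key and the account data."""
    block = hmac.new(pvk, validation_data.encode("ascii"), hashlib.sha256).hexdigest()
    return block.translate(DECIMALIZATION_TABLE)[:pin_length]


def pin_offset(pvk: bytes, validation_data: str, customer_pin: str) -> str:
    """Offset written to the magnetic stripe: digit-wise (customer - natural) mod 10.
    The stripe never carries the PIN itself, and the PVK never leaves the crypto card."""
    nat = natural_pin(pvk, validation_data, len(customer_pin))
    return "".join(str((int(c) - int(n)) % 10) for c, n in zip(customer_pin, nat))


def verify_pin(pvk: bytes, validation_data: str, offset: str, entered_pin: str) -> bool:
    """What the ATM's crypto card does: rebuild the PIN from PVK, PAN and offset,
    then compare in constant time. A length mismatch simply fails."""
    nat = natural_pin(pvk, validation_data, len(offset))
    expected = "".join(str((int(n) + int(o)) % 10) for n, o in zip(nat, offset))
    return hmac.compare_digest(expected, entered_pin)


if __name__ == "__main__":
    # Constructed sample values: a placeholder key and a test PAN.
    pvk = bytes.fromhex("0123456789abcdeffedcba9876543210")
    pan = "4000123456789010"
    offset = pin_offset(pvk, pan, "1234")
    print("stripe offset:", offset)
    print("correct PIN accepted:", verify_pin(pvk, pan, offset, "1234"))
    print("wrong PIN rejected:", not verify_pin(pvk, pan, offset, "1243"))
```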

  16. "network" != Internet by FenderGeek · · Score: 2, Informative

    Ok, I happen to work for a fairly large financial institution that has several Diebold ATMs, although ours all run OS/2 and therefore aren't vulnerable.

    That being said, and after actually RTFA, I'd say Diebold played their cards pretty close to their chest on this one, because they didn't give a lot of detail. For all intents and purposes, these machines are very "dumb". They have just enough information to operate the machinery and communicate with the host. Everything actually involving getting account information, adjusting balances for withdrawals/deposits, etc. gets done remotely. All the ATMs are "driven" by a controller that actually handles the account information.

    As a result, these machines have to be in constant communication over a network with the host. In our case, this is a private network over leased lines that never gets anywhere near "The Internet". However, like I said, they are still in constant communication with the host (a.k.a. "server"), which has to be tied in to the bank's network in order to pass messages back and forth regarding user's accounts. This host runs Windows NT/2000/whatever.

    Ok try to keep up now...
    So, (1) the Nachi worm comes in through the Internet and infects any random machine on the network. (2) That machine starts spreading to the rest of the network, eventually (3) getting to the ATM host ("server") machine. (4) The host, through its own private network with the ATM machines, now infects all the ATMs. Before you know it, Bob's your uncle, and your totally-removed-from-the-Internet ATM machines are now infected because of one PC workstation with an opening.

    Now I'm not defending Diebold here. What they did was stupid, and is exactly why we're still running an ancient OS on our machines. I'm just trying to enlighten those that seem to think their every transaction is buzzing through the open 'Net.

    --
    One only needs two tools in life: WD-40 to make things go, and duck tape to make them stop. ~G.M. Weilacher
  17. Re:Microsoft excuse hierarchy by EvilTwinSkippy · · Score: 2, Informative
    Excqueeze me? Logic Police...

    QNX runs aircraft, missiles, and satellites. I would dare say that security IS a design consideration.

    Linux and BSD scale down to PDA's and data recorders. You just pick your flavor and go. And first you claim Linux is bloated, and then that SELinux has no apps.

    As far as a microkernel OS, I'm not sure what you are talking about. Microkernel is design feature for future expansion and development. Performance and security are on par with everything else. I think Linux has done a pretty good job of showing how a monolithic kernel can run everything from a wristwatch to a supercomputer.

    Our problem is not that we have NO embedded OS's. One has to simply select the best one for the application.

    --
    "Learning is not compulsory... neither is survival."
    --Dr.W.Edwards Deming
  18. IBM warned 'em by Cybrex · · Score: 5, Informative

    The timing on this is perfect, as I just read an article yesterday (in InfoWeek, I believe) about the effect of IBM's plan to discontinue OS/2 support on ATM manufacturers. The article was a couple of months old, but focused on them suggesting that financial institutions migrate their ATMs to Linux instead of Windows. It seems that the big ATM manufacturers (including Diebold, which featured heavily in the article) are leaning heavily toward Windows despite IBM's recommendation that they go with Linux. Their attitude is that they're running Windows on the back end, so they want it in the ATMs as well.

    Well, now they're getting what they wanted, and I doubt that they'll learn from this. Large banks seem to have a monolithic mindset that's averse to anything new. They're also decidedly pro-Microsoft.

    IBM offers some very effective solutions for integrating Linux-based ATMs with both UNIX and Windows-based back end systems. That companies like Diebold insist on going with insecure, unstable (I've seen an ATM stuck with a BSOD!) software for such sensitive systems is asinine.

    -Cybrex

    --
    Boundless Expansion, Self-Transformation, Dynamic Optimism, Intelligent Technology, Spontaneous Order- BEST DO IT SO!
  19. Re:ATM Horror by zrail · · Score: 3, Informative

    The Navy does use Windows NT. See here.

    Choice quote: The Navy selected NT 4.0 as the standard operating system aboard the Yorktown for its reliability, functionality, low cost and ease of integration, said Lt. Danny Bethel, Yorktown's electronics material officer. NT runs the Yorktown's integrated bridge, engineering, condition assessment and damage control systems.

  20. Re:ATM Horror by Chris+Burke · · Score: 2, Informative

    Yes.

    It was a divide-by-zero error in the application which subsequently took down the entire operating system. At the time, MS pointed out that the divide-by-zero was the application's fault, not theirs. Smart people pointed out that any operating system that can't handle a common application fault like divide by zero is complete shit.

    --

    The enemies of Democracy are
  21. Re:Diebold spins it. by nathanh · · Score: 2, Informative
    Just a thought... how hard would it be to make an operating system that only executed signed code?

    Trivial. You could modify the Linux ELF loader to do this right now.

    The problem is in proving that the signed code is not flawed. For example, the Xbox was compromised despite only executing signed code because Goldeneye had an overflow bug. Also you might remember the ActiveX signing was ridiculed when somebody managed to get Microsoft's signature on a program that simply rebooted your machine.

    And there are always bugs in the design of the program, not just the implementation. For example, any program that has a scripting language with RW access to data is a potential security hole. Or something more stupid like an e-mail client that trusted any attachments it received. The e-mail program might be signed but if the payload is dangerous (and isn't an executable) then you are still screwed.

    Also you need to prove that the OS itself does not have any vulnerabilities.

    It's not so simple as "we're secure because we only execute signed code".