Slashdot Mirror


Diebold ATMs hit by Nachi Worm

red floyd writes "The Register is reporting confirmation that Diebold ATMs were hit by the Nachi worm back in August. Apparently some Diebold ATMs run XP Embedded, and got hit with a variant of the RPC DCOM worm. Seems that they hadn't yet applied the available patch."

33 of 414 comments

  1. Diebold spins it. by grub · · Score: 5, Insightful


    A patch for the critical RPC DCOM hole had been available from Microsoft for over a month at the time of the attack, but Diebold had neglected to install it in the infected machines.

    Nice spin, Diebold. I highly doubt these were the only unpatched machines. It's likely more accurate to say "these unpatched machines, of which there are many more, weren't well protected on their respective VPNs". Think about it: the infection had to come from somewhere, right? Other unpatched machines are probably much better protected on their respective private networks.

    --
    Trolling is a art,
    1. Re:Diebold spins it. by Anonymous Coward · · Score: 5, Insightful

      I watched a guy patch an ATM once.

      It was done from a laptop.

      My guess is that an infected laptop managed to screw things up (but no-one would admit to that). If it were because of a network connection, it would have been an 'all or nothing' infection and would've spread like wildfire. I'm not sure how exactly ATMs are connected, but they have to be networked in the grander scale of things for the system to work properly.

      Anyways, my bet is an insecure laptop - that's how most RPC hole attacks I've seen have spread recently. Having said that, we'll see lots of posts of an anti-MS nature in response to this story, when in actual fact, it's down to user bad practise, patch deployment and the fact that some people get a kick out of writing this stuff in the first place...

    2. Re:Diebold spins it. by SatanicPuppy · · Score: 5, Insightful

      It's just as likely to be a scrap of code loaded off the back of a credit card. Why in God's name would anyone use a proven insecure operating system as the base for a series of teller machines? Are ATMs so complex that you need a whole operating system running on the damn things? I seriously doubt it.

      The answer to this is to make a simple, purpose built program, which is INCAPABLE of running externally introduced code. You need to patch? Run the software off a CD/DVD, and when you need to change the code, change the CD. Nothing to get cracked, nothing to get corrupted, nothing but hardwired code. Burn an extended BIOS on a ROM chip to run the physical end. Then lock the whole thing up in a metal box, and BAM, it's as secure as you can make it.

      Diebold should go back to making safes and padlocks, because they sure as hell don't know crap about ATMs and Voting Machines.

      --
      ad logicam: Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
    3. Re:Diebold spins it. by lynx_user_abroad · · Score: 2, Insightful
      The answer to this is to make a simple, purpose built program, which is INCAPABLE of running externally introduced code.

      You are mistaken if you believe a machine can be made secure by making the disk read-only.

      Any machine where the code space is shared with the data space can be compromised, if the system can be induced to execute arbitrary (possibly memory-resident-only) data.

      Even a system where the behavior (code) is hard-wired can be compromised if all the possible permutations of the behavior are not completely understood. There are always unforeseen circumstances under which perfectly correct behavior can produce unintended consequences.

      Why in God's name would anyone use a proven insecure operating system as the base for a series of teller machines?

      Then again, there's a difference between not provably perfect and downright incompetent.

      --

      The thing about things we don't know is we often don't know we don't know them.

    4. Re:Diebold spins it. by pmz · · Score: 5, Insightful

      Why in God's name would anyone use a proven insecure operating system as the base for a series of teller machines?

      Because their executives are idiots and their engineers are sheep.

  2. False sense of security still in effect by RobertB-DC · · Score: 4, Insightful

    From the article:
    "The actual point of service terminal itself getting infected-- that's pretty crazy," said [Windows expert Marc] Maiffret. "But worms are always going to be able to infect a lot more interesting machines than individual intruders are." Moreover, before reaching an ATM network, a human attacker would likely encounter more alluring high-finance targets along the way. "They're going to have to go through a lot of juicer networks first."

    Oh, yeah, that's crazy. As I recall, we discussed this very issue in a previous Slashdot story, and all the experts told us mere geeks that we were ignorant and stupid to even worry about it. Some of the most choice comments came in reply to my own post on the subject.

    Now, even *after* a worm has found its way into an ATM, the "Windows Experts" say there's *still* nothing to worry about.

    Well, ok... I'm not going to worry about my own personal finances, because I'll just ask the bank to reverse any bogus transactions. But if/when some savvy hacker does figure out how to infiltrate an ATM and walks away with a few hundred bucks, someone's going to come up short on their books at the end of the day...

    --
    Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
    1. Re:False sense of security still in effect by Angstroem · · Score: 5, Insightful
      I still don't see any reason why an ATM machine must run a bloated operating system. That thing needs:

      (1) A display driver; any text console is sufficient, but if the banks prefer to show logos and useless graphics, fine, make it a simple framebuffer device.

      (2) A rudimentary keyboard controller; any 4x4 matrix will easily do the job. Make it 8x8 and you have more keys than you'll ever need.

      (3) Some additional hardware controls to perform currency selection and output, and receipt printing.

      (4) A network driver to hook the ATM machine into the banking network plus the relevant service applications including mandatory security services. Shouldn't be much different from setting up credit card terminals, BTDT.

      So why does anyone need anything like a stripped down consumer OS, no matter if it is Windows Embedded or some embedded Linux for that?

      But if I decide to use it, then I better hurry and apply any goddamn bugfix meant to close wide-open security holes. Plus, I keep my networks strictly separated and eventual gateway points heavily firewalled. How could Nachi enter the money transfer network anyway?

      Somebody obviously did not do their homework, both on ATM and network infrastructure design.

    2. Re:False sense of security still in effect by brianosaurus · · Score: 2, Insightful

      ATMs run bloated operating systems for the same reasons that certain web browsers can read email. Because it's possible. ;)

      At some point someone thought it would be really cool to have ATMs with 10" color screens and speakers, so it can show commercials while you wait for your mugger.

      They also seem to be moving away from the keypad. I had the unfortunate experience of using a touch-screen ATM the other day. The touchscreen was horribly calibrated (probably due to the thickness of the glass, and it was probably calibrated by someone kneeling in front of it, instead of standing up). I had to poke around each button for a while, then eventually gave up and used the keypad below when I could.

      It's probably also driven by companies like Diebold who want to keep selling the latest and greatest machines to the banks. And since usability and security are not driving new sales, the boxes have to look "cooler" to sell.

      --
      blog
    3. Re:False sense of security still in effect by RealProgrammer · · Score: 5, Insightful
      A virus like this bypasses zero levels of account security.

      What color is the sky in your world?

      This worm was caught because it wasn't expecting to be on an ATM. It thought it was on just another XP box on some network and started scanning. Suppose the next worm is patient, stealthily looking for ATMs?

      Malignant code could potentially monitor any device I/O it wanted. How about grabbing the bits on your ATM card swipe and saving them in an array with the PIN you just typed? No need to decipher anything, just send a day's worth in a batch and self-destruct.

      The attacker can then recreate your ATM card from the bits on the stripe.

      You're right, we're still safe.

      --
      sigs, as if you care.
    4. Re:False sense of security still in effect by RevAaron · · Score: 2, Insightful

      There is no reason MS could give you a checkbox that allowed RPC requests to be made within the machine itself, but not accepting them from the outside world. Hell, it may be possible already- and easy enough to enable- with some Windows firewalls.

      Can't always blame MS- blocking external RPC calls is something that can and should be done in a firewall. Granted, MS should ship a firewall with their OSes that does it...

      --

      Working toward a usable PDA environment in the spirit of Newton OS: Dynapad
    5. Re:False sense of security still in effect by Krach42 · · Score: 2, Insightful

      I shouldn't have to run a firewall just to make my computer secure.

      I should be able to decide on what services I want to export to the world, and have them all OFF by default. Then, when I find I need something, the OS interface should prompt me that it's disabled, and that to enable it, I'll have to turn on XYZ service, and what that service provides, and exposes me to.

      --

      I am unamerican, and proud of it!
  3. Just goes to show.. by iantri · · Score: 5, Insightful
    I think this just goes to show that consumer operating systems are a bad idea to put on important machines that need to be reliable.

    I'd think QNX or something else very simple and reliable would be a much better choice to run on ATM machines..

  4. Security through obscurity after all? by Alcimedes · · Score: 2, Insightful

    I know everyone always says this is a terrible mindset, but considering how many OS/2 ATMs have been hammered, there might be something to this after all.

    think about the work you'd have to go through to get your hands on OS/2 code to figure out where holes might be.

    then you have to write your own virus. it'll only be aimed specifically at ATMs etc.

    just seems like there's a lot more legwork involved in hitting obscure OSes.

    instead, if they run XP, someone else grabs the code and distributes it. then another person writes a hack and distributes/releases that.

    the end person in this case just needs to take baby steps off of the great strides of others to get a virus that can hit an ATM. sure obscurity shouldn't be a sole security measure, but it seems it would be relatively effective to me.

    1. Re:Security through obscurity after all? by Greyfox · · Score: 1, Insightful
      For some reason there were never a lot of OS/2 viruses. There may have been one or two but I was into that whole scene and I never heard of any. OS/2 used the advanced ring protection features introduced with the 386 to prevent user-level applications from running low-level hardware instructions. There were some convoluted steps you had to go through to execute those instructions, and they would have made a virus much larger and more complex to write than a comparable MS-DOS virus of the time.

      Now that everyone's on the same page with respect to protected mode and all that, OS/2's underlying core should still be pretty secure. These days it's what you build on top of your kernel code that gets you into trouble. I doubt OS/2 will run the latest version of Outlook, but most servers that compile with GCC should be portable to OS/2. So if any of those servers are vulnerable, that would be a potential route of attack for an OS/2 system. Any remaining OS/2 installations are probably running custom-rolled code and not internet services, so even planning an attack out for an OS/2 machine would be a major pain in the ass. Possible, but a pain in the ass.

      --

      I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  5. Uh-huh... by tekiegreg · · Score: 2, Insightful

    And you want their equipment deciding votes, dear god, if you can get a worm on the holy of holies, a cash dispensing machine. I seriously doubt that the next holy machine, a voting machine, should be running Diebold systems.

    Seriously people, embedded proprietary operating software (neither XP or Unix or anything widely made public) is the best way to go with these sacred machines. Worms will have a difficult (tho dare I say impossible) time working their way in. So the problems will hopefully be minimal.

    In short I'm afraid, I'm very afraid

    --
    ...in bed
  6. Someone's going to come up short... by abb3w · · Score: 5, Insightful

    The customers at large will; it will most likely be reflected in higher account/ATM fees. Banks will likely pass on the cost of theft just like merchants do the cost of shoplifting. Which sucks for the honest folk out there... all seventy-two of them.

    --
    //Information does not want to be free; it wants to breed.
  7. It's ridiculous. by Short Circuit · · Score: 4, Insightful

    Every company makes mistakes. Running Windows XP is a mistake a lot of companies and people make.

    The reason this is Slashdotworthy is that it is the same Diebold. The people who submit stories are hostile towards Diebold, and it's only to be expected that some of those hostile stories would make it through.

    I'm sure a lot more vital-service machines than just those built by Diebold were hit. A story on the range of systems, maybe with ATMs as a highlight, would have been more appropriate.

    Not ranting at you, just wasting karma, that's all.

  8. Why not? by devross · · Score: 3, Insightful

    Despite the allure of hard cash, don't expect to see a rash of made-for-Hollywood ATM hacks -- machines around the country suddenly spitting out wads of 20s at random, said Marc Maiffret, Windows expert and "chief hacking officer" at California-based eEye Digital Security.

    Hey, why not? Nachi wasn't tailored for ATMs, but it still got a few. Imagine a virus/worm that _was_ meant specifically for ATMs. I bet something like that could achieve a pretty big impact.

    Ah well. Just my $.02

    --

    If these walls could talk they'd probly still ignore me. --MF DOOM
  9. Just lame by GillBates0 · · Score: 5, Insightful
    "But worms are always going to be able to infect a lot more interesting machines than individual intruders are." Moreover, before reaching an ATM network, a human attacker would likely encounter more alluring high-finance targets along the way. "They're going to have to go through a lot of juicer networks first."

    Just the fact that ATM machines are reachable from the public Internet is a huge cause of concern to me. A VPN connection without an intervening firewall at the ATM machine itself (which they claim they are installing now) is plain ridiculous.

    You are then just hoping that none of the insiders will try to sabotage the machines, either knowingly, or unknowingly because of an infected laptop etc. They have to realize that VPN is a VIRTUAL PRIVATE network, and NOT a dedicated line, and hence, security measures have to be MUCH stronger than if it was a REAL private connection. Does it take rocket science to figure that out?

    And then there's that quote from the "Windows expert and chief hacking officer" that malicious hackers will probably not go for ATM machines, even though they are reachable/hackable, because of other "juicier targets", presumably the bank network itself. Most malicious hackers would do it just for the fun of making an ATM machine spew out cash, if they figure out they can make it do that. That is a very lame assumption from a security expert.

    And finally, for your reading convenience, here's an earlier /. story which mentions that 65% of the ATMs will be running a stripped down version of Windows by 2005.

    --
    An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
  10. Re:They wouldn't be allowed to patch it anyways by j-turkey · · Score: 2, Insightful
    Not to defend Diebold, but they wouldn't even be allowed to patch the systems.

    I'm with you on this one...which is not to say that I agree with Diebold's business practices. However, it's not Microsoft's fault if some butthead forgot to patch their system -- the same way it's not RedHat's fault if some butthead forgot to patch their system and got owned. How can Diebold be blamed here? It's the eu's responsibility to maintain their system.

    Now I don't know anything about ATM machines and associated contracts...but I assume that responsibility of maintenance either falls into the hands of the owner of the machine, or the bank issuing the cash -- not the manufacturer.

    --Turkey
    --

    -Turkey

  11. Why does an ATM need XP? by corebreech · · Score: 4, Insightful

    We're talking about a dumb terminal here, aren't we? Let the user login with his card, enter a passcode, then enter input which gets sent to a server somewhere to be processed and which sends back either output to be displayed to the user or output to be read by the machine which gives you your money.

    The same criticism applies to Diebold's voting machines.

    This is why Linux would be such an ideal solution. No application of Linux has impressed me more than the (now sadly defunct) Linux Router Project, simply because it demonstrated how for many tasks most of the operating system amounted to nothing more than ballast. They were able to boot a router from a floppy.

    This is how I think an ATM--or a voting machine--should work. The amount of software should be kept to an absolute minimum if for no other reason than that it minimizes complexity, and in these kinds of applications, complexity is the mother of all evil.

    And in the case of the voting machines, it would also greatly assist in auditing the code and making sure that what you think is executing is what's executing.

  12. How do we know? by mcc · · Score: 4, Insightful

    Without specific code that targets ATMs, this is merely a generic nuisance that happened to hit what some consider a sensitive device. ...
    Scary when you think what could happen, and frustrating when you think of the loss of trust in the security admins. But let's keep this in perspective. Nothing serious happened and it's a big step to get to where something serious will happen

    How do you know something serious didn't happen?

    So the Nachi worm hit these machines, and it's big and obvious, and it breaks the machines. But the Nachi worm moves by brute force; it hit these ATMs by accident. How do we know that during the time before the ATMs were hit, someone with actual, targeted, malicious intent didn't at some point hit a few of the ATMs using the same exploit Nachi did?

    If someone doing it on purpose had hit the ATMs, they could have done something much more subtle. Something that wouldn't have been noticed the way the Nachi worm was, something that (given how unconcerned everyone seems about this) probably wouldn't be noticed at all, even after the Nachi incident. Something like a small patch to the ATM UI that quietly records the ATM card number, personal information, and PIN# of everyone who uses that ATM, then quietly dumps that somewhere on the internet later. It wouldn't be that difficult, and the Nachi thing simply proves it's possible.

    It's not a big step at all to get to the point where something serious could happen. It's barely even a step at all, as it's just a step of exactly the distance between a worm hitting an ATM at random and someone with a little bit of intent, knowledge, and time sitting down and deciding they're going to hack an ATM.

  13. Re:Diebold incompetence, not Windows by DavidTC · · Score: 2, Insightful
    I know, what the fuck is with ATMs?

    I understand some transactions have to go over the network, and it's not at all obvious when that happens...for example, your PIN is not confirmed when you type it in, it's sent with any transaction you request, as you will discover if you mistype it. The machine will let you in and you can pretend to do things, and then it will talk to the bank and kick you out.

    But there are things that cannot, under any circumstances, be explained by network delays.

    I do a fast cash, okay? The ATM has to do several things...it sends the request over the network, confirming I am me. This happens in a reasonable amount of time, and I get a nice message on the screen.

    Next the machine does three things: Print a receipt, eject my card, and kick out my money. How the fuck does that part take fifteen seconds? And it's not some poorly designed money sorter, as my money comes out first. Then a five second pause, then it ejects my card, and then a five second pause, and it starts printing.

    It's completely absurd for a computer now. Hell, it would be absurd for a computer 30 years ago.

    It should be starting all those operations at the same time, this is the year 2003, we have multitasking. It should take maybe four seconds total as your receipt prints and the money sorter does its work.

    --
    If corporations are people, aren't stockholders guilty of slavery?
  14. Greer, Pfleeger, Schneier et al. were right ... by JonKatzIsAnIdiot · · Score: 4, Insightful

    Greer, Pfleeger, Schneier, Metzger and the rest of the contributing authors of CyberInsecurity: The Cost of Monopoly were right. This incident proves it. The most likely source of the infection is an infected laptop being plugged into the protected network. Had the ATMs been running a different operating system - even the ancient OS/2 - they would not have been infected.

    It is also very interesting to note that they only found the worm because the infected machines tripped the IDS with excessive network traffic. From this we can infer:
    1. A worm that was less aggressive with its scans would probably not have been detected and could possibly still be operating today.
    2. They probably don't have any host-based intrusion detection systems in place. No automated file integrity checking, no authorized process lists.

    It's a good thing for us that the worm and virus writers (thus far) have been gifted programmers, but otherwise dumber than a bag of hammers. A well-written subtle worm could probably cripple most of the developed world.
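    The post above lists two host-based controls it believes were missing, automated file integrity checking and authorized process lists. The following is an added example, not code from the thread or from any ATM vendor, of the first of those: it baselines a directory tree by SHA-256 digest and later reports files that were added, removed or modified. The directory layout, file names and "tampering" in demo() are constructed for the illustration.

    ```python
    """Host-based file-integrity check: baseline a directory tree, then diff it.

    Added example (not from the thread). The file names and the tampering
    performed in demo() are constructed; in practice the baseline is taken
    from a known-good image and stored off the host.
    """
    import hashlib
    import os
    import tempfile
    from pathlib import Path


    def hash_file(path: Path, chunk_size: int = 65536) -> str:
        """SHA-256 of a file, streamed so large binaries are not read into memory at once."""
        digest = hashlib.sha256()
        with path.open("rb") as handle:
            for chunk in iter(lambda: handle.read(chunk_size), b""):
                digest.update(chunk)
        return digest.hexdigest()


    def build_baseline(root: Path) -> dict:
        """Map every regular file under root (relative POSIX path) to its digest."""
        manifest = {}
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in sorted(filenames):
                full = Path(dirpath) / name
                if full.is_symlink() or not full.is_file():
                    continue  # symlinks and special files are out of scope for this example
                manifest[full.relative_to(root).as_posix()] = hash_file(full)
        return manifest


    def compare(baseline: dict, current: dict) -> dict:
        """Classify the differences between two manifests."""
        old, new = set(baseline), set(current)
        return {
            "added": sorted(new - old),
            "removed": sorted(old - new),
            "modified": sorted(p for p in old & new if baseline[p] != current[p]),
        }


    def demo() -> dict:
        """Constructed scenario: take a baseline, then alter the tree and re-check."""
        with tempfile.TemporaryDirectory() as tmp:
            root = Path(tmp)
            (root / "bin").mkdir()
            (root / "bin" / "atmapp.exe").write_bytes(b"original application image")
            (root / "config.ini").write_text("timeout=30\n")
            (root / "readme.txt").write_text("unchanged\n")
            baseline = build_baseline(root)

            # Changes made after the baseline (constructed): a patched binary,
            # a dropped file, and a deleted configuration file.
            (root / "bin" / "atmapp.exe").write_bytes(b"original application image\x90\x90")
            (root / "bin" / "dropped.exe").write_bytes(b"unexpected new binary")
            (root / "config.ini").unlink()

            return compare(baseline, build_baseline(root))


    if __name__ == "__main__":
        for kind, paths in demo().items():
            print(f"{kind}: {paths}")
    ```

    A check like this only works if the baseline manifest lives somewhere the monitored host cannot rewrite it and the comparison runs from outside the host's own trust boundary; a manifest stored on the same disk can be edited along with the files it describes.
    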

  15. Re:Embedded XP? What were they thinking? by Anne Thwacks · · Score: 2, Insightful
    WTF goes through somebody's head when they decide to use MS Windows for an embedded project?!
    Hell, they don't come easier than that:
    phb to techie: How quick can you get me a demo of the new embedded project?
    techie to phb: I can do you a really crap one in 1 hour with Visual Basic, but we will need to code the proper one in C, and that will take 3 months
    phb to client: The system will be ready tomorrow

    --
    Sent from my ASR33 using ASCII
  16. OT: Sendmail by red floyd · · Score: 2, Insightful

    Yeah, but remember, sendmail was designed in the "good old days", when there were maybe a few hundred hosts, and people on the Net trusted each other!

    --
    The only reason we have the rights we have is that people just like us died to gain those rights. -- Cheerio Boy
  17. Re:Ain't karma a bitch? by TyrranzzX · · Score: 3, Insightful

    Screw linux. I'd rather see the banking companies running something obscure and reliable like a unix variant or some custom software. If I were a bank director I'd invest considerable capital in a decent secure standards based banking system or I'd consider unix before I'd consider linux or windows. My guess is that the banks wanted to implement the systems and new features faster than they cared about customers' security which is, from my understanding, not a big deal.

    I guess their system works a lot like Las Vegas's in the sense that if someone steals a million bucks from a casino it leaves a paper trail. They then sic the bounty hunters on you; this system is effective. I remember awhile back someone stole 7 million from a casino in Las Vegas and 3 days later the car was found by the cops, still running, in the wrong direction facing Las Vegas.

    Any hacker with sufficient knowledge of these systems isn't going to try to crash them because they will quickly realize that by destroying these systems they're screwing over and creating millions of desperate people, both people who can't access their accounts and companies who can't put out paychecks on time.

    But, the main reason I'm guessing they chose windows was for the features. Windows has lots of features and useless crap and when you hire someone to fix the system you don't have to train them as much. Plus, you get good support from microsoft and nice salesman to walk off the cliff with you.

    I'd feel a bit better if their security was better. When your bank doesn't give a shit if you lose a few hundred dollars, or next month's rent, to a hack I think most people have a problem with that and they aren't going to be calling anyone except the cops to try to catch the person who did it, especially if they continuously do it.

  18. Windows Infected. Oops... I mean Embedded. by halfabee · · Score: 3, Insightful

    We had a similar problem when the Nachi worm got loose on our network... After scurrying about and patching all of our desktops and servers, we still had Nachi hiding out on our network. Every time I built a new computer with an unpatched image, it got infected. In the end, the culprit was an Iomega NAS device (for those who are unfamiliar with it, this is a network storage appliance... think RAID array with a NIC.) We have two on our network. The older one, running FreeBSD kernel, had no problems, but the newer "Windows Powered" unit needed patching. For anyone dealing with this problem, nmap will be your savior. Scan your network and look for machines with TCP port 707 open running an "unknown" service. Those are your infected computers.

    --
    -- Halfabee
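    The post above gives a concrete network indicator: infected hosts show TCP port 707 open with an "unknown" service. The following is an added example, not from the post or from nmap itself, that applies that indicator to nmap's grepable (-oG) output, so a scan of a whole subnet can be reduced to the list of hosts worth pulling off the network. The scan lines are constructed here in the -oG field layout (port/state/protocol/owner/service/rpcinfo/version/); the addresses and host names are invented.

    ```python
    """Flag hosts matching the Nachi indicator from the post (TCP 707 open, service 'unknown')
    in nmap grepable (-oG) output.

    Added example, not from the original post. SAMPLE_SCAN is a constructed
    sample in the -oG field layout; the addresses and names are invented.
    """

    NACHI_PORT = 707  # the indicator port given in the post

    SAMPLE_SCAN = """\
    # Nmap scan of 10.0.0.0/28 (constructed sample)
    Host: 10.0.0.2 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///\tIgnored State: closed (998)
    Host: 10.0.0.3 ()\tPorts: 135/open/tcp//msrpc///, 707/open/tcp//unknown///\tIgnored State: closed (998)
    Host: 10.0.0.4 ()\tStatus: Down
    Host: 10.0.0.5 (nas-old)\tPorts: 22/open/tcp//ssh///, 445/open/tcp//microsoft-ds///\tIgnored State: filtered (998)
    Host: 10.0.0.6 (nas-new)\tPorts: 135/open/tcp//msrpc///, 707/open/tcp//unknown///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (997)
    Host: 10.0.0.7 ()\tPorts: 707/closed/tcp//unknown///\tIgnored State: closed (999)
    """


    def parse_grepable(scan_text: str) -> dict:
        """Return {host_ip: [(port, state, proto, service), ...]} from -oG text.

        Hosts reported with no Ports field (for example 'Status: Down') map to [].
        """
        hosts = {}
        for line in scan_text.splitlines():
            if not line.startswith("Host: "):
                continue  # comment lines and the trailing summary
            fields = line.split("\t")
            ip = fields[0].split()[1]
            entries = []
            for field in fields[1:]:
                if not field.startswith("Ports: "):
                    continue
                for entry in field[len("Ports: "):].split(", "):
                    parts = entry.split("/")
                    # port/state/protocol/owner/service/rpcinfo/version/
                    entries.append((int(parts[0]), parts[1], parts[2], parts[4]))
            hosts[ip] = entries
        return hosts


    def find_suspect_hosts(scan_text: str, port: int = NACHI_PORT) -> list:
        """Hosts with the indicator port open over TCP, in scan order."""
        suspects = []
        for ip, entries in parse_grepable(scan_text).items():
            if any(p == port and state == "open" and proto == "tcp"
                   for p, state, proto, _service in entries):
                suspects.append(ip)
        return suspects


    if __name__ == "__main__":
        for ip in find_suspect_hosts(SAMPLE_SCAN):
            print(f"{ip}: TCP/{NACHI_PORT} open - isolate and re-image")
    ```

    Note that a closed 707 (10.0.0.7 in the sample) is deliberately not reported, and that a port indicator is only a triage aid: the hosts it flags should be confirmed by process inspection before being re-imaged, and hosts it misses (a variant on another port, or a host the scan could not reach) are still possible.
    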
  19. diebold, diebold. by Mad Quacker · · Score: 2, Insightful

    1. Create Nachi variation that makes diebold machines all vote republican (or only a few percent extra), including the paper ticket the voter doesn't see.

    2. Wait

    3. World Domination.

    Don't even need access to the machine, zero accountability, to the paper trail, to diebold, to the republican party, etc.

    Fight it like the plague :)

    --
    "I don't know that atheists should be considered citizens, nor should they be considered patriots." George HW Bush
  20. Re:And this company... by Slime-dogg · · Score: 2, Insightful

    I wonder why they even bother using TCP/IP at all. It would make sense to have some kind of proprietary protocol in this matter, since we don't want to have all the security issues that are present on the net present in the ATM machine.

    ATM machines shouldn't be connected to the internet, which means TCP/IP is optional. This would be security through obscurity at its finest. Eliminate ports altogether.

    --
    You need to restart your computer. Hold down the Power button for several seconds or press the Restart button.
  21. Re:Diebold incompetence, not Windows by eightheadsofdoom · · Score: 3, Insightful

    atms are equipped with secure IBM-manufactured crypto cards, and check the pin themselves with a complicated algorithm involving the card number and an offset stored on the magnetic stripe

    That doesn't make sense, seeing as I can walk into the bank and have them change my PIN to something mnemonic. Is this stripe getting overwritten each time? Because I know they don't give you a new card to change that PIN...
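    The quoted description in the post above (a PIN check involving the card number and a stored offset) matches a well-known family of bank PIN-verification schemes: a "natural" PIN is derived from the account number under a secret key held in the crypto hardware, and a per-customer offset turns that into the PIN the customer chose. The example below is added here to show that mechanism and is not code from the thread or from any vendor; it says nothing about where a particular bank keeps the offset. It substitutes HMAC-SHA256 for the DES block encryption the original hardware uses, and the key, decimalization table and account number are all constructed.

    ```python
    """Offset-based PIN verification, as an illustration of the scheme quoted above.

    Added example, not from the post. HMAC-SHA256 stands in for the block
    cipher used by real PIN-verification hardware; the key, the
    decimalization table and the PAN used in demo() are constructed.
    """
    import hashlib
    import hmac

    # Maps the 16 hex digits of the keyed digest onto decimal digits (constructed table).
    DECIMALIZATION_TABLE = str.maketrans("0123456789abcdef", "0123456789012345")


    def natural_pin(pan: str, pvk: bytes, length: int = 4) -> str:
        """Derive the 'natural' PIN for an account number under the PIN verification key."""
        digest = hmac.new(pvk, pan.encode("ascii"), hashlib.sha256).hexdigest()
        return digest.translate(DECIMALIZATION_TABLE)[:length]


    def offset_for(pan: str, pvk: bytes, chosen_pin: str) -> str:
        """Offset to store so that the customer's chosen PIN verifies (digit-wise mod 10)."""
        nat = natural_pin(pan, pvk, len(chosen_pin))
        return "".join(str((int(c) - int(n)) % 10) for c, n in zip(chosen_pin, nat))


    def verify_pin(pan: str, pvk: bytes, offset: str, entered_pin: str) -> bool:
        """Recompute the expected PIN from natural PIN + offset and compare in constant time."""
        if len(entered_pin) != len(offset) or not entered_pin.isdigit():
            return False
        nat = natural_pin(pan, pvk, len(offset))
        expected = "".join(str((int(n) + int(o)) % 10) for n, o in zip(nat, offset))
        return hmac.compare_digest(expected, entered_pin)


    def demo() -> dict:
        """Constructed walk-through: issue a card, then let the customer change the PIN."""
        pan = "4111111111111111"                       # constructed account number
        pvk = b"constructed-pin-verification-key"      # would live inside the HSM
        first_offset = offset_for(pan, pvk, "1234")    # PIN chosen at issue time
        new_offset = offset_for(pan, pvk, "9876")      # customer picks a mnemonic PIN later
        return {
            "natural_pin_unchanged": natural_pin(pan, pvk) == natural_pin(pan, pvk),
            "old_pin_verifies_with_old_offset": verify_pin(pan, pvk, first_offset, "1234"),
            "new_pin_verifies_with_new_offset": verify_pin(pan, pvk, new_offset, "9876"),
            "old_pin_rejected_after_change": verify_pin(pan, pvk, new_offset, "1234"),
            "offsets_differ": first_offset != new_offset,
        }


    if __name__ == "__main__":
        for check, outcome in demo().items():
            print(f"{check}: {outcome}")
    ```

    The point the example makes is that the key and the account number fix the natural PIN, so changing a customer's PIN only requires writing a new offset wherever offsets are kept; nothing derived from the key has to be reissued.
    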

  22. Proven secure? by kylef · · Score: 2, Insightful
    Yeah yeah mod me down if you must but I'd feel much better having embedded Linux (or some other proven secure system) watching my money thank you.

    When you find a "proven secure" operating system, make sure you let everyone know about it. As of the 25th of November 2003, they are as common as the Unicorn and the Free Lunch. That is to say, they don't exist.

  23. What about voting machines? by Bytesmiths · · Score: 2, Insightful
    Hell, viruses in ATMs are NOTHING! I'm sure CEOs of firms like Enron and Worldcom are much more a threat to the economy.

    What worries me is that Diebold is one of the leading makers of voting machines. Are these machines also subject to such hacking?

    The "Diebold Memos" circulating on the web document the insecurity of their voting machines. Also food for conspiracy theorists: Diebold CEO is a close friend of Dubya, Diebold contributed $300,000 to Dubya's last campaign, and they promised to "deliver Ohio" to Bush in the next election -- a state that has a large majority of Diebold voting machines.