Diebold ATMs hit by Nachi Worm

red floyd writes "The Register is reporting confirmation that Diebold ATMs were hit by the Nachi worm back in August. Apparently some Diebold ATMs run XP Embedded, and got hit with a variant of the RPC DCOM worm. Seems that they hadn't yet applied the available patch."

Diebold spins it.

[grub]

A patch for the critical RPC DCOM hole had been available from Microsoft for over a month at the time of the attack, but Diebold had neglected to install it in the infected machines.

Nice spin, Diebold. I highly doubt these were the only unpatched machines. It's likely more accurate to say "these unpatched machines, of which there are many more, weren't well protected on their respective VPNs". Think about it: the infection had to come from somewhere, right? Other unpatched machines are probably much better protected on their respective private networks.

Re:Diebold spins it.

I watched guy patch an ATM once.

It was done from a laptop.

My guess is that an infected laptop managed to screw things up (but no-one would admit to that). If it were because of a network connection, it would have been an 'all or nothing' infection and would've spread like wildfire. I'm not sure how exactly ATMs are connected, but they have to be networked in the grander scale of things for the system to work properly.

Anyways, my bet is an unsecure laptop - that's how most RPC hole attacks I've seen have spread recently. Having said that, we'll see lots of posts of an anti-MS nature in response to this story, when in actual fact, it's down to user bad practise, patch deployment and the fact that some people get a kick out of writing this stuff in the first place...

Re:Diebold spins it.

[SatanicPuppy]

It's just as likely to be a scrap of code inloaded off the back of a credit card. Why in Gods name would anyone use a proven insecure operating system as the base for a series of teller machines? Are ATMs so complex that you need a whole operating system running on the damn things? I seriously doubt it.

The answer to this is to make a simple, purpose built program, which is INCAPABLE of running externally introduced code. You need to patch? Run the software off a CD/DVD, and when you need to change the code, change the CD. Nothing to get cracked, nothign to get corrupted, nothing but hardwired code. Burn an extended BIOS on a rom chip to run the physical end. Then lock the whole thing up in a metal box, and BAM its as secure as you can make it.

Diebold should go back to making safes and padlocks, because they sure as hell don't know crap about ATMs and Voting Machines.

Re:Diebold spins it.

[pmz]

Why in Gods name would anyone use a proven insecure operating system as the base for a series of teller machines?

Because their executives are idiots and their engineers are sheep.

False sense of security still in effect

[RobertB-DC]

From the article:
"The actual point of service terminal itself getting infected-- that's pretty crazy," said [Windows expert Marc] Maiffret. "But worms are always going to be able to infect a lot more interesting machines than individual intruders are." Moreover, before reaching an ATM network, a human attacker would likely encounter more alluring high-finance targets along the way. "They're going to have to go through a lot of juicer networks first."

Oh, yeah, that's crazy. As I recall, we discussed this very issue in a previous Slashdot story, and all the experts told us mere geeks that we were ignorant and stupid to even worry about it. Some of the most choice comments came in reply to my own post on the subject.

Now, even *after* a worm has found its way into an ATM, the "Windows Experts" say there's *still* nothing to worry about.

Well, ok... I'm not going to worry about my own personal finances, because I'll just ask the bank to reverse any bogus transactions. But if/when some savvy hacker does figure out how to infiltrate an ATM and walks away with a few hundred bucks, someone's going to come up short on their books at the end of the day...

Re:False sense of security still in effect

[Angstroem]

I still don't see any reason why a ATM machine must run a bloated operating system. That thing needs:

(1) A display driver; any text console is sufficient, but if the banks prefer to show logos and useless graphics, fine, make it a simple framebuffer device.

(2) A rudimentary keyboard controller; any 4x4 matrix will easily do the job. Make it 8x8 and you have more keys you'll ever need.

(3) Some additional hardware controls to perform currency selection and output, and receipt printing.

(4) A network driver to hook the ATM machine into the banking network plus the relevant service applications including mandatory security services. Shouldn't be much different from setting up credit card terminals, BTDT.

So why does anyone need anything like a striped down consumer OS, no matter if it is Windows Embedded or some embedded Linux for that?

But if I decide to use it, then I better hurry and apply any goddamn bugfix meant to close wide-open security holes. Plus, I keep my networks strictly separated and eventual gateway points heavily firewalled. How could Nachi enter the money transfer network anyway?

Somebody obviously did not make their homework, both on ATM and network infrastructure design.

Re:False sense of security still in effect

[RealProgrammer]

A virus like this bypasses zero levels of account security.

What color is the sky in your world?

This worm was caught because it wasn't expecting to be on an ATM. It thought it was on just another XP box on some network and started scanning. Suppose the next worm is patient, stealthily looking for ATMs?

Malignant code could potentially monitor any device I/O it wanted. How about grabbing the bits on your ATM card swipe and saving them in an arrary with the PIN you just typed? No need to decipher anything, just send a day's worth in a batch and self-destruct.

The attacker can then recreate your ATM card from the bits on the stripe.

You're right, we're still safe.

Just goes to show..

[iantri]

I think this just goes to show that consumer operating systems are a bad idea to put on important machines that need to be reliable.

I'd think QNX or something else very simple and reliable would be a much better choice to rnu on ATM machines..

Someone's going to come up short...

[abb3w]

The customers at large will; it will most likely be reflected in higher account/ATM fees. Banks will likely pass on the cost of theft just like merchants do the cost of shoplifting. Which sucks for the honest folk out there... all seventy-two of them.

It's rediculous.

[Short+Circuit]

Every company makes mistakes. Running Windows XP is a mistake a lot of companies and people make.

The reason this is Slashdotworthy is that it is the same Diebold. The people who submit stories are hostile towards Diebold, and it's only to be expected that some of those hostile stories would make it through.

I'm sure a lot more vital-service machines than just those built by Diebold were hit. A story on the range of systems, maybe with ATMs as a highlight, would have been more appropriate.

Not ranting at you, just wasting karma, that's all.

Just lame

[GillBates0]

"But worms are always going to be able to infect a lot more interesting machines than individual intruders are." Moreover, before reaching an ATM network, a human attacker would likely encounter more alluring high-finance targets along the way. "They're going to have to go through a lot of juicer networks first."

Just the fact that ATM machines are reachable from the public Internet is a huge cause of concern to me. A VPN connection without an intervening firewall at the ATM machine itself (which they claim they are installing now) is plain ridiculous.

You are then just hoping that none of the insiders will try to sabotage the machines, either knowingly, or unknowingly because of an infected laptop etc. They have to realize that VPN is a VIRTUAL PRIVATE network, and NOT a dedicated line, and hence, security measures have to be MUCH more stronger than if it was a REAL private connection. Does it take rocket science to figure that out?

And then there's that quote from the " Windows expert and "chief hacking officer" that malocious hackers will probably not go for ATM machines, even though they are reachable/hackable, because of other "jucier targets", presumably the bank network itself. Most malicious hackers would do it just for the fun of making an ATM machine spew out cash, if they figure out they can make it do that. That is a very lame assumption from a security expert.

And finally, for your reading convenience, here's an earlier /. story which mentions that 65% of the ATMs will be running a stripped down version of Windows by 2005.

Why does an ATM need XP?

[corebreech]

We're talking about a dumb terminal here, aren't we? Let the user login with his card, enter a passcode, then enter input which gets sent to a server somewhere to be processed and which sends back either output to be displayed to the user or output to be read by the machine which gives you your money.

The same criticism applies to Diebold's voting machines.

This is why Linux would be such an ideal solution. No application of Linux has impressed me more than the (now sadly defunct) Linux Router Project, simply because it demonstrated how for many tasks most of the operating system amounted to nothing more than ballast. They were able to boot a router from a floppy.

This is how I think an ATM--or a voting machine--should work. The amount of software should be kept to an absolute minimum if for no other reason than that it minimizes complexity, and in these kinds of applications, complexity is the mother of all evil.

And in the case of the voting machines, it would also greatly assist in auditing the code and making sure that what you think is executing is what's executing.

How do we know?

[mcc]

Without specific code that target's ATMs, this is merely a generic nuisance that happened to hit what some consider a sensitive device. ...
Scary when you think what could happen, and frustrating when you think of the loss of trust in the security admins. But let's keep this in perspective. Nothing serious happened and it's a big step to get to where something serious will happen

How do you know something serious didn't happen?

So the Nachi worm hit these machines, and its big and obvious, and it breaks the machines. But the Nachi worm moves by brute force; it hit these ATMs by accident. How do we know that during the time before the ATMs were hit, someone with actual, targetted, malicious intent didn't at some point hit a few of the ATMs using the same exploit Nachi did?

If someone doing it on purpose had hit the ATMs, they could have done something much more subtle. Something that wouldn't have been noticed the way the Nachi worm was, something that (given how unconcerned everyone seems about this) probably wouldn't be noticed at all, even after the Nachi incident. Something like a small patch to the ATM UI that quietly records the ATM card number, personal information, and PIN# of everyone who uses that ATM, then quietly dumps that somewhere on the internet later. It wouldn't be that difficult, and the Nachi thing simply proves its possible.

It's not a big step at all to get to the point where something serious could happen. It's barely even a step at all, as it's just a step of exactly the distance between a worm hitting an ATM at random and someone with a little bit of intent, knowledge, and time sitting down and deciding they're going to hack an ATM.

Greer, Pfleeger, Schneier et. al. were right ...

[JonKatzIsAnIdiot]

Greer, Pfleeger, Schneier, Metzger and the rest of the contributing authors of CyberInsecurity: The Cost of Monopoly were right. This incident proves it . The most likely source of the infection is an infected laptop being plugged into the protected network. Had the ATM's been running a different operating system - even the ancient OS/2 - they would not have been infected.

It is also very interesting to note that they only found the worm because the infected machines tripped the IDS with excessive network traffic. From this we can infer:
1. A worm that was less aggressive with it's scans would probably not have been detected and could possibly still be operating today.
2. They probably don't have any host-based intrusion detection systems in place. No automated file integrity checking, no authorized process lists.

It's a good thing for us that the worm and virus writers (thus far) have been gifted programmers, but otherwise dumber than a bag of hammers. A well-written subtle worm could probably cripple most of the developed world.