Diebold ATMs hit by Nachi Worm
red floyd writes "The Register is reporting confirmation that Diebold ATMs were hit by the Nachi worm back in August. Apparently some Diebold ATMs run XP Embedded, and got hit with a variant of the RPC DCOM worm. Seems that they hadn't yet applied the available patch."
The same Diebold that has grossly insecure voting machines? The same Diebold that is abusing copyright claims and is being sued by EFF and students.
Well ain't karma a bitch Diebold?
What I am concerned about is whether or not my bank that I use uses Embedded XP for their ATMs. If so then I might have to consider switching banks. Not just because of this but because MS based systems are so notoriously insecure. Yeah yeah mod me down if you must but I'd feel much better having embedded Linux (or some other proven secure system) watching my money thank you.
FYI if you're using Union Federal you might want to start looking around now,... hehe
Wants us to trust them to run our electorate system? Let's face it, this was a VERY easily preventable oversight. These machines should have survived without patching by installing a rudimentary port blocker of some form. There is no reason RPC should be exposed by an ATM. If they are leaving ATMs wide open, I don't know how we're supposed to expect their Voting Machines to work.
The CEO said that he would do whatever he can to deliver Ohio or some place to Bush.
The same people that build machines with no paper trail for vote auditing.
They also do not patch their ATMs.
This really gives me confidence for the upcoming elections.
ACK
I'm amazed that those ATMs were connected to the Internet, without apparently even a firewall to block all but necessary ports.
There's 10 types of people in this world, those who understand binary and those who don't.
I am not a Windows Expert, but why is RPC important in an ATM? Is this something in embedded XP that should be disabled for certain applications like ATMs? If RPC should have been turned off then it's also the fault of Diebold not to configure the machines properly and MS for leaving it enabled by default.
Well, there's spam egg sausage and spam, that's not got much spam in it.
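The two comments above ask why RPC was reachable at all and why no port blocker stood in front of it. As an added example (not from the article or any commenter), the following Go program runs the two checks a defender would apply to a perimeter firewall log: which source is sweeping neighbours on one port, and which hosts accepted the connection. The log lines, addresses and the ACCEPT/DROP format are constructed; TCP 135 is the RPC endpoint mapper port the Nachi (Welchia) worm targeted.

```go
package main

import (
	"fmt"
	"sort"
)

type conn struct{ src, dst, port, verdict string } // one firewall log record
// Constructed log excerpt (not from the article): 10.1.1.5 sweeps the ATM
// subnet on TCP 135, 10.9.9.1 is ordinary HTTPS traffic.
var sampleLog = []conn{
	{"10.1.1.5", "10.2.0.11", "135", "ACCEPT"},
	{"10.1.1.5", "10.2.0.12", "135", "ACCEPT"},
	{"10.1.1.5", "10.2.0.13", "135", "DROP"},
	{"10.1.1.5", "10.2.0.14", "135", "ACCEPT"},
	{"10.9.9.1", "10.2.0.11", "443", "ACCEPT"},
	{"10.9.9.1", "10.2.0.12", "443", "ACCEPT"},
}

// sweep returns sources that probed port on at least minTargets distinct
// destinations (the neighbour sweep an infected host performs), and the
// destinations that ACCEPTed the port, i.e. hosts with no port blocker in
// front of the service. Both lists come back sorted.
func sweep(conns []conn, port string, minTargets int) (scanners, exposed []string) {
	targets := map[string]map[string]bool{}
	accepted := map[string]bool{}
	for _, c := range conns {
		if c.port != port {
			continue
		}
		if targets[c.src] == nil {
			targets[c.src] = map[string]bool{}
		}
		targets[c.src][c.dst] = true
		if c.verdict == "ACCEPT" && !accepted[c.dst] {
			accepted[c.dst] = true
			exposed = append(exposed, c.dst)
		}
	}
	for src, dsts := range targets {
		if len(dsts) >= minTargets {
			scanners = append(scanners, src)
		}
	}
	sort.Strings(scanners)
	sort.Strings(exposed)
	return scanners, exposed
}

func main() { fmt.Println(sweep(sampleLog, "135", 3)) }
```

In a real deployment the second list is the one to act on first: an ATM that accepts inbound 135 from anywhere is exposed whether or not a sweep has reached it yet.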
Around about this time I saw an ATM in Mayfair, London, with a Windows error message in the middle of the screen. It was complaining that a DHCP server couldn't be found, and was happily waiting for someone to come along and click on the OK button.
Mashing the keypad didn't seem to help. I guess sooner or later they would have realised the ATM had disappeared and would have sent a tech out to press reset or something.
Funny- I was just at the ATM today, and I glanced down and saw the Diebold tag. They're pieces of crap- barely a few years old, nobody cleans them, the screens are dim and usually require breaking your finger- and they're SLOW as molasses. Slow as in "I have only three or four things I can do but it still takes me a minute to give you cash"- and it can't all be explained away by network latency. Things like the machine sitting there locked up for 20 seconds or more after the last person leaves, before it will unlock the card slot. What is it doing, debating the meaning of life? It's a fucking ATM machine. It makes you wonder if the whole thing is written in really, really bad VB...or maybe Flash.
In any case- I agree with the parent. I could care less what the thing runs, as long as they're competent. The voting machines demonstrated that they're completely incompetent. This just confirms our suspicion that they're -also- probably incompetent at making secure ATMs.
Windows' strength, pretty much its only strength, is legacy compatibility. But an ATM doesn't need to run Excel or some 8-year-old custom Visual Basic application that an irresponsible manager got the company locked into. Really, it's ok to use decent software for embedded projects, nothing should hold you back.
Using Windows in an ATM, sounds like a classic application of the saying: "When the only tool you have is a hammer, every problem looks like a nail."
"Believe me!" -- Donald Trump
The problem here is you actually believe that the security of an ATM is that skin deep. Well, let me just say I'd trust Microsoft more about security than someone whose idea of security is "if they manage to do something to the ATM, then that's it, we all may as well go home".
The level of infiltration here is nothing. It's vastly less penetration than, say, someone who finds your lost card and tries it in a machine. At least then, they have bypassed one level of account security. A virus like this bypasses zero levels of account security.
But, hey, don't let me stop your mindless Microsoft bashing...
Most ATMs used OS/2 until they started bloating the hell out of them for silly crap like colorful graphics, animations, etc...
The text-based ATMs from the 1990s are perfectly fine; whatever idiot thought we needed MPEG videos of how to use the damn thing in the help menu (or a help menu to begin with) needs to be beaten to death.
It's a farking ATM... leave it text based and working please!
In all honesty I'd say that Embedded XP is a pretty awful choice, you want something you can fit and forget. While it's nice to poke fun at M$ every once in a while, it gets boring, and someday the Schadenfreude is gonna backfire.
Heh! Although the picture of having a bunch of guys driving all over every Wednesday to patch a truckload of ATMs is kinda amusing...
Thinking about it that way, it'd be all too easy for them to not admit they made the wrong software choice, or to neglect patching altogether until something went wrong. As far as the choice of XP goes: you have to look at why they chose it - range of development tools, range of platforms that it runs on, etc. etc. Security probably wasn't (stupidly) high on their list.
I remember when the tech weenies at the post office were big Windows lovers. The post office bought the new Loral letter sorting machines that used QNX. Soon the techies were singing the praises of QNX. Never once did I see a lick of trouble with the computers. The only times the techies had to come was for upgrades and hardware troubles and periodic mandated maintenance.
Do you KNOW otherwise? Have you read about Diebold's voting machines? The ones that store stuff in MS Access databases without even password protection? Have you seen the inner workings of the ATMs to know that they have further security?
Part of the issue is that if a random worm can get into the ATM, a worm carrying dangerous payload (like one that installs a driver to capture keypresses and data being printed to receipts) could also find its way in.
The other part is that we really don't know what goes on inside an ATM. We know we enter a PIN, and money comes out the little slot, but really its a black box. We don't know that there are many levels of security. We don't know if our accounts are safe, even if the underlying operating system is compromised.
We do know that some new ATMs which run on Windows XP were compromised. So what will Diebold and Microsoft and our banks do to convince us that everything is still OK?
A few years ago when I was a naive young UNIX programmer I came to the cash machine and got the fright of my life. There, floating over the blocky PIN login screen, was a Windows Illegal Error box.
Up until that moment I had always assumed the cash machines were running some specially written firmware on specially made hardware. This was a massively important and widespread system after all.
Oh - how young I was.
Aide-toi, le Ciel t'aidera - Jeanne D'Arc.
If they can't even bother to patch Windows on ATMs, which is a much more competitive market, why would they secure our voting machines? The Federal Election Commission (FEC) should require an ISO9001-style process certification for all voting equipment vendors, but with more security criteria. Diebold's bank customers can fire them and recover the money, but the botched 2004 election will be an unrecoverable error.
--
make install -not war
The customers at large will; it will most likely be reflected in higher account/ATM fees. Banks will likely pass on the cost of theft just like merchants do the cost of shoplifting.
Yet another cost to society for the widespread use of Microsoft software.
I'll see your senator, and I'll raise you two judges.
... that I read that the Bank of America will migrate all their ATMs from OS/2 to Windows. The reason for that, according to the spokeswoman, was that "Windows made it easier to secure the ATMs". I hope they know what they're doing, but if I were a BofA customer, that sure would be a reason to switch banks (my current bank -fortunately- still uses OS/2) until the security of Windows ATMs were thoroughly proven.
When you can use something like this. Write the whole thing in C (not quite standard) or buy the realtime OS for it. Then you'd have only what you need and no other stuff that is a possible exploit.
ATMs aren't mission critical, like a respirator or guidance system in a plane, i.e. you aren't going to be able to sue a bank if their ATM network goes down. (Not that I agree on using Win-anything on a kiosk-type device.)
Jaysyn
There is a war going on for your mind.
The answer to this is to make a simple, purpose-built program which is INCAPABLE of running externally introduced code. You need to patch? Run the software off a CD/DVD, and when you need to change the code, change the CD. Nothing to get cracked, nothing to get corrupted, nothing but hardwired code. Burn an extended BIOS onto a ROM chip to run the physical end. Then lock the whole thing up in a metal box, and BAM, it's as secure as you can make it.
Just a thought... how hard would it be to make an operating system that only executed signed code?
"A mind is a terrible thing to taste."
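The two comments above propose a purpose-built program that cannot run externally introduced code, and ask how hard an OS that only executes signed code would be. As an added example (not from the article or any commenter), here is the core of that rule in Go: a loader holding a trust list of Ed25519 public keys that refuses any image whose signature does not verify. The program image, the vendor and attacker keys and the Loader type are all constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Loader refuses any program image that does not carry a valid signature
// from a key in its trust list, the "only execute signed code" rule the
// comment above asks for. The trust list would live in read-only storage.
type Loader struct{ trusted []ed25519.PublicKey }

// Run returns true only when the image verifies under a trusted key; a
// real loader would execute it at that point, here we just report.
func (l Loader) Run(image, sig []byte) bool {
	for _, pub := range l.trusted {
		if ed25519.Verify(pub, image, sig) {
			return true
		}
	}
	return false
}

// demo builds a constructed scenario: a vendor key that is trusted, an
// attacker key that is not, and three attempts to run code.
func demo() (signedOK, tamperedRejected, untrustedRejected bool, err error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	loader := Loader{trusted: []ed25519.PublicKey{vendorPub}}
	image := []byte("atm-app v1.0 (constructed program image)")
	sig := ed25519.Sign(vendorPriv, image)

	signedOK = loader.Run(image, sig)
	tampered := append([]byte{}, image...)
	tampered[0] ^= 0xff // one flipped bit breaks the signature
	tamperedRejected = !loader.Run(tampered, sig)
	// Code signed with a key outside the trust list is refused as well.
	untrustedRejected = !loader.Run(image, ed25519.Sign(attackerPriv, image))
	return
}

func main() { fmt.Println(demo()) }
```

The hard part in practice is not the verify call but keeping the trust list and the loader itself out of reach of whatever the loader is protecting against, which is why the comment's read-only media and ROM suggestion matters.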
Most Diebold ATMs run OS/2. But there's a push from some banks for them to install Windows on them, even though the banks don't manage them. I used to work for a company that had ATMs with Diebold, and the engineer I talked to was unhappy that they were putting Windows on them, but it's customer demand. It's simply some jackass who works for a bank thinking they should run Windows, when he has no idea how an ATM even works.
As far as VPNs go, for the most part, the ATMs either dial up or are connected to a LAN that has some sort of WAN connection back to its respective bank. I don't know of any that use VPNs, although it is entirely possible. Keep in mind that Diebold simply provides the machines and fixes them when they break; it's up to the bank or whoever to provide the connectivity and other supporting servers/equipment.
Need Free Juniper/NetScreen Support? JuniperForum
Why on earth would someone buy ATMs based on Windows?
Many readers, and average ATM users do not know much about the ATM machines and their operations. And surely banking institutions prefer it that way.
First of all, there was a revolution in the banking industry about a decade ago. Back then, most of the big banks owned their own little companies to produce their own ATM machines. Those who couldn't afford to design and build their own ordered out and prayed for luck. The old machines are proprietary, special pieces of hardware that perform a mediocre job over and over again. Every time a bank needs a new feature, it takes forever to fix or change the design. Therefore the industry moved to a generic design, generic OS and specialized software, similar to the IBM-compatible model. Hence design cost, development and maintenance cost were all lowered.
There are several generic ATM makers: NCR, Siemens, Diebold, etc. They all make generic ATM boxes consisting of a cash dispenser, card reader, generic display AND a typical AT/ATX box with normal PCI slots, CD-ROM, standard NIC, etc. Each major bank then sets its development teams to work on the hardware platform. After OS/2's demise, the logical choice and the only choice would be running Microsoft Windows NT.
There are several advantages:
. Generic drivers are always plentiful.
. Special drivers to control specialized hardware are supported by the manufacturers, not the banks = less cost.
. Basically one single standard operating environment = quick change, fix, update = easy management.
That said, NO bank would trust any 3rd party to develop and maintain their ATMs. They all do it themselves. That means:
. Developing their own NT environments: no stock OS install, limited install (no games, no std apps)
. Developing their own platform and applications that talk to the legacy banking networks.
. Appending complicated encryption using a hardware security module (HSM) via PCI slots.
. Setting up their own automated patching and updating system (not SMS) for thousands of machines located across the country.
Hence, the Diebold ATM mentioned in the article is all hogwash. The banking institution was not named, and I doubt that it would be any of the big ones. I believe that the machines could have been running a stock OS and generic ATM apps had they belonged to those shady ATM operators that set up machines in 7/11 stores and other convenience stores.
For almost all of us out there, we all have put our hard-earned money into some decent banking institutions. Right?