Slashdot Mirror


Diebold ATMs hit by Nachi Worm

red floyd writes "The Register is reporting confirmation that Diebold ATMs were hit by the Nachi worm back in August. Apparently some Diebold ATMs run XP Embedded, and got hit with a variant of the RPC DCOM worm. Seems that they hadn't yet applied the available patch."

15 of 414 comments

  1. Ain't karma a bitch? by i_want_you_to_throw_ · · Score: 3, Interesting

    The same Diebold that has grossly insecure voting machines? The same Diebold that is abusing copyright claims and is being sued by EFF and students.

    Well ain't karma a bitch Diebold?

    What I am concerned about is whether or not my bank that I use uses Embedded XP for their ATMs. If so then I might have to consider switching banks. Not just because of this but because MS based systems are so notoriously insecure. Yeah yeah mod me down if you must but I'd feel much better having embedded Linux (or some other proven secure system) watching my money thank you.

    FYI if you're using Union Federal you might want to start looking around now,... hehe

  2. And this company... by j0keralpha · · Score: 4, Interesting

    Wants us to trust them to run our electorate system? Let's face it, this was a VERY easily preventable oversight. These machines should have survived without patching by installing a rudimentary port blocker of some form. There is no reason RPC should be exposed by an ATM. If they are leaving ATMs wide open, I don't know how we're supposed to expect their Voting Machines to work.

  3. Diebold with the voting machines by ACK!! · · Score: 4, Interesting

    The CEO said that he would do whatever he can to deliver Ohio or some place to Bush.

    The same people that build machines with no paper trail for vote auditing.

    They also do not patch their ATMs.

    This really gives me confidence for the upcoming elections.

    --
    ACK /ak/ interj. 2. [from the comic strip "Bloom County"] An exclamation of surprised disgust, esp. i
  4. Why are ATMs unprotected on the Internet anyway? by Ryu2 · · Score: 3, Interesting

    I'm amazed that those ATMs were connected to the Internet, without apparently even a firewall to block all but necessary ports.

    --
    There's 10 types of people in this world, those who understand binary and those who don't.
  5. RPC vulnerability by UnknowingFool · · Score: 4, Interesting

    I am not a Windows Expert, but why is RPC important in an ATM? Is this something in embedded XP that should be disabled for certain applications like ATMs? If RPC should have been turned off then it's also the fault of Diebold not to configure the machines properly and MS for leaving it enabled by default.

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.
  6. DHCP errors by jbrw · · Score: 4, Interesting

    Around about this time I saw an ATM in Mayfair, London, with a windows error message in the middle of the screen. It was complaining that a DHCP server couldn't be found, and was happily waiting for someone to come along and click on the OK button.

    Mashing the keypad didn't seem to help. I guess sooner or later they would have realised the ATM had disappeared and would have sent a tech out to press reset or something.

  7. Diebold incompetence, not Windows by SuperBanana · · Score: 4, Interesting
    The same Diebold that has grossly insecure voting machines [slashdot.org]?

    Funny- I was just at the ATM today, and I glanced down and saw the Diebold tag. They're pieces of crap- barely a few years old, nobody cleans them, the screens are dim and usually require breaking your finger- and they're SLOW as molasses. Slow as in "I have only three or four things I can do but it still takes me a minute to give you cash"- and it can't all be explained away by network latency. Things like the machine sitting there locked up for 20 seconds or more after the last person leaves, before it will unlock the card slot. What is it doing, debating the meaning of life? It's a fucking ATM machine. It makes you wonder if the whole thing is written in really, really bad VB...or maybe Flash.

    In any case- I agree with the parent. I could care less what the thing runs, as long as they're competent. The voting machines demonstrated that they're completely incompetent. This just goes to show that our suspicion that they're -also- probably incompetent at making secure ATMs.

  8. Embedded XP? What were they thinking? by Cajun+Hell · · Score: 5, Interesting
    WTF goes through somebody's head when they decide to use MS Windows for an embedded project?!

    Windows' strength, pretty much its only strength, is legacy compatibility. But an ATM doesn't need to run Excel or some 8-year-old custom Visual Basic application that an irresponsible manager got the company locked into. Really, it's ok to use decent software for embedded projects, nothing should hold you back.

    Using Windows in an ATM, sounds like a classic application of the saying: "When the only tool you have is a hammer, every problem looks like a nail."

    --
    "Believe me!" -- Donald Trump
  9. Re:False sense of security still in effect by Ciderx · · Score: 3, Interesting

    The problem here is you actually believe that the security of an ATM is that skin deep. Well, let me just say I'd trust Microsoft more about security than someone whose idea of security is "if they manage to do something to the ATM, then that's it, we all may as well go home".

    The level of infiltration here is nothing. It's vastly less penetration than, say, someone who finds your lost card and tries it in a machine. At least then, they have bypassed one level of account security. A virus like this bypasses zero levels of account security.

    But, hey, don't let me stop your mindless Microsoft bashing...

  10. Re:Diebold spins it. by Anonymous Coward · · Score: 3, Interesting

    In all honesty I'd say that Embedded XP is a pretty awful choice, you want something you can fit and forget. While it's nice to poke fun at M$ every once in a while, it gets boring, and someday the Schadenfreude is gonna backfire.

    Heh! Although the picture of having a bunch of guys driving all over every Wednesday to patch a truckload of ATMs is kinda amusing...

    Thinking about it that way, it'd be all too easy for them to not admit they made the wrong software choice, or to neglect patching altogether until something went wrong. As far as choice of XP goes: you have to look at why they chose it - range of development tools, range of platforms that it runs on, etc. etc. security probably wasn't (stupidly) high on their list.

  11. ATM Horror by h4rm0ny · · Score: 5, Interesting


    A few years ago when I was a naive young UNIX programmer I came to the cash machine and got the fright of my life. There, floating over the blocky PIN login screen was a Windows Illegal Error box.

    Up until that moment I had always assumed the cash machines were running some specially written firmware on specially made hardware. This was a massively important and widespread system after all.

    Oh - how young I was.

    --

    Aide-toi, le Ciel t'aidera - Jeanne D'Arc.
    1. Re:ATM Horror by Angst+Badger · · Score: 4, Interesting

      Up until that moment I had always assumed the cash machines were running some specially written firmware on specially made hardware. This was a massively important and widespread system after all.

      I had assumed they were 8-bit machines, probably packing a 6502 or a Z80, with an EEPROM containing all of the necessary code. I made this assumption because that should be enough to handle ATM operations, the actual computing hardware would be cheap and secure, and that block font most of them use is the same as the uppercase-only font on the early Apple II machines.

      I walked up to an ATM this past weekend and saw an OS/2 error window floating over the simulated bitmap font. I was grateful it wasn't Windows, but still...

      --
      Proud member of the Weirdo-American community.
  12. I think it wasn't even two months ago... by justsomenick · · Score: 3, Interesting

    ... that I read that the Bank of America will migrate all their ATMs from OS/2 to Windows. The reason for that, according to the spokeswoman, was that "Windows made it easier to secure the ATMs". I hope they know what they're doing, but if I were a BofA customer, that sure would be a reason to switch banks (my current bank -fortunately- still uses OS/2) until the security of Windows ATMs were thoroughly proven.

  13. Re:False sense of security still in effect by Jaysyn · · Score: 3, Interesting

    ATMs aren't mission critical, like a respirator or guidance system in a plane. I.E. you aren't going to be able to sue a bank if their ATM network goes down. (Not that I agree on using Win-anything on a kiosk type device)

    Jaysyn

    --
    There is a war going on for your mind.
  14. Re:Diebold spins it. by austad · · Score: 5, Interesting

    Most Diebold ATMs run OS/2. But there's a push from some banks for them to install Windows on them, even though the banks don't manage them. I used to work for a company that had ATMs with Diebold, and the engineer I talked to was unhappy that they were putting Windows on them, but it's customer demand. It's simply some jackass that works for a bank and thinking they should run Windows, when he has no idea how an ATM even works.

    As far as VPNs go, for the most part, the ATMs either dial up, or are connected to a LAN that has some sort of WAN connection back to its respective bank. I don't know of any that use VPNs, although it is entirely possible. Keep in mind that Diebold simply provides the machines and fixes them when they break, it's up to the bank or whoever to provide the connectivity and other supporting servers/equipment.

    --
    Need Free Juniper/NetScreen Support? JuniperForum