Slashdot Mirror


Diebold ATMs hit by Nachi Worm

red floyd writes "The Register is reporting confirmation that Diebold ATMs were hit by the Nachi worm back in August. Apparently some Diebold ATMs run XP Embedded, and got hit with a variant of the RPC DCOM worm. Seems that they hadn't yet applied the available patch."

34 of 414 comments

  1. Diebold spins it. by grub · · Score: 5, Insightful


    A patch for the critical RPC DCOM hole had been available from Microsoft for over a month at the time of the attack, but Diebold had neglected to install it in the infected machines.

    Nice spin, Diebold. I highly doubt these were the only unpatched machines. It's likely more accurate to say "these unpatched machines, of which there are many more, weren't well protected on their respective VPNs". Think about it: the infection had to come from somewhere, right? Other unpatched machines are probably much better protected on their respective private networks.

    --
    Trolling is a art,
    1. Re:Diebold spins it. by Anonymous Coward · · Score: 5, Insightful

      I watched a guy patch an ATM once.

      It was done from a laptop.

      My guess is that an infected laptop managed to screw things up (but no-one would admit to that). If it were because of a network connection, it would have been an 'all or nothing' infection and would've spread like wildfire. I'm not sure how exactly ATMs are connected, but they have to be networked in the grander scale of things for the system to work properly.

      Anyways, my bet is an insecure laptop - that's how most RPC hole attacks I've seen have spread recently. Having said that, we'll see lots of posts of an anti-MS nature in response to this story, when in actual fact, it's down to user bad practise, patch deployment and the fact that some people get a kick out of writing this stuff in the first place...

    2. Re:Diebold spins it. by SatanicPuppy · · Score: 5, Insightful

      It's just as likely to be a scrap of code loaded off the back of a credit card. Why in God's name would anyone use a proven insecure operating system as the base for a series of teller machines? Are ATMs so complex that you need a whole operating system running on the damn things? I seriously doubt it.

      The answer to this is to make a simple, purpose built program, which is INCAPABLE of running externally introduced code. You need to patch? Run the software off a CD/DVD, and when you need to change the code, change the CD. Nothing to get cracked, nothing to get corrupted, nothing but hardwired code. Burn an extended BIOS on a ROM chip to run the physical end. Then lock the whole thing up in a metal box, and BAM it's as secure as you can make it.

      Diebold should go back to making safes and padlocks, because they sure as hell don't know crap about ATMs and Voting Machines.

      --
      ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
    3. Re:Diebold spins it. by pmz · · Score: 5, Insightful

      Why in God's name would anyone use a proven insecure operating system as the base for a series of teller machines?

      Because their executives are idiots and their engineers are sheep.

    4. Re:Diebold spins it. by austad · · Score: 5, Interesting

      Most Diebold ATMs run OS/2. But there's a push from some banks for them to install Windows on them, even though the banks don't manage them. I used to work for a company that had ATMs with Diebold, and the engineer I talked to was unhappy that they were putting Windows on them, but it's customer demand. It's simply some jackass that works for a bank and thinks they should run Windows, when he has no idea how an ATM even works.

      As far as VPNs go, for the most part, the ATMs either dial up, or are connected to a LAN that has some sort of WAN connection back to its respective bank. I don't know of any that use VPNs, although it is entirely possible. Keep in mind that Diebold simply provides the machines and fixes them when they break; it's up to the bank or whoever to provide the connectivity and other supporting servers/equipment.

      --
      Need Free Juniper/NetScreen Support? JuniperForum
  2. False sense of security still in effect by RobertB-DC · · Score: 4, Insightful

    From the article:
    "The actual point of service terminal itself getting infected-- that's pretty crazy," said [Windows expert Marc] Maiffret. "But worms are always going to be able to infect a lot more interesting machines than individual intruders are." Moreover, before reaching an ATM network, a human attacker would likely encounter more alluring high-finance targets along the way. "They're going to have to go through a lot of juicier networks first."

    Oh, yeah, that's crazy. As I recall, we discussed this very issue in a previous Slashdot story, and all the experts told us mere geeks that we were ignorant and stupid to even worry about it. Some of the most choice comments came in reply to my own post on the subject.

    Now, even *after* a worm has found its way into an ATM, the "Windows Experts" say there's *still* nothing to worry about.

    Well, ok... I'm not going to worry about my own personal finances, because I'll just ask the bank to reverse any bogus transactions. But if/when some savvy hacker does figure out how to infiltrate an ATM and walks away with a few hundred bucks, someone's going to come up short on their books at the end of the day...

    --
    Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
    1. Re:False sense of security still in effect by Angstroem · · Score: 5, Insightful
      I still don't see any reason why an ATM machine must run a bloated operating system. That thing needs:

      (1) A display driver; any text console is sufficient, but if the banks prefer to show logos and useless graphics, fine, make it a simple framebuffer device.

      (2) A rudimentary keyboard controller; any 4x4 matrix will easily do the job. Make it 8x8 and you have more keys than you'll ever need.

      (3) Some additional hardware controls to perform currency selection and output, and receipt printing.

      (4) A network driver to hook the ATM machine into the banking network plus the relevant service applications including mandatory security services. Shouldn't be much different from setting up credit card terminals, BTDT.

      So why does anyone need anything like a stripped down consumer OS, no matter if it is Windows Embedded or some embedded Linux for that?

      But if I decide to use it, then I better hurry and apply any goddamn bugfix meant to close wide-open security holes. Plus, I keep my networks strictly separated and eventual gateway points heavily firewalled. How could Nachi enter the money transfer network anyway?

      Somebody obviously did not do their homework, both on ATM and network infrastructure design.

    2. Re:False sense of security still in effect by jrumney · · Score: 4, Informative
      So why does anyone need anything like a stripped down consumer OS, no matter if it is Windows Embedded or some embedded Linux for that?

      Because it is a lot easier to develop the software if it can be debugged on the developer's PC. Most embedded OSes have been based on POSIX or stripped down Win32 APIs for years now (QNX and Paradigm being two examples I've personally used over 5 years ago).

    3. Re:False sense of security still in effect by alfredw · · Score: 4, Informative

      A number of ATMs also run a stripped-down version of OS/2. Thank god. Unfortunately, Microsoft is pushing vendors to move to Windows as IBM is soon to discontinue OS/2 support.

      --
      In Soviet Russia, sig types you!
    4. Re:False sense of security still in effect by RealProgrammer · · Score: 5, Insightful
      A virus like this bypasses zero levels of account security.

      What color is the sky in your world?

      This worm was caught because it wasn't expecting to be on an ATM. It thought it was on just another XP box on some network and started scanning. Suppose the next worm is patient, stealthily looking for ATMs?

      Malignant code could potentially monitor any device I/O it wanted. How about grabbing the bits on your ATM card swipe and saving them in an array with the PIN you just typed? No need to decipher anything, just send a day's worth in a batch and self-destruct.

      The attacker can then recreate your ATM card from the bits on the stripe.

      You're right, we're still safe.

      --
      sigs, as if you care.
  3. Just goes to show.. by iantri · · Score: 5, Insightful
    I think this just goes to show that consumer operating systems are a bad idea to put on important machines that need to be reliable.

    I'd think QNX or something else very simple and reliable would be a much better choice to run on ATM machines..

    1. Re:Just goes to show.. by psyconaut · · Score: 5, Funny

      Ahhh....but if you used a proper embedded operating system for an embedded device, you wouldn't be able to hire programmers who have completed a 6-week Visual Basic/.NET programming course at their local community college to write your business critical applications ;-)

      -psy

  4. And this company... by j0keralpha · · Score: 4, Interesting

    Wants us to trust them to run our electorate system? Let's face it, this was a VERY easily preventable oversight. These machines should have survived without patching by installing a rudimentary port blocker of some form. There is no reason RPC should be exposed by an ATM. If they are leaving ATMs wide open, I don't know how we're supposed to expect their Voting Machines to work.

  5. Diebold with the voting machines by ACK!! · · Score: 4, Interesting

    The CEO said that he would do whatever he can to deliver Ohio or some place to Bush.

    The same people that build machines with no paper trail for vote auditing.

    They also do not patch their ATMs.

    This really gives me confidence for the upcoming elections.

    --
    ACK /ak/ interj. 2. [from the comic strip "Bloom County"] An exclamation of surprised disgust, esp. i
  6. They need a new BIOS by RealProgrammer · · Score: 4, Funny

    A new, secure, manageable BIOS would fix their problem.

    It's really Phoenix's fault.

    --
    sigs, as if you care.
  7. Someone's going to come up short... by abb3w · · Score: 5, Insightful

    The customers at large will; it will most likely be reflected in higher account/ATM fees. Banks will likely pass on the cost of theft just like merchants do the cost of shoplifting. Which sucks for the honest folk out there... all seventy-two of them.

    --
    //Information does not want to be free; it wants to breed.
  8. Diebold ATM (in)Security by Anonymous Coward · · Score: 5, Informative

    My company provides vulnerability assessment and penetration testing services to financial services clients and we crack these things all the time.

    The old ones run OS/2 v3.0 and a vulnerable version of sendmail, the slightly newer ones run Windows NT 4.0, with almost no patches installed and a default username and password.

    Once you gain access, it is possible to directly control the hardware using the utilities already on the system, including dumping the cash drawer :) The latest ones run either Windows 2000 or Windows XP, and have almost the same software as the Windows NT systems, just with more vulnerabilities.

    At this point Diebold has not patched ANY of the RPC vulnerabilities, let alone the Messenger or Workstation bugs. Each of these ATMs is connected to an ethernet segment somewhere waiting for someone to rob it.

    During the Blaster peak, a friend of mine was talking about the XP ATMs in London constantly rebooting... They put these cmd-shell-waiting-to-happen boxes directly on the Internet. Thank god for companies like Diebold and Microsoft, their problems created a market and a community that is still picking up steam.

  9. It's ridiculous. by Short+Circuit · · Score: 4, Insightful

    Every company makes mistakes. Running Windows XP is a mistake a lot of companies and people make.

    The reason this is Slashdotworthy is that it is the same Diebold. The people who submit stories are hostile towards Diebold, and it's only to be expected that some of those hostile stories would make it through.

    I'm sure a lot more vital-service machines than just those built by Diebold were hit. A story on the range of systems, maybe with ATMs as a highlight, would have been more appropriate.

    Not ranting at you, just wasting karma, that's all.

  10. RPC vulnerability by UnknowingFool · · Score: 4, Interesting

    I am not a Windows Expert, but why is RPC important in an ATM? Is this something in embedded XP that should be disabled for certain applications like ATMs? If RPC should have been turned off then it's also the fault of Diebold not to configure the machines properly and MS for leaving it enabled by default.

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.
    1. Re:RPC vulnerability by kobaz · · Score: 5, Informative

      I am no windows expert here. But I tried disabling as many services as possible for a win2k server I built for someone. When I disabled RPC and rebooted, the machine no longer functioned. Apparently RPC is a critical service that needs to be running in order for windows to function properly.

      I had to boot up in safe mode and do some registry hacking to get RPC back up and running, because everything from windows explorer to control panel, to msie would fail to load. After I managed to turn RPC back on, the machine worked "perfectly". As perfect as a windows machine can operate, hah.

      --

      The goal of computer science is to build something that will last at least until we've finished building it.
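Since the RPC service itself cannot be removed without breaking Windows, as the reply above found, the practical check on an XP-era box is which RPC-era ports are listening on every interface. The following is an added example, not code from the thread, from Diebold or from Microsoft: it parses `netstat -ano` output in the Windows 2000/XP layout (the sample below is constructed, PIDs included) and reports listeners on the ports the 2003 worms reached that a machine needing only outbound traffic to its bank host should not expose. The port table, the `Listener` type and the `report` helper are this example's own.

```python
"""Flag worm-era ports exposed on non-loopback interfaces, from netstat -ano output.
Added example; not part of the original thread."""
import re
from dataclasses import dataclass

# Ports the 2003 RPC/SMB worms reached. 80 is included because Nachi also
# spread through the IIS WebDAV bug (MS03-007), not only RPC DCOM (MS03-026).
WORM_ERA_PORTS = {
    135: "RPC endpoint mapper (DCOM, MS03-026)",
    139: "NetBIOS session (SMB, carries RPC)",
    445: "SMB direct host (RPC over named pipes)",
    80:  "IIS / WebDAV (MS03-007)",
}

@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    pid: int

# IPv4 listening sockets only; the XP-era hosts in the story had no IPv6 to speak of.
LINE_RE = re.compile(
    r"^\s*TCP\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")

def parse_netstat(text: str) -> list[Listener]:
    """Return every TCP LISTENING socket found in `netstat -ano` output."""
    return [Listener(m.group(1), int(m.group(2)), int(m.group(3)))
            for m in map(LINE_RE.match, text.splitlines()) if m]

def exposed(listeners: list[Listener], allowed_ports=frozenset()) -> list[Listener]:
    """Worm-era ports bound to a non-loopback address and not explicitly allowed.
    Sorted by port so the output is stable."""
    return sorted((l for l in listeners
                   if l.port in WORM_ERA_PORTS
                   and l.port not in allowed_ports
                   and not l.addr.startswith("127.")),
                  key=lambda l: l.port)

def report(text: str, allowed_ports=frozenset()) -> list[str]:
    """One human-readable finding per exposed listener."""
    return [f"port {l.port}/tcp open on {l.addr} (pid {l.pid}): {WORM_ERA_PORTS[l.port]}"
            for l in exposed(parse_netstat(text), allowed_ports)]

# Constructed sample in the shape of XP's `netstat -ano`; addresses and PIDs are made up.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       980
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1020
  TCP    10.20.30.40:139        0.0.0.0:0              LISTENING       4
  TCP    10.20.30.40:3389       0.0.0.0:0              LISTENING       812
  TCP    10.20.30.40:1031       192.0.2.10:443         ESTABLISHED     1400
"""

if __name__ == "__main__":
    for finding in report(SAMPLE_NETSTAT):
        print(finding)
```

On the sample this lists 135, 139 and 445; the loopback-only port 1025 and the non-worm port 3389 are ignored. The point is the one j0keralpha makes above: leaving the service running is unavoidable, leaving it reachable from the segment is not, and this check tells you which is the case before a worm does.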
  11. Re:Propagation by Petronius · · Score: 4, Funny

    This means that after each 'correct' vote, the voting machine wires $20 to your bank account.

    --
    there's no place like ~
  12. That explains it by Anonymous Coward · · Score: 5, Funny

    I remember thinking how weird it was to have my ATM suggest an exclusive opportunity to increase the length of my penis.

  13. Just lame by GillBates0 · · Score: 5, Insightful
    "But worms are always going to be able to infect a lot more interesting machines than individual intruders are." Moreover, before reaching an ATM network, a human attacker would likely encounter more alluring high-finance targets along the way. "They're going to have to go through a lot of juicier networks first."

    Just the fact that ATM machines are reachable from the public Internet is a huge cause of concern to me. A VPN connection without an intervening firewall at the ATM machine itself (which they claim they are installing now) is plain ridiculous.

    You are then just hoping that none of the insiders will try to sabotage the machines, either knowingly, or unknowingly because of an infected laptop etc. They have to realize that VPN is a VIRTUAL PRIVATE network, and NOT a dedicated line, and hence, security measures have to be MUCH stronger than if it was a REAL private connection. Does it take rocket science to figure that out?

    And then there's that quote from the "Windows expert" and "chief hacking officer" that malicious hackers will probably not go for ATM machines, even though they are reachable/hackable, because of other "juicier targets", presumably the bank network itself. Most malicious hackers would do it just for the fun of making an ATM machine spew out cash, if they figure out they can make it do that. That is a very lame assumption from a security expert.

    And finally, for your reading convenience, here's an earlier /. story which mentions that 65% of the ATMs will be running a stripped down version of Windows by 2005.

    --
    An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
  14. DHCP errors by jbrw · · Score: 4, Interesting

    Around about this time I saw an ATM in Mayfair, London, with a windows error message in the middle of the screen. It was complaining that a DHCP server couldn't be found, and was happily waiting for someone to come along and click on the OK button.

    Mashing the keypad didn't seem to help. I guess sooner or later they would have realised the ATM had disappeared and would have sent a tech out to press reset or something.

  15. What impact to ATMs, other than going offline? by Slider451 · · Score: 5, Informative

    There's no personal data stored in an ATM. It's just a dumb terminal.

    And Nachi basically makes the machine unusable.

    Without specific code that targets ATMs, this is merely a generic nuisance that happened to hit what some consider a sensitive device.

    Scary when you think what could happen, and frustrating when you think of the loss of trust in the security admins. But let's keep this in perspective. Nothing serious happened and it's a big step to get to where something serious will happen.

    Hopefully those responsible have been sacked, and the new security llamas won't make the same mistakes.

    --
    Nostalgia isn't what it used to be.
  16. Diebold incompetence, not Windows by SuperBanana · · Score: 4, Interesting
    The same Diebold that has grossly insecure voting machines [slashdot.org]?

    Funny- I was just at the ATM today, and I glanced down and saw the Diebold tag. They're pieces of crap- barely a few years old, nobody cleans them, the screens are dim and usually require breaking your finger- and they're SLOW as molasses. Slow as in "I have only three or four things I can do but it still takes me a minute to give you cash"- and it can't all be explained away by network latency. Things like the machine sitting there locked up for 20 seconds or more after the last person leaves, before it will unlock the card slot. What is it doing, debating the meaning of life? It's a fucking ATM machine. It makes you wonder if the whole thing is written in really, really bad VB...or maybe Flash.

    In any case- I agree with the parent. I could care less what the thing runs, as long as they're competent. The voting machines demonstrated that they're completely incompetent. This just goes to show that our suspicion that they're -also- probably incompetent at making secure ATMs.

  17. Re:They wouldn't be allowed to patch it anyways by Valar · · Score: 5, Funny

    We have a new record! Someone didn't even make it all the way through the article TITLE. First, it was rtfa (the linked article). Then it was rtfa (the slashdot article). Now do we need to go to rtft (read the fucking title)? The article is about diebold ATMs, not voting machines.

  18. Why does an ATM need XP? by corebreech · · Score: 4, Insightful

    We're talking about a dumb terminal here, aren't we? Let the user login with his card, enter a passcode, then enter input which gets sent to a server somewhere to be processed and which sends back either output to be displayed to the user or output to be read by the machine which gives you your money.

    The same criticism applies to Diebold's voting machines.

    This is why Linux would be such an ideal solution. No application of Linux has impressed me more than the (now sadly defunct) Linux Router Project, simply because it demonstrated how for many tasks most of the operating system amounted to nothing more than ballast. They were able to boot a router from a floppy.

    This is how I think an ATM--or a voting machine--should work. The amount of software should be kept to an absolute minimum if for no other reason than that it minimizes complexity, and in these kinds of applications, complexity is the mother of all evil.

    And in the case of the voting machines, it would also greatly assist in auditing the code and making sure that what you think is executing is what's executing.

  19. Embedded XP? What were they thinking? by Cajun+Hell · · Score: 5, Interesting
    WTF goes through somebody's head when they decide to use MS Windows for an embedded project?!

    Windows' strength, pretty much its only strength, is legacy compatibility. But an ATM doesn't need to run Excel or some 8-year-old custom Visual Basic application that an irresponsible manager got the company locked into. Really, it's ok to use decent software for embedded projects, nothing should hold you back.

    Using Windows in an ATM, sounds like a classic application of the saying: "When the only tool you have is a hammer, every problem looks like a nail."

    --
    "Believe me!" -- Donald Trump
  20. How do we know? by mcc · · Score: 4, Insightful

    Without specific code that targets ATMs, this is merely a generic nuisance that happened to hit what some consider a sensitive device. ...
    Scary when you think what could happen, and frustrating when you think of the loss of trust in the security admins. But let's keep this in perspective. Nothing serious happened and it's a big step to get to where something serious will happen


    How do you know something serious didn't happen?

    So the Nachi worm hit these machines, and it's big and obvious, and it breaks the machines. But the Nachi worm moves by brute force; it hit these ATMs by accident. How do we know that during the time before the ATMs were hit, someone with actual, targeted, malicious intent didn't at some point hit a few of the ATMs using the same exploit Nachi did?

    If someone doing it on purpose had hit the ATMs, they could have done something much more subtle. Something that wouldn't have been noticed the way the Nachi worm was, something that (given how unconcerned everyone seems about this) probably wouldn't be noticed at all, even after the Nachi incident. Something like a small patch to the ATM UI that quietly records the ATM card number, personal information, and PIN# of everyone who uses that ATM, then quietly dumps that somewhere on the internet later. It wouldn't be that difficult, and the Nachi thing simply proves it's possible.

    It's not a big step at all to get to the point where something serious could happen. It's barely even a step at all, as it's just a step of exactly the distance between a worm hitting an ATM at random and someone with a little bit of intent, knowledge, and time sitting down and deciding they're going to hack an ATM.

  21. Geer, Pfleeger, Schneier et al. were right ... by JonKatzIsAnIdiot · · Score: 4, Insightful

    Geer, Pfleeger, Schneier, Metzger and the rest of the contributing authors of CyberInsecurity: The Cost of Monopoly were right. This incident proves it. The most likely source of the infection is an infected laptop being plugged into the protected network. Had the ATMs been running a different operating system - even the ancient OS/2 - they would not have been infected.

    It is also very interesting to note that they only found the worm because the infected machines tripped the IDS with excessive network traffic. From this we can infer:
    1. A worm that was less aggressive with its scans would probably not have been detected and could possibly still be operating today.
    2. They probably don't have any host-based intrusion detection systems in place. No automated file integrity checking, no authorized process lists.

    It's a good thing for us that the worm and virus writers (thus far) have been gifted programmers, but otherwise dumber than a bag of hammers. A well-written subtle worm could probably cripple most of the developed world.
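The two inferences in the post above can be shown concretely. What follows is an added example, not code from the thread or from any bank's or Diebold's tooling. Part (1) is a rate-based detector of the kind that caught Nachi, run over constructed ICMP echo log lines (Nachi located hosts by pinging whole address ranges): it flags a source that reaches hundreds of hosts in a minute and says nothing about one that probes a single host per minute, which is inference 1. Part (2) is a host-side file-integrity baseline plus a process allow list keyed on (name, directory), the two controls inference 2 says were absent; those catch a dropped executable however quietly it scans. The log format, directory names, file names and process names are constructed for the demo.

```python
"""Rate-based scan detection versus host-based integrity checks.
Added example; not part of the original thread."""
import hashlib
import os
import tempfile
from collections import Counter, defaultdict

# ---- (1) network side: distinct destinations per source in a sliding window ----
# Constructed log line format: "<seconds> <src> -> <dst> icmp-echo"

def scan_sources(lines, window=60.0, threshold=100):
    """Sources that reach more than `threshold` distinct hosts within any
    `window`-second span. Returns a set of source addresses."""
    by_src = defaultdict(list)
    for line in lines:
        t, src, _arrow, dst, _kind = line.split()
        by_src[src].append((float(t), dst))
    flagged = set()
    for src, events in by_src.items():
        events.sort()
        in_window = Counter()      # dst -> hits inside the current window
        left = 0
        for t, dst in events:
            in_window[dst] += 1
            while events[left][0] < t - window:   # slide the left edge forward
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) > threshold:
                flagged.add(src)
                break
    return flagged

def build_sample_log():
    """Constructed traffic: one loud scanner, one patient scanner, one operator ping."""
    lines = [f"{i * 0.1:.1f} 10.0.0.5 -> 10.1.{i // 256}.{i % 256} icmp-echo"
             for i in range(300)]                      # loud: 300 hosts in 30 s
    lines += [f"{i * 60} 10.0.0.9 -> 10.2.0.{i} icmp-echo"
              for i in range(120)]                     # patient: one host a minute
    lines += ["5.0 10.0.0.2 -> 10.0.0.1 icmp-echo"]    # an operator's single ping
    return lines

# ---- (2) host side: integrity baseline and process allow list ----

def baseline(root):
    """Relative path (forward slashes) -> sha256 for every file under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                digests[rel] = hashlib.sha256(f.read()).hexdigest()
    return digests

def integrity_diff(before, after):
    """(added, removed, changed) relative paths between two baselines."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = sorted(p for p in before.keys() & after.keys() if before[p] != after[p])
    return added, removed, changed

def unauthorized(running, allowed):
    """Running (name, directory) pairs not on the allow list. Keying on the
    directory matters: a known executable name from an unexpected directory
    is the classic way a dropped binary hides in a process listing."""
    return sorted(set(running) - set(allowed))

def demo():
    """Simulate a drop into a scratch 'system32' tree and return all findings."""
    with tempfile.TemporaryDirectory() as root:
        sysdir = os.path.join(root, "system32")
        os.makedirs(os.path.join(sysdir, "wins"))
        for name in ("svchost.exe", "atm_app.exe"):       # constructed names
            with open(os.path.join(sysdir, name), "wb") as f:
                f.write(b"original " + name.encode())
        golden = baseline(root)
        # "infection": a new file in a subdirectory plus a tampered app binary
        with open(os.path.join(sysdir, "wins", "dllhost.exe"), "wb") as f:
            f.write(b"dropped")
        with open(os.path.join(sysdir, "atm_app.exe"), "ab") as f:
            f.write(b" patched")
        added, removed, changed = integrity_diff(golden, baseline(root))
    running = [("svchost.exe", "system32"), ("atm_app.exe", "system32"),
               ("dllhost.exe", "system32/wins")]
    allowed = [("svchost.exe", "system32"), ("atm_app.exe", "system32"),
               ("dllhost.exe", "system32")]
    return {"scanners": scan_sources(build_sample_log()),
            "added": added, "removed": removed, "changed": changed,
            "unauthorized": unauthorized(running, allowed)}

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The detector flags only 10.0.0.5; the host that pings one new address a minute never exceeds two distinct destinations in any window and is invisible to it. The integrity diff and the allow list, by contrast, report the dropped file and the tampered binary immediately, regardless of what either scanner does on the wire.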

  22. ATM Horror by h4rm0ny · · Score: 5, Interesting


    A few years ago when I was a naive young UNIX programmer I came to the cash machine and got the fright of my life. There, floating over the blocky PIN login screen was a Windows Illegal Error box.

    Up until that moment I had always assumed the cash machines were running some specially written firmware on specially made hardware. This was a massively important and widespread system after all.

    Oh - how young I was.

    --

    Aide-toi, le Ciel t'aidera - Jeanne D'Arc.
    1. Re:ATM Horror by Angst+Badger · · Score: 4, Interesting

      Up until that moment I had always assumed the cash machines were running some specially written firmware on specially made hardware. This was a massively important and widespread system after all.

      I had assumed they were 8-bit machines, probably packing a 6502 or a Z80, with an EEPROM containing all of the necessary code. I made this assumption because that should be enough to handle ATM operations, the actual computing hardware would be cheap and secure, and that block font most of them use is the same as the uppercase-only font on the early Apple II machines.

      I walked up to an ATM this past weekend and saw an OS/2 error window floating over the simulated bitmap font. I was grateful it wasn't Windows, but still...

      --
      Proud member of the Weirdo-American community.
  23. IBM warned 'em by Cybrex · · Score: 5, Informative

    The timing on this is perfect, as I just read an article yesterday (in InfoWeek, I believe) about the effect of IBM's plan to discontinue OS/2 support on ATM manufacturers. The article was a couple of months old, but focused on them suggesting that financial institutions migrate their ATMs to Linux instead of Windows. It seems that the big ATM manufacturers (including Diebold, which featured heavily in the article) are leaning heavily toward Windows despite IBM's recommendation that they go with Linux. Their attitude is that they're running Windows on the back end, so they want it in the ATMs as well.

    Well, now they're getting what they wanted, and I doubt that they'll learn from this. Large banks seem to have a monolithic mindset that's averse to anything new. They're also decidedly pro-Microsoft.

    IBM offers some very effective solutions for integrating Linux-based ATMs with both UNIX and Windows-based back end systems. That companies like Diebold insist on going with insecure, unstable (I've seen an ATM stuck with a BSOD!) software for such sensitive systems is asinine.

    -Cybrex

    --
    Boundless Expansion, Self-Transformation, Dynamic Optimism, Intelligent Technology, Spontaneous Order- BEST DO IT SO!