Slashdot Mirror
ATMs Susceptible to Windows Viruses
Kernkraft400 writes "First there was Windows for Warships, now the same operating system used to power millions of home PCs is likely to be used for cash machines in the UK. I can't wait for the next Windows virus or worm to take down all the cash machines."
What an irresponsible thing to say.
http://www.busyweather.com/
Windows has been used on (at least) Natwest ATM's for a loooong time - several years at least. I've been in several situations where an ATM is displaying a Blue Screen Of Death. Interestingly enough, they show a trend for solidarity in these matters, when one of set is down, they're all down... Presumably the weakness is in the network layer, or some component that is attached to it.
Not that this means too much (apart from the annoyance factor) though, I've never lost any money due to an ATM crash - I'm pretty sure the system is designed so that the central machine does all the secure stuff, with the ATM being not much more than a calculator keypad.
Simon
Physicists get Hadrons!
The Slammer worm caused significant outages in Bank of America's ATMs.
-- Samir Gupta, Ph. D. Head, New Technology Research Group, Nintendo Co. Ltd., Kyoto, Japan.
Now, ATMs running Windows could very well be susceptible to viruses, but something backing that up would be nice.
There is no sig, there is only Zuul.
The title of this story is extremely misleading. It's stating something like it's a fact, although it's not even close. It's actually more of a question. But this is Slashdot, so I shouldn't expect too much.
Citibank ATMs run NT. Lots of bank ATM machines do
Don't forget the cars too. Oh well, trial by fire. If it goes horribly wrong, it won't stay that way for long. Either it'll get hardened or another OS'll get the job.
dmiessler.com -- grep understanding knowledge
The title of this post says that Windows for ATMs are "Susceptible to Windows Viruses" but as far as I can tell this is just speculation... Is there actually any proof out there that these machines would be any more (or less?) susceptible to viruses? I'm suprised this made it through, no substance and just a lot of name calling at MS.
Your mammas flamebait.
Actually, 3.51 had a reputation for being relatively bulletproof.
Remember, they hadn't moved everything into the kernel yet. Even GDI and video drivers were userland. And, of course, they hadn't yet "integrated" Insecure Exploder into the system either, I don't even think IE existed then (NT4 shipped with IE2).
The only reason we have the rights we have is that people just like us died to gain those rights. -- Cheerio Boy
Maybe it's because I'm young and new, but why would people trust a system that has a record of failing? The blue screen of death is a big joke in the world. Why would airports, banks, the military, etc. trust Windows? I'm not trolling, this is an honest question. It's not the price. Is it because they think it is more robust, easier setup, compatibility? I was in Europe and saw the blue screen on an airport terminal and thought, wow, I hope the crucial systems on my plane or in the control tower are not running Windows!
Lets be clear here, its not viruses we worry about. Nobody is going to run Kazaa on their local ATM. Its all about possible remote exploits.
No OS is completely bug free and secure for ever. If the network the ATM's connect to is safe, the box should be safe. If they connect to the internet, I'm moving my money to another bank, no matter what OS they run!
Surur
Information is the location of things. Computation is moving things around.
This is why I go the "Linux first - Windows only if absolutely necessary" route when installing relatives' computers.
:).
:)
No virus problems. No spyware problems.
I believe the GNOME or KDE desktop is the perfect choice for absolutely computer illiterate relatives who want to surf the web, read mail and play the occasional game (my father even mentioned the best thing he liked about Linux was all the games - I didn't even knew they came with the installation!
Why? Because they can't screw something up that I can't easily fix. Because it is a rock stable solution for Web browsing and E-mail reading. Because it can be administered remotely easily over low bandwidth.
The only problem that may arise is when they need to run some special Microsoft Windows-only software that can't run in Wine.
So, yes, Linux definitely is for Grandma, although she hasn't bought a computer yet.
Any bank that puts its ATMs on the internet has a moron in charge of IT.
The best way to secure these things is to make sure that the only physical connection from the ATM is to a well secured computer under controlled by the bank.
The cake is a pie
Can someone explain to me why they didn't make the hardware for the ATMs from scratch? An ATM doesn't seem that complicated sort of a device. Could use any sort of micro-controller and write the software in assembly. Sure, getting it to communicate with the main bank-server-thingy might be harder, but I'm sure a bank could afford this.
OK, I guess maybe its just cheaper to use something that already exists (windows).
A more important, but related question: Why the hell do the diebold voting machines use windows?! Surely they could have been written from scratch using assembly, for a specialised microcontroller. I mean seriously, voting is pretty damn important! (Yes I realise it would be very hard, but when you're dealing with huge sums of money, and its organised by the government speficially for the most important part of democracy, I'm sure its doable)...Hrmm.
printf("Goodbye cruel world!\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b");
In order to (1) catch up with a competitor or perhaps (2) get an "easier" development environment [easier being defined as one where the programmers are commodity and the system doesn't require buidling graphical components from scratch], 'easy' choices are made.
In the end, the bank isn't doing the development, but purchasing a final product... there are tons of variables to an ATM beyond the underlying OS; and honestly, not all that many large vendors to choose from (and a large bank will almost never choose a small vendor, over concerns for longevity and support). Microsoft has made a major push for Windows in many places and makes it as easy as possible for people in different markets to use their OS. It is really the responsibility of the purchasing organization (in the case of an ATM, the bank or credit union) to choose a good solution. But it's a painful balancing act.
By the way, if you really want to be disturbed by how liability for bad software isn't an issue, think about this: the US Federal Aviation Administration requires that every component put into an aircraft must not fail during the life of the aircraft. The next sentence then exempts software from this limitation.
An ATM need not be much fancier than a gas pump.
It needs:
A card reader.
A cash dispenser.
A video display.
A keyboard input.
A communications channel to HQ.
A printer.
Most run "semi-locally" rather than as completely-dumb terminals.
Most have an "administrator mode" and keep additional local state. For example, they know how much of what kinds of bills they have left.
Most have security cameras, but these need not be "logically" part of the ATM, they can be standalone devices.
Banks have used full-featured ATMs for years. In the early-mid 1990s, OS/2 was the major player. These days it's MS-Windows. 10 years from now, it will probably be something else.
The key security issues with ATMs are:
1) physical security and local encryption of sensitive data in case physical security is compromised, e.g. someone steals the whole ATM.
2) network security - all communications are encrypted
3) isolated network - no direct access to or from the Internet
4) audit trail, e.g. local encrypted recording of all transactions, preferably to write-once media.
I'm sure I left out some things. Please feel free to add.
So, anyone know of any in-use Linux-based ATMs? Even better, anyone know of any totally-Free-and-open-source-software ATMs?
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
A couple years ago, the hospital where I work replaced its medication dispensing machines (where the nurses get the medications for their patients) with new ones. The new machines run on Win2k -- not a stripped down, embedded version, but the full she-bang. About a week after the new machines were installed, they became infected with the latest exploit-de-jour (don't remember exactly which anymore) and became unusable. It was not pretty. Granted, this probably could have been avoided if things like IIS, Active-X, and such like had been disabled on the machines, but still it points to the danger in implementing a one-size-fits-all solution like Windows on a dedicated-purpose machine like these medication machines -- or ATMs for that matter.
All it takes is one technician carrying a virus on his notebook working on an ATM behind the firewall. What is the contingency plan for when(not if)a virus gets behind the firewall?
--Gentoo Baby!
just cuz you can't figure out how to don't mean it can't be done
I'm not debating the ability of large corporations to be successful licensing Linux and related software, but I don't fully understand why the romantic aspects of becoming a skilled developer for Linux seem to outweigh the financial benefits of being a skilled developer for Windows, within this community at least.
Yes, these companies are successful, but it is much more difficult for a small business, or individual to draw success in the same way.
Slashdot's team of ms-bashers, need to learn a few things.
1) Don't make up stories.
2) Don't tell lies.
3) Offer constructive critisism.
4) If you think linux would be better, show some damned links with a PRODUCTION released application that can replace it for the same price if not lower.
5) Get off the hate-wagon and actualy read the specs of how things work before sticking your foot in mouth.
6) Any group that relies on lies and trash talk, fails due to people not being able to TRUST THE SOURCE.
7) Behaving like little babies and banning entire ip-blocks because the editors cant take the truth, will not encourage visitors to return, not will it help the "word of mouth" effect concerning your credibility.
Stop acting like politicians slinging mud because you have nothing constructive to offer!!
Show me a Linux system that can be dropped into the system to replace the current devices...or just go whine and cry in the corner over the big bad evil MS OS yet again...(while there, RTFM on how to actualy secure the OS, or is that too much to ask of a group that is more than happy to read all the MAN pages and heaps of Linux docs...)
Ummmm....actually that's not the problem.
Mission-critical apps should not be run on crappy, not-meant-for-that-purpose software. It's not a question of how many firewalls you use. ATMs should NOT run windows.
Firewalls are not a "magic fix" for shitty design. Hell the company I work at has a good firewall and they get viruses all the time. A firewall should be a "just in case" security measure, especially for something THAT important.
We're talking about people's money here, it should take more than one guy plugging an infected laptop into the wrong ethernet jack to take it down.
Stuff like this demands a multi-tiered security approach. We're talking encryption of encrypted communications here (with different algorithms), and if they're going to send ANY of this across the internet they better do it right. Otherwise, guess where the next 0-day exploit is going to get tested first?
As long as banks follow these security precautions (and I've worked at a UK bank before now -- they're pretty hot on security, as a rule) they should not be susceptible to virus/worm infection,
Wrong. You can't turn off the ALL the OS services or your custom software can't communicate with anything else. You NEED at least some of the windows code running and that bit of code just may turn out to be the next target of the latest, greatest worm.
except by a custom-written worm that exploits security flaws in the custom ATM software... and at this point it doesn't matter what OS you're using.
Sure it does. A better OS is going to be harder to code an exploit for. What you're saying is that underlying system arcitecture doesn't matter. That's silly.
If it was my call, I would have two boxes running completely different software and hardware, designed by two completely independent teams. I would keep the existence of each team seperate from the other.
One box does the normal ATM stuff, on X86 hardware running something custom and minimalist, communication only via an RSA-encrypted data link.
The second box contains an OS-less processing unit whos purpose is two-fold:
This would make it much harder of a zero-day exploit OR a funamental math breakthrough to wreck the security AND harder for any of the programmers to leave themselves a little backdoor (Office Space).
Using a firewall in this application would be like using aluminum foil as a bullet-proof vest.
Life is too short to proofread.