Hacker Develops ATM Rootkit

alphadogg writes "One year after his Black Hat talk on automated teller machine security vulnerabilities was yanked by his employer, security researcher Barnaby Jack plans to deliver the talk and disclose a new ATM rootkit at the computer security conference. He plans to give the talk, entitled "Jackpotting Automated Teller Machines," at the Black Hat Las Vegas conference, held July 28 and 29. Jack will demonstrate several ways of attacking ATMs, including remote, network-based attacks."

Lawsuit?

[_PimpDaddy7_]

Can the banks file a lawsuit at him?

I can't stand companies not taking security seriously.

Remember when ATMs first came out? The data being sent from ATM to the bank's systems had NO encryption.

Re:Lawsuit?

[Ubergrendle]

It would depend upon the nature of hte hack. The promotional materials for his speech are light on details. Is this a top end ATM from NCR, or a white label generic ATM which are little more than PCs with a cash handler attached? What level of physical access does he need to the cabinet? Is this an internal exploit (implying you get your software/rootkit installed as part of a distribution) or he looking an something more subtle?

I'll reserve judgement on his expose until i read of the details; i understand why he wouldn't want to advertise the juicy details before his presentaiton, but on the other hand I'm skeptical around what he's implying.

Re:Lawsuit?

[evilandi]

Remember when ATMs first came out? The data being sent from ATM to the bank's systems had NO encryption.

Dude, it was the 1950s.How were they supposed to encrypt punch cards? Colour them in?

The data was "sent" using the secure process of having a burly security guard open the little door at the back and carry the deposits, punch cards and microfilm (they took a photo of all deposits) over to the back office.

Re:Lawsuit?

[Lumpy]

No it doesnt, you point out the flaws without any info about you attached. I.E. Publish all the info outside the country.

Honestly it blows my mind that any Computer nerd tries to do the white hat thing and tell a company about a problem. Simply send it in a letter that is untraced and say, "I'm publishing this in 90 days. you are getting a heads up because I'm a nice guy"

Then in 90 put it on the net.

They cant sue you if they have no idea who you are. Problem is most of these white hats are looking more for street "cred" and getting their name out than actually being a good guy.

Re:Lawsuit?

[Bakkster]

The problem is that it's a catch-22: usually the only way to find these vulnerabilities is to exploit them in the first place. And companies often don't grant access to white-hats because they think their systems are secure (or at least want to believe so), which can't be disproven until said hackers show them wrong.

One would hope that a company wouldn't press charges unless there was malicious intent (he dispensed and pocketed several hundred dollar for himself to 'test' the system). Of course, this is America, and I have nowhere near that much faith in our corporations or justice system...

Re:Lawsuit?

[Legion303]

"There's a difference between pointing out that a lock can be picked and demonstrating in detail how to do it. Especially when the audience isn't limited to the owner of the lock."

Not legally, there isn't. I'll be giving a talk on exactly this subject in 6 weeks. Marc Tobias, a lawyer, has co-authored an extremely detailed book on picking, bypassing, and completely ignoring the security of Medeco Biaxial locks. Find a better analogy.

Great way to get money out of ATMS

[Rogerborg]

Threaten to disclose the vulnerabilities, get paid hush money to pull your presentation (again). Rinse, repeat.