Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hacker Develops ATM Rootkit

Posted by CmdrTaco on from the well-that-doesn't-make-me-feel-better dept.

alphadogg writes "One year after his Black Hat talk on automated teller machine security vulnerabilities was yanked by his employer, security researcher Barnaby Jack plans to deliver the talk and disclose a new ATM rootkit at the computer security conference. He plans to give the talk, entitled "Jackpotting Automated Teller Machines," at the Black Hat Las Vegas conference, held July 28 and 29. Jack will demonstrate several ways of attacking ATMs, including remote, network-based attacks."

5 of 181 comments (clear)

  1. Re:Lawsuit? by Ubergrendle · · Score: 4, Interesting

    It would depend upon the nature of hte hack. The promotional materials for his speech are light on details. Is this a top end ATM from NCR, or a white label generic ATM which are little more than PCs with a cash handler attached? What level of physical access does he need to the cabinet? Is this an internal exploit (implying you get your software/rootkit installed as part of a distribution) or he looking an something more subtle?

    I'll reserve judgement on his expose until i read of the details; i understand why he wouldn't want to advertise the juicy details before his presentaiton, but on the other hand I'm skeptical around what he's implying.

    --
    John Maynard Keynes: "When the facts change, I change my mind. What do you do?"
  2. Great way to get money out of ATMS by Rogerborg · · Score: 4, Interesting

    Threaten to disclose the vulnerabilities, get paid hush money to pull your presentation (again). Rinse, repeat.

    --
    If you were blocking sigs, you wouldn't have to read this.
  3. Re:Lawsuit? by evilandi · · Score: 5, Interesting

    Remember when ATMs first came out? The data being sent from ATM to the bank's systems had NO encryption.

    Dude, it was the 1950s.How were they supposed to encrypt punch cards? Colour them in?

    The data was "sent" using the secure process of having a burly security guard open the little door at the back and carry the deposits, punch cards and microfilm (they took a photo of all deposits) over to the back office.

    --
    Andrew Oakley - www.aoakley.com
  4. Re:Lawsuit? by Bakkster · · Score: 4, Interesting

    The problem is that it's a catch-22: usually the only way to find these vulnerabilities is to exploit them in the first place. And companies often don't grant access to white-hats because they think their systems are secure (or at least want to believe so), which can't be disproven until said hackers show them wrong.

    One would hope that a company wouldn't press charges unless there was malicious intent (he dispensed and pocketed several hundred dollar for himself to 'test' the system). Of course, this is America, and I have nowhere near that much faith in our corporations or justice system...

    --
    Write your representatives! Repeal the 2nd Law of Thermodynamics!
  5. Re:Lawsuit? by Legion303 · · Score: 4, Interesting

    "There's a difference between pointing out that a lock can be picked and demonstrating in detail how to do it. Especially when the audience isn't limited to the owner of the lock."

    Not legally, there isn't. I'll be giving a talk on exactly this subject in 6 weeks. Marc Tobias, a lawyer, has co-authored an extremely detailed book on picking, bypassing, and completely ignoring the security of Medeco Biaxial locks. Find a better analogy.