Oh, isn't this just peachy.

What idiot PHB/beancounter decided to use WINDOWS in a fucking ATM?

www.theregister.co.uk/content/55/34175.html

Nachi worm infected Diebold ATMs

By Kevin Poulsen, SecurityFocus
Posted: 25/11/2003 at 09:40 GMT

The Nachi worm compromised Windows-based automated teller machines at two financial institutions last August, according to ATM-maker Diebold, in the first confirmed case of malicious code penetrating cash machines.

The machines were in an advanced line of Diebold ATMs built atop Windows XP Embedded, which, like most versions of Windows, was vulnerable to the RPC DCOM security bug exploited by Nachi, and its more famous forebear, Blaster.

At both affected institutions the ATMs began aggressively scanning for other vulnerable machines, generating anomalous waves of network traffic that tripped the banks' intrusion detection systems, resulting in the infected machines being automatically cut off, Diebold executives said.

"The outbound traffic from the ATM was stopped -- limited, from a network standpoint -- and effectively isolated," said Nick Billett, Diebold's director of software engineering. "In many cases, the machines were cleaned up that day."

A patch for the critical RPC DCOM hole had been available from Microsoft for over a month at the time of the attack, but Diebold had neglected to install it in the infected machines. Billett defended the company's patching process, which he said involves testing each new bug fix, and deploying at a wide variety of institutions with a mix of network architectures. "A lot of those machines actually have to be visited by a service technician" to be patched, said Billett. "Our experience in the past is we are able to turn those around in one or two days."

In this case, the two affected financial institutions, which Diebold declined to name, somehow slipped thought the cracks, said Billett. The company would not say how many machines were knocked out by the worm.

Windows Bugs

The incident highlights new dangers for financial institutions, as legacy ATMs running OS/2 and propriety communications protocols give way to more versatile and cost effective terminals built on Microsoft Windows and TCP/IP -- with all the attendant security problems.

Though ATMs typically sit on private networks or VPNs, the most serious worms in the last year have demonstrated that supposedly-isolated networks often have undocumented connections to the Internet, or can fall to a piece of malicious code inadvertently carried beyond the firewall on a laptop computer.

January's Slammer worm indirectly shut down some 13,000 Bank of America ATMs by infecting database servers on the same network, and spewing so much traffic that the cash machines couldn't processes customer transactions.

"I think of ATMs as a relative of SCADA systems, as those things not really being on the Internet, but being on some network," says Peter Lindstrom, an analyst with Spire Security. "In some ways, it's kind of ironic, that I think standardization across the board has created some of the issues."

In response to the problem, and to meet their customer's IT requirements, Diebold next month plans to begin shipping all new Windows-based ATMs preinstalled with a software-based firewall, made by Sygate Technologies. The company will also offer to put the Sygate product on existing machines already in the field. "We have many customers that are placing ATMs on their network, and as a result of that we have to meet certain criteria ... we haven't had to meet before," said Chuck Somers, vice president of global software development at Diebold.

Somers said he wasn't aware of Diebold ATMs being infected by earlier Windows worms, like Blaster or Slammer. "I'm not aware specifically of machines that were [comprised] as a result of previous ones," he said. "I was made aware specifically of the ones with Nachi, and that was cleaned up"

Microsoft had no immediate comment Monday.

Despite the allure of hard cash, don't expect to see a rash of made-for-Hollywood ATM hacks -- machines around the country suddenly spitting out wads of 20s at random, said Marc Maiffret, Windows expert and "chief hacking officer" at California-based eEye Digital Security.

"The actual point of service terminal itself getting infected-- that's pretty crazy," said Maiffret. "But worms are always going to be able to infect a lot more interesting machines than individual intruders are." Moreover, before reaching an ATM network, a human attacker would likely encounter more alluring high-finance targets along the way. "They're going to have to go through a lot of juicer networks first."

Cell phones are vulnerable also.

Now you know why both the US Army and the IDF are phasing out Windows based software for versions of Linux that have been customised for them by their own in-house staff.

In Isreal, there is a Knesset bill that would require the entire Israeli goverment to switch to open source software for their computers.

Unfortunaetly our legislaters want Bill Gates's money too much to do the same in this country.

if more and more people use linux then there will be more and more virus written for it.  anyone who gets a virus failed to properly maintain their system.  windows is the dominant o/s because it is better...

This is the stupidest thing I have read in a long time.  You HAVE to be kidding...

You cant write a virus for linux because there isn't ONE version of linux.

The IDF for example will start with one of the linux strains source code, and then order applications built for their use- which will then have a unique security system. Each other ministry that adopts it would hire someone to write a unique security system. Where there is need for cross-ministerial access a bridge security program would be made.

The US Army version of Linux is being modified by programmers hired by the Soldier Systems Laboratory at Natek, Maryland and has unique security software written for it.

While the uniformity offered by Windows looks good from a ACCOUNTANTs point of view, hacking has become so previlant that it can no longer be considered a economic asset to have a common computer language or to live off of over the counter components. Real security can only come from having semi-custom software.

And even with paying people to cusotmize it for you, Linux may be still be cheeper than the license fees Microsoft demands.

wow that is one of the dumbest things I've heard in a while.

Honestly though, why the fuck does an ATM MACHINE need an OS? It seems much smarter to use something custom that just does the functions needed, don't you think?

It can and will be done. There is no "can't" in the computer virus field. And I don't care what OS it is. Someone [b]will[/b] bust it.




[devil]

Yes, they will crack that ONE version used by that ONE branch of goverment. And the goverment can counter by patching that ONE branches software. Thus the damage will be contained. No different from what is already done with signals encryption technology in communications.

Money talks, and it is cheaper for someone to use or modify something that is already available rather than build something new.

Eventually you either run into a problem such as this, or a system that is so obfuscated that improving or maintaining it costs more than maintainence of the inital custom solution.

And someone will make one to overcome that hurdle. There is [b]no[/b] end to this.




[devil]
[i]Edited cuz I cannt spell![/i]

Most drive-up ATMs are either Windows NT or OS/2.    And the OS/2 ones are being replaced with NT.  Many of the small-footprint ones are WinCE.


It was actually a selling point to use commodity *ware (i.e. pc's and pc os's) because it's cheaper than building from the ground up. Not to mention it would be easier to find people to work on them.  If you think that these problems were not forseen, not to mention the problems with Diebold's election machines, think again.  
-Former employee in that industry

heh The voice of logic and reason often seem to lose to convenience and cheapness.

Kinda like when I knew I should buy that extractor tool for my FAL, and now I'm going to have bloody knuckles getting the *@#% thing back on.

No.  Windows is the dominant o/s in the desktop sector because Microsoft engaged in monopoly taticts to lock computer manufacturers into including -and charging for- a copy of their o/s with every computer purchased.  They were found guilty of this and other competition stifling practices in a federal court.  For the record, *nix still owns the web+data server sector.
As for security, any improperly maintained o/s is insecure but MS goes out of their way to make Windows insecure.  For example, Outlook runs with Administrator rights AND opens attachments by default so it is the perfect vector for malicious code.  *nix applications launched by the user share the user's privledges, so even if you do screw yourself, you aren't taking down the whole system (and you sure as hell aren't installing sobig).  For the record, I use both *nix and Windows at work and at home, and I see first hand what each does well and not so well.

There is much less damage if one version of linux has a vulnerabilty, rather than the single OS than runs the vast majority of systems.

Also linux is more secure than windows in many ways. Not to say that it can't be broken, it has been, but it is much harder, due the kernel/userspace methods used in linux. Windows typically is much more open in terms of memory access, at least the desktop versions. You do NOT want everyone running root all the time like windows does. That way when a user DLs and runs a virus it is limited to that users space, and doesn't have access to the entire system.

The server windows do this pretty well, but it seems MS is of the opinion that consumers don't need that kind of security.. :/

It's gotten to the point that I just drop the cash for whatever tools it takes.  My time an't cheap, and the savings in time and aggrivation more than pays for the tool.  Plus it gives me an excuse to purchase a toy. . .

Linux isn't really the solution either.  It's a very powerful sledgehammer when all you need is something much smaller and simpler.  QNX is an example of one good solution.  You just need a TCP/IP stack to communicate over their network (since unfortunately many banks are now using IP networks and/or the Internet!), a display driver (it's mostly text with a few logos), a few I/O ports to control the money dispenser and card reader, a small amount of NVRAM (or something like it) for persistent storage, a time of day clock, and a simple 4x4 keyboard controller.  In the mid-80's I worked for a company that built an ATM for a local bank.  I built the controller board, wrote the software, and interfaced to the hardware.  Someone else built the physical front to the thing and a third person found all of the other hardware to use including the mag card reader and money counter.  It worked very well, but after we installed a six of them and the customer still hadn't paid us a penny, we gave-up on that business.  The local bank used those six for years until they were bought-out by someone that replaced them with ATM's with color screens.

What scares me more is why they're using Windows.  One of the justifications I've seen quoted from some of Diebold's management is that they can use non-college graduate VisualBasic programmers on their embedded system.  That's scary.  Some guy that's completed a six-week course on VisualBasic at a local tech school with no experience could be the person that's writing financial software or voting machine software.z

No there is no end to this, just like with cyphers, thus having each each branch of the service and each branch of goverment having a semi-custom OS isolates problems into that one area.

Just like in WWII, the Germans used Enigma Machines. Even though Enigma was a commercial system in use since the 1920's it still was a effective encoding system with very slight changes. BUT, once we broke the diplomatic service Enigma, it was very easy to break the Weremacht and Luftwaffe versions in a short amount of time. The Kriegsmarine though had comissioned a special Enigma just for its use that had 4 encyrption disks. Breaking it, even with intimate knowledge of the 3 disk Enigma machine, required another 3 years of work by several Nobel lauriate mathmaticians on both sides of the Atlantic AND the invention of the first digital computer "Cyclops" to accomplish.

And then it only worked because the Germans were so arregant that they never considered that their codes were broken. They became obsessed instead with hunting non-existant spies inside the Navy and the inteligance service. A very minor modification with Enigma would have rendered all the work to crack the Navy machine moot for months or even years. Much less a more extreme replacement like a five or six disk version

Shhh!  The "Natek,MD" lab is a secret.  So secret, they banned the whole city from being listed by Mapquest.

But I know where the real lab is.......BWAHAHAHAHAHA

The idea that Linux will suddenly start sprouting viruses if it's deployed by govt/business is laughable...

1) Virus writers NORMALLY target home users (both at home and on their 'home-ified' work PCs)... Exceptions include the Morris Worm (which was an accident) and Code Red (which was not)... But BugBear, Klez, ILOVEYOU, MS.Blast, and such were ALL targeted at home users...

2) If 'alternate device' prevalence was a factor, how come there are no Apache viruses (since a majority of websites run this system) - but there are IIS (MS webserver) viruses? How about a Cisco IOS (router OS) virus - that could wreak serious havoc on networks around the world, but no one's written one?

The fact is that some OS designs are more secure than others, and some are more convenient than others.

3) UNIX has had a few worms, but even back when there were more UNIX machines online than Windows ones, UNIX viruses could still be counted one one hand...

Basically, Windows is a consumer OS that has been crammed into all manner of other spots because (a) non-computer people like the convenience and the illusion that they know what the 'computer guys' are doing, (b) Microsoft needs continuing revenue (not complaining, just stating a fact), and (c) it takes less training to learn, so the 'I wanna be a computer tech' crowd all went to MS (cheap labor)...

The problem is that MS never really gave a rip about security until recently (it helps them sell upgrades), since they focused on (a) consumer sales (Win95, 'Start Me Up', people buying it who didn't have PCs), and (b) nerdy 'kewl' features like the ability to manipulate every part of the OS and every application with BASIC. It's just like a swiss army kife: the gadgets may be cool, but sometimes you just need a KNIFE (not a bottle-opener, cork screw, tweezers, but a KNIFE)...

The other problem with Windows is that all Windows machines are PCs (ex PocketPCs, and the almost-unused 'Embedded Windows'... Windows only runs on PCs, so you have PC ATMs, PC video game consoles (700mhz and a GF3... Heck, the full computer sells for as much as the game console), PC-PCs, PC web servers, and so on... Thus, a PC virus can run on any of the other devices it can access.

P.S. When Xbox Live gets popular enough, expect a slew of Xbox virii. They WILL be written (see above, it's a PC), and we'll have a lot of dead Xboxes (since your average games console kid will just go 'Mommy, it's broken)... I wouldn't be suprised if a PC virus infects the Xbox too, after all, Xbox is a PC.


4) The advantage to Linux in the types of applications discussed above is the very one that makes some of our members' skin crawl (paging BenDover, the professional programmer)... No one owns it, so anyone can tinker with it, and make their own specailized, incompatible version that won't accept viruses from the 'greater' installed base.

Also, because it runs on multiple hardware platforms, additional security is available by running on a non-Intel (PC) platform... You see, even though the OS is the same, an ARM, SPARC, Power, or MIPS hardware platform cannot run code compiled for an Intel (or any other foreign) platform... That means PC-linux viruses, if they existed in quantity, wouldn't affect ATMs, or other devices that have no business running on a PC platform...

As Muselix has pointed out the ATM industry is working at switching over to NT as a platform - having worked for Fujitsu on their ATMs I discovered this at the time the move was originally being planned.

One of the reasons I quit was because I didn't want to be involved in opening up the ATM network to NT with VB and it's security holes (at that time - about 5 years ago or so).

Still, I haven't seen many NT based machines  - yet.  I'm sure it will be simply a matter of time.  I'm not sure I understand fully the reason to switch from OS/2 to WinNT, but I guess in part it's the money issues.

When I can't find an OS/2 machine anymore, I'll have to go back to getting my cash directly from the back again.

wrong...  businesses and networks are the targets.  the method of delivery is email so letters are written to appeal to "average" people and infect individual machines...

by the way i have been employeed for many years as a network/computer technican...  linux does have it's strengths and uses but it is a niche o/s.  windows has it's weaknesses but it is on top, worldwide, due to natural selection...  windows machines become infected due to incompetency.

Your assesment would seem to be right on.  I found this comment over at Slashdot.



Do you ever get the feeling that one morning we're going to wake up and NOTHING that is based on a microprocessor is going to work?

If people don't start putting the stomp on microsoft, that could happen.

ATMs used to be firmware based but as consumers started demanding ATMs do more and cost less, the move to PC processor based machines was the only economically viable way to go. When ATMs began migrating from firmware based machines to OS/2 some years ago, everyone thought then that OS/2 would be the up and coming platform.  Obviously that was a wrong call.

IBM has announced that their support for OS/2 will end by, I think, 2005.  

The move to Windows based systems was strictly a market driven decision.  Think about it, have you ever tried to maintain a system that is proprietary and try to keep competent staff around to keep it going without your costs going through the roof?  The article mentions Diebold, think what if they went proprietary on their system and Fujitsu and NCR went with the lesser expensive Windows systems.  Diebold would die a quick death in the market now that many ATMs are being replaced due to the mandated Triple-DES PIN encryption (yes, I do know my ATM stuff).

The issue with viruses and worms is due to ATM drivers not adequately safeguarding their networks.  This is serious business and any firms that don't do that, are in big trouble.

Now, lets get back to talking AR-15s.

Respect for being having the credentials.
Diebold's managment is an interesting contradiction.  They aren't after community college folk.  They want serious brain power and will pay the price to get it.  But the software engineers are overruled by managers who have their first (and only) circuit board framed on the wall, and they are managed by guys who sold safes for a living.  They have no conception of the myriad of threats that an ATM in the wild face.  The salesman from Microsoft said their software was 'secure' that's good enough!

Corect me if I am wrong but Linux is an open operating system.  So if you start selling versions of Linux over the cost to produce it then you are in violation of internation law.  Or am I missing some thing.

I know of no such law. Linux is open source because the man who created it has refused to enforce any copyright.

None of these organizations or goverments who would take Linux as the basis for their own custom OS would ever SELL that. That would defeat the purpose. If you start selling it you go right back to the trap your in buying Microsoft over the counter. Instead they are just going to knuckle down and keep a staff programmer to modify Linux to their needs and KEEP modifiying it as the hackers try to get through it.

The license the Linux kernel and many of the utilities that run on it are made available under is the GNU General Public License (GPL) [url]http://www.gnu.org/licenses/licenses.html#TOCGPL[/url]
It states, in brief, that you are welcome to use the software, alter it to your own purposes, and even sell it, provided that when you do, you make the source code available.  Now, since everyone knows that Linux is freely available it is difficult to sell plain Linux, so companies like RedHat sell support.  

Just to clarify, the license Linux is released under, GNU General Public License, states that the copyright of the work remains with the author.  Even after altering the software, the original copyright holds.  You just own the changes.  There are other licenses, notably the BSD license, that do not enforce copyright.  That's why the Windows NT-2000 TCP/IP stack is remarkably similar to the one originally appearing in BSD's implementation of *nix.