 SteveI know your IP addressConsultant
join:2001-03-10
Yorba Linda, CA
kudos:5 | reply to SUMware
Re: Windows XP Cash Machines Can Steal Your PIN Well the most recent ATM "hack" (which was the first one you posted) involved physically hacking the machine: it doesn't matter that the guy replaced isadmin or did whatever else. No OS can withstand this kind of attack.
The second article addresses two points: an unencrypted IP network (which seems unrelated to Windows), and Nachi/Welchia/Slammer worm attacks on ATM networks.
Of all these points, only the last really weighs in on the issue of OS security, and it's not at all dispositive. It's obviously Microsoft's bug if they have a remotely exploitable flaw, but does this obviate any responsibility for a financial network designer to reduce attack surfaces? To turn off services you don't need? To patch issues you know are important?
In an engagement some years ago, I more or less completely penetrated the network used by Standard & Poors to distribute stock quote information to subscribers: by hacking one machine, I was able to pop my head up inside the network of some very large institutions who had no idea that they were at such risk.
The device in question ran Linux, had services enabled by default, and had not been patched recently, but never once in the years since this event did I associated the problem with Linux.
It was the people who built the devices who were simply shockingly careless, and would have made the same mistakes with any other OS.
I don't mind blaming Microsoft (or any vendor) for stuff they actually get wrong, but it's intellectually dishonest to stop the search for information once you learn that MSFT is involved and just assume it's their fault.
Steve
--
Stephen J. Friedl | Unix Wizard | Microsoft Security MVP | Orange County, California USA | my web site |
|
|
|
SUMwarePremium
join:2002-05-21
kudos:2
2 edits | I did not post that originally. |
|
SteveI know your IP addressConsultant
join:2001-03-10
Yorba Linda, CA
kudos:5 | Ok, inartful wording.
The incident to which your first quoted article referred is the same one discussed in the Security forum, and it involved a physical-access hack.
--
Stephen J. Friedl | Unix Wizard | Microsoft Security MVP | Orange County, California USA | my web site |
|
SUMwarePremium
join:2002-05-21
kudos:2
2 edits | reply to Steve
From TweakTown
June 5, 2009 - quote:
Flaw in XP lets malware steal PIN Numbers
There is a hack that has been put into place on ATM (Automated Teller Machines)using windows XP as an OS that allows for malicious persons to recover account and PIN numbers directly from the machine.
The hack is most likely inserted using a compromised card that when read by the ATM causes the infection to begin. Once the virus is in play it replaces the isadmin.exe file which then replaces the lass.exe file.
Once the infection has run its course another “control” card can be used to harvest the information gathered. According to the report the card can even eject the cash box on the ATM.
From TG Daily
June 04, 2009 - quote:
Windows XP-Based ATMs Targeted by Hackers
The malware contains advanced management functionality allowing the attacker to gain full control of the compromised ATM through a customized user interface built into the malware. This is accessible by inserting controller cards into the ATM’s card reader.
Analysts do not believe the malware includes networking functionality that would allow it to send harvested data to other, remote locations via the Internet, but does allow for the output of harvested card data via the ATM’s receipt printer or by writing the data to an electronic storage device inserted into the ATM’s card reader. Analysts also discovered code enabling the malware to eject the cash dispensing cassette.
"This malware is unlike any we have ever had experience with. It allows the attacker to gain complete control over the ATM to obtain track data, Pins and cash from each infected machine," said TrustWave.
"We believe the current attack vector is an early version of the malware sample, and future attacks will add functionality such as propagation via the ATM network. If an attacker can gain access to one machine, the malware will evolve and propagate automatically to other systems."
The malware is installed and activated through a dropper file called isadmin.exe. It is a Borland Delphi Rapid Application Development (RAD) executable.
Executing the dropper file produces the malware file lsass.exe within the C:\WINDOWS directory of the compromised system and does so via functionality provided by a Windows API. Once the malware is extracted, the dropper proceeds to manipulate the Protected Storage service that normally handles the legitimate lsass.exe executable, located in the C:\WINDOWS\system32 directory to point at the newly created malware.
The service is also configured to automatically restart in the event that it crashes, ensuring that the malware remains active.
From IT Pro
4 Jun 2009 - quote:
Malware allows criminals to control cash machines
Trustwave Report (pdf)
The company also said that it had collected multiple versions of the malware and felt that over time it could evolve and infect a more widespread number of ATMs.
From BankInfoSecurity
June 8, 2009 - quote:
ATM Fraud: 7 Growing Threats to Financial Institutions
#7. Malware -- That report from SpiderLabs isn't the only malware found. Sophos researchers in March say they found a Trojan specifically designed to steal information from Diebold ATM users that had infected several ATMs in Russia. SpiderLabs researchers explain the Trojan collects magnetic stripe data and PINs from the Windows XP-based ATM's transaction application's private memory space. Researchers found it came with its own management function that allows the attacker take over the ATM with a custom interface that may controlled by the attacker when they insert a controller card into the ATM card reader. Both research arms say that they expect the Trojans they discovers to evolve and spread, infecting more ATMs. Trustwave recommends that all financial institutions with ATMs perform analysis to identify if this malware or similar malware is present.
[some emphasis added] |
|
SteveI know your IP addressConsultant
join:2001-03-10
Yorba Linda, CA
kudos:5 | You seem positively determined to make this about Microsoft, but it's not. I wrote about this in the Security forum, and the speculation: said by your quoted article :
The hack is most likely inserted using a compromised card that when read by the ATM causes the infection to begin. is almost certainly not true.
A magstripe card can hold at best 200 bytes of data, so getting 11k or so bytes of isadmin.exe onto the machine that way seems like a serious stretch.
But later we learn that this hack did indeed involve physically breaking into the machine - that's how the bad stuff got installed into the OS. Once it's on the machine, no other details really matter.
Now I'm sympathetic to disbelieving anything Diebold says (shall we take a vote on that?), but I'm really, really skeptical how this could be done with a cardswipe.
---
The larger point here is that properly determining culpability is important, and it certainly has nothing to do with keeping a good image on the face of a favored vendor, or maintaining bragging rights in Linux versus Windows.
If you mis-assess the reason for a security compromise, you are less likely to take steps to protect yourself properly in the future by spending time on stuff that doesn't matter.
In the case of the ATM hack, it involved physical access and expertise in how the particular machines operated. Does anybody really believe that changing the OS to Linux would have made any difference to the skilled bad guys?
Steve
--
Stephen J. Friedl | Unix Wizard | Microsoft Security MVP | Orange County, California USA | my web site |
|
 MattAll noise, no signal.Premium
join:2003-07-20
Jamestown, NC
kudos:12 | said by Steve:You seem positively determined to make this about Microsoft, but it's not. That sounds positively shilly there Steve 
Personally, I think Sumware and Matunga are the same guy. They are both equally zealous if a bit misguided -- a ying and yang if you will. 
As to the original article, that's neat. Linux does a lot of neat things and is perfect for most embedded applications. |
|
| said by Matt:Personally, I think Sumware and Matunga are the same guy. They are both equally zealous if a bit misguided -- a ying and yang if you will. Now that's a low blow, no matter how you look at it.
SUMware  may be an unabashed Linux advocate, but he will always engage in discussions of his posts, which are usually informative at least, and legitimate. Matunga's 'smear-and-run' posts are quite a different animal.
I think you owe SUMware an apology for that comparison.
|
|
SteveI know your IP addressConsultant
join:2001-03-10
Yorba Linda, CA
kudos:5 | said by Lurkarooski : I think you owe SUMware an apology for that comparison. As do I; this is not even close. |
|
MattAll noise, no signal.Premium
join:2003-07-20
Jamestown, NC
kudos:12 | said by Steve:said by Lurkarooski : I think you owe SUMware an apology for that comparison. As do I; this is not even close. From what I have seen of both, neither are open minded to dissenting opinions. I was merely attempting to illustrate that Matunga is as anti-Linux as Sumware is anti-Microsoft. |
|
SteveI know your IP addressConsultant
join:2001-03-10
Yorba Linda, CA
kudos:5 | said by Matt: From what I have seen of both, neither are open minded to dissenting opinions. I was merely attempting to illustrate that Matunga is as anti-Linux as Sumware is anti-Microsoft. No: SUMware has a strident view, but he sticks around to at least attempt to defend his position.
matunga engages in drive-by shillery. |
|
MattAll noise, no signal.Premium
join:2003-07-20
Jamestown, NC
kudos:12 | said by Steve:said by Matt: From what I have seen of both, neither are open minded to dissenting opinions. I was merely attempting to illustrate that Matunga is as anti-Linux as Sumware is anti-Microsoft. No: SUMware has a strident view, but he sticks around to at least attempt to defend his position. matunga engages in drive-by shillery. I agree with that. Although I think both methods are disingenuous.
Regardless, it was tongue in cheek as I don't actually think they are the same person. So if I offended anyone, I apologize. |
|
SUMwarePremium
join:2002-05-21
kudos:2
1 edit | reply to Steve
I AM NOT, NOR HAVE I EVER BEEN, matunga. I promise! Geez!
Yes, I strongly support FOSS. Guilty.
Yes, I find many of MS' well documented tactics unappealing and frequently skirting legality, if not plunging overboard. Groklaw and numerous others have published the sordid details over the years.
said by Steve:said by Lurkarooski : I think you owe SUMware an apology for that comparison. As do I; this is not even close. Thank you, you are gentlemen. Sorry about being strident, Steve.
said by Matt:Although I think both methods are disingenuous. strident - loud, harsh, grating, or shrill; discordant. See Synonyms at loud, vociferous.
vociferous - loud and forceful
disingenuous - not straightforward or candid; insincere or calculating
Disingenuous? I strive to be accurate and clear.
said by Matt:So if I offended anyone, I apologize. Anyone in particular? |
|
SUMwarePremium
join:2002-05-21
kudos:2 | reply to Matt
Never mind. Forget it.
matunga, really. geez. |
|
