funsec mailing list archives

Re: Windows-based cash machines 'easily hacked'


From: "Kitsune" <kitsune () sbcglobal net>
Date: Tue, 18 Mar 2008 08:16:54 -0700


  ----- Original Message ----- 
  From: Dennis Henderson 
  To: Kitsune 
  Cc: funsec () linuxbox org 
  Sent: Tuesday, March 18, 2008 7:59 AM
  Subject: [Bulk] Re: [funsec] Windows-based cash machines 'easily hacked'





  On Tue, Mar 18, 2008 at 6:58 AM, Kitsune <kitsune () sbcglobal net> wrote:

    ----- Original Message -----
    From: "Dennis Henderson" <hendomatic () gmail com>

    To: <Valdis.Kletnieks () vt edu>; "der Mouse" <mouse () rodents montreal qc ca>;
    <funsec () linuxbox org>
    Sent: Tuesday, March 18, 2008 4:28 AM
    Subject: Re: [funsec] Windows-based cash machines 'easily hacked'


    > and lives on an isolated network,


    "All of your slightly informed ranting on ATMs is very amusing."


    Which isolated network are you speaking of? They are part of the branch's
    network, connected to the same switch, router and cloud as all of the other
    branch IT infrastructure.


  Perhaps your ATMs are on your WAN. Not all banks share your strategy. Some
  banks have far more ATMs deployed at gas stations and malls than branches.
  Makes the isolated network strategy very easy to pull off.

  kit> I am not the bank, but a contractor. I am also in the US, YMMV. On many
  of my customers' networks, I can easily reach (ping) every ATM in every mall
  and gas station and branch from any other part of the network. I'm not
  trying to toot my own horn, for I have none, but my customers are quite
  large. And stupid.

  There are several ways to deploy ATM technology. There are also other
  vendors than NCR that have different priorities about ATM security.

  kit> Neither NCR, Diebold, Fujitsu nor any ATM vendor delegates the ATM
  security of the customer. They are also but a contractor.

  Since the ATM is a potential external entrance point into a network, it
  should be treated as untrusted or semi-trusted and deployed in a manner
  consistent with the networking trust model. If you're not doing that, then
  you should be. Securing the money is not the only priority here.

  If you're simply letting your vendor make all the decisions about your ATMs
  then you're not really doing everything you can to make them as secure as
  they can be.

  kit> It is the bank that is letting this go. They make plans with no understanding. Seen it in action. Daily.

  Vendors can and will partner with you on security strategy and it is
  possible to reasonably secure these devices. Not perfectly, but commercially
  reasonably. You can push the threat vectors and the threat probabilities
  down into levels that are manageable.




    Many of those desktops can reach the internet with ease. Can you say
    'vector'? I knew you could.



  Read above.


    The days of multi-drop SDLC and bisync isolated ATM networks are long gone.


  That is true, nevertheless, read above.

  Dennis
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
