funsec mailing list archives

Re: Windows-based cash machines 'easily hacked'


From: "Kitsune" <kitsune () sbcglobal net>
Date: Tue, 18 Mar 2008 10:18:17 -0700

"can they" the ATM, reach the internet. no, I really doubt they could, as I've said before, they are XPe. One would 
hope they didnt compile in IE into the runtime..

Yet by many vectors, other devices/desktops in the network can reach the internet, get "infected" and start whatever 
it does to try and infect everything it can find.

The number is larger than zero. As another poster said, why make it easy?

  ----- Original Message ----- 
  From: Dennis Henderson 
  To: Kitsune 
  Cc: funsec () linuxbox org 
  Sent: Tuesday, March 18, 2008 9:40 AM
  Subject: Re: [funsec] Windows-based cash machines 'easily hacked'

  On Tue, Mar 18, 2008 at 10:27 AM, Kitsune <kitsune () sbcglobal net> wrote:

    I didn't mean to imply that I could reach (ping) ATMs that were not part of the customer's network (i.e. STAR, MAC, 
etc.). But to imply that the physical location is irrelevant. If it is the customer's machine, it is on (one of) their 
networks, which makes it reachable.

  Perhaps we're talking past each other. Yes, our ATMs are on our company managed networks. Are they reachable by 
someone on the WAN? No. Can they talk to anything but the devices they need to talk to for transactions and monitoring? 
No. Can they reach the Internet?

  Hell no.

  :)

  But that's just one layer of the whole security model...


        Perhaps your ATMs are on your WAN. Not all banks share your strategy. Some banks have far more ATMs deployed 
at gas stations and malls than branches. Makes the isolated network strategy very easy to pull off.

        kit> I am not the bank, but a contractor. I am also in the US, YMMV. On many of my customers' networks, I can 
easily reach (ping) every ATM in every mall and gas station and branch from any other part of the network. I'm not 
trying to toot my own horn, for I have none, but my customers are quite large. And stupid.

    _______________________________________________
    Fun and Misc security discussion for OT posts.
    https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
    Note: funsec is a public and open mailing list.
