more on Diebold ATMs hit by Nachi worm (RISKS-23.04) Risks Digest 23.06

[Dave Farber <dave () farber net>]

Date: Sat, 29 Nov 2003 00:31:01 -0500
From: "Russ" <Russ.Cooper () rc on ca>
Subject: Re: Diebold ATMs hit by Nachi worm (RISKS-23.04)

Lest we forget, this is the "Risks Forum", not some weekday morning kids show.

Steve Summit is "astonished" that a commercial product running on a Windows
platform was affected by Nachi. This after how many months? This despite the
fact that I could attribute problems with an infinite number of commercial
IT products to the effect Nachi created? Oh, I'm sorry, but this is the
"Risks Forum".

Are many here surprised that Diebold sold "default installations" of its
product on a Windows platform which was improperly designed? Are many here
surprised that people bought the equivalent of the "off-the-shelf" version?

Since they affirm the ATM was "infected", that means it accepted an inbound
connection to TCP135. Now maybe some don't know, but I can see no reason why
anything should be querying an ATM, for any reason, least of all via such a
sensitive protocol. Now if you didn't know before, you may have learned from
recent discussions about the August 2003 blackout, you don't query the
endpoint. It either tells you its status, or you assume its dead. Either
way, you're in control. Do I want to control an ATM's status, or do I want
it to explain its status to me? If I'm not getting expected information from
such a front line device, I, as a backend server, am simply going to stop
listening to it and page a tech. Not sending expected info, or sending
unexpected info, denote a problem...send the technician. I can't think of a
reasonable design that involves the backend sending uninitiated queries to
the ATM, ergo, there's no reason the ATM was left listening for inbound
TCP135 queries. That's a design problem, not a problem with the OS or its
components.

That such devices are now placed on the same network as devices to which can
be attached Nachi infected systems is, well, a problem. Its one thing to
shut down ATMs because their backend servers can't be reached due to network
congestion, its another thing to have an ATM compromised directly. Diebold's
designed default installation clearly isn't intended to minimize risk, its
intended to minimize support problems from customers who attempt to
implement their product insecurely.

Imagine if they disabled inbound TCP135 attempts. During implementation
they'd get a surge of support calls from less than qualified implementers
claiming they couldn't connect to the ATM remotely in order to configure
it...;-]

Bottom line, is the risk here just not the unfortunately common risk that if
I'm stupid I can blame someone else for not telling me I was stupid? If that
isn't the risk, then the risk is that commercial vendors still allow me to
shoot myself in the foot, and the media could make such wounds fester.

Russ - NTBugtraq Editor

------------------------------

Date: Tue, 09 Dec 2003 11:00:36 -0500
From: Lillie Coney <lillie.coney () acm org>
Subject: Re: Diebold ATMs hit by Nachi worm (RISKS-23.04)

Computer security experts predicted more problems to come as Windows
migrates to critical systems consumers rely on.  Bruce Schneier is quoted:
"Specific purpose machines, like microwave ovens and until now ATM machines,
never got viruses.  Now that they are using a general purpose operating
system, Diebold should expect a lot more of this in the future."  John
Pescatore, an analyst at Gartner, agreed.  "It's a horrendous security
mistake," he said, of specific-purpose machines like ATMs running Windows,
written for general purpose computers and for which Microsoft Corp. releases
security fixes on a regular basis. "I'm a lot more worried about my money
than I was before this."  Diebold switched from using IBM's OS/2 on its ATMs
because banks were requesting Windows, said Steve Grzymkowski, senior
product marketing manager at Diebold.  [Source: Experts Worried After Worm
Hits Windows-Based ATMs, Elinor Mills Abreu, Reuters, 8 Dec 2003; PGN-ed]

-------------------------------------
You are subscribed as interesting-people () lists elistx com
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/