Interesting People mailing list archives
more on Diebold ATMs hit by Nachi worm (RISKS-23.04) Risks Digest 23.06
From: Dave Farber <dave () farber net>
Date: Tue, 09 Dec 2003 18:27:44 -0500
Date: Sat, 29 Nov 2003 00:31:01 -0500
From: "Russ" <Russ.Cooper () rc on ca>
Subject: Re: Diebold ATMs hit by Nachi worm (RISKS-23.04)

Lest we forget, this is the "Risks Forum", not some weekday morning kids show.

Steve Summit is "astonished" that a commercial product running on a Windows platform was affected by Nachi. This after how many months? This despite the fact that I could attribute problems with an infinite number of commercial IT products to the effect Nachi created?

Oh, I'm sorry, but this is the "Risks Forum". Are many here surprised that Diebold sold "default installations" of its product on a Windows platform which was improperly designed? Are many here surprised that people bought the equivalent of the "off-the-shelf" version?

Since they affirm the ATM was "infected", that means it accepted an inbound connection to TCP135. Now maybe some don't know, but I can see no reason why anything should be querying an ATM, for any reason, least of all via such a sensitive protocol.

Now if you didn't know before, you may have learned from recent discussions about the August 2003 blackout, you don't query the endpoint. It either tells you its status, or you assume it's dead. Either way, you're in control. Do I want to control an ATM's status, or do I want it to explain its status to me? If I'm not getting expected information from such a front line device, I, as a backend server, am simply going to stop listening to it and page a tech. Not sending expected info, or sending unexpected info, denote a problem...send the technician.

I can't think of a reasonable design that involves the backend sending uninitiated queries to the ATM, ergo, there's no reason the ATM was left listening for inbound TCP135 queries. That's a design problem, not a problem with the OS or its components. That such devices are now placed on the same network as devices to which can be attached Nachi infected systems is, well, a problem.

It's one thing to shut down ATMs because their backend servers can't be reached due to network congestion, it's another thing to have an ATM compromised directly.

Diebold's designed default installation clearly isn't intended to minimize risk, it's intended to minimize support problems from customers who attempt to implement their product insecurely. Imagine if they disabled inbound TCP135 attempts. During implementation they'd get a surge of support calls from less than qualified implementers claiming they couldn't connect to the ATM remotely in order to configure it...;-]

Bottom line, is the risk here just not the unfortunately common risk that if I'm stupid I can blame someone else for not telling me I was stupid? If that isn't the risk, then the risk is that commercial vendors still allow me to shoot myself in the foot, and the media could make such wounds fester.

Russ - NTBugtraq Editor

------------------------------

Date: Tue, 09 Dec 2003 11:00:36 -0500
From: Lillie Coney <lillie.coney () acm org>
Subject: Re: Diebold ATMs hit by Nachi worm (RISKS-23.04)

Computer security experts predicted more problems to come as Windows migrates to critical systems consumers rely on. Bruce Schneier is quoted: "Specific purpose machines, like microwave ovens and until now ATM machines, never got viruses. Now that they are using a general purpose operating system, Diebold should expect a lot more of this in the future."

John Pescatore, an analyst at Gartner, agreed. "It's a horrendous security mistake," he said, of specific-purpose machines like ATMs running Windows, written for general purpose computers and for which Microsoft Corp. releases security fixes on a regular basis. "I'm a lot more worried about my money than I was before this."

Diebold switched from using IBM's OS/2 on its ATMs because banks were requesting Windows, said Steve Grzymkowski, senior product marketing manager at Diebold.
[Source: Experts Worried After Worm Hits Windows-Based ATMs, Elinor Mills Abreu, Reuters, 8 Dec 2003; PGN-ed]
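
The design argued for in the first message above (the endpoint reports its own status, and silence or unexpected data means stop listening and send a technician), sketched as an added example that is not part of the original posts. The class name, status vocabulary, timing values and sample reports are all assumptions constructed for illustration.

```python
HEARTBEAT_INTERVAL = 30   # seconds between status reports (assumed value)
MISSED_LIMIT = 3          # silent intervals before an endpoint is presumed dead (assumed)
EXPECTED_STATES = {"IN_SERVICE", "LOW_CASH", "OUT_OF_SERVICE"}  # hypothetical vocabulary


class PushOnlyMonitor:
    """Backend that only receives status; it never opens a connection to an ATM."""

    def __init__(self, atm_ids, now):
        # Enrolled endpoints start their silence clock at enrolment time,
        # so one that never reports at all is still caught by sweep().
        self.last_seen = {atm_id: now for atm_id in atm_ids}
        self.quarantined = {}  # atm_id -> reason a technician was paged

    def receive(self, now, atm_id, state):
        """Handle a status report that the endpoint itself initiated."""
        if atm_id not in self.last_seen:
            return "rejected"            # not an enrolled endpoint
        if atm_id in self.quarantined:
            return "ignored"             # stopped listening until a tech clears it
        if state not in EXPECTED_STATES:
            self.quarantined[atm_id] = "unexpected status %r" % state
            return "page-tech"
        self.last_seen[atm_id] = now
        return "ok"

    def sweep(self, now):
        """Timer-driven: presume dead any endpoint that has gone silent."""
        limit = HEARTBEAT_INTERVAL * MISSED_LIMIT
        paged = []
        for atm_id, seen in sorted(self.last_seen.items()):
            if atm_id not in self.quarantined and now - seen > limit:
                self.quarantined[atm_id] = "silent for %ds" % (now - seen)
                paged.append(atm_id)
        return paged


def run_demo():
    # Constructed sample reports: (time in seconds, endpoint id, status).
    reports = [(10, "atm-01", "IN_SERVICE"), (12, "atm-02", "IN_SERVICE"),
               (40, "atm-01", "LOW_CASH"), (42, "atm-02", "GARBLED"),
               (70, "atm-01", "IN_SERVICE"), (72, "atm-02", "IN_SERVICE"),
               (75, "atm-99", "IN_SERVICE")]
    mon = PushOnlyMonitor(["atm-01", "atm-02", "atm-03"], now=0)
    results = [mon.receive(t, a, s) for t, a, s in reports]
    return results, mon.sweep(100), mon.sweep(200), mon.quarantined
```

Because every decision is driven by what the endpoint sends or fails to send, nothing in this design requires the ATM to accept an inbound connection.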