funsec mailing list archives
Re: Windows-based cash machines 'easily hacked'
From: "Dennis Henderson" <hendomatic () gmail com>
Date: Tue, 18 Mar 2008 09:59:58 -0500
On Tue, Mar 18, 2008 at 6:58 AM, Kitsune <kitsune () sbcglobal net> wrote:
----- Original Message -----
From: "Dennis Henderson" <hendomatic () gmail com>
To: <Valdis.Kletnieks () vt edu>; "der Mouse" <mouse () rodents montreal qc ca>; <funsec () linuxbox org>
Sent: Tuesday, March 18, 2008 4:28 AM
Subject: Re: [funsec] Windows-based cash machines 'easily hacked'

and lives on an isolated network,

"All of your slightly informed ranting on ATMs is very amusing." Which isolated network are you speaking of? They are part of the branch's network, connected to the same switch, router and cloud as all of the other branch IT infrastructure.
Perhaps your ATMs are on your WAN. Not all banks share your strategy. Some banks have far more ATMs deployed at gas stations and malls than branches. Makes the isolated network strategy very easy to pull off. There are several ways to deploy ATM technology. There are also other vendors than NCR that have different priorities about ATM security. Since the ATM is a potential external entrance point into a network, it should be treated as untrusted or semi-trusted and deployed in a manner consistent with the networking trust model. If you're not doing that, then you should be. Securing the money is not the only priority here. If you're simply letting your vendor make all the decisions about your ATMs then you're not really doing everything you can to make them as secure as they can be. Vendors can and will partner with you on security strategy and it is possible to reasonably secure these devices. Not perfectly, but commercially reasonably. You can push the threat vectors and the threat probabilities down into levels that are manageable.
Many of those desktops can reach the internet with ease. Can you say 'vector'? I knew you could.
Read above.
The days of multi-drop SDLC and bisync isolated ATM networks are long gone.
That is true, nevertheless, read above.

Dennis