Jul 29 2010

Hacker finds a way into ATM computers

Category: CybercrimeDISC @ 6:23 pm
Nice ATM
Image via Wikipedia

Understanding and Managing Cybercrime

by Jordan Robertson
A hacker has discovered a way to force ATMs to disgorge their cash by hijacking the computers inside them.

The attacks demonstrated Wednesday at a security conference were done at stand-alone ATMs. But they could potentially be used against the ATMs operated by mainstream banks, the hacker said.

Criminals use many ways to tamper with ATMs, ranging from sophisticated to foolhardy: installing fake card readers to steal card numbers, and even hauling the machines away with trucks in hopes of cracking them open later.

Computer hacker Barnaby Jack spent two years tinkering in his Silicon Valley apartment with ATMs he bought online. These were stand-alone machines, the type seen in front of convenience stores, rather than the ones in bank branches.

His goal was to find ways to take control of ATMs by exploiting weaknesses in the computers that run the machines.

He showed off his results at the Black Hat conference, an annual gathering devoted to exposing the latest computer-security vulnerabilities.

In one demonstration Tuesday, Jack, director of security research for IOActive Inc. in Seattle, showed how to get ATMs to spit out money:

He found that the physical keys that came with his machines were the same for all ATMs of that type made by that manufacturer. He figured this out by ordering three ATMs from different manufacturers for a few thousand dollars each. Then he compared the keys he got with pictures of other keys, found on the Internet.

He used his key to unlock a compartment in the ATM that had standard USB slots. He then inserted a program he had written into one of them, commanding the ATM to dump its vaults.

This article appeared on page D – 6 of the San Francisco Chronicle

Tags: ATM, Automated teller machine, Barnaby Jack, BlackHat, Computer security, San Francisco Chronicle, Seattle, Silicon Valley

Jan 06 2010

Automated polls not hack-proof

Category: Information SecurityDISC @ 3:39 pm

6 machines
Image by Valerie Reneé via Flickr

By Andreo Calonzo

The system that will be used in the May 2010 automated elections is not hack-proof, but adequate safeguards are in place to protect the results from hackers, the Commission on Elections (Comelec) assured Wednesday.

“I am not saying that the system cannot be hacked. No system is 100-percent hack-proof. I am just saying that we have made sure that the system will not be hacked,” Comelec spokesperson James Jimenez said.

Jimenez gave the assurance after three government Web sites were hacked in less than two weeks, the latest of which was that of the National Disaster Coordinating Council (NDCC).

Last week, the Web sites of the Department of Health (DOH) and the Department of Social Welfare and Development (DSWD) were also victimized by hackers.

Jimenez said the system to be used in the coming automated elections would operate on a “virtual private network,” making it difficult for hackers to bypass the system’s security mechanisms.

“It’s like trying to rob a house, but you don’t even know where its exact location is,” he said in Filipino.

Jimenez also explained that the “real time” transmission of the results would make hacking more difficult.

“Our machines transmit for only two minutes. That’s too fast. In order to actually decode the data, it will take you something like three years. If you only have two minutes to do it, you do not have enough time,” he said.

But Jimenez conceded that hacking could happen at the municipal level. “The possibility of hacking is greatest at the municipal level, because it is the one most visible to the public.”

He said to prevent this, the poll body would use two other independent servers, one to a central server and another to a server assigned to media groups, accredited citizens’ arm and political parties.

“If you hack the municipal server, and if you hack the municipal server results, you are not hacking the reports of the other servers,” he said.

“If one report is hacked, this doesn’t mean that you have hacked everything. In fact, if one report is hacked, the tampering becomes more evident because there are other reports to contradict it,” he added.

An American company, Systest Laboratories in Colorado, is currently verifying the security and accuracy of the source code to be used in the automated counting machines, according to Comelec commissioner Gregorio Larrazabal. – KBK/RSJ, GMANews.TV

Tags: automated pollling machine, Colorado, Department of Health, Department of Social Welfare and Development, DSWD, hacker, Hacking, National Disaster Coordinating Council, Polling place, Seattle, United States, Voting