Jul 29 2010

Hacker finds a way into ATM computers

Category: CybercrimeDISC @ 6:23 pm
Nice ATM
Image via Wikipedia

Understanding and Managing Cybercrime

by Jordan Robertson
A hacker has discovered a way to force ATMs to disgorge their cash by hijacking the computers inside them.

The attacks demonstrated Wednesday at a security conference were done at stand-alone ATMs. But they could potentially be used against the ATMs operated by mainstream banks, the hacker said.

Criminals use many ways to tamper with ATMs, ranging from sophisticated to foolhardy: installing fake card readers to steal card numbers, and even hauling the machines away with trucks in hopes of cracking them open later.

Computer hacker Barnaby Jack spent two years tinkering in his Silicon Valley apartment with ATMs he bought online. These were stand-alone machines, the type seen in front of convenience stores, rather than the ones in bank branches.

His goal was to find ways to take control of ATMs by exploiting weaknesses in the computers that run the machines.

He showed off his results at the Black Hat conference, an annual gathering devoted to exposing the latest computer-security vulnerabilities.

In one demonstration Tuesday, Jack, director of security research for IOActive Inc. in Seattle, showed how to get ATMs to spit out money:

He found that the physical keys that came with his machines were the same for all ATMs of that type made by that manufacturer. He figured this out by ordering three ATMs from different manufacturers for a few thousand dollars each. Then he compared the keys he got with pictures of other keys, found on the Internet.

He used his key to unlock a compartment in the ATM that had standard USB slots. He then inserted a program he had written into one of them, commanding the ATM to dump its vaults.

This article appeared on page D – 6 of the San Francisco Chronicle

Tags: ATM, Automated teller machine, Barnaby Jack, BlackHat, Computer security, San Francisco Chronicle, Seattle, Silicon Valley

Mar 17 2009

Congressional data mining and security

Category: Information SecurityDISC @ 12:42 am

Data mining
Image by moonhouse via Flickr
“By slipping a simple, three-sentence provision into the gargantuan spending bill passed by the House of Representatives last week, a congressman from Silicon Valley is trying to nudge Congress into the 21st Century. Rep. Mike Honda (D-Calif.) placed a measure in the bill directing Congress and its affiliated organs — including the Library of Congress and the Government Printing Office — to make its data available to the public in raw form. This will enable members of the public and watchdog groups to craft websites and databases showcasing government data that are more user-friendly than the government’s own.”

Would be great if this passes BUT, Government would have to have security provisions so hackers could not manipulate databases in this case raw data. Without proper controls, databases can be easily modified and stolen, so before making the raw data available to public, Congress might need a comprehensive legislation to protect the confidentiality, integrity and availability of the data.

Security principles and controls which should be considered in database legislation?
• Principles of least privilege
• Separation of duties
• Defense in depth at every level
• Strong auditing and monitoring controls
• Security risk assessment to assess risks based on ISO 27002 and NIST 800-53
• Comprehensive risk management program to manage risks

Congressional Data Mining: Coming Soon? (Mother Jones)


Reblog this post [with Zemanta]

Tags: Business, Data mining, database, defense in depth, iso 27002, Mike Honda, National Institute of Standards and Technology, Risk Assessment, Risk management, Security, separation of duities, Silicon Valley