----- Original Message ----- 
  From: Dennis Henderson 
  To: Kitsune 
  Cc: [email protected] 
  Sent: Tuesday, March 18, 2008 7:59 AM
  Subject: [Bulk] Re: [funsec] Windows-based cash machines 'easily hacked'





  On Tue, Mar 18, 2008 at 6:58 AM, Kitsune <[EMAIL PROTECTED]> wrote:

    ----- Original Message -----
    From: "Dennis Henderson" <[EMAIL PROTECTED]>

    To: <[EMAIL PROTECTED]>; "der Mouse" <[EMAIL PROTECTED]>;
    <[email protected]>
    Sent: Tuesday, March 18, 2008 4:28 AM
    Subject: Re: [funsec] Windows-based cash machines 'easily hacked'


    > and lives on an isolated network,


    "All of your slightly informed ranting on ATMs is very amusing."


    Which isolated network are you speaking of? They are part of the branch's
    network, connected to the same switch, router and cloud as all of the other
    branch IT infrastructure.


  Perhaps your ATMs are on your WAN. Not all banks share your strategy. Some 
banks have far more ATMs deployed at gas stations and malls than branches. 
Makes the isolated network strategy very easy to pull off.

  kit> I am not the bank, but a contractor. I am also in the US, YMMV. On many 
of my customers' networks, I can easily reach (ping) every ATM in every mall 
and gas station and branch from any other part of the network. I'm not trying 
to toot my own horn, for I have none, but my customers are quite large. and 
stupid.

  There are several ways to deploy ATM technology. There are also other 
vendors than NCR that have different priorities about ATM security.

  kit> Neither NCR, Diebold, Fujitsu or any ATM vendor delegates the ATM 
security of the customer. They are also but a contractor.

  Since the ATM is a potential external entrance point into a network, it 
should be treated as untrusted or semi-trusted and deployed in a manner 
consistent with the networking trust model. If you're not doing that, then you 
should be. Securing the money is not the only priority here.

  If you're simply letting your vendor make all the decisions about your ATMs 
then you're not really doing everything you can to make them as secure as they 
can be.

  kit> it is the bank that is letting this go. They make plans with no 
understanding. Seen it in action. Daily.

  Vendors can and will partner with you on security strategy and it is possible 
to reasonably secure these devices. Not perfectly, but commercially reasonably. 
You can push the threat vectors and the threat probabilities down into levels 
that are manageable. 




    Many of those desktops can reach the internet with ease. Can you say
    'vector'? I knew you could.



  Read above.


    The days of multi-drop SDLC and bisync isolated ATM networks are long gone.


  That is true, nevertheless, read above.

  Dennis
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
