Computer security experts of all types, from hackers, crackers, and phreaks to security researchers and law enforcement officials, descended on Las Vegas last week for the annual Black Hat and DefCon security conferences. It is probably no coincidence that an attacker also chose last week to plant phony ATMs around Las Vegas in an attempt to capture account and PIN information and withdraw money from the compromised accounts.
Perhaps the attacker saw it as a personal challenge to "hack the hackers" and test whether these security hobbyists and experts could detect an attempt to pull the wool over their eyes. The ironic part is that a presentation by Juniper's Barnaby Jack on exploiting a flaw in certain ATMs had been scheduled for Black Hat, but it was canceled at the request of an ATM vendor.
The presentation focused on exploiting vulnerabilities in devices running the Windows CE operating system. Many ATMs rely on Windows CE, so divulging the attack publicly could have had dire consequences. Juniper's director of corporate social media relations, Brendan Lewis, wrote a post on Juniper's official blog stating: "To publicly disclose the research findings before the affected vendor could properly mitigate the exposure would have potentially placed their customers at risk. That is something we don't want to see happen."
That seems very altruistic on the part of Juniper and Barnaby Jack, considering that Juniper notified the vendor of the vulnerability more than eight months ago. It wasn't as if it were a zero-day exploit or a sudden shock to the vendor. Canceling the presentation keeps the flaw out of public knowledge, but the fact that the researchers were able to find it, and that affected systems have remained vulnerable for more than eight months, suggests that others with more questionable moral fiber may have stumbled upon the flaw as well and may be actively exploiting it.
Sadly, the vulnerability is probably not an isolated or unique case either. In a recent interview, an executive of Trustwave, a security and compliance services vendor that assesses ATM, kiosk, and point-of-sale (POS) terminals for security, was quoted as saying: "It is very, very rare that a device comes to our labs (in fact, I don't think that it has happened) that we don't find a vulnerability."
Tony Bradley is an information security and unified communications expert with more than a decade of enterprise IT experience. He provides tips, advice, and reviews on information security and unified communications technologies on his site at tonybradley.com.