January 4, 2014
Chris
Security

Hacking ATMs – A conference talk about the current security state of Windows XP driven cash machines


A few days ago the 30th edition of Germany’s Chaos Communication Congress took place, a high-profile event for IT-security and net-culture related topics. Started 30 years ago (!), this once-tiny super-nerd event has reached (positive) mainstream (media) popularity, and as usual the talks are really, really good. Did I mention Julian Assange (Wikileaks) and Sarah Harrison (who made Snowden’s escape possible) took part? But more on that in another post.

The most interesting talk I’ve seen so far is this one: “Electronic Bank Robberies – Stealing Money from ATMs with Malware” by two anonymous speakers. The topic and the approach the criminals take are not new, and that’s the point: even in late 2013 most ATMs use Windows XP (!) as the host operating system [1][2][3][4]. Yes, regular Windows XP (not a special version or something), which will officially reach End of Life on April 8th 2014. No more bugfixes, even for possible serious security bugs. It’s okay, as XP is now 14 years old, and people who still use a 14-year-old Windows version (in IT-years, that’s like 100 years) in 2014 are simply a little bit retarded and have obviously absolutely no IT skills, but changing the OS of 100,000s+ ATMs all over the globe might be a little bit more difficult. In fact that’s a big topic in the bank scene.

Anyway, the talk shows how easy it is to break into a Windows XP system by cutting into the ATM and plugging a USB stick into the printer port; the stick holds special software giving the attackers full control over the ATM’s system (and that’s possible on up-to-date Windows XP installations!). To be fair, we have to realize that this is not possible for the average guy. The attackers need very detailed insight into the way ATM software works, and so it’s an inside job.

By the way, there’s a nice explanation for this: the cost of updating ATMs and improving their security is much, much higher than the cost of replacing funds stolen in criminal takeovers. So for banks, the risk is calculable. As there are only a few hacks per year, this is a clear optimization of costs vs. benefits.

 

http://www.youtube.com/watch?v=0c08EYv4N5A

 

 
