January 4, 2014
Chris
Security

Hacking ATMs – A conference talk about the current security state of Windows XP driven cash machines


A few days ago the 30th edition of Germany’s Chaos Communication Congress took place, a high-profile event for IT security and net culture topics. Started 30 years ago (!), this once-tiny super-nerd event has reached (positive) mainstream (media) popularity, and as usual the talks are really, really good. Did I mention that Julian Assange (Wikileaks) and Sarah Harrison (who made Snowden’s escape possible) took part? But more on that in another post.

The most interesting talk I’ve seen so far is this one: “Electronic Bank Robberies – Stealing Money from ATMs with Malware” by two anonymous speakers. The topic and the approach the criminals take are not new, and that’s the point: even in late 2013 most ATMs use Windows XP (!) as the host operating system [1][2][3][4]. Yes, plain Windows XP (not a special version or something), which will officially reach End of Life on April 8th 2014. After that there will be no more bug fixes, even for serious security bugs. It’s okay, as XP is now 14 years old, and people who still use a 14-year-old Windows version (in IT years, that’s like 100 years) in 2014 are simply a little bit retarded and obviously have absolutely no IT skills, but changing the OS of 100,000s+ of ATMs all over the globe might be a little bit more difficult. In fact, that’s a big topic in the banking scene.

Anyway, the talk shows how easy it is to break into a Windows XP system by cutting into the ATM and plugging a USB stick into the printer port. The stick holds special software that gives the attackers full control over the ATM’s system (and that’s possible on up-to-date Windows XP installations!). To be fair, we have to realize that this is not possible for the average guy. The attackers need very detailed insight into the way ATM software works, so it’s an inside job.

By the way, there’s a nice explanation for this: the cost of updating and hardening ATMs is much, much higher than the cost of replacing funds stolen in criminal takeovers. So for banks, the risk is calculable. As there are only a few hacks per year, this is a clear optimization of costs vs. benefits.

 

http://www.youtube.com/watch?v=0c08EYv4N5A

 

 
