Hacking ATMs – A conference talk about the current security state of Windows XP driven cash machines

A few days ago the 30th edition of Germany’s Chaos Communication Congress took place, a high-profile event for IT-security and net-culture related topics. Started 30 years ago (!), this once-tiny super-nerd event has reached (positive) mainstream (media) popularity, and as usual the talks are really really good. Did I mention Julian Assange (Wikileaks) and Sarah Harrison (who made Snowden’s escape possible) took part ? But more on that in another post.

The most interesting talk I’ve currently seen is this one: “Electronic Bank Robberies – Stealing Money from ATMs with Malware” by two anonymous speakers. The topic and the way the criminals take is not new, and that’s the point: Even in late 2013 most ATMs use Windows XP (!) as the host operating system [1][2][3][4]. Yes, casual Windows XP (not a special version or something), which will officially reach End of Life on April 8th 2014. No more bugfixes, even for possible hard security bugs. It’s okay, as XP is now 14 years old, and people who still use a 14 years old Windows version (in IT-years, that’s like 100 years) in 2014 are simply a little bit retarted and have obviously absolutly no IT skills, but changing the OS of 100.000s+ ATMs all over the globe might be a little bit more difficult. In fact that’s a big topic in the bank scene.

Anyway, the talk shows how easy it is to break into a Windows XP by cutting into the ATM and plugging an USB stick onto the printer port, which holds a special software giving the attackers full control over the ATM’s system (and that’s possible on up-to-date Windows XPs !). To be fair, we have to realize that this is not possible for the average guy. The attackers need to have very detailed insights on the way ATM software works, and so it’s an inside-job.

By the way, there’s a nice explaination for this: The costs of updating and security-improving ATMs is much much higher than replacing stolen funds by criminal takeovers. So for banks, the risk is calculateable. As there are only a few hacks per year, this is a clear optimization of costs vs. benefits.

http://www.youtube.com/watch?v=0c08EYv4N5A

Hacking ATMs – A conference talk about the current security state of Windows XP driven cash machines

Get visitor stats for your GitHub repo with BitDeli

First look on Gitter, the chat for GitHub

How to install the mcrypt php extension (to use Laravel 4)

GitHub finally introduces repo traffic stats

[Link] Redesigning SoundCloud by Evan Simoni

What’s new in PHPStorm 9

Is there a JSFiddle for PHP ? Yes !

How to prevent PHP sessions being shared between different apache vhosts / different applications

Microsoft enters post-password era with Hello (promo video)

Stressed and unrelaxed while coding ? Try some ultra-deeply-relaxing ASMR audio clips. It will change your life. Seriously.

Learn AngularJS in 20 (or 90) minutes with Dan Wahlin

PHP’s HipHop outperforms PHP 5.5 with Zend OPCache and Nginx by 15-20 times

The first micro framework written in Hack is there: hack-mvc !

The SSL Heartbleed bug explained in 30 seconds

Redesigning Windows 8 – fantastic and clever drafts by Jay Machalani

-45% (or even 50%) off on DesignWall today

GitHub buys Easel.io, a code-free full website creator worth a look

Google I/O 2014 – HTTPS Everywhere (video)

A PHPStorm shortcuts cheat sheet (for Windows, Mac OS and Linux)

MINI2, an extremely simple barebone PHP application on top of Slim

October CMS, built on top of Laravel, is beautiful, clever and on the way to be the new #1 CMS

Composer problems ? Try full reset !

This is an experimental advertisement

How to setup a local server (in a virtual machine) with Vagrant in PHPStorm

A super-simple pre-configured Vagrant box with HipHop, Hack and Hack code examples