Hacking ATMs – A conference talk about the current security state of Windows XP driven cash machines

A few days ago the 30th edition of Germany’s Chaos Communication Congress took place, a high-profile event for IT-security and net-culture related topics. Started 30 years ago (!), this once-tiny super-nerd event has reached (positive) mainstream (media) popularity, and as usual the talks are really really good. Did I mention Julian Assange (Wikileaks) and Sarah Harrison (who made Snowden’s escape possible) took part ? But more on that in another post.

The most interesting talk I’ve currently seen is this one: “Electronic Bank Robberies – Stealing Money from ATMs with Malware” by two anonymous speakers. The topic and the way the criminals take is not new, and that’s the point: Even in late 2013 most ATMs use Windows XP (!) as the host operating system [1][2][3][4]. Yes, casual Windows XP (not a special version or something), which will officially reach End of Life on April 8th 2014. No more bugfixes, even for possible hard security bugs. It’s okay, as XP is now 14 years old, and people who still use a 14 years old Windows version (in IT-years, that’s like 100 years) in 2014 are simply a little bit retarted and have obviously absolutly no IT skills, but changing the OS of 100.000s+ ATMs all over the globe might be a little bit more difficult. In fact that’s a big topic in the bank scene.

Anyway, the talk shows how easy it is to break into a Windows XP by cutting into the ATM and plugging an USB stick onto the printer port, which holds a special software giving the attackers full control over the ATM’s system (and that’s possible on up-to-date Windows XPs !). To be fair, we have to realize that this is not possible for the average guy. The attackers need to have very detailed insights on the way ATM software works, and so it’s an inside-job.

By the way, there’s a nice explaination for this: The costs of updating and security-improving ATMs is much much higher than replacing stolen funds by criminal takeovers. So for banks, the risk is calculateable. As there are only a few hacks per year, this is a clear optimization of costs vs. benefits.

http://www.youtube.com/watch?v=0c08EYv4N5A

Hacking ATMs – A conference talk about the current security state of Windows XP driven cash machines

Experimenting with HHVM at Etsy (Link)

Adobe offers Photoshop for $9.99 per month (limited deal)

Composer problems ? Try full reset !

Free $10 coupon for DigitalOcean SSD cloud VPS hosting

PHP 5.6 announced, statically typed (!) “new” PHP announced by Facebook devs

Soundcloud’s “VP of Engineering” about using SSDs

Hacked french TV channel exposed passwords in TV interview (video, screenshots, links)

Interesting stats on SONY’s hacked passwords

How to install/setup latest version of PHP 5.5 on Debian Wheezy 7.0/7.1/7.2 (and how to fix the GPG key error)

[Link] How To Install October CMS on a VPS running Ubuntu 14.04

You made a mess with Git ? Here’s a flowchart guideline on how to fix

[Link] How To Install October CMS on a VPS running Ubuntu 14.04

Postmodern PHP: appserver.io, a multithreaded application server for PHP, written in PHP

JavaScript ECMAScript6 – A short video introduction (5min)

[Link] Improving Smashing Magazine’s Performance: A Case Study

What’s new in PHPStorm 9

Extremely easy SASS in Laravel (with pure PHP)

Profiling PHP Applications by Bastian Hofmann (video from PHP UK Conference 2014)

PHP’s HipHop outperforms PHP 5.5 with Zend OPCache and Nginx by 15-20 times

Useful basic linux stuff: Show kernel version, distribution name and distribution version on Ubuntu systems

Switching from Java to PHP. Seriously. A very interesting and pre-judice-free talk with Ph.D. Aris Zakinthinos

Adobe offers Photoshop for $9.99 per month (limited deal)

A super-simple introduction into PHP namespaces (7min video)

Preview-release of (my) “php-mvc” project (a simple php mvc barebone)