[ale] New worm destabilized Internet

Bob Toxen bob at verysecurelinux.com
Sun Jan 26 15:28:49 EST 2003


On Sat, Jan 25, 2003 at 10:26:03PM -0500, Jim wrote:
> On Saturday 25 January 2003 06:56 pm, Transam wrote:
> > ATM security actually is rather bad.  This is the real reason why there is
> > a limit of $300-$1000 on the amount you can withdraw daily -- to limit the
> > losses in case of a security problem.  (I worked for one of the larger
> > vendors in that market, Stratus Computer, for five years.  I don't consider
> > it appropriate for me to discuss most of the vulnerabilities.)

> There are loopholes in the law that make it possible to rip off banks through 
> ATMs all day long. And you don't need to know a thing about computer 
> security to get away with it. But in the time I worked with banks, I never 
> heard of anybody actually hacking the ATM network. Here, as in other areas of 
> computer security, the human factor plays a much larger role than the 
> technical factor. I think Kevin Mitnick would agree.

Actually, I did succeed with a minor hack of an ATM some years ago and
got several hundred dollars that it should not have given.  I didn't think
the code would be that stupid.  The next business day I sure as heck came
in, explained what I did, that it was only an experiment due to my interest
in computer security, and here is the money back.

The woman said "Yeah, we know.  It will be fixed in the next revision that
also will fix the X and Y problems."  Yup, she told me a few more tricks
that I chose not to try.

It is my understanding that obtaining money from a bank that one is
not legally entitled to is a serious crime, generally "fraud", sometimes
"embezzlement".  If data crosses state lines it becomes even more serious.
There are Federal laws about tampering with bank computers even if money
is not involved.  Even most crackers don't mess with banks.

Bob Toxen
bob at verysecurelinux.com                [Please use for email to me]
http://www.verysecurelinux.com         [Network&Linux/Unix security consulting]
Quality Linux & UNIX security and SysAdmin & software consulting since 1990.

"Microsoft: Unsafe at any clock speed!"
   -- Bob Toxen 10/03/2002