![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
Security Concerns
Sep. 28th, 2006 08:04 amI have recently seen two "hacks" that scare the bejeezus out of me.
The first is the ATM hack. It seems that ATM machines can be put into a "maintenance" or "supervisory" mode, by pressing certain keys in a given order on an ATM machine. Now, this might not be so bad if the passwords on the ATMs were changed during installation to something reasonably secure, but more often than not, the passwords on the machines are left to their default factory-installed passwords.
The default-factory passwords and the method used to get the machines into "maintenance" or "supervisory" modes were available from reading the ATM manuals, which were available from multiple sources on the web.
Recently, someone with a pre-paid ATM card accessed an ATM machine and told the machine that the bin that was holding the $20's was actually holding $5's. They then asked the machine for money, and the ATM dispensed $20 bills, thinking they were $5's.
The second hack was even more serious. A group of college students got access to a Diebold TS electronic voting machine and using a commonly available key, accessed the machine's input ports. They replaced the machine's PCMCIA flash memory card with a different card, containing a modified version of the software. Once the card was in place, they rebooted the machine to install the new software and then, swapped the PCMCIA cards a second time.
The machine ran the doctored software until the machine was rebooted, which erased the evidence.
The doctored software was smart enough to realize when the machine being tested and gave the correct answers during testing, but in "real life" operation, the election results were skewed.
The first is the ATM hack. It seems that ATM machines can be put into a "maintenance" or "supervisory" mode, by pressing certain keys in a given order on an ATM machine. Now, this might not be so bad if the passwords on the ATMs were changed during installation to something reasonably secure, but more often than not, the passwords on the machines are left to their default factory-installed passwords.
The default-factory passwords and the method used to get the machines into "maintenance" or "supervisory" modes were available from reading the ATM manuals, which were available from multiple sources on the web.
Recently, someone with a pre-paid ATM card accessed an ATM machine and told the machine that the bin that was holding the $20's was actually holding $5's. They then asked the machine for money, and the ATM dispensed $20 bills, thinking they were $5's.
The second hack was even more serious. A group of college students got access to a Diebold TS electronic voting machine and using a commonly available key, accessed the machine's input ports. They replaced the machine's PCMCIA flash memory card with a different card, containing a modified version of the software. Once the card was in place, they rebooted the machine to install the new software and then, swapped the PCMCIA cards a second time.
The machine ran the doctored software until the machine was rebooted, which erased the evidence.
The doctored software was smart enough to realize when the machine being tested and gave the correct answers during testing, but in "real life" operation, the election results were skewed.