Juniper pulls ATM hacking presentation from Black Hat

By Robert Westervelt, News Editor 30 Jun 2009 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

A Juniper Networks Inc. security researcher who planned to demonstrate a way to hack the software of an ATM at the Black Hat Briefings in Las Vegas had his presentation pulled at the request of the ATM vendor.

SearchSecurity.com: To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

Barnaby Jack's"Jackpotting Automated Teller Machines," presentation, which was to take place on July 30, was pulled from the schedule on Monday. Juniper Networks confirmed the cancellation. In a statement the vendor said it received a request to pull the presentation from an ATM vendor.

"Juniper believes that Jack's research is important to be presented in a public forum in order to advance the state of security. However, the affected ATM vendor has expressed to us concern about publicly disclosing the research findings before its constituents were fully protected," Juniper said. "Considering the scope and possible exposure of this issue on other vendors, Juniper decided to postpone Jack's presentation until all affected vendors have sufficiently addressed the issues found in his research."

Black Hat: Kaminsky interview: DNSSEC addresses cross-organizational trust and security: A year since his serious DNS cache poisoning bug was made public, security researcher Dan Kaminsky advocates for widespread DNSSEC deployments. Black Hat Las Vegas 2008: News, podcasts and videos: The annual Black Hat conference is never boring. Check out the latest news, podcasts and videos direct from Caesars Palace in Las Vegas.

Jack would have demonstrated a way to attack the underlying software of a line of popular new model ATMs. The presentation would have addressed local and remote attack vectors and finished with a live demonstration on an unmodified stock ATM.

"We are reaching out to other ATM vendors with the offer to assist them with promptly and diligently addressing the security risks and vulnerabilities uncovered in Jack's research," Juniper said.

The hacking technique is unique. Traditional methods to bilk ATMs involve card skimmers or the physical theft of the ATM.

ATM makers have been under increased pressure to lock down their models after several high-profile attacks on machines. Last December, RBS WorldPay, the U.S.-based payment processing division of the Royal Bank of Scotland Group plc, disclosed a security breach in which hackers used millions of stolen cardholder data in a coordinated ATM scam, making off with $9 million. The thieves used stolen and cloned payroll debit cards and reloadable gift cards.

SearchSecurity radio:

Malware was used in several ATM breaches in Eastern Europe. Earlier this month, security vendor Trustwave Corp. said its researchers uncovered the malware while investigating ATM breaches in Russia and Ukraine over the past few months. Trustwave said 20 ATMs were infected with sophisticated malware that allowed attackers to not only steal and track data and PINs, but also cash. A specialized card could allow an attacker to bilk up to $600,000 on large ATMs.

Tags: Hacker Tools and Techniques: Underground Sites and Hacking Groups,  Software Development Methodology,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Hacker Tools and Techniques: Underground Sites and Hacking Groups Chinese hacker says most are not skilled coders Security researchers continue hunt for Conficker authors Verizon report goes deep inside data breach investigations Russian cybercriminals target H1N1 Swine Flu fears Metasploit Project acquisition ups ante for penetration testing market Successful rogue antivirus hinges on social engineering DEFCON survey suggests hacker community on vacation DoD urges less network anonymity, more PKI use New hacker skills optimize revenue Maturing cybercriminal economy buoyed by business savvy hackers Software Development Methodology Microsoft extends SDL program, adds Agile development template Malware in Google attacks uses spaghetti code Self-defending Web applications thwart attacks Information security book excerpts and reviews Software piracy group offers cash to whistleblowers Quiz: How to build secure applications How to detect software tampering Developers Need Help with Security Errors Should security tests be part of a software quality assurance program? Does an EULA make it truly illegal to decompile software?

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary black hat  (SearchSecurity.com) cracker  (SearchSecurity.com) cyberextortion  (SearchSecurity.com) cyberterrorism  (SearchSecurity.com) Echelon  (SearchSecurity.com) hacker  (SearchSecurity.com) man in the middle attack  (SearchSecurity.com) van Eck phreaking  (SearchSecurity.com) zero-day exploit  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary