Title: Juniper Pulls Researcher's Black Hat ATM Talk
Post by: don on July 03, 2009, 11:49:43 AM

Quote
It's not very often in Las Vegas that the money stays inside the ATM. But that's exactly what will happen at the upcoming Black Hat conference after Juniper Networks decided to scrap a presentation by one of its researchers who was set to show how a cash machine software vulnerability could be used to spew twenty-dollar bills.

The planned talk by Barnaby Jack, titled "Jackpotting Automated Teller Machines," was pulled after the affected ATM maker raised concerns that it would not be able to fix the flaw in time. Juniper did not identify the ATM vendor but said in a statement that others may also be affected by this issue.

"Considering the scope and possible exposure of this issue on other vendors, Juniper decided to postpone Jack's presentation until all affected vendors have sufficiently addressed the issues found in his research," Steve Manzuik, Juniper's senior manager of security research, said in a statement. "As always, Juniper is committed to the responsible disclosure of security vulnerabilities."

It is unclear exactly what Jack planned to unveil in his presentation, but cash machine issues have made the news in recent months. In March, Diebold revealed that it issued a security update for its Windows-based ATMs after a number of its machines in Russia were infected with customized trojans.

"We are reaching out to other ATM vendors with the offer to assist them with promptly and diligently addressing the security risks and vulnerabilities uncovered in Jack's research," Manzuik said.

This is not the first time a Black Hat presentation was deemed too controversial to see the light of day. In 2005, Cisco and Internet Security Systems (ISS), now owned by IBM, threatened to sue researcher Michael Lynn just hours before he was to deliver a talk about vulnerabilities in the Cisco IOS. Lynn quit his job at ISS and proceeded anyway. Soon after, he settled with the two companies, essentially promising not to further discuss the exploit.

In 2007, security services consultant IOActive bowed to pressure from HID Global to withdraw its presentation. IOActive's director of research and development, Chris Paget, had planned to demonstrate security weaknesses in HID's RFID technology.

And last year, a judge in Boston issued a temporary restraining order against three Massachusetts Institute of Technology students who had planned to present their findings on vulnerabilities in the Massachusetts Bay Transportation Authority's subway fare collection system. The MBTA later dropped its lawsuit, but the talk never happened.

Original story: http://www.scmagazineus.com/Juniper-pulls-researchers-Black-Hat-ATM-talk/article/139402/

Don

Title: Re: Juniper Pulls Researcher's Black Hat ATM Talk
Post by: former33t on July 05, 2009, 09:38:14 PM

This of course is just a gut reaction, since none of us know the full details about the vulnerability and the timelines given to the companies to fix the problem, but I think this is garbage.

If Jack (and/or Juniper) contacted ATM vendors at any time prior to the presentation, they did their due diligence (I mean, Black Hat is still more than 3 weeks away). As vulnerabilities go, managers often have to sit around in a room and justify how quickly they need to implement a fix. They do some cost-benefit analysis and make a determination on how much overtime to pay vs. loss of reputation when the vulnerability is disclosed. If this is for real, it's a no-brainer. If vulnerable ATMs will spit out $20s, it seems like there's an immediate loss scenario if I've ever seen one. What is stopping the vendor from getting a fix out on the street in the next three weeks (assuming they were only notified on the 3rd)?

I personally think that while they could use more time (vendors always want more time), this is more about the vulnerability not being released at Black Hat, THE premier security conference. I think vendors in general think "anywhere but Black Hat." Just my $.02, but that's what I think is going on here.

Title: Re: Juniper Pulls Researcher's Black Hat ATM Talk
Post by: dalepearson on July 07, 2009, 09:20:38 AM

It's always frustrating when this sort of information sharing gets pulled, and it does seem to be occurring more often.

Personally I think this is a tricky one. I am sure the researchers have given appropriate disclosure, but it's not clear if the vendor has got a fix (perhaps Jack made a recommendation) or if a fix has been identified, but it's just going to take them too long to get a fix out through the impacted networks. Like all these things, we don't have the full story; I just hope either way they do get it resolved and make use of the excellent work the security community provides.

Title: Re: Juniper Pulls Researcher's Black Hat ATM Talk
Post by: Ketchup on July 07, 2009, 10:03:49 AM

Personally, I can't wait to see what the vulnerability is/was when it does get released. I am also curious what the attack vector will be, considering the restricted input controls on an ATM.

Title: Re: Juniper Pulls Researcher's Black Hat ATM Talk
Post by: dalepearson on July 07, 2009, 10:16:06 AM

I wonder if it's related to the issue that we have heard about before at the manufacturing process.