An Army of One


He sat back, finished his beer, and began to think. NBSA, he knew, was one of the largest banks in South Africa - a financial powerhouse. Johannesburg alone was home to almost two million people. NBSA probably handled the finances of 100,000 of them, if not more; he really had no idea. It is just too big, he thought. Too many branches to attack. Too many offices to take down. I would have to automate the entire process, he thought. If there were only some automatic method I could use to... His thought process stopped. He bolted straight up as the idea hit him. ...to take over something the public saw. Something the public used. Something the public needed.

Automatic Teller Machines.

Before his mind could silently articulate the entire phrase, he had already pictured an army of machines, standing at attention, ready to carry out his every command.

Don't be so dramatic, he said to himself. But it was difficult not to be. He figured that NBSA must have thousands of ATMs in service throughout the country. An army of Automatic Teller Machines, eh? No, they will be Automatic Terror Machines, and I will make them thus!!

It was so simple that it was perfect. NBSA had made what almost amounted to a media campaign regarding the deployment of their new ATM machines. It was a new era for the personal services one could enroll in from NBSA's new ATMs. Enhanced graphics showed video clips of local shows to which one could purchase tickets right from the ATM with drafted funds. Portfolio information could be pulled from linked stock accounts. Even weather and travel data was available now that these boxes had a distant Internet connection.

NBSA had been upgrading to these new systems for the last couple of years, along with institutions in other countries like China and Canada. But in light of the new capabilities of these machines and the enhanced product offerings made to members of the bank's financial family, one aspect of these machines stood out more than any other: they were running the Microsoft Windows XP embedded operating system.

XP, though it has had a few issues, was pretty solid for the most part. The wildcard in this scenario was dealt by the vendor of these systems - NCR. And this is where Matthew knew he could leverage an ignorant policy imposed by said vendor, as if they were Moses descending from Mount Sinai with tablets inscribed by God, but with only one commandment:

Thou Shalt Not Apply Any Service Pack or HotFix Not Ordained By Us, Lest Thine Warranty Be Void.

Not many people knew it, but many institutions around the world were bound by the same sort of policy. The whole business was regulated - and if a vendor did not certify another software vendor's service pack or patch, it could not be applied to the system, even if it meant leaving it vulnerable to exploitation. And this did not apply only to ATM machines - it was the case for many financial packages and systems deployed worldwide.

And this is how Matthew would breach the system.

He knew that NBSA would still have a high number of the older, proprietary-style ATMs in service (probably running OS/2), but the new ATMs were everywhere. Even if they numbered only a thousand or so, that would be more than enough to cause a little havoc. Heh, 'little havoc' my ass, he thought. He knew that the possible damage a thousand machines on a high speed network could cause was limited only by his imagination.

He needed to get on the bank network somehow and perform some recon. He couldn't just go on the assumption that these XP-embedded boxes were default installs. He had to make certain. If unpatched, Matthew would have his pick of exploits he could use to bust root on the ATMs once on the bank network. There was a strong possibility that he may even be able to get inside from an attack point on the Internet itself, but he didn't have time for that. Besides, he already had a plan of how to get on the bank's net.

Hacking ATMs wasn't a new idea by any stretch of the imagination - many a chat room conversation has taken place regarding sniffing ATM traffic, trying to decode PIN numbers in transit, man-in-the-middle attacks, and other standard IRC fodder. But this would be a bit different - stepping outside of the OS2/SNA model and into commodity hardware running XP offered many more possibilities. Matthew was actually a bit surprised that a mass attack against ATM machines had not already occurred, particularly after the report came out outlining the compromise of multiple Diebold XP-embedded ATMs at several banking institutions by the Nachi worm. Such an occurrence was a testament to the fact that these institutions still did not get system security. Matthew just shook his head when he considered how those ATMs not only had to be unpatched, but how they also had to be accessible by infected users on the bank network.

First things first: Matthew concentrated on the public humiliation stage of his stated goals, and drew up a plan. He had heard of the fervor created when an ATM machine would malfunction and dispense more money than it should. There was a case where the police had to be called in to control near-riot conditions created by such an event, and that was just a single ATM. Matthew smiled when he thought about what would happen when 1000 ATMs started exhibiting the same behavior.

There was far too much that Matthew still did not know, and though his plans had already begun to take shape, it was time to get some hard data. He had only a few days - he had to move quickly.

He walked to his closet, mussed about a bit in some shelves in the back, and produced a knit cotton shirt embroidered with JBurg Tech Services. He inspected the shirt, holding it at arm's length. It should fit just fine, he thought to himself. Grabbing a crumpled pair of khakis from a drawer long unopened, he collected a few other articles of clothing and headed for the Laundromat.




Stealing the Network. How to Own a Continent
ISBN: 1931836051
EAN: N/A
Year: 2004
Pages: 105
