Of Greed and Girls


Later that evening, Matthew returned to the mall, this time dressed as a normal guy. The NBSA branch near the closet he had violated just hours before was now closed. He approached the ATM, inserted his NBSA card, and withdrew 100 rand.

This ATM was one of the lift-and-grab-yo-money types. His cash, dispensed in five 20 rand bills, lay in the tray waiting for him to pick it up. The graphics were pretty good on this box, the spinning bank logo bright on the screen. Too bad they don't have a decent background on this thing, he thought. You'd think they would couple with Victoria's Secret next door and put Gisele on the damn thing as an advertisement. Of course, most of the snotty customers would cry holy hell thinking it was porn or something.

That thought stuck in his head. Again, a grin appeared on his face; that had been happening a lot lately. He cached that idea, deciding to revisit it later that night.

He made his way around the mall, found two more NBSA ATMs, and withdrew another 200 and 50 rand, respectively. He noted the exact time of the transaction in each instance. These ATMs were a bit different. Not only were they a bit smaller than the branch ATM, they had the auto-feed tray that spit the bills out consecutively. He laughed out loud at the image of crazed customers gathering around the machine as it vomited out money like a child who had just swallowed a piggy bank.

He passed by Victoria's Secret again, but this time turned into the store for a little diversion. There were a couple of items he decided to buy for Capri, eager to see what they looked like on the floor next to his bed.

Outside, he pulled into his chosen parking spot from which to access his private bank network, and horked the day's worth of packet dumps over to his laptop. He headed home.

Tracing packets through Ethereal, he noticed there was quite a bit more traffic than he anticipated for what he thought was just a remote branch. This was a windfall. He most certainly would have to come back to this when he had time. It was all here: logon credentials, POP3 passwords, HTTP logons, even some LM authentication. Morons, he thought. But as much as he wanted to pore over that data, he needed to hone in on the ATMs. Searching through timestamps he found the first TCP stream he needed: it was the first transaction where he withdrew 100 rand. He was not surprised at all to see most of the transaction actually was made in the clear. The last two days of research into NCR's APTRA development platform revealed that most application developments encrypted only the user's PIN number. It was not worth trying to break that; the key was physically built into the keypad on most of these systems, and he wasn't interested in horking transactions anyway.

He pulled out his receipts, and checked them out. Each had a location indicator: the first transaction was Location 2554. He traced back through the dump, and there it was, 2554 as part of the stream. The other receipts indicated locations 2569 and 2572, respectively. He wasn't sure why the numbers skipped, but he didn't really care. He was interested in the source IP addresses. Hopefully there was some way he could isolate the ATMs from the other machines so that his worm code could be more efficient.

Wait, he thought. This indicates that I actually can identify the machine itself, not just the fact that it is an ATM. Matthew went back to his Tcpdump data and looked for DNS queries. In each transaction, the ATM looked up the IP address for 390LB.border.nbsa.co.za. This must be the transaction warehousing system, the main frame as it were. All three looked up that data from the same server: DNS was being resolved by 172.15.11.1. That was the only activity he saw from his ATMs to that IP address, but he saw many DNS updates to the same IP; these must be from regular hosts in the branch booting up and registering themselves with the domain controller for automatic DNS updates. These ATMs might just be members of a domain, he thought, getting more and more excited. He jotted down the ATM IP addresses: 172.15.9.55, 172.15.9.6, and 172.15.9.142, in order of usage.

Armed with that information, Matthew packed up his laptop and headed back to the mall. It was late now, so he'd have to make sure he didn't draw any attention to himself while sitting out in his car. He'd be paying attention.

Nestled back in the seat, he associated to his NETGEAR. He hated having to generate traffic on the bank's network, but this would be minimal. At a command prompt, he attached to the 172.15.11.1 DNS server with NSLOOKUP, receiving the expected > prompt after successfully connecting. He typed in the IP address of the first ATM he used. He stared at the output for only a moment before testing the second IP address:

    > 172.15.9.55
    Server:  dc1.border.nbsa.co.za
    Address:  172.15.11.1
    Name:    ATM-2554.nbsa.co.za
    Address:  172.15.9.55

He entered the IP address for the second ATM:

    > 172.15.9.6
    Server:  dc1.border.nbsa.co.za
    Address:  172.15.11.1
    Name:    ATM-2569.nbsa.co.za
    Address:  172.15.9.6

Pulling the receipts out of his pocket, he checked the one from the last ATM: Location 2572. If this worked, it would be a valuable realization.

Rather than the IP, he tried what the hostname might be based on the other units' hostnames:

    > ATM-2572.nbsa.co.za
    Server:  dc1.border.nbsa.co.za
    Address:  172.15.11.1
    Name:    ATM-2572.nbsa.co.za
    Address:  172.15.9.142

He checked it against the IP he had written down: 172.15.9.142. It matched. This meant that not only could he identify which units were ATMs, but he could actually determine the individual IP address for any particular ATM location.

Putting his laptop in hibernation, he closed it up, cranked up his car, and headed out. He decided to take the long way home.

Things were coming together now. His plan, up to this point, was to write a worm (or hork the exploit code from the Internet somewhere) that would take out the ATM network. He had a call into NCR tech support to see if he could engineer a copy of the API reference for APTRA, but given how much data he was getting from alternate sources, he may not even need it. The dispense cash call was a simple API call, and he already had several references to it. Gotta love Google, he thought. Once he owned the box, making it spit out cash would be a cinch. Within minutes after launch, ATMs around the country would be randomly spitting out cash. It would be beautiful.

Being able to identify ATM assets from the rest of the network would have made the worm far more efficient, but this new information changed things around a bit. He could now identify specific ATMs based on location. All he would have to do is to hand-pick a few ATMs within the area, withdraw a little money, and use the receipt to uniquely identify that particular box.

Then it hit him. It was the perfect cover. It was a perfect plan.

He would launch two sets of code, separated by mere minutes. The first set of code would infect his hand-picked ATM units. They would sit and wait for a short period of time. The second code-launch would be the actual worm code that would send the country into a feeding frenzy! Machines, possibly in the thousands, would be spitting out money randomly. Or not so randomly, as the case may be.

This he couldn't do by himself. He would need 10, possibly 15 people, all in the right place at the right time. In fact, each could be positioned for optimum coverage to hit multiple machines within say, a half-hour period. They simply would be a few of the lucky thousands of other people throughout the country. Even if the authorities were to show up, there would be no way of knowing that they weren't just random people on the street. In fact, a well-placed media call 15 minutes into the outbreak would assure that total chaos would ensue!

His mind drifted back to Victoria's Secret, and the background image. To add insult to injury, Matthew decided that a few compromising fake photos of certain parliament members getting it on with a donkey might be a nice touch. Let NBSA explain that one to the public.

In fact, he would not have to limit the attack to ATMs! A more current vulnerability would probably infect untold numbers of NBSA workstations as well. Porn for everyone! Matthew shouted out loud.




Stealing the Network. How to Own a Continent
ISBN: 1931836051
EAN: N/A
Year: 2004
Pages: 105
