Friday 10 October 2014

"Hacking" ATMs isn't magic ...

Over the past few weeks, not a day passed without a news outlet or an AV vendor coming up with another post or article on ATM hacking. Today was no different.

Network World published an elaborate article that drew the attention to a "mysterious" DLL (msxfs.dll) that allowed the "hackers" to interact with the ATM's pin pad.

"Analyzing the code, we started wondering how the malware author knows which pin pad service name to provide to the API so that the program is able to interact with the pin pad device," the F-Secure researchers said in a blog post, noting that Microsoft doesn't provide any official documentation for this library's functions. "It's a valid question because the pin pad service name used in the code is quite unique and it is very unlikely one can figure out the service name without documentation."
Now allow me to bring us down from the lala wonderland of AV blog posts.

First things first: Microsoft does not provide any official documentation for this library's functions ... because it is not a Microsoft library. The library is a product of the CEN Workshop on eXtensions for Financial Services (WS/XFS).

The fundamental aims of the XFS Workshop are to promote a clear and unambiguous specification for both service providers and application developers. This has been achieved to date by sub groups working electronically and quarterly meetings. 

You can find their website here : http://www.cen.eu/work/areas/ict/ebusiness/pages/ws-xfs.aspx

On it you will find both the documentation of the API as well as the MSI package to install msxfs.dll on your system. Granted that most ATM vendors will integrate this into their product, it's not hard to analyze the DLL itself ... if you want to (I'm not gonna do it here for you, magazines have ads to sell and AV vendors have products to sell so I'll give them the opportunity to do just that).

Now, there is indeed little documentation available for this version of the API beyond what you need as a programmer, but there is more for the Java version, to be found here: http://www.cen.eu/work/areas/ICT/eBusiness/Pages/WS-J-XFS.aspx.

The latest version of the documentation for the "base architecture" (2009) has some interesting paragraphs that you can ponder on from a security point of view, specifically under point 2.17:

The access control for the device (i.e. the authorization to access a specific function in the J/XFS API) has to be controlled by the calling application and the network software. In the current CWA 12345 no support for login and user rights administration is supported. Also, it may be desirable to encrypt all data which is sent over the LAN between the workstations and the server, as well as between the peer-workstations sharing a device using J/XFS.
This is, however, also not a task defined in the CWA 12345. It is rather left to the TCP/IP installation and add-on security products to ensure that the data transfer is secure. We assume that a solution to this is or will be available for use without the necessity to change the J/XFS structure. One possible option here would be to use RMI over SSL. 

TL;DR: the main API through which ANY application running on a box connected to an ATM talks to the ATM's devices provides NO authentication, authorization or encryption. Instead, it offloads that responsibility to the "TCP/IP installation and add-on security products".
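Because the API itself does not check who is calling, the practical consequence is that the host has to. As an added example (not code from the original post, nor from CEN or any ATM vendor), the script below shows one host-side check a defender can run: flag any process that loads msxfs.dll and is not the approved ATM application, or whose binary is unsigned. The records are constructed, Sysmon Event ID 7 (ImageLoad) style key=value lines, and the allow-listed application path is a hypothetical placeholder, not a real product path.

```python
"""Flag msxfs.dll loads by processes other than the approved ATM application.

Added example, not from the original post. The XFS API exposed by msxfs.dll
performs no authentication or authorization of its caller, so one host-side
control is simply to watch which executables load the DLL at all.
The events below are constructed Sysmon Event ID 7 (ImageLoad) style records;
the allow-listed path is a hypothetical ATM application (assumption).
"""
from typing import Dict, List

# Hypothetical allow-list: the only image expected to load msxfs.dll (assumption).
APPROVED_IMAGES = {r"c:\atm\vendorapp\atmapp.exe"}

# Constructed sample of image-load events as space-separated key=value fields.
SAMPLE_EVENTS = [
    "EventID=7 Image=C:\\ATM\\VendorApp\\AtmApp.exe "
    "ImageLoaded=C:\\Windows\\System32\\msxfs.dll Signed=true Signature=ExampleVendor",
    "EventID=7 Image=C:\\Users\\Public\\svchost.exe "
    "ImageLoaded=C:\\Windows\\System32\\msxfs.dll Signed=false Signature=",
    "EventID=7 Image=C:\\Windows\\explorer.exe "
    "ImageLoaded=C:\\Windows\\System32\\shell32.dll Signed=true Signature=Microsoft",
    "EventID=1 Image=C:\\ATM\\VendorApp\\AtmApp.exe CommandLine=AtmApp.exe",
]


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value record into a dict (values here contain no spaces)."""
    fields: Dict[str, str] = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def is_suspicious_xfs_load(event: Dict[str, str], approved=APPROVED_IMAGES) -> bool:
    """True when msxfs.dll is loaded by an unapproved or unsigned image."""
    if event.get("EventID") != "7":
        return False  # only image-load events are relevant here
    loaded = event.get("ImageLoaded", "").lower()
    if not loaded.endswith("\\msxfs.dll"):
        return False  # some other DLL; out of scope
    image = event.get("Image", "").lower()
    if image not in approved:
        return True  # an executable we never expected to talk XFS
    # The approved path but an unsigned binary also deserves a look.
    return event.get("Signed", "").lower() != "true"


def find_suspicious_loads(lines: List[str]) -> List[str]:
    """Return the image paths of every suspicious msxfs.dll load in the log."""
    hits: List[str] = []
    for line in lines:
        event = parse_event(line)
        if is_suspicious_xfs_load(event):
            hits.append(event["Image"])
    return hits


if __name__ == "__main__":
    for image in find_suspicious_loads(SAMPLE_EVENTS):
        print(f"unexpected msxfs.dll load by {image}")
```

On a real ATM the same logic would be fed from the Windows event log or an EDR agent rather than a list of strings, and the allow-list would hold the vendor application's actual, signed path; the point is that the control lives on the host, exactly where the CWA text says the responsibility has been left.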

Maybe this post can help us narrow down where the work to protect our ATMs should start and maybe ... we don't need to do weird searches on Baidu to understand what we're looking at.

Cheers,
Wim

PS: Oh, instead of vendor-specific programming guides, maybe the Kaspersky guys want to look at the official Pin Keypad Device Interface ... it's not that hard of a read once you've found it ;-)

Tuesday 7 October 2014

3 years flew by ... looking back and looking forward

[Note that I am speaking for myself and not for the (ISC)2 Board of Directors or (ISC)2 as an organization. I believe that 3 years after being elected, it is my responsibility to tell you what we have done and what we have achieved. Feel free to ask questions in the comments or on twitter (@wimremes). While I am restricted in what I can say, I will definitely try to answer as many questions as possible. Again, this is my personal perception and opinion.]

It's a bit more than 3 years ago that I decided to run a petition to be added to the (ISC)2 Board of Directors election slate. It's a bit more than 3 years ago that more than 500 members supported that petition and allowed me to be elected that same year. After effectively joining the board in January 2012, I went to work. After all, more than 500 members supported me on a platform of change and I was eager to follow through on that.

Today it is time to look back and see what we have done. I can't stress enough how important the "we" is in this endeavor. It isn't just me, it is me as part of a team of 13 board members. It is "we", as (ISC)2 is an organization with more than 100 employees across the globe. It is "we", as (ISC)2 has more than 100,000 members today. But it is me that made a commitment to you when I launched my petition. And it is me that owes you some feedback and reflection.

It was no secret that I joined the (ISC)2 board on a platform of change. All joking aside, it isn't easy to walk into a boardroom with a "here I am, let's change things!" attitude. I didn't do that. My first task was to understand what the board did, what the organization did and how I could help to make that better, taking into account that platform and the continuous feedback from (ISC)2 members around the globe. Today I look back and I see that I moved from being that "rogue element" to getting elected as Chairperson of the board earlier this year. This, to me, confirms that I've managed to build the bridge between the opposing voices (including my own) that supported my petition and all other walks of life and opinions within the organization and the membership. It's an incredible honor to me to lead the board and I can't be more proud of the team we are currently working with.

Since I joined the board, we truly have come a long way. We have built on what was already in the works and worked diligently to do even more. To me it started with ratifying our new member-focused strategy in April 2012. Since then, (ISC)2 has further engaged with its membership and the security community.

A first example is found in the (ISC)2 chapters. Varying in size between more than 4000 members (South Korea) and less than 15 members (Ethiopia), they have become a platform where members (and non-members) can exchange experience and knowledge. Maybe more importantly, they have become an important source of feedback for the organization and the board. They allow us to better understand the needs of our membership and their regional intricacies. Empowering our regional offices in the UK, Hong Kong and China has, in my opinion, resulted in a better regional integration and an ability to adapt to the needs and differences.

A second example is found in the CPE opportunities. (ISC)2 has worked with several non-profit events and conferences to enable them to submit CPEs for attending members. Where it was mostly up to the member to submit CPEs manually and only large and commercial events would auto-submit, there are now Security B-Sides events that auto-submit CPEs. I believe this brings more diversity into the CPE opportunities. Additionally, we have worked with different organizations to offer even more CPE opportunities to our members. One such example, which is near and dear to my heart, is BugCrowd. If an (ISC)2 member becomes a member of BugCrowd, they will get CPEs for every bug they submit through the BugCrowd Bug Bounties. While still in an early stage, I think this is a prime example of where we are going with CPE opportunities.

A third example comes in the form of community outreach. I fondly remember taking part of the (ISC)2 team to their first 44Cafe (hat tip to Steve Lord and his amazing crew) and DC4420 (DEFCON London chapter) meeting in April 2012. Since then the organization has supported B-Sides events and other community efforts around the globe. Being there and keeping a finger on the pulse of the community once again is an incredibly valuable source of information for the organization and for the board. This too allowed us to better understand the membership and the community.

Then come our credentials. (ISC)2 has diligently worked to review and keep their credentials up to date. This will be very clear in 2015 when the reviewed versions of the CISSP and SSCP are launched. At the same time, we have launched the HCISPP (healthcare) credential and the CCFP (Forensics). The latter is the first credential that is rolled out regionally, as local laws are elementary to the practice. Are we done yet? No! Are we on the right track? I certainly believe so.

Lastly I must talk about the (ISC)2 Foundation, which is effectively a separate 501c3 organization. The Foundation grants scholarships globally to students who are focusing on information security. With the scholarships alone, we have allowed people who would otherwise not be able to fund it themselves to pursue their dream and join the information security workforce. By the same token, the Foundation allows our members to give back to their communities and society through the Safe and Secure Online (SSO) program. This program provides learning materials to teach children, teachers and parents about online security and safe use of social networks. This is possible through the donations and effort of individuals and the support of bigger organizations. You can find out more about the Foundation here: https://www.isc2cares.org/Default.aspx.

Now obviously I will be up for re-election come December. I couldn't be more grateful if I'm allowed to continue the work we have done in the past 3 years, and I'd welcome your support to make that happen. I truly believe that (ISC)2 is well-positioned to keep going on its current momentum. While the subtle tweaks on the underlying machinery are difficult to quantify and their effect only visible further down the path, I am convinced that this organization is going nowhere but up.

I have come to realize that I could easily write a book about the past 3 years of being involved with this organization. I can only hope it would be the first chapter of an even longer book.

Cheers,
Wim