6 posts • joined Wednesday 18th March 2009 19:56 GMT
Lack of Daily Physical Access Doesn't Mean Safe for Windows
I've noticed in several different industries that run ATMs or PoS devices on Windows-based systems that their administrators seem to perceive these devices differently, as they would a laptop. Evidently, they seem to regard them as considerably more secure because they are not physically accessible to ordinary people (I hope you know what I mean in the case of ATMs) or used for general purpose computing (at least, not supposed to be). Like a laptop, these systems need to be locked down, and they need to be protected by more than just a signature-based product using technology invented over a decade ago. Below are older posts that make the rest of my point:
Any Breach Found is Only Tip of Iceberg
So somebody finds malware on a PC known for stealing information and for possessing some sophistication for multiple attack vectors and remote controls. Determining what damage has been done is a staggering challenge. I opined on it some in this blog post below:
PC Malware Driven Security Breach Disclosures—A Case of Worms http://www.securitynowblog.com/endpoint_security/pc-malware-costly-security-breach-disclosures
Whenever I'm in a doctor's office or some other medical facility, I'm now in the habit of looking at their information technology. This usually results in my dwelling more on their lack of security than my case of the flu, reinjured knee, or whatever brought me there.
My last visit left me alone in a room for about half an hour with a WinXP machine hanging from a wall. Later, when someone arrived to use it, I was quite distracted while talking with her as I kept thinking how easily one could compromise the records of everyone associated with their practice.
Another Week, Another Exploit
Any software running on a PC that consumes files or communications from the outside world, even from trusted friends and colleagues, is a target. Every PC needs two forms of protection. One is the old familiar Anti-Virus/Spyware software that stops known viruses, worms, Trojans, and other malware. The other tool is needed to stop the unknown or zero-day malware.
I've opined before, so..."Your Software Applications Cannot be Trusted":
How many weeks ago was Excel similarly in the news?
Protect the PCs Better
I'm not much of a network wonk anymore. I'm into endpoint security issues these days. So, in addition to the network remedies suggested above (oh and I would like to see digitally signed DNS), we need to do a better job of protecting PCs, which are far too vulnerable with their typical defenses. I seem to rant a lot about this on www.securitynowblog.com. If interested, a couple of posts:
We cannot trust the software that runs on our PCs: http://www.securitynowblog.com/endpoint_security/computer-software-hijacked-malware-attack-steal
And this one about signature-based defense limitations:
In smaller organizations, PCs are disturbingly vulnerable.
More Info Would be Nice
I'm curious about the operating system(s) used for these ATMs and what privileges the typical technicians have on them. With such relatively static configurations, it would seem quite straightforward to lock these machines down and perform regular audits to counter these risks, even if the techs have admin rights.