Watching The Drone Watchers

I smell China, or maybe Russia. The fact that the virus keeps resisting efforts to remove it shows that there’s some sophistication involved.

U.S. Military Drones Infected With Mysterious Computer Virus

A fleet of U.S. military drones on a Nevada Air Force base has been infected by a keylogger virus that tracks every key and button their pilots press, Wired.com reported Friday — and top Air Force sources strongly contested.

The virus was first noticed by officials at Creech Air Force Base nearly two weeks ago using the base’s security system. It logged every keystroke of the pilots in the control room on the base as they remotely flew Predator and Reaper drones on missions over Afghanistan and other battle zones.

There has been no confirmation of information being lost or sent to an outside source, but the virus has been resistant to military efforts to clear it from the system.

“We keep wiping it off, and it keeps coming back,” a source told Wired.

See also:
Exclusive: Computer Virus Hits U.S. Drone Fleet
Computers Controlling Military Drones Reportedly Infected with Virus
Computer Virus Attacks U.S. Military Drones: Wired
Keylogger virus hits US drone operations
Combat drones’ computer systems reportedly infected with virus
Computer virus hits US’ Predator drone fleet
US war drones keep flying despite computer virus
America’s Drones Have Been Infected by a Virus
Virus infects Pentagon drones’ computers
U.S. Drone Controllers Said To Be Infected By Computer Virus
US drones hit by virus
U.S. Military Facing a Battle Unlike Any Other
Cyberwar: a Whole New Quagmire – When the Drones Come To Roost
Creech Air Force Base

Theses computers didn’t just infect themselves, they were almost surely infected by someone, either deliberately or unwittingly, connecting a malware infected memory stick or other portable media storage device to the network. This has been a known attack vector for a long time now and it’s easily preventable, simply don’t allow portable media storage devices anywhere near classified computer networks!

/search all personnel coming and going if that’s what it takes, it’s a small price to pay for avoiding potentially catastrophic security breaches like this

Advertisements

Let’s Play ATM Or Slot Machine?

Barnaby Jack is at it again.

Researcher Demonstrates ATM ‘Jackpotting’ at Black Hat Conference

In a city filled with slot machines spilling jackpots, it was a “jackpotted” ATM machine that got the most attention Wednesday at the Black Hat security conference, when researcher Barnaby Jack demonstrated two suave hacks against automated teller machines that allowed him to program them to spew out dozens of crisp bills.

The demonstration was greeted with hoots and applause.

In one of the attacks, Jack reprogrammed the ATM remotely over a network, without touching the machine; the second attack required he open the front panel and plug in a USB stick loaded with malware.

Jack, director of security research at IOActive Labs, focused his hack research on standalone and hole-in-the-wall ATMs — the kind installed in retail outlets and restaurants. He did not rule out that bank ATMs could have similar vulnerabilities, though he hasn’t yet examined them.

The two systems he hacked on stage were made by Triton and Tranax. The Tranax hack was conducted using an authentication bypass vulnerability that Jack found in the system’s remote monitoring feature, which can be accessed over the Internet or dial-up, depending on how the owner configured the machine.

Tranax’s remote monitoring system is turned on by default, but Jack said the company has since begun advising customers to protect themselves from the attack by disabling the remote system.

To conduct the remote hack, an attacker would need to know an ATM’s Internet IP address or phone number. Jack said he believes about 95 percent of retail ATMs are on dial-up; a hacker could war dial for ATMs connected to telephone modems, and identify them by the cash machine’s proprietary protocol.

The Triton attack was made possible by a security flaw that allowed unauthorized programs to execute on the system. The company distributed a patch last November so that only digitally signed code can run on them.

Both the Triton and Tranax ATMs run on Windows CE.

Using a remote attack tool, dubbed Dillinger, Jack was able to exploit the authentication bypass vulnerability in Tranax’s remote monitoring feature and upload software or overwrite the entire firmware on the system. With that capability, he installed a malicious program he wrote, called Scrooge.

Scrooge lurks on the ATM quietly in the background until someone wakes it up in person. It can be initiated in two ways — either through a touch-sequence entered on the ATM’s keypad or by inserting a special control card. Both methods activate a hidden menu that allows the attacker to spew out money from the machine or print receipts. Scrooge will also capture track data embedded in bank cards inserted into the ATM by other users.

To demonstrate, Jack punched the keys on the typed to call up the menu, then instructed the machine to spit out 50 bills from one of four cassettes. The screen lit up with the word “Jackpot!” as the bills came flying out the front.

To hack the Triton, he used a key to open the machine’s front panel, then connected a USB stick containing his malware. The ATM uses a uniform lock on all of its systems — the kind used on filing cabinets — that can opened with a $10 key available on the web. The same key opens every Triton ATM.

Two Triton representatives said at a press conference after the presentation that its customers preferred a single lock on systems so they could easily manage fleets of machines without requiring numerous keys. But they said Triton offers a lock upgrade kit to customers who request it — the upgraded lock is a Medeco pick-resistant, high-security lock.

. . .

Jack said that so far he’s examined ATMs made by four manufacturers and all of them have vulnerabilities. “Every ATM I’ve looked at allows that ‘game over.’ I’m four for four,” he said at the press conference. He wouldn’t discuss the vulnerabilities in the two ATMs not attacked on Wednesday because he said his previous employer, Juniper Networks, owns that research.

Jack said his aim in demonstrating the hacks is to get people to look more closely at the security of systems that are presumed to be locked down and impenetrable.

See also:
Bunker-busting ATM attacks show security holes
Hacker breaks into ATMs, dispenses cash remotely
Security researcher demonstrates ATM hacking
Black Hat: Hacker Tricks ATMs Into Raining Cash
Researcher shows how to hack ATMs with “Dillinger” tool
Armed with exploits, ATM hacker hits the jackpot
Powered By Microsoft Windows
IOActive Labs
Tranax Technologies
Triton Systems

All your ATMs are belong to Barnaby Jack!

/I’ll bet Barnaby is really well paid and gets plenty of job offers from the Black Hats as well as the White Hats