Security researcher demonstrates ATM hacking

Security researcher Barnaby Jack demonstrates how he bypassed the security of two ATMs.

(Credit: Declan McCullagh/CNET)

LAS VEGAS--Hacking into an ATM isn't impossible, a security researcher showed Wednesday. With the right software, it's actually pretty easy.

Barnaby Jack, director of security testing at Seattle-based IOActive, hauled two ATMs onto the Black Hat conference stage and demonstrated to a rapt audience the fond daydream of teenage hackers everywhere: pressing a button and having an automated teller machine spew out its cash until a pile of paper lay on the ground.

"I hope to change the way people look at devices that from the outside are seemingly impenetrable," said Jack, a New Zealand native who lives in the San Jose area. One vulnerability he demonstrated even allows a hacker to connect to the ATM through a telephone modem and, without knowing a password, instantly force it to disgorge its entire supply of cash.

Jack said he bought the pair of standalone ATMs--one manufactured by Tranax Technologies and the other by Triton--over the Internet and then spent years poring over the code. The vulnerabilities and programming errors he unearthed during that process, Jack said, let him gain complete access to those machines and learn techniques that can be used to open the built-in safes of many others made by the same companies.

"Every ATM I've looked at, I've found a game-over vulnerability that allows an attacker to get cash from the machine," Jack said. "I've looked at four ATMs. I'm four for four." (He said he has not evaluated built-in ATMs like those used by banks and credit unions.)

He said both Tranax and Triton had patched the security vulnerabilities since he brought them to the companies' attention a year ago. If a customer with an ATM such as a convenience store or a restaurant doesn't apply the fix, though, the machines remain vulnerable.

Hacking into ATMs is not exactly a new idea: It was immortalized by a young John Connor in the "Terminator 2" movie, and techniques like "card skimming" and "card trapping" are well-known by police.

Some enterprising thieves have even seized on ways to use a little-known configuration menu to trick ATMs into thinking that they're dispensing $1 bills instead of $20 ones. (Traditional methods of stealing an ATM, ramming it, cutting into its safe, or blowing it up still work too.)

But those other electronic cash-extraction techniques were limited because they didn't rely on a deep analysis of an ATM's code. Many run Windows CE with an ARM processor and an Internet connection or a dialup modem, all of which controls access to the armored safe through a serial port connection. Jack said he used standard debugging techniques to interrupt the normal boot process and instead start Internet Explorer, giving him access to the file system and allowing him to copy off the files for analysis.

In the case of Tranax, a Hayward, Calif.-based company, Jack said he found a remote access vulnerability that allows full access to an unpatched machine without a password needed. He wrote two pieces of software to exploit that programming error: a utility called Dillinger, which attacks an ATM remotely, and one called Scrooge, a rootkit that inserts a backdoor and then conceals itself from discovery.

Scrooge "hides itself from the process list, hides itself from the operating system," Jack said. "There's a hidden pop-up menu that can be activated by a special key sequence or a custom card."

Triton's ATMs didn't have an obvious remote access vulnerability. And the built-in vaults were well-armored. But the PC motherboard that dispenses cash from the vault was protected only by a standard (not unique) key that could be purchased over the Internet for about $10. So Jack did, and found he could force the machine to accept his backdoor-enabled software as a legitimate update.

Bob Douglas, Triton's vice president of engineering, showed up at the conference to stress to reporters that the vulnerability has been fixed. "We have developed a defense against that attack," he said. "We released it in November of last year."

In addition, Douglas said: "We have an optional kit available to replace the lock with a unique key. It's a high-security lock as well. I think it's a Medeco lock." But he said because some companies that service ATM machines might own 3,000 of them and visit dozens or hundreds a day, not all customers choose to upgrade.

Tranax did not respond to queries from CNET on Wednesday.

Jack was scheduled to present a similar talk at Black Hat last year, but it was pulled at the last minute after an ATM vendor complained to Juniper Networks, his then-employer.

The difficult part in hacking the ATMs was evaluating the software for vulnerabilities--but the Dilligner and Scrooge utilities Jack created as a result are easy enough for a child to use.

And will he release them? Teenage hackers, random criminals, and the Mob would surely be interested. "I'm not going to," Jack said in response to a question from CNET after his talk.

Mozilla's Tab Candy is the first step to sweeter browsing

Tabbed browsing has arguably had a significant impact on the way that people use the Web, but the feature hasn't really scaled to accommodate the increasing complexity of the average surfing session. The existing tab management and overflow handling mechanisms that are present in modern browsers are dated and suffer from some fundamental limitations that significantly detract from user productivity.
As more software shifts into the cloud and users increase their reliance on the browser for daily computing tasks, browser tabs will have to evolve from a primitive mechanism for switching between documents into a full-blown task management system. The mainstream browser vendors have been slow to address this issue and haven't applied much innovation to the problem over the past few years. Mozilla has stepped up to plate and is aiming to hit the ball out of the park with some unique and truly compelling improvements to the tab concept.
Mozilla's experimental Tab Candy project, which is led by talented designer Aza Raskin, offers a simple and intuitive new twist on tab management. It allows users to visually manage tabs by organizing them into spatial groups. It's far from being a complete solution to tab overflow, but it's a very good step in the right direction.
Mozilla has made available some experimental prerelease builds of Firefox 4 that have the Tab Candy enabled. We tested this preview version ourselves to get a hands-on look at the new feature. On the surface, the only major noticeable difference is an icon with black squares that appears in the tab bar. When you click the icon, the Tab Candy mode will be activated. The browser will show you a thumbnail view of all of your tabs in rectangles that represent groups. You can drag a tab from one group to another or drag it out into the field to create a new group.

Mozilla's Tab Candy user interface

When you click a thumbnail, the browser will activate that tab and close the Tab Candy view. During regular browsing, the tab bar in the window will only show the tabs from the group that is currently active. This makes it easy to treat tab groups like projects and easily switch from one tab context to another.
These features are just the start of what Mozilla has planned for Tab Candy. In a demo video that highlights some ideas for future features, Raskin discusses the possibility of enabling simple tab sharing through the Tab Candy interface and providing extensibility hooks that would enable third-party add-ons to augment Tab Candy with their own contextually relevant features.

Tab tree

Tab Candy is an impressive first step, but there are still a lot of unsolved tab management challenges that need to be addressed. The Tab Candy interface won't fully resolve the problem of an overflowing tab bar, because there are still likely to be cases where individual tab groups have more items than the regular tab bar can cleanly accommodate. Having to scroll back and forth to find a tab is frustrating.
Tab Candy's spatial view will help to simplify high-level tab management, but the downside is that it fragments the user experience by disconnecting the tab management interface from the regular browsing interface. It would be good to have a separate way for users to optionally view the complete stack of tabs from all groups alongside the actual content of the active page.
Mozilla has reduced the challenge of finding a specific tab by introducing a switch-to-tab feature in the AwesomeBar, but that doesn't help unless you remember the title of the page that you are looking for. The popular Tree Style Tabs add-on offers an elegant way to further simplify tab management—one that could potentially work well with the Tab Candy concepts and shore up some of the weak points.
The Tree Style Tab add-on allows users to see all of their tabs in a nested hierarchy in a sidebar. It presents tabs as a tree of collapsible nodes, which makes it easy to hide and show sets of nested tabs based on which ones are relevant to your current activity.

The Tree Style Tabs add-on

I think that something like Tree Style Tabs should be added as a sidebar, giving the user the ability to toggle between the regular horizontal tab bar and the richer tree view when the tab count becomes overwhelming. It could also potentially be adapted with a filtering mechanism so that the user can decide if it should show tabs from all of their Tab Candy groups or just the active group. The groups could be presented as tree nodes.
I think that a vertical interface is really the key to bringing saner overflow handling to the tab bar. Raskin is no stranger to this notion, and experimented with the idea of a vertical sidebar in some mockups last year.

Reading list

In the demo video, Raskin suggests that Tab Candy users might want to rely on groups to manage the tabs that they intend to read later. This approach makes sense, but it might not be sustainable in the long term. I know that I'd end up with a ton of groups that I haven't looked at in a while cluttering up my Tab Candy space and I'd have one enormous group of unrelated pages for future reading.
An obvious solution is to offer some kind of bridge between tabs and bookmarks, but I think that it might be more advantageous to make it feel more like the Read It Later add-on, a wrapper for Firefox's bookmark system that allows users to easily create and maintain a chronological stack of unread items.
It would be great to have something like that, but with a more elaborate timeline view that would allow you to explore other browsing history that transpired around items that you saved for later reading. Similarly, it would be useful to be able to have tab groups "expire" and shift collectively into the reading list stack after a certain amount of idle time. This could have some kind of Weave sync capability so that users would be able to easily work through their reading list from a mobile phone.
Taken together, the underlying concepts behind Tab Candy, Tree Style Tabs, and Read It Later hold the potential to revolutionize Web browsing and solve a wide range of the tab management and information overload problems that are faced by users.

Students finally wake up to Facebook privacy issues

Students care about Facebook privacy more than the world thinks, and their use of privacy controls has skyrocketed recently, according to two researchers. Eszter Hargittai, Associate Professor of Northwestern University, and Danah Boyd, Research Associate at Harvard’s Berkman Center for Internet & Society published their findings in the online peer-reviewed journal First Monday, noting that young people are very engaged with the privacy settings on Facebook, contrary to the popular belief that their age group is reckless with what they post publicly.
The researchers surveyed first-year writing students at the University of Illinois-Chicago during the 2008-2009 academic year, and then followed up with them again in 2010. The large majority—87 percent—said they used Facebook in 2009, which went up to 90 percent in 2010. Among frequent and occasional users, more than half posted their own status updates in addition to checking up (and leaving comments) on those of friends.
Among those who took the survey in both years, nine percent said they never touched Facebook's privacy settings in 2009, a figure that fell to a paltry two percent the next year. Similarly, nine percent said they had adjusted the settings just once in 2010, down from 28 percent in 2009. In contrast, the percentage of students who changed their privacy settings four or more times more than doubled from 24 to 51 percent over that period of time. The researchers noted that those who regularly contribute to activities on Facebook may be more conscious of their audience than those who use it less frequently, hence their motivation to modify their settings.
Hargittai and Boyd noted that there was little variation between men and women who were frequent Facebook users when it came to engagement with privacy controls. They say this is notable "given that in most other domains that require active online engagement (e.g., posting videos, editing Wikipedia entries), women report lower levels of involvement."
There was, however, a much higher likelihood of occasional-Facebook-using women changing their settings than occasional male users. Unsurprisingly, users who were "highly skilled" in Internet-related things were much more likely to have tweaked their privacy settings, though the researchers acknowledged that this could be either due to knowledge levels or simple unawareness of the importance of changing them.
The one thing the researchers were unsure of was why so many Facebook users started tweaking their privacy controls so much between 2009 and 2010. One theory was that there was an increase in public attention on Facebook privacy just before and during that time—indeed, Facebook's Beacon screw-up started in 2008 and got the ball rolling for a litany of complaints that have extended well into 2010. Facebook also greatly simplified its privacy controls recently, which may have led to an increase in awareness.
The important takeaway, according to Hargittai and Boyd, is that students do care about their privacy on Facebook, and a large number of them are now making regular changes to their settings. "Our results challenge widespread assumptions that youth do not care about and are not engaged with navigating privacy," they wrote. Their findings, combined with those from the Pew Internet & American Life Project from earlier this year, show that the young 'uns aren't so willing to show their drunken photos to the world as many of us thought.