ATM virus post
16 March 2011, 11:30
Guys, I couldn't resist. This post is about the ATM virus found more than a year ago in Diebold ATMs and the basic principle of how it works. The topic is old and the peak of the hysteria has long passed, but the public never learned what really happened, which is why even IT people keep building speculation and repeating myths. Many articles have been written about this virus, from technical descriptions to popular pieces for housewives, but the most important trick has never been disclosed. I'll try to explain it simply, because what matters is understanding the idea, not digging into the details of a specific implementation.

Picture to attract attention:




Let's start from the beginning. A year ago the media panicked: "ATM viruses!", so every self-respecting bank manager picked up the panic and started trying to do something. The panic did have a basis: the world is full of lovers of free money, so-called carders, whose aim is to get hold of your card data, including the PIN, and then make a clone and withdraw all the money or buy something with it. Various cheating methods have been invented for this, but until the virus they were all physical in nature. The virus is interesting precisely because it took the technique to a new level: the PIN is stolen at the software level. It should be noted that the virus could also dispense cash in unlimited amounts to a special card, but that does not concern us as customers, since in that case the bank loses the money, not us.

Now let's take a superficial look inside the ATM itself and see where a virus could live. The secret is out: the vast majority of ATMs run Windows XP. The quick-witted reader will conclude that the threat is therefore real and it is time to be afraid. But it is not as bad as it seems. First, conscientious ATM software vendors cut Windows down heavily: they disable everything they can, close ports, block access, and so on. Second, an ATM never faces the internet directly: it sits either in a dedicated segment of the corporate network or behind some crypto gateway such as a Cisco or Checkpoint box, so for a virus to get in from the network there are, to put it mildly, no options. Consequently the only real vector is an insider, because slipping something onto an ATM from the outside is problematic.

And what does typical ATM software look like? Like this. Its architecture is analogous to client-server. The server part talks to the specific hardware (of which an ATM has plenty) and exposes programming interfaces that are uniform for each class of device (dispenser, card reader, printer, keypad, etc.). The client, i.e. the business application itself, uses these interfaces to show us advertising, display the long-awaited salary balance, print receipts and happily blink the lights. All of this is standardised as CEN/XFS. I'll put a picture here.



Having learned this, we immediately start writing our own ATM software, with blackjack and hookers; there are no secrets here, and all the emulators and the specification are available to us, nobody hides them. We read the magnetic stripe from the card reader when the customer inserts the card, and the PIN from the PIN pad when the customer keys it in. There it is, as they say: profit. And on paper it all seems fine. But the joy is short-lived, because a small bummer awaits us. The PIN cannot be read from the keypad in the clear. It can only be obtained encrypted.



Let me make a digression, for general education. The PIN in the clear never travels anywhere except inside the keypad and inside a special device, the HSM, which sits at the processing centre. PIN entry works as follows. The software passes the card number to the keypad and commands it to start PIN entry. During entry the keypad only reports the fact that a key was pressed, never which one. Then the keypad builds a block: a two-digit PIN length field, then the PIN itself, padded with the hex digit F up to 16 characters, and XORs it with the rightmost 12 digits of the card number excluding the final check digit (left-padded with 0000). For example, for PIN 1234 and card 4987.6543.2109.8765 we take 04.1234.FFFFFFFFFF, XOR it with 0000.765432109876 and obtain 0412.42AB.CDEF.6789. This last number is then encrypted with a working key that already lives in the keypad, and the ciphertext is returned to the application that ordered the PIN entry.
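The block construction above (the ISO 9564 format-0 PIN block) as a runnable example. This is added code, not the post's own; it reproduces the post's worked values (PIN 1234, PAN 4987 6543 2109 8765 giving 0412.42AB.CDEF.6789) and also handles other PIN lengths and the reverse direction, which is what the HSM, or whoever holds the decrypted block, does to read the PIN back. The function names are mine.

```python
"""ISO 9564-1 format-0 PIN block, as described in the post (added example)."""


def pan_field(pan: str) -> str:
    """0000 followed by the rightmost 12 PAN digits, excluding the check digit."""
    digits = "".join(ch for ch in pan if ch.isdigit())   # tolerate '4987 6543 ...'
    if len(digits) < 13:
        raise ValueError("PAN must have at least 13 digits")
    return "0000" + digits[-13:-1]


def pin_field(pin: str) -> str:
    """Format nibble 0, PIN length nibble, the PIN digits, F-padding to 16 hex digits."""
    if not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4..12 decimal digits")
    return f"0{len(pin):X}{pin}".ljust(16, "F")


def xor_hex(a: str, b: str) -> str:
    return f"{int(a, 16) ^ int(b, 16):016X}"


def pin_block(pin: str, pan: str) -> str:
    """Clear PIN block = PIN field XOR PAN field.  This is the 8-byte value the keypad
    encrypts under the working key before handing it to the application."""
    return xor_hex(pin_field(pin), pan_field(pan))


def recover_pin(block: str, pan: str) -> str:
    """Inverse: XOR the PAN field back in, then read length and digits.  The padding
    check makes a block/PAN mismatch fail loudly instead of yielding a wrong PIN."""
    field = xor_hex(block, pan_field(pan))
    if field[0] != "0":
        raise ValueError("not a format-0 PIN block")
    length = int(field[1], 16)
    pin, pad = field[2:2 + length], field[2 + length:]
    if not 4 <= length <= 12 or not pin.isdigit() or pad != "F" * (14 - length):
        raise ValueError("PIN block does not match this PAN")
    return pin


if __name__ == "__main__":
    # Constructed values from the post's worked example
    blk = pin_block("1234", "4987 6543 2109 8765")
    print(blk, recover_pin(blk, "4987654321098765"))
```

Because the PAN is mixed into the block, the same PIN produces a different block on every card, and a block can only be opened together with the right PAN, which is why the keypad is told the card number before entry starts.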

Now let's deal with the encryption keys, since we have started talking about them. These keys live inside the keypad and cannot be read out of it. Typically, before an ATM goes into service, bank security officers manually enter the so-called master key (MK) into the keypad; each officer enters one component, so nobody knows the complete key. Then, periodically, the processing centre sends the ATM a special working key (WK), encrypted under the master key, which nobody except the keypad and the HSM mentioned above knows. In total the keypad holds MK and MK(WK).

We are gradually approaching the climax. In fact, many different keys can be loaded into the keypad. And you can feed it a PIN block and tell it to decrypt it under the working key, re-encrypt it under another key and return the result. That is, we will never get a key in the clear, but something encrypted under a key, please. So why don't we load our own, well-known master key into it and command the keypad to encrypt the PIN block under that key instead of some other one? Then we decrypt it ourselves, since now we know the key. This is exactly what the virus does.



That's the whole trick, folks. Nothing complicated, right?

Finally, here is the catch. It is no coincidence that the virus operated on Diebold ATMs. Some Diebold ATMs were fitted with old keypads that do not meet modern security requirements. Modern requirements state that an ATM keypad must enforce a key hierarchy. This means that if we command the keypad to decrypt a PIN block under a working key and re-encrypt it, the target may only be a key that was itself loaded under the master key which encrypted that working key. This is logical: if we were able to load a working key there, then we know the master key (we encrypted the working key with it), so we can be trusted. But if we ask for the PIN block encrypted under some random key from a neighbouring branch, we won't get it: that is a sign of bad intentions.
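The trick from the previous section and the key-hierarchy check that defeats it, as one added simulation (not the post's or the virus's code). A real keypad uses 3DES; a small SHA-256-based Feistel cipher stands in here so the file runs offline, and the `Keypad` class, its method names and the key slot names are my assumptions. The idea is the post's: the bank commissions the keypad with an MK and a host-supplied MK(WK), a customer's PIN block comes back encrypted under WK, and the virus loads its own master key and asks the keypad to re-encrypt the block under it. An old keypad obeys; a hierarchy-enforcing one refuses while still allowing a legitimate WK rotation under the same MK.

```python
"""Keypad (EPP) key-hierarchy simulation of the post's trick (added example)."""
import hashlib

ROUNDS = 8


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(half: bytes, key: bytes, rnd: int) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def toy_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for 3DES (assumption): balanced Feistel network on one 8-byte block."""
    l, r = block[:4], block[4:]
    for rnd in range(ROUNDS):
        l, r = r, xor_bytes(l, _round(r, key, rnd))
    return r + l


def toy_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:4], block[4:]
    for rnd in reversed(range(ROUNDS)):
        l, r = r, xor_bytes(l, _round(r, key, rnd))
    return r + l


class Keypad:
    """Keys live inside; callers only ever get ciphertext back."""

    def __init__(self, enforce_hierarchy: bool):
        self.enforce_hierarchy = enforce_hierarchy
        self._keys = {}    # slot -> clear key, never exported
        self._parent = {}  # slot -> master slot it was loaded under (None for a MK)

    def load_master_key(self, slot: str, components: list) -> None:
        """Each officer enters one component; the keypad XORs them into the MK."""
        key = bytes(8)
        for c in components:
            key = xor_bytes(key, c)
        self._keys[slot], self._parent[slot] = key, None

    def load_working_key(self, slot: str, master_slot: str, mk_wk: bytes) -> None:
        """WK arrives from the host as MK(WK); only the keypad and the HSM can open it."""
        self._keys[slot] = toy_decrypt(self._keys[master_slot], mk_wk)
        self._parent[slot] = master_slot

    def encrypt_pin(self, wk_slot: str, clear_pin_block: bytes) -> bytes:
        return toy_encrypt(self._keys[wk_slot], clear_pin_block)

    def translate_pin(self, from_slot: str, to_slot: str, block: bytes) -> bytes:
        """Decrypt under from_slot, re-encrypt under to_slot.  A modern keypad only
        accepts a target that hangs under the same master key; an old one just obeys."""
        if self.enforce_hierarchy and self._parent[to_slot] != self._parent[from_slot]:
            raise PermissionError("target key is outside the source key's hierarchy")
        return toy_encrypt(self._keys[to_slot], toy_decrypt(self._keys[from_slot], block))


# Constructed values: two MK components (one per officer), a host WK, and the post's
# clear PIN block 0412.42AB.CDEF.6789 (PIN 1234 on card 4987 6543 2109 8765).
MK_PARTS = [bytes.fromhex("0011223344556677"), bytes.fromhex("89abcdef01234567")]
HOST_WK = bytes.fromhex("1122334455667788")
CLEAR_PIN_BLOCK = bytes.fromhex("041242ABCDEF6789")


def commission(enforce_hierarchy: bool) -> Keypad:
    """Bank side: officers enter the MK, the host pushes WK encrypted under it."""
    kp = Keypad(enforce_hierarchy)
    kp.load_master_key("MK", MK_PARTS)
    host_mk = xor_bytes(*MK_PARTS)            # the processing-centre HSM holds the full MK
    kp.load_working_key("WK", "MK", toy_encrypt(host_mk, HOST_WK))
    return kp


def virus_steals_pin(enforce_hierarchy: bool):
    """Hex of the clear PIN block the virus recovers, or None if the keypad refuses."""
    kp = commission(enforce_hierarchy)
    pin_under_wk = kp.encrypt_pin("WK", CLEAR_PIN_BLOCK)   # what the application normally sees
    evil_mk = bytes.fromhex("deadbeefcafef00d")            # known to the virus
    kp.load_master_key("EVIL", [evil_mk])
    try:
        under_evil = kp.translate_pin("WK", "EVIL", pin_under_wk)
    except PermissionError:
        return None
    return toy_decrypt(evil_mk, under_evil).hex().upper()  # XOR the PAN back and read the PIN


def legitimate_rotation(enforce_hierarchy: bool) -> bool:
    """Host rotates WK -> WK2 under the same MK; the hierarchy check must still allow this."""
    kp = commission(enforce_hierarchy)
    wk2 = bytes.fromhex("8877665544332211")
    kp.load_working_key("WK2", "MK", toy_encrypt(xor_bytes(*MK_PARTS), wk2))
    moved = kp.translate_pin("WK", "WK2", kp.encrypt_pin("WK", CLEAR_PIN_BLOCK))
    return toy_decrypt(wk2, moved) == CLEAR_PIN_BLOCK


if __name__ == "__main__":
    print("old keypad:   ", virus_steals_pin(False))
    print("modern keypad:", virus_steals_pin(True))
```

The check in `translate_pin` is the whole difference between the two keypads: it never needs to know whether the caller is "the virus", only whether the target key was loaded under the same master key as the source key, which an attacker who cannot obtain the bank's MK cannot arrange.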



That's all. It turned out rather long; I needn't have written about PIN blocks, but oh well. I hope I have clarified the situation a bit, and that the various myths and interpretations in certain circles will become fewer. This applies especially to big bank managers who dream of putting antivirus on ATMs, not realising that they will get many times more hassle than benefit. The sensible guys have long been using solutions à la Solidcore (application whitelisting) and live in peace.
Added by: w1zard