Archive for May, 2014


A safe that dispenses cash on command.

May 30, 2014

It seems like the sophisticated ATM attacks that occur around the world (the ones not using skimmers and cameras) happen because the attackers manage to acquire or gain access to a representative ATM of the type they want to attack.

eBay has plenty of used Hyosung and Triton ATMs for sale.  Picking one up is a great investment for an attacker who wants to understand the software and hardware weaknesses of the devices.  Heck, starting up a turnkey ATM business is probably an even better investment, since you’ll get access to the latest and greatest to experiment on.

It reminds me of the gambling industry, and how their slot machine security depended partially on “crossroaders” not being able to get a look at the internals.  This turned out as well as you’d expect.  One former casino thief named John Soares wrote an entertaining book going into some depth on the subject.

Many like to call this security by obscurity and leave it at that, but a little analysis shows the underlying risk decisions.

If you go back 40-50 years to mechanical slot machines as described in Loaded Dice, you can reconstruct the “threat profile” casinos likely constructed around people who can successfully attack slot machines:

  • They need to be technically adept to understand the inner workings of slot machines, and how to ensure payouts
  • They need to be dexterous and accurate to effect the attack in a reasonable amount of time
  • They need to gain unrestricted access to a similar machine for practice

That limits the pool of attackers.  To defend against these threat actors, some countermeasures were put in place:

  • Supply chain regulation, which makes direct acquisition of the equipment riskier and more susceptible to future investigation
  • Common casino surveillance practices extended to the slots floor that limit what actions can be taken by an attacker in the scope of time, noise, and visual detectability
  • A mix of high-payout and low-payout machines, placed so that foot traffic around the desirable target machines leaves the attacker a correspondingly smaller window of opportunity.

With less time, and less freedom of action, an attacker must be *extremely* dexterous and accurate to have a reasonable chance of success.  When it is hard to buy or acquire target slot machines, tracking down the perpetrators after the crime occurs can be easier.  This in turn limits the pool of threat actors.  The attackers need to be *very* good, *very* fast, and *very* careful about how they acquire their knowledge to put the risk equation in their favor.

In Loaded Dice, John Soares’ crew is very good.  The fact that casinos they hit didn’t go bust because of them and other crews manipulating machines implies that the bar was raised high enough to limit just how many people could successfully attack desirable slot machines.


’nuff said.

May 21, 2014

To be fair, the Cyber-Beltway is not known for knowledge of the field or impressive research.

Regulating vulnerability markets

May 19, 2014

Didn’t read it?  It’s about how the US should regulate the “0-day vulnerability marketplace” so that “bad guys” can’t get the “0-days”.

There is an underlying flaw in the thinking, which may be pervasive in the beltway cyber-echo-chamber, that vulnerabilities are things — things that someone invents or manufactures.  Vulnerabilities (in the 0-day or Øday or whatever sense) are not inventions.  They are facts that are discovered.  It is an important distinction.  A working exploit is the result of occasional invention on the part of the researcher, but the flaw being exploited is not.

Understanding what a security flaw is helps deconstruct the idea of a “Øday vulnerability marketplace”.  The purchasers in this market are not “buying 0-dayz”.  They are outsourcing vulnerability research and testing.  More to the point, they are outsourcing it as piece-work.  The sellers in this market are engaging in a race/lottery to get paid.

Microsoft, Google, the NSA, etc. have the capability to discover software and hardware security flaws.  In addition to this work, they offer bounties (payment) to any and all comers (or those on a procurement schedule) for usable discoveries.  There are incredible advantages to doing this.

The purchaser pays once to acquire the discovery — the fact.  The seller gets paid a decent amount that made searching for and verifying the vulnerability worthwhile.  Say Google paid $25K for a Chrome vulnerability, which the seller took 95 hours to find and a few more hours to weaponize, roughly 100 hours in total.  The seller earns about $250/hr for a labor of love.

What Google isn’t paying for is the hundreds of people who each looked at the same thing and either didn’t see the vulnerability, or brought it to Google a little too late.  That is thousands and thousands of hours of effort that doesn’t hit Google’s bottom line.  If Google could only rely on their own search for vulnerabilities, they may well have to spend all that extra time and effort themselves to get the same result.

The second conceptual flaw is the assumption that this visible market mechanism (which happens to be currently in the news) is the main method by which bad actors acquire their discovered facts.  Some research in the matter would show the dedicated student that this is often the exact reverse of reality.

Attempting to regulate the transfer of this kind of knowledge hasn’t worked before.  The discovery of facts happens simultaneously, and is not tied to a particular geography or people.  Regulating the outsourcing of vulnerability research with the aim of preventing your enemies from acquiring the products of research is naive.  It assumes that your enemies are in fact tied to this outsourcing marketplace, and are unable to perform their own research.

For consideration:  When some seedy beltway contractor snags a vBulletin exploit off of a Romanian hacker forum, scrubs the author information, then turns around to sell it to the NSA, there is nothing in the transaction that stops the People’s Liberation Army (cue scary music) from finding that same exploit on that same forum, discovering the flaw themselves, or paying similar government cronies in Beijing for the same effort.