I thought I’d done my last post on Diebold except as an object of fun – but no.
Back when there was controversy about whether we voting machine alarmists were wearing tinfoil hats or not, one thing I frequently heard was the claim that “They make ATM’s and those are secure…”
Diebold has released a security fix for its Opteva automated teller machines after cyber criminals apparently broke into the systems at one or more businesses in Russia and installed malicious software.
Diebold learned of the incident in January and sent out a global security update to its ATM customers using the Windows operating system. It is not releasing full details of what happened, including which businesses were affected, but said criminals had gained physical access to the machines to install their malicious program.
“Criminals gained physical access to the inside of the affected ATMs,” Diebold said in its security update. “This criminal activity resulted in the operation of unauthorized software and devices on the ATMs, which was used to intercept sensitive information.”
The break-in occurred in Russia and affected “a number” of machines, said DeAnn Zackeroff, a company spokeswoman. “The incident was a low-tech break-in to the ATM, but they had a high-tech knowledge of how to install the virus,” she said.
THEIR ATMS USE THE WINDOWS-FREAKING-OPERATING SYSTEM? The biggest virus and hack-magnet on the planet? What genius made that architectural decision, and how in the Wide, Wide World of Sports did any sane bank IT risk manager sign off on it?
That’s just … insanely stupid. Look I use Windows on my home machines, I work with clients who use windows, we’ve even used Windows for nontransactional kiosks. But it’s damn risky to put Windows out on remote transactional systems, period.
And, as a last fillip…when we argued about whether the Diebold machines were awful or criminally awful?
From the California Secretary of State (pdf):
The attached California Secretary of State Debra Bowen’s Report to the Election Assistance Commission Concerning Errors and Deficiencies in Diebold/Premier GEMS Version 1.18.19 (“Report”) identifies software flaws in the GEMS version 1.18.19 software that led Humboldt County to initially inaccurately certify results (which were subsequently corrected) for the November 4, 2008, General Election. The flaws also led to inaccurate or missing audit trail information that was pertinent to the investigation into the cause of the inaccurate results. The Secretary of State’s investigation identified the following errors and deficiencies in GEMS version 1.18.19, all of which are discussed in the Report:
1. The “Deck 0” software error caused the deletion of 197 tallied ballots.
2. GEMS version 1.18.19 audit logs fail to record important events.
3. “Clear” buttons on the GEMS Poster Log and Central Count Log permit deletion of important audit records.
4. Date and time stamp on audit trail entries are inaccurate.
“Clear” buttons delete audit logs? Who knew? I wonder if my bank’s accounting software has a feature like that…a big button that says “clear”. Hmmm.
Per a Higher Authority, corrected my Slim Pickens quote above…
–
I designed and implemented field kiosk systems with Ticketmaster and a few other groups in the late 90’s early 2000’s and we utilized Windows OS and there are ways of significantly hardening the OS, modification of the shell and locking the systems down to be just as restrictive as a modified Linux system.
My reasons for wanting to use Linux would be primarily born out of cost savings. Why anyone would want use Windows when it has to be licensed, instead of Linux when it can be had nearly free is the bigger question I would have.
I have been on the inside of a Diebold ATM (running OS warp less then 2 years ago). Looks like a bit of miss direction going on. Once they had physical access it didn’t matter what OS was running. Looks like they are reducing the public relations damage by blaming MS knowing people will accept it uncritically.