SlideShare una empresa de Scribd logo

Offline attacks-and-hard-disk-encription

M
malvvv

security

Tecnología
1 de 26
Descargar para leer sin conexión
LOGICAL ATTACKS SERIES : 1. Attacks and their mitigations 2. Offline Malware 3. Online Malware 4. Network Attacks 5. Blackbox Attacks
Security Attacks and Vulnerabilities in the news… 2 NCR Confidential ATM Jackpotting Attacks Hit the US ‾ US Secret Service Alert and press release warning to North America ATM Deployers and Financial Institutions to protect against :- • Black Box attacks AND • Hard Disk removed from Diebold ATM, Malware (Ploutus-D) Installed, Disk returned to ATM Spectre/Meltdown Vulnerabilities • Vulnerability found in Processor Chips from Intel, ARM, & AMD. • Speculative Execution Flaw impacts ALL modern processors
3 TotalNoofattacks Online Offline Network Unknown Mexico Mexico Guatemala Mexico Dominican Republic UK Russia Russia Russia Mayasia Cana… Germany Jordan Oman Romania Mexico Saudi Arabia Hungary Spain India India Brazil Malaysia Russia Ukraine USA India Ukraine Denmark IndiaRussia Brazil Brazil ThailandIndia Dominican Republic Philippines Peru India Dominican Republic Peru Peru USA 0 5 10 15 20 25 30 35 40 45 50 May-13 Nov-13 Jun-14 Dec-14 Jul-15 Jan-16 Aug-16 Mar-17 Sep-17 Apr-18 Logical Attacks (other than Black Box) since 2013 .
Card Scheme Networks Management (e.g. Vision) Switch Host OS – Windows (e.g. WIN7) PC Core + BIOS Platform – APTRA XFS (e.g. 6.1) Application (e.g. Activate) Mgmt. Agents Antivirus (e.g. Solidcore Suite) Software Distribution (e.g. Vision SWD) High Level Architecture
Malware Installed on the ATM ‘Skimer’ Malware Reported by Kaspersky – but first seen in 2009 (Russia only) Backdoor.Win32.Skimer and Trojan.Win32.Patched.rb Uses standard XFS commands to communicate with card reader, EPP & Dispenser to obtain card and pin data and also to dispense cash Has been not been reported on NCR ATMs as yet ‘Ploutus/PADPIN/TYUPKIN’ Malware Security SW is disabled Malware files transferred to ATM ATM put back in service Dispense commands may be executed via external keyboard or through PINPAD ‘Sucesful’ & ‘GreenDispense’ Malware Malware discovered on Virus upload sites Uses standard XFS commands to communicate with card reader, EPP, and SIU & Dispenser Compatible with NCR and Diebold ATMs ‘Suceful’ Malware does not appear to be a ‘working’ version. Could be indicative of development in this area ‘Ripper’ Malware Thailand Malware – Jackpotting. It reads data from inserted cards, identifying when an accomplice is physically located at the ATM. Includes a self-destruct feature Can disable/enable Network; clean logs; Capable of recognizing and installing on three of NCR Confidential
High Level Architecture Card Scheme Networks Switch Host Black Box Remote SWD Spoofing Black Box Online Offline Network Unknown Online Malware OS – Windows (e.g. WIN7) PC Core + BIOS Platform – APTRA XFS (e.g. 6.1) Application (e.g. Activate) Mgmt. Agents Antivirus (e.g. Solidcore Suite) Man in the Middle Software Distribution (e.g. Vision SWD) Management (e.g. Vision) PC Core + BIOS Antivirus (e.g. Solidcore Suite) Typical Logical Attacks Remote Desktop Access Offline Malware
Offline Malware Encrypted Hard Disk & locked down BIOS High Level ArchitectureTypical Logical AttacksMitigating Logical Attacks OS – Windows (e.g. WIN7) PC Core + BIOS Platform – APTRA XFS (e.g. 6.1) Application (e.g. Activate) Mgmt. Agents Antivirus (e.g. Solidcore Suite) Card Scheme Networks Management (e.g. Vision) Switch Host Remote SWD Spoofing Black Box Online Offline Network Unknown Remote Desktop Access Man in the Middle Encrypted Comms (application or VPN) Enterprise Security review Secure SWD Software Distribution (e.g. Vision SWD) Black Box Level 3 Dispenser Encryption & updated Platform Online Malware Whitelisting & hardened WIN OS Hardened WIN OS
Logical Attacks Black Box ATTACK CATEGORIES NCR Confidential Network Attacks Black Box Online Offline Network Unknown When HD is Offline When HD is Online Malware installed on the ATM hard disk Malware installed on the ATM hard diskWhen Malware added when ATM Hard Disk is Offline
ATM Hard Disk Offline When the ATMs hard disk’s Operating System (typically Windows) is not running This is done either by :-  Removing the ATM Hard Disk and mounting it as a secondary drive attached to a laptop or other device OR  Inserting bootable removable media (USB/DVD) into the ATM and re-booting the ATM to this media When the hard disk is Offline attackers can :-  View and modify the contents/files of the hard disk  Disable Solidcore or other anti-malware solutions  Copy malware onto the hard disk  Copy sensitive information from the hard disk NCR Confidential
Logical Attacks Black Box ATTACK CATEGORIES Network Attacks Black Box Online Offline Network Unknown When HD is Offline When HD is Online Malware installed on the ATM hard disk When Malware added when ATM Hard Disk is Offline MITIGATIONS NCR Confidential
Encrypt the hard disk To read an encrypted file, you must have access to a secret (encryption) key or password that enables you to decrypt it. Unencrypted data is called plain text ; encrypted data is referred to as cipher text. Cipher textPlain text But where can the encryption key be stored securely? Protects against Offline malware attacks by preventing malware being copied onto the hard disk when the hard disk offline/mounted as a secondary drive NCR Confidential
The encryption keys can be locally stored or derived • The secret key is stored on an unencrypted part of the ATM hard disk • Less secure • Not PCI compliant  The secret key is stored in a TPM chip in the core  Quite secure but will not protect data if the whole core is stolen • The algorithm to derive the secret key from the devices attached is stored on an unencrypted part of the ATM hard disk  Less secureNCR Confidential
NCR Secure Hard Disk Encryption Protects against offline malware and protects data on stolen hard disks • ATM software being disabled, modified or tampered with when data is at rest (offline attack) • Dispenser Encryption Keys being compromised when data is at rest • Mounting HD as secondary drive • Reverse engineering stolen HD • Data on HD being compromised • Poor disposal of HD Network Based Authentication • Keys are held at the server which is much more secure than • Keys held locally on hard disk • Keys derived from an algorithm which uses attached ATM devices • Keys held in the TPM chip Centralised Control • Authorised central management of decryption and encryption • Allows authorised decryption for support & troubleshooting • Encryption status known centrally – encrypting, encrypted, not encrypted • Centralised policy updates can be pushed to ATM Works on XP, W7 and Windows 10 Is Vendor Independent (ie Multi-vendor) PCI Compliant FIPS 140-2 certified NCR Secure Hard Disk Encryption l NCR Confidential
. Network based authentication for Encryption keys ‾ Is PCI compliant ‾ Has centralised key management, configuration and deployment ‾ Provides compliance reporting ‾ Has Audit logs ‾ Uses Pre boot networking for external authentication and key management NCR Confidential
. Network based authentication for Encryption keys The encryption package is sent down to ATMs and encryption process starts After the initial encryption the keys are then transmitted over the network in an encrypted, secure fashion to the central manager. Where they are then stored NCR Confidential
. Network based authentication for Encryption keys When the ATMs start up, they use pre-boot networking to contact the central key manager. If, and only if, they can contact the central manger AND the ATM is configured to be able to boot then the keys are provided over the network BEFORE the OS boots. NCR Confidential
. Network based authentication for Encryption keys If an ATM/Core/Hard Disk is brought offline by an attacker and they attempt to reverse engineer it, the data, OS files and software are all protected for confidentiality and against injection of malware. NCR Confidential
. If ATM is reported stolen the central key manager administrator :- • Removes it from the autoboot group • Can que up a crypto-erase So if the attacker attempts to put the machine back online :- • it will be crypto-erased via pre-boot networking and the event will be logged Network based authentication for Encryption keys NCR Confidential
 During encryption (up to 24 hours after installation):  SST performance IS affected, particularly on start-up and shutdown  Transactions may take 8% longer than normal  Start-up may take 60% longer than normal  After encryption:  Transactions are unaffected  There is some minimal impact during start-up and shutdown  Start-up displays a pre-boot screen until keys are obtained via the network  A valid network connection to the server is required only for start-up 19 Perceived Barrier – Performance Impact NCR Confidential
Logical Attacks Black Box ATTACK CATEGORIES Network Attacks Black Box Online Offline Network Unknown When HD is Offline When HD is Online Malware installed on the ATM hard disk When Malware added when ATM Hard Disk is Offline MITIGATIONS NCR Confidential
Lockdown the BIOS It is still important to ensure the BIOS is locked down to only allow boot from the primary hard drive and have bios editing password protected. If the BIOS had been password protected and locked down to prevent boot from removable media then the majority of offline attacks would not have be successful This lockdown can be done manually This will help protect against future new attack techniques NCR Confidential
RBU Change Password Utility  Used to change the default password to a new secure password of your choice. No flash. No ATM reboot needed  Can also be used to update password anytime (daily/weekly/monthly etc) RBU Change Boot order utility  Used to update the boot order to USB/CD/DVD to allow for example FEs to use bootable sysapp  Can then be used to set the boot order back to Hard drive only to lock the BIOS back down/ No flash. No ATM reboot needed. RBU Check Boot order utility:  check which device is currently set to boot from RBU Check Password Set Utility:  check there is a password set RBU Flash Utility Flashes the BIOS to :- ‾ Only allow boot from primary hard drive (Disallow boot from CD/USB) ‾ Add a default BIOS password to all the ATMs in a Financial Institution's network ‾ Set up unique UUIDs per ATM ‾ Update the BIOS when vulnerabilities are found ‾ Enable no-touch password implementation and maintenance ‾ Works on NCR only Must be sent down via Software Distribution Needs an ATM reboot to take effect. NCR Secure Remote BIOS Update RBU Update Utilities NCR Confidential
Security Vulnerabilities in the news… Spectre/Meltdown Vulnerabilities • Vulnerability found in Processor Chips from Intel, ARM, & AMD. • Speculative Execution Flaw impacts ALL modern processors NCR Confidential
1. Secure your BIOS  Only allow boot from the primary hard disk  Editing of BIOS settings must be password protected 2. Establish an adequate operational password policy for all.passwords 3. Implement communications encryption  e.g. NCR Secure TLS Encrypted Communications 4. Establish a secure firewall  The ATM firewall must be configured to only allow known authorized incoming and outgoing connections necessary for an ATM environment, the connections must be configured per program rather than per port 5. Remove unused services and applications  Removing these from the system help reduce the attack surface area 6. Deploy an effective anti-malware mechanism  NCR Recommends active whitelisting applications: e.g. Solidcore Suite for APTRA 7. Establish a regular patching process for ALL software installed 8. Harden the Operating System e.g.  Ensure the application runs in a locked down account with minimum privileges required  Disable Auto play 9. Implement Rule based access control e.g.  Define different accounts for different user privileges  Restrict functionality allowed via remote desktop access to ATMs 10. Deploy a network authentication based Hard Disk Encryption Solution  NCR Secure Hard Disk Encryption 11. Ensure there is protected communications to the dispenser of the ATM 12. Perform a Penetration Test of your ATM production environment annually 13. Use a secure Remote Software Distribution that will assist in maintaining the Confidentiality; Integrity and Availability of your ATMs  Required to meet rule 7 and allows for timely distribution of updated malware signature files if malware is found 14. Consider the physical environment of ATM deployment  e.g. Through the Wall ATMS may be more suitable for unattended environments 15. Consult a security enterprise specialist to deploy industry best-practice security controls within your enterprise Security Requirements to Protect against Logical Attacks Summary
response.ncr.com/security-alerts
Questions?

Recomendados

Osint presentation nov 2019
Osint presentation nov 2019Osint presentation nov 2019
Osint presentation nov 2019Priyanka Aash
 
Web Application Penetration Tests - Information Gathering Stage
Web Application Penetration Tests - Information Gathering StageWeb Application Penetration Tests - Information Gathering Stage
Web Application Penetration Tests - Information Gathering StageNetsparker
 
แนวปฏิบัติด้านความปลอดภัยของผู้ปฏิบัติในระบบการแพทย์ฉุกเฉิน Safety โดยสถาบัน...
แนวปฏิบัติด้านความปลอดภัยของผู้ปฏิบัติในระบบการแพทย์ฉุกเฉิน Safety โดยสถาบัน...แนวปฏิบัติด้านความปลอดภัยของผู้ปฏิบัติในระบบการแพทย์ฉุกเฉิน Safety โดยสถาบัน...
แนวปฏิบัติด้านความปลอดภัยของผู้ปฏิบัติในระบบการแพทย์ฉุกเฉิน Safety โดยสถาบัน...Suradet Sriangkoon
 
Threat Intelligence in Cyber Risk Programs
Threat Intelligence in Cyber Risk ProgramsThreat Intelligence in Cyber Risk Programs
Threat Intelligence in Cyber Risk ProgramsRahul Neel Mani
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxDARSHANBHAVSAR14
 
Ethical hacking - Footprinting.pptx
Ethical hacking - Footprinting.pptxEthical hacking - Footprinting.pptx
Ethical hacking - Footprinting.pptxNargis Parveen
 
Coronavirus Impact Assessment And Mitigation Strategies On Technology Sector ...
Coronavirus Impact Assessment And Mitigation Strategies On Technology Sector ...Coronavirus Impact Assessment And Mitigation Strategies On Technology Sector ...
Coronavirus Impact Assessment And Mitigation Strategies On Technology Sector ...SlideTeam
 
Ethelhub - Introducción a OSINT
Ethelhub - Introducción a OSINTEthelhub - Introducción a OSINT
Ethelhub - Introducción a OSINTCarlos Crisóstomo Vals
 

Recomendados

Osint presentation nov 2019
Osint presentation nov 2019Osint presentation nov 2019
Osint presentation nov 2019Priyanka Aash
 
Web Application Penetration Tests - Information Gathering Stage
Web Application Penetration Tests - Information Gathering StageWeb Application Penetration Tests - Information Gathering Stage
Web Application Penetration Tests - Information Gathering StageNetsparker
 
แนวปฏิบัติด้านความปลอดภัยของผู้ปฏิบัติในระบบการแพทย์ฉุกเฉิน Safety โดยสถาบัน...
แนวปฏิบัติด้านความปลอดภัยของผู้ปฏิบัติในระบบการแพทย์ฉุกเฉิน Safety โดยสถาบัน...แนวปฏิบัติด้านความปลอดภัยของผู้ปฏิบัติในระบบการแพทย์ฉุกเฉิน Safety โดยสถาบัน...
แนวปฏิบัติด้านความปลอดภัยของผู้ปฏิบัติในระบบการแพทย์ฉุกเฉิน Safety โดยสถาบัน...Suradet Sriangkoon
 
Threat Intelligence in Cyber Risk Programs
Threat Intelligence in Cyber Risk ProgramsThreat Intelligence in Cyber Risk Programs
Threat Intelligence in Cyber Risk ProgramsRahul Neel Mani
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxDARSHANBHAVSAR14
 
Ethical hacking - Footprinting.pptx
Ethical hacking - Footprinting.pptxEthical hacking - Footprinting.pptx
Ethical hacking - Footprinting.pptxNargis Parveen
 
Coronavirus Impact Assessment And Mitigation Strategies On Technology Sector ...
Coronavirus Impact Assessment And Mitigation Strategies On Technology Sector ...Coronavirus Impact Assessment And Mitigation Strategies On Technology Sector ...
Coronavirus Impact Assessment And Mitigation Strategies On Technology Sector ...SlideTeam
 
Ethelhub - Introducción a OSINT
Ethelhub - Introducción a OSINTEthelhub - Introducción a OSINT
Ethelhub - Introducción a OSINTCarlos Crisóstomo Vals
 
An Underground education
An Underground educationAn Underground education
An Underground educationgrugq
 
Android Malware Detection Mechanisms
Android Malware Detection MechanismsAndroid Malware Detection Mechanisms
Android Malware Detection MechanismsTalha Kabakus
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASPMarco Morana
 
Introduction To Ethical Hacking
Introduction To Ethical HackingIntroduction To Ethical Hacking
Introduction To Ethical Hackingchakrekevin
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical HackingNamrata Raiyani
 
Cyber Defense Matrix: Reloaded
Cyber Defense Matrix: ReloadedCyber Defense Matrix: Reloaded
Cyber Defense Matrix: ReloadedSounil Yu
 
Shubhrat.presentationfor cybercrime.ppt
Shubhrat.presentationfor cybercrime.pptShubhrat.presentationfor cybercrime.ppt
Shubhrat.presentationfor cybercrime.pptShubhrat Mishra
 
Presentación virus informaticos
Presentación virus informaticosPresentación virus informaticos
Presentación virus informaticosasmeth27
 
Tools for Open Source Intelligence (OSINT)
Tools for Open Source Intelligence (OSINT)Tools for Open Source Intelligence (OSINT)
Tools for Open Source Intelligence (OSINT)Sudhanshu Chauhan
 
DevSecOps: Minimizing Risk, Improving Security
DevSecOps: Minimizing Risk, Improving SecurityDevSecOps: Minimizing Risk, Improving Security
DevSecOps: Minimizing Risk, Improving SecurityFranklin Mosley
 
Understanding Cyber Kill Chain and OODA loop
Understanding Cyber Kill Chain and OODA loopUnderstanding Cyber Kill Chain and OODA loop
Understanding Cyber Kill Chain and OODA loopDavid Sweigert
 
Cyber Terrorism
Cyber TerrorismCyber Terrorism
Cyber TerrorismShivam Lohiya
 
Social engineering-Attack of the Human Behavior
Social engineering-Attack of the Human BehaviorSocial engineering-Attack of the Human Behavior
Social engineering-Attack of the Human BehaviorJames Krusic
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application SecurityIshan Girdhar
 
Understanding the Cyber Security Vendor Landscape
Understanding the Cyber Security Vendor LandscapeUnderstanding the Cyber Security Vendor Landscape
Understanding the Cyber Security Vendor LandscapeSounil Yu
 
CYBERSECURITY | Why it is important?
CYBERSECURITY | Why it is important?CYBERSECURITY | Why it is important?
CYBERSECURITY | Why it is important?RONIKMEHRA
 
Zero Trust Model
Zero Trust ModelZero Trust Model
Zero Trust ModelKen Tulegenov
 
Web application Security tools
Web application Security toolsWeb application Security tools
Web application Security toolsNico Penaredondo
 
MITRE ATT&CKcon 2.0: Alertable Techniques for Linux Using ATT&CK; Tony Lamber...
MITRE ATT&CKcon 2.0: Alertable Techniques for Linux Using ATT&CK; Tony Lamber...MITRE ATT&CKcon 2.0: Alertable Techniques for Linux Using ATT&CK; Tony Lamber...
MITRE ATT&CKcon 2.0: Alertable Techniques for Linux Using ATT&CK; Tony Lamber...MITRE - ATT&CKcon
 
Malware- Types, Detection and Future
Malware- Types, Detection and FutureMalware- Types, Detection and Future
Malware- Types, Detection and Futurekaranwayne
 
Order vs. Mad Science: Analyzing Black Hat Swarm Intelligence
Order vs. Mad Science: Analyzing Black Hat Swarm IntelligenceOrder vs. Mad Science: Analyzing Black Hat Swarm Intelligence
Order vs. Mad Science: Analyzing Black Hat Swarm IntelligencePriyanka Aash
 
Protecting Your organization from WannaCry Ransomware
Protecting Your organization from WannaCry RansomwareProtecting Your organization from WannaCry Ransomware
Protecting Your organization from WannaCry RansomwareQuick Heal Technologies Ltd.
 

Más contenido relacionado

La actualidad más candente

An Underground education
An Underground educationAn Underground education
An Underground educationgrugq
 
Android Malware Detection Mechanisms
Android Malware Detection MechanismsAndroid Malware Detection Mechanisms
Android Malware Detection MechanismsTalha Kabakus
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASPMarco Morana
 
Introduction To Ethical Hacking
Introduction To Ethical HackingIntroduction To Ethical Hacking
Introduction To Ethical Hackingchakrekevin
 
Cyber Defense Matrix: Reloaded
Cyber Defense Matrix: ReloadedCyber Defense Matrix: Reloaded
Cyber Defense Matrix: ReloadedSounil Yu
 
Shubhrat.presentationfor cybercrime.ppt
Shubhrat.presentationfor cybercrime.pptShubhrat.presentationfor cybercrime.ppt
Shubhrat.presentationfor cybercrime.pptShubhrat Mishra
 
Presentación virus informaticos
Presentación virus informaticosPresentación virus informaticos
Presentación virus informaticosasmeth27
 
Tools for Open Source Intelligence (OSINT)
Tools for Open Source Intelligence (OSINT)Tools for Open Source Intelligence (OSINT)
Tools for Open Source Intelligence (OSINT)Sudhanshu Chauhan
 
DevSecOps: Minimizing Risk, Improving Security
DevSecOps: Minimizing Risk, Improving SecurityDevSecOps: Minimizing Risk, Improving Security
DevSecOps: Minimizing Risk, Improving SecurityFranklin Mosley
 
Understanding Cyber Kill Chain and OODA loop
Understanding Cyber Kill Chain and OODA loopUnderstanding Cyber Kill Chain and OODA loop
Understanding Cyber Kill Chain and OODA loopDavid Sweigert
 
Social engineering-Attack of the Human Behavior
Social engineering-Attack of the Human BehaviorSocial engineering-Attack of the Human Behavior
Social engineering-Attack of the Human BehaviorJames Krusic
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application SecurityIshan Girdhar
 
Understanding the Cyber Security Vendor Landscape
Understanding the Cyber Security Vendor LandscapeUnderstanding the Cyber Security Vendor Landscape
Understanding the Cyber Security Vendor LandscapeSounil Yu
 
CYBERSECURITY | Why it is important?
CYBERSECURITY | Why it is important?CYBERSECURITY | Why it is important?
CYBERSECURITY | Why it is important?RONIKMEHRA
 
Web application Security tools
Web application Security toolsWeb application Security tools
Web application Security toolsNico Penaredondo
 
MITRE ATT&CKcon 2.0: Alertable Techniques for Linux Using ATT&CK; Tony Lamber...
MITRE ATT&CKcon 2.0: Alertable Techniques for Linux Using ATT&CK; Tony Lamber...MITRE ATT&CKcon 2.0: Alertable Techniques for Linux Using ATT&CK; Tony Lamber...
MITRE ATT&CKcon 2.0: Alertable Techniques for Linux Using ATT&CK; Tony Lamber...MITRE - ATT&CKcon
 
Malware- Types, Detection and Future
Malware- Types, Detection and FutureMalware- Types, Detection and Future
Malware- Types, Detection and Futurekaranwayne
 

La actualidad más candente (20)

An Underground education
An Underground educationAn Underground education
An Underground education
 
Android Malware Detection Mechanisms
Android Malware Detection MechanismsAndroid Malware Detection Mechanisms
Android Malware Detection Mechanisms
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASP
 
Introduction To Ethical Hacking
Introduction To Ethical HackingIntroduction To Ethical Hacking
Introduction To Ethical Hacking
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 
Cyber Defense Matrix: Reloaded
Cyber Defense Matrix: ReloadedCyber Defense Matrix: Reloaded
Cyber Defense Matrix: Reloaded
 
Shubhrat.presentationfor cybercrime.ppt
Shubhrat.presentationfor cybercrime.pptShubhrat.presentationfor cybercrime.ppt
Shubhrat.presentationfor cybercrime.ppt
 
Presentación virus informaticos
Presentación virus informaticosPresentación virus informaticos
Presentación virus informaticos
 
Tools for Open Source Intelligence (OSINT)
Tools for Open Source Intelligence (OSINT)Tools for Open Source Intelligence (OSINT)
Tools for Open Source Intelligence (OSINT)
 
DevSecOps: Minimizing Risk, Improving Security
DevSecOps: Minimizing Risk, Improving SecurityDevSecOps: Minimizing Risk, Improving Security
DevSecOps: Minimizing Risk, Improving Security
 
Understanding Cyber Kill Chain and OODA loop
Understanding Cyber Kill Chain and OODA loopUnderstanding Cyber Kill Chain and OODA loop
Understanding Cyber Kill Chain and OODA loop
 
Cyber Terrorism
Cyber TerrorismCyber Terrorism
Cyber Terrorism
 
Social engineering-Attack of the Human Behavior
Social engineering-Attack of the Human BehaviorSocial engineering-Attack of the Human Behavior
Social engineering-Attack of the Human Behavior
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
 
Understanding the Cyber Security Vendor Landscape
Understanding the Cyber Security Vendor LandscapeUnderstanding the Cyber Security Vendor Landscape
Understanding the Cyber Security Vendor Landscape
 
CYBERSECURITY | Why it is important?
CYBERSECURITY | Why it is important?CYBERSECURITY | Why it is important?
CYBERSECURITY | Why it is important?
 
Zero Trust Model
Zero Trust ModelZero Trust Model
Zero Trust Model
 
Web application Security tools
Web application Security toolsWeb application Security tools
Web application Security tools
 
MITRE ATT&CKcon 2.0: Alertable Techniques for Linux Using ATT&CK; Tony Lamber...
MITRE ATT&CKcon 2.0: Alertable Techniques for Linux Using ATT&CK; Tony Lamber...MITRE ATT&CKcon 2.0: Alertable Techniques for Linux Using ATT&CK; Tony Lamber...
MITRE ATT&CKcon 2.0: Alertable Techniques for Linux Using ATT&CK; Tony Lamber...
 
Malware- Types, Detection and Future
Malware- Types, Detection and FutureMalware- Types, Detection and Future
Malware- Types, Detection and Future
 

Similar a Offline attacks-and-hard-disk-encription

Order vs. Mad Science: Analyzing Black Hat Swarm Intelligence
Order vs. Mad Science: Analyzing Black Hat Swarm IntelligenceOrder vs. Mad Science: Analyzing Black Hat Swarm Intelligence
Order vs. Mad Science: Analyzing Black Hat Swarm IntelligencePriyanka Aash
 
Protecting Your organization from WannaCry Ransomware
Protecting Your organization from WannaCry RansomwareProtecting Your organization from WannaCry Ransomware
Protecting Your organization from WannaCry RansomwareQuick Heal Technologies Ltd.
 
Stuxnet mass weopan of cyber attack
Stuxnet mass weopan of cyber attackStuxnet mass weopan of cyber attack
Stuxnet mass weopan of cyber attackAjinkya Nikam
 
Intrusion detection and prevention system
Intrusion detection and prevention systemIntrusion detection and prevention system
Intrusion detection and prevention systemNikhil Raj
 
Portakal Teknoloji Otc Lyon Part 1
Portakal Teknoloji Otc Lyon Part 1Portakal Teknoloji Otc Lyon Part 1
Portakal Teknoloji Otc Lyon Part 1bora.gungoren
 
Introduction of hacking and cracking
Introduction of hacking and crackingIntroduction of hacking and cracking
Introduction of hacking and crackingHarshil Barot
 
Cassandra Lunch #90: Securing Apache Cassandra
Cassandra Lunch #90: Securing Apache CassandraCassandra Lunch #90: Securing Apache Cassandra
Cassandra Lunch #90: Securing Apache CassandraAnant Corporation
 
Disruptionware-TRustedCISO103020v0.7.pptx
Disruptionware-TRustedCISO103020v0.7.pptxDisruptionware-TRustedCISO103020v0.7.pptx
Disruptionware-TRustedCISO103020v0.7.pptxDebra Baker, CISSP CSSP
 
Seucrity in a nutshell
Seucrity in a nutshellSeucrity in a nutshell
Seucrity in a nutshellYahia Kandeel
 
Embedded government espionage
Embedded government espionageEmbedded government espionage
Embedded government espionageMuts Byte
 
Ransomware- What you need to know to Safeguard your Data
Ransomware- What you need to know to Safeguard your DataRansomware- What you need to know to Safeguard your Data
Ransomware- What you need to know to Safeguard your DataInderjeet Singh
 
Revisiting atm vulnerabilities for our fun and vendor’s
Revisiting atm vulnerabilities for our fun and vendor’sRevisiting atm vulnerabilities for our fun and vendor’s
Revisiting atm vulnerabilities for our fun and vendor’sOlga Kochetova
 
Safe and secure programming practices for embedded devices
Safe and secure programming practices for embedded devicesSafe and secure programming practices for embedded devices
Safe and secure programming practices for embedded devicesSoumitra Bhattacharyya
 
Securing embedded systems
Securing embedded systemsSecuring embedded systems
Securing embedded systemsaissa benyahya
 
How Smart Thermostats Have Made Us Vulnerable
How Smart Thermostats Have Made Us VulnerableHow Smart Thermostats Have Made Us Vulnerable
How Smart Thermostats Have Made Us VulnerableRay Potter
 

Similar a Offline attacks-and-hard-disk-encription (20)

Order vs. Mad Science: Analyzing Black Hat Swarm Intelligence
Order vs. Mad Science: Analyzing Black Hat Swarm IntelligenceOrder vs. Mad Science: Analyzing Black Hat Swarm Intelligence
Order vs. Mad Science: Analyzing Black Hat Swarm Intelligence
 
Protecting Your organization from WannaCry Ransomware
Protecting Your organization from WannaCry RansomwareProtecting Your organization from WannaCry Ransomware
Protecting Your organization from WannaCry Ransomware
 
Stuxnet mass weopan of cyber attack
Stuxnet mass weopan of cyber attackStuxnet mass weopan of cyber attack
Stuxnet mass weopan of cyber attack
 
Intrusion detection and prevention system
Intrusion detection and prevention systemIntrusion detection and prevention system
Intrusion detection and prevention system
 
Portakal Teknoloji Otc Lyon Part 1
Portakal Teknoloji Otc Lyon Part 1Portakal Teknoloji Otc Lyon Part 1
Portakal Teknoloji Otc Lyon Part 1
 
Introduction of hacking and cracking
Introduction of hacking and crackingIntroduction of hacking and cracking
Introduction of hacking and cracking
 
Cassandra Lunch #90: Securing Apache Cassandra
Cassandra Lunch #90: Securing Apache CassandraCassandra Lunch #90: Securing Apache Cassandra
Cassandra Lunch #90: Securing Apache Cassandra
 
Windows network security
Windows network securityWindows network security
Windows network security
 
Disruptionware-TRustedCISO103020v0.7.pptx
Disruptionware-TRustedCISO103020v0.7.pptxDisruptionware-TRustedCISO103020v0.7.pptx
Disruptionware-TRustedCISO103020v0.7.pptx
 
Seucrity in a nutshell
Seucrity in a nutshellSeucrity in a nutshell
Seucrity in a nutshell
 
Idps technology starter v2.0
Idps technology starter v2.0Idps technology starter v2.0
Idps technology starter v2.0
 
BackDoors Seminar
BackDoors SeminarBackDoors Seminar
BackDoors Seminar
 
Embedded government espionage
Embedded government espionageEmbedded government espionage
Embedded government espionage
 
Ransomware- What you need to know to Safeguard your Data
Ransomware- What you need to know to Safeguard your DataRansomware- What you need to know to Safeguard your Data
Ransomware- What you need to know to Safeguard your Data
 
Revisiting atm vulnerabilities for our fun and vendor’s
Revisiting atm vulnerabilities for our fun and vendor’sRevisiting atm vulnerabilities for our fun and vendor’s
Revisiting atm vulnerabilities for our fun and vendor’s
 
Safe and secure programming practices for embedded devices
Safe and secure programming practices for embedded devicesSafe and secure programming practices for embedded devices
Safe and secure programming practices for embedded devices
 
Securing embedded systems
Securing embedded systemsSecuring embedded systems
Securing embedded systems
 
Cybersecurity - Jim Butterworth
Cybersecurity - Jim ButterworthCybersecurity - Jim Butterworth
Cybersecurity - Jim Butterworth
 
How Smart Thermostats Have Made Us Vulnerable
How Smart Thermostats Have Made Us VulnerableHow Smart Thermostats Have Made Us Vulnerable
How Smart Thermostats Have Made Us Vulnerable
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Más de malvvv

12 vzor
12 vzor 12 vzor
12 vzor malvvv
 
10 isbc
10 isbc 10 isbc
10 isbc malvvv
 
09 assaabloy
09 assaabloy 09 assaabloy
09 assaabloy malvvv
 
08 dormakaba
08 dormakaba 08 dormakaba
08 dormakaba malvvv
 
07 parsec
07 parsec 07 parsec
07 parsec malvvv
 
06 videomax
06 videomax 06 videomax
06 videomax malvvv
 
05 sigur
05 sigur 05 sigur
05 sigur malvvv
 
04 perco
04 perco 04 perco
04 perco malvvv
 
02 itrium
02 itrium02 itrium
02 itriummalvvv
 
01 hid
01 hid 01 hid
01 hid malvvv
 
En 50132-7
En 50132-7En 50132-7
En 50132-7malvvv
 
2018 ic3 report
2018 ic3 report2018 ic3 report
2018 ic3 reportmalvvv
 
threats
threatsthreats
threatsmalvvv
 
Google android security_2018_report
Google android security_2018_reportGoogle android security_2018_report
Google android security_2018_reportmalvvv
 
Owasp top-10 proactive controls-2018
Owasp top-10 proactive controls-2018Owasp top-10 proactive controls-2018
Owasp top-10 proactive controls-2018malvvv
 
Web vulnerabilities-2018
Web vulnerabilities-2018Web vulnerabilities-2018
Web vulnerabilities-2018malvvv
 
Testirovanie parolnyh politik
Testirovanie parolnyh politikTestirovanie parolnyh politik
Testirovanie parolnyh politikmalvvv
 

Más de malvvv (20)

12 vzor
12 vzor 12 vzor
12 vzor
 
11
11 11
11
 
10 isbc
10 isbc 10 isbc
10 isbc
 
09 assaabloy
09 assaabloy 09 assaabloy
09 assaabloy
 
08 dormakaba
08 dormakaba 08 dormakaba
08 dormakaba
 
07 parsec
07 parsec 07 parsec
07 parsec
 
06 videomax
06 videomax 06 videomax
06 videomax
 
05 sigur
05 sigur 05 sigur
05 sigur
 
04 perco
04 perco 04 perco
04 perco
 
02 itrium
02 itrium02 itrium
02 itrium
 
01 hid
01 hid 01 hid
01 hid
 
En 50132-7
En 50132-7En 50132-7
En 50132-7
 
01
0101
01
 
2018 ic3 report
2018 ic3 report2018 ic3 report
2018 ic3 report
 
threats
threatsthreats
threats
 
Google android security_2018_report
Google android security_2018_reportGoogle android security_2018_report
Google android security_2018_report
 
Owasp top-10 proactive controls-2018
Owasp top-10 proactive controls-2018Owasp top-10 proactive controls-2018
Owasp top-10 proactive controls-2018
 
Web vulnerabilities-2018
Web vulnerabilities-2018Web vulnerabilities-2018
Web vulnerabilities-2018
 
Kpsn
Kpsn Kpsn
Kpsn
 
Testirovanie parolnyh politik
Testirovanie parolnyh politikTestirovanie parolnyh politik
Testirovanie parolnyh politik
 

Último

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 

Último (20)

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 

Offline attacks-and-hard-disk-encription

  • 1. LOGICAL ATTACKS SERIES : 1. Attacks and their mitigations 2. Offline Malware 3. Online Malware 4. Network Attacks 5. Blackbox Attacks
  • 2. Security Attacks and Vulnerabilities in the news… 2 NCR Confidential ATM Jackpotting Attacks Hit the US ‾ US Secret Service Alert and press release warning to North America ATM Deployers and Financial Institutions to protect against :- • Black Box attacks AND • Hard Disk removed from Diebold ATM, Malware (Ploutus-D) Installed, Disk returned to ATM Spectre/Meltdown Vulnerabilities • Vulnerability found in Processor Chips from Intel, ARM, & AMD. • Speculative Execution Flaw impacts ALL modern processors
  • 3. 3 TotalNoofattacks Online Offline Network Unknown Mexico Mexico Guatemala Mexico Dominican Republic UK Russia Russia Russia Mayasia Cana… Germany Jordan Oman Romania Mexico Saudi Arabia Hungary Spain India India Brazil Malaysia Russia Ukraine USA India Ukraine Denmark IndiaRussia Brazil Brazil ThailandIndia Dominican Republic Philippines Peru India Dominican Republic Peru Peru USA 0 5 10 15 20 25 30 35 40 45 50 May-13 Nov-13 Jun-14 Dec-14 Jul-15 Jan-16 Aug-16 Mar-17 Sep-17 Apr-18 Logical Attacks (other than Black Box) since 2013 .
  • 4. Card Scheme Networks Management (e.g. Vision) Switch Host OS – Windows (e.g. WIN7) PC Core + BIOS Platform – APTRA XFS (e.g. 6.1) Application (e.g. Activate) Mgmt. Agents Antivirus (e.g. Solidcore Suite) Software Distribution (e.g. Vision SWD) High Level Architecture
  • 5. Malware Installed on the ATM ‘Skimer’ Malware Reported by Kaspersky – but first seen in 2009 (Russia only) Backdoor.Win32.Skimer and Trojan.Win32.Patched.rb Uses standard XFS commands to communicate with card reader, EPP & Dispenser to obtain card and pin data and also to dispense cash Has been not been reported on NCR ATMs as yet ‘Ploutus/PADPIN/TYUPKIN’ Malware Security SW is disabled Malware files transferred to ATM ATM put back in service Dispense commands may be executed via external keyboard or through PINPAD ‘Sucesful’ & ‘GreenDispense’ Malware Malware discovered on Virus upload sites Uses standard XFS commands to communicate with card reader, EPP, and SIU & Dispenser Compatible with NCR and Diebold ATMs ‘Suceful’ Malware does not appear to be a ‘working’ version. Could be indicative of development in this area ‘Ripper’ Malware Thailand Malware – Jackpotting. It reads data from inserted cards, identifying when an accomplice is physically located at the ATM. Includes a self-destruct feature Can disable/enable Network; clean logs; Capable of recognizing and installing on three of NCR Confidential
  • 6. High Level Architecture Card Scheme Networks Switch Host Black Box Remote SWD Spoofing Black Box Online Offline Network Unknown Online Malware OS – Windows (e.g. WIN7) PC Core + BIOS Platform – APTRA XFS (e.g. 6.1) Application (e.g. Activate) Mgmt. Agents Antivirus (e.g. Solidcore Suite) Man in the Middle Software Distribution (e.g. Vision SWD) Management (e.g. Vision) PC Core + BIOS Antivirus (e.g. Solidcore Suite) Typical Logical Attacks Remote Desktop Access Offline Malware
  • 7. Offline Malware Encrypted Hard Disk & locked down BIOS High Level ArchitectureTypical Logical AttacksMitigating Logical Attacks OS – Windows (e.g. WIN7) PC Core + BIOS Platform – APTRA XFS (e.g. 6.1) Application (e.g. Activate) Mgmt. Agents Antivirus (e.g. Solidcore Suite) Card Scheme Networks Management (e.g. Vision) Switch Host Remote SWD Spoofing Black Box Online Offline Network Unknown Remote Desktop Access Man in the Middle Encrypted Comms (application or VPN) Enterprise Security review Secure SWD Software Distribution (e.g. Vision SWD) Black Box Level 3 Dispenser Encryption & updated Platform Online Malware Whitelisting & hardened WIN OS Hardened WIN OS
  • 8. Logical Attacks Black Box ATTACK CATEGORIES NCR Confidential Network Attacks Black Box Online Offline Network Unknown When HD is Offline When HD is Online Malware installed on the ATM hard disk Malware installed on the ATM hard diskWhen Malware added when ATM Hard Disk is Offline
  • 9. ATM Hard Disk Offline When the ATMs hard disk’s Operating System (typically Windows) is not running This is done either by :-  Removing the ATM Hard Disk and mounting it as a secondary drive attached to a laptop or other device OR  Inserting bootable removable media (USB/DVD) into the ATM and re-booting the ATM to this media When the hard disk is Offline attackers can :-  View and modify the contents/files of the hard disk  Disable Solidcore or other anti-malware solutions  Copy malware onto the hard disk  Copy sensitive information from the hard disk NCR Confidential
  • 10. Logical Attacks Black Box ATTACK CATEGORIES Network Attacks Black Box Online Offline Network Unknown When HD is Offline When HD is Online Malware installed on the ATM hard disk When Malware added when ATM Hard Disk is Offline MITIGATIONS NCR Confidential
  • 11. Encrypt the hard disk To read an encrypted file, you must have access to a secret (encryption) key or password that enables you to decrypt it. Unencrypted data is called plain text ; encrypted data is referred to as cipher text. Cipher textPlain text But where can the encryption key be stored securely? Protects against Offline malware attacks by preventing malware being copied onto the hard disk when the hard disk offline/mounted as a secondary drive NCR Confidential
  • 12. The encryption keys can be locally stored or derived • The secret key is stored on an unencrypted part of the ATM hard disk • Less secure • Not PCI compliant  The secret key is stored in a TPM chip in the core  Quite secure but will not protect data if the whole core is stolen • The algorithm to derive the secret key from the devices attached is stored on an unencrypted part of the ATM hard disk  Less secureNCR Confidential
  • 13. NCR Secure Hard Disk Encryption Protects against offline malware and protects data on stolen hard disks • ATM software being disabled, modified or tampered with when data is at rest (offline attack) • Dispenser Encryption Keys being compromised when data is at rest • Mounting HD as secondary drive • Reverse engineering stolen HD • Data on HD being compromised • Poor disposal of HD Network Based Authentication • Keys are held at the server which is much more secure than • Keys held locally on hard disk • Keys derived from an algorithm which uses attached ATM devices • Keys held in the TPM chip Centralised Control • Authorised central management of decryption and encryption • Allows authorised decryption for support & troubleshooting • Encryption status known centrally – encrypting, encrypted, not encrypted • Centralised policy updates can be pushed to ATM Works on XP, W7 and Windows 10 Is Vendor Independent (ie Multi-vendor) PCI Compliant FIPS 140-2 certified NCR Secure Hard Disk Encryption l NCR Confidential
  • 14. . Network based authentication for Encryption keys ‾ Is PCI compliant ‾ Has centralised key management, configuration and deployment ‾ Provides compliance reporting ‾ Has Audit logs ‾ Uses Pre boot networking for external authentication and key management NCR Confidential
  • 15. . Network based authentication for Encryption keys The encryption package is sent down to ATMs and encryption process starts After the initial encryption the keys are then transmitted over the network in an encrypted, secure fashion to the central manager. Where they are then stored NCR Confidential
  • 16. . Network based authentication for Encryption keys When the ATMs start up, they use pre-boot networking to contact the central key manager. If, and only if, they can contact the central manger AND the ATM is configured to be able to boot then the keys are provided over the network BEFORE the OS boots. NCR Confidential
  • 17. . Network based authentication for Encryption keys If an ATM/Core/Hard Disk is brought offline by an attacker and they attempt to reverse engineer it, the data, OS files and software are all protected for confidentiality and against injection of malware. NCR Confidential
  • 18. . If ATM is reported stolen the central key manager administrator :- • Removes it from the autoboot group • Can que up a crypto-erase So if the attacker attempts to put the machine back online :- • it will be crypto-erased via pre-boot networking and the event will be logged Network based authentication for Encryption keys NCR Confidential
  • 19.  During encryption (up to 24 hours after installation):  SST performance IS affected, particularly on start-up and shutdown  Transactions may take 8% longer than normal  Start-up may take 60% longer than normal  After encryption:  Transactions are unaffected  There is some minimal impact during start-up and shutdown  Start-up displays a pre-boot screen until keys are obtained via the network  A valid network connection to the server is required only for start-up 19 Perceived Barrier – Performance Impact NCR Confidential
  • 20. Logical Attacks Black Box ATTACK CATEGORIES Network Attacks Black Box Online Offline Network Unknown When HD is Offline When HD is Online Malware installed on the ATM hard disk When Malware added when ATM Hard Disk is Offline MITIGATIONS NCR Confidential
  • 21. Lockdown the BIOS It is still important to ensure the BIOS is locked down to only allow boot from the primary hard drive and have bios editing password protected. If the BIOS had been password protected and locked down to prevent boot from removable media then the majority of offline attacks would not have be successful This lockdown can be done manually This will help protect against future new attack techniques NCR Confidential
  • 22. RBU Change Password Utility  Used to change the default password to a new secure password of your choice. No flash. No ATM reboot needed  Can also be used to update password anytime (daily/weekly/monthly etc) RBU Change Boot order utility  Used to update the boot order to USB/CD/DVD to allow for example FEs to use bootable sysapp  Can then be used to set the boot order back to Hard drive only to lock the BIOS back down/ No flash. No ATM reboot needed. RBU Check Boot order utility:  check which device is currently set to boot from RBU Check Password Set Utility:  check there is a password set RBU Flash Utility Flashes the BIOS to :- ‾ Only allow boot from primary hard drive (Disallow boot from CD/USB) ‾ Add a default BIOS password to all the ATMs in a Financial Institution's network ‾ Set up unique UUIDs per ATM ‾ Update the BIOS when vulnerabilities are found ‾ Enable no-touch password implementation and maintenance ‾ Works on NCR only Must be sent down via Software Distribution Needs an ATM reboot to take effect. NCR Secure Remote BIOS Update RBU Update Utilities NCR Confidential
  • 23. Security Vulnerabilities in the news… Spectre/Meltdown Vulnerabilities • Vulnerability found in Processor Chips from Intel, ARM, & AMD. • Speculative Execution Flaw impacts ALL modern processors NCR Confidential
  • 24. 1. Secure your BIOS  Only allow boot from the primary hard disk  Editing of BIOS settings must be password protected 2. Establish an adequate operational password policy for all.passwords 3. Implement communications encryption  e.g. NCR Secure TLS Encrypted Communications 4. Establish a secure firewall  The ATM firewall must be configured to only allow known authorized incoming and outgoing connections necessary for an ATM environment, the connections must be configured per program rather than per port 5. Remove unused services and applications  Removing these from the system help reduce the attack surface area 6. Deploy an effective anti-malware mechanism  NCR Recommends active whitelisting applications: e.g. Solidcore Suite for APTRA 7. Establish a regular patching process for ALL software installed 8. Harden the Operating System e.g.  Ensure the application runs in a locked down account with minimum privileges required  Disable Auto play 9. Implement Rule based access control e.g.  Define different accounts for different user privileges  Restrict functionality allowed via remote desktop access to ATMs 10. Deploy a network authentication based Hard Disk Encryption Solution  NCR Secure Hard Disk Encryption 11. Ensure there is protected communications to the dispenser of the ATM 12. Perform a Penetration Test of your ATM production environment annually 13. Use a secure Remote Software Distribution that will assist in maintaining the Confidentiality; Integrity and Availability of your ATMs  Required to meet rule 7 and allows for timely distribution of updated malware signature files if malware is found 14. Consider the physical environment of ATM deployment  e.g. Through the Wall ATMS may be more suitable for unattended environments 15. Consult a security enterprise specialist to deploy industry best-practice security controls within your enterprise Security Requirements to Protect against Logical Attacks Summary