The folks over at Matasano (btw, great site, great information; it actually provides technical details instead of the rambling nonsense most of us blog about) looked into the report of an ATM hack that was done in VA. They identified the model of the ATM and were then able to obtain its manual, which provided the default password along with the other diagnostic and administrative functions. It is likely that someone had the same information and simply reprogrammed the machine. It is 2006, folks; have we learned nothing over the past decade?
The industry has become so narrowly focused on vulnerabilities resulting from coding errors that it often forgets that vulnerabilities result from mis-configured and poorly administered systems and processes as well. There is a lesson here for enterprise IT security folk: vulnerability assessments (in all their forms; network, web application, wireless, VoIP, source code, etc.) are still important, but they need to be augmented with other forms of assessing weaknesses, including security configuration management, penetration testing, and risk and process analysis. Additionally, security must become an evaluation criterion rated as highly as features, functions, and price. The market, meaning you, must demand improved security through increased security functions and capabilities, and through integrating security into the SDLC so that the potential for exploitable vulnerabilities is significantly reduced. Of course companies and people will still do stupid things and others will take advantage of their mistakes. Put another way, you can't stop all bad things from happening; you can only limit their potential success, and when bad things do happen, which they will, you can only limit their impact.
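As an added illustration of the "security configuration management" the paragraph calls for (example code, not from the original post or from Matasano), the check below audits a constructed device inventory for the exact class of weakness described: administrative passwords still matching a published vendor default, passwords that have never been rotated since deployment, and diagnostic menus reachable without authentication. The device records, the default-password list and the severity policy are all constructed placeholders; known defaults are kept only as SHA-256 digests so the policy file itself never carries cleartext defaults.

```python
"""Added example: a minimal security-configuration audit for a device fleet.

Every device record and every 'known default' below is a constructed
placeholder; nothing here is real ATM vendor data.
"""
from __future__ import annotations

import hashlib
from collections import Counter
from dataclasses import dataclass

# Constructed placeholders standing in for vendor defaults lifted from a manual.
# Only their digests are kept, so the policy never stores cleartext defaults.
KNOWN_DEFAULT_PASSWORDS = ["PLACEHOLDER-DEFAULT-1", "PLACEHOLDER-DEFAULT-2"]
DEFAULT_DIGESTS = {
    hashlib.sha256(p.encode()).hexdigest() for p in KNOWN_DEFAULT_PASSWORDS
}
MIN_PASSWORD_LENGTH = 12  # assumed policy value


@dataclass
class Device:
    device_id: str
    model: str
    admin_password: str            # value the operator configured (constructed)
    diag_menu_without_auth: bool   # diagnostic/admin menu reachable with no login
    password_last_changed: str | None  # ISO date, or None if never rotated


@dataclass
class Finding:
    device_id: str
    severity: str
    message: str


def audit_device(dev: Device) -> list[Finding]:
    """Return the configuration findings for one device, worst first."""
    findings: list[Finding] = []
    digest = hashlib.sha256(dev.admin_password.encode()).hexdigest()
    if digest in DEFAULT_DIGESTS:
        findings.append(Finding(dev.device_id, "critical",
                                "admin password matches a published vendor default"))
    elif len(dev.admin_password) < MIN_PASSWORD_LENGTH:
        findings.append(Finding(dev.device_id, "high",
                                f"admin password shorter than {MIN_PASSWORD_LENGTH} characters"))
    if dev.diag_menu_without_auth:
        findings.append(Finding(dev.device_id, "high",
                                "diagnostic/administrative menu reachable without authentication"))
    if dev.password_last_changed is None:
        findings.append(Finding(dev.device_id, "medium",
                                "admin password never changed since deployment"))
    return findings


def audit_fleet(devices: list[Device]) -> dict[str, list[Finding]]:
    """Map device_id -> findings, including only devices with at least one finding."""
    results = {}
    for dev in devices:
        findings = audit_device(dev)
        if findings:
            results[dev.device_id] = findings
    return results


def severity_summary(results: dict[str, list[Finding]]) -> Counter:
    """Count findings per severity across the fleet."""
    return Counter(f.severity for findings in results.values() for f in findings)


def sample_fleet() -> list[Device]:
    """Constructed inventory: one unit left at defaults, one weak, one sound."""
    return [
        Device("atm-01", "MODEL-X", "PLACEHOLDER-DEFAULT-1", True, None),
        Device("atm-02", "MODEL-X", "short1", False, "2006-01-15"),
        Device("atm-03", "MODEL-Y", "a-long-unique-passphrase-2006", False, "2006-02-01"),
    ]


if __name__ == "__main__":
    results = audit_fleet(sample_fleet())
    for device_id, findings in results.items():
        for f in findings:
            print(f"{device_id}\t{f.severity}\t{f.message}")
    print(dict(severity_summary(results)))
```

Run as a script it prints one line per finding and a severity count; in practice the inventory would come from the configuration management database and the digest list from the vendor's documentation, so a unit that was deployed and never reconfigured shows up as "critical" before anyone else has to read the manual.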