ATM vulnerability research pulled from Blackhat

http://www.flickr.com/photos/martineian/485029758/

A presentation of research on an ATM vulnerability has been pulled from the Blackhat conference.  This is too bad, as I will be attending and love listening to security research of this calibre.  What is more disappointing is what it says about how software and systems are designed and developed.  Companies are going to have to get their heads around the fact that security design and testing have to be built into the product from the beginning.  Most vendors will say they do this, but the fact of the matter is that many do not.  Those that do often have good intentions, but then costs, timelines, time to market and other pressures cause them to cut back the level of testing.  Security just isn't a priority.  Personally, I feel the answer is simple: make the vendors legally and financially responsible for the software they design and create.  As soon as money is on the line, it will force the right thing.  This idea is not mine either; a great write-up on this concept can be found here.  I think this is important.

This research was pulled because the ATM vendor still had not fixed the problem, even after being told about it 8 months ago.  But what about the bad guy?  The guy that discovers a vulnerability such as this and, rather than choosing to present it at a conference, just sells it to organized crime?  Some would call this spreading FUD (fear, uncertainty and doubt), and maybe it is, but I think it is easy to see it happening more and more if nothing is fixed.