Thursday, July 2, 2009

The day before yesterday, in a post entitled "How to Hack an ATM Live Onstage, Pulled from Black Hat Event", I talked about the decision by Juniper to postpone the presentation. The talk, which would have revealed flaws in the automated teller machines (ATMs) of an undisclosed vendor, will be postponed until the vulnerabilities are fixed, Juniper said in a statement. The original description of the presentation stated that the researcher, Barnaby Jack, would "retrace the steps I took to interface with, analyze, and find a vulnerability in a line of popular new model ATMs," and would "explore both local and remote attack vectors, and finish with a live demonstration of an attack on an unmodified, stock ATM."

Here's more, directly from Juniper's Blog:


Juniper’s Decision To Postpone “Jackpotting Automated Teller Machines”

Yesterday, Juniper postponed a scheduled Blackhat USA 2009 presentation by one of our employees, Barnaby Jack, entitled "Jackpotting Automated Teller Machines." This decision has grabbed the attention of the press, the Twittersphere and Blogosphere, and understandably so.

The vulnerability Barnaby was to discuss has far-reaching consequences, not only to the affected ATM vendor, but to other ATM vendors and - ultimately - the public. To publicly disclose the research findings before the affected vendor could properly mitigate the exposure would have potentially placed their customers at risk. That is something we don't want to see happen.

Therefore, we felt it our responsibility to delay the presentation until all those protection measures were put into place. Unfortunately, there isn't enough time before Blackhat to make that happen.

We did not arrive at this decision easily. Indeed, we feel that Barnaby's research is important, vital to the advancement of the state of security and should be discussed in an open forum. However, Juniper is also committed to the responsible disclosure of security vulnerabilities, and to protecting the public from them.

We look forward to sharing our findings with the security community in time and, rest assured, we will.