5

As in what OS you use, its version, etc.

Every time I go to the bank and get greeted with the ATM in the following photo, this question comes to my mind. Oh, and it was still Windows XP as of last week at least.


Ulkoma
  • Again, it depends on your threat model. ATMs handle their threat model of a physically present person by restricting access to the computer, and restricting the available inputs it presents to the user. – Riking Oct 09 '14 at 21:20
  • Aren't ATMs connected to the Internet? – Ulkoma Oct 09 '14 at 21:21
  • I believe ATMs use a private network set up by the bank. Or at least a hardware-based VPN over the internet. Using the internet by itself on a Windows XP machine is now a security risk and I don't think banks would risk that... Would they? – ADTC Oct 10 '14 at 01:31
  • 1. What research have you done? I expect you to [do a significant amount of research before asking](http://meta.stackoverflow.com/q/261592/781723), and show it in the question. There's lots written about this subject. Remember, [our help center says](http://security.stackexchange.com/help/dont-ask) "You should only ask practical, answerable questions based on actual problems that you face. Chatty, open-ended questions diminish the usefulness of our site and push other questions off the front page." If you care about it, you should have done some research before asking. – D.W. Oct 10 '14 at 01:43
  • 2. This question is too broad, and pretty subjective. You have a one-sentence question. Well, the answer is likely to be "it depends". So, tell us the specific context. If this is an "actual problem that you face", you should be able to tell us what kind of system you are dealing with, what kind of risk you are concerned about, and provide additional context to help provide a detailed answer. Are you asking specifically about ATMs? If so, you should edit your question to say so. etc. – D.W. Oct 10 '14 at 01:45
  • Possible duplicate of [Hiding version - valuable or just security by obscurity?](http://security.stackexchange.com/q/14709/971). (See also http://security.stackexchange.com/q/16133/971, http://security.stackexchange.com/q/4940/971, http://security.stackexchange.com/q/53061/971, http://security.stackexchange.com/q/2430/971.) – D.W. Oct 10 '14 at 01:49
  • There are tons of articles on this subject out there, e.g., http://www.americanbanker.com/issues/179_18/sunsetting-of-windows-xp-raises-atm-security-concerns-1065198-1.html. I encourage you to do more research before posting a question, show us what research you've done, and use that research to frame a more specific/informed question. – D.W. Oct 10 '14 at 01:51

6 Answers

7

Generally speaking, it is not safer to reveal information than to keep it to yourself (but this has exceptions). But "not safer" does not mean "unsafe". If it so happens that revealing information about your OS and software is positively unsafe (i.e. significantly increases risks), then:

  1. You have a problem, because your software has known holes (otherwise it would not be risky).
  2. You have a problem, because your security relies on the attacker not guessing what software you are using, i.e. the attacker not being competent at being an attacker.

If everything is well, then it should not matter whether you reveal information on your OS and software or not. In fact, it has been argued that revealing all the details is better because it allows for more people to contribute to the improvement of the system (that's the open-source mantra, at least). A variant of that theme is that the prospect of the source code being ultimately published and shown to the world at large helps the developer focus on his task. (This last one tends to fail because, as it turns out, many developers lack all sense of dignity and sense of self-worth, and thereby have no compulsion to write better code when external scrutiny is expected.)

In the case of an ATM running XP, the fact that it runs XP matters only for an attacker who can do network connections to that XP machine, and if he can, then he can normally obtain that information himself. Showing the XP login screen still demonstrates a lack of care of the fine details on the part of the system developer, which is worrying (in a general way).

Thomas Pornin
5

I think a better question to ask would be whether it is unsafe for you to reveal that information as opposed to whether it is safe. With the ATM example, ATMs use very specific installations of Windows XP that are very resilient, and the computer itself is generally protected extremely well with various layers of physical security that need to be compromised before you can gain access. So even if the machine is running an OS that can be attacked with known vulnerabilities, it may still be safe. While the XP issue is not a problem (yet), I would imagine it to be one later down the road, when more and more vulnerabilities begin to surface themselves. This is an article on the specific ATM subject: http://www.esecurityplanet.com/windows-security/atms-on-windows-xp-how-risky-is-it.html

Since knowledge of your OS can provide insight as to the vulnerabilities your PC possesses, restricting that information can provide a level of "security through obscurity." Though keeping that information private may be exceptionally difficult depending on what kind of an environment you are in. Generally speaking, it is going to be better to secure your system through other methods: encryption, strong passwords on rotation, good physical security so devices can't walk out the door or be compromised on-site, patch updating, anti-malware, as well as other various best-practices, not opening random attachments in your E-mail or navigating to phishing sites, etc.

So take it with a grain of salt when people say it is risky or unsafe, since the risk varies greatly depending on those factors. What is "safe" enough is really up to you.

Desthro
2

This depends on where the system is, how it is connected, etc. There are tons of ways you can determine an OS: every time you visit a website or use the internet, browser type and version as well as other software can be tracked to an OS, as can TCP options, timing, and a multitude of other behaviors, all the way down to tracking the MAC address of the device to a vendor and making guesses based on that. Some are passive, some are interactive and detectable probes, but there is almost always a way to figure it out if you know what you are doing.

I think too much argument goes into the Freudian disputes over "my OS is superior to your OS". There are some obvious pros and cons to almost everything, but threat mitigation is not always about locking the door; it is about what you leave behind the door.

For example, a thief may break my window to get into my home, but he will do little to my valuables because they are in a 900# safe.

So he may get my TV, but he will not get my wife's jewelry or my guns.

The same logic should be applied to computer security, in which case an attacker may KNOW ahead of time I have this safe, come prepared to break into it, but the sophistication of that sort of attack means they came prepared and skilled, so doing something like hiding the safe would have been largely irrelevant.

With reasonable due diligence, one could find a way into almost anything if they want to and have the skills and resources. But old OSs are not always bad in that regard. They are battle hardened, extremely well tested, and very well known internally. I.e., more understood by the good guys too :)

Would I trust an ATM to a stock install of Windows XP? Not on your life. But can I make an embedded Windows XP image I would trust? Sure.

Would I deploy either of them openly without an IPS and IDS system between them and anything remotely connected? Unquestionably NO!

Then, at that point, would a casual passer-by have any advantage because they saw the boot screen? Very, very little, if any.

Sabre
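The answer above lists TCP options and timing among the ways an OS can be identified without ever seeing a login screen. The following is an added illustration (not code from the answer's author) of how passive TCP SYN fingerprinting works: it parses constructed IPv4/TCP SYN packets, extracts the initial TTL, window size and option layout, and matches them against a small signature table. The signature table is an assumption built for this example, not a copy of any real tool's database; a defender can use the same approach on a packet capture of their own network to inventory hosts whose TCP stack looks like an unsupported OS, regardless of what the screen shows.

```python
"""Passive OS fingerprinting from TCP SYN packets (added example)."""
import socket
import struct

# Assumed, illustrative signatures: (window, initial TTL, option layout) -> label.
# These are constructed for the example and not taken from any tool's database.
SIGNATURES = {
    (65535, 128, "M,N,N,S"): "Windows XP-era stack (assumed signature)",
    (5840, 64, "M,S,T,N,W"): "Linux 2.6-era stack (assumed signature)",
}

# Constructed option blobs in the layouts the table above expects.
XP_STYLE_OPTIONS = bytes([2, 4, 0x05, 0xB4,      # MSS = 1460
                          1, 1,                  # NOP, NOP
                          4, 2])                 # SACK permitted
LINUX_STYLE_OPTIONS = bytes([2, 4, 0x05, 0xB4,   # MSS = 1460
                             4, 2,               # SACK permitted
                             8, 10, 0, 0, 0, 1, 0, 0, 0, 0,  # timestamps
                             1,                  # NOP
                             3, 3, 7])           # window scale = 7


def _initial_ttl(ttl):
    """Round an observed TTL up to the nearest common initial value (64/128/255)."""
    for candidate in (64, 128, 255):
        if ttl <= candidate:
            return candidate
    return ttl


def parse_tcp_options(raw):
    """Return a compact layout string such as 'M,N,N,S' from raw TCP option bytes."""
    codes = {2: "M", 3: "W", 4: "S", 8: "T"}
    out, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:            # end of option list
            break
        if kind == 1:            # NOP has no length byte
            out.append("N")
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2:
            break                # truncated or malformed option
        out.append(codes.get(kind, "?%d" % kind))
        i += raw[i + 1]
    return ",".join(out)


def fingerprint_syn(packet):
    """Extract fingerprint attributes from an IPv4 packet carrying a TCP SYN."""
    ihl = (packet[0] & 0x0F) * 4
    ttl, proto = packet[8], packet[9]
    if proto != 6:
        raise ValueError("not TCP")
    tcp = packet[ihl:]
    data_offset = (tcp[12] >> 4) * 4
    if not tcp[13] & 0x02:
        raise ValueError("not a SYN")
    window = struct.unpack("!H", tcp[14:16])[0]
    layout = parse_tcp_options(tcp[20:data_offset])
    key = (window, _initial_ttl(ttl), layout)
    return {"ttl": ttl, "window": window, "options": layout,
            "guess": SIGNATURES.get(key, "unknown")}


def build_syn(ttl, window, options, src="10.0.0.5", dst="10.0.0.1"):
    """Construct a minimal IPv4 + TCP SYN packet for testing (checksums left zero)."""
    options = options + b"\x00" * (-len(options) % 4)
    tcp_len = 20 + len(options)
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0,
                      (tcp_len // 4) << 4, 0x02, window, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0, 0x4000,
                     ttl, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


if __name__ == "__main__":
    # Constructed samples: TTLs are a few hops below their initial values.
    for pkt in (build_syn(119, 65535, XP_STYLE_OPTIONS),
                build_syn(57, 5840, LINUX_STYLE_OPTIONS),
                build_syn(255, 4096, b"")):
        print(fingerprint_syn(pkt))
```

The point for a defender is the inverse of the attacker's: the same attributes that leak the OS to anyone on the network path can be harvested from a span port to find legacy hosts that should be isolated or replaced, which is a far more useful control than hiding a boot screen.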
2

Hiding this information would be "security by obscurity". While making information harder to find, it doesn't make it impossible.

There is likely no value in presenting this information on the ATM screen to customers, and it is more of a UX concern. As a banking customer, I only care about fraud protections and guarantees. In terms of the ATM itself, I don't think they are showing this so customers will say "I trust Windows". Good factors for trusting an ATM would be location, difficulty of adding skimmers, etc.

From the attacker's perspective: they likely have a large toolbox of exploits for multiple types of ATMs, or they are targeting specific ATMs. If they are targeting specific ATMs, it's more likely they will determine what OS a particular bank, vendor, or network uses, find those ATMs, and then try to go ATM-to-ATM to make their target list.

In short: there is little value in showing this info, and hiding it will not have a major impact in reducing attacks.

Eric G
2

Any information you provide to a third party could potentially be used against you in some way, which is not the same as saying that providing the information necessarily makes you unsafe or less safe.

When designing systems you should never rely on secrets to keep you safe. A truly safe system is safe even when all secrets are revealed, except for the keys (digital or analog).

David Baucum
1

It's generally unsafe to do so. If an attacker knows exactly which software versions you are using, it's easier to find an exploit against you.

This is more problematic on public access systems, like the ATM you referred to. Using an outdated OS, without security updates, is risky at the least.

ThoriumBR