Security Expert Pulls Presentation After Legal Threats

Vendors want ATM crime research kept secret

Update July 19th: The researcher has since stated that there were no legal threats from ATM vendors involved in the decision to cancel the talk.

Raoul Chiesa, a renowned European security expert, was forced to cancel his presentation at the Hack in the Box (HITB) Security Conference after legal threats from ATM vendors. He was supposed to present the results of years of research into the underground economy.

Mr. Raoul Chiesa is an Italian white hat hacker who works with several international crime-fighting organizations. The researcher is a permanent stakeholder at the European Network & Information Security Agency (ENISA) and a senior advisor with the Global Crimes Unit of the United Nations Interregional Crime & Justice Research Institute (UNICRI).

Mr. Chiesa was scheduled to give a presentation entitled "The Underground Economy," which is based on research done by UNICRI over the past several years. Some of the research has already served as the basis for an ENISA report called "ATM Crime: Overview of the European situation and golden rules on how to avoid it," which was released in September 2009. According to this report, ATM crimes in the European Union increased in frequency by 149 percent and resulted in losses of over 485 million euros in 2008.

According to Byte Mods, Chiesa's talk was canceled at the last minute and replaced by Job de Haas' presentation called "Side Channel Analysis on Embedded Systems." The cited reasons were legal threats and pressure from ATM vendors, because his presentation included information on how cybercrooks exploited vulnerabilities in ATMs.

However, to Xavier Mertens, a Belgian security consultant, the decision comes as a surprise because, as he points out, Chiesa has already given this presentation at other security conferences and the slides are available online. Meanwhile, Byte Mods quotes Dhillon Kannabhiran, the HITB conference organizer, as saying that all affected vendors were notified a long time ago, but failed to address the problems.

This is not the first time ATM manufacturers have blocked a security researcher from presenting findings about flaws in their products. Last year, after being contacted by an ATM vendor, Juniper Networks forced one of its employees, Barnaby Jack, to cancel his talk about an ATM vulnerability at Black Hat. Fortunately, the security researcher returned this year with even more findings and no Juniper employment contract.

You can follow the editor on Twitter @lconstantin


By    5 Jul 2010, 11:52 GMT