Ransomware Compromises San Francisco's Mass Transit System

Buses and light rail cars make San Francisco's "Muni" fleet the seventh largest mass transit system in America. But yesterday its arrival-time screens just displayed the message "You Hacked, ALL Data Encrypted" -- and all the rides were free, according to a local CBS report shared by RAYinNYC: Inside sources say the system has been hacked for days. The San Francisco Municipal Transportation Agency has officially confirmed the hack, but says it has not affected any service... The hack affects employees, as well. According to sources, SFMTA workers are not sure if they will get paid this week. Cyber attackers also hit Muni's email systems.
Though the article claims "The transit agency has no idea who is behind it, or what the hackers are demanding in return," Business Insider reports "The attack seems to be an example of ransomware, where a computer system is taken over and the users are locked out until a certain amount of money is sent to the attacker." In addition, they're reporting the attack "reportedly included an email address where Muni officials could ask for the key to unlock its systems."

One San Francisco local told CBS, "I think it is terrifying. I really do I think if they can start doing this here, we're not safe anywhere."

All the rides are not free.

[BarbaraHudson]

You still have to pay for buses.

When do we switch to OpenBSD?

[rbrander]

...I don't mean running everything on OpenBSD literally, though it's an idea. I mean, "when do we get really serious about security?" Again and again, we find major hacks that are not the result of super-hackers defeating valiant protective efforts, it's script kiddies defeating idiots who kind of deserved it. The Sony hack came with many stories of multiple executives demanding the network be multiply-holed so that they could watch their favourite videos or whatever, hit their favourite sites.

I'm reading Andrew Ginter's book on SCADA security right now and reflecting on the insanity that there are SCADA systems, of all programming, being written on Windows, at all. There's one place the OpenBSD suggestion is quite serious. But even "OpenBSD" is just a buzzword unless you run your operations with security on your mind at all times. Schnier reduces this "mindfulness" argument to "read your logs", said it in three words.

Most of this stuff is not actually that *hard*...it requires *diligence* and *discipline*, but not nuclear science.

Re:When do we switch to OpenBSD?

[RhettLivingston]

A really smart attacker gets in, installs a piece of code that automatically activates if it senses that it has become active after a restoration, and waits a couple of months before they do anything overt so that they are sure they've infected the backups.

So, for a backup to really help, it has to carefully separate code and data so that you can wipe the system, install fresh code (not from a backup), and restore data only. Also, in this case, you don't want to lose even an hours worth of data, so the data needs to be a near live off-site backup. Few backups are this good and even fewer have actually tested the restoration process.

These attacks need to be stopped before they happen, not recovered from.