Slashdot Mirror


Ransomware Compromises San Francisco's Mass Transit System (cbslocal.com)

Buses and light rail cars make San Francisco's "Muni" fleet the seventh largest mass transit system in America. But yesterday its arrival-time screens just displayed the message "You Hacked, ALL Data Encrypted" -- and all the rides were free, according to a local CBS report shared by RAYinNYC:

"Inside sources say the system has been hacked for days. The San Francisco Municipal Transportation Agency has officially confirmed the hack, but says it has not affected any service... The hack affects employees, as well. According to sources, SFMTA workers are not sure if they will get paid this week. Cyber attackers also hit Muni's email systems."

Though the article claims "The transit agency has no idea who is behind it, or what the hackers are demanding in return," Business Insider reports "The attack seems to be an example of ransomware, where a computer system is taken over and the users are locked out until a certain amount of money is sent to the attacker." In addition, they're reporting the attack "reportedly included an email address where Muni officials could ask for the key to unlock its systems."

One San Francisco local told CBS, "I think it is terrifying. I really do I think if they can start doing this here, we're not safe anywhere."

2 of 141 comments

  1. Beyond that, fragile overall by raymorris · Score: 4, Interesting

    Even beyond that, systems that can be so completely broken are typically fragile systems, systems that break in ordinary use. As an example, here's a standard SQL injection, which was present all through a system I worked on recently:

    SET lastname='$FORM_LASTNAME'

    Sure that can be leveraged by an attacker, but what happens when the user's last name is O'Reilly? O'Reilly can't sign up for the service.

    That example is typical. Code that's easily hacked is fragile, poor quality code in general, in most cases. Fixing security isn't JUST fixing security. Code that can't be broken is code that doesn't break.
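The fragility point in the comment above, as an added example that is not part of the original comment or the system it describes: the same last-name update is run once with the form value pasted into the SQL text and once as a bound parameter. The `users` table, the function names and the in-memory SQLite database are assumptions made for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data: one user row in a throwaway in-memory database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, lastname TEXT)")
    db.execute("INSERT INTO users (id, lastname) VALUES (1, 'placeholder')")
    return db

def update_interpolated(db, lastname):
    # Pattern from the comment: the form value becomes part of the SQL text.
    sql = "UPDATE users SET lastname='%s' WHERE id=1" % lastname
    try:
        db.execute(sql)
        return "ok"
    except sqlite3.Error as exc:
        return "error: %s" % exc

def update_parameterized(db, lastname):
    # Bound parameter: the value is passed as data and never parsed as SQL.
    try:
        db.execute("UPDATE users SET lastname=? WHERE id=1", (lastname,))
        return "ok"
    except sqlite3.Error as exc:
        return "error: %s" % exc

def stored_lastname(db):
    return db.execute("SELECT lastname FROM users WHERE id=1").fetchone()[0]

def compare(lastname):
    # Run both variants against fresh databases; report status and stored value.
    results = {}
    for label, fn in (("interpolated", update_interpolated),
                      ("parameterized", update_parameterized)):
        db = make_db()
        status = fn(db, lastname)
        results[label] = (status, stored_lastname(db))
    return results

if __name__ == "__main__":
    for sample in ("Smith", "O'Reilly"):
        print(sample, compare(sample))
```

With "O'Reilly" the interpolated variant fails with a syntax error and the row keeps its old value, while the parameterized variant stores the name unchanged.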

  2. Re:SF...hmmm by drinkypoo · Score: 4, Interesting

    Isn't this the place that arrested its systems administrator because he wanted to keep the system password secret?

    Yes. He insisted on doing his job to the letter to the very end and they boned him for it. Like a fish. He played Ahab and forgot to let go.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"