Slashdot Mirror
Ransomware Compromises San Francisco's Mass Transit System (cbslocal.com)
Buses and light rail cars make San Francisco's "Muni" fleet the seventh largest mass transit system in America. But yesterday its arrival-time screens just displayed the message "You Hacked, ALL Data Encrypted" -- and all the rides were free, according to a local CBS report shared by RAYinNYC:
Inside sources say the system has been hacked for days. The San Francisco Municipal Transportation Agency has officially confirmed the hack, but says it has not affected any service... The hack affects employees, as well. According to sources, SFMTA workers are not sure if they will get paid this week. Cyber attackers also hit Muni's email systems.
Though the article claims "The transit agency has no idea who is behind it, or what the hackers are demanding in return," Business Insider reports "The attack seems to be an example of ransomware, where a computer system is taken over and the users are locked out until a certain amount of money is sent to the attacker." In addition, they're reporting the attack "reportedly included an email address where Muni officials could ask for the key to unlock its systems."
One San Francisco local told CBS, "I think it is terrifying. I really do I think if they can start doing this here, we're not safe anywhere."
Though the article claims "The transit agency has no idea who is behind it, or what the hackers are demanding in return," Business Insider reports "The attack seems to be an example of ransomware, where a computer system is taken over and the users are locked out until a certain amount of money is sent to the attacker." In addition, they're reporting the attack "reportedly included an email address where Muni officials could ask for the key to unlock its systems."
One San Francisco local told CBS, "I think it is terrifying. I really do I think if they can start doing this here, we're not safe anywhere."
You still have to pay for buses.
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
...I don't mean running everything on OpenBSD literally, though it's an idea. I mean, "when do we get really serious about security?" Again and again, we find major hacks that are not the result of super-hackers defeating valiant protective efforts, it's script kiddies defeating idiots who kind of deserved it. The Sony hack came with many stories of multiple executives demanding the network be multiply-holed so that they could watch their favourite videos or whatever, hit their favourite sites.
I'm reading Andrew Ginter's book on SCADA security right now and reflecting on the insanity that there are SCADA systems, of all programming, being written on Windows, at all. There's one place the OpenBSD suggestion is quite serious. But even "OpenBSD" is just a buzzword unless you run your operations with security on your mind at all times. Schnier reduces this "mindfulness" argument to "read your logs", said it in three words.
Most of this stuff is not actually that *hard*...it requires *diligence* and *discipline*, but not nuclear science.
I assume you're being sarcastic. In my mind, in a story like this, who perpetrated the hack is secondary at best. If we're going to trust important infrastructure to computer systems at some point we're going to have to figure out how to engineer them in a secure fashion. Take away the ability of _any_ enemy actor to assume control. Do we even know how to do that? If we know how to do that, why wasn't it done here? Why do we keep seeing similar stories all over the place? Perhaps the cost of creating such a system is not well understood? Or maybe it's understood, but those who are charged to create such systems are underqualified? I'd love to see discussion about that. Who created this system? How exactly (as far as information is available anyways) was it comprimised? What decisions caused the opportunity for comprimise, and why were those decisions made?
disclosure: i worked as a contractor for LA Metro.
its arrival-time screens just displayed the message "You Hacked, ALL Data Encrypted"
not a hard feat to pull off. the data thats shown on these screens is either dynamically generated by track signal data thats processed through SCADA and into a windows system, or you can issue an override screen for construction/etc...removing this screen should not be hard.
and all the rides were free
there is no magic button to make all rides free centrally. This was likely done by Muni as a last ditch effort because their card transaction databases were offline or the system that handles accounting for this database was offline due to the hack. Muni simply put their turnstiles into bypass mode and sent their fare enforcement officers home for the day. it means when they run their fare-jump report for the month, theyll have to adjust for the days they had open fare points.
"The transit agency has no idea who is behind it, or what the hackers are demanding in return,"
nothing. chances are great they didnt expect to get this far. its possible the warning on muni transit screens is a side-effect of a wallpaper or start screen that machines are now forced into depending on what model of annunciation system they purchased. if thats the case, reimaging the screens will take 2-3 hours and can all be done centrally. as for the accounting database for oyster/muni cards, thats an easy restore from backup or calling transactions back from their VAN provider (value added networks, generally operated by IBM or Cisco.)
as for people worrying about getting paid, this happens a lot. ive once shut down live map systems on a handful of busses to upgrade the video drivers, and by the end of the day there was a rumor spreading that the payroll department was hacked. Drivers/operators are not brilliant minds.
Good people go to bed earlier.
I pay taxes ***OUT THE FUCKING NOSE*** in San Francisco, so the idea of **PAYING** for **PUBLIC** transportation is anathema to me.
I've been riding free for the past two days and I **salute the persons responsible for this***.
I don't endorse this sort of thing but all your IT people told you it was going to happen.
They told you the the days of living with buggy security and security through obscurity are over and that you needed to replace your equipment/system/infrastructure (which would have cost a lot of money) and you didn't do it.
I guarantee you at least one person quit or was fired.
Voila.. you get what you paid for.
BART gets pranked.
get everything off the net for starters including vpns.. even that doesn't prevent airgaps from being bridged but its a good start.
Some drink at the fountain of knowledge. Others just gargle.
This.
It's a goddam computer!
This crap about encrypting every file on board should not be allowed without two-level authentication.
A fucking computer knows when commands are coming from a program or initiated by a keyboard.
This is like burglary when there are no locks on the doors.
It little behooves the best of us to comment on the rest of us.
Hook the fare metering computers to the deadman's switch on the ICBM launch system. That way if the pesky russians hack our subway fare system, the nukes launch. They won't do that more than once!
Some drink at the fountain of knowledge. Others just gargle.
Even beyond that, systems that can be so completely broken are typically fragile systems, systems that break in ordinary use. As an example, here's a standard SQL injection, which was present all through a system I worked on recently:
SET lastname='$FORM_LASTNAME'
Sure that can be leveraged by an attacker, but what happens when the user's last name is O'Reilly? O'Reilly can't sign up for the service.
That example is typical. Code that's easily hacked is fragile, poor quality code in general, in most cases. Fixing security isn't JUST fixing security. Code that can't be broken is code that doesn't break.
You would have to be dumb like a rock to think Russia did this. What would the Kremlin gain from making people in San Francisco ride the public transit for free? And even if there was something to gain from it, why do you assume they would do it?
No foreigner would write "You hacked", no matter how poor their English is. This is just a false-flag to whip up anger, and it works great when the target is people with tiny brains such as yourself.
I don't care how clever you all think you are, you cannot design a system that cannot be hacked.
We've gone far too far, hooking up control and command to the internet. We did it to fire people and save money, or at least divert the money once given to ticket takers to computer companies.
So, this is what the future is.
No foreigner would write "You hacked", no matter how poor their English is.
All your bus are belong to us
Isn't this the place that arrested its systems administrator because he wanted to keep the system password secret?
I think we've pushed this "anyone can grow up to be president" thing too far.
So you're saying this shouldn't happen to non-profits, governments and NGAs?
Hint: this just happened to BART. Quit knee jerking.
John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
Which crypto-currency will they use?
I'm thinking Bitcoin.
Quite likely, the other crypto currencies don't really measure up for anything other than novelty use.
"All your bus are belong to us"
Public transport in North America is chronically underfunded. So "do it cheaper" is definitely a contributing factor.
When the secretary of state is allowed to have a private email server located in someone's closet across the country, and not only do no consequences arise but much of the computer industry says that is perfectly fine - at that point how can you possibly think that anyone will take computer security seriously from that point on?
I am not saying this to troll; I am saying this is the gloomy reality of the situation, and I have given up on the computer industry as a whole taking security seriously.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Why would we think it is targeted? It could well be just a standard ransomware email that found a soft squishy prey in the form of MUNI.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
So far, I have not seen Mormon Jihads, Mormon Caliphates and Mormon mass beheadings. So I think that you or someone your read are exagerating just a wee little bit regarding Mormons...
Excuse me, but please get off my Pennisetum Clandestinum, eh!
Actually, this is the special corner of hell where people go to be punished for being stupid enough to rely on Microsoft.
When all you have is a hammer, every problem starts to look like a thumb.
What other OS would you recommend?
Apple users, beware: First live ransomware targeting Macs found 'in the wild'
It little behooves the best of us to comment on the rest of us.
The "Inquisition" was done in self defense.
Why are you making me punch you?
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
And I had to run out of mod points NOW?!
-- sigs cause cancer.
Think of the clean up overtime.
Hours, days, weeks, months of trying to find and remove every last trace of deep system alterations.
If anyone asks about the clean up budget, mention its complex, has a foreign aspect thats under investigation, and has the US gov interested.
Even "standard ransomware" might have some international code in it...
Domestic spying is now "Benign Information Gathering"
"You hacked" is rather broken English so I'd suspect it's out of our sphere of influence.
disclosure: i worked as a contractor for LA Metro
What platform does the backend system run on. What desktop application is used to access the backend system?
It's a goddam computer!
Actually you're wrong. It's not the computer's fault. It's just doing what that thing between the keyboard and the chair told it to do. You need to train people how to not open email attachments. I'm frankly shocked idiots continue to fall for this shit.
In my opinion, you actually have to be actively STUPID to find yourself a virus or ransomware. They don't just leap into your computer magically, people open malicious stuff, they're stupid. ACTIVELY stupid.
This is like burglary when there are no locks on the doors.
No it's not at all like that. It's leaving your door wide open and leaving the key for anyone to pick up. Educate end-users, period. Show them how the door and lock works.
Unlike you, I'm a user advocate.
It's our goddam computers. Our coworkers just want to do their job.
We are on the expense side of they ledger and they make the money.
Blaming users is useless as tits on a boar.
How about we geniuses do our job and block this nonsense?
It little behooves the best of us to comment on the rest of us.
All it takes is one moron to click a phishing email link, executing the malware. Apparently, someone with privileges clicked the link. As in someone with enough access to production systems to infect the entire network. An IT worker got infected and using that IT workers user account the entire system was infected.
This is why those who are serious about security do annoying things like make IT workers use a different account with admin privileges that cannot actually be logged on directly but can execute processes with privilege. Needing to checkout a new password for that account daily and logging all usage of that account. Also removing local admin rights from the IT workers primary logon account. Because outsourced and low paid staff are morons. You know who gets infected the most in corporate America? It's those H1B1 Visa workers who can't afford their own computers so they take the work laptop home and surf sites back in India and Pakistan where many systems are infected.
Serious security means many layers of protection, deep packet analysis, cloud proxy that can decrypt SSL, endpoint analysis, etc., etc. Disaster Recovery is very important, there needs to be a DR SAN/NAS that is mirrored and switchable. Once you get the infection under control and confirm no more ransomware is spreading you flip from production to DR and thereby recover your data instantly. Backup critical systems as well. All this is not enough if you don't train your employees to not do stupid things like click phishing emails, download unapproved software, plug in a USB drive found in the parking lot, and give their password to a total stranger for a chocolate bar.
So an inside job?
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
So far, I have not seen Mormon Jihads, Mormon Caliphates and Mormon mass beheadings.
No, but there was at least one Mormon Massacre. Presumably they haven't organized one of those in some time.
To be honest though, I have no more problem with Mormons than with any other large, illogically-named group of people who think they get a free pass on bad behavior. Some of them are quite nice. They are pretty much completely patriarchal and do have a distinct problem with misogyny, which does not make them unique among the religious but which is a bit troubling.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Read "A Study in Scarlet".
I have. Both parts are works of fiction. Arthur Conan Doyle became quite famous for his fiction. His fictional story about a bunch of mis-named religious people -- people who had an extermination order for practicing religion in a country that prides itself on freedom of religion -- was an interesting read, but it was clearly fiction just as much as Holmes was fiction.
(Although to be fair, I imagine some people think Sherlock Holmes was a real life character and perhaps may think Doyle's other fiction works are factual, too.)
//TODO: Think of witty sig statement
It's a goddam computer!
Actually you're wrong. It's not the computer's fault. It's just doing what that thing between the keyboard and the chair told it to do. You need to train people how to not open email attachments. I'm frankly shocked idiots continue to fall for this shit.
Rather than making it more difficult for humans to use computers, why isn't the right thing to do: Train computers to stop being infected by someone opening attachments? Sandboxes have been around for years, and with hardware VM support, sandboxes can be entirely virtualized with little effect on performance.
I send and receive documents and spreadsheets with external users all the time - are you saying that I should just go back to 1990 era plain text emails because computers can't be trusted?
if your computer is responsible for billing of the entire san fransisco transit system, yeah perhaps you should go back to 1990 era plain text emails.
world was created 5 seconds before this post as it is.
So, since around the last time these systems were updated then?
I am TheRaven on Soylent News
The fact that you'd even consider Apple to be an alternative in the embedded space lets us know that you have no idea what you're talking about. There are half a dozen players here that would make sense, but a consumer hardware vendor shouldn't be anywhere near the list.
I am TheRaven on Soylent News
Interesting.
I've administered a full house of server-based Apple shit.
#AppleLivesMatter
It little behooves the best of us to comment on the rest of us.
When will this world ever learn that you just don't rely on one system. You have a backup system, consisting of paper, people, and phones. Our single dependency on the Web is showing again!!
Well, I know how to do it. I just can't get anyone to believe me, because much higher-paid corporations (Oracle, IBM, Microsoft) regularly fail at it even when paid millions.
OpenBSD is pretty good. Way fewer default security holes historically, as well as fewer fundamentally-insecure features that the design of the system's basic functionality relies on.
I actually agree. If it was written "Your hacked" though I wouldn't be so sure.
OpenBSD is useless as tits on a boar to people who don't know what the simple Sam Hill you're talking about.
Windows or Mac.
That's all consumers/workforce know anything about.
Where's OpenBSD here?
[graph of market share]
It little behooves the best of us to comment on the rest of us.