Slashdot Mirror
Ransomware Compromises San Francisco's Mass Transit System (cbslocal.com)

Buses and light rail cars make San Francisco's "Muni" fleet the seventh largest mass transit system in America. But yesterday its arrival-time screens just displayed the message "You Hacked, ALL Data Encrypted" -- and all the rides were free, according to a local CBS report shared by RAYinNYC: Inside sources say the system has been hacked for days. The San Francisco Municipal Transportation Agency has officially confirmed the hack, but says it has not affected any service... The hack affects employees, as well. According to sources, SFMTA workers are not sure if they will get paid this week. Cyber attackers also hit Muni's email systems.
Though the article claims "The transit agency has no idea who is behind it, or what the hackers are demanding in return," Business Insider reports "The attack seems to be an example of ransomware, where a computer system is taken over and the users are locked out until a certain amount of money is sent to the attacker." In addition, they're reporting the attack "reportedly included an email address where Muni officials could ask for the key to unlock its systems."

One San Francisco local told CBS, "I think it is terrifying. I really do I think if they can start doing this here, we're not safe anywhere."

20 of 141 comments

  1. All the rides are not free. by BarbaraHudson · · Score: 3, Informative

    You still have to pay for buses.

    --
    "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    1. Re:All the rides are not free. by Catbeller · · Score: 2

      Rides were free yesterday.

  2. When do we switch to OpenBSD? by rbrander · · Score: 4, Informative

    ...I don't mean running everything on OpenBSD literally, though it's an idea. I mean, "when do we get really serious about security?" Again and again, we find major hacks that are not the result of super-hackers defeating valiant protective efforts, it's script kiddies defeating idiots who kind of deserved it. The Sony hack came with many stories of multiple executives demanding the network be multiply-holed so that they could watch their favourite videos or whatever, hit their favourite sites.

    I'm reading Andrew Ginter's book on SCADA security right now and reflecting on the insanity that there are SCADA systems, of all programming, being written on Windows, at all. There's one place the OpenBSD suggestion is quite serious. But even "OpenBSD" is just a buzzword unless you run your operations with security on your mind at all times. Schneier reduces this "mindfulness" argument to "read your logs", said it in three words.

    Most of this stuff is not actually that *hard*...it requires *diligence* and *discipline*, but not nuclear science.

    1. Re:When do we switch to OpenBSD? by RhettLivingston · · Score: 4, Informative

      A really smart attacker gets in, installs a piece of code that automatically activates if it senses that it has become active after a restoration, and waits a couple of months before they do anything overt so that they are sure they've infected the backups.

      So, for a backup to really help, it has to carefully separate code and data so that you can wipe the system, install fresh code (not from a backup), and restore data only. Also, in this case, you don't want to lose even an hour's worth of data, so the data needs to be a near live off-site backup. Few backups are this good and even fewer have actually tested the restoration process.

      These attacks need to be stopped before they happen, not recovered from.

    2. Re:When do we switch to OpenBSD? by Dutch+Gun · · Score: 4, Insightful

      It won't help in many cases, as I think you hit upon the real problem when talking about Sony execs. The weak point is *users*, not technology. Were we to switch to OpenBSD tomorrow, we'd bring the idiot users along, who would happily allow a social engineering attack to compromise their system, or who insist on policies that, for convenience, ego, laziness, costs, whatever... fatally compromise their network. The DNC lost control of a Gmail account not through some masterful OS or network-level hack, but by using some simple social engineering to capture credentials, acquired through a spearphishing attack.

      I wouldn't be surprised if this attack originated internally from a contractor or employee that was compromised, and had jack-all to do with the system's end-user-facing security itself, and will probably reveal lax or non-existent security policies internally. No system is secure when the malware has proper authentication. We really have no information yet, so it's hard to say.

      --
      Irony: Agile development has too much inertia to be abandoned now.
    3. Re:When do we switch to OpenBSD? by Z00L00K · · Score: 2

      Segmentation of networks is what's needed. I hope that companies and other organizations start to learn that having a single internal net is a hazard.

      This is standard in the military - segmented nets, "washing" computers for USB drives etc.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    4. Re:When do we switch to OpenBSD? by XparXnoiaX · · Score: 2

      It's why we need full and embarrassing disclosure, to motivate companies to take security seriously.

      When companies start failing because of lack of security, then we will see them take it seriously. Not before.

      --
      Irresponsible disclosure is responsible
    5. Re:When do we switch to OpenBSD? by Anne+Thwacks · · Score: 2
      So, for a backup to really help, it has to carefully separate code and data

      You don't back up the code anyway - it's much faster to reinstall from source. I can reinstall OpenBSD and the relevant packages in under an hour. (Yes, I have tried). It helps to keep a script to reinstall all required packages. A tape restore would take 2 1/2 hours. Of course, you may need to do that anyway if the data is compromised. (I assume the disk backups are compromised - if not, obviously it would be quicker, and less data lost, to restore them).

      These attacks need to be stopped before they happen, not recovered from.
      I say Redmond should be nuked from high orbit - it's the only way to be sure!

      --
      Sent from my ASR33 using ASCII
  3. likely over-reaction. by nimbius · · Score: 5, Insightful

    disclosure: i worked as a contractor for LA Metro.

    its arrival-time screens just displayed the message "You Hacked, ALL Data Encrypted"

    not a hard feat to pull off. the data that's shown on these screens is either dynamically generated by track signal data that's processed through SCADA and into a windows system, or you can issue an override screen for construction/etc...removing this screen should not be hard.

    and all the rides were free

    there is no magic button to make all rides free centrally. This was likely done by Muni as a last ditch effort because their card transaction databases were offline or the system that handles accounting for this database was offline due to the hack. Muni simply put their turnstiles into bypass mode and sent their fare enforcement officers home for the day. it means when they run their fare-jump report for the month, they'll have to adjust for the days they had open fare points.

    "The transit agency has no idea who is behind it, or what the hackers are demanding in return,"

    nothing. chances are great they didn't expect to get this far. it's possible the warning on muni transit screens is a side-effect of a wallpaper or start screen that machines are now forced into depending on what model of annunciation system they purchased. if that's the case, reimaging the screens will take 2-3 hours and can all be done centrally. as for the accounting database for oyster/muni cards, that's an easy restore from backup or calling transactions back from their VAN provider (value added networks, generally operated by IBM or Cisco.)

    as for people worrying about getting paid, this happens a lot. i've once shut down live map systems on a handful of buses to upgrade the video drivers, and by the end of the day there was a rumor spreading that the payroll department was hacked. Drivers/operators are not brilliant minds.

    --
    Good people go to bed earlier.
  4. In Soviet Springfield... by SeaFox · · Score: 2

    BART gets pranked.

  5. Re:Enough! by CaptainDork · · Score: 2

    This.

    It's a goddam computer!

    This crap about encrypting every file on board should not be allowed without two-level authentication.

    A fucking computer knows when commands are coming from a program or initiated by a keyboard.

    This is like burglary when there are no locks on the doors.

    --
    It little behooves the best of us to comment on the rest of us.
  6. Beyond that, fragile overall by raymorris · · Score: 4, Interesting

    Even beyond that, systems that can be so completely broken are typically fragile systems, systems that break in ordinary use. As an example, here's a standard SQL injection, which was present all through a system I worked on recently:

    SET lastname='$FORM_LASTNAME'

    Sure that can be leveraged by an attacker, but what happens when the user's last name is O'Reilly? O'Reilly can't sign up for the service.

    That example is typical. Code that's easily hacked is fragile, poor quality code in general, in most cases. Fixing security isn't JUST fixing security. Code that can't be broken is code that doesn't break.
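    The O'Reilly failure the comment describes, and the parameterized query that fixes it, as an added example (not the commenter's code). It assumes a SQLite table `users` with an `id` and `lastname` column built inline for the demo; the original system's database and schema are unknown.

    ```python
    import sqlite3


    def setup_db():
        """Constructed sample table standing in for the sign-up system's user store."""
        conn = sqlite3.connect(":memory:")
        conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, lastname TEXT)")
        conn.execute("INSERT INTO users (lastname) VALUES ('placeholder')")
        conn.commit()
        return conn


    def _read_lastname(conn, user_id):
        return conn.execute("SELECT lastname FROM users WHERE id=?", (user_id,)).fetchone()[0]


    def update_lastname_interpolated(conn, user_id, lastname):
        """The fragile pattern from the comment: the form value is pasted straight
        into the SQL text. A plain name works; an apostrophe ends the string literal
        early and the statement fails to parse, so O'Reilly cannot sign up.
        Returns the stored value, or an 'error: ...' string."""
        sql = f"UPDATE users SET lastname='{lastname}' WHERE id={int(user_id)}"
        try:
            conn.execute(sql)
            conn.commit()
            return _read_lastname(conn, user_id)
        except sqlite3.Error as exc:
            return f"error: {exc}"


    def update_lastname_parameterized(conn, user_id, lastname):
        """The robust version: the driver binds the value separately from the SQL
        text, so a quote inside the name is data rather than syntax. The same change
        that makes the code correct for O'Reilly also removes the injection point."""
        conn.execute("UPDATE users SET lastname=? WHERE id=?", (lastname, user_id))
        conn.commit()
        return _read_lastname(conn, user_id)


    if __name__ == "__main__":
        db = setup_db()
        print(update_lastname_interpolated(db, 1, "Smith"))      # Smith
        print(update_lastname_interpolated(db, 1, "O'Reilly"))   # error: near "Reilly": syntax error
        print(update_lastname_parameterized(db, 1, "O'Reilly"))  # O'Reilly
    ```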

  7. Exposed our jugular veins to predators by Catbeller · · Score: 2

    I don't care how clever you all think you are, you cannot design a system that cannot be hacked.
    We've gone far too far, hooking up control and command to the internet. We did it to fire people and save money, or at least divert the money once given to ticket takers to computer companies.
    So, this is what the future is.

    1. Re:Exposed our jugular veins to predators by Stonefish · · Score: 3, Insightful

      You're flat out wrong. Provably secure systems exist and have existed for decades. Go to, or go back to Uni and learn a little. The fact that it's much cheaper to develop systems which aren't is a design choice. The people making those design choices should be held accountable for the decisions, no ifs, no buts.
      Heads on sticks is the answer. Who was responsible for implementing this system on Windows? Who was responsible for not patching the system? And who was the clown that provided vectors from the Internet to this system?

  8. Re:Enough! by Anonymous Coward · · Score: 5, Funny

    No foreigner would write "You hacked", no matter how poor their English is.

    All your bus are belong to us

  9. SF...hmmm by HiThere · · Score: 2, Insightful

    Isn't this the place that arrested its systems administrator because he wanted to keep the system password secret?

    --
    I think we've pushed this "anyone can grow up to be president" thing too far.
    1. Re:SF...hmmm by drinkypoo · · Score: 4, Interesting

      Isn't this the place that arrested its systems administrator because he wanted to keep the system password secret?

      Yes. He insisted on doing his job to the letter to the very end and they boned him for it. Like a fish. He played Ahab and forgot to let go.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  10. hacked screens should have read by Anonymous Coward · · Score: 3, Funny

    "All your bus are belong to us"

  11. Re:Enough! by ZenShadow · · Score: 3

    And I had to run out of mod points NOW?!

    --
    -- sigs cause cancer.
  12. Re:Enough! by CaptainDork · · Score: 2

    Unlike you, I'm a user advocate.

    It's our goddam computers. Our coworkers just want to do their job.

    We are on the expense side of the ledger and they make the money.

    Blaming users is useless as tits on a boar.

    How about we geniuses do our job and block this nonsense?

    --
    It little behooves the best of us to comment on the rest of us.