Ransomware Compromises San Francisco's Mass Transit System (cbslocal.com)
Buses and light rail cars make San Francisco's "Muni" fleet the seventh largest mass transit system in America. But yesterday its arrival-time screens just displayed the message "You Hacked, ALL Data Encrypted" -- and all the rides were free, according to a local CBS report shared by RAYinNYC:
Inside sources say the system has been hacked for days. The San Francisco Municipal Transportation Agency has officially confirmed the hack, but says it has not affected any service... The hack affects employees, as well. According to sources, SFMTA workers are not sure if they will get paid this week. Cyber attackers also hit Muni's email systems.
Though the article claims "The transit agency has no idea who is behind it, or what the hackers are demanding in return," Business Insider reports "The attack seems to be an example of ransomware, where a computer system is taken over and the users are locked out until a certain amount of money is sent to the attacker." In addition, they're reporting the attack "reportedly included an email address where Muni officials could ask for the key to unlock its systems."
One San Francisco local told CBS, "I think it is terrifying. I really do I think if they can start doing this here, we're not safe anywhere."
All the rides are not free. (Score:4, Informative)
Re: (Score:3)
Rides were free yesterday.
Re: (Score:2)
You still have to pay for buses.
Hey, don't get all "facty" on us, okay?
Re: (Score:1)
Re: (Score:3)
This.
It's a goddam computer!
This crap about encrypting every file on board should not be allowed without two-level authentication.
A fucking computer knows when commands are coming from a program or initiated by a keyboard.
This is like burglary when there are no locks on the doors.
Re: (Score:2)
Re: (Score:2)
Actually, this is the special corner of hell where people go to be punished for being stupid enough to rely on Microsoft.
Re: (Score:2)
What other OS would you recommend?
Apple users, beware: First live ransomware targeting Macs found 'in the wild' [cnet.com]
Re: (Score:2)
Re: (Score:2)
Interesting.
I've administered a full house of server-based Apple shit.
#AppleLivesMatter
Re: (Score:1)
OpenBSD is pretty good. Way fewer default security holes historically, as well as fewer fundamentally-insecure features that the design of the system's basic functionality relies on.
Re: (Score:2)
OpenBSD is useless as tits on a boar to people who don't know what the simple Sam Hill you're talking about.
Windows or Mac.
That's all consumers/workforce know anything about.
Where's OpenBSD here [wikipedia.org]?
[graph of market share]
Re: (Score:2)
It's a goddam computer!
Actually you're wrong. It's not the computer's fault. It's just doing what that thing between the keyboard and the chair told it to do. You need to train people how to not open email attachments. I'm frankly shocked idiots continue to fall for this shit.
In my opinion, you actually have to be actively STUPID to find yourself a virus or ransomware. They don't just leap into your computer magically, people open malicious stuff, they're stupid. ACTIVELY stupid.
This is like burglary when there are no locks on the doors.
No it's not at all like that. It's leaving y
Re: (Score:3)
Unlike you, I'm a user advocate.
It's our goddam computers. Our coworkers just want to do their job.
We are on the expense side of the ledger and they make the money.
Blaming users is useless as tits on a boar.
How about we geniuses do our job and block this nonsense?
Re: (Score:2)
It's a goddam computer!
Actually you're wrong. It's not the computer's fault. It's just doing what that thing between the keyboard and the chair told it to do. You need to train people how to not open email attachments. I'm frankly shocked idiots continue to fall for this shit.
Rather than making it more difficult for humans to use computers, why isn't the right thing to do: Train computers to stop being infected by someone opening attachments? Sandboxes have been around for years, and with hardware VM support, sandboxes can be entirely virtualized with little effect on performance.
I send and receive documents and spreadsheets with external users all the time - are you saying that I should just go back to 1990 era plain text emails because computers can't be trusted?
Re: (Score:2)
If your computer is responsible for billing of the entire San Francisco transit system, yeah, perhaps you should go back to 1990 era plain text emails.
Beyond that, fragile overall (Score:5, Interesting)
Even beyond that, systems that can be so completely broken are typically fragile systems, systems that break in ordinary use. As an example, here's a standard SQL injection, which was present all through a system I worked on recently:
SET lastname='$FORM_LASTNAME'
Sure that can be leveraged by an attacker, but what happens when the user's last name is O'Reilly? O'Reilly can't sign up for the service.
That example is typical. Code that's easily hacked is fragile, poor quality code in general, in most cases. Fixing security isn't JUST fixing security. Code that can't be broken is code that doesn't break.
Re: (Score:2)
Re: (Score:2)
Code like that would work if the language was designed in a way to keep data as data and language as language.
If someone's name was Johnny;); drop table munidata;-- that is what should end up in last name. The language should be smart enough to not get confused about this. There are many libraries that float around to address this very problem through elaborate quoting or sanitation but really it's the adherence to SQL and non type safe languages and APIs that is to blame.
Re: (Score:2)
Going on further, the query language would not be Turing complete. It would have formally decidable behavior and it would be possible to formally (and easily) show that the only operations expressible over the channel are in a permitted set.
I developed a CA request protocol along those lines. So the attack surface of the CA interface was greatly reduced and inconsistencies could be easily detected.
Re: (Score:1)
It's always been easier to break something rather than create something. Nobody has created a mass produced and implemented system of any type that is immune to hacking. The most popular OS's such as Windows, OSX, and Android are still all vulnerable to malicious hacking. Of course the biggest attack vector in these OS's are the users with poor system administrators coming in a close second. You can make a pretty secure system and then have all that security bypassed by poor firewall management, system admi
Re: (Score:2)
Even beyond that, systems that can be so completely broken are typically fragile systems, systems that break in ordinary use. As an example, here's a standard SQL injection, which was present all through a system I worked on recently:
SET lastname='$FORM_LASTNAME'
Sure that can be leveraged by an attacker, but what happens when the user's last name is O'Reilly? O'Reilly can't sign up for the service.
That example is typical. Code that's easily hacked is fragile, poor quality code in general, in most cases. Fixing security isn't JUST fixing security. Code that can't be broken is code that doesn't break.
Even worse, what if his name was "Robert'); DROP TABLE Students; --"?
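As an added example (not code from any poster), here is the fragile interpolated form beside a parameterized one, run on the parent post's O'Reilly case and on the payload quoted in this reply. The sqlite database and the Students table are constructed for the demonstration:

```python
import sqlite3

# Constructed inputs: an everyday apostrophe surname and the payload quoted in
# the thread. The Students table name is taken from that payload.
OREILLY = "O'Reilly"
BOBBY = "Robert'); DROP TABLE Students; --"


def fresh_db():
    """In-memory sign-up database with the hypothetical Students table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Students (id INTEGER PRIMARY KEY, lastname TEXT)")
    return con


def signup_fragile(con, lastname):
    """String interpolation, the pattern behind SET lastname='$FORM_LASTNAME'.
    executescript is used so that, as with drivers that accept batched
    statements, anything after a ';' in the input also runs."""
    con.executescript(f"INSERT INTO Students (lastname) VALUES ('{lastname}');")


def signup_safe(con, lastname):
    """Parameter binding: the value travels separately from the statement,
    so quotes and semicolons in the name are just characters."""
    con.execute("INSERT INTO Students (lastname) VALUES (?)", (lastname,))


def stored_names(con):
    """Last names currently stored, or None if the table no longer exists."""
    try:
        return [row[0] for row in con.execute("SELECT lastname FROM Students")]
    except sqlite3.OperationalError:
        return None


def attempt(signup, lastname):
    """Run one sign-up on a fresh database; report the outcome and what remains."""
    con = fresh_db()
    try:
        signup(con, lastname)
        status = "accepted"
    except sqlite3.Error:
        status = "sql error"  # the fragile path fails on an ordinary apostrophe
    return status, stored_names(con)


if __name__ == "__main__":
    for fn in (signup_fragile, signup_safe):
        for name in (OREILLY, BOBBY):
            print(fn.__name__, repr(name), attempt(fn, name))
```

The fragile path rejects O'Reilly with a syntax error and lets the second statement in the other input drop the table; the parameterized path stores both strings verbatim and nothing else happens.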
Re: (Score:1)
Little Bobby Tables!!
Re: (Score:1)
Likewise a UK major supermarket cannot take two part names, e.g. de Gan or van Holst or mac Donald or O'Reilly. After much correspondence, I just did not sign up, equals lost customer.
Eion Mac Donald (English form) [I just forget the possibility of Gaelic spelling in the system!]
Re: (Score:1)
Well, I know how to do it. I just can't get anyone to believe me, because much higher-paid corporations (Oracle, IBM, Microsoft) regularly fail at it even when paid millions.
Simple solution (Score:2)
Hook the fare metering computers to the deadman's switch on the ICBM launch system. That way if the pesky Russians hack our subway fare system, the nukes launch. They won't do that more than once!
Re: (Score:1)
You would have to be dumb like a rock to think Russia did this. What would the Kremlin gain from making people in San Francisco ride the public transit for free? And even if there was something to gain from it, why do you assume they would do it?
No foreigner would write "You hacked", no matter how poor their English is. This is just a false-flag to whip up anger, and it works great when the target is people with tiny brains such as yourself.
Re:Enough! (Score:5, Funny)
No foreigner would write "You hacked", no matter how poor their English is.
All your bus are belong to us
Re:Enough! (Score:4)
And I had to run out of mod points NOW?!
Re: (Score:2)
Why would we think it is targeted? It could well be just a standard ransomware email that found a soft squishy prey in the form of MUNI.
Re: (Score:2)
Hours, days, weeks, months of trying to find and remove every last trace of deep system alterations.
If anyone asks about the clean up budget, mention it's complex, has a foreign aspect that's under investigation, and has the US gov interested.
Even "standard ransomware" might have some international code in it...
Re: (Score:2)
So an inside job?
When do we switch to OpenBSD? (Score:5, Informative)
...I don't mean running everything on OpenBSD literally, though it's an idea. I mean, "when do we get really serious about security?" Again and again, we find major hacks that are not the result of super-hackers defeating valiant protective efforts, it's script kiddies defeating idiots who kind of deserved it. The Sony hack came with many stories of multiple executives demanding the network be multiply-holed so that they could watch their favourite videos or whatever, hit their favourite sites.
I'm reading Andrew Ginter's book on SCADA security right now and reflecting on the insanity that there are SCADA systems, of all programming, being written on Windows, at all. There's one place the OpenBSD suggestion is quite serious. But even "OpenBSD" is just a buzzword unless you run your operations with security on your mind at all times. Schneier reduces this "mindfulness" argument to "read your logs", said it in three words.
Most of this stuff is not actually that *hard*...it requires *diligence* and *discipline*, but not nuclear science.
Re: (Score:2)
Pretty much any systems failure (including ransomware attacks) can be mitigated with proper backups.
Re:When do we switch to OpenBSD? (Score:5, Informative)
A really smart attacker gets in, installs a piece of code that automatically activates if it senses that it has become active after a restoration, and waits a couple of months before they do anything overt so that they are sure they've infected the backups.
So, for a backup to really help, it has to carefully separate code and data so that you can wipe the system, install fresh code (not from a backup), and restore data only. Also, in this case, you don't want to lose even an hour's worth of data, so the data needs to be a near live off-site backup. Few backups are this good and even fewer have actually tested the restoration process.
These attacks need to be stopped before they happen, not recovered from.
Re: (Score:3)
You don't backup the code anyway - it's much faster to reinstall from source. I can reinstall OpenBSD and the relevant packages in under an hour. (Yes, I have tried). It helps to keep a script to reinstall all required packages. A tape restore would take 2 1/2 hours. Of course, you may need to do that anyway if the data is compromised. (I assume the disk backups are compromised - if not, obviously it would be quicker, and less dat
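An added example (not from either poster) of the "restore data only, reinstall code fresh" rule from the parent post and this reply: a restore planner that reads a backup archive and admits only non-executable files under the data tree, refusing binaries, config drop-ins and path traversal. The archive contents, paths and the var/data prefix are constructed for the example:

```python
import io
import posixpath
import tarfile

# Constructed backup contents. Besides ordinary data files, it carries two
# members a backup taken after a compromise might contain (a binary and a
# post-restore trigger) and one path-traversal entry. All made up.
BACKUP_MEMBERS = {
    "var/data/fares.db": b"fare records",
    "var/data/schedule.csv": b"line,departs\n14,07:05\n",
    "usr/local/bin/fare-sync": b"#!/bin/sh\necho not-data\n",
    "etc/cron.d/post-restore": b"@reboot root /usr/local/bin/fare-sync\n",
    "var/data/../../etc/passwd": b"traversal attempt",
}

DATA_PREFIX = "var/data/"  # hypothetical data tree for this example


def build_backup(members=BACKUP_MEMBERS):
    """Write the constructed members into an in-memory tar archive."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            if name.startswith("usr/local/bin/"):
                info.mode = 0o755  # executable, as a shipped binary would be
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def is_restorable_data(member):
    """Accept only regular, non-executable files whose normalized path stays
    inside the data tree. Code and config are not restored from backup at all;
    they come from a fresh install, so a planted file cannot ride back in."""
    if not member.isfile():
        return False
    if member.mode & 0o111:
        return False
    norm = posixpath.normpath(member.name)
    if norm.startswith("/") or norm.startswith(".."):
        return False
    return norm.startswith(DATA_PREFIX)


def plan_restore(backup_bytes):
    """Return (restored names, skipped names) without touching the disk."""
    restored, skipped = [], []
    with tarfile.open(fileobj=io.BytesIO(backup_bytes), mode="r") as tar:
        for member in tar.getmembers():
            (restored if is_restorable_data(member) else skipped).append(member.name)
    return restored, skipped


if __name__ == "__main__":
    restored, skipped = plan_restore(build_backup())
    print("restore:", restored)
    print("skip (reinstall from trusted source instead):", skipped)
```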
Re: (Score:2)
How about if we disallow this kind of hack?
Hunert dollas to a donut it was a click on a link in an email.
Computers can be predictive and examine code and "think" through the consequences.
So, no massive encryption.
And, any attempt to do so should be halted until we get a "double vote yes" from two phones via text message.
Re: (Score:2)
This isn't about what OS you're using. All OSes are vulnerable given enough access. That's the key,,, access. Don't just lock the doors, eliminate them.
It isn't reasonable to have all of these devices fully air-gapped from the public internet infrastructure, but it is very reasonable to have the entire system on its own VPN with NO other ports open. That combined with heavily limited access to the main servers that the devices connect to and NO installation of user tools like email clients on the servers st
Re: (Score:3)
Segmentation of networks is what's needed. I hope that companies and other organizations start to learn that having a single internal net is a hazard.
This is standard in the military - segmented nets, "washing" computers for USB drives etc.
Re: (Score:2)
Re: (Score:2)
The idea of all this remote automation was to remove the need for layers of staff at every location.
A few skilled engineers can keep a networked system working all day with another set of workers for repairs.
If too many new staff are hired to watch computers or run the network when the computers fail they might unionise.
Think of all the wages and over time, extra pay and holidays that will have to be covere
calling commander adama (Score:2)
get everything off the net for starters including vpns.. even that doesn't prevent airgaps from being bridged but it's a good start.
Re: (Score:2)
yee haw
Re:When do we switch to OpenBSD? (Score:5, Insightful)
It won't help in many cases, as I think you hit upon the real problem when talking about Sony execs. The weak point is *users*, not technology. Were we to switch to OpenBSD tomorrow, we'd bring the idiot users along, who would happily allow a social engineering attack to compromise their system, or who insist on policies that, for convenience, ego, laziness, costs, whatever... fatally compromise their network. The DNC lost control of a Gmail account not through some masterful OS or network-level hack, but by using some simple social engineering to capture credentials, acquired through a spearphishing attack.
I wouldn't be surprised if this attack originated internally from a contractor or employee that was compromised, and had jack-all to do with the system's end-user-facing security itself, and will probably reveal lax or non-existent security policies internally. No system is secure when the malware has proper authentication. We really have no information yet, so it's hard to say.
Re: (Score:2)
...or who insist on policies that, for convenience, ego, laziness, costs, whatever... fatally compromise their network.
Imagine that. Making the computer serve its users, rather than the other way around. What kind of subversive thinking is this?
Re: (Score:2)
The computer doesn't know or care who its users are - you're just a username and password. If you don't mind security, sooner or later, some hacker will be its user, not you.
Re: (Score:2)
For a "closed-world" system like some city transport, running a defined set of programs that doesn't change all the time, one could feasibly get some actual security with a little hardware support, TPMish.
Re: (Score:2)
The issue is not the technology, it's humanity. No matter how many warnings you give people, no matter how many times you tell them "THIS IS REALLY BAD, DO NOT ALLOW THIS!" they will just click OK, and in most cases after not even reading the warning.
The problem is software has been crying wolf with inconsequential security warnings: Yeah, I get it, the SSL cert I'm using is self signed. User Account Control, and the MacOS password prompt, pops up for every little OS change, I really do trust the RDP/SSH co
Sad answer: never, and it's getting worse (Score:1)
When the secretary of state is allowed to have a private email server located in someone's closet across the country, and not only do no consequences arise but much of the computer industry says that is perfectly fine - at that point how can you possibly think that anyone will take computer security seriously from that point on?
I am not saying this to troll; I am saying this is the gloomy reality of the situation, and I have given up on the computer industry as a whole taking security seriously.
Re: (Score:2)
When companies start failing because of lack of security, then we will see them take it seriously. Not before.
Re: (Score:2)
I'm reading Andrew Ginter's book on SCADA security right now and reflecting on the insanity that there are SCADA systems, of all programming, being written on Windows, at all. There's one place the OpenBSD suggestion is quite serious. But even "OpenBSD" is just a buzzword unless you run your operations with security on your mind at all times. Schneier reduces this "mindfulness" argument to "read your logs", said it in three words.
I think it is interesting the "lessons" people chose to extract from events.
Re: (Score:2)
Re: (Score:2)
So you're saying this shouldn't happen to non-profits, governments and NGAs?
Hint: this just happened to BART. Quit knee jerking.
Re: The stockholders wouldn't like it. (Score:2)
Public transport in North America is chronically underfunded. So "do it cheaper" is definitely a contributing factor.
Re: (Score:2)
"You hacked" is rather broken English so I'd suspect it's out of our sphere of influence.
Comment removed (Score:5, Insightful)
disclosure: i worked as a contractor for LA Metro. (Score:2)
What platform does the backend system run on. What desktop application is used to access the backend system?
They're heroes (Score:1)
I pay taxes ***OUT THE FUCKING NOSE*** in San Francisco, so the idea of **PAYING** for **PUBLIC** transportation is anathema to me.
I've been riding free for the past two days and I **salute the persons responsible for this***.
Re: (Score:2)
The real crime (Score:2)
I don't endorse this sort of thing but all your IT people told you it was going to happen.
They told you the days of living with buggy security and security through obscurity are over and that you needed to replace your equipment/system/infrastructure (which would have cost a lot of money) and you didn't do it.
I guarantee you at least one person quit or was fired.
Voila.. you get what you paid for.
In Soviet Springfield... (Score:3)
BART gets pranked.
Re: (Score:2)
Which crypto-currency will they use?
I'm thinking Bitcoin.
Quite likely, the other crypto currencies don't really measure up for anything other than novelty use.
Exposed our jugular veins to predators (Score:3)
I don't care how clever you all think you are, you cannot design a system that cannot be hacked.
We've gone far too far, hooking up control and command to the internet. We did it to fire people and save money, or at least divert the money once given to ticket takers to computer companies.
So, this is what the future is.
Re:Exposed our jugular veins to predators (Score:4, Insightful)
You're flat out wrong. Provably secure systems exist and have existed for decades. Go to, or go back to Uni and learn a little. The fact that it's much cheaper to develop systems which aren't is a design choice. The people making those design choices should be held accountable for the decisions, no ifs, no buts.
Heads on sticks is the answer. Who was responsible for implementing this system on Windows? Who was responsible for not patching the system? And who was the clown that provided vectors from the Internet to this system?
Re: (Score:2)
Not necessarily bad things.
But, things like online banking will destroy us.
SF...hmmm (Score:3, Insightful)
Isn't this the place that arrested its systems administrator because he wanted to keep the system password secret?
Re:SF...hmmm (Score:5, Interesting)
Isn't this the place that arrested its systems administrator because he wanted to keep the system password secret?
Yes. He insisted on doing his job to the letter to the very end and they boned him for it. Like a fish. He played Ahab and forgot to let go.
hacked screens should have read (Score:3, Funny)
"All your bus are belong to us"
All it takes... (Score:2)
All it takes is one moron to click a phishing email link, executing the malware. Apparently, someone with privileges clicked the link. As in someone with enough access to production systems to infect the entire network. An IT worker got infected and using that IT worker's user account the entire system was infected.
This is why those who are serious about security do annoying things like make IT workers use a different account with admin privileges that cannot actually be logged on directly but can execute
"Putting all your eggs in one basket." (Score:1)
Re: (Score:2)
Re: (Score:2)
So far, I have not seen Mormon Jihads, Mormon Caliphates and Mormon mass beheadings.
No, but there was at least one Mormon Massacre [wikipedia.org]. Presumably they haven't organized one of those in some time.
To be honest though, I have no more problem with Mormons than with any other large, illogically-named group of people who think they get a free pass on bad behavior. Some of them are quite nice. They are pretty much completely patriarchal and do have a distinct problem with misogyny, which does not make them unique among the religious but which is a bit troubling.
Re: (Score:2)
The "Inquisition" was done in self defense.
Why are you making me punch you?
Re: (Score:2)
Read "A Study in Scarlet".
I have. Both parts are works of fiction. Arthur Conan Doyle became quite famous for his fiction. His fictional story about a bunch of mis-named religious people -- people who had an extermination order for practicing religion in a country that prides itself on freedom of religion -- was an interesting read, but it was clearly fiction just as much as Holmes was fiction.
(Although to be fair, I imagine some people think Sherlock Holmes was a real life character and perhaps may think Doyle's other fiction wo
Re: (Score:1)
I actually agree. If it was written "Your hacked" though I wouldn't be so sure.