Passengers ride free on SF Muni subway after ransomware infects network, demands $73k

Re: Sign of the times

Reminds me of the early days of auto-pilot ---

A friendly voice comes over the airliner's PA system:

"This plane is being piloted by an automated navigation system. This system has been thoroughly tested and there are no reasons to worry, no reasons to worry, no reasons to worry, ........."

Re: Sign of the times

> One day a few hundred people might see a message like that on the seat back displays on an aircraft

It'd just make for bored passengers. Probably increase duty-free sales.

> I am fairly sure the inflight entertainment system is air gapped from the flight control system

It is, although there were reports circulating a few years ago about stuff jumping the gap, but never known to occur in the wild, intentionally or otherwise. There isn't such as thing as "the flight control system" anyway, but dozens of systems that operate more or less independently of each other, each with its own redundancy.

> on today's modern airliners.

By design, they are made to be inherently flyable. By far the major risk electronics pose is the corresponding fire hazard. In the event of a complete electrical power failure, you're essentially back to flying a C-172. As long as there is no fire, it's just an interesting day at the office.

Re: Sign of the times

"An entire mass transit system's IT gets badly mauled for money and the headline here is "Woot - free travel"."

Obviously concerns and priorities will vary, but to a certain demographic this could be perceived as a Robin Hood action.

Re: Sign of the times

An entire mass transit system's IT gets badly mauled for money and the headline here is "Woot - free travel".

A non-life threatening IT incident occurred and was reported by El Reg - an IT news website known for a heavy dose of sarcasm and humour, especially in its sub-heads.

Move along, nothing to see here.

Well this was completely avoidable

I mean it's just extremely risky to put a system that can easily run code from any e-mail and doesn't even show "file extensions" by default into the hands of untrained workers.

If they would have just been a bit more cautious and, for example, provided their users with simpler systems where they cannot easily make such fatal errors. If everything fails, give them terminals for the business end of things.

Re: Sign of the times

I am fairly sure the inflight entertainment system is air gapped from the flight control system on today's modern airliners.

I can tell you don't work in security; it's the touchingly naive faith in people to not make the most stupid mistake possible...

https://www.wired.com/2015/04/hackers-commandeer-new-planes-passenger-wi-fi/

Re: Sign of the times

" I am fairly sure the inflight entertainment system is air gapped from the flight control system on today's modern airliners."

I'm fairly sure, no certain, that you are wrong.

Re: Sign of the times

I guess I'm jealous considering the ransom I pay everyday to National Rail services in to London and then TFL, just to not get a seat, and to be squashed on the Sardintral (Central) Line which is an aluminium can full of red face passenger meat.

Re: These infections seem almost inadvertent

elDog>>Like the perpbots don't know what they're infecting and what the possible payoff might be.

I'm surprised they don't use a "Dutch auction" Those organizations with the right combination of the urgency and the resources might pay a high price immediately. Eventually the price will drop to the point where even a home user might say, well, I'll pay a few quid to not have to say goodbye to all those photographs.

Re: Design failure

Because that costs more money and "there's no need to do that". (At least, thats what management says *before* it goes wrong, *after* it goes wrong it's "how could you let this happen!")

Re: Design failure

Simply due to some domain admins still thinking that it's fine to put everything in the same domain. Face palm

Re: Design failure

It sounds like they're running Microsoft Windows, which has been designed since way back with the idea that everything is in a flat network, preferably in a single broadcast domain. It gets messy in a hurry when you try to limit how clients talk to the domain controllers. Stuff breaks in mysterious ways, and unless you have a very high level contract with MS your odds of getting help fixing them are not high.

Re: Design failure

"You have to wonder why they have not segmented their networks with firewalls, both to alert on compromise and minimise the effects if anything were to get in."

You would have to wonder why anyone in this day and age would think that segmenting a network with firewalls would be the way to do it. Segmented networks, yes. Firewalls yes. But the firewalls are not really how we segment networks, that's largely done via the switches and by the use of other security devices. Unfortunately this does take planning and investment which is why most organisations don't do it. Another reason is that good people cost a lot and companies bizarrely think that three cheap bodies are more effective than one expert.

Re: What a nightmare...

Somebody will *always* click on a link! If your system relies on no one ever making a mistake you are as big a fool as the user, in fact more so because you are paid to stop this.

In fact there are always vulnerabilities in every system, and everyone sooner or later will do something dumb, so you need multiple layers of protection:

- Try and stop spam coming in by severe email filtering and quarantine of any suspect attachment

- Educate users to be vigilant so they don't fall for it (too often)

- Disable as far as possible the ability for spam to run when it does (noexec ACLs on user-writable areas for Windows, equivalent mount option for /home, /tmp and so on in Linux, blocking macros in document readers like Office, Adobe Reader (if you are that unlucky as to have to use it), etc)

- Limit what successfully run spam can do in terms of access to other machines (network segmentation, file systems mounted read-only if at all possible, etc)

- Have a tested backup and restore system that can't be modified by the target PCs no matter what account privileges they have (also use of frequent snapshots to reduce the window of unrecoverable damage, etc)

Re: Woot - Free Travel Indeed

If they opened the gate and left out a bucket for donations then I would pay to support not funding the next generation of ransomware.

Re: Woot - Free Travel Indeed

"nations capitol"

Just because the spell checker doesn't highlight them it doesn't mean the words are correct for the context !!

Re: Woot - Free Travel Indeed

> If this had happened in London the nations capitol would probably be walking to work.

Out of consideration for your readers, please mind your spelling.

Re: Spam them?

Why SPAM? Send ransomware back. Most of us get 2-3 samples a day so getting a kit to send back should not be an issue.

" I for one would like to see them captured and put into jail for a very long time."

Or forced to ride public transport 24 hours a day 7 days a week.

"I am surprised at the moderate level of ire at the perpetrators in the comments."

I'm not.

About a decade ago the domain name registration service used by a company I worked for fouled up and failed to renew one of the domains - they invoiced and were paid for the renewal, they just didn't do it. It was instantly snapped up by Russian cyber squatters who demanded $CASHLOTS to hand it back. I got voted in as the person to talk to them about it. I made it clear that the domain name wasn't one that was important to us. It was handy to have but not essential and it wasn't associated with business comms (the only email accounts for that domain were postmaster and hostmaster) so we didn't care about losing it. I asked them nicely if they would hand it back since we weren't going to put ourselves out to recover the domain name and certainly weren't going to be paying even $1 ransom money. I also pointed out that they would have to pay the registration fees so it was costing them money for nothing.

I got the same outraged response. How dare I not want to pay ransom money? They had gone to some effort to grab the registration and I should be grateful to them that they only wanted hundreds of thousands of dollars to hand it back.

I check from time to time, they still have the domain, no one wants it.

> I am surprised at the moderate level of ire at the perpetrators in the comments.

What use would that be?

Re: Cheaper?

Ahh Thing work better if we keep our hands off as much as possible?. Kind of like the phenomenon of the mortality rate going down when doctors go on strike?