Passengers ride free on SF Muni subway after ransomware infects network, demands $73k

Hard-drive-scrambling ransomware infected hundreds of computers at San Francisco's public transit agency on Friday and demanded 100 bitcoins to unlock data, The Register has learned. Ticket machines were shut down and passengers were allowed to ride the Muni light-rail system for free on Saturday – a busy post-Thanksgiving …

Silver badge

Re: Design failure

"What makes you think they haven't [segmented the network]? The thing with firewalls is that you always have holes for allowed traffic."

If there are holes they aren't segmented. Porous firewalls are a trading of convenience for security. How long will it take for people to wake up to the fact that in the end you lose out in a big way on security?

1
0

Re: Design failure

> ' *after* it goes wrong it's "how could you let this happen!"'

> Let's hope someone has the relevant emails backed up. Off-line naturally.

This reminds me of the Abigail Oath, which goes:-

I am hired because I know what I am doing, not because I will do whatever I am told is a good idea. This might cost me bonuses, raises, promotions, and may even label me as “undesirable” by places I don’t want to work at anyway, but I don’t care. I will not compromise my own principles and judgement without putting up a fight. Of course, I won’t always win, and I will sometimes be forced to do things I don’t agree with, but if I am, my objections will be known, and if I am shown to be right and problems later develop, I will shout “I told you so!” repeatedly, laugh hysterically, and do a small dance or jig as appropriate to my heritage.

6
0
Anonymous Coward

Re: Design failure

Because that costs more money and "there's no need to do that".

Well, as a minion at Dundee University (hence AC) that is the plan for the new network - no longer IP address by department subnet with ACLs between them, but now IP address by building and all in a big pool as far as access is concerned. Maybe a few pools depending on "type", but it's not clear from down here how the glorious leaders are actually going to act.

I hope somebody in charge reads El Reg and sees the SF incident as the almost inevitable consequences of not segmenting the network by-design.

2
0
Silver badge

Re: Design failure

"a minion at Dundee University"

Store those emails offline.

1
0

Re: Design failure

@Doctor Syntax :

"...Porous firewalls are a trading of convenience for security."

Those who give up computing security for a little convenience will soon have neither.

-- Mark Twain

If you want somebody to pay attention to something, tell them Mark Twain said it first.

-- Benjamin Franklin

5
0
Silver badge
Joke

Re: Design failure

Colin,

You forgot:

Throw manglement under the bus at each and every opportunity I get.

2
0
Silver badge

Re: Design failure

"If you want somebody to pay attention to something, tell them Mark Twain said it first.

-- Benjamin Franklin"

Shouldn't that be

-- Mark Twain?

0
0
Silver badge

Re: Design failure

You might be right.

"Don't believe everything you read on the Internet." -- Abraham Lincoln.

3
0
Orv
Silver badge

Re: Design failure

It sounds like they're running Microsoft Windows, which has been designed since way back with the idea that everything is in a flat network, preferably in a single broadcast domain. It gets messy in a hurry when you try to limit how clients talk to the domain controllers. Stuff breaks in mysterious ways, and unless you have a very high level contract with MS your odds of getting help fixing them are not high.

1
0

Re: Design failure

Why a bus? They've got an entire tube train system to hand.

0
0
Anonymous Coward

Re: Design failure

> Valley municipal IT are a bunch of clueless incompetent clowns

A bit quick to judge perhaps? Unless you have seen the post mortem.

Personally, when fuck-ups happen, my first thought is "there but for the grace of God¹ ...", not "everyone else doesn't know what they're doing".

My second thought then is "how likely is this to happen to me, what would be the consequences, and case being, how can I stop it from happening?"

¹ Technically, I'm an atheist, but "there but for the grace of an essentially chaotic series of events" doesn't quite have the same ring to it.

1
0
Silver badge

Re: Design failure

'if I am shown to be right and problems later develop, I will shout “I told you so!”'

A design team that I was a member of had an informal rule that all position papers used to establish the design objectives would be printed on odd numbered pages only. Even numbered pages would be printed with "I TOLD YOU SO" in 72 point characters. In the event of the inevitable management-created cock-up the paper would be turned over.

0
1
Silver badge

Re: Design failure

"The problem with quotes on the internet is that you never know whether they are genuine or not." -- Charles Babbage

1
0
Silver badge

Re: Design failure

"You have to wonder why they have not segmented their networks with firewalls, both to alert on compromise and minimise the effects if anything were to get in."

You would have to wonder why anyone in this day and age would think that segmenting a network with firewalls would be the way to do it. Segmented networks, yes. Firewalls yes. But the firewalls are not really how we segment networks, that's largely done via the switches and by the use of other security devices. Unfortunately this does take planning and investment which is why most organisations don't do it. Another reason is that good people cost a lot and companies bizarrely think that three cheap bodies are more effective than one expert.

1
0

Relevant?

http://www.infoworld.com/article/2653004/misadventures/why-san-francisco-s-network-admin-went-rogue.html

7
0
Anonymous Coward

What a nightmare...

Yet another wake-up call for senior execs (the weakest link in any org will screw you). What was the attack vector? Underpaid / badly trained staff clicked on a poison link?

4
0
Silver badge
Headmaster

Re: What a nightmare...

"Underpaid / badly trained staff clicked on poison link?"

More like OVERpaid / Completely untrained PHB clicked on poisoned link.

12
0
Anonymous Coward

Re: What a nightmare...

Somebody will *always* click on a link! If your system relies on no one ever making a mistake you are as big a fool as the user, in fact more so because you are paid to stop this.

In fact there are always vulnerabilities in every system, and everyone sooner or later will do something dumb, so you need multiple layers of protection:

- Try and stop spam coming in by severe email filtering and quarantine of any suspect attachment

- Educate users to be vigilant so they don't fall for it (too often)

- Disable as far as possible the ability for spam to run when it does (noexec ACLs on user-writable areas for Windows, equivalent mount option for /home, /tmp and so on in Linux, blocking macros in document readers like Office, Adobe Reader (if you are that unlucky as to have to use it), etc)

- Limit what successfully run spam can do in terms of access to other machines (network segmentation, file systems mounted read-only if at all possible, etc)

- Have a tested backup and restore system that can't be modified by the target PCs no matter what account privileges they have (also use of frequent snapshots to reduce the window of unrecoverable damage, etc)

3
0
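The "equivalent mount option for /home, /tmp and so on in Linux" in the list above is a control that is easy to declare and easy to lose after a reinstall or a new volume. This added audit helper (not from the thread) parses a mount table in /proc/mounts format and reports user-writable mount points that lack noexec; the mount table and the list of mount points are constructed here and are assumptions.

```sh
#!/bin/sh
# Added example: check user-writable mount points for the noexec option.
# Input is text in /proc/mounts format: device mountpoint fstype options dump pass

# Mount points ordinary users can write to (assumption; adjust per host).
WRITABLE_MOUNTS="/tmp /var/tmp /home /dev/shm"

# check_noexec MOUNT_TABLE_TEXT
# Prints one line per listed mount point that is mounted without noexec.
# Returns 0 if all listed mount points are noexec (or not separate mounts), 1 otherwise.
check_noexec() {
    _table="$1"
    _bad=0
    for mp in $WRITABLE_MOUNTS; do
        # field 2 is the mount point, field 4 the comma-separated options
        _opts=$(printf '%s\n' "$_table" | awk -v mp="$mp" '$2 == mp { print $4 }')
        # Not a separate mount: it inherits the parent's options, nothing to report here.
        [ -z "$_opts" ] && continue
        case ",$_opts," in
            *,noexec,*) ;;
            *) printf '%s mounted with options "%s": missing noexec\n' "$mp" "$_opts"
               _bad=1 ;;
        esac
    done
    return $_bad
}

# Constructed sample: /tmp is writable and executable, the others are already noexec.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sda3 /home ext4 rw,nosuid,nodev,noexec 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0'

# Constructed sample with every listed mount point hardened.
GOOD_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sda3 /home ext4 rw,nosuid,nodev,noexec 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0'

# Stand-alone run against the constructed sample; on a real host pass "$(cat /proc/mounts)".
check_noexec "$SAMPLE_MOUNTS" ||
    echo "=> add noexec to those entries in /etc/fstab and remount"
```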
Silver badge
FAIL

Re: What a nightmare...

"Somebody will *always* click on a link!"

I don't believe that's true. If it were people would be able to misdirect individuals over and over again. There's no evidence to support your claim - see this paper which gives a detailed statistical analysis of the root causes of security breaches. It does not mention clicking on a link as a significant issue.

0
0
Silver badge

Talk To Me

"The extortionists behind the malware have complained that no one at the agency has so far spoken to them let alone offered to pay."

Never dealt with local government bureaucrats before?

11
0
Holmes

Re: Talk To Me

Perhaps the extortionist doesn't know that he needs a Business License before he can collect.

5
0

Woot - Free Travel Indeed

If this had happened in London the nations capitol would probably be walking to work.

4
2
Silver badge

Re: Woot - Free Travel Indeed

If they opened the gate and left out a bucket for donations then I would pay to support not funding the next generation of ransomware.

9
0
Anonymous Coward

Re: Woot - Free Travel Indeed

"nations capitol"

Just because the spell checker doesn't highlight them, it doesn't mean the words are correct for the context!!

9
0
hmv

Re: Woot - Free Travel Indeed

Do you mean to say London isn't the world's _capital_ ?

1
0
Silver badge

Re: Woot - Free Travel Indeed

Well, a big chunk of the nations capitol is London based.... so a play on words cannot be discounted.

0
2
Bronze badge
Headmaster

Nations capitol ^W^W Nation's capital

That is all.

2
0
Anonymous Coward

Re: Woot - Free Travel Indeed

> If this had happened in London the nations capitol would probably be walking to work.

Out of consideration for your readers, please mind your spelling.

0
0
Anonymous Coward

Re: Woot - Free Travel Indeed

> If they opened the gate and left out a bucket for donations then I would pay to support not funding the next generation of ransomware.

Where I live there are no gates. People pay just because that's the deal, not because there is a gate to open.

0
0
Anonymous Coward

Mind the air-gap

What?

6
0
MJI
Silver badge

Spam them?

They give an email address, fill their inbox with spam

3
0
Silver badge

Re: Spam them?

Why SPAM? Send ransomware back. Most of us get 2-3 samples a day so getting a kit to send back should not be an issue.

5
0

Master File Table

I read that Talos blog on protecting the MBR, and being ignorant about NTFS, I have a question: if some malware simply encrypts the Master File Table, couldn't you regularly snapshot it (and the MBR too, why not?) and be able to restore them?

0
0
WTF?

I am surprised at the moderate level of ire at the perpetrators in the comments.

I know, yes, that the systems should be better locked down. But that doesn't justify people just shrugging and saying "Well, what do you expect?"

By their own admission, they are just trying to break any systems they can get into, and asking for significant amounts of money to repair the damage they have caused. They seem almost upset that no-one is talking to them. They are loathsome blackmailing scum of the earth, and I for one would like to see them captured and put into jail for a very long time.

11
0

" I for one would like to see them captured and put into jail for a very long time."

Or forced to ride public transport 24 hours a day 7 days a week.

3
0
Silver badge

A distinction without a difference

" I for one would like to see them captured and put into jail for a very long time."

Or forced to ride public transport 24 hours a day 7 days a week.

0
0
Silver badge
Stop

Or forced to ride public transport 24 hours a day 7 days a week.

Please have some degree of appropriateness about the level of punishment. These are only low-life malware-inflicting scum out to make a (dis)honest living; it's not as if they are mass murderers or politicians who would be more deserving of such a punishment.

3
0
pxd

Re: A distinction without a difference

I think we should distinguish between the punishment of being forced to perpetually ride the London Underground, which has, by and large, not been too painful of late (sorry Piccadilly Line passengers today), and the truly medieval Spanish Inquisition-esque torture that is the lot of the poor Southern Rail user. So far, the SF mob strike me as deserving the former; I would reserve the latter for those holding hospitals to ransom. pxd

3
0
Bronze badge

Re: A distinction without a difference

"No one expects a Southern Rail train"?

8
0
Silver badge

"I am surprised at the moderate level of ire at the perpetrators in the comments."

I'm not.

About a decade ago the domain name registration service used by a company I worked for fouled up and failed to renew one of the domains - they invoiced and were paid for the renewal, they just didn't do it. It was instantly snapped up by Russian cyber squatters who demanded $CASHLOTS to hand it back. I got voted in as the person to talk to them about it. I made it clear that the domain name wasn't one that was important to us. It was handy to have but not essential and it wasn't associated with business comms (the only email accounts for that domain were postmaster and hostmaster) so we didn't care about losing it. I asked them nicely if they would hand it back since we weren't going to put ourselves out to recover the domain name and certainly weren't going to be paying even $1 ransom money. I also pointed out that they would have to pay the registration fees so it was costing them money for nothing.

I got the same outraged response. How dare I not want to pay ransom money? They had gone to some effort to grab the registration and I should be grateful to them that they only wanted hundreds of thousands of dollars to hand it back.

I check from time to time, they still have the domain, no one wants it.

2
0
Anonymous Coward

> I am surprised at the moderate level of ire at the perpetrators in the comments.

What use would that be?

0
0
Silver badge

Cheaper?

It would be interesting to see how much would actually be lost if all of the systems and functions that are currently broken were just switched off, and the staff let go. Maybe free riding would not be as expensive as all that?

1
0
Silver badge

Re: Cheaper?

Ahh. Things work better if we keep our hands off as much as possible? Kind of like the phenomenon of the mortality rate going down when doctors go on strike?

0
0
Joke

Free Charlie Now

Maybe the perpetrators could be persuaded to target Boston MTA so that it's free to ride for a few hours. A chap called Charlie has apparently been stuck there for decades because he didn't realise that a fare increase had been imposed.

See: Charlie on the MTA

https://www.youtube.com/watch?v=S7Jw_v3F_Q0

0
0
Anonymous Coward

SFMTA

Is hardly an underfunded IT organization. It is big and buys lots and lots of Dell hardware... one very senior IT person is a big fan of Compellent. Pity that MTA didn't apparently work out how to use snapshots as a form of risk mitigation against exactly this scenario, despite having seen exactly this scenario and mitigation in product demonstrations of several other products delivered to the same Compellent bigot, who just kept on buying more of the same.

I think it is amusing that the ransomware minions are surprised that they have not received the ransom yet... they should be aware that they will need to be listed as an approved vendor before the city can pay for software. I believe that the city is not currently accepting applications, so they may just have to wait, or go through the Dell team to make that sale.

AC because ...well...

I think it is amusing the ransom writers

0
0

Why don't people protect their systems?

One simple Group Policy to prevent users from running executables in the Temp folder and you instantly stop 90% of ransomware - Simples!

For the other 10%, regular backups, decent A/V and educating users.

I have to do this for SMBs - why don't larger organisations do this?

Sorry, not too much sympathy when there are ways to prevent this sort of thing..........

1
0

> Windows

Lol.

0
0
Silver badge


Biting the hand that feeds IT © 1998–2017