
Cyber Attackers Crash Muni Computer System Across SF - pain_perdu
http://sanfrancisco.cbslocal.com/2016/11/26/you-hacked-cyber-attackers-crash-muni-computer-system-across-sf/
======
pdx6
I am on the Citizen's Advisory Council for the SFMTA. I also happen to
specialize in computer security! I have asked SFMTA staff to have this item
put on a committee agenda so we can get a full post mortem of what happened.
It will likely be a few months before we get any real details.

Since people are asking...

The ticket kiosks run Win2k, the subway display screens run Flash (on Win2k I
imagine), and the SFMuniCentral display is DOS under OS/2. For the latter, it
might be running Linux now. The subway system is in the middle of a major
modernization project since SF is going to open a new subway line with new
cars in the next 18 months.

~~~
dkarapetyan
Why is the response so slow? I mean why can't they just replace everything in
the ticket kiosks and then restore the central system from a backup on new
machines?

100% secure systems I understand are pipe dreams but at least the mitigation
and response in case of failures and hacks should not be so long.

~~~
cft
>Why is the response so slow?

Socialism. Not Swedish post capitalism, but the Soviet style, intolerant to
dissent. Do you know that San Francisco has 10 billion dollar budget and over
30,000 city employees? And they want more.

~~~
nickthemagicman
It's fixed. It took the Red Army one day. Not bad.

[http://www.sfchronicle.com/news/article/Muni-back-to-normal-...](http://www.sfchronicle.com/news/article/Muni-back-to-normal-after-apparent-computer-hack-10638550.php)

------
kaiku
Fixing the SFMTA would be a great hackathon project. I'm sure there's more than a
few willing and talented people in the city to lend their skills to solving
this immediate problem...

~~~
pdx6
I think this is a good idea, but there isn't much in the way of API access or
documentation for SFMTA systems. Beyond Nextbus, there is no API to poll for
data. Nearly everything requires a request for information or Sunshine
request, where a staff member stops what they are doing, goes to an internal
system (Trapeze, for example), does a C&P, removes HR info, and passes it
along.

That being said, some of the newer SFMTA projects do have a data stream to at
least scrape, like road construction schedules, Muni Forward, and Vision Zero
collision data. There is a whole lot more data available, most of it released
quarterly, I could help get access to as well.

------
Animats
The live track map of Muni has been frozen for two days now.

[1] [http://www.sfmunicentral.com/sfmunicentral_Snapshot_Objects/...](http://www.sfmunicentral.com/sfmunicentral_Snapshot_Objects/Muni_Subway_Snapshot.html)

~~~
Animats
Now it's down semi-permanently.[1]

[1] [http://www.sfmunicentral.com/sfmunicentral_Snapshot_Objects/...](http://www.sfmunicentral.com/sfmunicentral_Snapshot_Objects/Muni_Subway_Snapshot.html)

------
i336_
Did a bit of quick digging, this article shows an actual (potato) photo:
[http://www.sfexaminer.com/hacked-appears-muni-stations-fare-...](http://www.sfexaminer.com/hacked-appears-muni-stations-fare-payment-system-crashes/)

Looks like it tinkered with the MBR, but I'm very curious as to why it's
_also_ saying "Missing operating system" _under_ the message. Maybe the string
is part of the replaced MBR for added effect?

Also, dupe thread with more comments:
[https://news.ycombinator.com/item?id=13050262](https://news.ycombinator.com/item?id=13050262)
\- maybe those comments could be moved over here.
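The question above is whether the "Missing operating system" text could be stock boot-code residue or part of whatever replaced the MBR. That is answerable without guessing from a photo: read the first sector and compare it to a known-good copy. The following is an added example, not code from the thread or from SFMTA, and it uses constructed sample sectors rather than a real Windows MBR image (the real boot code is not reproduced). It parses the 512-byte sector layout (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature), looks for the three error strings that the standard Windows MBR code carries, and reports deviations from a baseline SHA-256 of the boot-code region. The function names and the sample bytes are the example's own assumptions.

```python
import hashlib
import struct
from typing import Dict, List

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445: boot code (NT-era MBRs also keep the disk signature here)
PARTITION_TABLE_OFFSET = 446   # four 16-byte partition entries follow the boot code
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511

# Error strings carried by the standard Windows MBR boot code.
STANDARD_MBR_STRINGS = (
    b"Invalid partition table",
    b"Error loading operating system",
    b"Missing operating system",
)

# Layout of one partition entry: status, CHS start, type, CHS end, LBA start, sector count.
PARTITION_ENTRY_FMT = "<B3sB3sII"


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector: caller-supplied boot code, one bootable NTFS-type
    (0x07) primary partition starting at LBA 2048, and a valid signature."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code does not fit in 446 bytes")
    boot = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack(PARTITION_ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 1_000_000)
    table = entry + b"\x00" * (16 * 3)   # remaining three entries unused
    return boot + table + BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> Dict:
    """Split a raw 512-byte sector into the facts a defender wants to compare."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    boot_code = sector[:BOOT_CODE_LEN]
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            PARTITION_ENTRY_FMT, sector[off:off + 16])
        if ptype != 0:   # type 0 means the slot is empty
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": sectors})
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "standard_strings_present": [s.decode() for s in STANDARD_MBR_STRINGS if s in boot_code],
        "partitions": partitions,
    }


def check_against_baseline(sector: bytes, baseline_sha256: str) -> List[str]:
    """Return human-readable findings; an empty list means the sector matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline")
    missing = [s.decode() for s in STANDARD_MBR_STRINGS
               if s.decode() not in info["standard_strings_present"]]
    if missing:
        findings.append("standard MBR error strings missing: " + ", ".join(missing))
    if not info["partitions"]:
        findings.append("no partition entries")
    return findings


# Constructed stand-in for the known-good sector taken from a clean machine of the same build:
# a few opcode-like bytes plus the three stock error strings, NUL-terminated.
GOOD_MBR = build_sample_mbr(
    b"\xfa\x33\xc0" + b"\x90" * 40 + b"".join(s + b"\x00" for s in STANDARD_MBR_STRINGS))
BASELINE_SHA256 = parse_mbr(GOOD_MBR)["boot_code_sha256"]

# Constructed stand-in for a tampered sector: the partition table is untouched, the
# signature is still valid, but the boot code has been replaced by placeholder bytes
# that keep only one of the three stock strings.
TAMPERED_MBR = build_sample_mbr(
    b"\xeb\xfe" + b"CONSTRUCTED PLACEHOLDER BOOT CODE\x00" + b"Missing operating system\x00")

if __name__ == "__main__":
    for label, sector in (("good", GOOD_MBR), ("tampered", TAMPERED_MBR)):
        print(label, check_against_baseline(sector, BASELINE_SHA256) or ["matches baseline"])
```

On a real machine the sector would come from reading the first 512 bytes of the boot disk (for example from a forensic image), and the baseline hash from an identical clean build; the interesting outcome is the combination "boot code differs" with the partition table intact, which is what a boot-code overwrite looks like, as opposed to a wiped or corrupted disk.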

------
yarou
I've always been curious about the type of embedded OS that ATMs and ticket
kiosks use. Most of the time, it seems to be an unpatched version of Windows.

Does anyone know what the SFMTA runs on their kiosks?

~~~
web007
Not sure about SFMTA but I know BART at Fremont is running Windows9x for its
pay machines. Once I clicked the "add fare" button too fast and somehow
dropped to desktop.

------
Animats
Message is:

“You Hacked, ALL Data Encrypted. Contact For Key(cryptom27@yandex.com)ID:681 ,Enter.”

~~~
s_q_b
From the text, it is pretty clear he wants people to think he's from Russia.
From this I conclude two things:

1. He's not Russian.

2. This is a good hacker but an amateur at OPSEC.

~~~
eridius
Just because you think the message looks like it suggests a Russian hacker
doesn't mean that it isn't in fact Russian. Sometimes a cigar is just a cigar.

~~~
s_q_b
This is a personal opinion based on experience, speaking for myself alone,
made with access only to public information.

Take it for what you will.

~~~
ryanlol
I'm not sure how you could legitimately come to those conclusions based on
the publicly available information.

There's very little indicating the author is Russian, but considering that's
legitimately how most eastern European and Russian hackers type it wouldn't be
much of a stretch.

However I can't see how that leads to the conclusion that the author is trying
to pretend to be Russian, as opposed to just being from Ukraine, Romania or
Russia.

And unless I'm missing something, there's even less information about his
OPSEC practices.

~~~
s_q_b
A few hints that tickle my spider sense:

1. Yandex is an email provider that is used almost exclusively in the new Russian
sphere of influence.

This is the first thing that would jump out to an attribution analyst.
Combined with the non-native language mistakes, a first pass analysis would
indicate Russia.

But the name of the game is deception.

2. The "mistakes" in the text are not those which a Russian-speaker would
make. The most obvious signal is the leading space before the comma.

------
jrspence
Just in time for watch_dogs 2 to come out for PC...

~~~
AgentME
Has viral advertising gone too far? /s

------
tedunangst
If the fare machines are all out of order, opening the gates is not a
"precaution".

------
iask
Win2k...not surprised. I often see this. If it ain't broken why fix it.
O'boy, tomorrow is Cyber Monday.

