
SoylentNews is people

posted by on Tuesday November 29 2016, @05:06AM
from the all-your-fare-are-belong-to-us dept.

People using San Francisco's Muni public transportation, which consists of buses, streetcars, Metro light rail and cable cars, rode for free over the holiday weekend. [...] Some of those people thought the free rides were part of a Thanksgiving gift or "Black Friday deal," but anyone who happened to glance at San Francisco Muni station computer screens knew better. On Friday and Saturday, the screens all displayed:

You Hacked, ALL Data Encrypted, Contact For Key(cryptom27@yandex.com)ID:681 ,Enter Key.

[...] SFMTA spokesman Paul Rose said the hack was discovered on Friday, but all fare machines were back to normal on Sunday. The "Muni subway fare gates were locked in an open position and could not be electronically closed;" Rose claimed the fare gates were intentionally opened to promote free Muni service.

It was not a targeted attack, according to the San Francisco Examiner. After the news outlet contacted the Yandex email address listed in the ransom note, someone going by "Andy Saolis" claimed the ransomware "infected an admin level computer after someone at SFMTA downloaded a torrented computer file, a software keycode generator."


  • (Score: 3, Informative) by dlb on Tuesday November 29 2016, @08:23PM

    From the parent's link [krebsonsecurity.com]:

    Personally, I try to avoid using vital services that allow someone to reset my password if they can guess the answers to my secret questions. But in some cases...answering secret questions is unavoidable.

    Allowing passwords to be reset with a question/answer isn't quite an open backdoor to your account, but it's close. Any password, even high-quality ones made of many and varied characters, is instantly nullified by offering up a simple word or phrase substitute. One that comes with a pretty good hint, no less, as demonstrated by how the hacker got hacked.

    (Sorry...felt for a rant about sites that force arbitrary restrictions on passwords, making them nearly impossible to memorize, and then force their users to further remember answers to simplistic questions that undo all that random-generated security. Time to dust this thing [xkcd.com] off. It fits.)
