[sf-lug] MUNI hacked any information or insight.
Rick Moen
rick at linuxmafia.com
Mon Nov 28 14:25:51 PST 2016
Quoting Bobbie Sellers (bliss-sf4ever at dslextreme.com):
> Hi LUGers,
>
> Well I guess everyone knows that the MUNI fare and
> payroll systems have been subjected to a "ransom ware"
> sort of attack.
> I wonder if anyone knows if their systems were net-connected
> with access from the Internet or if it had to be an inside
> job?
First of all, you're not going to see any reliable information about
Muni network security immediately following this failure. There will be
a total blanket of no-commenting and one authorised spokescritter
(in this case, Muni spokesman Paul Rose[1]) issuing soothing but
vague statements.
Second, the exploit need not have directly involved Internet traffic.
There are plenty of ways to screw up. The criminals have claimed
that this was an automated attack against obsolete and vulnerable
software rather than a targeted attack, and I think this is entirely
credible.
So, having a swiss-cheesed software infrastructure seems to have been
the one critical error, going into this situation. That's the kerosene.
According to the _Examiner_ story, the match was lit by someone with
administrative access on his/her Muni computer torrenting a 'software
keycode generator' (whatever that is) and running it with admin
privilege. I gather that the code in question was trojaned.
http://www.sfexaminer.com/alleged-muni-hacker-demands-73000-ransom-computers-stations-restored/
The criminals claimed, as quoted by a blogger writing for Andrew
Dudley's hoodline.com site
(http://hoodline.com/2016/11/hackers-hold-sfmta-s-computer-network-hostage-for-73k-ransom),
that they'd compromised 2,112 Muni computers (about 1/4 of the computers
Muni runs), housing 'payroll, email servers, Quickbooks, NextBus
operations, various MySQL database servers, staff training and personal
computers for hundreds of employees'. One infers from the single-day
downtime that Muni was able to quickly rebuild all (they hope) affected
machines' software loads and restore from (how old?) backups.[2]
The software tool used to encrypt filesystems is one called HDDCryptor
aka Mamba. However, this says nothing about the critical question,
which was how the criminals entered and elevated privilege.
According to _Forbes_ and _Fortune_, the criminals have more recently
threatened to publicly publish Muni data, to 'leak 30GB of both SFMTA
employee info and that of customers'.
http://www.forbes.com/sites/thomasbrewster/2016/11/28/san-francisco-muni-hacked-ransomware/
http://fortune.com/2016/11/28/muni-hack-san-francisco/
[1] Seems to be this guy, a professional PR / spokesman type:
http://blog.sfgate.com/cityinsider/2010/06/17/a-rose-is-a-rose-is-a-new-muni-spokesman/
http://blog.sfgate.com/abraham/2010/06/18/oakland-mayor-ron-dellums-aide-paul-rose-leaves-for-san-francisco/
[2] Reinforcing the important point that the very first security priority,
if you haven't yet ensured it, is verifiably-good, offline, timely backups
and the ability to quickly rebuild your machines from trustworthy
software sources. Everything else is of secondary importance.
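Footnote [2]'s point about verifiably-good, timely backups, as an added example that is not part of the original post: a small Python check that hashes a backup set into a manifest (meant to be stored off the backup volume), then later reports files that are missing or altered and whether the set is older than an allowed window. The file names and contents are constructed sample data.

```python
import hashlib, json, os, tempfile, time

def sha256_file(path):
    """Stream the file through SHA-256 so large archives need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def write_manifest(backup_dir, manifest_path):
    """Hash every file in the backup set; keep the manifest off the backup volume."""
    entries = {}
    for root, _, files in os.walk(backup_dir):
        for name in files:
            full = os.path.join(root, name)
            entries[os.path.relpath(full, backup_dir)] = sha256_file(full)
    with open(manifest_path, "w") as f:
        json.dump({"created": time.time(), "files": entries}, f)

def verify_backup(backup_dir, manifest_path, max_age_hours=24, now=None):
    """Report files that are missing or whose hash changed, and whether the set is stale."""
    now = time.time() if now is None else now
    with open(manifest_path) as f:
        manifest = json.load(f)
    missing, corrupt = [], []
    for rel, digest in manifest["files"].items():
        full = os.path.join(backup_dir, rel)
        if not os.path.exists(full):
            missing.append(rel)
        elif sha256_file(full) != digest:
            corrupt.append(rel)
    stale = now - manifest["created"] > max_age_hours * 3600
    return {"ok": not (missing or corrupt or stale),
            "missing": missing, "corrupt": corrupt, "stale": stale}

def demo():
    """Constructed sample: a two-file backup, verified clean, then one file overwritten."""
    backup = tempfile.mkdtemp()
    for name, data in (("payroll.sql", b"-- constructed dump\n"), ("mail.tar", b"fake tar")):
        with open(os.path.join(backup, name), "wb") as f:
            f.write(data)
    manifest = os.path.join(tempfile.mkdtemp(), "manifest.json")  # separate location
    write_manifest(backup, manifest)
    clean = verify_backup(backup, manifest)
    with open(os.path.join(backup, "payroll.sql"), "wb") as f:  # simulate corruption
        f.write(b"garbage")
    damaged = verify_backup(backup, manifest)
    stale = verify_backup(backup, manifest, max_age_hours=1, now=time.time() + 7200)
    return clean, damaged, stale
```

A hash match only proves the copy is intact, not that it restores; a scheduled test restore onto a clean machine is the other half of "verifiably-good".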