As much fun as Android is, I don't _think_ there's any public RCEs that recent, while I can think of a couple of recent Windows XP+ RCEs that are probably also doable-but-unpatched on Win2k:
(Those were just the ones I quickly found that allow RCE on XP SP2 (the oldest thing that they still provided patches for, so most likely to be shared code with Win2k) without requiring active interaction on the target's behalf, e.g. not including "convince target to open X malformed file, receive payload")
Well, the most common voting machines are iVotronics from ten years ago, which are pretty laughable. Dr. Appel at Princeton already hacked these systems back in 2006. There's even a flash card on the top of the machine, which even the state's hand-picked pen tester had to admit could be accessed even with a tamper-proof lock in place.
It's starting to bother me that the PA election officials keep saying that the voting machines aren't connected networked together, and that one would need 4,500 cards to compromise an election. It's just flatly false, since every county feeds into a central system such as Unity or GEMS, which themselves are provably insecure, and can be infected via the compact flash cards when they're collected. You would only need a few people in key counties to swing an entire election.
What I would give for the days of hanging chads...
Just because you think the message looks like it suggestions a Russian hacker doesn't mean that it isn't in fact Russian. Sometimes a cigar is just a cigar.
I'm not sure how you could legitimately come to those conclusions based on on the publicly available information.
There's very little indicating the author is Russian, but considering that's legitimately how most eastern European and Russian hackers type it wouldn't be much of a stretch.
However I can't see how that leads to the conclusion that the author is trying to pretend to be Russian, as opposed to just being from Ukraine, Romania or Russia.
And unless I'm missing something, there's even less information about his OPSEC practices.
1. Yandex is an email provider that is almost exclusively to the new Russian sphere of influence.
This is a the first thing that would jump out to an attribution analyst. Combined with the non-native language mistakes, a first pass analysis would indicate Russia.
But the name of the game is deception.
2. The "mistakes" in the text are not those which a Russian-speaker would make. The most obvious signal is leading space before the comma.
Googling the email address shows a few hits with other IDs, so at the very least this has gotten around a bit. (I haven't chased down the search hits, there may/may not be some leads as to what it is out there)
I've always been curious about the type of embedded OS that ATMs and ticket kiosks use. Most of the time, it seems to be an unpatched version of Windows.
Does anyone know what the SFMTA runs on their kiosks?
Not sure about SFMTA but I know BART at Fremont is running Windows9x for its pay machines. Once I clicked the "add fare" button too fast and somehow dropped to desktop.
I made software for a few museum exhibitions with multiple interactive terminals (sometimes up to 30). At first we used WinXP/Flash, and later moved to Linux/Opera (to cut licensing fees and shorten development time). That was 6 years ago.
I am on the Citizen's Advisory Council for the SFMTA. I also happen to be specialize in computer security! I have asked SFMTA staff to have this item put on a committee agenda so we can get a full post mortem of what happened. It will likely be a few months before we get any real details.
Since people are asking...
The ticket kiosks run Win2k, the subway display screens run Flash (on Win2k I imagine), and the SFMuniCentral display is DOS under OS/2. For the latter, it might be running Linux now. The subway system is in the middle of a major modernization project since SF is going to open a new subway line with new cars in the next 18 months.
Why is the response so slow? I mean why can't they just replace everything in the ticket kiosks and then restore the central system from a backup on new machines?
100% secure systems I understand are pipe dreams but at least the mitigation and response in case of failures and hacks should not be so long.
Socialism. Not Swedish post capitalism, but the Soviet style, intolerant to dissent. Do you know that San Francisco has 10 billion dollar budget and over 30,000 city employees? And they want more.
Perhaps technically correct, but totally lacking in any explanatory power. It's one step short of explaining it as "because of physics." True, but not useful.
The response is only slow from my side because this is a public meeting that has notification requirements. I have to set agendas about a month in advance and allow time for staff to create a presentation.
Internally, the SFMTA staff will do whatever their immediate work is to fix the hack.
It's been what, 2 days, over a holiday weekend? Where do they get that many new computers and what does it cost, is that in the budget? Are they insured? Do they have the staff on hand to fix it? Do they even know what the fix actually is? If they rolled out a bunch of new hardware how would they know it wouldn't just get re-infected?
Are you going to stomach a fare hike or increased taxes for a computer system swap over to do an emergency computer replacement for the whole system (if it was even possible)?
You really expect MUNI to handle a breach better and faster than tech savvy organizations like Yahoo, LinkedIn, etc (in comparison to MUNI) who had breaches and didn't even let us know for months or years.
Sony, for example, had PSN down for almost 2 MONTHS while they determined the extent of the hack and fixed it back in 2011.
My understanding is that the SFMTA has contractors on call to fix this. The machines are probably contracted out to a third party. I'll get to find out soon enough for sure!
My point is that none of this is instant. I'd be very impressed if it was all back up by Monday, next Monday if it required the hardware to all be swapped. We're dealing with real physical items here, not spinning up cloud instances.
Yes, I don't see why you equate MUNI with less technical competence than Yahoo, LinkedIn, etc. Yahoo and friends are not critical infrastructure. I expect more from critical infrastructure in terms of preparedness and response times to such failure modes.
I'm actually making no statement of technical competence but playing into the assumption of the GP. If he thinks muni is incompetent then they should take way longer than Y/L. In fact e's expecting them to be faster. In general GP wanted more than just about anyone who had expected this type of failure and had an active response with required 1-day SLA would be able to provide.
As another random fact, the screens in BART stations showing upcoming departures are ASP.Net websites. I once saw the generic error config page (At least I hope I am remembering correctly that it was the generic user facing error page).
Fix the SFMTA would be a great hackathon project. I'm sure there's more than a few willing and talented people in the city to lend their skills to solving this immediate problem...
I think this is a good idea, but there isn't much in the way of API access or documentation for SFMTA systems. Beyond Nextbus, there is no API to poll for data. Nearly everything requires a request for information or Sunshine request, where a staff member stops what they are doing, goes to an internal system (Trapeze, for example), does a C&P, removes HR info, and passes it along.
That being said, some of the newer SFMTA projects do have a data stream to at least scrape, like road construction schedules, Muni Forward, and Vision Zero collision data. There is a whole lot more data available, most of it released quarterly, I could help get access too as well.
Looks like it tinkered with the MBR, but I'm very curious as to why it's also saying "Missing operating system" under the message. Maybe the string is part of the replaced MBR for added effect?
42 comments
[ 3.6 ms ] story [ 137 ms ] thread“You Hacked, ALL Data Encrypted. Contact For Key(cryptom27@yandex.com)ID:681 ,Enter.”
1. He's not Russian.
2. This a good hacker but an amateur at OPSEC.
[1] - https://news.ycombinator.com/item?id=13051310
[1] - https://www.cvedetails.com/cve/CVE-2013-3175/
[2] - https://www.cvedetails.com/cve/CVE-2012-1852/
[3] - https://www.cvedetails.com/cve/CVE-2012-0173/
[4] - https://www.cvedetails.com/cve/CVE-2012-0002/
(Those were just the ones I quickly found that allow RCE on XP SP2 (the oldest thing that they still provided patches for, so most likely to be shared code with Win2k) without requiring active interaction on the target's behalf, e.g. not including "convince target to open X malformed file, receive payload")
It's starting to bother me that the PA election officials keep saying that the voting machines aren't connected networked together, and that one would need 4,500 cards to compromise an election. It's just flatly false, since every county feeds into a central system such as Unity or GEMS, which themselves are provably insecure, and can be infected via the compact flash cards when they're collected. You would only need a few people in key counties to swing an entire election.
What I would give for the days of hanging chads...
Take it for what you will.
There's very little indicating the author is Russian, but considering that's legitimately how most eastern European and Russian hackers type it wouldn't be much of a stretch.
However I can't see how that leads to the conclusion that the author is trying to pretend to be Russian, as opposed to just being from Ukraine, Romania or Russia.
And unless I'm missing something, there's even less information about his OPSEC practices.
1. Yandex is an email provider that is almost exclusively to the new Russian sphere of influence.
This is a the first thing that would jump out to an attribution analyst. Combined with the non-native language mistakes, a first pass analysis would indicate Russia.
But the name of the game is deception.
2. The "mistakes" in the text are not those which a Russian-speaker would make. The most obvious signal is leading space before the comma.
http://www.sfexaminer.com/hacked-appears-muni-stations-fare-...
Does anyone know what the SFMTA runs on their kiosks?
Making life worse through technology, welcome to the future!
[1] http://www.sfmunicentral.com/sfmunicentral_Snapshot_Objects/...
[1] http://www.sfmunicentral.com/sfmunicentral_Snapshot_Objects/...
Since people are asking...
The ticket kiosks run Win2k, the subway display screens run Flash (on Win2k I imagine), and the SFMuniCentral display is DOS under OS/2. For the latter, it might be running Linux now. The subway system is in the middle of a major modernization project since SF is going to open a new subway line with new cars in the next 18 months.
100% secure systems I understand are pipe dreams but at least the mitigation and response in case of failures and hacks should not be so long.
Socialism. Not Swedish post capitalism, but the Soviet style, intolerant to dissent. Do you know that San Francisco has 10 billion dollar budget and over 30,000 city employees? And they want more.
http://www.sfchronicle.com/news/article/Muni-back-to-normal-...
Internally, the SFMTA staff will do whatever their immediate work is to fix the hack.
Are you going to stomach a fare hike or increased taxes for a computer system swap over to do an emergency computer replacement for the whole system (if it was even possible)?
You really expect MUNI to handle a breach better and faster than tech savvy organizations like Yahoo, LinkedIn, etc (in comparison to MUNI) who had breaches and didn't even let us know for months or years.
Sony, for example, had PSN down for almost 2 MONTHS while they determined the extent of the hack and fixed it back in 2011.
Also sounds like it's back up so I call myself impressed.
That being said, some of the newer SFMTA projects do have a data stream to at least scrape, like road construction schedules, Muni Forward, and Vision Zero collision data. There is a whole lot more data available, most of it released quarterly, I could help get access too as well.
Looks like it tinkered with the MBR, but I'm very curious as to why it's also saying "Missing operating system" under the message. Maybe the string is part of the replaced MBR for added effect?
Also, dupe thread with more comments: https://news.ycombinator.com/item?id=13050262 - maybe those comments could be moved over here.