By Chris Reed.
Six weeks after some 900 computers used by the San Francisco Municipal Railroad were hacked with ransomware, many concerns remain about the incident — especially as coverage of U.S. cyber vulnerabilities has become more extensive than ever.
San Francisco’s light-rail system, known as Muni, faced an emailed demand from an unknown hacker that he be paid about $73,000 in bitcoins if it wanted to regain control of the computers. Apparently in fear that more computers had been hacked than the ones displaying a message, “You Hacked, ALL Data Encrypted,” the transit agency shut off ticket machines and fare gates at rail stations from the morning of Friday, Nov. 25, through Sunday, Nov. 27, allowing passengers free rides that weekend.
The following Monday, Muni officials announced that not only had they not paid the ransom, they never even considered paying it, confident in their tech prowess. Many targeted companies and organizations feel they have no choice. Last April, the Hollywood Presbyterian Medical Center in Los Angeles paid nearly $17,000 in bitcoins to recover access to data that had been encrypted by hackers.
What was found after ‘hacker got hacked’
Federal and state security officials have kept mum about the attack since it happened. Conventional news accounts accepted the simple narrative of a hacker being bested by Muni information technology experts.
But niche media specializing in tech issues had a less reassuring point of view. The Krebs On Security tech website, run by former Washington Post national security reporter Brian Krebs, offered an in-depth analysis with an unusual advantage: Krebs worked with an unnamed security expert who “hacked the hacker” by cracking one of his email accounts. Krebs made two points of particular note.
The first point suggests that San Francisco Municipal Railroad officials shouldn’t be too quick to crow about fighting off the attack. Initial attacks are often probes meant to find out the sophistication of cyber defenses. Kreb reported security expert Alex Holden believed that “the attack server [used by the Muni hacker] appears to have been used as a staging ground to compromise new systems.” Presumably, the transit agency is aware of this possibility and has brought in experts to look for other malware on all its computer systems.
The second point is that some of the most popular software made by one of California’s richest, most high-profile companies — Redwood Shores-based Oracle Corp. — seems very vulnerable to hacker attacks of the type faced by Muni. The worst problems appear to be with Oracle’s Primavera project portfolio management software, which Muni uses.
Krebs followed the visible online tracks of the hacker and concluded he was operating from somewhere where Farsi or Persian were regularly used, perhaps Iran. He said evidence indicated the hacker had in recent months extorted at least $140,000 in Bitcoin, with the primary target being U.S. manufacturing and construction firms that used Oracle software. The week before the hacking in San Francisco, the hacker was paid $45,000 in a ransom by a U.S. manufacturer.
Is criticism of CA tech giant’s software fair?
Oracle says the problems it faces with cybersecurity and vulnerable software are no different that those faced by rival high-profile software companies in an era in which cybercriminals harvest billions of dollars. Krebs’ reporting suggested that it was users’ failure to keep software updated that made them vulnerable, not Oracle’s flawed programs.
The hacker’s negotiations with targeted companies often included an offer to provide tips on how to avoid new attacks in return for a few more bitcoins, Krebs wrote.
The main tip? A link to an Oracle security patch released in November 2015.
“Read this and install patch before you connect your server to internet again,” the attacker wrote in an email that Krebs obtained.
Nevertheless, the company has found itself open to criticism for its security lapses and policies. In October 2015, Business Insider reported that six interns working for a cybersecurity firm were able to quickly hack a version of Oracle’s E-Business Suite that had just been upgraded. That came after an Oracle security official had ridiculed such cybersecurity bug hunting, leading founder Larry Ellison to do damage control in a speech in which he suggested everyone should work together to keep the internet safe.
Oracle, which employs more than 136,000 people around the world, had revenue of $37 billion and net income of $8.9 billion in its last fiscal year.