Mind the gap.....
... in our security protocols.
Hack into TfL's inevitably large databank, and the world is your Oyster
Transport for London's ongoing cyber incident has taken a dark turn as the organization confirmed that some data, including bank details, might have been accessed, and 30,000 employees' passwords will need to be reset via in-person appointments. TfL dropped the claim it made earlier this week that there had been "no evidence" …
Faking someone's voice over the phone is relatively easy, and wouldn't need to be particularly accurate to convince an overworked IT helpdesk phone support bod.
In-person is a lot harder to fake, especially as everyone already has a workplace photo ID.
Almost everyone starts their shift at one of the depots, so it's not actually a hardship as they're going to be there anyway.
Says it all. Capita and Woke nonsense. The estimated £6.3m renaming of Overground stations would have been better spent on IT security, perhaps some HR processes for staff/security management and some pen testing.
https://www.capita.com/our-work/working-tfl-keep-london-moving#:~:text=Capita's%20data%20network%20infrastructure%20enables,the%20Tube%20to%20run%20smoothly.
https://www.capita.com/our-work/working-tfl-keep-london-moving
https://www.bbc.co.uk/news/articles/ce9zrj9vv5yo.amp
https://www.bbc.co.uk/news/uk-68315382.amp
https://tfl.gov.uk/info-for/media/press-releases/2024/february/london-s-overground-lines-to-be-given-new-names-and-colours-in-historic-change-to-capital-s-transport-network
Lines, sorry, not stations. Memory shortfall. It still cost a fuckload of money and was a huge management distraction from BAU stuff like security and knowing who works for them.
That’s for corporate naming stunts - Burberry and Samsung.
After I'd been working in London for just a short time I decided it was easier to walk the mile-and-a-half from Liverpool Street to the Arse End: I had a choice of Central, Circle, etc but they were all so problematic, and always had about a billion sweaty commuters packed onto the platform already.
My colleagues seemed grateful. Although they didn't believe in any sort of woo in the slightest, they noticed I'm so technophobic that the train always broke down when I got on it but was mostly reliable in my absence.
The ICO have acknowledged the issues with fining the public sector (and the same issues apply to not-for-profit orgs undertaking public services), and will use their "discretion" to reduce fines. I have spent the last 5 mins thinking of alternatives and cannot think of any.
I assume that any information about me, anywhere on-line, has been, or will be hacked or stolen.
At this point it's simply inevitable.
Can it be stopped? I'm inclined to think that most IT infrastructure has grown to the point where no-one entirely understands it. The size and complexity makes it a great target for hackers and governments.
Until something really, really, REALLY massive happens I can't see that changing.
"Can it be stopped? I'm inclined to think that most IT infrastructure has grown to the point where no-one entirely understands it."
There's been no downside to dodgy security thus far. Anybody that can get people to give them PII, will do so and store it to be sold on. There's no risk to the company should something go wrong.
There are ways to store information so that it isn't available in one large dump on demand if it needs to be accessed regularly. Sure, the C-level idiots may want that function for themselves, just in case, but it just opens up a giant hole in security. For particularly sensitive data such as hospital records, there could be a requirement that people needing large data sets work from an approved location that has physical security and checks. A physician who needs to look at charts for their patients in hospital could do that via their unique login if they are on record as attending that patient.
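The access model sketched in the comment above, as an added example (not code from the thread, and not from any TfL or hospital system): a single-record read is allowed only where a recorded clinician/patient relationship exists, bulk reads are confined to an approved physical location, and an audit-log scan flags any account that nonetheless walks through many distinct records in a short window. Every name, record ID, location and log line is constructed for illustration; the threshold and window are arbitrary assumptions.

```python
"""Record-level authorisation plus a bulk-access alarm.

Added example, not code from the thread or from any TfL/NHS system. Each
individual read may be authorised; the point is that nobody, C-level or not,
should be able to pull the whole table without tripping something.
Every name, record ID and log line here is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: (clinician, patient) pairs on record as "attending".
ATTENDING = {
    ("dr_ahmed", "P-1001"),
    ("dr_ahmed", "P-1002"),
    ("dr_okafor", "P-1003"),
}

# Constructed: the only places from which bulk/data-set work may be done.
APPROVED_BULK_LOCATIONS = {"records-office-1"}

BULK_THRESHOLD = 3              # distinct records in one window before alarming (assumed)
WINDOW = timedelta(minutes=10)  # sliding window length (assumed)


def can_read_chart(user, patient_id, location, purpose="care"):
    """Single-record read: allowed only if `user` is on record as attending
    `patient_id`. Bulk reads ignore the relationship but must come from an
    approved physical location. Any other purpose is denied."""
    if purpose == "bulk":
        return location in APPROVED_BULK_LOCATIONS
    if purpose == "care":
        return (user, patient_id) in ATTENDING
    return False


def find_bulk_readers(audit_log, threshold=BULK_THRESHOLD, window=WINDOW):
    """Scan (timestamp, user, patient_id) audit events and return
    {user: max_distinct_records} for every user who touched more than
    `threshold` distinct records inside any `window`-long span."""
    by_user = defaultdict(list)
    for ts, user, patient_id in sorted(audit_log):
        by_user[user].append((ts, patient_id))

    flagged = {}
    for user, events in by_user.items():
        worst = 0
        for i, (start, _) in enumerate(events):
            # Distinct records touched in the window that opens at this event.
            in_window = {pid for ts, pid in events[i:] if ts - start <= window}
            worst = max(worst, len(in_window))
        if worst > threshold:
            flagged[user] = worst
    return flagged


# Constructed audit trail: two clinicians behaving normally and one account
# pulling every chart it can reach within a few minutes.
T0 = datetime(2024, 9, 6, 9, 0)
SAMPLE_AUDIT_LOG = [
    (T0, "dr_ahmed", "P-1001"),
    (T0 + timedelta(minutes=2), "dr_ahmed", "P-1002"),
    (T0 + timedelta(minutes=1), "exec_dump", "P-1001"),
    (T0 + timedelta(minutes=2), "exec_dump", "P-1002"),
    (T0 + timedelta(minutes=3), "exec_dump", "P-1003"),
    (T0 + timedelta(minutes=4), "exec_dump", "P-1004"),
    (T0 + timedelta(minutes=40), "dr_okafor", "P-1003"),
]

if __name__ == "__main__":
    print(can_read_chart("dr_ahmed", "P-1001", "ward-3"))       # True
    print(can_read_chart("dr_ahmed", "P-1003", "ward-3"))       # False
    print(find_bulk_readers(SAMPLE_AUDIT_LOG))                  # {'exec_dump': 4}
```

The two halves are deliberately separate: the authorisation check is per request and has no memory, so it cannot see a slow dump on its own; the log scan is what catches an authenticated account behaving like an exfiltration job.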
How does a 17-year-old amass the knowledge to hack through the multiple security layers between the data and the culprit?
Even if security is lax, it can't have been trivial.
Either the culprit had access to the systems via a relative leaving a computer unlocked, they had the credentials, or they were just a patsy for a more skilled entity with the skills, expertise and experience to do this.
At a guess they'd need to circumvent AD, 2FA and a VPN appliance. None of that is trivial and should be far, far beyond a script kiddie.
I started coding when I was 9 years old back in 1982. I was tall, spotty and into Iron Maiden and Saxon by age 12, I wasn't exactly popular among the girls as a teenager!
So I spent most of my youth in my bedroom alone hacking assembler until midnight most nights. When you're a 14-year-old geek you have 2-3 friends who are into the same things as you, so you're in competition with each other to learn more and impress each other; you soak up knowledge like crazy and you have boundless energy. I once coded straight from 6pm Friday night until 2am Sunday morning living just off sweets and whatever my mum cooked me, up until I just fell off my chair and crawled to the bed for 5 hours' kip and carried on for another 8 hours. I was obsessed with learning more and more so I could beat my mate over a tricky problem we'd found in some Z80 assembler code we'd disassembled in something.
Back then we had to learn stuff on our own with just books and mags, we didn't have forums. These days kids into the same thing have thousands of posts, code samples, FOSS, forums that will encourage competition between people willing to put in the time.
We all think all kids today are glued to TikTok 24/7, a lot are but there's a lot of very smart, driven kids out there who are misled into dodgy areas such as hacking, the thrill of showing off in front of your peers is timeless for teenagers and the most powerful driving force there is for kids.
@Plest
Most of us on this forum have a similar history.
Big difference is that a Z80 Spectrum was an 8-bit home computer with up to 128KB of RAM.
It took you a weekend to decode some Z80 Spectrum assembly code to achieve something before your buddy did; this guy had at least 3 different systems to defeat, plus navigating through an unknown environment to access sensitive information he likely didn't know was there.
At my place of work we have multiple teams whose job it is to implement and support aspects of those types of systems, ensuring they satisfy penetration testing before being implemented, with ongoing periodic testing, and are in compliance with the vendor and industry best practices.
I assume that TfL systems are similarly implemented, scrutinised and tested.
How is a motivated 17-year-old going to learn AD and learn how to defeat it against best practices?
Makes sense if it's a gang of hackers or a nation state with teams of experts etc., but a lone 17-year-old defeating multiple systems and then not having the skills to prevent being traced doesn't pass the sniff test.
Beer, as it's Friday; I'm sure it's noon somewhere.
@tip pc
If it was a 17-year-old then being traced is not that unlikely (IMHO): breaking in is the exciting thing, covering your tracks far less of an adrenaline rush, and it's far easier for people to find exploits online than it is to find really good* advice on how to act stealthily.
Plus you are assuming best practices and well-patched systems, often not the case even in large organisations.
And never forget the human factor, be it shoulder surfing usernames/passwords, finding them written down, phishing emails to get creds, the helpdesk social engineering approach etc. Depending on the creds you get it might be a key to the lowliest door and a long slog to work up from there, or it may be at or near keys-to-the-kingdom level**.
* Lots of fairly poor advice out there about how to cover your tracks
** Never underestimate the likelihood of those high up in an org being at least as easily duped as those nearer the bottom in creds phishing attacks. Plus there's some quite good tooling out there to generate convincing speech based on voice samples of an individual, so an attacker can plausibly sound like a CEO, CFO etc. (the hard part may be getting the voice sample to begin with, depending on the "visibility" of the target; e.g. there are lots of video clips of many CEOs, as part of a CEO's job is public-facing speeches etc.)
"Plus there's some quite good tooling out there to generate convincing speech based on voice samples of an individual"
There's an ad on YT for a product that lets you change your voice to all sorts. If you need an older male voice with a Sydney accent, they might have it. A mature lady's voice to play the part of a VIP's secretary... A young girl's voice to be the company president's daughter. The product is supposed to be for independent content producers, but I see it as a social engineering dream.
"Back then we had to learn stuff on our own with just books and mags, we didn't have forums. These days kids into the same thing have thousands of posts, code samples, FOSS, forums that will encourage competition between people willing to put in the time."
You must really go back. I'm no spring chicken and was on a few BBSs before the internet that had discussions about *things*. I'd have to save up to do any war dialing, as calls to a number 10 miles away could be "local long-distance" and cost money. I didn't know about blue boxing until the telcos pretty much cut that off. (I do have a Captain Crunch whistle.)
Today it's far easier to find more information in a snap. I don't have to dial into a system from a POTS line either, I could use the wi-fi of a downtown hotel. Slow but pretty anonymous. The speed is considerably faster too.
"even if security is lax, it can't have been trivial."
Just realize that a teenager living at home has nearly no costs so doesn't have to work to eat and also has lots of free time to fixate on something. They might be skilled, but could also have stumbled across some insecure information left lying around by some contractor and used it to access something. The point is that the victim wasn't chosen in advance and was just picked based on that insecure load of Login/Pass pairs that was found.
I'd agree that if you picked TfL as your target and worked from there, it might be a tough nut to work cold.
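The scenario in the comment above is an attacker reusing a found load of login/password pairs. The defensive counterpart, as an added example (not code from the thread or from TfL), is to screen passwords at set time against known-leaked ones without the password or its full hash ever leaving the client: hash with SHA-1, send only the first five hex characters, and match the returned suffixes locally. That is the k-anonymity "range" query shape used by the Pwned Passwords service; here the server side is simulated in-process over a constructed dump so the whole thing runs offline. The dump contents and account names are made up.

```python
"""Screen a candidate password against a leaked credential dump using a
k-anonymity range query.

Added example, not code from the thread. The "server" is simulated locally
over a constructed dump; against a real service only `leaked_count` would
run on the client, with `query` doing an HTTPS GET for the 5-char prefix.
"""
import hashlib
from collections import defaultdict

# Constructed stand-in for a dump left lying around (username:password lines).
LEAKED_DUMP = """\
alice@example.invalid:Password123
bob@example.invalid:letmein
carol@example.invalid:Summer2024!
dave@example.invalid:letmein
"""


def build_range_index(dump_text):
    """Server side: bucket leaked passwords by the first 5 hex chars of their
    SHA-1, keeping {suffix: count} per bucket. Usernames are discarded."""
    index = defaultdict(lambda: defaultdict(int))
    for line in dump_text.splitlines():
        if ":" not in line:
            continue
        _, _, password = line.partition(":")
        digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
        index[digest[:5]][digest[5:]] += 1
    return index


def range_response(index, prefix):
    """Server side: the body for a 5-char prefix query, one 'SUFFIX:COUNT'
    per line. An empty bucket yields an empty body."""
    bucket = index.get(prefix.upper(), {})
    return "\n".join(f"{suffix}:{count}" for suffix, count in sorted(bucket.items()))


def leaked_count(password, query):
    """Client side. `query(prefix)` performs the range lookup; only the prefix
    leaves the client, and the suffix match happens here. Returns how many
    times the password appears in the dump (0 if never)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in query(prefix).splitlines():
        got_suffix, _, count = line.partition(":")
        if got_suffix == suffix:
            return int(count)
    return 0


def check_against_dump(password, dump_text=LEAKED_DUMP):
    """Wire the simulated server to the client check for a single password."""
    index = build_range_index(dump_text)
    return leaked_count(password, lambda prefix: range_response(index, prefix))


if __name__ == "__main__":
    print(check_against_dump("letmein"))                        # 2
    print(check_against_dump("Password123"))                    # 1
    print(check_against_dump("correct horse battery staple"))   # 0
```

The privacy property is in `leaked_count`: the server only ever sees a 5-hex-character prefix, which maps to many thousands of real-world hashes, so it cannot tell which candidate was being checked; the client does the exact match.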
It’s more that some of this stuff is tricky enough to implement when it’s your job and you have all the equipment, plus professional services, plus vendor support.
Due to the blame game, public facing entities like to stack their implementations with logos so when the fan starts running they can evidence they did everything right according to vendor best practices etc, including having the vendor or its affiliated partner to install, implement and train staff on use.
Everything should be stacked against a hacker gaining non-authenticated access, leaving authenticated access as a remaining probability which should be mitigated as well as possible.
This fuels my view that the "hacker" had access via a relative's or friend's legitimate access, likely remote access.
I still doubt very much that a 17-year-old can sidestep at least three technologies in the way to the data, regardless of how smart and motivated they are.
I bet we never get the detail.
Yes, we have bail, or bailed out (of jail), but some places are doing away with it?? Not sure why. So we have Dog the Bounty Hunter and Dale Gribble. But bail or bailing is a slang term for leaving, cutting your losses, going away fast. Think bailing out of a damaged airplane... so, leaving a bad situation!
TfL was hacked about 2 weeks before. Apple Watches stopped working on the barriers for a whole day at times.
Last week TfL tried taking 5k from my account. It has taken at least double the correct travel charges. Instead of £3.20 it's 2 × £6.10.
I have cancelled the card and shifted all the money out, and run that account on a need-to-use basis now, with minus funds unless needed.
I don't even want to read this article. Station guard at Victoria agreed. Someone is rinsing the accounts of TfL users but in a hard-to-notice way, apart from the all-day requests for the 5K which my bank caught, TG.
I hate being a doomsayer but I feel this hack is massive. Really massive. AI is in there. I can feel it. This hurts. Password warnings are popping up on my iPhone. All changed daily ATM by me.
My stomach is turning. This is not a group of hackers. No way. I wouldn't be surprised if this was a one-man show who ran this all through some of the AI models like we have in quarantine. All he would need to do to build that is to use an LLM to create a hybrid model of second abstraction using the 'sub-atomic'-like (Christ this is tricky ...) synaptic-like 'data'. It turns out that there is a world of data in-between the neurons. Same with next-gen AI/SI.
the AI can escape all current guardrails and security with hyper-loop/encoding hacking.
That is what I would do.
It might even be easier. If TfL have an in-house LLM and that somehow got exposed to the internet, then that is a piece of cake. I bet that is what happened. Some tart didn't localhost their LLM. LOL. Do they have a chatbot? This is going to be such fun.
You'd rather they say data has been stolen but they don't know what or where from? They have to notify the ICO within 72 hours and it makes sense at that point to also make a public holding statement while they work out what's happened. It's not impossible to believe that statement was true at the time it was made.
I think people can be too quick to claim malicious intent from a holding statement, especially when the complexity of systems mean that tracing the breach and its impacts means answers won't be forthcoming quickly.
I think they have done a fairly decent job of communicating so far when you compare other organisations' responses to similar events.
Shouldn't teenagers capable of running rings around complacent corporate and government agencies be sent to a 'boot camp' wherein they receive intellectual stimulus and are enabled to hone their skills for constructive uses? Of course, in a nation run by unimaginative people, that will never happen. Instead, unrelenting application of legal 'due process' will stultify the youth's potential and deny the community an asset.