Off The Rails


Top: The Luas homepage this morning; a threat which appeared on the homepage earlier today; and tweets from the Luas account

RTE reports:

The website of Dublin’s tram service is offline with a message claiming it has been hacked.

Users trying to access luas.ie are seeing a message which threatens to “publish all data and send emails to your users” unless “1 bitcoin” is paid in five days.

One bitcoin is currently valued at €3,385.

Luas said on Twitter that it has technicians working on the issue and travel updates will be made on its Twitter account.

Anyone?

Luas website offline after being compromised; message threatens release of data (RTE)

44 thoughts on “Off The Rails”

    1. Anomanomanom

      Believe me any one buying bitcoin now will definitely not lose money. Hold it for a year and you’ll make money.

      1. Starina

        that’s what I was told a year and a half ago. My 50 euro of Lithium and Bitcoin is now worth about a fiver.

        1. Cian

          Invest in sterling. It is totally undervalued at the moment. It will skyrocket in value in March.

        2. Anomanomanom

          Well if it was 18 months then you should be still up cash, also you got greedy because it went way back but you didn’t sell.

      1. Ron

        Cian, you are the lead commentard and you’re so oblivious to your own stupidity that you don’t even realise you are the lead..

  1. Martco

    reckon this crisis will pass when we build a new metro system by 2100AD or something ;)

    letmein123

    1. J Dizzle

      That’s flipping terrible, fupp them who cares if ppl know your browsing habits. Was this long ago?

    2. Plops

      Did that really happen to you? Don’t give them a shilling. low life scum.
      Unless you were looking at something illegal, who cares what you’ve looked at on the internet.

    3. Eoin

      Hiya Daisy, just in case that is a real email that you or anyone else has received, if you Google “porn ransom”, it will reveal the background to the email which, because it includes a password you have actually used in the past, gives an impression of authenticity.

      In short, a whole bunch of websites like LinkedIn, Mastercard and others have been hacked over the years. Criminals buy the emails and accompanying passwords, and that’s how they construct the ransom demand you received. It’s the password that gets your attention and makes you think they have you. Just ignore it.

      There is an online tool, can’t find it at mo, which allows you to enter your email address and it will confirm if the email address was one that was hacked from LinkedIn etc.

    4. rotide

      I’m genuinely surprised there’s so many people who don’t realise this is a scam and think it’s directly targeted.

  2. SOQ

    Not one media outlet reported this correctly.

    The Luas operator is Transdev. They are responsible for the website. Luas did not get ransomed, Transdev got ransomed which is potentially a very serious matter if any customer’s personal details were stored on that site.

    Their IT system security will now be audited by the owners (TII) and if found negligent, could result in their contract being cancelled.

    Serious poo.

    1. :-Joe

      The website is being hosted by an ‘murican company who specialises in “sucuri-ty” https://sucuri.net/company/

      The Irish state have outsourced the contract to international global conglomerate transdev who are being paid to manage the Luas transport service and are headquartered in Paris which is also in the EU.

      Anyone who knows anything about websites and data security will tell you that you should not host data, especially when it relates specifically to EU citizens on behalf of an EU sovereign state, outside the jurisdiction of the EU.

      It should be kept in Ireland in an ideal scenario and hosted by an Irish company or at least have it stored securely within the EU as a worst case scenario.

      Even better, if you care about real security and privacy from government agencies and other spying groups then host the data in Switzerland, Iceland or a country that has laws, legal frameworks and infrastructure that respects data privacy and security and is more focused on human rights.

      Whatever the location of the data may be, why Ireland has any of your personal data being supposedly protected by a ‘murican based company is frankly laughable and a serious case of negligence on behalf of the government in the first place.

      If you use any of these online services in Ireland then buy blank Leap cards with cash or anonymous payment methods like gift credit cards etc and don’t put your real name address or dob or any accurate personal details on them or their online websites.

      Always fake your personal data where possible and use cash or something like the new gift credit cards from payzone or bitcoin etc to pay for services where possible.

      Also, delete any of your facederp, gurgle military industrial advertising and marketing complex company accounts and any other accounts that are stealing your data or letting everyone else just walk around your life and grab what they like at will for profit and abuse of your rights.

      The problem is not the hackers most of the time, it’s the absolutely incompetent and/or willfully complicit governments either failing to do their job or intentionally doing most of the damage themselves in the first place.

      One or maybe a handful of hackers vs the Five, Nine and Fourteen Eyes…. I know which side I’m on.

      :-J

      1. SOQ

        Very very rarely is a site hacked and ransomware installed, mainly because the risk of being traced is much higher than the one in a thousand who might pay. Normally it comes in on an email or a phishing link thrown out to the world.

        This is not some sort of educational crusade by well meaning geeks, it is criminal blackmail which can cause absolute chaos to a business but if you think state sector is shoddy, believe me, it is nothing to most of the private sector.

        In this case, while TII had a responsibility to ensure the site was secure, the buck most definitely stops with Transdev. And another point, even if no personal data was involved, the fact that one or more malintents had access means that anything on that public service website could have been changed.

        Not good enough.

        1. :-Joe

          Oops forgot to send this last night…

          @SOQ My last post was not meant as a direct reply to you… Just in in case there was any misunderstanding there…

          Ye most ransomware is spread through automated phishing, viruses, worms and malware installing itself on random devices and then programmed to alert a remote computer when activated by the victim and the process has started…

          Although, it’s not that difficult to focus on a target website or computer especially if you’ve already found the vulnerability in a system either intentionally or by any other means. In most cases hackers find these flaws through random curiosity. Good or bad, it makes them an important part of the equation in progress and strengthening the security of the network.

          It looks to me like the hacker was looking for a bounty reward or at least some credit or acknowledgement for pointing out the vulnerability on the website and could easily be Irish or living in the state.

          After no reply or reward it’s typical that any hacker will get frustrated and often malicious and decide to flex their ability to cause a bit of chaos. Most of the time it’s just to prove a serious point about weak data security, nevermind satisfying ego.

          It could just as easily be an entirely fake or automated message just to up the ante and seem more of a threat to get paid faster or gain notoriety amongst peers. I’m not convinced it’s even intentionally a serious demand and not automated, fake or a joke. It’s obviously irresponsible and illegal to hack a website and threaten the release of data, but you have to look at it both ways.

          If the hacker warned the site about serious flaws and the company did not engage in dialogue then to many and for many good reasons that is fair game. It’s the way the system works best so far until we have blockchain and AGI.

          It’ll be an even bigger farce if the site has to worry about paying a ransom or dealing with the malware to fix the problem. The security company and a contract that size will most likely have a snapshot and backup of the site to recover from. We’ll probably find out that the data was leaked either way eventually but nothing much will be said about a pay-off…. other than refuting it would happen for obvious reasons.

          Anyway I don’t agree the fault at source lies with newscorp, siteserv or transdev etc.. whatever the bland dystopian corporate name is…

          The government and the EU shouldn’t be allowing Irish user data to be managed by, let alone stored on, foreign servers outside the EU and especially not by companies operating from ‘murica where there is ZERO respect for data privacy and the most basic human rights, nevermind legal or digital rights online. Think about all the spying, mass global surveillance and manipulation they’ve been at for decades and not just on their own people. Hint: Doing it all over most of the planet right now. (Hello NSA !)

          To be fair there’s nothing much to worry about, the only data on there is basic leap card account info. The credit card info and payment history should be encrypted so that they are not stored together or can be associated. I’ve never put personal info on a government related service website before or built or tried to hack into one so I don’t know?..

          Nah.. who am I kidding.. Let’s be honest with ourselves. It’s inevitable there must be all your credit card and personal data and a whole lot more linked together from other government departments. All wrapped up in a nice little easy to access bundle of free data on everyone in Ireland… It’s the good auld ‘oirish political way… worry about it later..let someone else deal with it so we can blame them.. grab a few perks and wa-hey!…

          It’s another case of privatisation of a public service by a lousy greedy incompetent non-government satisfying foreign interests thanks to the ff/fg “establishment for the wealthy elite” party..

          We have swapped extreme right wing “stamp on the poor” politics for extreme global finance and shareholders first before citizens of the EU and the planet as a whole.

          The neoliberal fantasy of globalisation has failed. We have no leaders or leadership anymore, just beige middle managers standing over the burning corpse of 20th century ideas of social democracy giving a free ride to monopolies and oligarchies.

          It was fun while it lasted…. kick back and bask in the anthropocene and wait for the next oncoming phase in the ongoing global psychedelic fascist oppression of the third industrial revolution.

          It’s not synthetic intelligence and the robots that worry me, it’s the f***cking sheer lack of intelligence coming from the humans we already have.. Humans who are failing badly at being or even looking like humans, let alone politicians. Failing at even acting like leaders while seemingly intent on flying this giant wonky spaceship into an asteroid…

          Don’t believe the neo-fascist corporate advertising and marketing propaganda hype. Privacy is not dead. Like poor auld Shergar, it’s just been and is continually being buried somewhere nearby, but we will find common sense collectively to wake up and resurrect it one day… Eventually.

          :-J

      2. Cian

        calm down :-Joe, it’s http://www.luas.ie ; what personal data would be on it? it tells me how much the fares are, and stuff about the stations. It’s not my bank details or nuclear launch controls.

        1. Martco

          mmm. you can say that maybe but he’s talking about old school safety precautions & personal responsibilities there that generally seem to have vanished from the vernacular altogether (and I mean amongst many so-called pros, not the youngwans on snapshite or whatever the latest social toys are!)

          the problem is most people don’t care until they have to care & if someone educated in good practice tries to express it they can be fingered as tinfoil hatstand yet the essence of what he’s saying there is bang on.

          from personal professional experience I can tell you for a fact there’s some shockingly badly implemented stuff out there right now today involving your personal data, the banking system at all levels for example, poor shoddy design reliant on soft contractual obligations rather than hard actual technical & operational solutions.

          & it’s only getting worse.

        2. SOQ

          The damage done by these sorts of attacks is reputational rather than disclosure of personal data. If they can’t keep a public information website secure then serious questions should be asked about how they maintain their other systems.

        3. SOQ

          @ Marto, totally agree.

          The use of third party platforms is a classic example, even Microsoft’s Azure, where giving administration rights to develop a site will by default also give full access into a company’s 365 email system.

          There are thousands of companies out there who do not even know who has access to their 365 email systems and that incredibly serious security breach is actually being encouraged by Microsoft through their ‘trusted partner’ scheme.

        4. :-Joe

          I was calm as I am most of the time…

          Even my fitbit told me it thought my heart was about to stop and suggested I be more productive and less zen-like… if you must know.

          Even your meta data leads to the nuclear codes…. In fact your personal data alone is a nuclear code.

          Think about it… ye?.

          :-J

      3. gerry

        You are wrong, there is an adequacy agreement between the EU and the US which recognises US data protection standards as being sufficient to cover data of EU citizens and vice-versa. It is called Privacy Shield and means that a company can store the data in the US or the EU.

        However, just because the company is American doesn’t mean they don’t have servers in the EU.

        1. SOQ

          The big one nowadays is GDPR. It doesn’t matter where the servers are physically located but if they hold personal data on European citizens then they must comply. And that includes things like email addresses which incorporate the full name.

          But, location IS becoming an issue and clients are now asking where their data is to be stored. Post Brexit, a much bigger problem for British warehouses than elsewhere of course.

        2. :-Joe

          Do you really believe that ‘murica respects legal documents or agreements internationally or even internally amongst themselves?

          Shield and GDPR is a farcical distraction from what is really going on. It’s a notion and an idea for news and media to use to calm the masses into believing that things are fine, keep moving on and nothing to worry about.

          Just have a look at any of these organic search link results :

          Brought to you thanks to duckduckgo.com privacy search engine (unlike the non-organic search link results subtly manipulating and brainwashing you on gurgle search)

          https://duckduckgo.com/?q=fibre+link+us+eu+spying&t=ffab&ia=web

          The ‘muricans have an under-sea cable data link from the east coast to the coast of Britain. It should be well known that they have a permanent surveillance and monitoring system installed on the UK side at source that literally records the signal for later investigation at any time.

          Think about just recording your own internet connection from your house and how complicated that would be to analyse in any meaningful way.

          Anyway, point being those links point to how Brazil and Portugal are building an under-sea cable link to circumvent the ongoing spying and manipulation of the US in their digital affairs. Nevermind all their other analogue affairs.

          Fair effort but your Privacy Shield argument is a total fantasy….

          :-J

  3. Andrew

    So what happens to the subscribers whose email addresses were disclosed? Is there a penalty imposed on Transdev and do the ‘victims’ in turn receive any recompense for this data breach?

    1. SOQ

      The data commissioner will investigate and most likely make a list of recommendations which will be followed up in due course. There is a 4% of yearly turnover penalty cited but it is very early days so it has never been imposed.

      GDPR is a weird one in that if you can prove that you are actually taking steps to comply, that is usually enough.

      As for the subscribers, they would have to take their own legal action and prove that this breach has been harmful I expect. Knowledge that you are subscribing to a Luas newsletter is hardly going to have the neighbours pointing and staring now is it?
