MTA confirms Cyber Attack in ...
Andy Jenkinson
CEO CIP. Fellow Cyber Theory Institute. Director Fintech & Cyber Security Alliance (FITCA) working with Governments. NAMED AN EXPERT IN INTERNET ASSET & DNS VULNERABILITIES
Revelations of cyberattacks on transportation systems in New York and Massachusetts heightened concerns about the threat to U.S. businesses and essential services Wednesday, after hackers held hostage the world’s largest meat processor this week. However, why is nobody listening or taking action even after being provided Actionable Intelligence?
Over six months ago we wrote to the NY Mayor's office to alert them to our research in the area of NYC and the plethora of suboptimal websites. We received, some eight weeks later, on the 8 January, the following email from Ben xxxx, the NYC's deputy Cyber Security Officer.
I replied on the same day with further information including examples of similar transport operators, namely STM and SEPTA, who had been victims of cyber attacks, and who were in the same, suboptimal domain position as many NYC official websites including MTA. I added the fact we had recently shared similar information with Ritchie Torres' office as he had been very vocally campaigning for a central NY Cyber Centre and was himself, by virtue of maintaining a suboptimal and insecure website, flouting privacy laws and making the organisation a target for cyber criminals. My email back to Ben:
A few weeks passed and a security team member from MTA contacted me to ask if I could share the security 'gaps' they had missed and would I be ok to have a call. Several people were copied into the email and, to suit their team, the call was set up for the 12 February at 22.00 hrs UK time. I believe twelve, possibly fourteen people, from the IT and Security team from MTA were on the call. We discussed our research and shared information with them on several of the MTA domains that were using obsolete SSL certificates, were misconfigured or using mismatched certificates which rendered the website as Not Secure, exposed and highly vulnerable. A lady called Valerie played the lead role to a great extent from the MTA side and requested further information in an email the following day; I duly obliged and forwarded further information.
MTA then went silent... I followed up via email on the 16 February and the 23 February. Not a word, not even confirmation of the intelligence shared, a big fat zero... Until confirmation this week of a cyber attack, several months after I started alerting them to their insecure and highly vulnerable position which they chose to ignore...
This week's coverage, by literally every major US paper, is the typical, pumped up chests being pounded and blaming Russia, China, and anyone, and everyone else for their 'Sophisticated' attacks. It is a futile, useless blame game being played out before your very eyes.
These attacks are NOT Sophisticated, they are opportunistic attacks and prey on the oversight, ignorance or even incompetence of those charged with security. Even when we 'gifted' the information and concerns to the NYC Mayor's office, department for transport and MTA they did nothing and then a while later, became victims to a cyber attack...
This week the Steamship Authority were the latest victims to suffer an attack. As you can see they are kindly informing the public of the sequence of events. Like many before them, they have limited to no clue why. Look again at the address bar: there, as bold as brass, they are telling the world we are a travel company, we know nothing at all about internet security, and there it is confirming the fact with a Not Secure sign... In the security world this is basic security at its lowest. It not only makes them a target, but a near guarantee to be infiltrated and disrupted and hit with a ransom demand. Just as the recent cyber assault in Florida of one hundred and forty-five schools being shut down by a seventeen-year-old pupil, almost by mistake, these attacks will keep coming thick and fast and most certainly do not need State backing.
Corporate America is like a sitting duck and will continue to be so until internet security is a) acknowledged and b) prioritised. We have previously assisted CWE Mitre, NCSC, FBI, CISA and many, many more. Internet security must become mainstream or corporate America, and the rest of the world, will continue to burn.
Finally, Scripps Healthcare announced this week that they settled a ransomware payment. As you can see from above, Scripps are maintaining a suboptimal internet security position. An F and 0 is as bad as security is registered. The F can stand for FAIL, it can also stand for something else... If you are maintaining, storing, sharing or receiving PII data and need to keep that data secure, chances are, if you maintain an F, you more than likely will be f...ed.
It gives us no pleasure to see an organisation like MTA become a victim of a cyber attack. The saying "we did warn you" helps nobody, but we did, six months ago...
Whitethorn Shield
cyber security expert
3 years ago
Until it's a physical attack no one will listen.
Retired / EIR Chief Executive Officer at Intelligent-Data
3 years ago
No one has budget until they seem to find millions to pay after the breach. Drives me crazy.
Cybersecurity Executive | Board Member | Keynote Speaker
3 years ago
Reasonable care and the key questions: 1. What did you know? 2. When did you know it? 3. What did you do about it? 4. Was that reasonable?