Hacker breaks Luas tram website security demanding a Bitcoin in five days
https://www.breakingnews.ie/ireland/hacker-breaks-luas-website-security-demanding-a-bitcoin-in-five-days-895306.html The Luas website has been hacked, with the tram operator being held to ransom for one Bitcoin. It is claimed the hacker emailed the company some time ago saying that there were security holes, with no reply. The attacker is threatening to publish all data and send emails to users if they refuse to pay one Bitcoin within five days, that is around €3,400. https://files.facepunch.com/forum/upload/107290/ad9129f3-5799-4acd-8a7b-57d0862285a6/image.png
While obviously no one benefits from what the hacker is threatening, there's a strange sort of schadenfreude to seeing companies get fucked when they ignore good Samaritan attempts at helping them personally.
You know it's bad when news can publish an article and that site still has the same message displayed.
When they don't listen to the white hat, so you put on the black hat.
Only one bitcoin? Dude's gotta step up his game lmao
Yeah, that's a pretty modest ransom. Guess the dude just wants his "white hat" fee paid.
Yeah, this is actually pretty benevolent, all things considered. I don't think the attacker has any malicious intent here, really. There are far worse things they could have done, than just deface their website with a message stating "I warned you bro" and demanding an honestly very modest ransom. It's a fee that's extremely trivial for a corporation to pay, while still being embarrassing enough of a PR debacle to maybe actually get them to do something.
I wouldn't call 4000 dollars trivial. It's enough to prove the company should fix its exploits or it would face even worse next time.
If you really know anything about bug-hunter programs, $4000 really is fairly trivial for a critical security flaw, such as the alleged flaw here that exposes critical user information. Just a few quick looks. [1] [2] [3] https://files.facepunch.com/forum/upload/107272/d183d9a5-7725-43e0-a8a1-e5ee50531f46/image.png https://files.facepunch.com/forum/upload/107272/7b70cad4-87cb-445c-a7b8-2a68f59cb6d4/image.png https://files.facepunch.com/forum/upload/107272/6b028db2-c408-4ad4-9e2e-a71661c84a0c/image.png Throw in the fact the company allegedly ignored the attacker's warnings, and so throw in an extra percentage as a "spite fee," and that $4000 is actually pretty much exactly within the median range for a white-hat reward for such a flaw.
That's exactly my point though. $4000 is $4000. Yeah, it might not be that much in comparison to the overall profits a company has, but that's still $4000 that could be spent paying an actual bug hunter who fixes more than just these security flaws, or giving an employee a bonus, etc. $4000 needlessly spent is the kind of thing a financial office tries to cut down on, so the company is going to take notice of it. It might be trivial in comparison to the overall worth of the company, but it's not to the people who have to deal with it.
If $4000 is all I had to pay to get my systems back up and running, HO would consider that a smaller expense than upgrading our hardware (a $45,000 estimated operation) or hiring a full-time systems management company ($60,000 a month).
If I had to guess, he probably does this kind of stuff for a living and wasn't too happy about being ignored. All things considered, this seems like a pretty effective idea to get your point across. Clearly wasn't after extortion money or he would have asked for a lot more. Might cost him quite a bit of jail time if he gets caught, though.
$4000 on a bug bounty/ ransom (because you ignored the initial bug disclosure) is a lot, lot less than the company would have been paying for proper penetration testing and dedicated bug hunters. $4k is a considerable amount for an individual, but for a company $4k for a bug that lets someone hijack their entire website is a literal drop in the ocean.
$4k is also a LOT less than one would be paying if the hacker was actually doing something dangerous. There's a decent chance the hacker did nothing but deface the website, too. That being said, I've reported exploits to Google and Facebook and have been cheated out of bounties before because they "don't seem fit," so bug bounty programs hold a sourness in my heart.
You obviously don't get it though, since you sound like you're seeing it from the common person's point of view. That money could be spent on someone who can fix this issue, yes, like the person that warned them of this issue, but they chose to ignore them. Think about it properly.
Wow, only 1 bitcoin? If it were me I would have asked for at least 3-5 times as much.
Literally my point. It's just an amount that I'm sure a company would not like to pay in the future, and so they'll fix their servers. That's it.
Aren't hackers who hold websites for ransom after asking to fix it called Grey Hats?
Doesn't seem like they paid the guy, and they claim the customer data wasn't compromised. Interestingly, the bitcoin address had some activity though. Bitcoin address 3FsR4CTUmumBJK12Zk8QRwdpPTJEY11aSX received 0.00026382 BTC, which is exactly 1 USD.
My understanding of gray hats is that they are people who penetrate security systems without permission as a sort of challenge, to prove to themselves or to others that they can, or just to learn about a given security system. Where white hats penetrate systems with permission for the explicit purpose of helping the system-owner find and patch security flaws before others can exploit them; and black hats penetrate systems solely for the purpose of exploiting the accessed information and leveraging it against the system-owner for personal gain; gray hats penetrate systems for no other reason than the fact that they can, without any intention to either help the system-owner patch the flaw, nor any intention to exploit the vulnerability for personal gain. That being said, I can absolutely see why people would consider white-hat-going-black-hat to be a gray hat. I don't think the term is often used to mean that, but I can absolutely see why someone would think it appropriate.
It is a pretty big middle finger to the company that the guy (initially) wanted to help for free. It makes them look incredibly foolish, which I am willing to bet was the intention. I bet a whole bitcoin
But nobody would take that seriously since it's such a ridiculous amount of money, 1 on the other hand is completely reasonable.
There's no actual evidence that he offered them the information for free. He said he sent them an email saying that they had security holes. He didn't say that he told them what the holes were, or that he offered that information for free.
i can be ur angel or ur devil....