Whenever I see something hit the headlines with the velocity that today’s Luas hack did, my first reaction is not to jump on it. Following the Luas strikes and knowing people are generally apprehensive about online security, it all… well it all makes for beautiful clickbait. You’ll have seen many news sources were really quick to jump out with “Luas site hacked” articles that don’t really offer much substance. I’m hoping I can take a slightly different approach.
What Happened With the Luas Website?
On January 3 2019, it was noticed that the Luas website had been defaced. This means the website familiar to us all was removed and in its place was this message:
This is known as a ransom attack: the “hacker” demands payment in return for data they claim to have stolen. In this case, the ransom was 1 Bitcoin, which at the time of the hack was worth around €3,300.
Generally speaking, defacements are a nuisance for website owners, but skilled teams can quickly revert everything.
Looking purely at the facts that emerged early on in this story, I believed it was being blown out of proportion. Here’s why…
Defacement < Hack
Defacements are often the calling card of a failed hack. Let me explain. If a hacker really got in and downloaded huge quantities of data, their best chance of getting money from a company like Transdev, which runs the Luas website, is to keep quiet and negotiate privately. Defacement is a public attack, made in the hope that the owners of the website panic and react without thinking straight; it also guarantees the site gets taken down and investigated, which is the last thing someone sitting on a genuine data haul wants.
Also, data is rarely taken in attacks like this because the kind of data a site like this holds isn’t easy to monetise.
The Luas Website Doesn’t Handle Much Data
Thankfully, the Luas website also doesn’t handle very much personal data. At first, I didn’t think they handled any at all. Immediately after the news broke, many jumped on the hack and didn’t stop to point out there was no connection between the compromised website and the likes of Leap Card.
A Luas spokesperson even came out and said themselves that their website was “static”. A static site serves fixed pages such as maps and timetables and has no database of user data sitting behind it, so if that were the whole story there would be nothing personal to steal.
Unfortunately, that’s not entirely true.
The Luas Hack Might Be a Data Breach
If I was a gambling man, I'd say this contact form is where the Luas site was compromised. So, in theory, while the site itself is static and doesn't contain any personal data, anyone who contacted @Luas via this form may have had their data taken. I still don't think data was… pic.twitter.com/vPaPTqsi7z
— Marty Meany (@martinmeany) January 3, 2019
While the Luas website was down, I did some digging and, using the Wayback Machine, found that there is one weakness where a hacker may have gotten in.
Websites with open forms like the Luas contact form are a common weak point. If what a visitor types into a form is pasted straight into a database query rather than being handled as data, the site is open to one of the most popular ways of breaking in, known as SQL injection: the attacker types database commands into the form, and the server runs them as part of its own query, which can expose or alter everything stored behind that form. In short, my theory is that hackers submitted code through the form which was then stored on Luas.ie servers, opening a backdoor for the hackers to get in.
I have to emphasise, this is my own personal theory as to what might have happened. I reached out to online security company Sophos to see if I could validate this theory, but it’s too early to know for sure.
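To make the contact-form theory concrete, here is an added example (my own code, not anything from the Luas site or from Transdev) of what SQL injection through a contact form looks like. It assumes a hypothetical `queries` table with name, email and message columns and a handler that builds its INSERT by string formatting; the earlier submissions and the attacker’s input are constructed for the demo. The same payload is then fed to a parameterised version of the handler, which stores it as harmless text.

```python
import sqlite3

# Constructed attacker input for the "message" field. Its leading quote closes the
# handler's opening string literal and its trailing quote opens a new one, so the
# subquery ends up spliced into the expression the database evaluates.
PAYLOAD = "' || (SELECT group_concat(email) FROM queries) || '"


def setup_db():
    """In-memory stand-in for a contact-form table (hypothetical schema, not the real site's)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE queries (id INTEGER PRIMARY KEY, name TEXT, email TEXT, message TEXT)"
    )
    # Two constructed earlier submissions: the data an attacker would be after.
    conn.executemany(
        "INSERT INTO queries (name, email, message) VALUES (?, ?, ?)",
        [
            ("Aoife", "aoife@example.ie", "Lost a bag on the Green Line"),
            ("Sean", "sean@example.ie", "Question about the timetable"),
        ],
    )
    conn.commit()
    return conn


def stored_message(conn, row_id):
    """What the site would later display (or mail back) for the submission with this id."""
    return conn.execute("SELECT message FROM queries WHERE id = ?", (row_id,)).fetchone()[0]


def save_query_vulnerable(conn, name, email, message):
    """Builds the INSERT by string formatting: the form fields become part of the SQL itself."""
    sql = (
        "INSERT INTO queries (name, email, message) "
        f"VALUES ('{name}', '{email}', '{message}')"
    )
    cur = conn.execute(sql)
    conn.commit()
    return stored_message(conn, cur.lastrowid)


def save_query_safe(conn, name, email, message):
    """Parameterised INSERT: the driver passes the fields separately, so they are only ever data."""
    cur = conn.execute(
        "INSERT INTO queries (name, email, message) VALUES (?, ?, ?)",
        (name, email, message),
    )
    conn.commit()
    return stored_message(conn, cur.lastrowid)


if __name__ == "__main__":
    conn = setup_db()
    # The attacker's own "message" now contains every earlier correspondent's e-mail address.
    print("vulnerable:", save_query_vulnerable(conn, "Mallory", "mallory@example.net", PAYLOAD))

    conn = setup_db()
    # The same text is stored literally and nothing else in the table is touched.
    print("safe:", save_query_safe(conn, "Mallory", "mallory@example.net", PAYLOAD))
```

The point of the vulnerable variant is that a single form submission is enough to pull other people’s details back out of the table, without any separate “backdoor”: whatever the site does with the stored message (shows it to staff, echoes it in a confirmation email) becomes the exfiltration channel. The fix is not to filter quotes but to never let form input become part of the query text, which is what the parameterised version does.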
Anyway, the important thing here is that this made me realise that there is indeed personal data stored on Luas.ie servers. Why? Because people can submit queries. To submit a query, people can hand over their name, email and phone number. In a statement which came later today, Luas confirmed that 3226 user records may have been compromised.
Do You Have a Website?
If you have a website yourself or are involved in one at all, I’m sure today gave you a fright. Well, I don’t think this will help, but you’re not in any more danger today than you were yesterday, as Brian Honan clarified to me in a tweet today.
Over at @irisscert we get notified of roughly 30,000 breaches each year. Most don’t make headlines as they are sites that are not well known. But when the website of a large organization gets hit it does make the news as many would not expect large orgs to be hit
— BrianHonan (@BrianHonan) January 3, 2019
These hacks happen all the time. However, I can offer you some tips from the guys over in Sophos.
Paul Ducklin, Senior Technologist with the company, says his two top tips for stopping online crooks are “patching and passwords”. Simply put: “patch early, patch often; pick proper passwords; and prefer 2FA wherever you can use it.”
Basically, that means when your website has a message saying you need to update, update it. Don’t use your dog’s name as a password, try passphrases and use two-factor authentication where you can.
Finally, while this did end up being a serious enough hack because people’s data may have been compromised, please do stay frosty when it comes to clickbait articles around stories like this. My personal opinion is that they often err on the side of exaggeration rather than fact.