Traffic & Transport
‘Keys to the kingdom’: hackers who gained access to heart of London transport network jailed | Cybercrime
The data of millions of commuters was stolen, Londoners were left out of pocket and 27,000 Transport for London staff were forced to reset their passwords.
Over four days in 2024 a pair of teenage hackers had London’s transport network at their mercy. Thalha Jubair and Owen Flowers had burrowed into the heart of Transport for London’s IT systems and held the “keys to the kingdom”.
While the main tube and bus networks were not directly affected, the dial-a-ride service for disabled passengers was unable to process bookings for a period. The head of TfL, Andy Lord – a veteran of British Airways – said the attack was the worst incident he had faced in his career.
TfL said the attack, which occurred between 31 August and 3 September 2024, could have caused “catastrophic damage” to its technology systems and could have led to “significant and extended transport service degradation and disruption”.
In the end, the duo were only stopped when TfL in effect “pulled the plug” on its systems.
They pleaded guilty in June, and on Thursday Jubair was sentenced to five and a half years for the attack, and Flowers to five and a half years for the TfL crime as well as for hacking two US healthcare providers.
At one point, according to prosecutors in the case, Jubair and Flowers “could have shut out and shut down TfL completely” having hacked their way to the “highest privileged access” in the system and creating a “domain admin” account described in court as “the keys to the kingdom”. They even searched through TfL’s customer database for celebrities.
The two hackers had led apparently closeted, online lives which nonetheless had a disproportionate impact on the outside world.
Jubair, 20, lived with his parents in a council flat in Bow, east London, and Flowers, 19, lived with his grandmother and uncle in a three-bedroom property in Walsall, in the West Midlands. They had communicated with each other throughout the hack using the Telegram messaging service, and Flowers recorded a livestream of the attack that Jubair broadcast while he carried out the multi-day crime.
Both were key figures within a loose collective of English-speaking hackers known as Scattered Spider, which is suspected of numerous hacks in recent years. The pair’s activities had made them wealthy, accruing millions of dollars in cryptocurrency.
The Scattered Spider name was conferred on these hackers by cybersecurity researchers who create monikers for the groups they monitor. Jubair and Flowers embraced it, exchanging messages citing Scattered Spider during the attack. Flowers warned his counterpart that his “scattered spider lvl 5 pass will be revoked” as he appeared to complain about Jubair’s slow progress. In a later group chat Jubair wrote: “SCATTERED SPIDER IS CREATING WEBS ON THE UNDERGRND.”
Flowers was known to have spent most of his time in his bedroom playing video games – a typical pathway for hackers – and using chat forums. Jubair also started out in the gaming world and would disrupt other players by stealing their usernames, before he moved into criminal activity.
Jubair, whose father is a care worker and whose mother had given up her job to act as a full-time carer for her son, was a hacker from a young age. He went to school locally, passed a number of GCSEs and had attempted to enrol at colleges. But he had always been interested in computing and gaming.
A two-day sentencing hearing at Woolwich crown court this week heard that Jubair was shown how to use a smartphone at the age of four, had a laptop and was gaming from the age of six or seven, was writing his own computer programs by the age of 10, and at 13 was introduced to hacking by older hackers.
Before the TfL conviction, Jubair had been convicted of 22 offences as a teenager, including 13 counts of fraud, two of unauthorised access to a computer, one of obtaining access to a computer, and one of blackmail. He had also been convicted in a youth court of stalking two young women and hacking into a City of London police server. Jubair was 18 when he carried out the TfL hack.
after newsletter promotion
Both defendants have been diagnosed with autism, and Jubair has depression and a severe mood disorder. Woolwich crown court heard that Jubair had tried to kill himself and that from a young age he was “isolated and bullied at school”. On behalf of Flowers, who was 17 when he carried out the hack, Adam Davis KC described his client as an “immature child trying to show off online”, who had been through an “unsettled childhood” that included contact with children’s services a year after he was born. Davis said Flowers had experienced “significant” isolation throughout his childhood and struggled with social relationships.
Flowers, too, had been active before the TfL cyber-attack. He was previously known to police and came into contact with them after turning 16. He had been subject to a cease-and-desist notice issued by West Midlands police in October 2023. Flowers was offered training to guide him away from cybercrime, which he turned down, and was given advice over computer misuse offences.
The TfL hack was not a “ransomware” attack, whereby IT systems are encrypted and data is stolen, allowing hackers to demand a ransom in cryptocurrency for decryption and return of the data.
Nonetheless, Jubair and Flowers have come into contact with vast sums of money. A previous hearing was told that $10m (£7.5m) was moved from Jubair’s crypto wallets after he was released from custody in March last year and $200m vworth of crypto had also moved through accounts belonging to him. An earlier hearing was also told that Flowers held $7.1m, including crypto, in accounts he controlled, despite having no source of income.
Neither appeared to have a lavish lifestyle. Flowers’s crypto account had been used to pay for food deliveries, while US authorities were able to trace Jubair because he paid for food deliveries using gift cards bought with crypto from an account that allegedly stored ransomware payments. Experts point to evidence that Scattered Spider attacks are often driven more by a desire for bragging rights and notoriety than financial gain.
The court heard that the TfL attack prevented live tube arrival information from appearing on the TfL Go app and the TfL website, while TfL was also unable to process any payments on the Oyster and contactless apps or to register Oyster cards to customer accounts. The attack cost TfL £39m, comprised of £29m in damage caused to IT systems and £10m in loss of income. The data of about 7 million people was also stolen.
The court heard that Jubair and Flowers got into TfL’s systems via an unnamed co-conspirator who called the TfL help desk and pretended to be an employee struggling to access the network remotely. A call handler was tricked into resetting the authentication process to a device in control of Jubair and Flowers, who then set about escalating their access.
Paul Foster, the head of the National Crime Agency’s national cyber crime unit, said the convictions had severely affected the Scattered Spider group. “Their activities and their impact have now been severely degraded as a result of this action.”
At one point during the attack, Flowers unwittingly foretold the consequences of their actions. Messaging Jubair, he said: “u won’t be laughing when ur sat in prison.”
Traffic & Transport
Drivers charging electric cars handed shock parking fines | Electric, hybrid and low-emission cars
Does refuelling your car class as parking? The answer appears to be yes if it’s an electric vehicle. Guardian Money has been contacted by several readers who were fined after charging their cars away from home.
The motorists report being caught out by signs that fail to make clear that charging points are subject to parking tariffs or to store opening times. Also, they have found some chargers being advertised as available for use when it would be a breach of the car park’s terms and conditions to use them.
Kevin Laban hoped his electric car would save him money as well as the planet. However, after he used a charger in a supermarket car park he received an expensive surprise. Through the post came a £70 parking charge notice (PCN) for using the service when the supermarket was closed.
The app operated by the EV charger operator Pod Point had directed him to a bay in an Aldi car park in Weymouth. Parking is not permitted on the site outside store opening times and, unbeknownst to Laban, EV charging is deemed to be parking by the landowner.
“Pod Point advertises the charger as open to the public, while the car park’s cameras are set to immediately fine anyone who enters to use it,” Laban says. “If the landowner does not want people charging outside store hours, the chargers must be deactivated, or the EV apps must sync with the parking restrictions.”
Laban says there were no signs in the car park, on the charger or on the app stating it could only be used during store opening times.
Aldi cancelled the PCN when Laban complained and insisted that car park terms and conditions are clearly displayed.
Pod Point told Guardian Money that landowners are responsible for notices about parking charges and restrictions displayed in its app and on site and while some prominently detail the relevant terms for EV drivers, others do not.
Laban’s experience exposes an anomaly in the rollout of EV chargers on private land: car park rules have not evolved to accommodate vehicles that stop solely to charge in a designated bay.
Another motorist, Clive Sanders*, paid more than he had bargained for when he charged his new EV in a Devon car park. He received a £100 PCN from the parking operator, Smart Parking, because he had only paid for charging. “There was no indication on the InstaVolt charger that I needed to pay the parking tariff as well as the charging fee,” he said.
“InstaVolt assured me they could get the PCN cancelled and gave me a letter to send to Smart Parking, but it refused to comply.”
InstaVolt said car park rules are set by the landowner and notices around its chargers warn that parking restrictions apply. It offered Sanders a £50 credit for the “inconvenience” after Guardian Money questioned the clarity of the signs.
“Parking terms vary from site to site and may refer to time limits rather than charges, so to tell drivers that ‘parking charges apply when charging’ would not accurately reflect the range of conditions that exist across our network,” a spokesperson said.
“That said, we do recognise that for drivers who are newer to public charging, the distinction between charging fees and site-specific parking terms may not always be immediately obvious.”
Smart Parking said it was up to drivers to check the terms and conditions before using the car park. “There is no free parking and motorists must pay for the duration they stay,” a spokesperson said. “In this case, the driver stayed for nearly an hour without paying for his parking, so was he correctly issued a charge.
Anthony Stone* was hit with a £100 PCN after using an advertised charger in a Holiday Inn car park without registering his number plate at the hotel.
“How many contracts should a driver be expected to enter to charge a vehicle?” he said. “I understood that I was contracting with the charger operator to provide electricity, but it seems I was also entering one with the hotel or its parking operative.”
A spokesperson for Holiday Inn said vehicles are identified by ANPR cameras that do not distinguish between parking and charging. It claimed that the display screen tells drivers to register their cars for free parking before charging. It agreed to cancel the PCN after Guardian Money got in touch.
PCNs for charging are an increasing problem for EV drivers, according to the motoring group the RAC. “Signage needs to be clearer, so drivers realise straight away whether they need to pay for parking, how long they can stay to charge and the hours of operation,” said its head of policy, Simon Williams. “Equally, charge point operators should add a warning to their devices and apps to make drivers aware.”
The Ministry of Housing, Communities and Local Government said that private car parks are governed by contract law and that tariffs for using EV chargers must be clearly displayed. It said it plans to publish a new code to raise standards for private parking later this year.
* Names have been changed
Traffic & Transport
M25 traffic: Dartford Crossing lane closures after serious crash with delays
Drivers are facing massive delays to their journeys.
Source link
Traffic & Transport
‘Like a sauna’: London tube travellers swelter in temperatures higher than legal limit for cattle | London Underground
As the escalator descends below ground at King’s Cross St Pancras station in London, the shift from what was already a hot station entrance to the furnace-like subterranean depths is perceptible.
On the tube it’s worse: a man leans back in his seat, eyes closed, sweltering; people hold electric fans an inch away from their faces. London commuters are known for their stoicism and the heat appears to be another tribulation to accept. They will need to: heatwaves in the capital are becoming routine.
“We’re quite lucky that this platform is almost empty, because when the platform gets packed it’s [like a] sauna,” Anna, a passenger at Oxford Circus, says. “When it’s peak hours, it’s quite difficult.”
Anna says she usually adapts well to hot temperatures, but even she finds the heat on the platform hard to bear. Craig, another passenger, says he has to travel in gym clothes and change into his work clothes at the office because of the heat on the tube.
London’s underground isn’t adapted for the 30C+ heatwaves that have hit the city over the last few summers. Lines such as the Victoria line – the deepest on the network – and the Bakerloo line – which TfL says has some of the oldest trains in passenger use anywhere in the country – are particularly bad when it comes to withstanding the heat.
Sharmin, a barista at the Pret a Manger stationed by the barriers at King’s Cross St Pancras, says she has seen people faint in and around the station. She finds the heat so oppressive that she has asked to go home early during some of her shifts this week. She wonders why there are no coolers or industrial fans set up near Pret or the barriers. “I’ve felt like I was going to faint,” she says.
A quick glance at the thermometer I’m carrying on this unscientific investigation shows that the station is about 30C. On the platform and tube it crawls up to 32C, and then at the Victoria line platform at Finsbury Park it hits 34C. In the UK, it is illegal to transport cattle above 30C; transporting people at 34C, though, might be becoming the norm.
It’s ten degrees higher underground than it is outside at this point, according to my iPhone’s built-in weather app. Between 8am and 9am the thermometer shows readings of 34C on the Victoria line platforms at Finsbury Park, on the Victoria and Bakerloo line platforms at Victoria, and on the northbound Bakerloo line platform at Oxford Circus.
Asher Minns, executive director of the Tyndall Centre for Climate Change Research, a partnership across several UK universities, says that tube tunnels are “basically radiators”, taking on the heat of the clay and concrete around them. The carriages, platforms and surrounding tunnels are also warmed by the hundreds of kilowatts of heat the trains produce while breaking. And the warmer it is outside, the worse it gets underground.
But Minns adds that the infrastructure is difficult to adapt because of its age and the surrounding clay. It will likely be years before the network is better suited to dealing with the heat, so for now he says the focus needs to be reducing risks to passengers.
“It can’t go on like this, and it’s not going to get any better,” he says. “[The underground] absolutely has to adapt to the impacts of climate change, but right now I think [the focus] has to be looking after passengers.”
He suggests limiting the number of passengers allowed to travel when the temperature is above a certain limit, or reducing the number of tubes in service during heatwaves.
Nick Dent, TfL’s director of customer operations, said TfL was continuing to invest in making the network more resilient and comfortable as hotter summers become more common, as well as introducing new air-conditioned trains on the Piccadilly line and DLR.
Dent added that the “short-term and stop-start nature of funding over recent years has meant that TfL has had to carefully prioritise its investment and – while remaining open to measures that will help manage the impact of increasing temperatures due to climate change – has focused on programmes that will see the biggest benefits to customers”.
-
UK News4 weeks agoUK defence spending plan ‘well short of what’s required’ and harder choices needed, says John Healey – UK politics live | Politics
-
Student Life4 weeks agoHome Office proposes doubling of Campsfield capacity
-
Oxford News3 weeks agoJune heatwave would be ‘virtually impossible’ in 1976
-
Oxford Events3 weeks agoStage Watch: ‘I think we need much more laughter in the world’ says John Cleese
-
UK News4 weeks agoUS to review benefits of having troops in Europe with ‘era of free-riding’ over – Europe live | World news
-
UK News4 weeks agoDriver killed in Bedford train crash named
-
Student Life4 weeks agoOxford Union holds “This House Believes the West is Right to be Suspicious of Islam” Debate
-
UK News4 weeks agoCCTV shows moments leading up to arrest in anti-Muslim attacks probe
