Security Newswire

Anonymous Hack Exposes Personal Data of San Francisco-Area Commuters

Passengers who ride the San Francisco regional subway system are the latest innocent victims, as hacktivist collective Anonymous stole and released sensitive information belonging to more than 2,000 riders.

On Aug. 14, the loose-knit group of hackers breached MyBart.org, the Website commuters use to get information from the Bay Area Rapid Transit system. The names, street and email addresses and site passwords for about 2,400 people who'd registered with the Website were dumped on various torrent sites. Some database dumps also included phone numbers for many users. The attackers defaced the Website with Guy Fawkes masks.

The attack was in protest of two fatal shootings by the transit police and the regional subway authority's decision to temporarily suspend cell phone service in its stations, Anonymous wrote in a note. BART officials disconnected cellular antennas used at several San Francisco stations on Aug. 11 to disrupt plans for a demonstration protesting the fatal shooting on July 3 of a passenger accused of throwing a knife at a transit officer. No protest actually took place during the time the cellular link was down.

"A civil disturbance during commute times at busy downtown San Francisco stations could lead to platform overcrowding and unsafe conditions for BART customers, employees and demonstrators," BART officials said in an Aug. 12 statement. The suspension was for only a few hours and did not affect cellular service outside the stations, the officials said.

An earlier protest on July 11 had disrupted BART service in the evening. Organizers planned to use mobile devices to get the word out about the Aug. 11 demonstration and not with a "public announcement beforehand" to maintain the "element of surprise," the local-news site SFist reported.

The data breach victims had nothing to do with the decision to suspend the services or with the fatal shooting. "It is puzzling to me how exposing thousands of innocent people's personal information hurts BART more than it hurts transit users," Chester Wisniewski, a senior security advisor at Sophos, wrote on the Naked Security blog.

"It's just common sense that I shouldn't be the target," one of the victims whose details were included in the data dump told The Register, adding that he'd received a "creepy" phone call from a person claiming to be a member of Anonymous who uttered "foul language, hushed tones and threats."

Attackers exploited a SQL-injection vulnerability on the site, according to the Anonymous note. In this kind of attack, database commands are entered into a form field, such as a forum post, comment box or even a log-in box. If the developers built their database queries by pasting that input directly into the SQL text instead of validating it and passing it as a separate parameter, the database executes the injected commands and the form returns data from the database server.

MyBart.org had "virtually no security," according to the note. Adding that any "8-year-old with a Internet connection" could have breached the site, Anonymous pointed out that none of the information, including passwords, was encrypted.
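The two weaknesses the note describes, queries built from raw form input and passwords stored in the clear, side by side with the defensive pattern for each. This is an added illustration written for this article, not code from MyBart.org or from the Anonymous note; the table schema, the `riders` table name and the sample addresses are constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed in-memory table standing in for a rider-registration database
# (hypothetical schema, not MyBart.org's).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE riders (email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")

def hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted derivation: a dumped table yields hashes, not reusable passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def register(email: str, password: str) -> None:
    salt = os.urandom(16)
    # Parameterized statement: values travel as bound data, never as SQL text.
    conn.execute("INSERT INTO riders VALUES (?, ?, ?)",
                 (email, salt, hash_password(password, salt)))

def vulnerable_lookup_sql(email: str) -> str:
    # The unsafe pattern: form input is spliced into the statement itself, so a
    # quote or SQL syntax in the input changes the query's structure.
    return "SELECT email FROM riders WHERE email = '" + email + "'"

def input_is_parsed_as_sql(email: str) -> bool:
    # True when the spliced query no longer parses as the intended statement,
    # i.e. the input was interpreted as syntax rather than as a value.
    try:
        conn.execute(vulnerable_lookup_sql(email)).fetchone()
        return False
    except sqlite3.OperationalError:
        return True

def lookup_safe(email: str):
    # Placeholder binding: the same input is matched literally, quotes included.
    return conn.execute("SELECT email FROM riders WHERE email = ?", (email,)).fetchone()

def login_safe(email: str, password: str) -> bool:
    row = conn.execute("SELECT salt, pw_hash FROM riders WHERE email = ?",
                       (email,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Constant-time comparison of the recomputed hash against the stored one.
    return hmac.compare_digest(hash_password(password, salt), stored)
```

An address containing a single quote is enough to show the difference: the spliced query stops being the statement the developer wrote, while the parameterized lookup simply finds no such rider.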

"It's time for organizations that store customer data to step up and take responsibility for the information they have been trusted with," Josh Shaul, CTO of Application Security, told eWEEK. If the database contains any sensitive information, then organizations "simply must" directly protect the databases and not rely on perimeter defenses such as corporate firewalls and antivirus systems, Shaul said.

Consumers need to start demanding that businesses they work with have better information security practices. "If the market doesn't punish those who lose our data with complaints and lost customers, this flood of successful attacks is not going to stop," Shaul said.

Anonymous and similar groups of protest-hackers have breached a number of major government-related Websites recently, including an attack that exposed information from 70 law enforcement agencies around the country.

Anonymous released some information on follow-up OpBART attacks, including a campaign to bombard email addresses and fax numbers with messages, an effort to knock the site offline, and a "physical protest" at the Civic Center BART Station.

BART officials said the agency was preparing for further attacks from Anonymous but stressed that the Web infrastructure was separate from any networks running BART transportation services, so train service would not be affected by any further incidents.
