Security 500 conference     

 Don’t miss the networking event of the year for security executives!
Register today for the Security 500 Conference.

Security Newswire

Anonymous Hack Exposes Personal Data of San Francisco-Area Commuters

August 15, 2011
/ Print / Reprints /
ShareMore
/ Text Size+

Passengers who ride the San Francisco regional subway system are the latest innocent victims, as hacktivist collective Anonymous stole and released sensitive information belonging to more than 2,000 riders.

On Aug. 14, the loose-knit group of hackers breached MyBart.org, the Website commuters use to get information from the Bay Area Rapid Transit system. The names, street and email addresses and site passwords for about 2,400 people who'd registered with the Website were dumped on various torrent sites. Some database dumps also included phone numbers for many users. The attackers defaced the Website with Guy Fawkes masks.

The attack was in protest of two fatal shootings by the transit police and the regional subway authority's decision to temporarily suspend cell phone service in its stations, Anonymous wrote in a note. BART officials disconnected cellular antennas used at several San Francisco stations on Aug. 11 to disrupt plans for a demonstration protesting a fatal shooting of a passenger accused of throwing a knife at a transit officer July 3. No protest actually took place during the time the cellular link was down.

"A civil disturbance during commute times at busy downtown San Francisco stations could lead to platform overcrowding and unsafe conditions for BART customers, employees and demonstrators," BART officials said in an Aug. 12 statement. The suspension was for only a few hours and did not affect cellular service outside the stations, the officials said.

An earlier protest on July 11 had disrupted BART service in the evening. Organizers planned to use mobile devices to get the word out about the Aug. 11 demonstration and not with a "public announcement beforehand" to maintain the "element of surprise," the local-news site SFist reported.

The data breach victims had nothing to do with the decision to suspend the services or with the fatal shooting. "It is puzzling to me how exposing thousands of innocent people's personal information hurts BART more than it hurts transit users," Chester Wisniewski, a senior security advisor at Sophos, wrote on the Naked Security blog.

"It's just common sense that I shouldn't be the target,” one of the victims whose details were included in the data dump told The Register, adding that he'd received a "creepy" phone call from a person claiming to be a member of Anonymous who uttered "foul language, hushed tones and threats."

Attackers exploited a SQL-injection vulnerability on the site, according to the Anonymous note. In this kind of attack, database commands are entered inside a form, such as a forum post, comment box or even log-in box, and if the developers didn't enter proper error-handling methods in the code, the form would return data from the database server.

MyBart.org had "virtually no security," according to the note. Adding that any "8-year-old with a Internet connection" could have breached the site, Anonymous pointed out that none of the information, including passwords, was encrypted.

"It's time for organizations that store customer data to step up and take responsibility for the information they have been trusted with," Josh Shaul, CTO of Application Security, told eWEEK. If the database contains any sensitive information, then organizations "simply must" directly protect the databases and not rely on perimeter defenses such as corporate firewalls and antivirus systems, Shaul said.

Consumers need to start demanding that businesses they work with have better information security practices. "If the market doesn't punish those who lose our data with complaints and lost customers, this flood of successful attacks is not going to stop," Shaul said.

Anonymous and similar groups of protest-hackers have breached a number of major government-related Websites recently, such as the information from 70 law enforcement agencies around the country.

Anonymous released some information on follow-up OpBART attacks, including a campaign to bombard email addresses and fax numbers with messages, knocking the site offline, and a “physical protest” at the Civic Center Bart Station.

BART officials said it was preparing for further attacks from Anonymous but stressed that the Web infrastructure was separate from any networks running BART transportation services, so train service would not be affected by any further incidents.

 


 

Did you enjoy this article? Click here to subscribe to Security Magazine. 

You must login or register in order to post a comment.

Multimedia

Videos

Image Galleries

ASIS 2013 Product Preview

ASIS International 59th Annual Seminar and Exhibits, September 24-27 in Chicago, Illinois, will include an exhibit hall packed with innovative security solutions. Here are some of the products that will be shown at ASIS this year.

Podcasts

Virtualization and Data Center Security: What You Need to Know for 2014

Data centers are increasingly becoming the center of the enterprise, and data center and cyber security is following the same path for security departments. According to Justin Flynn, a consultant at the Burwood Group, the virtualization of data centers allows enterprises to scale more easily and faster, with a smaller footprint.

However, hosting enterprise data in the cloud can make intrusion detection more difficult – how can enterprise security leaders team up with other departments to keep aware of cyber risks and traffic, and physical and data compliance during the virtual transition? How can CISOs and CSOs discuss cyber threats with the C-Suite to get the resources they need? And how can the proper infrastructure test and verify possible malicious attacks? 

More Podcasts

Security Magazine

Security Magazine 2014 September cover

2014 October

Security takes a look at safety and preparedness for the harshest of weather phenomena in this October 2014 edition of the magazine. Also, we investigate supply chain security and the many benefits of PSIM. 

Table Of Contents Subscribe

Travel & the Ebola Risk

Are you and your enterprise restricting travel due to Ebola risks?
View Results Poll Archive

THE SECURITY STORE

comptiahighriseproductphoto
CompTIA Security+ Certification Study Guide
CompTIA's Security+ certification is a globally-recognized, vendor neutral exam that has helped over 60,000 IT professionals reach further and higher in their careers. The current Security+ exam (SY0-201) focuses more on being able to deal with security issues rather than just identifying them.
More Products

Clear Seas Research

Clear Seas ResearchWith access to over one million professionals and more than 60 industry-specific publications,Clear Seas Research offers relevant insights from those who know your industry best. Let us customize a market research solution that exceeds your marketing goals.

STAY CONNECTED

Facebook 40px 2-12-13 Twitter logo 40px 2-12-13  YouTube  LinkedIn logo 40px 2-12-13Google+

Vertical Sector Focus: Critical Infrastructures

criticalhomepagethumbFrom terrorism to vandalism, it’s preparedness, response, training and partnerships. Learn about some of the critical security issues facing this sector.

Visit the Critical Infrastructure page to read more.