Vulnerabilities / Threats
8/18/2011
08:55 AM
Connect Directly
RSS
E-Mail
50%
50%

3 Security Lessons From BART's Anonymous Breach

As BART continues to face attacks from the hacker group Anonymous, its security weak points have become painfully obvious. Here's what your IT staff can learn from BART's mistakes.

10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches
An attack on Bay Area Rapid Transit websites by the hacker collective Anonymous this week drew international attention for political reasons. But these intrusions are catching the interest of IT pros for professional reasons, since the weaknesses in BART's IT security are by no means unique to the transit authority.

On Sunday, Anonymous appeared to have attempted a denial of service attack on BART.gov, the agency's primary site, to little effect, but did manage to breach a secondary site, myBART.org, and released the private information of BART customers on an Anonymous website. On Wednesday, the group compromised the BART Police Officers Association site, again publishing private information from the database of BART police officers.

So what can IT admins learn from looking at BART's security crisis? Plenty. Here are the three biggest lessons from BART's ordeal.

1. Use Strong Passwords

This one's so basic that every enterprise IT worker who reads it might feel inclined to roll his or her eyes right now, but face it: Too many of us aren't doing the job. If the Wednesday hack on BARTpoa.org demonstrated anything, it's that far too many users are allowed to jeopardize the organization's security with flimsy passwords that any 9-year-old could break via a crude dictionary attack.

Yes, users gripe loudly when you enforce sound password security policy, but holding the line on strong passwords eliminates one of the most basic security threats any network faces. Standard rules apply: at least eight characters, at least one number, a capital, and a punctuation mark.

2. Reign In Outside Sites

After the latest breach, BART officials demonstrated an appalling lack of authority over the weakness of the compromised sites. In an interview with NPR, BART police chief Daniel O. Hartwig repeatedly passed the buck, emphasizing that the hacked sites were not operated by BART.

"When you have a site that's not controlled by the BART district and/or owned and operated by the BART district, that would fall back on the administrators and operators," Hartwig said.

While it's far from clear that Hartwig's comments reflect BART's overall IT security policy, his words betray a lack of concern for security of the organization's data, wherever it may reside. By allowing so much of its customers' and employees' data to reside outside the control of its own IT organization, BART abdicated responsibility for the security of that data.

Enterprise IT organizations know this story all too well, and diligent IT pros constantly fight the good fight to keep data assets securely within the company's control, even when working with third parties. BART failed to protect its workers by vetting the security of its third-party sites, and now it's reaping the consequences.

3. Respond Swiftly And Proactively

As of this writing, BART and its affiliates have sustained nearly a week of threats attacks from Anonymous, and the transit district's passengers and workers have taken the brunt of the attack thanks to repeated security failures.

It's unclear whether BART's IT staffers could have intervened quickly enough to prevent any data from leaking out, but the agency could almost certainly have shored up its defenses by moving quickly to lock down its security gaps (and those of its affiliated sites) when it first got word of the threat. Had BART issued a demand that all workers and members of its third-party sites take a moment to examine and beef up their security last Friday, the press would likely be telling a somewhat less depressing story about them today.

Ultimately, as they say, hindsight is 20/20. There's a lot BART could've done differently to protect the privacy of its employees and customers, and it won't help them to dwell on what could've been. But for the rest of us, watching these events mindfully can be a very helpful lesson in IT security best practices.

At a full-day virtual event, InformationWeek and Dark Reading editors will talk with security experts about the causes and mistakes that lead to security breaches, both from the technology perspective and from the people perspective. It happens Aug. 25. Register now.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2963
Published: 2014-07-10
Multiple cross-site scripting (XSS) vulnerabilities in group/control_panel/manage in Liferay Portal 6.1.2 CE GA3, 6.1.X EE, and 6.2.X EE allow remote attackers to inject arbitrary web script or HTML via the (1) _2_firstName, (2) _2_lastName, or (3) _2_middleName parameter.

CVE-2014-3310
Published: 2014-07-10
The File Transfer feature in WebEx Meetings Client in Cisco WebEx Meetings Server and WebEx Meeting Center does not verify that a requested file was an offered file, which allows remote attackers to read arbitrary files via a modified request, aka Bug IDs CSCup62442 and CSCup58463.

CVE-2014-3311
Published: 2014-07-10
Heap-based buffer overflow in the file-sharing feature in WebEx Meetings Client in Cisco WebEx Meetings Server and WebEx Meeting Center allows remote attackers to execute arbitrary code via crafted data, aka Bug IDs CSCup62463 and CSCup58467.

CVE-2014-3315
Published: 2014-07-10
Cross-site scripting (XSS) vulnerability in viewfilecontents.do in the Dialed Number Analyzer (DNA) component in Cisco Unified Communications Manager allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka Bug ID CSCup76308.

CVE-2014-3316
Published: 2014-07-10
The Multiple Analyzer in the Dialed Number Analyzer (DNA) component in Cisco Unified Communications Manager allows remote authenticated users to bypass intended upload restrictions via a crafted parameter, aka Bug ID CSCup76297.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.