Vulnerabilities / Threats
8/18/2011
08:55 AM
Connect Directly
RSS
E-Mail
50%
50%

3 Security Lessons From BART's Anonymous Breach

As BART continues to face attacks from the hacker group Anonymous, its security weak points have become painfully obvious. Here's what your IT staff can learn from BART's mistakes.

10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches
An attack on Bay Area Rapid Transit websites by the hacker collective Anonymous this week drew international attention for political reasons. But these intrusions are catching the interest of IT pros for professional reasons, since the weaknesses in BART's IT security are by no means unique to the transit authority.

On Sunday, Anonymous appeared to have attempted a denial of service attack on BART.gov, the agency's primary site, to little effect, but did manage to breach a secondary site, myBART.org, and released the private information of BART customers on an Anonymous website. On Wednesday, the group compromised the BART Police Officers Association site, again publishing private information from the database of BART police officers.

So what can IT admins learn from looking at BART's security crisis? Plenty. Here are the three biggest lessons from BART's ordeal.

1. Use Strong Passwords

This one's so basic that every enterprise IT worker who reads it might feel inclined to roll his or her eyes right now, but face it: Too many of us aren't doing the job. If the Wednesday hack on BARTpoa.org demonstrated anything, it's that far too many users are allowed to jeopardize the organization's security with flimsy passwords that any 9-year-old could break via a crude dictionary attack.

Yes, users gripe loudly when you enforce sound password security policy, but holding the line on strong passwords eliminates one of the most basic security threats any network faces. Standard rules apply: at least eight characters, at least one number, a capital, and a punctuation mark.

2. Reign In Outside Sites

After the latest breach, BART officials demonstrated an appalling lack of authority over the weakness of the compromised sites. In an interview with NPR, BART police chief Daniel O. Hartwig repeatedly passed the buck, emphasizing that the hacked sites were not operated by BART.

"When you have a site that's not controlled by the BART district and/or owned and operated by the BART district, that would fall back on the administrators and operators," Hartwig said.

While it's far from clear that Hartwig's comments reflect BART's overall IT security policy, his words betray a lack of concern for security of the organization's data, wherever it may reside. By allowing so much of its customers' and employees' data to reside outside the control of its own IT organization, BART abdicated responsibility for the security of that data.

Enterprise IT organizations know this story all too well, and diligent IT pros constantly fight the good fight to keep data assets securely within the company's control, even when working with third parties. BART failed to protect its workers by vetting the security of its third-party sites, and now it's reaping the consequences.

3. Respond Swiftly And Proactively

As of this writing, BART and its affiliates have sustained nearly a week of threats attacks from Anonymous, and the transit district's passengers and workers have taken the brunt of the attack thanks to repeated security failures.

It's unclear whether BART's IT staffers could have intervened quickly enough to prevent any data from leaking out, but the agency could almost certainly have shored up its defenses by moving quickly to lock down its security gaps (and those of its affiliated sites) when it first got word of the threat. Had BART issued a demand that all workers and members of its third-party sites take a moment to examine and beef up their security last Friday, the press would likely be telling a somewhat less depressing story about them today.

Ultimately, as they say, hindsight is 20/20. There's a lot BART could've done differently to protect the privacy of its employees and customers, and it won't help them to dwell on what could've been. But for the rest of us, watching these events mindfully can be a very helpful lesson in IT security best practices.

At a full-day virtual event, InformationWeek and Dark Reading editors will talk with security experts about the causes and mistakes that lead to security breaches, both from the technology perspective and from the people perspective. It happens Aug. 25. Register now.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-1927
Published: 2014-10-25
The shell_quote function in python-gnupg 0.3.5 does not properly quote strings, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "$(" command-substitution sequences, a different vulnerability than CVE-2014-1928....

CVE-2014-1928
Published: 2014-10-25
The shell_quote function in python-gnupg 0.3.5 does not properly escape characters, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "\" (backslash) characters to form multi-command sequences, a different vulner...

CVE-2014-1929
Published: 2014-10-25
python-gnupg 0.3.5 and 0.3.6 allows context-dependent attackers to have an unspecified impact via vectors related to "option injection through positional arguments." NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323.

CVE-2014-3409
Published: 2014-10-25
The Ethernet Connectivity Fault Management (CFM) handling feature in Cisco IOS 12.2(33)SRE9a and earlier and IOS XE 3.13S and earlier allows remote attackers to cause a denial of service (device reload) via malformed CFM packets, aka Bug ID CSCuq93406.

CVE-2014-3636
Published: 2014-10-25
D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8 allows local users to (1) cause a denial of service (prevention of new connections and connection drop) by queuing the maximum number of file descriptors or (2) cause a denial of service (disconnect) via multiple messages that combine to...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.