Vulnerabilities / Threats
8/18/2011
08:55 AM
50%
50%

3 Security Lessons From BART's Anonymous Breach

As BART continues to face attacks from the hacker group Anonymous, its security weak points have become painfully obvious. Here's what your IT staff can learn from BART's mistakes.

10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches
An attack on Bay Area Rapid Transit websites by the hacker collective Anonymous this week drew international attention for political reasons. But these intrusions are catching the interest of IT pros for professional reasons, since the weaknesses in BART's IT security are by no means unique to the transit authority.

On Sunday, Anonymous appeared to have attempted a denial of service attack on BART.gov, the agency's primary site, to little effect, but did manage to breach a secondary site, myBART.org, and released the private information of BART customers on an Anonymous website. On Wednesday, the group compromised the BART Police Officers Association site, again publishing private information from the database of BART police officers.

So what can IT admins learn from looking at BART's security crisis? Plenty. Here are the three biggest lessons from BART's ordeal.

1. Use Strong Passwords

This one's so basic that every enterprise IT worker who reads it might feel inclined to roll his or her eyes right now, but face it: Too many of us aren't doing the job. If the Wednesday hack on BARTpoa.org demonstrated anything, it's that far too many users are allowed to jeopardize the organization's security with flimsy passwords that any 9-year-old could break via a crude dictionary attack.

Yes, users gripe loudly when you enforce sound password security policy, but holding the line on strong passwords eliminates one of the most basic security threats any network faces. Standard rules apply: at least eight characters, at least one number, a capital, and a punctuation mark.

2. Reign In Outside Sites

After the latest breach, BART officials demonstrated an appalling lack of authority over the weakness of the compromised sites. In an interview with NPR, BART police chief Daniel O. Hartwig repeatedly passed the buck, emphasizing that the hacked sites were not operated by BART.

"When you have a site that's not controlled by the BART district and/or owned and operated by the BART district, that would fall back on the administrators and operators," Hartwig said.

While it's far from clear that Hartwig's comments reflect BART's overall IT security policy, his words betray a lack of concern for security of the organization's data, wherever it may reside. By allowing so much of its customers' and employees' data to reside outside the control of its own IT organization, BART abdicated responsibility for the security of that data.

Enterprise IT organizations know this story all too well, and diligent IT pros constantly fight the good fight to keep data assets securely within the company's control, even when working with third parties. BART failed to protect its workers by vetting the security of its third-party sites, and now it's reaping the consequences.

3. Respond Swiftly And Proactively

As of this writing, BART and its affiliates have sustained nearly a week of threats attacks from Anonymous, and the transit district's passengers and workers have taken the brunt of the attack thanks to repeated security failures.

It's unclear whether BART's IT staffers could have intervened quickly enough to prevent any data from leaking out, but the agency could almost certainly have shored up its defenses by moving quickly to lock down its security gaps (and those of its affiliated sites) when it first got word of the threat. Had BART issued a demand that all workers and members of its third-party sites take a moment to examine and beef up their security last Friday, the press would likely be telling a somewhat less depressing story about them today.

Ultimately, as they say, hindsight is 20/20. There's a lot BART could've done differently to protect the privacy of its employees and customers, and it won't help them to dwell on what could've been. But for the rest of us, watching these events mindfully can be a very helpful lesson in IT security best practices.

At a full-day virtual event, InformationWeek and Dark Reading editors will talk with security experts about the causes and mistakes that lead to security breaches, both from the technology perspective and from the people perspective. It happens Aug. 25. Register now.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-4403
Published: 2015-04-24
Multiple cross-site request forgery (CSRF) vulnerabilities in Zen Cart 1.3.9h allow remote attackers to hijack the authentication of administrators for requests that (1) delete a product via a delete_product_confirm action to product.php or (2) disable a product via a setflag action to categories.ph...

CVE-2012-2930
Published: 2015-04-24
Multiple cross-site request forgery (CSRF) vulnerabilities in TinyWebGallery (TWG) before 1.8.8 allow remote attackers to hijack the authentication of administrators for requests that (1) add a user via an adduser action to admin/index.php or (2) conduct static PHP code injection attacks in .htusers...

CVE-2012-2932
Published: 2015-04-24
Multiple cross-site scripting (XSS) vulnerabilities in TinyWebGallery (TWG) before 1.8.8 allow remote attackers to inject arbitrary web script or HTML via the (1) selitems[] parameter in a copy, (2) chmod, or (3) arch action to admin/index.php or (4) searchitem parameter in a search action to admin/...

CVE-2012-5451
Published: 2015-04-24
Multiple stack-based buffer overflows in HttpUtils.dll in TVMOBiLi before 2.1.0.3974 allow remote attackers to cause a denial of service (tvMobiliService service crash) via a long string in a (1) GET or (2) HEAD request to TCP port 30888.

CVE-2015-0297
Published: 2015-04-24
Red Hat JBoss Operations Network 3.3.1 does not properly restrict access to certain APIs, which allows remote attackers to execute arbitrary Java methos via the (1) ServerInvokerServlet or (2) SchedulerService or (3) cause a denial of service (disk consumption) via the ContentManager.

Dark Reading Radio
Archived Dark Reading Radio
Join security and risk expert John Pironti and Dark Reading Editor-in-Chief Tim Wilson for a live online discussion of the sea-changing shift in security strategy and the many ways it is affecting IT and business.