Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

8/18/2011
08:55 AM
50%
50%

3 Security Lessons From BART's Anonymous Breach

As BART continues to face attacks from the hacker group Anonymous, its security weak points have become painfully obvious. Here's what your IT staff can learn from BART's mistakes.

10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches
An attack on Bay Area Rapid Transit websites by the hacker collective Anonymous this week drew international attention for political reasons. But these intrusions are catching the interest of IT pros for professional reasons, since the weaknesses in BART's IT security are by no means unique to the transit authority.

On Sunday, Anonymous appeared to have attempted a denial of service attack on BART.gov, the agency's primary site, to little effect, but did manage to breach a secondary site, myBART.org, and released the private information of BART customers on an Anonymous website. On Wednesday, the group compromised the BART Police Officers Association site, again publishing private information from the database of BART police officers.

So what can IT admins learn from looking at BART's security crisis? Plenty. Here are the three biggest lessons from BART's ordeal.

1. Use Strong Passwords

This one's so basic that every enterprise IT worker who reads it might feel inclined to roll his or her eyes right now, but face it: Too many of us aren't doing the job. If the Wednesday hack on BARTpoa.org demonstrated anything, it's that far too many users are allowed to jeopardize the organization's security with flimsy passwords that any 9-year-old could break via a crude dictionary attack.

Yes, users gripe loudly when you enforce sound password security policy, but holding the line on strong passwords eliminates one of the most basic security threats any network faces. Standard rules apply: at least eight characters, at least one number, a capital, and a punctuation mark.

2. Reign In Outside Sites

After the latest breach, BART officials demonstrated an appalling lack of authority over the weakness of the compromised sites. In an interview with NPR, BART police chief Daniel O. Hartwig repeatedly passed the buck, emphasizing that the hacked sites were not operated by BART.

"When you have a site that's not controlled by the BART district and/or owned and operated by the BART district, that would fall back on the administrators and operators," Hartwig said.

While it's far from clear that Hartwig's comments reflect BART's overall IT security policy, his words betray a lack of concern for security of the organization's data, wherever it may reside. By allowing so much of its customers' and employees' data to reside outside the control of its own IT organization, BART abdicated responsibility for the security of that data.

Enterprise IT organizations know this story all too well, and diligent IT pros constantly fight the good fight to keep data assets securely within the company's control, even when working with third parties. BART failed to protect its workers by vetting the security of its third-party sites, and now it's reaping the consequences.

3. Respond Swiftly And Proactively

As of this writing, BART and its affiliates have sustained nearly a week of threats attacks from Anonymous, and the transit district's passengers and workers have taken the brunt of the attack thanks to repeated security failures.

It's unclear whether BART's IT staffers could have intervened quickly enough to prevent any data from leaking out, but the agency could almost certainly have shored up its defenses by moving quickly to lock down its security gaps (and those of its affiliated sites) when it first got word of the threat. Had BART issued a demand that all workers and members of its third-party sites take a moment to examine and beef up their security last Friday, the press would likely be telling a somewhat less depressing story about them today.

Ultimately, as they say, hindsight is 20/20. There's a lot BART could've done differently to protect the privacy of its employees and customers, and it won't help them to dwell on what could've been. But for the rest of us, watching these events mindfully can be a very helpful lesson in IT security best practices.

At a full-day virtual event, InformationWeek and Dark Reading editors will talk with security experts about the causes and mistakes that lead to security breaches, both from the technology perspective and from the people perspective. It happens Aug. 25. Register now.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment:   It's a PEN test of our cloud security.
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7245
PUBLISHED: 2020-01-23
Incorrect username validation in the registration processes of CTFd through 2.2.2 allows a remote attacker to take over an arbitrary account after initiating a password reset. This is related to register() and reset_password() in auth.py. To exploit the vulnerability, one must register with a userna...
CVE-2019-14885
PUBLISHED: 2020-01-23
A flaw was found in the JBoss EAP Vault system in all versions before 7.2.6.GA. Confidential information of the system property's security attribute value is revealed in the JBoss EAP log file when executing a JBoss CLI 'reload' command. This flaw can lead to the exposure of confidential information...
CVE-2019-17570
PUBLISHED: 2020-01-23
An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target a XML-RPC client causing it to execute arbitrary code. Apache XML-RPC is no longer maintained and this issue...
CVE-2020-6007
PUBLISHED: 2020-01-23
Philips Hue Bridge model 2.X prior to and including version 1935144020 contains a Heap-based Buffer Overflow when handling a long ZCL string during the commissioning phase, resulting in a remote code execution.
CVE-2012-4606
PUBLISHED: 2020-01-23
Citrix XenServer 4.1, 6.0, 5.6 SP2, 5.6 Feature Pack 1, 5.6 Common Criteria, 5.6, 5.5, 5.0, and 5.0 Update 3 contains a Local Privilege Escalation Vulnerability which could allow local users with access to a guest operating system to gain elevated privileges.