Anonymous Hacks myBART.org
The online hacker group Anonymous has hacked into myBART.org and released thousands of names, email and home addresses, and phone numbers, reports TheNextWeb. They’ve also defaced myBART.org, an independent website, with the hacker group’s logo, reports CNET.
The hacker group had threatened to take BART.gov offline today and also proposed a protest on Monday at 5 p.m. As of 3:15 p.m., the BART.gov website is still live.
All of this came from BART’s decision to cut cell service last Thursday in anticipation of a protest about the July 3 shooting.
Read more about it at the SFAppeal and the Bay Citizen.
What do you think: is this an effective way to protest BART’s cell disruption?
Appropriate? Yes. Whether it’s web site security or train control systems, BART should be shamed into following best practices. This is not at all unlike Bill Wattenburg’s criticism (and demonstrations) decades ago.
Effective? No. Seems to me there are a lot of grumpy commuters who have little to no sympathy for BART PD killing passengers or any sort of disruption as long as their lives aren’t at risk.
One more reason I’m glad I no longer work in SF. While I don’t agree with BART’s actions (and didn’t at times as a commuter when I worked in the city), I would never condone such a disruptive action as jeopardizing the personal information of innocent commuters who may have no other option for getting to work. Are the means Anonymous is using any less draconian than the restriction BART pulled, or justified? Hacking the site alone and leaving their ultimatum would have been sufficient.
Here’s the thing. That web site was (obviously) never secure. In an ideal world that would be of no concern. But we don’t live in the real world. Would you rather someone with more covert or perhaps insidious motives (such as financial gain) were to access the information, not tell BART, and not let you know? Or would you rather that a group with well defined intentions does this and has raised the attention of BART?
‘Cause if BART had not been made aware of the attack, think how many people could have already been accessing your information. Think about how many people may have already accessed that information.
While I’m unsure if my information was leaked, I’m not particularly angry. Why? Name, address, p.o. box and maybe a phone number aren’t particularly hard to find pieces of information. It looks like no passwords or credit card numbers were leaked (yet). The important questions in my mind are:
– Why was BART collecting information in such an insecure manner?
– Why should we trust BART with personal information in the future?
Do also keep in mind that like them or loathe them, Anonymous isn’t particularly affiliated with the people protesting the BART PD killings.
Okay, I was wrong. Anonymous did indeed release passwords. And, yeah, that rates as outright malicious by my standards.
But… WHAT THE FUCK BART? BART’s behaviour is absolutely, 100% negligent. I don’t care how wrong Anonymous is in releasing passwords (and IMO they are), BART should NEVER EVER EVER have stored them that way. Period. Full stop. If I’d written code like that I’d’ve gotten fired or lost the client.
I hope that instead of jumping to rage, BART and its riders can learn a few lessons to protect themselves in the future:
– Don’t give out unnecessary personal information. Does myBART really need access to your phone number and address? In this case, SMS updates aren’t handled through myBART.
– Try to use a number of different passwords. Even just two or three will help. That way if something like this happens, random strangers won’t readily have access to all of your accounts. On OSX there’s a great little tool called Password Assistant that you can download. It pops up the OSX password generation dialog box. Said box lets you create relatively easy to memorize yet secure passwords.
– Change your passwords semi-regularly.
– Don’t use easily guessable passwords[1]. Some of the passwords used included ‘password’, ‘mybart’, ‘bart’, and ‘sfgiants’. Anonymous either screwed up or purposefully obfuscated the data a wee bit, so I only spent a few minutes digging through the passwords. But, really, you don’t need Anonymous to guess passwords like those.
– Don’t patronize web sites that store passwords in plain text. MySpace and MPIX come to mind as sites that STILL do this. Most of the other semi-pro photo labs are the same way, sadly. Try out a site’s password reset function. If it sends you your old password, that’s bad. Contact the site’s customer service and explain why you won’t use their site (it was programmed after a night of binge drinking and is ridiculously insecure). If you /must/ use the site, use a throwaway password that you don’t use for anything else.
– For BART: don’t program your site like a bunch of morons. Don’t store passwords. Period. Put some /sane/ requirements[1] on the passwords used (minimum length, doesn’t match other user data like email address, name, or zipcode, nothing stupidly easy to guess like ‘password’ or the name of the site).
For those that are curious here’s the long winded tech bit: BART was storing your passwords in plain text. If your password was ‘foo’, somewhere BART had written down ‘foo’. This is bad, very, very, very bad. This type of thing has been out of favour for years now. Decades at this point, if I’ve remembered my Unix history correctly. Even Apple and Microsoft, two companies that have been historically lax with security, stopped doing this years ago[2] with MacOS 10.6 and Vista respectively. It’s pretty easy to see why storing passwords in plain text is bad: if someone compromises your system they suddenly have access to everyone’s passwords.
So what’s the alternative? You store a salted[3] hash[4] of the password. What’s a hash? A hash is a mathematical function that takes some input (like your password) and returns output that represents your password. The idea is that while this is deterministic (same input always equals same output), it’s difficult (and probably very time consuming) to reverse engineer. So it would work like this: you enter your password, the site computes the hash and stores it. When you enter your password to login again, the hash is computed again and compared to the original hash. If you’ve entered in the same password you’ll always get the same hash value and the site can authenticate you. But, because it’s very difficult to go backwards from a hash to a password you’ve got that extra level of security. So let’s say your password is again ‘foo’, but if BART were storing a hash this time it would save something like ‘acbd18db’.
Unfortunately, because a hash is deterministic, if you use a commonly used password the attackers could recognize ‘acbd18db’ as an indication that you’ve used a password of ‘foo’. So what do you do? You add a salt[5]. In this context salt refers to random data added to your password. So instead of calculating a hash of ‘foo’, BART might do something like calculate a hash of ‘RANDOMNUMBERfoo’ and store that. This way if someone uses a common password like foo, the attackers would still not see ‘acbd18db’ and still have to work to determine what the password was. Even if two users on myBART used a password of ‘foo’ the stored hash would be different for both of them, making the leaked data that much more useless.
1: http://xkcd.com/936/
2: OSX would actually store plain text passwords to deal with Windows file sharing (and might still do this) and transferred passwords over the network in plain text to deal with AppleTalk file sharing. Windows XP would use some cryptography if your password was over a certain length, otherwise it is, by default, /trivial/ to extract passwords from an XP machine. They had to maintain compatibility with Windows 95, after all.
3: http://en.wikipedia.org/wiki/Salt_(cryptography)
4: http://en.wikipedia.org/wiki/Cryptographic_hash_function
5: http://www.developerfusion.com/article/4679/you-want-salt-with-that/3/
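The three storage schemes the comment above walks through (plain text, unsalted hash, salted hash), as an added example that is not part of the comment or of any BART code. It uses Python's standard library only; the function names are invented for this illustration, and PBKDF2-HMAC-SHA256 with a random per-user salt stands in for the "hash of RANDOMNUMBERfoo" idea.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed demonstration of the storage schemes described in the comment.
# plain_hash / make_record / verify are names invented for this example.


def plain_hash(password: str) -> str:
    """Unsalted MD5: deterministic, so every 'foo' becomes 'acbd18db...' (insecure)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None,
                iterations: int = 600_000) -> dict:
    """What a site should store: a random per-user salt plus a slow salted hash.

    The password itself is never written down; only salt, cost and digest are kept.
    """
    if salt is None:
        salt = secrets.token_bytes(16)  # fresh random salt for every user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify(record: dict, attempt: str) -> bool:
    """Login check: recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def shared_password_leaks(password: str) -> dict:
    """Two users pick the same password: do the stored values give that away?"""
    unsalted = plain_hash(password) == plain_hash(password)
    salted = make_record(password)["hash"] == make_record(password)["hash"]
    return {"unsalted_identical": unsalted, "salted_identical": salted}


if __name__ == "__main__":
    rec = make_record("foo")
    print(plain_hash("foo")[:8])                  # acbd18db, the value quoted above
    print(verify(rec, "foo"), verify(rec, "bar"))  # True False
    print(shared_password_leaks("foo"))
```

A leaked table of `make_record` rows forces an attacker to attack each user's salted, iterated hash separately, which is the point the comment makes about two users who both chose ‘foo’.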
As an occasional user of mybart, I’m just angry about this. Any sympathy I had for Anonymous is gone. How is hacking my personal information a good way to get me on their side? Yeah, no.
“Anonymous” is an anarchist group, not a political group. They have no serious political agenda. They are just looking for excuses to cause trouble.
Thank you Alex; that’s an excellent explanation. I certainly don’t support Anonymous’s actions here in any way, nor do I think that releasing people’s personal information is a productive way to improve the situation here. But storing passwords in plaintext in this way is absolutely inexcusable; this is something anyone who develops web applications should have known for many years. If BART bothered to store its users’ information securely, this would have all been averted. If an Anonymous agent could do this within a day or two, chances are pretty good one of the “blackhats” had stolen this information already, and they aren’t inclined to let us know about their exploits.
Meanwhile, BART has shut down both Powell and Civic Center now and is about to close Montgomery, and listening to the police scanner, they are clearly scrambling and making their plan up on the spot. Apparently they’ve decided to punish every commuter in the area instead of maintaining service while providing reasonable opportunities for peaceful protests. It’s like they are a stubborn schoolmarm saying, “well if one of you can’t play nice, no one gets to play at all!”