Anonymous hacks BART, creating even more innocent victims


Anonymous continued their crusade against governments and organizations this weekend, attacking the myBART.org website belonging to San Francisco's BART (Bay Area Rapid Transit) system.

They performed a SQL injection (SQLi) attack against the site and were able to extract more than 2,000 records containing names, usernames, passwords (plain text), emails, phone numbers, addresses and zip codes.

They also defaced the website with Guy Fawkes masks, which BART has yet to remove more than four hours later.

Mybart.org defacement

While it is understandable that people are upset with BART after the recent blocking of cell phone communications to prevent protesters from organizing, it is puzzling to me how exposing thousands of innocent people's personal information hurts BART more than it hurts transit users.

Users of rapid transit are certainly not the problem, and this simply takes a bad situation and makes it worse by creating even more victims.

During my interview about the incident with KCBS radio in San Francisco this afternoon, I was asked what people can do to protect themselves against these types of attacks. What an interesting question...

Personally, I am skeptical of anyone asking for my information for almost any reason. We can't know how that data will be protected, shared or sold regardless of what the privacy policy may say.

The best approach is to not provide your personal information where it isn't needed and make sure you always use a unique password for every website, regardless of how unimportant you think the site may be.

If you are a user of myBART.org, I recommend changing your passwords anywhere you might have used the same password. Aside from that, there is little you can do now that your information has been published.

Website admins, if you are still storing passwords in plain text and haven't examined your website for SQL injection vulnerabilities, even after the attacks against Sony, I highly recommend doing so. This is not a list you want your site to be added to.


8 Responses to Anonymous hacks BART, creating even more innocent victims

  1. jagsv · 1114 days ago

    Well, another successful target of Anonymous. As you said, it's true that more people have been affected, even so many people who had nothing to do with the "riot" at first.

    At first I thought that these cyber-criminal attacks were going to be a "one-time" or two thing, but it has now become serious.

    After many cyber-attacks completed, does this mean that the next "world war" will take place on the cyber space and even more, it cannot be controlled?

    What are Anti-Hackers or Ethical Hackers going to do to prepare us for this?

    • Mike · 1114 days ago

      Anonymous are the ethical hackers, douche

      • Oliver V · 1114 days ago

        What about this makes them ethical?

      • Tiger · 1114 days ago

        Mike...If you think Anonymous are the ethical hackers, then that makes you the douche.

      • (a)nonymous · 1114 days ago

        I'd bet few members of Anonymous have ever studied ethical decision-making in any depth or even know what the tools of ethics are, never mind how to use them.

        This no more makes you ethical than running LOIC makes you a hacker. They are mere script kiddies in multiple domains.

  2. Paul · 1114 days ago

    So you protect the passengers of the transit system, one of which was shot - by hacking the accounts of those same passengers?

    Now instead of getting shot, they get shot AND hacked. Brilliant.

  3. Grank · 1114 days ago

    Frankly, anyone who codes up a public site susceptible to SQL injection in this day and age is incredibly lazy and/or incompetent and should be sued for every penny they were paid to write it.

  4. stick fickerton · 1031 days ago

    Did anyone here actually get anything hacked as a result of Anon's activity?

    BART will SELL your info, and we don't seem to mind that at all, but anon lets it be known that they can get access to it, and y'all seem to freak out. Guess what, if someone wants yer identity, they're gonna get it. Like the guy above me said, this is laziness on behalf of BART.

    Let me know if Anon charges you for pizzas unfairly, cuz I don't think anyone actually got hurt from this display.

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.