BART Cellphone Cutoff Prompts Hack by Anonymous
A BART train at the Daly City station, just south of San Francisco.
CREDIT: Wikipedia user Lensovet
Crowd control through cut-off communications — it's not just for Third World dictatorships anymore.
In a move that British Prime Minister David Cameron might have approved of, Bay Area Rapid Transit (BART), the commuter rail network for most of the San Francisco Bay Area, shut down underground cellular phone service on its system Thursday evening to quell a planned protest.
True to form, the hacktivists of Anonymous soon retaliated, breaking into the servers of a BART website Sunday and posting email addresses and passwords of hundreds of hapless citizens who'd had the misfortune of signing up for a customer-information service.
The saga began Thursday afternoon, when BART officials noticed that a local activist group, No Justice No BART, was trying to organize a "flash" protest for 4:30 p.m. PDT beginning at the Civic Center station underneath downtown San Francisco.
At 4:10 p.m., underground cellular service in the central San Francisco stations suddenly went dead, according to Twitter user Greggawatt, who spoke to Computerworld via email but didn't want his real name used.
"I noticed other riders looking quizzically at their phones as well," Greggawatt said, adding that his T-Mobile didn’t come back until the train went above ground in Oakland. "Shutting down 911 service was extremely irresponsible."
BART waited until the following afternoon to issue a press statement.
"BART temporarily interrupted service at select BART stations as one of many tactics to ensure the safety of everyone on the platform," read the statement. "A civil disturbance during commute times at busy downtown San Francisco stations could lead to platform overcrowding and unsafe conditions for BART customers, employees and demonstrators."
Mountain out of a molehill
The protest, intended to highlight the second killing of an unarmed man by BART police in two years, was indeed nipped in the bud. (Another one, this time to protest the cellular cutoff, is planned for 5 p.m. Monday.) But the move may not have been worth the resulting public-relations firestorm.
"I'm just shocked that they didn't think about the implications of this. We really don't have the right to be this type of censor," BART director Lynette Sweet told the Associated Press. "This is a land of free speech and for us to think we can do that shows we've grown well beyond the business of what we're supposed to be doing and that's providing transportation. Not censorship."
"BART officials are showing themselves to be of a mind with the former president of Egypt, Hosni Mubarak, who ordered the shutdown of cell phone service in Tahrir Square in response to peaceful, democratic protests earlier this year," the San Francisco-based Electronic Frontier Foundation said in a statement. "Free speech advocates have called out British Prime Minister David Cameron for considering new, broad censorship powers over social networks and mobile communication in the UK, and we are appalled to see measures that go beyond anything Cameron has proposed being used here in the United States."
Enter Anonymous. On Sunday, hackers associated with the nebulous online free-speech movement used a SQL injection, a common Web server exploit, to crack into the registered-user database of BART's consumer-outreach website, MyBART.org.
"BART has proved multiple times that they have no problem exploiting and abusing the people," read a rambling manifesto posted online. "First they displayed this by the two recent killings by BART police. .... Next they violated the people's right to assembly and prevented other bystanders from using emergency services by blocking cell phone signals in order to stop a protest against the BART police murders. Lastly, they set up this website called mybart.gov and they stored their members [sic] information with virtually no security."
Appended to the manifesto was a table containing the names, email addresses, ZIP codes and account passwords of thousands of Bay Area residents who'd signed up to receive emails from MyBART.org — and now are much more at risk of having their identities stolen.
The intrusion may have satisfied the hackers of Anonymous that they'd struck a blow for free speech, but the fact is that they attacked a soft target — the main BART website, bart.gov, was left untouched — and compromised the information of innocent people in the process.
"It is puzzling to me how exposing thousands of innocent people's personal information hurts BART more than it hurts transit users," wrote security export Chet Wisniewski on Sophos' Naked Security blog. "If you are a user of myBART.org, I recommend changing your passwords anywhere you might have used the same password. Aside from that, there is little you can do now that your information has been published."
It was also striking that BART riders seemed to have a better sense of computer security that BART itself.
The transit agency made two egregious errors in setting up MyBART.org: It failed to protect itself against SQL injections, and it stored its registered users' passwords in plaintext, so that anyone breaking in could see them.
The exposed passwords, on the other hand, were remarkably strong, perhaps what you'd expect from the tech-conscious Bay Area.
Instead of the usual "password" and "12345" you often find in exposed user databases, almost all the BART user passwords used both letters and numbers. Most were at least 8 digits long, and few were based on words you'd find in the dictionary.
It's too bad those passwords now all have to be changed.