myBART hack by Anonymous could have been worse

The website for several years issued randomly generated passwords, which were unlikely to be resued

The disclosure of 2,000 usernames and passwords by the hacking collective Anonymous against a San Francisco transportation website could have been more damaging, according to a doctoral candidate at the University of Cambridge.

Joseph Bonneau, who is working on a thesis on password security, analyzed the disclosed passwords and found that more than 1,300 were randomly generated when users signed up for accounts at myBART, a marketing site for Bay Area Rapid Transit (BART).

Between 2001 until 2006, myBART did not allow users to change passwords, which consisted of two digits plus up to eight lower-case characters, Bonneau said in an interview. That was good, since users were unlikely to reuse the randomly generated passwords on other accounts, such as e-mail or social networking services.

It's not uncommon for people to use the same password across a range of websites. Security experts generally advise against it, since if the password is compromised, a variety of data could be obtained by hackers by trying out the password on other sites.

In the case of myBART, which was a marketing site, the accounts that were compromised aren't valuable.

"There's no interest for criminals or even people who want to do vandalism in the myBART account, but if you can try those passwords and e-mail addresses elsewhere, you can get interesting accounts," Bonneau said.

It's rare for websites to mandate randomly generated passwords. Bonneau and a colleague, Sören Preibusch, conducted a survey in 2010 of password practices across some 150 popular websites. Only one issued a randomly generated passwords.

MyBART e-mailed the passwords to users, which may be fine for accounts that aren't that important or infrequently accessed since users can look the password up if they forget, Bonneau said. But the website stored the passwords unhashed in its database -- considered to be an unsound security practice -- which eventually led to exposure by Anonymous.

Anonymous attacked myBART after the transportation agency on Aug. 11 shut off mobile-phone service to hundreds of thousands of commuters to thwart a planned protest over two fatal shootings by its police force.

Just a few days later, Anonymous struck BART again, publicly posting names, home addresses, e-mail addresses and passwords of 102 BART police officers.

Send news tips and comments to jeremy_kirk@idg.com

Tags University of Cambrigesecuritydata breachdata protection

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service

Comments

Comments are now closed.

Latest News Articles

Most Popular Articles

Follow Us

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Resources

Best Deals on GoodGearGuide

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?