On The Far End of an Anonymous Attack

It was a typical Sunday afternoon, lazing around the house, watching some TV, and doing some chores, when the phone rang. “Hello Mr. Rubin, this is KGO News calling.”

“Really?”

“Are you aware that the BART website MyBart had been hacked into?”

Nope! I was not aware.

From the KGO news story, BART site hacked.

“We understand you had an account on that site. Well, we got all your info from the hack on-line, and someone has posted all the information of about 2400 people from that site, and information about you is on the web. We have your name, your cell phone number, and your email address. That is how we knew to call you. Oh and is your password *******?”

WHAT!!!!!??!?!?!?!? “Uh, yeah, that is my password. That was published too?”

Now I was paying attention. This reporter from ABC news had just told me the password I often use for non-critical websites. My data had been hacked, and now it was published on the internet for all to see.

The news is always full of stories of companies being hacked. They are usually all about the data that got stolen, how the company is doing what they can to secure their site, how much money it will cost them, what they lost, etc., etc. But seldom do we hear about the victims of the hack. You know, the people who actually had their data stolen. What happens to them?

OK, time for some back-story. BART (Bay Area Rapid Transit) has been the target of a number of protests lately. Much of this stems from the shooting of Oscar Grant, an unarmed black youth, shot by BART police on Jan 1, 2009. You can read that story here. On July 8th, 2010, the officer was found guilty of involuntary manslaughter, but not guilty of second-degree murder, and protests and riots broke out. On June 13, 2011, he was paroled. The protests and small riots began again. And most of these were targeted at San Francisco BART. In response to the threat of a new protest last week, BART shut down cell phone service in its San Francisco Civic Center underground station, believing that the protest was being fueled by SMS and cell phone calls. The hacking group “Anonymous”, in retaliation to this shutdown, attacked (unsuccessfully) BART’s main web site, but did manage to break into their rider site called MyBart. They said it was so easy, any eight year old could have done it.

I immediately fired up my Mac and opened my email. How odd, nothing from MyBart about the attack (an email showed up 2 hours later.) Was this some kind of a prank? The phone rang again. KGO was calling back, and wanted to know if they could send a truck out to my house to record my thoughts. How did I feel about all this attack? Would I share? Here is the ABC story.

I was angry, that is how I felt. I had nothing to do with BART issues other than being a rider. I have little choice of getting to work any other way. But the hack is not going to hurt BART at all, but it does hurt the people who had data stolen. I was now going to have to spend many hours changing passwords and making sure my accounts were not hacked as well by kiddies who found my data on-line.

And now the fun began: find all the websites where I used that password, or a similar one, and change them. So what would you do? How would you go about that?

I know the rule well, and I preach it to others. NEVER use the same password on different sites, so if one password gets stolen, you do not compromise your data on the other sites. But seriously, I log into dozens of sites a month, maybe even a week, and it becomes cumbersome to keep trying to remember all those passwords. But now that laziness is going to cost me.

Luckily for me, I use a program (not completely correctly it turns out) called 1Password. 1Password is a password manager for both Windows and Mac, and also has an iPhone app. On the Mac, when you visit a new website, assuming your version of Safari is compatible, 1Password will prompt you to save that login name, password, and website in a secure database on your computer. Using sync technology, it will also push your new info and changes to the other copies of the program (encrypted of course).

So I fired up the program, typed the published password into the search field, selected passwords as the filter, and sadly a very long list of websites appeared in the search results using that password. My work was cut out for me.

But it seems I am not using 1Password correctly. One feature that this program has is the ability to generate random passwords for sites when you create your account, and then save them for you so when you come back, it can fill in the password for you automatically. But did I use this feature? No. And will I use this feature now as I change my passwords? Probably not. And here is why:

Unfortunately, 1Password requires some integration into the web browser to work well. When this software is working correctly, I can right click on a password field, and see the 1Password menu, and choose to fill in my data for that site, or generate a new random password. The problem is, every time Apple updates Safari (which seems to be quite often), 1Password integration stops working. And on the iPhone, there is no integration at all. And it does not seem to work in Firefox at all now.

What that means is IF I use a random password, I would have to open the 1Password app, search for the site, and then copy the log in info back to the web page. If I change something, I have to enter it by hand back into 1Password. What a pain in the butt. And there are times you are not on your own machine and want to access a site. No way you will remember that random password, meaning you need to open your iPhone, launch 1Password, enter two pass codes, find the website entry, and look up the password. Not exactly simple or fast, and if you do not have your phone with you, forget about it.

I spent a good 3 hours Sunday afternoon doing this manual task, and I have not changed everything yet, and I am sure there are some I missed. Not only did I change the stolen password, but also I changed any passwords that were similar as well, since that is an easy hack to find a close password.

But the story’s not over yet. My wife and I left for dinner. On the drive out, my cell phone rang again. Another TV station wanting another interview. “Sorry, can’t do that now.” Then it rang again. There was a man’s voice on the other end. The caller ID showed a New York number.

“Hello, is this Owen?”

“Yes”

“Hi Owen, this is an anonymous friend. You need to go change all your passwords. All your data is on the internet….”

Then we went into a tunnel and AT&T dropped the call. I tried to call this person back, but a woman answered instead. She said there was no man there, it was her cell phone alone, and she had no idea what I was talking about. How curious. Seems this may have been a friendly call from an “anonymous” hacker?

After dinner, I was up until 2 AM changing passwords and updating accounts. Did I miss anything? Did anyone get in before I changed them all? I may never know. But all of BART’s so called “action” on this problem has not saved me any time. And STILL no call from BART to tell me that my password was compromised. And, I did discover from the news report that my password was stored on their site UNENCRYPTED. Seriously? Now I am really angry.

I get Anonymous’ anger and revenge thing, I really do. I was angry with BART myself for cutting off phone service, especially since this is the way they claim to warn the public of potential dangers or delays. But this group should think about who this really hurts. Not BART! It hurts people like me who used the BART system, and frankly, BART could care less about my time. They have proven that by not contacting me further.

But the lesson learned here is that your data is not safe. Be prepared. If you do not use 1Password, use another solution that keeps track, securely, of all your accounts, passwords, and websites. Think, for just a second, what you would have done if you got this phone call? Would you be ready?

Be ready!

6 thoughts on “On The Far End of an Anonymous Attack”

  1. Owen,

    I used to use 1Password the same as you do, but I’ve since gone to letting it generate at least 14 character, mixed case with numbers, passwords for me. Yes, it’s more of a pain on iPad and iPhone, but I myself went through a couple situations where sites I was using a regularly used password on got hacked and I finally decided to quit taking chances and just do the more secure thing.

    I’ve never had a problem with 1Password taking long to get a new version up when a new Safari comes out, and usually you can just edit a plist file and tell it to support the new version. Lion and Safari 5 were an exception, of course.

    On the mobile devices, yes, I have to copy and paste, but you can use 1Password’s internal browser instead, and it will autofill using that method. Or copy and paste, and you’ll stay logged in for awhile on most sites so it’s not that onerous anyway.

  2. Thanks Scott. Great info.

    And here is an update: I was informed by a local news media company that more info is coming out. The Admin password for the MyBart website was a VERY weak link. Their password was “admin123”. So not only did they keep passwords in the clear, they used a simple, easy to crack password as the admin access. Negligence at its best.

  3. Ouch. No wonder Anonymous was claiming that an 8 year old could have hacked it. They could have. I wouldn’t even call that hacking.

    It’s not right that you have to suffer because of what Anonymous did, but it’s really just as much because of how BART handles the security of their information.

    I read an interesting quote attributed to AnonOps either on twitter or IRC, not sure, but the guy was saying that he didn’t agree with it either, that leaking the data was a really irresponsible thing to do, but there’s Anonymous and then there’s Anonymous. They don’t always agree on how to do things and sometimes some members do things that are really destructive and immature. I guess it’s no shock that a group of hackers has some immature elements.

  4. Owen-

    What a horrible story, but thanks for sharing it. Maybe someone will learn from your experience.

    As for 1Password not working with Firefox: I had the same problem when I upgraded to FF5. Here’s the fix from 1Password’s Help pages:

    1Password still won’t appear in Firefox

    Often Firefox will cache some data from a previous version, causing the 1Password extension to not load. You can fix this by completely uninstalling the Firefox extension and reinstalling it:

    1. Make sure Firefox is not running.
    2. Launch 1Password from your /Applications folder
    3. Click 1Password > Preferences > Browsers
    4. Uncheck the box next to all versions of Firefox
    5. Launch Firefox and click Tools > Add-ons > Extensions. Make sure that 1Password is not listed.
    6. Step #5 is the most important step so we’re repeating it again here 🙂 Launch Firefox and make sure 1Password is not there.
    7. If 1Password is appearing in the Extensions window, click the Uninstall button on the 1Password extension and quit Firefox.
    8. Return to your 1Password window and check the box next to Firefox. If there are two versions, pick the one that you have installed and deselect the other one.
    9. Restart Firefox and click Tools > Add-ons > Extensions. Make sure that 1Password is listed.

    After following these steps, the Firefox extension will have forgotten everything about previous versions and should work correctly.

    Hope this helps!
