Anonymous OpBART steals public transportation user info

Anonymous has kept busy the past few weeks. The hacker collective launched a "Free Topiary" campaign this month in support of arrested LulzSec spokesperson Jake Davis, and held day one (of three) of the more general Paperstorm Revival over the weekend. Its latest effort - Operation BART - saw the group return to its roots. Put simply, Anonymous hacked the hell out of a site.

Anonymous' ire is aimed squarely at San Francisco's Bay Area Rapid Transit (BART) after operators killed cellular service last week to stymie gathered citizens protesting the July shooting death of Charles Blair Hill.

Operation BART was twofold. Local citizens would gather and hold a "peaceful protest" at BART's Civic Center station on Monday. Members who couldn't be there in person were asked to "show solidarity by using black fax, email bombs and phone calls to the BART Board of Directors" in an attempt to disrupt the organization. "BART decided to cut off your communications," the group explained, "and now we will flood theirs."

The Guardian confirmed a bunch of Guy Fawkes lookalikes were spotted at Civic Center station. The protest even forced operators to temporarily shut down four BART stations.

While Anonymous urged attendees to bring cameras and cell phones to counter the possibility of media spinning and "legitimize the protest," it struck another retaliatory blow in its stomping grounds. The cyber activists announced they had accessed MyBart.gov and lifted names and passwords:

BART has proved multiple times that they have no problem exploiting and abusing the people. First they displayed this by the two recent killings by BART police. Under no circumstance, unless police are shot at, make police killings acceptable. Non-lethal weapons were available to use during both incidents, providing even that was necessary, but instead they shot to kill. Next they violated the people's right to assembly and prevented other bystanders from using emergency services by blocking cell phone signals in order to stop a protest against the BART police murders. Lastly, they set up this website called mybart.gov and they stored their members' information with virtually no security. The data was stored and easily obtainable via basic SQLi. Any 8 year old with an internet connection could have done what we did to find it. On top of that none of the info, including the passwords, was encrypted.

The "user info database" has since been published online.

Sophos' Naked Security blog pondered whether such methods help or hurt the group's cause. Protesting is one thing, reasoned Chester Wisniewski, Senior Security Adviser at Sophos. But releasing the personal information of those who use BART to commute is quite another. "This simply takes a bad situation and makes it worse by creating even more victims," he wrote.

Anonymous has offered its sympathies to those possibly affected by the data leak, but attempted to shift the blame.

"We apologize to any citizen that has his information published, but you should go to BART and ask them why your information wasn't secure," the group said, adding that it's likely just BART employees who will be "abused."
