It was a typical Sunday afternoon, lazing around the house, watching some TV, and doing some chores, when the phone rang. “Hello Mr. Rubin, this is KGO News calling.”
“Are you aware that the BART website MyBart had been hacked into?”
Nope! I was not aware.
“We understand you had an account on that site. Well, we got all your info from the hack on-line, and someone has posted all the information of about 2400 people from that site, and information about you is on the web. We have your name, your cell phone number, and your email address. That is how we knew to call you. Oh and is your password *******?”
WHAT!!!!!??!?!?!?!? “Uh, yeah, that is my password. That was published too?
Now I was paying attention. This reporter from ABC news had just told me the password I often use for non-critical websites. My data had been hacked, and now it was published on the internet for all to see.
The news is always full of stories of companies being hacked. They are usually all about the data that got stolen, how the company is doing what they can to secure their site, how much money it will cost them, what they lost, etc., etc. But seldom do we hear about the victims of the hack. You know, the people who actually had their data stolen. What happens to them?
OK, time for some back-story. BART (Bay Area Rapid Transit) has been the target of a number of protests lately. Much of this stems from the shooting of Oscar Grant, an unarmed black youth, shot by BART police on Jan 1, 2009. You can read that story here. On July 8th, 2010, the officer was found guilty of involuntary manslaughter, but not guilty of second-degree murder, and protests and riots broke out. On June 13, 2011, he was paroled. The protests and small riots began again. And most of these were targeted at San Francisco BART. In response to the threat of a new protest last week, BART shut down cell phone service in its San Francisco Civic Center underground station, believing that the protest was being fueled by SMS and cell phone calls. The hacking group “Anonymous”, in retaliation for this shutdown, attacked (unsuccessfully) BART’s main web site, but did manage to break into their rider site called MyBart. They said it was so easy, any eight year old could have done it.
I immediately fired up my Mac and opened my email. How odd, nothing from MyBart about the attack (an email showed up 2 hours later.) Was this some kind of a prank? The phone rang again. KGO was calling back, and wanted to know if they could send a truck out to my house to record my thoughts. How did I feel about this attack? Would I share? Here is the ABC story.
I was angry, that is how I felt. I had nothing to do with BART issues other than being a rider. I have little choice of getting to work any other way. But the hack is not going to hurt BART at all, but it does hurt the people who had data stolen. I was now going to have to spend many hours changing passwords and making sure my accounts were not hacked as well by kiddies who found my data on-line.
And now the fun began: find all the websites where I used that password, or a similar one, and change them. So what would you do? How would you go about that?
I know the rule well, and I preach it to others. NEVER use the same password on different sites, so if one password gets stolen, you do not compromise your data on the other sites. But seriously, I log into dozens of sites a month, maybe even a week, and it becomes cumbersome to keep trying to remember all those passwords. But now that laziness is going to cost me.
Luckily for me, I use a program (not completely correctly, it turns out) called 1Password. 1Password is a password manager for both Windows and Mac, and also has an iPhone app. On the Mac, when you visit a new website, assuming your version of Safari is compatible, 1Password will prompt you to save that login name, password, and website in a secure database on your computer. Using sync technology, it will also push your new info and changes to the other copies of the program (encrypted of course).
So I fired up the program, typed the published password into the search field, selected passwords as the filter, and sadly a very long list of websites appeared in the search results using that password. My work was cut out for me.
But it seems I am not using 1Password correctly. One feature that this program has is the ability to generate random passwords for sites when you create your account, and then save them for you so when you come back, it can fill in the password for you automatically. But did I use this feature? No. And will I use this feature now as I change my passwords? Probably not. And here is why:
Unfortunately, 1Password requires some integration into the web browser to work well. When this software is working correctly, I can right click on a password field, see the 1Password menu, and choose to fill in my data for that site, or generate a new random password. The problem is, every time Apple updates Safari (which seems to be quite often), 1Password integration stops working. And on the iPhone, there is no integration at all. And it does not seem to work in Firefox at all now.
What that means is IF I use a random password, I would have to open the 1Password app, search for the site, and then copy the login info back to the web page. If I change something, I have to enter it by hand back into 1Password. What a pain in the butt. And there are times you are not on your own machine and want to access a site. No way you will remember that random password, meaning you need to open your iPhone, launch 1Password, enter two pass codes, find the website entry, and look up the password. Not exactly simple or fast, and if you do not have your phone with you, forget about it.
I spent a good 3 hours Sunday afternoon doing this manual task, and I have not changed everything yet, and I am sure there are some I missed. Not only did I change the stolen password, but I also changed any passwords that were similar as well, since guessing a close variant of a known password is an easy attack.
But the story’s not over yet. My wife and I left for dinner. On the drive out, my cell phone rang again. Another TV station wanting another interview. “Sorry, can’t do that now.” Then it rang again. There was a man’s voice on the other end. The caller ID showed a New York number.
“Hello, is this Owen?”
“Hi Owen, this is an anonymous friend. You need to go change all your passwords. All your data is on the internet….”
Then we went into a tunnel and AT&T dropped the call. I tried to call this person back, but a woman answered instead. She said there was no man there, it was her cell phone alone, and she had no idea what I was talking about. How curious. Seems this may have been a friendly call from an “anonymous” hacker?
After dinner, I was up until 2 AM changing passwords and updating accounts. Did I miss anything? Did anyone get in before I changed them all? I may never know. But all of BART’s so-called “action” on this problem has not saved me any time. And STILL no call from BART to tell me that my password was compromised. And, I did discover from the news report that my password was stored on their site UNENCRYPTED. Seriously? Now I am really angry.
I get Anonymous’ anger and revenge thing, I really do. I was angry with BART myself for cutting off phone service, especially since this is the way they claim to warn the public of potential dangers or delays. But this group should think about who this really hurts. Not BART! It hurts people like me who use the BART system, and frankly, BART couldn’t care less about my time. They have proven that by not contacting me further.
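What “stored UNENCRYPTED” means in practice is that whoever copies the user table gets every password as typed, which is exactly why one breached site turns into hours of password changes everywhere else. The following is an added example, not code from the original post and not anything BART or MyBart runs: it contrasts a plaintext record with a salted, iterated PBKDF2 hash (Python's standard `hashlib.pbkdf2_hmac`) so that a dump of the stored records yields no passwords directly. The iteration count and record format are this example's own choices.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor; tune to the server's CPU budget

def store_plaintext(password):
    """What the breached site effectively did: the record IS the password."""
    return password

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 record: algorithm$iterations$salt$digest.
    A fresh 16-byte salt per user means two users with the same password
    get different records, and a dump cannot be attacked with one table."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([
        "pbkdf2_sha256",
        str(ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])

def verify_password(password, record):
    """Recompute from the stored salt and iteration count; constant-time compare."""
    algo, iters, salt_b64, digest_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(candidate, expected)

def dump_reveals_password(record, password):
    """The check an attacker cares about: does the stored record contain the password?"""
    return password in record

if __name__ == "__main__":
    pw = "Tr4nsit!"  # constructed sample password
    print("plaintext record leaks it:", dump_reveals_password(store_plaintext(pw), pw))
    rec = hash_password(pw)
    print("hashed record leaks it:", dump_reveals_password(rec, pw))
    print("login with right password:", verify_password(pw, rec))
    print("login with wrong password:", verify_password("Tr4nsit!1", rec))
```

A salted hash does not make a weak or reused password safe (it can still be guessed offline, which is why the work factor matters), but it turns a table dump from "here are 2400 passwords" into "here is a cracking job per user".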
But the lesson learned here is that your data is not safe. Be prepared. If you do not use 1Password, use another solution that keeps track, securely, of all your accounts, passwords, and websites. Think, for just a second, what you would have done if you got this phone call? Would you be ready?