Audit_of_the_Charlie_Ticketing_System

Views:
 
Category: Education
     
 

Presentation Description

No description available.

Comments

Presentation Transcript

Audit of the Charlie Ticketing SystemFor the Massachusetts Bay Transportation Authority : 

Audit of the Charlie Ticketing SystemFor the Massachusetts Bay Transportation Authority Team China Auditing Luke, Dylan, Scott, and Craig.

The Incident : 

The Incident Three MIT students explored the obvious weaknesses at the MBTA. The MBTA’s fare-collection system named the Charlie Card was “hacked” to show false values. The entire MBTA facility was shown to be lacking security in general.

What Happened? : 

What Happened? The students got into the building through unlocked doors. Many locks were unlocked on rooms, phone boxes, and networking systems. They also found a key and other physical identification that should not have been laying around. They also eventually hacked the Charlie card’s mag-stripe value and then explored the RFID cards. They documented their entire experience with photos and assembled a slideshow. Link Here

Recommendations : 

Recommendations Risk Assessment (Internal & Third-party) Improve Physical Security Access Control Hardware & Software Visitor Management System

Risk Assessment : 

Risk Assessment Regularly scheduled (Internal & Third-party) Management, Security and end-user involvement Reports to identify risk areas and levels CounterMeasures® – Risk Analysis Software $14,500 (CounterMeasures®, n.d.) RFP’s to be reviewed for vendor selection

Physical Security : 

Physical Security Access Control Hardware & Software Increase security by eliminating keys Provide management, audit tracking and incident response Typical installations $1500 - $2500 per door (Access control, n.d.) RFP’s to be reviewed for vendor selection

Physical Security : 

Physical Security Visitor Management System – Lobby Track™ Increased control and security of visitors in MBTA facilities Security desk, on-line or self-registration kiosk check-in available $1800 per location (Edition Comparison, n.d.)

Questions? : 

Questions?

Thank You : 

Thank You Luke, Dylan, Scott, and Craig. Team China Auditing

References : 

References Access control system pricing. (n.d.). Retrieved May 6, 2010, from BuyerZone: http://www.buyerzone.com/security/access_control/buyers_guide6.html Ahlers, M. M., & Quijano, E. (2009, May 20). National Archives loses hard drive with Clinton era records. Retrieved March 10, 2010, from CNN Politics:http://www.cnn.com/2009/POLITICS/05/20/lost.hard.drive.clinton/   Baxter, C. (2008, August 12). MIT students' report makes security recommendations to T. Retrieved April 20, 2010, from The Boston Globe:http://www.boston.com/news/local/articles/2008/08/12/mit_students_report_makes_security_recommendations_to_t/   B., B. (2008). CRACKING THE CHARLIE CARD. CSO Magazine, 7(8), 17. Retrieved from Risk Management Reference Center database.    COBIT Student Book. (2004). COBIT in Academia. Rolling Measows, IL: IT Governance Institude.   http://alarcos.inf-cr.uclm.es/doc/Auditoria/Cobit_Student_Book.pdf     CounterMeasures®Enterprise Platform 8.1. (n.d.). Retrieved May 10, 2010, from CounterMeasures Risk Analysis Software: http://www.countermeasures.com/enterprise_platform_product.htm Edition Comparison. (n.d.). Retrieved May 10, 2010, from Jolly Lobby Track: http://www.jollytech.com/products/lobby_track/systems/edition_comparison.php Lewis, D. (2008, 8 20). MIT CharlieCard Hackers Gag Free. Retrieved April 6, 2010, from LiquidMatrix Security Digest:http://www.liquidmatrix.org/blog/2008/08/20/mit-charliecard-hackers-gag-free/   McGraw-Herdeg, M. (2008, August 14). Public Documents Seem to Show Free T Fare. Retrieved March 10, 2010, from The Tech, Online Edition:http://tech.mit.edu/V128/N30/subwayvulnerabilities.html

References Cntd. : 

References Cntd. McNamara, P. (2008, 8 11). Exclusive: 'MBTA vs. MIT' lawsuit really about Charlie, not CharlieCard. Retrieved April 6, 2010, from Network World:http://www.networkworld.com/community/node/30940   Mills, E. (2008, Decemer 23). MIT students to help Boston secure subway fare system. Retrieved March 10, 2010, from CNET News:http://news.cnet.com/8301-1009_3-10128632-83.html?tag=mncol;title National Archives Offers Reward of Up to $50,000 for Return of a Missing Clinton Administration Hard Drive. (2009, May 29). Retrieved March 10, 2010, from The National Archives:http://www.archives.gov/press/press-releases/2009/nr09-89.html    Pesaturo. (2007, 3 05). MBTA Transit Police Charge Retiree with Theft. Retrieved April 6, 2010, from MBTA:http://www.mbta.com/about_the_mbta/news_events/?id=11063&month=&year=   Russell, R., Zack, A., & Alessandro, C. (2008, August 8). Anaomy of a Subway Hack. Retrieved March 10, 2010, from http://tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf   Szaniszlo, M. (2008, August 10). MIT students barred from exposing MBTA security flaws. Retrieved March 10, 2010, from Boston Herald: http://news.bostonherald.com/news/regional/general/view.bg?articleid=1112081&srvc=home&position=emailed   Szaniszlo, M. (2008, 8 14). Board member demands MBTA audit. Retrieved April 6, 2010, from http://www.bostonherald.com: http://www.eff.org/files/filenode/MBTA_v_Anderson/Exhibit%207.pdf   Szaniszlo, M. (2008, 8 15). MIT students must turn in CharlieCard data today. Retrieved April 6, 2010, from Boston Herald:http://www.bostonherald.com/news/regional/general/view.bg?articleid=1113095   Vijayan, J. (2008). Flap Over Transit Flaws Exposes Disclosure Divide. (Cover story). Computerworld, 42(33), 10. Retrieved from Academic Search Premier database.

authorStream Live Help