Hackers Broke Into FAA Air Traffic Control Systems
PL/SQL Guy writes "Hackers have repeatedly broken into the air traffic control mission-support systems of the US Federal Aviation Administration, according to an Inspector General report sent to the FAA this week, and the FAA's increasing use of commercial software and Internet Protocol-based technologies as part of an effort to modernize the air traffic control systems poses a higher security risk to the systems than when they relied primarily on proprietary software, the report said. Intrusion detection systems (IDS) are deployed at only 11 of hundreds of air traffic control facilities. In 2008, more than 870 cyber incident alerts were issued to the organization responsible for air traffic control operations and by the end of the year 17 percent (more than 150 incidents) had not been remediated, 'including critical incidents in which hackers may have taken over control' of operations computers, the report said."
when 4chan goes down for a week. Seems that keeping that site running is a matter of national security!
They have the CIP device.
Why are critical systems not protected by a one inch air gap between the NIC and cable from remote exploit?
Seems like from TFA they're not:
A Human Right
windows is going to kill everyone, I keep tripping on these winged pigs.
Seriously WTF
Somebody get Jack Bauer - he'll find the C.I.P. device that made this possible.
It's non-proprietary, the applications should work just fine, but most skript-kiddies don't have any idea on how to set up the necessary tunnels. It's also designed from the start to be secure, IPv4 has had all security back-ported in.
Also, use Active IDS, not passive. It's no good telling the operators that the last three planes crashed into a mountain because a system cracker decided it would be fun to use the radar computer for a game of Netrek. You're much better off by detecting the intrusions in real-time and countering them right then. Particularly if actual mission-critical systems are being broken into.
Third, Stop Using Windows! Gaah! The chances are that the software can be modded to work under Linux or OpenBSD just fine.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Glad they don't have commercial planes with complete remote control. Or do they?
Why my last 4 flights arrived on time.
Sig Follows: "Suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself." -- Mark Twain
I have your fucking airplanes.
As it tends to enlighten people to the necessity of better computer security... but when it involves things like airport control towers and hospital equipment and files it is totally not cool.
This was just a partial look at the ATC's systems and these are the kinds of numbers that come up?
"Our test identified a total of 763 high-risk, 504 medium-risk, and 2,590 low-risk vulnerabilities, such as weak passwords and unprotected critical file folders."
This is just unacceptable, and I bet this gets little to no mainstream media attention.
Fact is they can fly planes into buildings by gaining access with box cutters. This is more pre-budget fear mongering for the new 'Cyber-Security Czar' and bureaucracy.
That's what's usually called ineptitude, but those FAA guys like to spin it round so someone else, or circumstances beyond their control, are the problem.
From what I've read about air-industry people in the US they are no different from in the Netherlands: People who almost invariably have a superiority complex and think they're doing tremendously important work while not having to justify why they make so much noise, are so inept at sound calculations (dBA which is pointless for noise as related to annoyance, contrary to Sone for example), produce reports with incorrect units (upper and lower case wrong showing they don't have a proper education in elementary physics) etc.
Recently small aircraft were prohibited from flying near Schiphol. Reason was transponders are now in all of them, the LVNL (Dutch air traffic control) couldn't handle all those signals. A tremendous display of ineptitude again as they had plenty of time to prepare their systems (software), but being the sort of people they are, this is actually logical. Because they feel superior, they don't actually consider they might be doing things badly or need to change. In other words, despite them feeling they are superior, they are in fact amateurs...
You can find more on the web on this (in Dutch).
I have a glandular problem you insensitive clod!
SCADA systems should always be disconnected from Intranets and the Internet. Sorry, this is a serious architectural and national security issue.
Whoever came up with this architecture and authorized it should be terminated.
Harrison's Postulate - "For every action there is an equal and opposite criticism"
On the plus side, it makes it easier for the controllers to run iTunes on their consoles.
...WTF!? Why are they doing this? This is one of the places where you want proprietary software.
from the CNET article "Last year, hackers took control of FAA critical network servers and could have shut them down, which would have seriously disrupted the agency's mission-support network, the report said"
"However, Brown dismissed the notion that hackers could get access to critical air traffic control operational systems."
It's OK everybody, the hackers have shut down the network but they haven't gained any critical access.
That certainly brings new meaning to the phrase "Blue screen of death"!
I've abandoned my search for truth; now I'm just looking for some useful delusions.
Glad they don't have commercial planes with complete remote control. Or do they?
That was proposed after 9/11 as a solution to hijacked planes. Remote control devices that could take over a hijacked plane, remotely, locking out control by those on board and allowing it to be landed safely. Remote devices strategically located at all major commercial airports - or at least those near high-value targets (which is pretty much all of 'em).
When the trial balloon went up it was soon pointed out that, with such a system, hijackers could use it to hijack the planes without even being on board. And the tech would be distributed to many locations (worldwide) from which it could be stolen.
Haven't heard much about it since. B-) Of course that means that it will fall off the mental horizon for decision makers and they might decide to do it after all. B-(
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
"Where do you want to go today?"
I'm not sure it gets much worse than this. I guess the local nuke plant could install a "whack-a-rod" live webcam game and secure it with DMCA technology...
"Not an actor, but he plays one on TV."
The only difference the pilots noticed was that suddenly, the vectors they got from Washington Center didn't suck...
Being a programmer meant you could make a lot of money, not because you could make something that could be sold, but because you make programs that were useful for a purpose. Bill Gates and people like him turned computing into a software industry and this is more or less the result of that.
There was nothing "wrong" with systems maintained by professional programming teams and for those people to work at the same job for their entire lives earning a good wage. "Industry" has not only weakened systems everywhere with their homogenous nature, but cheapened the industry and lowered wages for everyone in the profession.
I fail to understand why government systems like this are connected to the internet. The military industrial complex and FAA and other critical government systems should be tied into a separate network. This harks back to the story about classified info for the Joint Strike Fighter getting stolen from an internet attack. WTF!? I can't believe how inept....I take that back, I can believe how inept these guys are. This has to stop. There is no need for these systems to be connected to yahoo and myspace for crying out loud.
We need to borrow enough money from them to mobilize our forces and kick their asses!
I am not left-handed, either!
. . . it's proprietary, so no one, not even IBM, understands how it works.
The script kiddies will have to learn JCL. Have fun, you little rotten bastards!
And even if they manage to break into a machine, they will be confronted with z/OS ISPF . . . can they get their tn3270 sessions to work? Hee, hee! Find your PA1 key!
The best choice for a truly secure system, is to use some weird shit, that nobody else wants to use. And thus, there are not a lot of folks hacking about trying to poke holes in it.
Wait for a script kiddie post, on how to use nmap to probe for ports on LU6.2.
Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
Anyone who has worked with IDS/IPS systems will realize that unless very carefully managed you will have a large number of events that amount to nothing, even some with some very scary sounding titles.
I am actually surprised to see the count levels so low, even for systems that are believed to be somewhat out of the way.
ATC is not actually a single system within the FAA; this function is broken up over several different systems, each with their own silo of responsibility. My understanding from talking with traffic controllers is that the systems are not a requirement for controlling traffic. If the systems are down, or are believed to be unreliable, the controllers will simply continue with a more conservative approach, although this can have the effect of gumming up the works as everyone is slowed down and larger gaps are used.
Real danger would be if information was off in some subtle way that was not detected, but as soon as it was determined that something was wrong, the system in question would be taken out of the work flow and further issues with it would not matter.
Crafting such a problem would take not only the IT info to gain access to the system, but at least some level of ATC understanding on how to alter a situation without tipping your hand. While far from impossible, it is not what I would suspect would be a common skill set.
I hear that Candida uses Amiga systems for ATF or they used to.
Was there ever a real need to screw with the ATC other than giving airlines more control of the system so they can adjust things to maximize their profits?
The Times of India has a story about this. FTA:
"Gen Kevin Chilton, who heads US Strategic Command, said he worries that foes will learn to disable or distort battlefield communications.
"Chilton said even as the Pentagon improves its network defences against hackers, he needs more people, training and resources to hone offensive cyber war capacity. At the same time, he asserted that the US would consider using military force against an enemy who attacks and disrupts the nation's critical networks."
Basically, they are considering dispatching air strikes or commando raids at hackers if they can identify their identity and location.
(What could POSSIBLY go wrong there...)
I worked as an engineer for NCAR, building and installing high-tech weather systems for the FAA (AWRP) for over a decade in the mid-90's-00's. I found the FAA leadership is filled with bunches of Republican partisan hacks who spent their time telling Al Gore jokes in their technical meetings rather than getting things done. It literally takes them 10 or more years to get technology to their employees in the trenches (officially). Because of upper mgt incompetence, the local level tech is a free-for-all, running in the closet. When I installed our sanctioned equipment in the Long Island FAA TRACON, I found a shift supervisor had brought his old PC in and got an AOL account so that the "super secure war room" could see what the weather was like outside as they managed 40% of the air traffic in the US. The FAA literally watches the weather channel with the sound off and competes with all the every day Joes for Nexrad images on accu weather. One of our (NCAR) systems under rigid performance evaluation at the FAA Technical Center (NJ) kept "hanging" several times per week, and we received poor evaluations and threats of funding cuts. I finally discovered that the reason for the failures was one of their staff had opened a shell terminal, ran Mosaic (remember that) and went porn surfing (up our dedicated 64kbps line back to NCAR in Boulder and out through our .edu POP). The FAA has lots of ad-hoc systems installed everywhere. Can anyone say "Pass your USB key over here Bob - Ya gotta watch this".
Maybe Obama's administration will clean the rot out of the FAA. I lost any hope many years ago.
"poses a higher security risk to the systems than when they relied primarily on proprietary software"....Someone actually put this into an FAA IG report? That's ridiculous. Correlation and causation are two ENTIRELY different things. You'd think the FAA, of all people, would understand that.
Exhibit A: Microsoft products. A huge collection of proprietary software which are security swiss cheese. Sorry, that's not fair to swiss cheese.
These are mainly issues with data access and transfer. As noted by many others, it is about being thorough and having security features integrated into a fully specified architecture.
It is not accurate or responsible to say that this is based on "FAA's increasing use of commercial software and Internet Protocol-based technologies". There is NO such evidence.
Fire the incompetent acquisition managers who contracted for a low-bid "slap random technologies together" solution over a well-engineered and disciplined system development. Then fire the FAA IG report writer. They generate trash.
Just who was the jackass that decided we had to say "remediated" instead of "fixed"??
Strange things are afoot at the Circle-K.
I believe the late 20th / early 21st century poet, philosopher, and artist, Randall Munroe, said it best: "You're doing it wrong!"
http://xkcd.com/463/
Stop-Prism.org: Opt Out of Surveillance
"s/commercial software/Windows/g"
Contrary to the popular belief, there indeed is no God.
Whistler: Anybody want to crash a couple of passenger jets?
First entomology, then virology, and finally bioinformatics systems. Bugs follow me wherever I go.
Back to basics!
I have connections to someone who accidentally hacked an airport in the 1990s. Back then, the thing that bored teenagers did was run programs that would find phone numbers answered by modems.
Anyway, as the story goes, this teenager came across a phone number, answered by a modem, that behaved very differently than any other phone number. There was NO password or security whatsoever. The interface was very foreign; however, this bored teenager spent a few months hacking at the system, trying to learn what it did and how to operate it.
As the story goes, he eventually came across some form of a manual, and decided to test the reboot command. A few days later, when the feds showed up at his door, he found out that he was responsible for bringing an airport down for an entire afternoon.
The irony of the matter is that the bored teenager was a well-meaning, curious, upstanding teenager. He had no malicious intentions whatsoever.
No, I will not work for your startup
I think they should have to pay for all three.
The solution is obvious, create a network of VPN nodes with multiple redundant routes, that utilize end-to-end encryption and authentication and connect your 'computers' to that. Now don't tell how/why it can't be done, tell me how it can be !
"I have connections to someone who accidentally hacked an airport in the 1990s. Back then, the thing that bored teenagers did was run programs that would find phone numbers answered by modems"
What was the name of this airport and are there any reports on this incident? Usually, where you have dial-in access to a modem, the modem drops the connection and dials back a particular number. See Dialback Modem Security from a Phrack article of 1988
In Nelson's Voice: Ha Ha. I was laid off from NCAR early this year after making noise about: 1) sending DOD developed software to China, 2) exposing unsecured DOD data and systems to the Internet, and 3) billing the US Army for developing systems for the French Navy. I wrote e-mails, I visited managers. I was a trouble maker, so, after 18 years of service, they said there was no longer any work for me at NCAR. I can still obtain access to live, sensitive data from Army bases and the Pentagon through NCAR web sites. Investigators, Auditors, please look me up. I'm using the same ID I've used for 35 years. I'd be happy to expose the wide open holes I know about as long as the law is on my side.