Slashdot Mirror


3,800 Vulnerabilities Detected In FAA's Web Apps

ausekilis sends us to DarkReading for the news that auditors have identified thousands of vulnerabilities in the FAA's Web-based air traffic control applications — 763 of them high-risk. Here is the report on the Department of Transportation site (PDF). "And the FAA's Air Traffic Organization, which heads up ATC operations, received more than 800 security incident alerts in fiscal 2008, but still had not fixed 17 percent of the flaws that caused them, 'including critical incidents in which hackers may have taken over control of ATO computers,' the report says. ... While the number of serious flaws in the FAA's apps appears to be staggering, Jeremiah Grossman, CTO of WhiteHat Security, says the rate is actually in line with the average number of bugs his security firm finds in most Web applications. ... Auditors were able to hack their way through the Web apps to get to data on the Web application and ATC servers, including the FAA's Traffic Flow Management Infrastructure system, Juneau Aviation Weather System, and the Albuquerque Air Traffic Control Tower. They also were able to gain entry into an ATC system that monitors power, according to the report. Another vulnerability in the FAA's Traffic Flow Management Infrastructure leaves related applications open to malware injection."

21 of 88 comments

  1. BRB Guys by pwnies · · Score: 4, Funny

    Gonna hack into the FAA's site and arrange for some low fly-bys of New York city so I can take some nice pics. I'm sure no one will notice.

  2. Geeksquad.Gov by tanmanX · · Score: 4, Funny

    Something perhaps the federal government needs. A pool of IT professionals that are available to all federal agencies, with the full range of clearances to keep critical, and not so critical, networked government information and hardware safe from ill-intentioned eyes.

    1. Re:Geeksquad.Gov by arizwebfoot · · Score: 4, Funny

      We'll get Chuck from the Nerd Herd and he can "flash" 'em.

      --
      Beer is proof that God loves us and wants us to be happy.
    2. Re:Geeksquad.Gov by rackserverdeals · · Score: 2, Informative

      The problem is that an operating system is just something you need to get the application to work on the hardware you choose. It might be a small part of the problem. If you decide to create your own custom distro for the purpose of running your application you're going to possibly run into problems getting your application stack to work correctly on top of it or may have problems getting support.

      The OS they chose was RHEL and you can infer some of the rest of the stack from the requirements.

      Looks like they went with an SOA architecture on top of a J2EE stack with an Oracle backend using Eclipse as the development platform.

      I don't know why these stories turn into OS flame wars. It's like blaming the spark plug for poor engine performance. The OS is probably adding vulnerabilities (I don't know of any OS that doesn't have listed vulnerabilities), but you have to look at the whole stack. Any individual part of the stack could be fine on its own, but in combination may create other problems. On top of that, this system isn't just a combination of off-the-shelf components; there is a lot of coding involved, and for all we know that's where most of the issues may be.

      --
      Dual Opteron < $600
    3. Re:Geeksquad.Gov by Zero__Kelvin · · Score: 3, Insightful

      "The NSA developed SELinux, yes? Which is supposed to be an insanely secure Linux for the paranoid (who of course wouldn't download something written by the NSA...)."

      We don't accept binaries from the NSA. Source code is welcome, thus SELinux.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  3. Re:Just read through the PDF by Roadkills-R-Us · · Score: 4, Informative

    They do mention a compromised domain controller, which suggests (though doesn't guarantee) Windows.

    They also mention DOT, which I believe is heavily into Windows.

    In the late 1980s I know there was some UNIX/X11 development going on for ATC in Germany, but I never heard whether it went big time in Europe, much less in the USA.

    There are some references on the net from 2007 or so that the FAA was switching from Win to Lin, but I'm not sure what systems those were, or if it really happened. They could easily run a mix of UNIX, Linux, Windows and others on the back end, and mostly Windows on the front end.

    Finally, the ATC systems probably run RTOS or a real-time UNIX.

  4. Security expert point of view. by canipeal · · Score: 5, Interesting

    As a security engineer (CISSP & CSSLP) with several years of experience in C&A and pen testing, I must say that the results aren't a surprise by any means. What I DO find disturbing is the amount of detail provided in a public report, given the fact that the FAA has yet to fully apply its remediation strategies for the vulnerabilities identified. Is there any info as to what tools they used for app testing? My experience shows that tools such as AppDetective and WebInspect actually inflate the number of findings. This is due to the fact that the applications identify vulnerabilities by instance and not by category/type.
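    The per-instance versus per-category inflation described in this comment is easy to see with a small triage script. The following is an added example, not code from the report, the FAA or any scanner vendor; the finding records are constructed to look like a generic web-scanner export (URL, parameter, check name, severity) and the check names and the `NOISY_CHECKS` set are assumptions for illustration.

```python
"""Collapse per-instance scanner findings into per-root-cause counts.

Added example; the records below are constructed and are not data from
the FAA audit. Only the Python standard library is used.
"""
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample export: the same few weaknesses reported once per
# URL/parameter, which is how "thousands of vulnerabilities" usually arise.
FINDINGS = [
    {"url": "https://app.example/search?q=1", "param": "q",    "check": "Reflected XSS",    "severity": "High"},
    {"url": "https://app.example/search?q=1", "param": "lang", "check": "Reflected XSS",    "severity": "High"},
    {"url": "https://app.example/item?id=7",  "param": "id",   "check": "SQL Injection",    "severity": "High"},
    {"url": "https://app.example/item?id=8",  "param": "id",   "check": "SQL Injection",    "severity": "High"},
    {"url": "https://app.example/item?id=9",  "param": "id",   "check": "SQL Injection",    "severity": "High"},
    {"url": "https://app.example/contact",    "param": None,   "check": "Email Disclosure", "severity": "Low"},
    {"url": "https://app.example/about",      "param": None,   "check": "Email Disclosure", "severity": "Low"},
    {"url": "https://app.example/staff",      "param": None,   "check": "Email Disclosure", "severity": "Low"},
]

# Assumption: checks that a human must confirm before they count as findings
# (the "e-mail address on a contact page" class mentioned further down the thread).
NOISY_CHECKS = {"Email Disclosure"}


def root_cause_key(finding):
    """Key a finding by (check, URL path, parameter).

    The same bug in the same handler, reported once for every distinct
    query string the crawler saw, collapses to a single entry; the query
    string itself is deliberately dropped from the key.
    """
    path = urlsplit(finding["url"]).path
    return (finding["check"], path, finding["param"])


def summarize(findings):
    """Return instance counts next to root-cause counts for the same data."""
    by_cause = defaultdict(list)
    for f in findings:
        by_cause[root_cause_key(f)].append(f)

    high_instances = sum(1 for f in findings if f["severity"] == "High")
    high_causes = sum(1 for group in by_cause.values() if group[0]["severity"] == "High")

    return {
        "instances": len(findings),                      # what the scanner headline says
        "root_causes": len(by_cause),                    # what the developers must fix
        "per_check_instances": dict(Counter(f["check"] for f in findings)),
        "root_causes_by_check": dict(Counter(k[0] for k in by_cause)),
        "high_instances": high_instances,
        "high_root_causes": high_causes,
        "needs_triage": sum(1 for f in findings if f["check"] in NOISY_CHECKS),
    }


if __name__ == "__main__":
    for key, value in summarize(FINDINGS).items():
        print(f"{key}: {value}")
```

    On the constructed data, eight "vulnerabilities" (five of them high) reduce to three high-severity root causes and three low-severity hits that need a human to decide whether they are findings at all; the ratio is what matters when reading a headline count, not the exact numbers.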

    1. Re:Security expert point of view. by phantomfive · · Score: 4, Funny

      What bugs me is all these links in the summary are to articles. Forget that, I want a link to the page where I can control a plane!!

      --
      Qxe4
    2. Re:Security expert point of view. by Zapotek · · Score: 5, Interesting
      Funny thing...
      I was developing a web app security assessment platform like Metasploit but for web apps... so I had to get a peek at the competition.
      So like a good boy I set up a logger on my website and asked a big security firm to demo their own automated web assessment tool on my website.
      I received a report of some hundreds of vulnerabilities. Needless to say, not one of them was correct. So I e-mailed them back and told them, and got a response with an apology.
      If they used an automated tool like that, it's very probable most of the vulns were false positives.
      Oh, and by the way, many of these tools detect e-mail addresses or contact info posted on the site as possible vulnerabilities because they provide "sensitive information".

      My point being... don't fully trust the report. Sure, they must have some serious security risks on their website, but 3,800 seems extravagant.

      PS. Sorry to the guy above me with the "I want a link to the page where I can control a plane!!" for removing my mod +1 funny to his comment. I just had to post this reply. hehe

    3. Re:Security expert point of view. by rtb61 · · Score: 2

      In this case step 1 of the security assessment, does it need to be connected to the internet, 'NO', then don't connect it. Step 2 risk assessment, just because web apps and the internet are the cheapest way of doing things, is it appropriate where thousands of peoples lives are at risk 'NO', then don't do it as a web app, spend the extra money or eventually the laws will change and you will go to jail for killing people just to save a few bucks.

      --
      Chaos - everything, everywhere, everywhen
    4. Re:Security expert point of view. by Anonymous Coward · · Score: 3, Informative

      As a pilot I've had to interact with a lot of the FAA's web presence. Much of this seems to stem from convenience and cost cutting around flight planning.

      Currently, the FAA operates a telnet based Direct User Access Terminal, which provides flight planning information (both weather and wind/time calculations) and the ability to file a flight plan over the internet. That system is used by any number of sites to put a pretty face on it and make it more user friendly. In short, a pilot could plan a flight and file a flight plan all from the comfort of his armchair, and not have to call a Flight Service Station.

      It's convenient, but as the parent posters said, it also introduces a major vulnerability.

      In addition, the FAA has moved Airman certification over to a web-based client that, frankly, is a total disaster. When it first went online, it would ONLY work with IE 6 on Windows. It was totally nonfunctional outside that little segment of the population. It's been upgraded recently, so it's slightly less irritating. It still loses applications, which forces applicants to recreate their application (a non-trivial process).

      All in all, I've been happy with the FAA as a regulatory body. Their IT division, however, has to get their act together.

  5. PDF Report by InsertWittyNameHere · · Score: 5, Funny

    The PDF report itself tests for the 3801st vulnerability.

  6. You don't say? by schon · · Score: 4, Insightful

    Jeremiah Grossman, CTO of WhiteHat Security, says the rate is actually in line with the average number of bugs his security firm finds in most Web applications.

    Oh, well that makes it OK then.

    After all, when a Chinese or Russian hacker out to prove a point wreaks havoc by exploiting one of these, they can always just say "Don't worry, we're no worse than blogger.com!"

  7. Programming by icepick72 · · Score: 3, Interesting

    Who builds the FAA web apps?

    1. Re:Programming by xanadu-xtroot.com · · Score: 4, Insightful

      Who builds the FAA web apps?

      The lowest bidder, of course!

      --
      I'm not a prophet or a stone-age man,
      I'm just a mortal with potential of a super man.
  8. Re:Just read through the PDF by ASBands · · Score: 5, Insightful

    Karma be damned, but the use of Windows in a secure system is nowhere near as bad as not sanitizing your inputs on any system. No platform can just make up for bad practice. FreeBSD will happily allow someone to guess 'PASSWORD' as the login password (from TFA: "Software configuration involves setting up a software system for one's particular uses, such as changing a factory-set default password of "PASSWORD" to one less easily guessed."). If you're using Oracle DB, MS SQL or MySQL, if you store passwords as plaintext instead of hashes and secure data in plaintext, you will run into problems (TFA: "...hackers had the ability to obtain more than 40,000 FAA user IDs, passwords, and other information used to control a portion of the FAA mission-support network."). Microsoft may not patch in a timely manner, but it doesn't matter what platform you're running if you don't apply the patches (TFA: "...software with known vulnerabilities was not corrected in a timely manner by installing readily available security software patches released to the public by software vendors."). PHP, JSP, ASP, ASP.NET, Ruby, Perl or whatever, if you program poorly, you're going to have problems.

    --
    My UID is a prime number. Yeah, I planned that.
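    The two report findings this comment quotes, a shipped default password left in place and credentials recoverable from a compromised store, are contrasted below with the corresponding hardened pattern. This is an added example and not code from the FAA systems or from the report; it uses only the Python standard library, the user names and passwords are constructed, and the iteration count and the `DEFAULT_PASSWORDS` list are assumptions for illustration.

```python
"""A plaintext credential store beside a salted-hash store.

Added example; not code from any FAA system. Constructed users only.
"""
import hashlib
import hmac
import os

# Assumption: a small deny-list of shipped defaults. The report quotes "PASSWORD"
# as a factory-set default; the others are common defaults added for illustration.
DEFAULT_PASSWORDS = {"PASSWORD", "password", "admin", "changeme"}

# Assumption: tune so one hash costs roughly 100 ms on the target hardware.
ITERATIONS = 600_000


class PlaintextStore:
    """The pattern the report describes: a dump of the table is a dump of every password."""

    def __init__(self):
        self.users = {}

    def add(self, user, password):
        self.users[user] = password            # stored as typed; nothing stops "PASSWORD"

    def check(self, user, password):
        return self.users.get(user) == password


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt$digest (all hex)."""
    if salt is None:
        salt = os.urandom(16)                  # per-user random salt defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored, password):
    """Recompute with the stored salt/iterations and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


class HashedStore:
    """Refuses shipped defaults and keeps only salt + slow hash; a dump yields no passwords."""

    def __init__(self):
        self.users = {}

    def add(self, user, password):
        if password in DEFAULT_PASSWORDS or len(password) < 12:
            raise ValueError("default or too-short password refused")
        self.users[user] = hash_password(password)

    def check(self, user, password):
        stored = self.users.get(user)
        if stored is None:
            hash_password(password)            # spend the same time for unknown users
            return False
        return verify_password(stored, password)


if __name__ == "__main__":
    weak = PlaintextStore()
    weak.add("ops", "PASSWORD")
    print("plaintext dump:", weak.users)       # password readable as-is

    strong = HashedStore()
    strong.add("ops", "correct horse battery staple")
    print("hashed dump:", strong.users)        # salt and digest only
    print("login ok:", strong.check("ops", "correct horse battery staple"))
```

    The stored record carries its own parameters, so the iteration count can be raised later and old records re-hashed on the user's next successful login; the constant-time comparison and the dummy hash for unknown users close the two timing side channels a naive implementation leaves open.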
  9. I love these hard-hitting reports by e9th · · Score: 2, Interesting
    FTFR:

    35 Internet-based or public use web applications were tested. On those web based applications 212 high risk, 169 medium risk, and 1,037 low risk vulnerabilities were found.

    What apps? What vulns?
    Surely they've all been fixed/replaced by now (if not, why not?), so why not let the rest of us know what was discovered?

  10. First question by slapout · · Score: 5, Insightful

    Why does the FAA have web based air traffic control applications?!

    --
    Coder's Stone: The programming language quick ref for iPad
  11. Re:Just read through the PDF by gparent · · Score: 4, Insightful

    Mainly because it doesn't matter. These computers have problems that are totally unrelated to Windows, such as easily guessable passwords, unpatched vulnerabilities and easily accessible passwords, unencrypted in the database.

    Windows isn't the weak link here, and properly securing Windows isn't exactly rocket science.

  12. Different Article; Same Report by Rary · · Score: 4, Informative

    Sounds vaguely familiar...

    Note that, although this is not a good thing, we're not actually talking about the ATC system here. We're talking about administrative web applications that employees can access from home, web sites that provide information about air traffic services to employees and to the public, power monitoring applications, things like that. Some are pretty serious, but most are not that serious. And none of them are the ATC system itself.

    --

    "You cannot simultaneously prevent and prepare for war." -- Albert Einstein

  13. Re:Just read through the PDF by Antique+Geekmeister · · Score: 2, Insightful

    No, it really doesn't secure it. Too many network-based utilities require far too much privilege to operate, Internet Explorer is a sinkhole of security vulnerabilities, and autorun remains the default for CDs, USB sticks, and other detachable media. Proxies are like the Maginot Line of security: they provide a useful pretense at security, but only have to be pierced once to allow the invaders to overrun your internal network.

    It only takes one newly installed laptop, exposed to the Internet while pulling down its first service packs and security software, to serve as the staging point for all sorts of attacks.