Airports in Danger


FAA Employees: It's Easy to Shut Down Radar

By Sascha Segan

Oct. 16 - Federal officials have criticized security at the Federal Aviation Administration, but former and current FAA systems administrators tell ABCNEWS.com the problem is even worse than has been admitted, and almost anyone with a little technical savvy could break into the system and shut down radar at major air hubs around the nation. The administrators say that with an ordinary home computer, a few freely available programs and the right password, anyone could dial into a secure FAA maintenance system. Once inside, they would have access to the computers that are used to control airport radar systems.

What's more, thousands of unsecured laptops used by FAA employees, some pre-programmed with important passwords, could provide the wrong people with shortcuts into the system if they were lost or stolen, the administrators said. "If this thing fell into the wrong hands, a terrorist could really do some damage," retired FAA administrator Norm Haase said. A report from the congressional General Accounting Office, released Sept. 27, condemned the FAA for having lousy security and hinted at the potential for computer break-ins. The administrators gave clear details - and explained how easy it really is to wreak havoc on FAA systems. Security experts, including notorious reformed computer criminal Kevin Mitnick, agreed with the administrators' assessment and said they could probably break into an air traffic Maintenance Control System in anywhere from five minutes to a week, given the security structure the administrators described. An FAA spokeswoman said the agency couldn't talk about specifics, but that it was aware of the security flaws and was working to fix them.

"Potential areas of vulnerability in the MCS have been identified, with the appropriate security countermeasures implemented," Tammy Jones said. But the GAO report said the FAA has a poor track record on following its own security policies, saying the agency has made little progress swatting known, exploitable bugs and that two out of three systems tested for hack-ability a year ago have yet to be fixed. And the system is vulnerable from the inside as well. The agency never updated its security regime after a 1996 reorganization, leaving many employees with greater access than they should have, administrators said.

Open Access

Administrators need to get to their maintenance systems 24 hours a day, often from home - for instance, to fix urgent system problems that come up in the middle of the night. If the remote access was secure, it wouldn't be a problem, experts said.

But the systems use unencrypted connections over public phone lines. That means any hacker can get in with a war dialer (an early-1980s piece of software that dials a lot of phone numbers, searching for computer modem tones), the right passwords, and an obscure but free program for connecting to mainframes. It would be the same sort of attack that hackers have used repeatedly to compromise numerous corporate computer systems, as well as some in government. The laptops make break-ins even easier, and more than 3,700 have been distributed nationwide, according to Haase. Some have pre-programmed phone numbers and passwords for various FAA systems, many with passwords for the MCS. Some, he said, have already been lost. The laptops don't have to be stolen, said Jim Jones, director of response services for computer security firm Global Integrity. As they're also used for private e-mail, a Trojan Horse program could be sent through e-mail, which would redirect passwords and phone numbers into the wrong hands.

Gaining Control

The maintenance systems, known as the Maintenance Management System and the Monitor Control System, allow administrators to shut down, restart and reorient the radars and instruments that feed into air traffic controllers' screens.

"You can't access ATC command stations remotely, but you can screw up the data going into them," Haase said. The dial-up systems don't encrypt their data, which would prevent passwords from being stolen through wiretaps. Encrypting the laptop hard drives would make them useless to unauthorized users, and the FAA had a plan to do that but hasn't followed through, Haase said. The systems aren't classified, either, so they don't have to conform to regulations on classified data. The agency owns dialback modems which only accept calls from pre-screened phone numbers, but doesn't use them much. "I won't say that they used them, but they were there," another retired FAA administrator said. Fortunately, there's no firm evidence that hackers have ever broken into critical FAA systems, though a Colorado teenager hacked into agency mail and Web servers last year. Few hackers are familiar with the FAA's mainframes, and administrators said fewer are interested in breaking into a low-profile system that isn't connected to the Internet.

Hack Attacks

Mitnick, a reformed ex-computer criminal who now speaks on computer security issues, said someone with his skills would have no problem breaking into the FAA's system. A break-in artist could use a war dialer to find the right phone number and smooth talk to trick users into revealing passwords, or could reroute the phone number to a decoy system which would appear to be the real one, but would just capture passwords. "I could have a valid user name and password in less than five minutes," he said. The central problem is that the systems are accessible through public phone lines, he said. Bob Miller, deputy director of the federal Critical Infrastructure Assurance Center, said the FAA's security was no worse than that of many major corporations.

Personnel Problems

Even if outsiders don't crack into FAA systems, security within the agency is lax, administrators said. "It's the insider threat that worries most of the security people in government," said Miller.

The GAO report said the FAA hadn't done background checks on many employees and contractors - including Chinese nationals hired as part of the effort to head off the Y2K bug, and penetration testers who were assigned to break into sensitive systems and diagnose security flaws. A current FAA computer system administrator who did not want to be identified said that after a reorganization in 1996, many employees were left with security levels much higher than necessary - levels that could allow them to access personal data about other employees, or systems they don't necessarily supervise. "They can look at personnel records for anybody across the whole maintenance organization," he said. The administrator also backed up the GAO report's conclusion that FAA employees haven't been properly trained on computer security, violating an FAA policy. "Security varies widely from one place to another," he said.

Denying Knowledge

At a hearing before the House Science Committee last week, FAA head Jane Garvey said she hadn't known about the agency's security problems until the GAO brought them up, and that the agency was working on them.

But the FAA administrators disagreed: they said they'd brought various concerns to higher-ups as far back as 1996. "I specifically, for the last four years or more, have been screaming and hollering about computer security and the access problems," Haase said. Science committee chairman Jim Sensenbrenner, R-Wis., said the FAA has had to be brought into security awareness kicking and screaming - but that the final responsibility for safety lies with the agency. "It is your job to be proactive on this," he told Garvey. FAA spokeswoman Jones said the agency is fixing the security holes. But one current FAA system administrator is still worried.

"The FAA has this wonderful mentality of not reacting to something until it's already happened," he said. "Until there is some kind of incident, they don't tend to be genuinely proactive."

http://abcnews.go.com/sections/us/DailyNews/faa_computers001016.html



-- Martin Thompson (mthom1927@aol.com), October 16, 2000

