FAA: Lousy Security



Airports in Danger

FAA Employees: It's Easy to Shut Down Radar

FAA systems administrators and security experts say almost anyone could break into an air traffic Maintenance Control System and shut down radar. (www.ArtToday.com)

By Sascha Segan

Oct. 16 -- Federal officials have criticized security at the Federal Aviation Administration, but former and current FAA systems administrators tell ABCNEWS.com the problem is even worse than has been admitted, and almost anyone with a little technical savvy could break into the system and shut down radar at major air hubs around the nation.

The administrators say that with an ordinary home computer, a few freely available programs and the right password, anyone could dial into a secure FAA maintenance system. Once inside, they would have access to the computers that are used to control airport radar systems. What's more, thousands of unsecured laptops used by FAA employees, some pre-programmed with important passwords, could provide the wrong people with shortcuts into the system if they were lost or stolen, the administrators said.

"If this thing fell into the wrong hands, a terrorist could really do some damage," retired FAA administrator Norm Haase said.

A report from the congressional General Accounting Office, released Sept. 27, condemned the FAA for having lousy security and hinted at the potential for computer break-ins. The administrators gave clear details -- and explained how easy it really is to wreak havoc on FAA systems.

Security experts, including notorious reformed computer criminal Kevin Mitnick, agreed with the administrators' assessment and said they could probably break into an air traffic Maintenance Control System in anywhere from five minutes to a week, given the security structure the administrators described.

An FAA spokeswoman said the agency couldn't talk about specifics, but that it was aware of the security flaws and was working to fix them. "Potential areas of vulnerability in the MCS ... have been identified, with the appropriate security countermeasures implemented," Tammy Jones said.

But the GAO report said the FAA has a poor track record on following its own security policies, saying the agency has made "little progress" swatting "known, exploitable bugs" and that two out of three systems tested for hack-ability a year ago have yet to be fixed. And the system is vulnerable from the inside as well. The agency never updated its security regime after a 1996 reorganization, leaving many employees with greater access than they should have, administrators said.

Open Access

Administrators need to get to their maintenance systems 24 hours a day, often from home -- for instance, to fix urgent system problems that come up in the middle of the night. If the remote access was secure, it wouldn't be a problem, experts said. But the systems use unencrypted connections over public phone lines. That means any hacker can get in with a "war dialer" (an early-1980s piece of software that dials a lot of phone numbers, searching for computer modem tones), the right passwords, and an obscure but free program for connecting to mainframes. It would be the same sort of attack that hackers have used repeatedly to compromise numerous corporate computer systems, as well as some in government.

The laptops make break-ins even easier, and more than 3,700 have been distributed nationwide, according to Haase. Some have pre-programmed phone numbers and passwords for various FAA systems, many with passwords for the MCS. Some, he said, have already been lost. The laptops don't have to be stolen, said Jim Jones, director of response services for computer security firm Global Integrity. As they're also used for private e-mail, a Trojan Horse program could be sent through e-mail, which would redirect passwords and phone numbers into the wrong hands.

Gaining Control

The maintenance systems, known as the Maintenance Management System and the Monitor Control System, allow administrators to shut down, restart and reorient the radars and instruments that feed into air traffic controllers' screens. "You can't access ATC command stations remotely, but you can screw up the data going into them," Haase said.

The dial-up systems don't encrypt their data, which would prevent passwords from being stolen through wiretaps. Encrypting the laptop hard drives would make them useless to unauthorized users, and the FAA had a plan to do that but hasn't followed through, Haase said. The systems aren't classified, either, so they don't have to conform to regulations on classified data. The agency owns "dialback" modems which only accept calls from pre-screened phone numbers, but doesn't use them much. "I won't say that they used them, but they were there," another retired FAA administrator said.

Fortunately, there's no firm evidence that hackers have ever broken into critical FAA systems, though a Colorado teenager hacked into agency mail and Web servers last year. Few hackers are familiar with the FAA's mainframes, and administrators said fewer are interested in breaking into a low-profile system that isn't connected to the Internet.

Hack Attacks

Mitnick, a reformed ex-computer criminal who now speaks on computer security issues, said someone with his skills would have no problem breaking into the FAA's system. A break-in artist could use a war dialer to find the right phone number and smooth talk to trick users into revealing passwords, or could reroute the phone number to a decoy system which would appear to be the real one, but would just capture passwords. "I could have a valid user name and password in less than five minutes," he said. The central problem is that the systems are accessible through public phone lines, he said.

Bob Miller, deputy director of the federal Critical Infrastructure Assurance Center, said the FAA's security was no worse than that of many major corporations.

Personnel Problems

Even if outsiders don't crack into FAA systems, security within the agency is lax, administrators said. "It's the insider threat that worries most of the security people" in government, said Miller. The GAO report said the FAA hadn't done background checks on many employees and contractors -- including Chinese nationals hired as part of the effort to head off the Y2K bug, and "penetration testers" who were assigned to break into sensitive systems and diagnose security flaws.

A current FAA computer system administrator who did not want to be identified said that after a reorganization in 1996, many employees were left with security levels much higher than necessary -- levels that could allow them to access personal data about other employees, or systems they don't necessarily supervise. "They can look at personnel records for anybody across the whole maintenance organization," he said. The administrator also backed up the GAO report's conclusion that FAA employees haven't been properly trained on computer security, violating an FAA policy. "Security varies widely from one place to another," he said.

Denying Knowledge

At a hearing before the House Science Committee last week, FAA head Jane Garvey said she hadn't known about the agency's security problems until the GAO brought them up, and that the agency was working on them. But the FAA administrators disagreed: they said they'd brought various concerns to higher-ups as far back as 1996. "I specifically, for the last four years or more, have been screaming and hollering about computer security and the access problems," Haase said.

Science committee chairman Jim Sensenbrenner, R-Wis., said the FAA has had to be brought into security awareness "kicking and screaming" -- but that the final responsibility for safety lies with the agency. "It is your job to be proactive on this," he told Garvey.

FAA spokeswoman Jones said the agency is fixing the security holes. But one current FAA system administrator is still worried. "The FAA has this wonderful mentality of not reacting to something until it's already happened," he said. "Until there is some kind of incident, they don't tend to be genuinely proactive."

-- Rachel Gibson (rgibson@hotmail.com), November 10, 2000


USA Today

Report: Air traffic vulnerable to hackers

Congressional review finds 'pervasive weaknesses' in air traffic computer system security programs

By Blake Morrison, USA TODAY

WASHINGTON -- The nation's air-traffic control system could be vulnerable to hackers because the Federal Aviation Administration has failed to adequately address ''pervasive weaknesses in its computer security programs,'' a congressional report to be released Wednesday contends.

In addition, General Accounting Office (GAO) investigators found the agency has not performed adequate background checks on computer experts hired to spot system vulnerabilities or on foreign nationals hired to tackle Y2K problems.

''As a result,'' the report reads, ''FAA allowed and is continuing to allow contractors to undertake sensitive assessments of the weaknesses in its systems without sufficient assurance that the individuals performing these assessments are reliable and trustworthy.''

The report by the GAO, the investigative arm of Congress, does not address what sort of problems hackers could create, and FAA officials downplayed any threats Tuesday. ''We think there are stringent protections which we're moving to improve daily,'' spokesman Eliot Brenner said. ''There are multiple layers of protection, and we take the security of the air-traffic system seriously.''

Members of the House Science Committee have scheduled a hearing for Wednesday to review FAA efforts to correct the shortcomings, many of which Brenner said the agency already has taken steps to remedy. Even so, he said, the FAA ''is in full agreement'' with the report's recommendations.

The GAO review is the watchdog group's fourth such assessment of the FAA's computer security system in the past three years. All have detailed what the GAO calls ''significant'' security problems.

According to the report to be released Wednesday:

FAA officials have allowed background checks for many senior agency employees with top-secret security clearances to lapse.

''Of 350 headquarters employees with Top Secret clearances,'' the report reads, ''75 were overdue for reinvestigations.'' One employee had not been investigated since 1973, the report says.

Officials have failed to inspect and secure ''numerous air-traffic control facilities.'' Access to the facilities is not being regulated adequately, the report says, and the FAA continues ''to lack assurance that it can effectively prevent the loss or damage of its property, injury of its employees, and compromise of its ability to perform critical aviation functions.''

The agency ''has made little progress'' in assessing its operating systems and therefore ''does not know how vulnerable many of its systems are and has little basis for determining what protective measures are required.''

Despite the findings, FAA Administrator Jane Garvey is expected to testify Wednesday that the agency ''has taken the steps necessary to close the gaps identified by the GAO.''

-- Rachel Gibson (rgibson@hotmail.com), November 10, 2000.

Sounds like they're getting ready to blame all their anticipated breakdowns on hackers.

-- Doris (reaper@pacifier.com), November 10, 2000.
