ABC
Airports in Danger
FAA Employees: ItB�s Easy to
Shut Down Radar
FAA systems administrators and security
experts say almost anyone could break
into an air traffic Maintenance Control
System and shut down radar.
(www.ArtToday.com)
By Sascha Segan
Oct. 16 B� Federal officials have criticized
security at the Federal Aviation Administration,
but former and current FAA systems
administrators tell ABCNEWS.com the problem
is even worse than has been admitted, and
almost anyone with a little technical savvy could
break into the system and shut down radar at
major air hubs around the nation.
The administrators say that with an ordinary home
computer, a few freely available programs and the right
password, anyone could dial into a secure FAA
maintenance system. Once inside, they would have access
to the computers that are used to control airport radar
systems.
WhatB�s more, thousands of unsecured laptops used by
FAA employees, some pre-programmed with important
passwords, could provide the wrong people with shortcuts
into the system if they were lost or stolen, the
administrators said.
B�If this thing fell into the wrong hands, a terrorist could
really do some damage,B� retired FAA administrator Norm
Haase said.
A report from the congressional General Accounting
Office, released Sept. 27, condemned the FAA for having
lousy security and hinted at the potential for computer
break-ins. The administrators gave clear details B� and
explained how easy it really is to wreak havoc on FAA
systems.
Security experts, including notorious reformed computer
criminal Kevin Mitnick, agreed with the administratorsB�
assessment and said they could probably break into an air
traffic Maintenance Control System in anywhere from five
minutes to a week, given the security structure the
administrators described.
An FAA spokeswoman said the agency couldnB�t talk
about specifics, but that it was aware of the security flaws
and was working to fix them.
B�Potential areas of vulnerability in the MCS B� have
been identified, with the appropriate security
countermeasures implemented,B� Tammy Jones said.
But the GAO report said the FAA has a poor track
record on following its own security policies, saying the
agency has made B�little progressB� swatting B�known,
exploitable bugsB� and that two out of three systems tested
for hack-ability a year ago have yet to be fixed.
And the system is vulnerable from the inside as well.
The agency never updated its security regime after a 1996
reorganization, leaving many employees with greater
access than they should have, administrators said.
Open Access
Administrators need to get to their maintenance systems 24
hours a day, often from home B� for instance, to fix urgent
system problems that come up in the middle of the night. If
the remote access was secure, it wouldnB�t be a problem,
experts said.
But the systems use unencrypted connections over
public phone lines. That means any hacker can get in with a
B�war dialerB� (an early-1980s piece of software that dials a
lot of phone numbers, searching for computer modem
tones), the right passwords, and an obscure but free
program for connecting to mainframes. It would be the
same sort of attack that hackers have used repeatedly to
compromise numerous corporate computer systems, as well
as some in government.
The laptops make break-ins even easier, and more than
3,700 have been distributed nationwide, according to
Haase. Some have pre-programmed phone numbers and
passwords for various FAA systems, many with passwords
for the MCS. Some, he said, have already been lost.
The laptops donB�t have to be stolen, said Jim Jones,
director of response services for computer security firm
Global Integrity. As theyB�re also used for private e-mail, a
Trojan Horse program could be sent through e-mail, which
would redirect passwords and phone numbers into the
wrong hands.
Gaining Control
The maintenance systems, known as the Maintenance
Management System and the Monitor Control System,
allow administrators to shut down, restart and reorient the
radars and instruments that feed into air traffic controllersB�
screens.
B�You canB�t access ATC command stations remotely,
but you can screw up the data going into them,B� Haase
said.
The dial-up systems donB�t encrypt their data, which
would prevent passwords from being stolen through
wiretaps. Encrypting the laptop hard drives would make
them useless to unauthorized users, and the FAA had a
plan to do that but hasnB�t followed through, Haase said.
The systems arenB�t classified, either, so they donB�t have
to conform to regulations on classified data.
The agency owns B�dialbackB� modems which only
accept calls from pre-screened phone numbers, but doesnB�t
use them much.
B�I wonB�t say that they used them, but they were there,B�
another retired FAA administrator said.
Fortunately, thereB�s no firm evidence that hackers have
ever broken into critical FAA systems, though a Colorado
teenager hacked into agency mail and Web servers last
year. Few hackers are familiar with the FAAB�s
mainframes, and administrators said fewer are interested in
breaking into a low-profile system that isnB�t connected to
the Internet.
Hack Attacks
Mitnick, a reformed ex-computer criminal who now speaks
on computer security issues, said someone with his skills
would have no problem breaking into the FAAB�s system.
A break-in artist could use a war dialer to find the right
phone number and smooth talk to trick users into revealing
passwords, or could reroute the phone number to a decoy
system which would appear to be the real one, but would
just capture passwords.
B�I could have a valid user name and password in less
than five minutes,B� he said.
The central problem is that the systems are accessible
through public phone lines, he said.
Bob Miller, deputy director of the federal Critical
Infrastructure Assurance Center, said the FAAB�s security
was no worse than that of many major corporations.
Personnel Problems
Even if outsiders donB�t crack into FAA systems, security
within the agency is lax, administrators said.
B�ItB�s the insider threat that worries most of the security
peopleB� in government, said Miller.
The GAO report said the FAA hadnB�t done background
checks on many employees and contractors B� including
Chinese nationals hired as part of the effort to head off the
Y2K bug, and B�penetration testersB� who were assigned to
break into sensitive systems and diagnose security flaws.
A current FAA computer system administrator who did
not want to be identified said that after a reorganization in
1996, many employees were left with security levels much
higher than necessary B� levels that could allow them to
access personal data about other employees, or systems
they donB�t necessarily supervise.
B�They can look at personnel records for anybody across
the whole maintenance organization,B� he said.
The administrator also backed up the GAO reportB�s
conclusion that FAA employees havenB�t been properly
trained on computer security, violating an FAA policy.
B�Security varies widely from one place to another,B� he
said.
Denying Knowledge
At a hearing before the House Science Committee last
week, FAA head Jane Garvey said she hadnB�t known about
the agencyB�s security problems until the GAO brought them
up, and that the agency was working on them.
But the FAA adminstrators disagreed: they said theyB�d
brought various concerns to higher-ups as far back as 1996.
B�I specifically, for the last four years or more, have
been screaming and hollering about computer security and
the access problems,B� Haase said.
Science committee chairman Jim Sensenbrenner,
R-Wis., said the FAA has had to be brought into security
awareness B�kicking and screamingB� B� but that the final
responsibility for safety lies with the agency.
B�It is your job to be proactive on this,B� he told Garvey.
FAA spokeswoman Jones said the agency is fixing the
security holes. But one current FAA system administrator
is still worried.
B�The FAA has this wonderful mentality of not reacting
to something until itB�s already happened,B� he said. B�Until
there is some kind of incident, they donB�t tend to be
genuinely proactive.B�
-- Rachel Gibson (rgibson@hotmail.com), November 10, 2000
USA
Today
Report: Air traffic vulnerable to hackers
Congressional review finds 'pervasive weaknesses'
in air traffic computer system security programs
By Blake Morrison, USA TODAY
WASHINGTON B� The nation's air-traffic control system
could be vulnerable
to hackers because the Federal Aviation Administration
has failed to
adequately address ''pervasive weaknesses in its
computer security programs,''
a congressional report to be released Wednesday
contends.
In addition, General Accounting
Office (GAO) investigators found
the agency has not performed
adequate background checks on
computer experts hired to spot
system vulnerabilities or on foreign nationals hired
to tackle Y2K problems.
''As a result,'' the report reads, ''FAA allowed and
is continuing to allow
contractors to undertake sensitive assessments of the
weaknesses in its
systems without sufficient assurance that the
individuals performing these
assessments are reliable and trustworthy.''
The report by the GAO, the investigative arm of
Congress, does not address
what sort of problems hackers could create, and FAA
officials downplayed
any threats Tuesday. ''We think there are stringent
protections which we're
moving to improve daily,'' spokesman Eliot Brenner
said. ''There are multiple
layers of protection, and we take the security of the
air-traffic system
seriously.''
Members of the House Science Committee have scheduled
a hearing for
Wednesday to review FAA efforts to correct the
shortcomings, many of
which Brenner said the agency already has taken steps
to remedy. Even so, he
said, the FAA ''is in full agreement'' with the
report's recommendations.
The GAO review is the watchdog group's fourth such
assessment of the
FAA's computer security system in the past three
years. All have detailed
what the GAO calls ''significant'' security problems.
According to the report to be released Wednesday:
FAA officials have allowed background checks for many
senior agency
employees with top-secret security clearances to
lapse.
''Of 350 headquarters employees with Top Secret
clearances,'' the report
reads, ''75 were overdue for reinvestigations.'' One
employee had not been
investigated since 1973, the report says.
Officials have failed to inspect and secure
''numerous air-traffic control
facilities.'' Access to the facilities is not being
regulated adequately, the report
says, and the FAA continues ''to lack assurance that
it can effectively prevent
the loss or damage of its property, injury of its
employees, and compromise of
its ability to perform critical aviation functions.''
The agency ''has made little progress'' in assessing
its operating systems and
therefore ''does not know how vulnerable many of its
systems are and has little
basis for determining what protective measures are
required.''
Despite the findings, FAA Administrator Jane Garvey is
expected to testify
Wednesday that the agency ''has taken the steps
necessary to close the gaps
identified by the GAO.''
-- Rachel Gibson (rgibson@hotmail.com), November 10, 2000.