The United States' air traffic control system is vulnerable to serious cyber attack, according to a watchdog report that detailed several recent security breaches that could have been used to sabotage mission-critical networks. One of the most serious attacks came last August, when hackers took control of Federal Aviation …
Why are these fizz-heads connecting to publicly accessible networks? I know, I know, to save money .... IMO, whoever signed off on that needs to be taken out behind the barn and horse-whipped, on live television, so nobody pulls such a boneheaded mistake again!
What a bunch of fucking morons ... Furrfu!
"In a separate portion of the report, FAA managers said they 'will treat vulnerabilities in this report with the utmost diligence.'"
What's concerning is not the level of diligence the managers will give towards vulnerabilities in this report, but the level given towards vulnerabilities NOT in this report (those currently existing but not in the report, and those found in the future).
Doesn't affect me
I don't travel to America any more. Their border control policy saw to that.
This is just another string to the bow.
Agree with Jake
What exactly is the reason for connecting this stuff to public networks? They can't possibly save that much money.
If you have to you would at least chuck a VPN in the mix.
Asking for trouble.
skull and crossbones is the closest to bonehead I could find
Reached the same conclusions as Jake.
Some bean counter is putting lives at risk because it's 'cheaper'. And they think that they (or their loved ones) won't be on the plane that is deliberately crashed when it does happen.
Whoever signed off really, REALLY does need to be jailed for this.
must now be placed in a clear resealable plastic bag of dimensions no greater than 20x20.
There's already been a major, successful, attack on the integrity of the US ATS: on Sept 11, 2001.
US air traffic control being hacked?
Get Jack Bauer. He'll retrieve the custom CPI unit they're using.
But how are they connected?
Are the machines actually "on the internet" or has someone broken into an encrypted datastream between them? It's a very important distinction -- if the former then, as Jake points out, those responsible should be punished. If it's the latter then does this mean all corporate networks that use leased lines are in trouble?
Unpatched Windows Anyone?
Auditors identified 763 vulnerabilities rated "high-risk,"
WOW. And you thought your nan was bad
So they've got unpatched boxes connected to the web with easy admin passwords providing unfettered access to safety-critical kit, and they can still claim that Gary McKinnon is a cyberhacker-terrorist or whatever who's going down for 20 years? Sorry, but if they can't even take the time for basic due diligence or at least standard maintenance patching, then while a hacker is still breaking the law, these morons need to accept a large portion of the blame for unauthorised access incidents.
Echoing the sentiments of Jake and others, I wonder why they are using web applications for ATC systems at all? You would imagine that such a critical system would require a better infrastructure than a stateless transport protocol and an immature scripting language, transacting over a public and hostile network.
good points by many but why did this happen
My guess is this is a classical organisational problem, not a technical one. There's no single person in charge of security so there's no single person to push for the necessary, their job/neck being on the line.
Even sadder is the case where a few people try to get something done but for exactly the same reasons are prevented because it's not their official responsibility - and no-one within the organisation can give them that responsibility.
@DZ-Jay: perhaps as a technical architect you could lay bare for us the problems with stateless transport protocols and your recommended alternative, and let us also know where immature (?) scripting languages come into this.
the solution is obvious
Create a network of VPN nodes with multiple redundant routes, that utilize end-to-end encryption and authentication and connect your 'computers' to that. Now don't tell how/why it can't be done, tell me how it can be!
"when hackers took control of Federal Aviation Administration computers in Alaska. By exploiting the administration's interconnected networks"
"Two separate attacks in 2006 hit the FAA's remote maintenance monitoring system and its air traffic control systems. The latter forced the FAA to shut down a portion of ATC systems in Alaska"
"The report went on to fault the FAA for employing woefully inadequate IDS, or intrusion detection systems. .. none of the IDS sensors monitor mission critical ATC operation systems"
"What's concerning is not the level of diligence the managers will give towards vulnerabilities in this report, but the level given towards vulnerabilities NOT in this report..."
In the words of that great American, are these "known unknowns" or "unknown unknowns"?
Just curious. ;)
So US Air Traffic Controllers can now work from home?
Because I cannot think of any other plausible reason for these systems to be directly connected to the general internet.
What any ATC organisation does is pretty specific and pretty specialised. Like SCADA systems in utility companies. The bulk of people who have a *legitimate* interest in their detailed operations are similar bodies around the world.
To be fair the quotes "IDS sensors are installed in only 11 ATC facilities" and "What's more, none of the IDS sensors monitor mission critical ATC operation systems" may be misleading. If the truly "Mission critical" systems are on an entirely separate network there would be *no* need for an IDS. Likewise if those 11 sites are the main data centre, and the *only* points of net access they *should* be the only places you need IDS installation. Not saying that is how it is. Merely that it *could* be that way. The tone of the report suggests it is not.
But "ensuring all web apps are configured in compliance with governmental security standards"
This should be a level 1 requirement in the boilerplate for *any* new US Gov. system. And I'm prepared to bet that all of these systems have a *lot* of development doc. attached to each of them. Yes there is probably a big book of stuff to be waded through to ensure this. That's part of the difference between being a professional software developer and a hacker (in the pejorative sense).
The real cost benefit of using internet derived (and open source) standards is the freedom to change suppliers *provided* you follow those standards. Don't like your server farm supplier's deal. Dump them and port it. Tired of browser X's botched rendering engine. Roll out Y. Database not cutting the mustard in response time. Start a new procurement and comment out those xxxx specific macros. You don't *need* to use the *actual* open internet itself to get these benefits.
And not a word on virtual private networks, which would seem an elementary security precaution.
Understanding these questions, and their implications, is the difference between being a Network Architect, a network plumber and a bean counter.
We can hope European ATC organisations are a bit tighter. But who knows?
Mine's the one with Die Hard 2 in the pocket. Obviously on the basis of this report they were clueless amateurs.
All that a real tower controller needs is a radio and his flight-strips.
All that a real approach-controller needs is a radio and his radar.
No computers needed.
As long as most organisations and individuals pay little or no attention to security what can we expect? Our entire society depends on secure computer systems and networks. It's time to pick up the game and be a little serious about security.