
Report: US air-traffic control systems hacked

Elinor Mills CNET News | May 8, 2009 4:50 AM PDT

Summary

Hackers have broken into the air traffic control mission-support systems of the U.S. Federal Aviation Administration several times in recent years, according to a report.
Hackers have broken into the air traffic control mission-support systems of the U.S. Federal Aviation Administration several times in recent years, according to an Inspector General report sent to the FAA this week.

In February, hackers compromised an FAA public-facing computer and used it to gain access to personally identifiable information, such as Social Security numbers, on 48,000 current and former FAA employees, the report said.

Last year, hackers took control of FAA critical network servers and could have shut them down, which would have seriously disrupted the agency's mission-support network, the report said. Hackers took over FAA computers in Alaska, becoming "insiders," according to the report dated Monday.

Then, taking advantage of interconnected networks, hackers later stole an administrator's password in Oklahoma, installed "malicious codes" with the stolen password and compromised the FAA domain controller in the Western Pacific Region, giving them the access to more than 40,000 FAA user IDs, passwords, and other data used to control a portion of the mission-support network, the report said.

And in 2006, a virus spread to the air traffic control (ATC) systems, forcing the FAA to shut down a portion of its systems in Alaska, according to the report.

The attacks so far have primarily disrupted mission-support functions, but attacks could spread over network connections from those areas to the operational networks where real-time surveillance, communications and flight information is processed, the report warned.

"In our opinion, unless effective action is taken quickly, it is likely to be a matter of when, not if, ATC systems encounter attacks that do serious harm to ATC operations," the report concluded.

This article was originally posted on CNET News.

92 Comments

Why does....
OhTheHumanity 8th May 2009
The FAA need to have these systems linked to a public facing system? Couldn't they use private networks and segment this stuff from the internet? I just don't understand why there needs to be a connection. I would just like someone to explain that to me.
0 Votes
+ -
I was assuming 24 or Die Hard
Maarek Stele 8th May 2009
Even SS numbers should be in a database encrypted. They should be easily viewable. AES encryption requires a coded word to decrypt any AES encryption. So the time that they had would not be enough to decrypt the SS#. One layer of security is not enough, you need internal monitoring and levels.
0 Votes
+ -
Hmmmm, now, which OS gets viruses?
whisperycat 8th May 2009
Why was a virus-prone OS used for ATC?
0 Votes
+ -
LOL
Hallowed are the Ori 8th May 2009
pwned!
0 Votes
+ -
Windoze is at fault!!!
0 Votes
+ -
You just missed another excellent opportunity
InAction Man Updated - 9th May 2009
to remain silent.

On page 9 of the report you can read:

"These Web vulnerabilities occurred because (1) Web applications were not adequately configured to prevent unauthorized access and (2) Web application software with known vulnerabilities was not corrected in a timely manner by installing readily available security software patches released to the public by software vendors."

Is Linux a software vendor?
0 Votes
+ -
And..
vmaatta 11th May 2009
"... was not corrected in a timely manner by installing readily available security software patches released to the public by software vendors."

Just to drive the point home. Security updates had been published by the vendors but those had not been installed.
What makes any of us think the FAA is REALLY interested in security and safety?
They have a track record of putting safety second to "smooth" commercial operations (you wouldn't suppose $$money$$ has anything to do with this?)!
0 Votes
+ -
The answer to all our problems....
OhTheHumanity 8th May 2009
Throw money at it, that will fix it. So in this day and age, I would say hey worry about the money and the rest will follow. Looks like we have come real far as a human race. Money.. money.money....money.........money.
0 Votes
+ -
So I'm really not sure what your complaint is. Everything could be safer, but by far the safest way to travel is to fly. Walking down a sidewalk is more dangerous.
Especially if you magically know it is going to be YOUR life lost due to stupidity, incompetence, or worse - greed!
0 Votes
+ -
Maybe
LiquidLearner 9th May 2009
but considering the stupidity of other drivers has a far bigger impact on our lives than this I think maybe we're focusing too much in a relatively unimportant part. It's sort of like our reaction to the Swine Flu. No more deadly than the regular flu and yet it's treated like the black plague. Conficker is another good case of overreaction to one problem rather than focusing on the bigger picture.
0 Votes
+ -
uh how does that work?
AccesPublic 10th May 2009
How does greed lead to someone getting killed? No one is paying anyone to lose lives. If anything, greed would motivate air travel to become safer.
0 Votes
+ -
Dear kdSauq
elderlybloke Updated - 15th May 2009
What makes YOU think that the FAA is NOT interested in security and safety?

That is what they exist for!

Do you know anything about aviation?
That's the reason these got hacked - how many more Windows security breaches will we tolerate before we banish Windows to the scrap heap?
0 Votes
+ -
Yeah....
OhTheHumanity 8th May 2009
They saved $15 million because they stopped managing their systems with the proper techs it seems. Switching OS's is not where the savings is; it is mostly with the cost of maintenance. Someone probably told them they could switch to linux and get rid of the techs. They probably lost the $15 million they saved in putting out the fires. Again, it makes you wonder?
If they really wanted to do the job right, they would've moved to a real distribution... Red Hat is like the runt of the litter... purely designed for new users, simplistic admin and those too stuck in winedows mode to move on to the real stability, security and performance Linux can provide such as from a customized Debian installation.
0 Votes
+ -
"hackers later stole an administrator's password in Oklahoma, installed "malicious codes" with the stolen password"
0 Votes
+ -
...and PII was stolen in 2009
Earthling2 Updated - 9th May 2009
They must have used techniques from Hackers to steal PII from Unix and Oracle based systems in 2009 with three year old passwords from Windows!

References:
http://www.imdb.com/title/tt0113243/

http://www.cioinsight.com/c/a/Past-News/Report-Air-Traffic-Systems-Wide-Open-to-Hacker-Attacks/

http://www.theinquirer.net/inquirer/news/1008257/faa-switches-air-traffic-control-to-linux
0 Votes
+ -
Please Read the Report and the article before posting.
InAction Man Updated - 9th May 2009
The article starts with: "Hackers have broken into the air traffic control mission-support systems of the U.S. Federal Aviation Administration several times in recent years"

They have been continuously hacking those systems because they got administrative privileges through windoze!

On page 9 of the report you can read:

"the ATC IP-based network infrastructure consists primarily of its backbone FTI wide-area network and numerous local area networks within ATC facilities."

I wonder what OS those network clients are running.
0 Votes
+ -
How about they....
OhTheHumanity 8th May 2009
work to be proactive and not reactive. There obviously was not enough emphasis on this and is the reason that they were compromised. Our government is notorious for this kind of stuff and you would think they would be the best at it since they are probably the most targeted organization on the web today.

Makes you wonder if the ship is just too large to manage. I think so, and this stuff will keep happening for years and years to come so get used to it. Someone needs some damn common sense before hooking stuff up to the internet.
0 Votes
+ -
The funny thing is...
LiquidLearner 8th May 2009
almost no news article on this mentions the OS that was compromised. GL is right on the switch. Now if it were Windows do you think it wouldn't be plastered all over right about now? If this were a Windows network breach it would be pounded into our head.

The idea that the government, with the amount of money it wastes, is running ANY commercial, public sector operating system is absolutely absurd. If anything they should be running a custom build of BSD or Linux if not for the open source license issues. Anything if the OS is either A) has the source code available or B) is under the constant attack of the Windows ecosystem, has absolutely no business being used to protect national security. The government systems should be, by far, the most closed systems on the planet with absolutely no interaction with the outside world that isn't extremely tightly controlled.

Is this a job for Windows? No. Any distro of Linux currently out there? No. Off the shelf BSD distro? No. Apple? No.
0 Votes
+ -
a case of stolen passwords that started before 2006
InAction Man Updated - 9th May 2009
BEFORE Linux arrived there.

'hackers later stole an administrator's password in Oklahoma, installed "malicious codes" with the stolen password'
0 Votes
+ -
RE: Report: US air-traffic control systems hacked
Loverock Davidson 8th May 2009
They must have been using linux.
0 Votes
+ -
Sorry dude, they compromised Windows systems.
B.O.F.H. Updated - 8th May 2009
Problem with going with the lowest bidder and commercial software (etc.).
0 Votes
+ -
A case of stolen passwords done through windoze
InAction Man Updated - 9th May 2009
Hackers started stealing admin passwords before 2006. Linux implementation started in 2006.
0 Votes
+ -
0 Votes
+ -
what has been happening since is simply an unavoidable consequence of windoze vulnerabilities.

On page 9 of the report it says: "the ATC IP-based network infrastructure consists primarily of its backbone FTI wide-area network and numerous local area networks within ATC facilities."

Plenty of windoze clients for those hackers to exploit!
0 Votes
+ -
Can't remove rogue admin accounts?
Earthling2 Updated - 9th May 2009
What has been happening since 2006? I don't understand.

Hackers got access to the system in 2006; the system was converted from Windows to something else in 2006, and hackers still have access to admin accounts? What kind of IT management can't detect and remove rogue admin accounts for 3 years and after switching to a different OS? Why is this unavoidable?

Somebody also suggested having passwords in documents stored on less secure systems. What kind of madness would that be and why would it be Windows fault?

IMO there is no information in the report to make assumptions as to what has been actually happening and with what kinds of OS and databases.
Most probably the true admins never suspected what was happening until recently.

Why is Windows at fault here? Because the best hacker tools run on Windows, and those hackers needed some very good tools to get into that system.
0 Votes
+ -
The best hacker tools run on Windows?
LiquidLearner 10th May 2009
That's odd. When I went to a recent security conference put on by the Secret Service, every utility they gave us for remote exploitation of code ran on Linux. Something to do with limiting TCP connections and packet capture ability within Windows to prevent these utilities from being as useful as they are on Linux.

Also, it must have been my imagination that we were using remote escalation and execution attacks on Apache web servers back in the mid-90s. It wasn't terribly difficult back then, of course in the mid-90s no one took security very seriously.
0 Votes
+ -
@LiquidLearner: Today, viruses are the best hacker tools!
InAction Man Updated - 10th May 2009
"in 2006 a virus spread to the air traffic control"

Now tell us, where would those tools run best? A vulnerable windows client of course!

According to the report there are numerous local area networks within ATC facilities (page 9), I guess those clients run on windoze.
0 Votes
+ -
Just goes to show !
Aussie_Troll 8th May 2009
All this time the Linux fanboys are saying Linux is more secure by design, and thinking they are "safe by default" they lost sight of the fact that their security was because it was not worth the effort.

When there is a high value target, something worth going for Linux is clearly no match.

It's quite common to hear about web sites being hacked and defaced, and yet Linux claims to host most of the web, again when the value of the target is high enough Linux seems to be no problems.

When the Windows NT and W2K source code was stolen off a PC in a lab it was from a Linux box.
Again when the value of the data is high enough Linux is no problems.

It also shows it's a serious error to ever think an OS or system is secure.
From: Report: Hackers broke into FAA air traffic control systems

In general, the nation's critical infrastructure is increasingly at risk as previously isolated and closed systems are moved to the Internet and commercial software, like Windows, is used, security experts have said.

It is also reported that they did not do adequate security of the infrastructure (as in, installing an IDS) which allowed it to be compromised easily. Welcome to 'lowest bidder wins' type infrastructure decisions (US Government procurement).
0 Votes
+ -
However running Windows, or any other commercial software, linked to the ATC system is stupid anyway. As far as low-bid, that's perfectly fine but only if the requirements are very well outlined and met by the vendor that is selected.
0 Votes
+ -
Lowest bidder was Red Hat in 2006
Earthling2 9th May 2009
In 2006 the lowest bidder was Red Hat: http://www.linuxinsider.com/story/LsB1h2Ftrztp7M/Red-Hat-Move-to-Linux-Saved-FAA-15-Million.xhtml?wlc=1241803203&wlc=1241890799.

After refreshing the entire system there remain many hundreds of vulnerabilities, according to the actual report. http://www.oig.dot.gov/StreamFile?file=/data/pdfdocs/ATC_Web_Report.pdf.

You wrote:

> In general, the nation's critical infrastructure is increasingly at risk as previously isolated and closed systems are moved to the Internet and commercial software, like Windows, is used, security experts have said.

If you follow the link for "security experts have said", it has nothing to do with the report that is being discussed.

I could not find words Windows, Microsoft, UNIX or Linux in the report.
more, much more.

With marketers outnumbering coders 8 to 1 what could M$ do more?
0 Votes
+ -
that makes no sense
AccesPublic Updated - 10th May 2009
Even if just 5% of Microsoft's 90,000 employees
actually touch code, that's still almost twice
as many people coding as Red Hat's entire
company of 2,800 people.
0 Votes
+ -
It makes a LOT of sense!!!
InAction Man 10th May 2009
Red Hat concentrates on producing good software while M$ concentrates on WGA, crippling their code to generate several versions of the same product, etc.

Those WGA and crippling efforts are a part of M$'s marketing strategy, they do reduce the quality of code produced and deviate the coder's attention from what has to be done.

And let us not forget that Red Hat coders benefit a lot from code produced by the community.
0 Votes
+ -
Hackers got their passwords through windows
InAction Man Updated - 9th May 2009
When Linux implementation started they already had their admin passwords. Besides, there are numerous local area networks within ATC facilities (page 9 of the report) with clients running on windoze.

Those hackers exploited windoze vulnerabilities to get into that system!
0 Votes
+ -
Nowhere in the article does it say what they are running. I have found articles that indicate that the FAA uses *nix, and Windows. The article certainly does not say which of these systems were compromised.

Just a whole lot of trolls here from both sides of that fence.

The underlying issue is, why are they not running stricter firewall policies?
0 Votes
+ -
Trolls?
OhTheHumanity 8th May 2009
Go back and read my posts and you will always see that I recommend security on everything attached to the net. I could care less what you use, but I like to set the record straight when I see it being so misconstrued it's almost laughable what people will say. And sorry if I defend Windows, but I do not have the same issues that everyone seems to freak out about and so like I always say maybe I am just that good a tech or Windows is actually a very good OS. That doesn't mean Linux and Mac's aren't.

I agree with your last assessment and most if not all of these issues are caused by human error and not taking best practices to heart. Good techs can mitigate security issues when they are proactive, it's not 100%, but sure does make for a tougher target and in most cases will prevent them from attempting a compromise. I don't care what OS you run.
0 Votes
+ -
So true
LiquidLearner 8th May 2009
Speed is on the money though. There are some trolls on both sides. But really it's silly because we shouldn't be having this discussion. Firewall policies should be FAR stricter. If you approach security from all angles it makes it almost impossible to get you. I'm not personally responsible for keeping something like the FAA safe, but I have my share of law enforcement agencies, banks and doctors' offices under my belt. And any place we implement "best" practices their proactive maintenance is very predictable and they very rarely have problems. When they try to "get by" with just AV they usually get burned.

You always have 2 backups, one quickly/easily accessible and another to tape if possible. You always have AV, Firewall, IPS, Gateway AV, Gateway Anti-spyware. You use encryption for sensitive data. Throw in Group Policy and, if they're willing, ScriptLogic and you can prevent anything you don't want on any machine you don't want. I have networks where policy defines programs allowed to run. If it's not one of those programs, the OS won't launch it.

These situations really make me sad for our industry. I personally know so many terrible, terrible network administrators that it scares me. When I have to go setup Exchange 2007 for a Network Admin who does nothing all day and only has 70 users it makes me wonder... This oversaturation of underskilled support for computer systems, given their complexity, is dragging the entire industry down and infecting every sector now. A few years ago Linux was safe from the clueless but I ran into one recently at a fairly large medical software vendor. And apparently the FAA has no shortage of them.
0 Votes
+ -
Once they got admin to the domain it might have been trivial to locate documentation indicating what the root passwords were on the 'nix systems. Once you got root, it's game over.

0 Votes
+ -
of what the FAA was running and which systems were compromised. The article does not say if it was the FAA's *nix systems, or windows, or other based systems.
0 Votes
+ -
Well....
zkiwi 8th May 2009
When you see the words "domain controller" you usually think, "Aha! Windows!"

So, I'd say that from what little detail there is written that it was windows systems that were hacked (first) and maybe the *nix ones after that. However, I am reconsidering if I want to fly the friendly skies anytime soon...
0 Votes
+ -
yes but
xXSpeedzXx 8th May 2009
the Domain Controller was not named until the 3rd paragraph, and a whole lot of system failures happened in betwixt. So without knowing what that internet facing computer was, it still leaves it to assumption as to what systems were really compromised.
