Feeds

US air traffic faces 'serious harm' from cyber attackers

When. Not if

High performance access to file storage

The United States' air traffic control system is vulnerable to serious cyber attack, according to a watchdog report that detailed several recent security breaches that could have been used to sabotage mission-critical networks.

One of the most serious attacks came last August, when hackers took control of Federal Aviation Administration computers in Alaska. By exploiting the administration's interconnected networks, the miscreants then stole an administrator's password and finally took control of a domain controller in the Western Pacific region. That gave them access to more than 40,000 login credentials used to control part of the FAA's mission-support network.

Two separate attacks in 2006 hit the FAA's remote maintenance monitoring system and its air traffic control systems. The latter forced the FAA to shut down a portion of ATC systems in Alaska.

"These web vulnerabilities occurred because (1) web applications were not adequately configured to prevent unauthorized access and (2) web application software with known vulnerabilities was not corrected in a timely manner by installing readily available security software patches released to the public by software vendors," the report, which was prepared by Assistant Inspector General Rebecca Leng, concluded.

In addition to reviewing recent security breaches, the report also analyzed 70 web applications that support ATC systems and conducted penetration tests into them. The results weren't encouraging.

Auditors identified 763 vulnerabilities rated "high-risk," meaning they could provide attackers with "immediate access into a computer systems, such as allowing execution of remote commands." They also found weak passwords and unprotected critical file folders.

The report went on to fault the FAA for employing woefully inadequate IDS, or intrusion detection systems. While ATC computers are located at hundreds of airport control towers, radar controls and other locations, IDS sensors are installed in only 11 ATC facilities, the report said. What's more, none of the IDS sensors monitor mission critical ATC operation systems.

"In our opinion, unless effective action is taken quickly, it is likely to be a matter of when, not if, ATC systems encounter attacks that do serious harm to ATC operations," the report warned (its emphasis).

The report offers five recommendations for the FAA's acting chief information officer, including ensuring all web apps are configured in compliance with governmental security standards and taking immediate action to correct high-risk vulnerabilities.

In a separate portion of the report, FAA managers said they "will treat vulnerabilities in this report with the utmost diligence." A PDF version of the report is available here. ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
OpenSSL Heartbleed: Bloody nose for open-source bleeding hearts
Bloke behind the cockup says not enough people are helping crucial crypto project
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Experian subsidiary faces MEGA-PROBE for 'selling consumer data to fraudster'
US attorneys general roll up sleeves, snap on gloves
Bad PUPPY: Undead Windows XP deposits fresh scamware on lawn
Installing random interwebs shiz will bork your zombie box
prev story

Whitepapers

Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.