Feeds

US air traffic faces 'serious harm' from cyber attackers

When. Not if

Secure remote control for conventional and virtual desktops

The United States' air traffic control system is vulnerable to serious cyber attack, according to a watchdog report that detailed several recent security breaches that could have been used to sabotage mission-critical networks.

One of the most serious attacks came last August, when hackers took control of Federal Aviation Administration computers in Alaska. By exploiting the administration's interconnected networks, the miscreants then stole an administrator's password and finally took control of a domain controller in the Western Pacific region. That gave them access to more than 40,000 login credentials used to control part of the FAA's mission-support network.

Two separate attacks in 2006 hit the FAA's remote maintenance monitoring system and its air traffic control systems. The latter forced the FAA to shut down a portion of ATC systems in Alaska.

"These web vulnerabilities occurred because (1) web applications were not adequately configured to prevent unauthorized access and (2) web application software with known vulnerabilities was not corrected in a timely manner by installing readily available security software patches released to the public by software vendors," the report, which was prepared by Assistant Inspector General Rebecca Leng, concluded.

In addition to reviewing recent security breaches, the report also analyzed 70 web applications that support ATC systems and conducted penetration tests into them. The results weren't encouraging.

Auditors identified 763 vulnerabilities rated "high-risk," meaning they could provide attackers with "immediate access into a computer systems, such as allowing execution of remote commands." They also found weak passwords and unprotected critical file folders.

The report went on to fault the FAA for employing woefully inadequate IDS, or intrusion detection systems. While ATC computers are located at hundreds of airport control towers, radar controls and other locations, IDS sensors are installed in only 11 ATC facilities, the report said. What's more, none of the IDS sensors monitor mission critical ATC operation systems.

"In our opinion, unless effective action is taken quickly, it is likely to be a matter of when, not if, ATC systems encounter attacks that do serious harm to ATC operations," the report warned (its emphasis).

The report offers five recommendations for the FAA's acting chief information officer, including ensuring all web apps are configured in compliance with governmental security standards and taking immediate action to correct high-risk vulnerabilities.

In a separate portion of the report, FAA managers said they "will treat vulnerabilities in this report with the utmost diligence." A PDF version of the report is available here. ®

New hybrid storage solutions

More from The Register

next story
Google recommends pronounceable passwords
Super Chrome goes into battle with Mr Mxyzptlk
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
'Speargun' program is fantasy, says cable operator
We just might notice if you cut our cables
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Reddit wipes clean leaked celeb nudie pics, tells users to zip it
Now we've had all THAT TRAFFIC, we 'deplore' this theft
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
TorrentLocker unpicked: Crypto coding shocker defeats extortionists
Lousy XOR opens door into which victims can shove a foot
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.