
3,800 Vulnerabilities Detected In FAA's Web Apps

Posted by kdawson
from the fear-of-flying dept.
ausekilis sends us to DarkReading for the news that auditors have identified thousands of vulnerabilities in the FAA's Web-based air traffic control applications — 763 of them high-risk. Here is the report on the Department of Transportation site (PDF). "And the FAA's Air Traffic Organization, which heads up ATC operations, received more than 800 security incident alerts in fiscal 2008, but still had not fixed 17 percent of the flaws that caused them, 'including critical incidents in which hackers may have taken over control of ATO computers,' the report says. ... While the number of serious flaws in the FAA's apps appears to be staggering, Jeremiah Grossman, CTO of WhiteHat Security, says the rate is actually in line with the average number of bugs his security firm finds in most Web applications. ... Auditors were able to hack their way through the Web apps to get to data on the Web application and ATC servers, including the FAA's Traffic Flow Management Infrastructure system, Juneau Aviation Weather System, and the Albuquerque Air Traffic Control Tower. They also were able to gain entry into an ATC system that monitors power, according to the report. Another vulnerability in the FAA's Traffic Flow Management Infrastructure leaves related applications open to malware injection."
  • BRB Guys (Score:5, Funny)

    by pwnies (1034518) * <j@jjcm.org> on Monday May 11, 2009 @06:40PM (#27915479) Homepage Journal
    Gonna hack into the FAA's site and arrange for some low fly-bys of New York city so I can take some nice pics. I'm sure no one will notice.
  • by tanmanX (1275146) <gweatherlight.yahoo@com> on Monday May 11, 2009 @06:42PM (#27915505)

    Something the federal government perhaps needs: a pool of IT professionals that are available to all federal agencies, with the full range of clearances to keep critical, and not so critical, networked government information and hardware safe from ill-intentioned eyes.

    • by arizwebfoot (1228544) * on Monday May 11, 2009 @06:51PM (#27915605)
      We'll get Chuck from the Nerd Herd and he can "flash" 'em.
      • by canipeal (1063334)

        We'll get Chuck from the Nerd Herd and he can "flash" 'em.

        The fear of being subjected to pasty hairy man boobs just might get the operations team at the FAA to get off their asses and do their job.

    • by Baricom (763970)

      I could be missing the joke, but isn't said agency the NSA [nsa.gov]?

    • by Ihmhi (1206036)

      The NSA developed SELinux, yes? Which is supposed to be an insanely secure Linux for the paranoid (who of course wouldn't download something written by the NSA...).

      Since Linux could be written to do pretty much, well, anything, a better investment would be an organization that writes custom OSes for departments. ATTLinux (Air Traffic Control), for example. It can do what it has to do and nothing more. No web browser, for instance, or if it had one only certain ports would work, period.

      If they keep stuff like

      • Re: (Score:3, Informative)

        The problem is that an operating system is just something you need to get the application to work on the hardware you choose. It might be a small part of the problem. If you decide to create your own custom distro for the purpose of running your application you're going to possibly run into problems getting your application stack to work correctly on top of it or may have problems getting support.

        The OS they chose was RHEL [gcn.com] and you can infer some of the rest of the stack from the requirements [74.125.47.132].

        Looks like they

      • Re:Geeksquad.Gov (Score:4, Insightful)

        by Zero__Kelvin (151819) on Tuesday May 12, 2009 @07:20AM (#27920249) Homepage

        "The NSA developed SELinux, yes? Which is supposed to be an insanely secure Linux for the paranoid (who of course wouldn't download something written by the NSA...)."

        We don't accept binaries from the NSA. Source code is welcome, thus SELinux.

        • by Ihmhi (1206036)

          I trust you haven't looked through the code, then? The first letter of the first few lines spells out "I-A-M-A-T-E-R-R-O-R-I-S-T", and then BAM they have you!

  • ... and here we have people worried about exploding shoes and finger nail clippers.

  • by canipeal (1063334) on Monday May 11, 2009 @07:15PM (#27915825)
    As a security engineer (CISSP & CSSLP) with several years of experience in C&A and pen testing, I must say that the results aren't a surprise by any means. What I DO find disturbing is the amount of detail provided in a public report given the fact that the FAA has yet to fully apply its remediation strategies for the vulnerabilities identified. Is there any info as to what tools they used for app testing? My experience shows that tools such as App Detective and Web Inspect actually inflate the number of findings. This is due to the fact that the applications identify vulnerabilities by instance and not by category/type.
    • by phantomfive (622387) on Monday May 11, 2009 @07:25PM (#27915927) Journal
      What bugs me is all these links in the summary are to articles. Forget that, I want a link to the page where I can control a plane!!
      • by Canazza (1428553)

        I'll get to work on a Google Maps Mash-up right away :D

      • Forget that, I want a link to the page where I can control a plane!!

        Are you sure you don't want a VB GUI to trace its route? ;-)

        • (Sorry for the self-reply, but I wanted my two points to be independently moddable; this'll probably get modded OT, but I got karma to burn...)

          Speaking of computers and technology in pop culture, I've recently watched Die Hard 4.

          In general, it's everything we hate: overblown graphical interfaces ("tracing $BADGUY, [$n percent progress bar]"), interfaces that work the "wrong" way (when your box gets hacked, the screen goes fuzzy like a TV with poor reception), nonsensical terminology ("it's a E-bomb!").

          But!

    • by Zapotek (1032314) <.tasos.laskos. .at. .gmail.com.> on Monday May 11, 2009 @08:06PM (#27916263) Homepage
      Funny thing...
      I was developing a web app security assessment platform like Metasploit but for web apps... so I had to get a peek at the competition.
      So like a good boy I set up a logger on my website and asked a big security firm to demo their own automated web assessment tool on my website.
      I received a report of some hundreds of vulnerabilities. Needless to say, not one of them was correct. So I e-mailed them back and told them and got a response with an apology.
      If they used an automated tool like that it's very probable most of the vulns were false positives.
      Oh, and by the way, many of these tools detect e-mail addresses or contact info posted on the site as possible vulnerabilities because they provide "sensitive information".

      My point being... don't fully trust the report. Sure, they must have some serious security risks on their website, but 3,800 seems extravagant.

      PS. Sorry to the guy above me with the

      I want a link to the page where I can control a plane!!

      for removing my mod +1 funny to his comment. I just had to post this reply. hehe

      • by rtb61 (674572)

        In this case, step 1 of the security assessment: does it need to be connected to the internet? 'NO', then don't connect it. Step 2, risk assessment: just because web apps and the internet are the cheapest way of doing things, is it appropriate where thousands of people's lives are at risk? 'NO', then don't do it as a web app; spend the extra money, or eventually the laws will change and you will go to jail for killing people just to save a few bucks.

        • by Zapotek (1032314)
          I'm with you 100%.
          Mission critical systems should not be accessible to the outside world.
          If you really want to remote control it write your own client/server or whitelist IP addresses, add encryption or just use a VPN.
          Scratch that...do all of the above!
          I mean which net architect/admin can't set up a simple VPN? That's what they were designed for...that's what they're good at.
          You can pick up any CCNA (yes, I know I'm kinda advertising here, I don't care) student and he'll do it for you...

          Yeah I know if y
          • Re: (Score:3, Informative)

            by Anonymous Coward

            As a pilot I've had to interact with a lot of the FAA's web presence. Much of this seems to stem from convenience and cost cutting around flight planning.

            Currently, the FAA operates a telnet-based Direct User Access Terminal, which provides flight planning information (both weather and wind/time calculations) and the ability to file a flight plan over the internet. That system is used by any number of sites to put a pretty face on it and make it more user friendly. In short, a pilot could plan a flight and

        • does it need to be connected to the internet, 'NO', then don't connect it.

          This is the question I'm really interested in... are the machines in question (particularly those actually involved in ATC) connected to the internet? If the machines can be hit from the internet, this is a giant problem. But if you have to start with physical access to the network because it's physically isolated from the larger internet, that's not nearly as bad. You still have to worry about an "inside job", but that's a lot less

      • The scanner used against you must not have been very good. The most common (and least expensive) vulnerability scanner, Nessus, only generates a very small minority of false-positive results.

      • "I set up a logger on my website and asked a big security firm to demo their own automated web assessment tool on my website. I received a report of some hundreds of vulnerabilities. Needless to say not one of them was correct"

        What was the name of this big security firm, the name of the web assessment tool and the name of your site? And how does this affect the validity or otherwise of the FAA report [dot.gov]?
    • by wdmr (884924)

      I am very familiar with White Hat. They use a combination of internally developed tools and real live thinking human beings really actively trying to exploit code and logic flaws in the environment.

      In my experience, they are very sharp and very (exhaustively) comprehensive.

      This is not a handful of "audit kiddies" who barely know how to install and run their tools let alone understand what those tools find.

    • Yeah, I remember my old job...they hired Arthur Andersen to do some security testing...some guy in a nice suit arrived, ran Nessus against our network, PRINTED IT OUT, and gave it to the boss in a nice leather-bound book. And that was it.

      Nessus circa 2001 was well-known for its many false positives and warnings, although there was useful information in there if you went through it.

    • "As a security engineer(CISSP&CSSLP) with several years of experience in C&A and pen testing, I must say that the results aren't a surprise by any means"

      Any 'security engineer' who is responsible for such a system should be fired and face criminal charges. The average ISP has better security.
  • PDF Report (Score:5, Funny)

    by InsertWittyNameHere (1438813) on Monday May 11, 2009 @07:17PM (#27915835)

    The PDF report itself tests for the 3801st vulnerability.

  • You don't say? (Score:5, Insightful)

    by schon (31600) on Monday May 11, 2009 @07:20PM (#27915885)

    Jeremiah Grossman, CTO of WhiteHat Security, says the rate is actually in line with the average number of bugs his security firm finds in most Web applications.

    Oh, well that makes it OK then.

    After all, when a Chinese or Russian hacker out to prove a point wreaks havoc by exploiting one of these, they can always just say "Don't worry, we're no worse than blogger.com!"

    • I have never seen a company with a security department large enough to realistically keep the number of publicly-discoverable/exploitable vulnerabilities in a network to near zero. Most companies have just enough IT security staff to fill checkboxes on some auditor's clipboard. Companies with relatively "good" security may have enough staff to actually address the most severe and easily exploited problems with their networks. In such a "good" company, any hacker who wants to break in to that company will be

  • "And the FAA's Air Traffic Organization, which heads up ATC operations, received more than 800 security incident alerts in fiscal 2008, but still had not fixed 17 percent of the flaws that caused them, 'including critical incidents in which hackers may have taken over control of ATO computers,' the report says. ... While the number of serious flaws in the FAA's apps appears to be staggering, Jeremiah Grossman, CTO of WhiteHat Security, says the rate is actually in line with the average number of bugs his se

  • Programming (Score:4, Interesting)

    by icepick72 (834363) on Monday May 11, 2009 @07:36PM (#27916019)
    Who builds the FAA web apps?
    • Re:Programming (Score:5, Insightful)

      by xanadu-xtroot.com (450073) <xanadu@ino r b it.com> on Monday May 11, 2009 @08:09PM (#27916291) Homepage Journal

      Who builds the FAA web apps?

      The lowest bidder, of course!

      • by Zapotek (1032314)
        Unfortunately this sounds about right...
      • by teridon (139550)
        The lowest bidder, of course!

        This is a myth about government contracts. While cost is of course a major factor in government bids, they are also required to take into account factors like service, company reputation, and proven technical ability to do the job at the cost quoted.

        Of course, there is also the good-ole boy factor...

        • I work for a defense contractor, and in every contract where I've been a part of the bidding process, yes, cost is a factor... but it's explicitly the least important factor. It comes in behind past performance, demonstrated ability to do the work, etc. I'm not sure how the government selected contractors in the past, but these days, cost is only part of the answer, and not necessarily the biggest part.
      • by JazzLad (935151)
        Fortunately the Bush Administration used no-bid contracts. -1 Troll & +1 Insightful
  • I would just build a CIP device to give access to all our nation's infrastructure via a hardware interface. As long as Sengala doesn't screw with it, we should all be fine.
  • FTFR:

    35 Internet-based or public use web applications were tested. On those web based applications 212 high risk, 169 medium risk, and 1,037 low risk vulnerabilities were found.

    What apps? What vulns?
    Surely they've all been fixed/replaced by now (if not, why not?), so why not let the rest of us know what was discovered?

  • Does that make you feel unsafe? How about the fact that all the guys hired after Reagan fired the ATCs for striking are retiring en masse right now? I guess the bright side is when the new guys show up, they'll raise hell about the Rube Goldberg computer system in operation now. "Hey, I can write an iPhone app that would do a better job than this old PASCAL program ..."
  • it is Air Traffic Control. They need those big gaping holes so they can fit the planes into the tubes...
  • First question (Score:5, Insightful)

    by slapout (93640) on Monday May 11, 2009 @09:14PM (#27916843)

    Why does the FAA have web based air traffic control applications?!

    • Insightful?

      So as to keep hardware costs down, make the systems easily scalable, and speed up development and upgrade timescales?

    • by wvmarle (1070040)

      Web based can be easy to develop UI wise, and flexible client wise (no need to install client software, easy maintenance of the software server side only).

      The big question to me would be: how can a hacker get access to flight control in the first place? There is no need for those computers to be exposed to the Internet - and definitely not for those web servers to talk to anyone outside their own subnet. I do assume at least we're not talking about hackers that have gained physical access as then there is

    • by lewko (195646)

      Because a manager wanted it to run on his iPhone.

    • by ryturner (87582)

      Why does the FAA have web based air traffic control applications?!

      It makes it easier to file a flight plan. Instead of calling up a flight service station on the phone and going through the error prone process of giving them my flight plan, I can do it online. I find it to be easier and the government likes it because it is cheaper.
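The comments above argue that anything touching ATC should be reachable only over a VPN or from a whitelist of addresses, never from the open internet. What that looks like at the application layer, as an added example that is not code from the original thread or from the FAA: a WSGI middleware that refuses any request whose socket peer address is outside a VPN subnet. The 10.8.0.0/24 range, the stand-in application and the constructed requests are all assumptions for illustration. The point a practitioner would want to see is at the end: a spoofed X-Forwarded-For header does not get an outside caller in, because the decision is made on REMOTE_ADDR, not on anything the client sends.

```python
"""Added example (not from the original thread or the FAA): a WSGI middleware
that restricts an application to clients arriving from a VPN subnet.

Assumptions for illustration: the 10.8.0.0/24 VPN client range, the stand-in
application and the constructed requests below are all hypothetical.
"""
import ipaddress

# Hypothetical VPN client range; only a REMOTE_ADDR inside it reaches the app.
VPN_NETWORKS = [ipaddress.ip_network("10.8.0.0/24")]


def client_is_allowed(environ, networks=VPN_NETWORKS):
    """Decide on the socket peer address only.

    X-Forwarded-For is supplied by the client and trivially spoofed, so it is
    deliberately ignored. Honouring it is only safe when a trusted reverse
    proxy in front of the app overwrites the header, which is not assumed here.
    """
    try:
        addr = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return False  # missing or malformed address: fail closed
    # Membership across IP versions is False, so an IPv6 peer is also refused.
    return any(addr in net for net in networks)


def allowlist(app, networks=VPN_NETWORKS):
    """Wrap a WSGI app so that non-VPN callers get 403 before the app runs."""
    def wrapped(environ, start_response):
        if not client_is_allowed(environ, networks):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"forbidden\n"]
        return app(environ, start_response)
    return wrapped


def demo_app(environ, start_response):
    """Stand-in for the protected application (hypothetical)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def call(app, remote_addr, headers=None):
    """Invoke a WSGI app with a constructed environ; returns (status, body)."""
    environ = {"REMOTE_ADDR": remote_addr, "REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    for name, value in (headers or {}).items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    status = {}

    def start_response(line, response_headers):
        status["line"] = line

    body = b"".join(app(environ, start_response))
    return status["line"], body


if __name__ == "__main__":
    guarded = allowlist(demo_app)
    print(call(guarded, "10.8.0.23"))                                  # VPN client
    print(call(guarded, "203.0.113.9"))                                # internet
    print(call(guarded, "203.0.113.9", {"X-Forwarded-For": "10.8.0.5"}))  # spoofed
```

The middleware is a defence in depth measure, not a substitute for the network-level isolation the comments ask for: if the host is not reachable from the internet at all, this check never fires. Where a reverse proxy does sit in front of the app, the allowlist belongs on the proxy (or the proxy must be the only peer the app accepts) so that REMOTE_ADDR remains the address actually being checked.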

  • by Rary (566291) on Monday May 11, 2009 @09:57PM (#27917195)

    Sounds vaguely familiar [slashdot.org]...

    Note that, although this is not a good thing, we're not actually talking about the ATC system here. We're talking about administrative web applications that employees can access from home, web sites that provide information about air traffic services to employees and to the public, power monitoring applications, things like that. Some are pretty serious, but most are not that serious. And none of them are the ATC system itself.

  • Scan Complete!

    423,827
    Viruses Found!

    A New Record!!

    "Waaugh! That is not a small number!! That is a big number!!! What'm I gonna do?!"

  • Newsworthy? Yes. Should it be reportable? No. One of the biggest problems in reporting stories like this is the fact that the information is now OUT THERE. FFS, it's pretty dumb to put this information in the public press. "Hey! Terrorists! You want to know where our vulnerabilities are!? We've just finished the report, so here you go!" I don't believe in censoring press... but doesn't common sense kick in at some point? Fix the vulnerabilities FIRST!!!
  • How did they manage to not once mention what Operating System these 'computers' run on?

    In FY 2008, hackers took over FAA computers in Alaska, becoming FAA "insiders." By taking advantage of FAA's interconnected networks, hackers later stole FAA's enterprise administrator's password in Oklahoma, installed malicious codes [dot.gov] with the stolen password, and compromised FAA's domain controller in its Western Pacific Region. At that point, hackers had the ability to obtain more than 40,000 FAA user IDs, passwords, and

  • I would love for Obama to step it up a notch and force these guys to adopt better policies for their ATC units.

  • I'm the last person to defend a federal agency, but if you run any large application through something like Fortify this will happen and this is 70 applications being tested for the first time.

    High and medium vulns need to be addressed very quickly, and there were 1267 of those. Of those, 381 were on public facing systems. The remaining were "low" which are often things like "your server appears to be running Apache" or on internal systems, which while bad, is not as bad as stuff in your DMZ.

    This headline i
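Three comments in this thread make the same point from different angles: canipeal's observation that scanners count vulnerabilities by instance rather than by category, Zapotek's note that e-mail addresses on a page get reported as "sensitive information" findings, and the comment just above that most of the "low" findings are things like a visible server banner. The added example below (not code from the original thread, the FAA report, or any scanner vendor) shows what triaging raw scanner output looks like: findings are keyed by vulnerability type, path and parameter so that repeated hits on one injection point collapse to a single item, and informational classes can be dropped before counting. The finding records are constructed sample data in a simplified, hypothetical format, not any real tool's output.

```python
"""Added example (not from the original thread, the FAA report, or any scanner
vendor): collapse per-instance scanner findings into per-class counts.

The records below are CONSTRUCTED sample data in a simplified, hypothetical
format; they do not come from any real scanner's output.
"""
from collections import Counter
from urllib.parse import urlsplit

# Severity ranking used for triage. "info" covers things such as "an e-mail
# address appears on the page", which some scanners list as a finding.
SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1, "info": 0}

# Constructed sample: one record per scanner finding (instance).
SAMPLE_FINDINGS = [
    {"type": "SQL injection", "severity": "high", "url": "https://app.example.test/search?q=1", "param": "q"},
    {"type": "SQL injection", "severity": "high", "url": "https://app.example.test/search?q=2", "param": "q"},
    {"type": "SQL injection", "severity": "high", "url": "https://app.example.test/search?q=abc", "param": "q"},
    {"type": "Reflected XSS", "severity": "medium", "url": "https://app.example.test/profile?name=x", "param": "name"},
    {"type": "Reflected XSS", "severity": "medium", "url": "https://app.example.test/profile?name=y", "param": "name"},
    {"type": "Server banner disclosed", "severity": "low", "url": "https://app.example.test/", "param": None},
    {"type": "Server banner disclosed", "severity": "low", "url": "https://app.example.test/about", "param": None},
    {"type": "E-mail address on page", "severity": "info", "url": "https://app.example.test/contact", "param": None},
    {"type": "E-mail address on page", "severity": "info", "url": "https://app.example.test/staff", "param": None},
]


def normalize(finding):
    """Key a finding by (type, path, parameter). Query values are stripped, so
    three payloads against the same injection point collapse to one entry."""
    path = urlsplit(finding["url"]).path
    return (finding["type"], path, finding["param"])


def triage(findings, min_severity="low"):
    """Return (instance_count, unique_count, per_type) for findings at or
    above min_severity. per_type maps vulnerability type to the number of
    distinct injection points, which is the number a developer has to fix."""
    threshold = SEVERITY_RANK[min_severity]
    kept = [f for f in findings if SEVERITY_RANK[f["severity"]] >= threshold]
    unique = {normalize(f) for f in kept}
    per_type = Counter(key[0] for key in unique)
    return len(kept), len(unique), dict(per_type)


def worst_first(findings):
    """Distinct injection points ordered by severity, highest first."""
    best = {}
    for f in findings:
        key = normalize(f)
        if key not in best or SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[best[key]]:
            best[key] = f["severity"]
    return sorted(best.items(), key=lambda kv: -SEVERITY_RANK[kv[1]])


if __name__ == "__main__":
    instances, unique, per_type = triage(SAMPLE_FINDINGS, "info")
    print(f"{instances} instances -> {unique} distinct findings: {per_type}")
    instances, unique, per_type = triage(SAMPLE_FINDINGS, "low")
    print(f"dropping informational: {instances} instances -> {unique} distinct")
    for key, severity in worst_first(SAMPLE_FINDINGS):
        print(severity, *key)
```

On the constructed sample, nine scanner "vulnerabilities" reduce to six distinct findings, four once the informational e-mail hits are dropped, and one high-severity item. The collapsing is deliberately conservative: the same type on a different path or parameter is kept as a separate item, because it may have a separate fix. None of this says anything about whether the individual findings are true positives; that still takes a person confirming each injection point, as Zapotek's comment describes.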
