3,800 Vulnerabilities Detected In FAA's Web Apps 88
ausekilis sends us to DarkReading for the news that auditors have identified thousands of vulnerabilities in the FAA's Web-based air traffic control applications — 763 of them high-risk. Here is the report on the Department of Transportation site (PDF). "And the FAA's Air Traffic Organization, which heads up ATC operations, received more than 800 security incident alerts in fiscal 2008, but still had not fixed 17 percent of the flaws that caused them, 'including critical incidents in which hackers may have taken over control of ATO computers,' the report says. ... While the number of serious flaws in the FAA's apps appears to be staggering, Jeremiah Grossman, CTO of WhiteHat Security, says the rate is actually in line with the average number of bugs his security firm finds in most Web applications. ... Auditors were able to hack their way through the Web apps to get to data on the Web application and ATC servers, including the FAA's Traffic Flow Management Infrastructure system, Juneau Aviation Weather System, and the Albuquerque Air Traffic Control Tower. They also were able to gain entry into an ATC system that monitors power, according to the report. Another vulnerability in the FAA's Traffic Flow Management Infrastructure leaves related applications open to malware injection."
You don't say? (Score:5, Insightful)
Jeremiah Grossman, CTO of WhiteHat Security, says the rate is actually in line with the average number of bugs his security firm finds in most Web applications.
Oh, well that makes it OK then.
After all, when a Chinese or Russian hacker out to prove a point wreaks havok by exploiting one of these, they can always just say "Don't worry, we're no worse than blogger.com!"
Re:Programming (Score:5, Insightful)
The lowest bidder, of course!
Re:Just read through the PDF (Score:5, Insightful)
Karma be damned, but the use of Windows in a secure system is nowhere near as bad as not sanitizing your inputs on any system. No platform can just make up for bad practice. FreeBSD will happily allow someone to guess 'PASSWORD' as the login password (from TFA: "Software configuration involves setting up a software system for one's particular uses, such as changing a factory-set default password of "PASSWORD" to one less easily guessed."). If you're using Oracle DB, MS SQL or MySQL, if you store passwords as plaintext instead of hashes and secure data in plaintext, you will run into problems (TFA: "...hackers had the ability to obtain more than 40,000 FAA user IDs, passwords, and other information used to control a portion of the FAA mission-support network."). Microsoft may not patch in a timely manner, but it doesn't matter what platform you're running if you don't apply the patches (TFA: "...software with known vulnerabilities was not corrected in a timely manner by installing readily available security software patches released to the public by software vendors."). PHP, JSP, ASP, ASP.NET, Ruby, Perl or whatever, if you program poorly, you're going to have problems.
First question (Score:5, Insightful)
Why does the FAA have web based air traffic control applications?!
Re:Just read through the PDF (Score:5, Insightful)
Windows isn't the weak link here, and properly securing Windows isn't exactly rocket science.
Re:Just read through the PDF (Score:3, Insightful)
No, it really doesn't secure it. Too many network based utilities require far too much privilege to operate, Internet Explorer is a sinkhole of security vulnerabilities, and autorun remains the default for CD's, USB's, and other detachable media. Proxies are like the Maginot Line of security: they provide a useful pretense at security, but only have to be pierced once to allow the invaders to overrun your internal network.
It only takes one newly installed laptop, exposed to the Internet while pulling down its first service packs and security software, to service as the staging point for all sorts of attacks.
Re:Geeksquad.Gov (Score:4, Insightful)
We don't accept binaries from the NSA. Source code is welcome, thus SELinux.