Hackers Broke Into FAA Air Traffic Control Systems

PL/SQL Guy writes "Hackers have repeatedly broken into the air traffic control mission-support systems of the US Federal Aviation Administration, according to an Inspector General report sent to the FAA this week, and the FAA's increasing use of commercial software and Internet Protocol-based technologies as part of an effort to modernize the air traffic control systems poses a higher security risk to the systems than when they relied primarily on proprietary software, the report said. Intrusion detection systems (IDS) are deployed at only 11 of hundreds of air traffic control facilities. In 2008, more than 870 cyber incident alerts were issued to the organization responsible for air traffic control operations and by the end of the year 17 percent (more than 150 incidents) had not been remediated, 'including critical incidents in which hackers may have taken over control' of operations computers, the report said."

I guess this is what happens

[Anonymous Coward]

when 4chan goes down for a week. Seems that keeping that site running is a matter of national security!

Re:

[Divebus]

So much for web applications.

Re:

[Philip K Dickhead]

Blisters in their rectums. That's what they get. Bad 'strong star property' design in network access.

Someone call Jack Bauer

[Anonymous Coward]

They have the CIP device.

Re:

[Endo13]

You beat me to it. But yes, it HAD to be mentioned.

Re:

[PolygamousRanchKid]

Sorry, Jack is in the slammer, for head butting some dude "to protect Brooke Shields' honor," or something like that: http://edition.cnn.com/2009/SHOWBIZ/TV/05/07/sutherland.charged/index.html [cnn.com]

Truly bizarre . . . an impromptu alcohol fueled celebrity involuntary nose job.

Re:

[Anonymous Coward]

I hadn't heard the guy ran Mac.

Counterattacks - US Military Strikes Possible

[maz2331]

The Times of India has a story about this. FTA:

"Gen Kevin Chilton, who heads US Strategic Command, said he worries that foes will learn to disable or distort battlefield communications.

"Chilton said even as the Pentagon improves its network defences against hackers, he needs more people, training and resources to hone offensive cyber war capacity. At the same time, he asserted that the US would consider using military force against an enemy who attacks and disrupts the nation's critical networks."

Basically

Re:

[grcumb]

Basically, they are considering dispatching air strikes or commando raids at hackers if they can identify their identity and location.

Cool, so this means that my NUKE FROM ORBIT button will finally work?

Question

[grassy_knoll]

Why are critical systems not protected by a one inch air gap between the NIC and cable from remote exploit?

Seems like from TFA [cnet.com] they're not:

The attacks so far have primarily disrupted mission-support functions, but attacks could spread over network connections from those areas to the operational networks where real-time surveillance, communications and flight information is processed, the report warned.

Re:

[FooAtWFU]

I'm not a huge fan of the "air gap!!!!1" solution. Sure, it's simple, but for things like air traffic control, you need to have systems which aren't right next to each other, talk to each other, sooner or later, and that means networking. And if the stuff is spread out, sooner or later it can be compromised. And when that happens you still need real security measures behind it. (Including OS security updates, which non-internetted machines have a nasty habit of missing.)

Re:Question

[Rich0]

I believe in defense in depth. Even though the guards inside the castle may be trained to password challenge everybody walking around and check coats of arms, it never hurts to raise the drawbridge when there isn't anybody using it and there is a besieging army.

Sure, have firewalls all over the place, but any route into and out of the network itself needs to be HIGHLY secure. NOTHING goes IN or even OUT without a reason. Nothing wrong with the airport having a flight status board, but you have the ATC central database polled by some central server which generates an xml digest of the important info and have it dump that data across a serial line (transmit only) to another server which then puts it onto a webserver which the airports can parse. Flight plan requests come into some intermediate server on the internet (but well secured). That server validates the requests and sends xml files to some intermediate server (perhaps over serial) which otherwise isn't on any network. That server re-validates the input and then makes it available to a more trusted server that then does the application logic.

Of course the internal network has a firewall at every WAN connection that only passes the minumum defined data to make the system work. That still doesn't mean that you shouldn't keep the actual traffic on the mission critical network down to the minumum necessary. There shouldn't be a single packet on that ATC network that doesn't originate from an FAA-validated piece of software. Any connection to the outside should be sanitized, and they should be few in number.

This isn't about being smarter than the hackers - it is about being thorough and having a fully specified architecture.

Re:

[ender-]

Thank you for posting that. It seems like a valid, workable solution, that still for the most part takes advantage of the cost-savings by using modern products. There's definitely secure ways to handle their computing needs without it opening the network up to every script kiddie that comes along. Yes, it will cost a bit more than just buying a bunch of computer and networking gear off the shelf, but it can be every bit as secure as the previous setup, while being much cheaper to implement and maintain.

I ha

Re:

[MrYowler]

Interesting factoid... NSA Wally and I recently visited an FAA remote air traffic monitoring location which was secured by an ancient cylinder lock and alarm system with a poorly hidden override switch.

Once inside the facility, network access was frame-relay, and traffic interception appeared trivial. Authentication controls were antiquated and simplistic, and firewall/IDS countermeasures were useless when physical security was that lax, and most facilities were unmanned.

One hopes that the systems involve

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[ImYourVirus]

That can still be done, even without the internet. Sure it may take some more time, but it still can be done. Besides I don't really see why they would need updating if they are never going to be on the internet. Just a thought...

Re:

[sjames]

The air gap need not be applied to only one system, it can apply to an entire network of systems.

That is, no common switches (for best results not even switches partitioned by vlans, one config error and you're screwed), common routers (same deal, MPLY is not secure against configuration screwups), or machines connected to more than one network domain. At least color code everything.

To make sure the air gap isn't violated, the address domains should be distinct as well. Both layer 2 and layer 3. A packet wi

Re:

[Reece400]

While these systems obviously need to be connected to a network, I really can't see the need for connection to a public network, or even their internal company network.

They should have a separate, secured network for these systems to communicate with each other. I can see the convenience of management/support staff having access to these networks, but it's clearly not worth the risk.

Re:Question

[Anonymous Coward]

Trust me, any NAS equipment doesn't remotely come close to the public network. This article is misleading as they are talking about websites that 'aid' in landing aircraft. Trust me, these websites don't land aircraft.

Re:

[dangle]

Posting to delete accidental mod "funny" instead of "informative." I've only had one drink, sorry.

Re:

[Starlon]

You are right. Humans still do the landing with computer aid, and these critical computers are not connected to an accessible network.

Re:

[einhverfr]

The FAA relies, I believe, on leased telco lines with a backup system of microwave transmitters. Unfortunately, either of these could be compromised between sites.

Lack of connectivity to other networks is no substitute for security between sites.

Re:

[boaworm]

Why are critical systems not protected by a one inch air gap between the NIC and cable from remote exploit?

I'm honestly not sure. I work with ATC, although not in the US. The systems I have installed (Europe and Asia) have all been closed systems, there are very few physical connection between the servers and software working on radar- and flight data, and any equipment used to communicate externally.

Almost all communication is done via VCCS equipment (radio etc), so the controllers have screens with radar- and flight data, and separate screens and terminals for external data, such as flight plan processing term

Re:

[jddj]

Why are critical systems not protected by a one inch air gap between the NIC and cable from remote exploit?

Won't help. The 12AX7s the air traffic control system ENIAC runs on are microphonic. Brings a whole new meaning to the term "ping" ;)

Yes, I'm old. You will be too - if you're lucky.

Re:

[herwin]

They are. Or at least they were when I was involved in FAA security. Consider the agenda of the source of the report.

Then use IPv6.

[jd]

It's non-proprietary, the applications should work just fine, but most skript-kiddies don't have any idea on how to set up the necessary tunnels. It's also designed from the start to be secure, IPv4 has had all security back-ported in.

Also, use Active IDS, not passive. It's no good telling the operators that the last three planes crashed into a mountain because a system cracker decided it would be fun to use the radar computer for a game of Netrek. You're much better off by detecting the intrusions in real-time and countering them right then. Particularly if actual mission-critical systems are being broken into.

Third, Stop Using Windows! Gaah! The chances are that the software can be modded to work under Linux or OpenBSD just fine.

Re:

[Rich0]

The only issue with an Active IDS is having zero false positives. You don't want some TRACON to go down when some IDS update causes a router to alarm and shut down JFK approach with 18 aircraft enroute to final on 3 runways.

Re:

[jd]

That's very true. As things stand, though, that could potentially happen through computer misuse and (to judge from TFA) the level of security breeches already makes this a practical possibility.

It's a question of choosing the least-worst option, since all options are going to have problems. The solution they are actually migrating to (a totally insecure option) is the worst possible world, so all others will be at least equal and probably better.

Now, there are many approaches to Active IDS, some more likel

Re:

[turbidostato]

"Let's say, for example, that all authorized connections must use strong authentication and must use IPSEC (or S/WAN, or some other authenticated encrypted communication system of your choosing). The IDS can then look for any other type of connection and slam the door on it."

And here we have a glaring example of the "buzzword du-jour". "active IDS" in this case. Let's say, for example, that all authorized connections must look like X. Then you don't need "active IDS" you just don't open these kinds of con

Re:

[jd]

I see you don't quite understand the process. Ok. If external machine A attempts an unauthorized connection type (say, a portscan), then not allowing it is not enough. What you want is to detect the attempt and then block all further connections from A, regardless of what they are. ie: You are actively updating the firewall to exclude known attackers. For this, you need Active IDS. That's what it is for, dynamic firewall updates and other countermeasures when a hostile source is identified.

This isn't a buzz

Re:

[turbidostato]

"What you want is to detect the attempt and then block all further connections from A, regardless of what they are. ie: You are actively updating the firewall to exclude known attackers. For this, you need Active IDS. "

Yes, that was exactly my point: that in order to shoot your foot off you need and active IDS. The example you used is typical on this regard: the next you will know is that somehow you lost contact to control tower five (of course my signature injection with source spoofing might have someth

Re:Then use IPv6.

[raddan]

Air traffic control systems should not be connected to the Internet. Period. Use of IPv4 as a messaging system in that case should be fine-- because all that address space will be private.

I love OpenBSD. We use it everywhere at work. But our computers do not control airplanes. A general-purpose OS is appropriate in the kind of environment where you have hard real-time limits and where bounds-checking errors have the potential to kill lots of people. This is a case where rolling-your-own is actually a good idea, and worth the money.

If you're trying to decide what kind of IDS to put on your air-traffic-control net, you need to back up and undo some of your decisions.

Re:

[jd]

Well, yes, arguably you are correct on all points.

Ok, for the absolutely rigorous, there ARE pared-down versions of Linux which are considered "carrier-grade" and even one or two that are "FCC-approved" for limited applications. It's also hard to get a general-purpose OS to respect Hard Real-Time, the best you can really get is Soft Real-Time.

But aside from a couple of minor exceptions and a quibble over the real-time, yes, mission-critical systems should NOT be on the Internet. They should not even have US

No, use IBM's SNA . . .

[PolygamousRanchKid]

. . . it's proprietary, so no one, not even IBM, understands how it works.

The script kiddies will have to learn JCL. Have fun, you little rotten bastards!

And even if they manage to break into a machine, they will be confronted with z/OS ISPF . . . can they get their tn3270 sessions to work? Hee, hee! Find your PA1 key!

The best choice for a truly secure system, is to use some weird shit, that nobody else wants to use. And thus, there are not a lot of folks hacking about trying to poke holes in it.

Wait for a script kiddie post, on how to use nmap to probe for ports on LU6.2.

Re:

[jd]

JCL? You want the FAA to be prosecuted for crimes against humanity? You're sick! That's even more perverted than networking using X.25 PADs!

Re:

[Have Brain Will Rent]

//sysin dd dummy

to them eh?
LOL the /. lameness filter objects to JCL being in upper case... hee hee

Re:

[Alex Belits]

The best choice for a truly secure system, is to use some weird shit, that nobody else wants to use. And thus, there are not a lot of folks hacking about trying to poke holes in it.

Yeah. So the only people that will try to break into that will be people who know it better than its admins. That will end well, indeed...

Remote Control

[Cult of Creativity]

Glad they don't have commercial planes with complete remote control. Or do they?

That was proposed.

[Ungrounded Lightning]

Glad they don't have commercial planes with complete remote control. Or do they?

That was proposed after 9/11 as a solution to hijacked planes. Remote control devices that could take over a hijacked plane, remotely, locking out control by those on board and allowing it to be landed safely. Remote devices strategically located at all major commercial airports - or at least those near high-value targets (which is pretty much all of 'em).

When the trial balloon went up it was soon pointed out that, with such a system, hijackers could use it to hijack the planes without even being on board. And the tech would be distributed to many locations (worldwide) from which it could be stolen.

Haven't heard much about it since. B-) Of course that means that it will fall off the mental horizon for decision makers and they might decide to do it after all. B-(

Re:

[Ungrounded Lightning]

If such a device could be activated only by the pilot, it wouldn't be so unreasonable.

If such a device could be activated only by the pilot it would mean:
a) The hijackers would keep the pilot from activating it as their first act upon storming the cabin.
b) If it got activated the pilot, minimum, would be far more likely to be killed than if he had no hand in activating it.

Also: If such a device existed, even if it required activation by the pilot, malfunctions could lead to a non-controllab

Re:

[destroyer661]

A relative of mine was working for KLM [wikipedia.org] 25 years ago and said they could remotely take off a 747 from New York and land it in Amsterdam with 0 persons onboard. Now, I'm not sure if they specially rigged stuff into it to accomplish that, but that leads me to believe that the infrastructure is already in the planes and it's A) not being used because of the ethical pile of mud, or B) not many people know about it.

Re:

[Cult of Creativity]

I thought I remembered something like that. I knew I had at least stumbled upon the idea in a few different science fiction books I had read over time though couldn't track back to it's first usage. Thanks much for helping out my memory though! Also awesome .sig. Like!

Well that would explain

[mandark1967]

Why my last 4 flights arrived on time.

Re:

[Virtucon]

Why my last 4 flights arrived on time.

That has more to do with the fact that the Airline doesn't want to pay for overtime...

Re:

[CarpetShark]

I am fucking your airplanes.

There, fixed that for you.

I usually laud hacker hijinks

[Taibhsear]

As it tends to enlighten people to the necessity of better computer security... but when it involves things like airport control towers and hospital equipment and files it is totally not cool.

Re:

[NewbieProgrammerMan]

I dunno...do you really think they'd have addressed things like "only 11 out of hundreds" of facilities having intrusion detection measures unless somebody did this?

Re:

[legirons]

I dunno...do you really think they'd have addressed things like "only 11 out of hundreds" of facilities having intrusion detection measures unless somebody did this?

To me, that seems an odd sort of thing to mention. Having an IDS rather assumes that hackers have free access to the network and that the "security" is limited to chasing them down.

Surely a system with correct security doesn't need IDS, because there would be nothing to detect?!? i.e. a secure system only allows actions which it knows are correct, whereas an IDS detects the system allowing actions which it knows are incorrect.

Re:

[legirons]

As others have mentioned, XKCD [xkcd.com] explains much better why IDS seems wrong...

Re:

[pjt33]

Hacking into government computers is old hat. I'm more concerned that someone seems to have hacked /. and changed the front page to be an RSS feed.

Re:

[felipekk]

Yeah, it is not cool, but if it weren't for them, those systems would be left untested and, probably, insecure.

As long as they keep testing without killing anyone or causing major financial losses...

This is Crazy

[Clipless]

This was just a partial look at the ATC's systems and these are the kinds of numbers that come up?

"Our test identified a total of 763 high-risk, 504 medium-risk, and
2,590 low-risk vulnerabilities, such as weak passwords and unprotected critical
file folders."

This is just unacceptable, and I bet this get little to no mainstream media attention.

Ineptitude

[s-whs]

increasing use of commercial software and Internet Protocol-based technologies as part of an effort to modernize the air traffic control systems poses a higher security risk to the systems than when they relied primarily on proprietary software, the report said.

That's what's usally called ineptitude, but those FAA guys like to spin it round so someone else, or circumstances beyond their control, are the problem.

From what I've read about air-industry people in the US they are no different from in the Netherlands: People who almost invariable have a superiority complex and think they're doing tremendously important work while not having justify why they make so much noise, are so inept at sound calculations (dBA which is pointless for noise as related to annoyance, contrary to Sone for example), produce reports with incorrect units (upper and lower case wrong showing they don't have a proper education in elementary physics) etc.

Recently small aircraft were prohibited from flying near Schiphol. Reason was transponders are now in all of them, the LVNL (dutch airtraffic control) couldn't handle all those signals. A tremendous display of ineptitude again as they had plenty of time to prepare their systems (software), but being the sort of people they are, this is actually logical. Because they feel superior, they don't actually consider they might be doing things badly or need to change. In other words, despite them feeling they are superior, they are in fact amateurs...

You can find more on the web on this (in dutch).

Re:

[Locke2005]

Small aircraft aren't allowed near LAX or in other high-traffic air corridors in the US either. Is it possible that if you've got too many transponders for the air traffic controllers to keep track of, then you've also got too many aircraft for the planes themselves to avoid running into each other? In other words, don't assume that once they upgrade the software, that you'll automatically be able to fly your small aircraft anywhere you want -- too many planes in too small an air space will ALWAYS be a safe

Re:

[GooberToo]

That's what's usally called ineptitude, but those FAA guys like to spin it round so someone else, or circumstances beyond their control, are the problem.

Their not happy until your not happy! You can't blame them for living their moto.

In all seriousness, the FAA is in the middle of a huge political game right now, which is actually very complex to explain. They are working overtime trying to get out from under Congressional oversight. I wouldn't be surprised if they're looking the other way in an attempt to

Re:

[keefus_a]

They're not happy until you're not happy.

Fixed that for you. Now what were you saying?

Re:

[jwhitener]

"despite them feeling they are superior, they are in fact amateurs"

This reminds me of the years I spent in IT for a large hospital chain.

Replace air-industry with medical-industry.
Replace air traffic controller with doctor, etc..

In many ways, they ARE superior in their field of expertise, they just seem to have a problem understanding that they are not experts in everything.

I've had many a highly trained physician do idiotic things on computers, and, left to their own devices, I'm sure they would have made

This is a serious break down in Security

[Virtucon]

SCADA systems should always be disconnected from Intranets and the Internet. Sorry, this is a serious architectural and national security issue.

Whoever came up with this architecture and authorized it should be terminated.

Yup

[mkcmkc]

I'm not sure it gets much worse than this. I guess the local nuke plant could install a "whack-a-rod" live webcam game and secure it with DMCA technology...

Missing Forest for the Trees?

[PK Tech Guy]

from the CNET article "Last year, hackers took control of FAA critical network servers and could have shut them down, which would have seriously disrupted the agency's mission-support network, the report said"

"However, Brown dismissed the notion that hackers could get access to critical air traffic control operational systems."

It's OK everybody, the hacker's have shut down the network but they havent gained any critical access.

Re:

[haus]

Air traffic controllers are quick to tell you that they do not care about the ATC system that sit in front of them.

If they are unreliable, or go down, they will continue to perform their job, by slowing everyone down, increasing the gaps, limiting the number of new plans onto the grid.

It gums up the works a bit, but everyone gets to walk away.

Is the FAA using Windows?!?

[Locke2005]

That certainly brings new meaning to the phrase "Blue screen of death"!

Obligatory

[plaxion]

"Where do you want to go today?"

"The Good Ole Days"

[erroneus]

Being a programmer meant you could make a lot of money, not because you could make something that could be sold, but because you make programs that were useful for a purpose. Bill Gates and people like him turned computing into a software industry and this is more or less the result of that.

There was nothing "wrong" with systems maintained by professional programming teams and for those people to work at the same job for their entire lives earning a good wage. "Industry" has not only weakened systems everywhere with their homogenous nature, but cheapened the industry and lowered wages for everyone in the profession.

Re:

[phantomfive]

You can still make a lot of money. $80k for a programmer is pretty normal, and if you manage to specialize in something you can easily swing a six digit salary.

If you want to look at it a different way, look at starting salaries for college graduates. [cnn.com] Computer Science graduates on average make $49,000 right out of college. This is compared to English majors who make $31,000 right out of college, or psychology majors who make $28,000 right out of college. Ouch. Keep in mind that the per capita GDP in

Re:

[jwhitener]

I know what you mean.

Around 15 years ago, I recall a couple small programming shops that employed ~5-6 people each in my original home town.

Each of the offices supported only a handful of industrial clients, creating unique software for them. They had been doing so for over 10 years (might have been a bit less, I forget).

One office, for instance, produced the software that 2-3 of the biggest fruit warehouses in the country used. Very very specific software. Sold pre-installed on the server, which was bas

Why is this stuff connected to the internet?

[amiga3D]

I fail to understand why government systems like this are connected to the internet. The military industrial complex and FAA and other critical government systems should be tied into a seperate network. This harks back to the story about classified info for the Joint Strike Fighter getting stolen from an internet attack. WTF!? I can't believe how inept....I take that back, I can believe how inept these guys are. This has to stop. There is no need for these systems to be connected to yahoo and myspace

Re:

[Burkin]

But the controller needed to download the latest episode of Monk from iTunes!

Let me guess -- China?

[bensafrickingenius]

We need to borrow enough money from them to mobilize our forces and kick their asses!

Event counts for IDS are mostly useless..

[haus]

Anyone who has worked with IDS/IPS systems will realize that unless very carefully managed you will have a large number of events that amount to nothing, even some with some very scary sounding titles.

I am actually surprised to see the count levels so low, even for systems that are believed to be somewhat out of the way.

ATC is not actually a single system within the FAA this function is broken up over several different systems, each with their own silo of responsibility. My understanding from talking with traffic controllers is that the systems are not a requirement for controlling traffic. If the systems are down, or are believed to be unreliable the controllers will simply continue with a more conservative approach, although this can have the effect of gumming up the works as everyone is slowed down and larger gaps are used.

Real danger would be if information was off in some subtle way that was not detected, but as soon as it was determined that something was wrong, the system in question would be taken out of the work flow and further issues with it would not matter.

Crafting such a problem would take not only the IT info to gain access to the system, but at least some level of ATC understanding on how to alter a situation without tipping your hand. While far from impossible, it is not what I would suspect would be a common skill set.

I hear that Candida uses Amiga systems for ATF

[Joe The Dragon]

I hear that Candida uses Amiga systems for ATF or they used to.

Remind me again why we are replacing it?

[Suzuran]

Was there ever a real need to screw with the ATC other than giving airlines more control of the system so they can adjust things to maximize their profits?

I'm not suprised.

[fhage]

I worked as a engineer for NCAR, building and installing high-tech weather systems for the FAA (AWRP) for over a decade in the mid-90's-00's. I found the FAA leadership is filled with bunches of Republican partisan hacks who spent their time telling AL Gore Jokes in their technical meetings rather than getting things done. It literally takes them 10 or more years to get technology to their employees in the trenches. (officially). Because of upper mgt incompetence, the local level tech is a free-for-all, running in the closet. When I installed our sanctioned equipment in the Long Island FAA TRACON, I found a shift supervisor had brought his old PC in and got an AOL account so that the "super secure war room" could see what the weather was like outside as they managed 40% of the air traffic in the US. The FAA literally watches the weather channel with the sound off and competes with all the every day Joes for Nexrad images on accu weather. One of our (NCAR) systems under rigid performance evaluation at the FAA Technical Center (NJ) kept "hanging" several times per week, and we received poor evaluations and threats of funding cuts. I finally discovered that the reason for the failures was one of their staff had opened a shell terminal, ran Mosaic (remember that) and went porn surfing.(up our dedicated 64kbps line back to NCAR in Boulder and out through our .edu POP). The FAA has lots of ad-hoc systems installed everywhere. Can anyone say "Pass your USB key over here Bob - Ya gotta watch this". Maybe Obama's administration will clean the rot out of the FAA. I lost any hope many years ago.

Re:I'm not suprised. - Ha Ha.

[fhage]

In Nelson's Voice: Ha Ha. I was laid off from NCAR early this year after making noise about; 1 Sending DOD developed software to China, 2; Exposing unsecured DOD data and systems to the Internet and 3; Billing the US Army for developing systems for the French Navy. I wrote e-mails, I visited managers. I was a trouble maker, so, after 18 years of service, they said there was no longer any work for me at NCAR. I can still obtain access to live, sensitive data from Army bases and the Pentagon through NCAR we

Remediate this!

[Lije Baley]

Just who was the jackass that decided we had to say "remediated" instead of "fixed"??

You're Doing it Wrong!

[Bob9113]

I believe the late 20th / early 21st century poet, philosopher, and artist, Randall Munroe, said it best: "You're doing it wrong!"

http://xkcd.com/463/ [xkcd.com]

Correction:

[Alex Belits]

"s/commercial software/Windows/g"

Sneakers reference

[airuck]

Whistler: Anybody want to crash a couple of passenger jets?

Back to vacuum tubes!

[tubeguy]

Back to basics!

Airport hacking in the 1990s.

[GWBasic]

I have connections to someone who accidentally hacked an airport in the 1990s. Back then, the thing that board teenagers did was run programs that would find phone numbers answered by modems.

Anyway, as the story goes, this teenager came across a phone number, answered by a modem, that behaved very differently then any other phone number. There was NO password or security whatsoever. The interface was very foreign; however, this board teenager spent a few months hacking at the system, trying to learn what

dialback modem security

[viralMeme]

"I have connections to someone who accidentally hacked an airport in the 1990s. Back then, the thing that board teenagers did was run programs that would find phone numbers answered by modems"

What was the name of this airport and are their any reports on this incident. Usually, where you have dial-in access to a modem, the modem drops the connection and dials back a particular number. See Dialback Modem Security [phrack.org] from a Phrack article of 1988

Re:

[GWBasic]

What was the name of this airport and are their any reports on this incident.

Worcester Airport, either 1997 or 1998. The lead investigator told his side of the story at the Microsoft Security Summit in Boston in 2004.

From what I understand, the story didn't hit the newspapers until 6-7 months after the incident because it really was a case where anyone with a modem could find the airport's phone number and type in the command to bring it down. They had to wait until they fixed the system.

Honestly, I'm not entirely sure what's public information at this point. I approached the lea

Re:

[viralMeme]

Worcester Airport, either 1997 or 1998. The lead investigator told his side of the story at the Microsoft Security Summit in Boston in 2004

If this is it then I say connecting a computer to a modem without dialback is one of the dumbest things you can do.

'The juvenile computer hacker identified the telephone numbers of the modems .. he accessed and disabled both in sequence.

Acting Special Agent in Charge Johnston stated, "This case, with the associated national security ramifications, is one of the

Re:

[GWBasic]

If this is it then I say connecting a computer to a modem without dialback is one of the dumbest things you can do.

Never underestimate what lazy contractors / employees can do. I worked with a guy who ignored my, "you're open to SQL injection" statement.

Anyway, dialbacks weren't common back in the late 90s. Some of my friends used to war dial and then trade numbers.

To put it bluntly: My hobby dial-up BBS had better security then some of these systems, and I was a teenager.

the solution is obvious

[viralMeme]

The solution is obvious [blogspot.com], create a network of VPN nodes with multiple redundant routes, that utilize end-to-end encryption and authentication and connect your 'computers' to that. Now don't tell how/why it can't be done, tell me how it can be !

Re:

[Burkin]

I have a glandular problem you insensitive clod!

Re:

[plasmacutter]

"poses a higher security risk to the systems than when they relied primarily on proprietary software"....Someone actually put this into an FAA IG report? That's ridiculous. Correlation and causation are two ENTIRELY different things. You'd think the FAA, of all people, would understand that.

Exhibit A: Microsoft products. A huge collection of proprietary software which are security swiss cheese. Sorry, that's not fair to swiss cheese.

I dont think that's what they mean by "prprietary". I think they mean specifically or "in house" developed specifically for the task.

The bigger issue here is infrastructure which is partially tied to the military is being run in the civilian domain. You don't use public radio to broadcast tactical data, why on EARTH would you use public internet?

The only way to ensure such critical defense communication infrastructure remains robust is to develop a second, completely separate military internet with deliber