Category Archives: Information Security

Air Transport IT Security needs

There are a lot of signs confirming the (near) future positive trends in Information Security investments by airlines and airports all around the world. According to the analysis made by SITA, a Geneva-based company specialised in air transport communication and information technology (IT) solutions, the entire aviation industry considers Information Security a priority for both internal information (73%) and customer data (68%). SITA’s analysis underlines that 68% of the IT professionals working for 188 airlines are going to increase the budget for Information Security solutions, while 34% have already increased it by between 1% and 6% compared with the 2008 budget. The report explains that service outsourcing is also showing a positive trend, as a consequence of the need for better cost management. 62% of the airlines (and airports) have already outsourced all or most of their security processes to specialised companies, with the aim of increasing the efficiency of the countermeasures at a lower overall cost. In the future, even more should outsource their security to external companies, since 29% claimed to have planned an increase in service and solution outsourcing over the next couple of years.
But which are an airline group’s main IT security needs?
SITA’s Executive Summary of the “Global Airline IT Security Survey 2009” provides an in-depth view of the current status of IT Security awareness within airlines. The survey shows encouraging signs of improvement in security awareness in the sector. Respondents in the survey estimated that airlines are exposed each year to 28 incidents of network slowdown as a result of malware presence on the network. However, since most of them are only worried about viruses and regularly update Antivirus products, I wonder whether that number of incidents is accurate or simply reflects their current detection capability. Just consider that 51% of the airlines have a permanent patching/upgrade process (22% claim to have updated the AV less than 2 months ago), while 26% have a sort of real-time upgrade process focused on Firewalls or IP Gateways, 36% on the IPS (Intrusion Prevention System) and only 11% have a real-time/ongoing Security Event management process. This suggests that, among airlines, security is still strictly tied to Antivirus solutions and there is still a lot to do in reinforcing defences against all the other security threats. Another interesting thing worth noticing is that, despite the growing use of e-ticketing and remote access to travel information, booking and frequent flyer programs, authentication and data confidentiality risks are underestimated. Most airlines don’t use any kind of VPN or Strong Authentication system, making access to personal customer information quite easy for an attacker. Access to a frequent flyer account on a carrier’s website can give an attacker the possibility to redeem the miles collected through the program for free tickets, or give the unauthorized user access to personal information.
Compliance with international regulations and standards is also a major area of focus for SITA. According to the report, 42% of respondents overall explained that they received input into IT compliance, as both industry compliance (73%) and customer information compliance (68%) are considered important to the airlines’ business.
Interestingly, among the key compliance initiatives there are PCI DSS (Payment Card Industry Data Security Standard, a guideline to help organizations that process card payments prevent credit card fraud and hacking) and ISO27001, an auditable international standard which defines the requirements for an Information Security Management System and that, as an ISO27001 Lead Auditor, I’ve often referred to on this site. Honestly, I’m a bit skeptical about the degree of compliance of the airlines with the latter. ISO27001 is designed to ensure the selection of adequate and proportionate security controls to protect an organisation’s valuable information assets, and not many companies, not even among those operating in the TLC (telecommunications) market, have the security awareness and readiness to achieve such a demanding certification. Nevertheless, such a certification is for sure suitable for an airline, which manages internal and external information and needs to protect it, since it is critical (for the business, for the company’s image, for the customers’ trust, for compliance with the laws, etc.).
In fact, the SITA report sheds some light on the challenges faced in the field of compliance within the sector. First of all resources, then skills and budget play a fundamental role as the top challenges for IT professionals supporting compliance issues. This is another area where outsourcing could address the specific needs of each airline.

Helicopters and the risk of RFID hacks

Eurocopter and Telit recently signed a contract according to which Telit RF Technology will develop a wireless communication system to monitor helicopters’ critical systems and to improve aircraft maintenance. According to the information released so far, each critical system/part will be monitored using an Active RFID tag. The tag will be used to store the current status of the part, (most probably) the maintenance checks’ expiration dates, the date of the last check, and so on. The information will be transmitted over radio frequency to a Back End server, where an application will correlate the data, providing a means to monitor the status of the entire helicopter. Unfortunately, the news doesn’t provide any further detail on, for example, how the communication between tag and reader will be secured and how the Back End system is going to be protected from hackers’ attacks. Am I worrying for nothing? Probably. In my experience (I also wrote my graduation thesis on RFID security), security matters are underestimated when implementing RFID solutions. However, the risk is extremely high for many reasons. First of all, because RFID is not as widespread as other very well-known technologies, it is hacked only by skilled people, whose probability of causing significant damage is extremely high. Many tend to think that RFID is a safe technology just because only a few know exactly how a transaction between a reader and a tag works. Lack of “security awareness” aside, security countermeasures cost money and make tags more expensive (thus rendering the solution less convenient). Security countermeasures like encryption or authentication require more power, more memory and more space on the tag to accommodate processors and memories able to perform crypto functions and, consequently, more money. But the risk is extremely high. Just consider the following scenarios:
1) a DoS (Denial of Service) attack on the reader prevents the internal system from collecting the information transmitted by the tag (leaving the Back End application “blind” and unable to perform its typical monitoring functions)
2) malware is injected by a rogue R/W tag into the reader to attack the Back End database or application, to gain unauthorized access to the internal network, to spread a virus, etc.
3) a cloned tag with wrong data (expiration dates, performed checks, etc.) can be used to provide false information to the Back End system, leading to an aviation safety risk (or disaster).

The Phidget RFID kit I used to test the radiofrequency identification vulnerabilities


There are many more, and the previous ones were listed only to show the different risks inherent in Radio Frequency IDentification.
We currently don’t know which countermeasures were devised to prevent the above theoretical risks from turning into real information security or aviation incidents in the Telit – Eurocopter solution. However, just to give an idea of the technical measures required to secure an RFID solution and to improve data security (and, in this specific case, aviation safety), as an Information Security expert I will provide a list of the countermeasures aimed at preventing the Integrity, Confidentiality and Availability of information (i.e. data) from being compromised (for more information on these attributes I suggest reading: About the hack into the F-35 Lightning II JSF (Joint Strike Fighter) project):

  • Mutual Authentication between tags and readers (to be sure that information is transmitted to valid readers or received from valid tags)
  • Frequency Hopping Spread Spectrum systems with multi-frequency tags (in order to switch to another frequency if the channel is saturated by jamming)
  • Redundant architecture without any SPF (Single Point of Failure): in order to ensure “business continuity”
  • Shielding of the components
  • Physical protection of the readers
  • PUF (Physically Unclonable Functions) as private keys for a challenge-response process
  • Roles segregation with Least Privilege access
  • Middleware code review
  • Input validation before connecting to the DB
  • Network separation by means of Application Gateway Firewalls
  • etc.
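To show what the first and sixth items of the list mean in practice, here is an added example (not code from the original post, nor from the Telit/Eurocopter system) of a mutual challenge-response authentication between a tag and a reader. It assumes a per-tag secret shared with the reader’s key database (in a real design this could be derived from a PUF); the tag ID, the key and the message layout are constructed for the example. The demo shows that a genuine tag authenticates, while a cloned tag that copied only the ID and a tag replaying a captured response both fail.

```python
import hmac
import hashlib
import secrets
from typing import Dict, Optional, Tuple

# Constructed sample data: a 4-byte tag identifier and a per-tag secret that a
# real deployment would provision at manufacture (or derive from a PUF).
TAG_ID = bytes.fromhex("a1b2c3d4")
TAG_KEY = secrets.token_bytes(16)


def _mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts, so fields cannot slide into each other."""
    m = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        m.update(len(p).to_bytes(2, "big") + p)
    return m.digest()


class Tag:
    """A tag that knows its own ID and, if genuine, the shared secret."""

    def __init__(self, tag_id: bytes, key: Optional[bytes]):
        self.tag_id = tag_id
        self.key = key  # None models a clone that copied the ID but not the secret

    def respond(self, reader_nonce: bytes) -> Tuple[bytes, bytes]:
        tag_nonce = secrets.token_bytes(8)
        if self.key is None:
            return tag_nonce, bytes(32)  # a clone can only send a meaningless MAC
        return tag_nonce, _mac(self.key, b"TAG->RDR", self.tag_id, reader_nonce, tag_nonce)

    def verify_reader(self, reader_nonce: bytes, tag_nonce: bytes, reader_mac: bytes) -> bool:
        """Second half of the handshake: the tag checks that the reader knows the key too."""
        if self.key is None:
            return False
        expected = _mac(self.key, b"RDR->TAG", self.tag_id, tag_nonce, reader_nonce)
        return hmac.compare_digest(expected, reader_mac)


class ReplayingTag(Tag):
    """A device that replays a (tag_nonce, mac) pair captured from an earlier session."""

    def __init__(self, tag_id: bytes, captured: Tuple[bytes, bytes]):
        super().__init__(tag_id, None)
        self.captured = captured

    def respond(self, reader_nonce: bytes) -> Tuple[bytes, bytes]:
        return self.captured  # ignores the fresh reader nonce, which is why it fails


class Reader:
    def __init__(self, key_db: Dict[bytes, bytes]):
        self.key_db = key_db
        self.last_session: Optional[Tuple[bytes, bytes]] = None  # kept only for the replay demo

    def authenticate(self, tag: Tag) -> bool:
        """Two-way challenge-response: the tag proves key knowledge first, then the reader."""
        reader_nonce = secrets.token_bytes(8)
        tag_nonce, tag_mac = tag.respond(reader_nonce)
        self.last_session = (tag_nonce, tag_mac)
        key = self.key_db.get(tag.tag_id)
        if key is None:
            return False  # unknown tag: never emit a reader MAC for it
        expected = _mac(key, b"TAG->RDR", tag.tag_id, reader_nonce, tag_nonce)
        if not hmac.compare_digest(expected, tag_mac):
            return False
        reader_mac = _mac(key, b"RDR->TAG", tag.tag_id, tag_nonce, reader_nonce)
        return tag.verify_reader(reader_nonce, tag_nonce, reader_mac)


def demo() -> Dict[str, bool]:
    """Genuine tag, cloned tag (ID only) and replayed response against one reader."""
    reader = Reader({TAG_ID: TAG_KEY})
    genuine = reader.authenticate(Tag(TAG_ID, TAG_KEY))
    captured = reader.last_session  # what an eavesdropper would have recorded
    clone = reader.authenticate(Tag(TAG_ID, None))
    replay = reader.authenticate(ReplayingTag(TAG_ID, captured))
    return {"genuine": genuine, "clone": clone, "replay": replay}


if __name__ == "__main__":
    print(demo())
```

The fresh reader nonce in every session is what defeats the replay, and the direction labels in the MAC input stop a tag’s response from being reflected back to it as a “reader” proof. On a real tag the HMAC would be replaced by whatever lightweight primitive the hardware can afford, which is exactly the cost trade-off discussed above.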

About the hack into the F-35 Lightning II JSF (Joint Strike Fighter) project

In the last couple of days, I was asked by many friends and colleagues about the recent Wall Street Journal news that top secret details about the Lockheed F-35 JSF (Joint Strike Fighter) were stolen by hackers that were able to gain access to the Pentagon network.

According to the reports, the Information Leakage involved thousands of confidential files that were compromised over the past two years. The data related to the electronic systems and avionics of the JSF. Some sources claimed Terabytes (!) of data were stolen: design and performance statistics of the fighter, as well as the system used by the aircraft to conduct self-diagnostics during flight. The intruders were able to compromise the data by gaining access to the computers of Pentagon contractors in charge of designing and building the aircraft.

These were the facts, reported more or less the same way by many newspapers, agencies and web magazines.

“How was that possible?” is the first thing that came to my mind.

If those files were so sensitive, they had to be protected by applying a series of countermeasures aimed at preventing the Integrity, Confidentiality and Availability of information (i.e. data) from being compromised. The three attributes¹ are the basis of Information Security. By evaluating the impact that the loss of any of those attributes would have for a particular type of asset (meaning information at the highest possible level: data, documents, personal computers, hardware, software, oral communication, people, company’s reputation, etc.), you can understand which assets require particular countermeasures and which others are less critical and require “looser” security measures.

For example, it is obvious that the file containing the office numbers of all the employees is less important than the file containing the detailed description of the weaknesses of the passive and active countermeasures of the F-22. So, you shouldn’t worry about the security of the group telephone and address book, but you should invest a lot (in terms of security devices, training, policies and procedures of course) to protect the survey about the weaknesses of the F-22 self-protection suite.

The entire process that goes from the evaluation of the Risk (Risk Analysis) to the ways to manage the Risk (Risk Treatment) is called Risk Management. You can’t say whether an asset is secure or not if you don’t relate the value of the asset (from the organisation’s perspective) to its peculiar threats.

Since Risk Management is paramount to direct investments in Information Security, organisations all around the world perform Risk Assessment and the consequent Risk Treatment continuously. Risk Management enables an organisation to manage the Risk’s lifecycle: after applying the countermeasures, an organisation is called to test their effectiveness and to fill the gap between the expected security level and the actual one (in accordance with the Plan-Do-Check-Act, or Deming Cycle, paradigm).
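As an added illustration of the process described above (this is example code written for this page, not a method the post or any standard prescribes), the following script scores each asset per attribute as impact × likelihood, ranks the results, decides between accepting and treating each risk against a constructed risk appetite, and implements the “Check” step of the Deming cycle by comparing the measured residual risk with the target. The 1–5 scales, the appetite threshold and the two sample assets (the phone directory and the F-22 survey from the text) are assumptions of the example.

```python
from typing import Dict, List, Tuple

ATTRIBUTES = ("confidentiality", "integrity", "availability")

# Constructed scales: 1 = negligible ... 5 = severe (impact) / almost certain (likelihood).
# RISK_APPETITE is an assumption; each organisation sets its own.
RISK_APPETITE = 8  # scores at or below this are accepted, higher ones are treated


def risk_score(impact: int, likelihood: int) -> int:
    """Risk = impact of losing the attribute x likelihood of the threat materialising."""
    for v in (impact, likelihood):
        if not 1 <= v <= 5:
            raise ValueError("scale values must be between 1 and 5")
    return impact * likelihood


def assess_asset(impacts: Dict[str, int], likelihood: int) -> Dict[str, int]:
    """Per-attribute risk for one asset; an attribute not rated counts as negligible impact."""
    return {a: risk_score(impacts.get(a, 1), likelihood) for a in ATTRIBUTES}


def treatment_plan(assets: Dict[str, Tuple[Dict[str, int], int]]) -> List[Tuple[str, str, int, str]]:
    """Rank every (asset, attribute) pair by risk and decide accept vs treat."""
    rows = []
    for name, (impacts, likelihood) in assets.items():
        for attr, score in assess_asset(impacts, likelihood).items():
            action = "treat" if score > RISK_APPETITE else "accept"
            rows.append((name, attr, score, action))
    rows.sort(key=lambda r: r[2], reverse=True)  # highest risk first
    return rows


def check_phase(target: Dict[str, int], measured: Dict[str, int]) -> Dict[str, int]:
    """The 'Check' of Plan-Do-Check-Act: how far measured residual risk still exceeds the target."""
    return {a: measured[a] - target[a] for a in ATTRIBUTES if measured[a] > target[a]}


# Constructed inventory mirroring the two files discussed in the text.
ASSETS = {
    "office phone directory": ({"confidentiality": 1, "integrity": 1, "availability": 2}, 3),
    "F-22 self-protection suite weaknesses survey": ({"confidentiality": 5, "integrity": 4, "availability": 2}, 3),
}

if __name__ == "__main__":
    for asset, attr, score, action in treatment_plan(ASSETS):
        print(f"{score:>3}  {action:<7} {attr:<16} {asset}")
```

With the same threat likelihood for both files, only the confidentiality and integrity of the F-22 survey exceed the appetite and need treatment; every risk on the phone directory is accepted, which is the prioritisation the text argues for.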

Let’s get back to the presumed JSF hack.

For sure, someone who was not authorized to was able to gain access to a particular file –> Confidentiality breach.

Even if I have no idea how the Pentagon network is protected, I’m sure there are plenty of Firewalls, Authentication Servers, Intrusion Prevention Systems, Document Rights Management and many other technical and procedural countermeasures to protect the sensitive information. If the stolen files were so critical, it is hard to believe they were so easily available on contractors’ computers.

So, there are three possibilities:

  1. the data was not secured because it was not deemed to be critical
  2. since risk can’t be avoided but only reduced (you can never be 100% secure), there was a series of breaches that enabled the information to be leaked even though the data was protected in a (most probably) heavily defended network architecture.
  3. the Pentagon has no basic idea of how to deal with Information Security

I pick the first, since the second one is simply unlikely (but still possible) and I believe the third is just impossible for a nation where Network-Centric Warfare was pioneered. The second option is also possible, but the more critical the information was, the less likely it is that a security breach could remain undetected for 2 years (enabling the leakage of TB of data…).

¹ Let’s quickly explain the meaning of the attributes:
Confidentiality: Assurance that information is shared only among authorised persons. Breaches of Confidentiality can occur when data is disclosed in any way (for example, watching the content of a document, eavesdropping on a conference call, accessing private records, and so on).
Integrity: Assurance that the information is authentic and complete. Therefore, this attribute refers to the need to keep the data as it is, without any change. Information must be trustworthy.
Availability: Assurance that the data is available when needed. Loss of availability occurs if a network failure prevents an authorized user from gaining access to a file stored on a server.


French Navy Rafales grounded by a computer virus

The French Navy (Marine Nationale) has recently admitted that the Conficker worm struck some important systems, preventing operational units from downloading their flight plans as databases were infected. Even though warnings about the risk of being attacked by the virus had been issued in October 2008, the French military authorities did not install the required security patches on their Windows systems, issued by Microsoft on Oct. 15, 2008. Conficker targets the Microsoft Windows operating system and exploits a known vulnerability in the Windows Server service used by Windows 2000, Windows XP, Vista, Windows Server 2003 and Windows Server 2008. When executed, the worm disables some system services (such as Windows Update, the Security Center and the personal firewall), then connects to a server to download other malware, to gather information stored on the computer or to propagate to another target. According to the information released by the French military, the proliferation of the worm caused a loss of Availability but did not cause any loss of data Integrity or Confidentiality. As a consequence of the Conficker proliferation, the Marine Nationale had to cut its communication links and use telephone, fax and post to communicate. A USB drive is suspected to be the medium used by Conficker to enter the French internal networks. French officials believe it was not a deliberate attack and affirm that the most sensitive network, named Sicmar, was not affected by the worm, which attacked only non-secured internal networks. Among them, the Intramar French Navy network, which was immediately isolated. However, a certain number of computers were infected and on Jan. 15 and 16 the Navy’s Rafales could not depart, since they were not able to download their flight plans.
The French newspapers stressed that the Marine Nationale was not the only one to be hit by the virus: at the beginning of January 2009, the British Defence Ministry was attacked by a version of the virus that infected some 24 RAF bases and 75% of the Royal Navy fleet, the aircraft carrier Ark Royal included! Information Security is a driver of flight operations (and improves Aviation Safety).
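Since the text describes the worm switching off Windows Update, the Security Center and the personal firewall, a simple host check for exactly that symptom is a useful detection. The following is an added example written for this page (not a tool from the post or from any vendor): it parses the output of the Windows `sc query state= all` command and reports which of those three defences is not running. The service short names are the real Windows identifiers (MpsSvc is the Vista/Server 2008 firewall service; on XP the firewall runs under SharedAccess), and the sample output is constructed, not captured from a real host.

```python
import re
from typing import Dict, List, Tuple

# Services the text says Conficker disables, keyed by Windows service name.
# Assumption: Vista/2008-era hosts (MpsSvc); on XP substitute "SharedAccess" for the firewall.
EXPECTED_RUNNING = {
    "wuauserv": "Windows Update",
    "wscsvc": "Security Center",
    "MpsSvc": "Windows Firewall",
}

# Constructed output in the shape of `sc query state= all`; not from a real machine.
SAMPLE_SC_QUERY = """\
SERVICE_NAME: wuauserv
DISPLAY_NAME: Windows Update
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)

SERVICE_NAME: wscsvc
DISPLAY_NAME: Security Center
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING

SERVICE_NAME: MpsSvc
DISPLAY_NAME: Windows Firewall
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
"""

_NAME = re.compile(r"^SERVICE_NAME:\s*(\S+)")
_STATE = re.compile(r"^\s*STATE\s*:\s*\d+\s+(\w+)")


def parse_sc_query(text: str) -> Dict[str, str]:
    """Map each service name in `sc query` output to its STATE word (RUNNING, STOPPED, ...)."""
    states: Dict[str, str] = {}
    current = None
    for line in text.splitlines():
        m = _NAME.match(line)
        if m:
            current = m.group(1)
            continue
        m = _STATE.match(line)
        if m and current:
            states[current] = m.group(1)
    return states


def find_disabled_defences(states: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Expected defences that are missing from the listing or not RUNNING (names compared case-insensitively)."""
    lower = {k.lower(): v for k, v in states.items()}
    findings = []
    for name, description in EXPECTED_RUNNING.items():
        state = lower.get(name.lower(), "MISSING")
        if state != "RUNNING":
            findings.append((name, description, state))
    return findings


if __name__ == "__main__":
    for name, description, state in find_disabled_defences(parse_sc_query(SAMPLE_SC_QUERY)):
        print(f"WARNING: {description} ({name}) is {state}")
```

On a real host you would run `sc query state= all > services.txt` and feed the file to `parse_sc_query`; a service that is stopped on a machine where policy says it must run is worth an alert regardless of which malware family caused it.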


Airport Network Failures…

Look at the following picture. It was taken by my friend Rage at Terminal B of Barcelona airport on Jan. 7, 2009. Can you notice something weird?

If you look closely, you can see a “NETWORK FAILURE” message among the departures. Failures can happen. I work in the IT field and every day I have to deal with the concepts of Redundancy, Back Up, Storage, High Availability, Disaster Recovery, etc. What is really strange in this case is not the failure itself but the fact that the error message appears on the display. This is what I consider a dual mistake: a communication error and a design error. Let me explain what I mean.
That message doesn’t contain any useful information for a passenger departing from the Spanish airport. It answers no question but creates confusion: since travellers are not aware of the type of failure, they don’t know whether the message refers to something within the display (is the airport network down? are departures affected by some kind of route network problem? etc.) or outside it (the source of the information displayed at Terminal B). From a security point of view, showing that message is risky too: if the failure is the consequence of a hacker attack, giving the attacker confirmation that the hack was successful is not a clever idea. Next time he could achieve a DoS (Denial of Service) building on the first successful attack. So, programmers, LAN and IT managers at airports should prevent certain error messages from being broadcast.
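The design rule that follows from this is to separate what the system logs internally from what it shows on a public screen, and to keep the last good data on the board for a grace period rather than flash a raw error. The following is an added example for this page (not the airport’s software nor code from the post): a small departures board client that logs the real failure for the operators, keeps showing the last successful feed for a configurable period, and otherwise falls back to a neutral message. The feed function, the grace period and the flight rows are constructed for the example.

```python
import logging
import time
from typing import Callable, List, Optional, Tuple

log = logging.getLogger("departures")  # internal log for operators, never rendered on the board

# Neutral text for passengers: says what to do, reveals nothing about the cause.
PUBLIC_FALLBACK = "Flight information is temporarily unavailable. Please ask airline staff."

Row = Tuple[str, str, str]  # (flight, destination, status)


class DepartureBoard:
    def __init__(self, feed: Callable[[], List[Row]], stale_after: float = 300.0,
                 clock: Callable[[], float] = time.time):
        self.feed = feed                  # assumed upstream source of departure rows
        self.stale_after = stale_after    # seconds the last good data may stay on screen
        self.clock = clock                # injectable for testing
        self.last_good: Optional[List[Row]] = None
        self.last_good_at: float = 0.0

    def refresh(self) -> bool:
        """Pull new data; on any failure, record details internally and keep the old data."""
        try:
            rows = self.feed()
        except Exception as exc:  # deliberately broad: no upstream error may reach render()
            log.error("departures feed refresh failed: %r", exc)
            return False
        self.last_good, self.last_good_at = rows, self.clock()
        return True

    def render(self) -> List[str]:
        """Lines for the public display: last good rows while fresh, otherwise the neutral fallback."""
        age = self.clock() - self.last_good_at
        if self.last_good is None or age > self.stale_after:
            return [PUBLIC_FALLBACK]
        return [f"{flight:<8}{dest:<16}{status}" for flight, dest, status in self.last_good]


def demo() -> Tuple[List[str], List[str], List[str]]:
    """Constructed scenario: one good refresh, then the feed keeps failing."""
    now = [1000.0]
    calls = {"n": 0}

    def feed() -> List[Row]:
        calls["n"] += 1
        if calls["n"] == 1:
            return [("AB1234", "DUBLIN", "BOARDING"), ("CD5678", "MADRID", "ON TIME")]
        raise ConnectionError("NETWORK FAILURE: upstream feed unreachable")  # constructed error

    board = DepartureBoard(feed, stale_after=300.0, clock=lambda: now[0])
    board.refresh()                       # succeeds
    fresh = board.render()
    now[0] += 60
    board.refresh()                       # fails, but within the grace period
    during_outage = board.render()
    now[0] += 600
    board.refresh()                       # still failing, grace period expired
    after_grace = board.render()
    return fresh, during_outage, after_grace


if __name__ == "__main__":
    for stage, lines in zip(("fresh", "outage <5 min", "outage >5 min"), demo()):
        print(stage, lines)
```

The exception text, which here even contains the words “NETWORK FAILURE”, only ever reaches the operators’ log; the screen shows either stale-but-plausible departures or a message that tells travellers what to do. The grace period is the value to tune: long enough to ride out a short glitch, short enough that the board never shows a flight that has already left.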

From a design point of view, a network failure is a symptom that something in the “chain” has failed: there was a Single Point of Failure (SPF), the Business Continuity Plan (BCP) did not succeed, the Back Up plan did not work, the configuration was not correctly implemented, the Hardware was obsolete or at full capacity, etc. There can be many reasons for a failure (or a network one). For sure, they must be avoided, especially if the network is used to transmit mission-critical information: in this case, a fault can be catastrophic. Risk Management should be performed in order to assess those assets that must be hardened, to mitigate the risk of loss or deterioration of the assets, and to monitor the risk in accordance with a particular metric in order to keep it at an “acceptable level”. Even if flight operations and Air Traffic Control are the fields where Aviation Safety focuses more often, the IT department of an airport must be taken seriously into consideration. Even if applying effective countermeasures and contingency plans can cost a lot, underestimating the damage that can be inflicted by a poorly maintained Local Area Network or Hardware Component could lead to a disaster. A few examples: On Apr. 20, 2002, a power supply problem makes the Rome Fiumicino Tower mute between 4.40 and 5.20 LT. On Mar. 16, 2003, a network failure causes a radar blackout at Rome ACC, based in Ciampino, around 22.00 LT: all intercontinental flights to Fiumicino are diverted to Malpensa, Rome Radar switches to procedural control and take-offs are blocked until midnight. In Aug. 2007, a malfunctioning NIC (Network Interface Card, the component that connects a computer to the LAN (Local Area Network)) on a single desktop computer of the immigration control in the Tom Bradley International Terminal at LAX fails. A total system failure affecting the other computers of the same immigration system occurs at 14.00 LT and lasts some 9 hours.
All international flights are delayed by some hours. Thousands of passengers have to wait for hours at the airport. A second outage on the Customs systems is caused by a power supply failure. Customs computers, with a life of about 4 years, were at the end of their four-year cycle and had to be replaced. In July 2008, a failure of the Dublin airport radar system causes fear and many grounded flights. Tracks vanish from the controllers’ radar screens. The first failure lasts 10 minutes; the second time, the controllers have to close the airport to all inbound flights. As a consequence, 200 flights are delayed, diverted or cancelled. Ryanair, the airport’s main user, claims that more than 13,000 passengers are affected, with a cost to the airline of about 1 million GBP. The shutdown was caused by a faulty network interface card (once again) but was actually a double fault, since the LAN recovery failed too. The following is an excerpt of an interesting article on the Dublin event published by the Irish Times (http://www.irishtimes.com/newspaper/ireland/2008/0920/1221835128140.html):

……
When it subsequently emerged that there had been a series of faults in the radar system since June 2nd, Ryanair called on the Department of Transport “and Ireland’s useless aviation regulator” to explain why there was no contingency plan for the repeated IAA computer system failures at Dublin airport.

Aer Lingus chief executive Dermot Mannion suggested that a back-up system may be needed if the upheaval was not to repeat itself, but industry sources said a back-up system would cost as much to install as an initial system.

However, yesterday’s Report of the Irish Aviation Authority into the ATM System Malfunction at Dublin Airport maintained that while “worldwide, air navigation service providers cannot rule out the possibility of failures” the IAA was “confident that the measures recommended by the system supplier Thales ATM and now being implemented will minimise the effect of a recurrence of like or similar failures of its ATM system in the future”.

The report revealed that the root cause of the failures at Dublin airport was a faulty network interface card and that all of the Dublin failures had the same root cause.

It concluded that the failure was not “a single point of failure” but was caused by a double failure – a hardware failure of the network interface card and a failure of the local area network recovery mechanism.

The IAA said the system had been “stable” since July 9th and added: “IAA engineering, air traffic control, safety, support and management staff worked around the clock to resolve the issues as quickly as possible.”

Recommendations

Thales ATM, suppliers of the radar system at Dublin airport, recommended:

• That additional network monitoring be undertaken. Monitoring tools and a “passive analyser” should be installed for the early identification of any similar malfunctions. This work has been completed.

• That a software programme to protect the local area network recovery mechanism be developed. This programme is currently being tested.

• That changes in procedures in relation to hardware testing be made before insertion in the operational system. These changes have been implemented.

• Thales ATM is also studying other potential improvements in the network design to prevent a recurrence.

• A spokeswoman for the IAA said it and Thales ATM had jointly supplied engineers to work on the problem. While it did not expect to have its costs refunded by Thales ATM, neither did it expect a bill from the company for its time.