Category Archives: Information Security

US Air Traffic Control system at hackers risk

During the recent Defcon hacker conference held in Las Vegas, a security researcher explained how the FAA (Federal Aviation Administration) air traffic control system is vulnerable to hacker attacks. Even though he did not show how to do it, Righter Kunkel explained a sort of workflow that could be used to compromise the ATC system by submitting fake FPLs (Flight Plans). The process relies on the possibility of submitting your own FPL, provided that you have obtained a student pilot’s certificate number, which gives you access to the pilot registration page on the FAA’s website. Since, theoretically, a user can submit a large number of FPLs, a certain number of fake pilots could create a Distributed Denial of Service (DDoS), as the FAA admitted that some of its networks are not properly separated and its systems are not completely hardened (for instance, Kunkel said Telnet is still widely used within the FAA’s networks). An internal report issued in May 2009 claims that 763 vulnerabilities affect 70 of the FAA’s internal web applications. Before judging the security level of the network, I would like to see the types of vulnerability listed in the report (some could be minor ones, of course); however, based on the details currently available, it is obvious that, despite being a valuable asset for the FAA, a critical system (we can consider it “mission critical”) is not properly defended. This is something that happens in the Aviation, Industry, Telco and Finance sectors alike, where the lack of security countermeasures can be caused by lack of budget, lack of knowledge, lack of resources, lack of security awareness, or simply because security was a requirement that came later, when the system was already operative.

Air Transport IT Security needs

There are a lot of signs confirming the (near) future positive trend in Information Security investments by airlines and airports all around the world. According to the analysis made by SITA, a Geneva-based company specialising in air transport communication and information technology (IT) solutions, the entire aviation industry considers Information Security a priority for both internal information (73%) and customer data (68%). SITA’s analysis underlines that 68% of the IT professionals working for the 188 airlines surveyed are going to increase the budget for Information Security solutions, while 34% have already increased it by between 1 and 6% compared with the 2008 budget. The report explains that service outsourcing is also showing a positive trend, as a consequence of the need for better cost management: 62% of the airlines (and airports) have already outsourced all or most of their security processes to specialised companies, with the aim of increasing the efficiency of the countermeasures at a lower overall cost. In the future, even more should outsource their security to external companies, since 29% claimed to have planned an increase in service and solution outsourcing in the next couple of years.
But what are an airline group’s main IT security needs?
SITA’s Executive Summary of the “Global Airline IT Security Survey 2009” provides an in-depth view of the current status of IT Security awareness within airlines. The survey shows encouraging signs of improvement in security awareness in the sector. Respondents estimated that airlines are exposed each year to 28 incidents of network slowdown as a result of malware presence on the network. However, since most of them are only worried about viruses and regularly update their Antivirus products, I wonder whether that number of incidents is the real one or simply reflects their current detection capability. Just consider that 51% of the airlines have a permanent patching/upgrade process (22% claim to have updated the AV less than 2 months ago), while 26% have a sort of real-time upgrade process focused on Firewalls or IP Gateways, 36% on the IPS (Intrusion Prevention System) and only 11% have a real-time/ongoing Security Event management process. This suggests that, among airlines, security is still strictly tied to Antivirus solutions and there’s still a lot to do in reinforcing defences against all the other security threats. Another thing worth noting is that, despite the growing use of e-ticketing and remote access to travel information, booking and frequent flyer programs, authentication and data confidentiality risks are underestimated. Most airlines don’t use any kind of VPN or Strong Authentication system, making access to personal customer information quite easy for an attacker. Access to a frequent flyer account on a carrier’s website can give an attacker the possibility to redeem the miles collected with the program for free tickets, or give the unauthorized user access to personal information.
Compliance with international regulations and standards is also a major area of focus for SITA. According to the report, 42% of respondents overall explained that they received input on IT compliance, as both industry compliance (73%) and customer information compliance (68%) are considered important to the airlines’ business.
Interestingly, among the key compliance initiatives there are the PCI DSS (Payment Card Industry Data Security Standard, a guideline to help organizations that process card payments prevent credit card fraud and hacking) and ISO27001, an auditable international standard which defines the requirements for an Information Security Management System and which, as an ISO27001 Lead Auditor, I’ve often referred to on this site. Honestly, I’m a bit skeptical about the degree of compliance of the airlines with the latter. ISO27001 is designed to ensure the selection of adequate and proportionate security controls to protect an organisation’s valuable information assets, and not many companies, not even among those operating in the telecom (TLC) market, have the security awareness and readiness to achieve such a demanding certification. Nevertheless, such a certification is for sure suitable for an airline, which manages internal and external information and needs to protect it, since it is critical (for the business, for the company’s image, for the customers’ trust, for compliance with the laws, etc.).
In fact, the SITA report sheds some light on the challenges faced in the field of compliance within the sector. First of all resources, then skills and budget play a fundamental role as top-priority challenges for IT professionals supporting compliance issues. This is another area where outsourcing could address the specific needs of each airline.

Helicopters and the risk of RFID hacks

Eurocopter and Telit recently signed a contract according to which Telit RF Technology will develop a wireless communication system to monitor the critical systems of helicopters and to improve aircraft maintenance. According to the information released so far, each critical system/part will be monitored using an Active RFID tag. The tag will be used to store the current status of the part, (most probably) the expiration dates of the maintenance checks, the date of the last check, and so on. The information will be transmitted over the radio link to a Back End server, where an application will correlate the data, providing a means to monitor the status of the entire helicopter. Unfortunately, the news doesn’t provide any more detail dealing, for example, with the way the communication between tag and reader will be secured and how the Back End system is going to be protected from hackers’ attacks. Am I worrying for nothing? Probably. In my experience (I also wrote my graduation thesis on RFID security) security matters are underestimated when implementing RFID solutions. However, the risk is extremely high for many reasons. First of all, because RFID, not being as widespread as other very well known technologies, is hacked only by skilled people, whose probability of causing significant damage is extremely high. Many tend to think that RFID is a safe technology just because only a few know exactly how a transaction between a reader and a tag works. Lack of “security awareness” aside, security countermeasures cost money and make tags more expensive (thus rendering the solution less convenient). Security countermeasures like encryption or authentication require more power, more memory and more space on the tag to accommodate processors and memories able to perform crypto functions and, consequently, more money. But the risk is extremely high. Just think of the following scenarios:
1) a DoS (Denial of Service) on the reader prevents the internal system from collecting the information transmitted by the tag (leaving the Back End application “blind” and unable to perform its typical monitoring functions)
2) malware is injected by a rogue R/W tag into the reader to attack the Back End database or application, to gain unauthorized access to the internal network, to spread a virus, etc.
3) a cloned tag carrying wrong data (expiration dates, performed checks, etc.) can be used to feed false information to the Back End system, leading to an aviation safety risk (or disaster).

The Phidget RFID kit I used to test the radiofrequency identification vulnerabilities

There are many more scenarios; the previous ones were meant only to show the different risks embedded in Radio Frequency IDentification.
We currently don’t know which countermeasures were devised to prevent the above theoretical risks from turning into real information security or aviation incidents in the Telit – Eurocopter solution. However, just to give an idea of the technical measures required to secure an RFID solution and to improve data security (and aviation safety in this specific case), as an Information Security expert I will provide a list of the countermeasures aimed at preventing the Integrity, Confidentiality and Availability of information (i.e. data) from being compromised (for more information on these attributes I suggest reading: About the hack into the F-35 Lightning II JSF (Joint Strike Fighter) project).

  • Mutual Authentication between tags and readers (to be sure that the information are transmitted to valid readers or received by valid tags)
  • Frequency Hopping Spread Spectrum systems with multi-frequency tags (in order to switch on another frequency if the channel is saturated by jamming)
  • Redundant architecture without any SPF (Single Point of Failure): in order to ensure “business continuity”
  • Shielding of the components
  • Physical protection of the readers
  • PUF (Physically Unclonable Functions) as private keys for a challenge-response process
  • Roles segregation with Least Privilege access
  • Middleware code review
  • Input validation before connecting to the DB
  • Network separation by means of Application Gateway Firewalls
  • etc.
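To make the first countermeasure concrete, here is an added example (not part of the original post or of the Telit – Eurocopter design) of a mutual challenge-response authentication between a tag and a reader: the reader only trusts status data from a tag that proves possession of the per-tag secret, and the tag only releases data to a reader that proves the same. The tag id, the key, the status string and the use of HMAC-SHA256 are all constructed assumptions; a real tag might derive the key from a PUF and use a lighter primitive.

```python
import hashlib
import hmac
import os


class Tag:
    """Simulated active RFID tag holding a part's maintenance status."""

    def __init__(self, tag_id, key, status):
        self.tag_id = tag_id    # constructed identifier, e.g. b"rotor-blade-01"
        self.key = key          # hypothetical per-tag secret (could come from a PUF)
        self.status = status    # constructed payload, e.g. next check date

    def respond(self, reader_nonce):
        """Step 2: answer the reader's challenge and issue the tag's own challenge."""
        tag_nonce = os.urandom(8)
        tag_auth = hmac.new(self.key, b"tag" + reader_nonce + tag_nonce, hashlib.sha256).digest()
        return tag_nonce, tag_auth

    def release_data(self, reader_nonce, tag_nonce, reader_auth):
        """Step 4: release the status only after the reader has proved the key too."""
        expected = hmac.new(self.key, b"reader" + tag_nonce + reader_nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, reader_auth):
            return None                      # rogue reader: nothing is disclosed
        # Bind the status to this session's nonces so a replayed or altered
        # payload is detected by the reader (integrity of the maintenance data).
        mac = hmac.new(self.key, reader_nonce + tag_nonce + self.status, hashlib.sha256).digest()
        return self.status, mac


class Reader:
    """Simulated reader with a key table provisioned out of band."""

    def __init__(self, key_db):
        self.key_db = key_db   # tag_id -> key

    def read(self, tag):
        key = self.key_db.get(tag.tag_id)
        if key is None:
            return None                      # unknown tag id
        reader_nonce = os.urandom(8)         # step 1: fresh challenge, defeats replay
        tag_nonce, tag_auth = tag.respond(reader_nonce)
        expected = hmac.new(key, b"tag" + reader_nonce + tag_nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag_auth):
            return None                      # cloned tag: right id, wrong key
        # Step 3: prove our own key before the tag hands over any data.
        reader_auth = hmac.new(key, b"reader" + tag_nonce + reader_nonce, hashlib.sha256).digest()
        result = tag.release_data(reader_nonce, tag_nonce, reader_auth)
        if result is None:
            return None
        status, mac = result
        expected_mac = hmac.new(key, reader_nonce + tag_nonce + status, hashlib.sha256).digest()
        if not hmac.compare_digest(expected_mac, mac):
            return None                      # payload tampered with or replayed
        return status                        # only now is the status trusted
```

Scenario 3 above corresponds to the cloned-tag branch: the clone reproduces the id and any data, but without the key its response fails verification and the Back End never sees its false expiration dates.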

About the hack into the F-35 Lightning II JSF (Joint Strike Fighter) project

In the last couple of days, I was asked by many friends and colleagues about the recent Wall Street Journal news that top secret details about the Lockheed F-35 JSF (Joint Strike Fighter) were stolen by hackers that were able to gain access to the Pentagon network.

According to the reports, Information Leakage dealt with thousands of confidential files that were compromised over the past two years. The data related to the electronics systems and avionics of the JSF. Some sources claimed Terabytes (!) of data were stolen: design and performance statistics of the fighter, as well as the system used by the aircraft to conduct self-diagnostics during flight. The intruders were able to compromise the data by gaining access to the computers of Pentagon contractors in charge of designing and building the aircraft.

These were the facts, more or less reported the same way by many newspaper, agencies and web magazines.

“How was that possible?” is the first thing that came to my mind.

If those files were so sensitive, they had to be protected by applying a series of countermeasures aimed at preventing the Integrity, Confidentiality and Availability of information (i.e. data) from being compromised. These three attributes [1] are the basis of Information Security. By evaluating the impact that the loss of any of those attributes would have for a particular type of asset (meaning information at the highest possible level: data, documents, personal computers, hardware, software, oral communication, people, the company’s reputation, etc.) you can understand which assets require particular countermeasures and which others are less critical and require “loose” security measures.

For example, it is obvious that the file containing the office numbers of all the employees is less important than the file containing the detailed description of the weaknesses of the passive and active countermeasures of the F-22. So, you shouldn’t worry about the security of the group telephone and address book, but you should invest a lot (in terms of security devices, training, policies and procedures of course) to protect the survey about the weaknesses of the F-22 self-protection suite.

The entire process that goes from the evaluation of the Risk (Risk Analysis) to the ways to manage the Risk (Risk Treatment), is named Risk Management. You can’t say an asset is secure or not if you don’t put into relation the value of the asset (under the organisation’s perspective) and its peculiar threats.

Since Risk Management is paramount to addressing investments in Information Security, organisations all around the world perform Risk Assessment and the consequent Risk Treatment continuously. Risk Management enables an organisation to manage the Risk’s lifecycle; after applying the countermeasures, an organisation is called to test their effectiveness and to fill the gap between the expected security level and the actual one (in accordance with the Plan Do Check Act, or Deming Cycle, paradigm).

Let’s get back to the presumed JSF hack.

For sure, someone who was not authorized to was able to gain access to a particular file -> Confidentiality breach.

Even if I have no idea how the Pentagon network is protected, I’m sure there are plenty of Firewalls, Authentication Servers, Intrusion Prevention Systems, Document Rights Management and many other technical and procedural countermeasures to protect the sensitive information. If the stolen files were so critical, it is hard to believe they were so simply available on contractors’ computers.

So, there are three possibilities:

  1. the data was not secured because it was not deemed to be critical
  2. since the risk can’t be avoided but just reduced (you can’t ever be 100% secure), there were a series of breaches that enabled the information to be leaked despite the data being protected in a (most probably) heavily defended network architecture
  3. the Pentagon has no basic idea of how to deal with Information Security

I pick the first, since the second one is simply unlikely (but still possible) and I believe the third is just impossible for a nation where Network-Centric Warfare was pioneered. The second option is also possible, but the more critical the information was, the lower the chance that a security breach could remain undetected for 2 years (enabling the leakage of TB of data…).

[1] Let’s quickly explain the meaning of the attributes:
Confidentiality: Assurance that information is shared only among authorised persons. Breaches of Confidentiality can occur when data is disclosed in any way (for example, viewing the content of a document, eavesdropping on a conference call, accessing private records, and so on).
Integrity: Assurance that the information is authentic and complete. Therefore, this attribute refers to the need to keep the data as it is, without any change. Information must be trustworthy.
Availability: Assurance that the data is available when needed. Loss of availability occurs if any network failure prevents an authorized user from gaining access to a file stored on a Server.


French Navy Rafales grounded by a computer virus

The French Navy (Marine Nationale) has recently admitted that the Conficker worm struck some important systems, preventing operational units from downloading their flight plans as databases were infected. Even if warnings about the risk of being attacked by the virus had been issued in October 2008, the French military authorities did not install the required security patches on their Windows systems, issued by Microsoft on Oct. 15, 2008. Conficker targets the Microsoft Windows operating system and exploits a known vulnerability in the Windows Server service used by Windows 2000, WinXP, Vista, Windows Server 2K3 and Windows Server 2K8. When executed, the worm disables some system services (such as Windows Update, the Security Center and the personal firewall), then connects to a server to download other malware, to gather information stored on the computer or to propagate to another target. According to the information released by the French military, the proliferation of the worm caused a loss of Availability but did not cause a loss of data Integrity or Confidentiality. As a consequence of the Conficker proliferation, the Marine Nationale had to cut the communication links and use telephone, fax and post to communicate. A USB drive is suspected to be the medium used by Conficker to enter the French internal networks. French officials believe it was not a deliberate attack and affirm that the most sensitive network, named Sicmar, was not affected by the worm, which attacked only non-secured internal networks. Among them was the Intramar French Navy network, which was immediately isolated. However, a certain number of computers were infected and on Jan 15 and 16 the Navy’s Rafales could not depart, since they were not able to download their flight plans.
The French newspapers stressed that the Marine Nationale was not the only one to be hit by the virus: at the beginning of January 2009, the British Defence Ministry was attacked by a version of the virus that infected some 24 RAF bases and 75% of the Royal Navy fleet, the aircraft carrier Ark Royal included! Information Security is a driver of flight operations (and improves Aviation Safety).

French Navy picture

© Marine Nationale