
Italian Air Force website hacked? November 4, 2009

Posted by David Cenciotti in Hacking, Information Security, Information Warfare, Italian Air Force.

On Nov. 2, I typed the URL http://www.aeronautica.difesa.it to get the latest news from the website of the Aeronautica Militare (Italian Air Force, ItAF) but I got the following message:

It looks like the website has been reported as compromised, with some malware injected into its pages. According to Google, in the last 90 days suspicious activity has been reported 3 times, and 135 out of the 563 pages visited by Google caused the download of malicious code.

The last time the website was checked was Nov. 2, 2009, while the last time malicious code was detected on the site was Oct. 30, 2009 (again, according to Google).
By ignoring the message I got access to the homepage of the ItAF website, which is temporarily unavailable because it is currently under maintenance, as you can see from the screenshot below. What is not clear right now is whether the ItAF website is being updated because it was hacked with malicious code, or whether it is undergoing maintenance that has nothing to do with the malicious code inserted in some of its internal pages.

RFID at Luke AFB October 5, 2009

Posted by David Cenciotti in Information Security, Military Aviation.

As I explained in a previous post (Helicopter and the risk of RFID hacks), RFID applications are spreading within the world of aviation too. The article I propose below deals with the implementation of an RFID inventory tracking system to manage the 56th FW storage warehouse at Luke AFB in Arizona, replacing the old bar codes and solving a series of bar code-related issues, including security ones. The warehouse is used to send out aircraft pallets carrying everything a combat unit deployed in theatre needs to survive for five days without base support: weapons, radio equipment, generators, food and water. The pallets must be assembled and ready to be shipped within 24 hours of the order. The RFID system also provides alerts to warn base personnel if they have forgotten something on the readiness pallet.

RFID Improves Inventory Accuracy
Luke Air Force Base (AFB) manages mission-critical inventory in real time.

Integrated Solutions, October 2009
Written by: Brian Albright
Inventory accuracy is important no matter what business you’re in, but when your inventory is used to support military personnel and has to be deployed halfway around the world on short notice, the reliability of your inventory data can be the difference between life and death.

Luke AFB in Glendale, AZ is home to the Air Force’s 56th Fighter Wing. The 56th Security Forces Squadron (SFS) at Luke recently replaced a bar code tracking system in its 25,000-square-foot storage warehouse with an RFID (radio frequency identification) solution to better manage equipment inventory for staff on the base and personnel deployed abroad. The warehouse stocks two types of inventory. Supply inventory is used to support on-base staff and includes everything from pens and pencils to body armor, all-terrain vehicles (ATVs), and gun holsters.

Mobility inventory, on the other hand, is used to build 463L aircraft pallets that can hold up to 10,000 pounds of equipment and must be ready to ship within 24 hours. These “readiness pallets” are designed to support teams deployed in foreign battle zones and contain everything necessary to survive for five days without base support — weapons, ammunition, food, water, generators, fuel, radios, etc.

In 2003, the base deployed a batch bar code tracking system that fed inventory information into a stand-alone database application. This system did not allow staff to track routine maintenance and calibration schedules, didn’t provide real-time inventory visibility, and posed some security and accountability issues. “We were the only location using bar codes to track our gear and the deployment gear,” says Matthew Owen, resources advisor for security forces at Luke AFB. “Our headquarters at the Air Education and Training Command in San Antonio wanted to be able to see what each base has in real time, and we came up with an RFID tracking system to piggyback on what we’d already done with bar codes.”

In 2008, the SFS began investigating possible RFID solutions and teamed up with integrator American Barcode and RFID (AB&R) to find an appropriate system. After conducting a systems requirements study, AB&R recommended the CribMaster Accu-Port and Last-Point-Read Tracking Module, along with CribMaster inventory management software from WinWare.

RFID ENABLES EFFICIENT INVENTORY PROCESSES
Before the system went live, Owen organized a 12-person team to tag all 65,000 items in the warehouse with RFID labels containing an EPCglobal Gen 2-compliant Squiggle Tag from Alien Technology. Smaller items that couldn’t accommodate a label were placed inside tagged plastic bags for tracking.

Consumable items used on the base are primarily held inside a caged area in the warehouse. Staff access the storage area using a PIN. After picking up the items they need, they pass through a single Accu-Port RFID portal that matches the RFID tags to the PIN. The system generates an inventory list at the supply desk, which employees sign before leaving. By automatically matching supplies to personnel, the system provides full accountability and traceability of inventory and cuts down on the time needed to process and log inventory deductions. The system can also automatically trigger stock reorders. “That saves us time and also saves us money because we don’t overorder,” Owen says. “Eventually, the system will let us know how much material we’re actually consuming so we can adjust our inventory levels.”

Luke AFB utilizes a Motorola fixed-position RFID reader that tracks items too large for the caged supply area or items that have been moved outside for storage. The reader generates last-point-read information on those items so that staff can locate them more easily. Staff use Motorola MC9090 handheld RFID readers to scan goods that are loaded into the readiness pallets. The CribMaster application creates a location record that lists every item stored within each pallet. “The directions for loading the pallet are specific enough to tell you where each piece of equipment goes on the pallet,” Owen says. “We scan everything as it goes on to the container, and as soon as that pallet goes out the door it automatically deducts all of that equipment from our inventory.”

Because certain perishable items (like water and oil) are loaded onto the pallets just before shipment, the system also alerts staff if they’ve forgotten to load something. “If we tried to send a pallet out and we haven’t put those items in, the system lets us know,” Owen says. CribMaster also tracks routine maintenance schedules for items like generators or radios that have to be serviced periodically while in storage.

The system went live in January 2009, and Owen says the base is in the process of evaluating performance data to determine their cost savings. The Air Force expects the system to reduce purchasing costs and make building and issuing readiness pallets more efficient.

RFID has already cut down the time it takes to issue gear to base personnel. “Issuing equipment to a new arrival on the base used to take 45 minutes to an hour to do,” Owen says. “Now we can do it in 15 minutes and have them out the door and on their way.”
http://www.isminfo.com/index.php?option=com_jambozine&layout=article&view=page&aid=6064

Back up is a must: the AVSIM hack story August 18, 2009

Posted by David Cenciotti in Flight Simulation, Information Security.

A press release a few months ago caught my attention. AVSIM, one of the leading flight simulation sites, which had been operating since 1996, issued the following press release:

“We regret to inform the flight simulation community that on Tuesday, May 12, AVSIM was hacked and effectively destroyed. The method of the hack makes recovery difficult, if not impossible, to recover from. Both servers, that is the library / email and web site / forum servers were attacked. AVSIM is totally offline at this time and we expect to be so for some time to come. We are not able to predict when we will be back online, if we can come back at all. We will post more news as we are able to in the coming days and weeks….”.

Actually, I was not struck by the hack itself, since it is quite obvious that the better known a website is, the more likely it is to become a valuable target for a hacker. In this particular case, the attacker did not perform a typical defacement (he did not change the layout and contents of the portal), nor did he cause a Denial of Service (preventing legitimate users from accessing the site), but “simply” deleted the partitions of both AVSIM servers. I don’t know how the attacker performed the attack. However, I’m pretty sure he followed the usual “procedure”: initially, he exploited a vulnerability of the web application to gain access to the server, then he uploaded some code on the web server to perform a local privilege escalation, gaining the rights to run any kind of command.
Anyway, what really “shocked” me is not that a website was attacked despite the security countermeasures in place, but that a serious web business was wiped out because there wasn’t any Disaster Recovery plan providing for off-site content backups. For many web-based organizations the data is the business, and backups are paramount for business continuity in case of attack. Performing a periodic backup is not the only thing that matters: HOW you back up data can prevent loss of money and service downtime too.
On May 13, 2009, a statement in the AVSIM temporary forum explained that they dutifully backed up their servers every day. Unfortunately, they backed up the servers BETWEEN servers. “That is, GREEN, our library server, would be backed up to PURPLE, our WEB/Forum server. That way, if one or the other failed, we would have a back up on the remaining active server. The hacker took out both servers, destroying our ability to use one or the other back up to remedy the situation”. Although cross backup is better than no backup or backing up onto the same server, it is not a procedure I would expect from a large organisation that makes money with its website! A proper backup for such a portal would require at least an off-site backup and possibly a backup of the backup. There are various methods to make a backup and keep it available. One could be a mix of a protected RAID (Redundant Array of Independent Disks) architecture in mirroring, striping or parity configuration and an off-site weekly backup.
AVSIM certainly did not have a certified Information Security Management System (ISMS), “that part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security” (where Information Security means “preservation of confidentiality, integrity and availability of information”). ISO 27001 would have required a backup policy “to maintain the integrity and availability of information and information processing facilities” (A.10.5) and Business Continuity Management “to counteract interruptions to business activities and to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption” (A.14).
By the way, with the support of the community (including financial support), AVSIM was patiently restored… I hope with some lessons learned for the future!

US Air Traffic Control system at hackers risk August 8, 2009

Posted by David Cenciotti in Aviation, Information Security, aviation safety, civilian aviation.

During the recent Defcon hacker conference held in Las Vegas, a security researcher explained how the FAA (Federal Aviation Administration) air traffic control system is vulnerable to hacker attacks. Even though he did not show how to do that, Righter Kunkel outlined a sort of workflow that could be used to compromise the ATC system by submitting fake FPLs (Flight PLans). The process relies on the possibility of submitting your own FPL, provided that you have obtained a student pilot’s certificate number, which gives you access to the pilot registration page on the FAA’s website. Since, theoretically, a user can submit a large number of FPLs, a certain number of fake pilots could create a Distributed Denial of Service (DDoS); the FAA has also admitted that some of its networks are not properly separated and its systems not completely hardened (for instance, Kunkel said Telnet is still widely used within the FAA’s networks). An internal report issued in May 2009 claims that 763 vulnerabilities affect 70 of the FAA’s internal web applications. Before judging the security level of the network I would like to see the type of vulnerabilities listed in the report (some could of course be minor ones), but based on the current details it is obvious that, despite being a valuable asset for the FAA, a critical system (we can consider it “mission critical”) is not properly defended. This is something that happens in the Aviation, Industry, Telco and Finance sectors alike, where the lack of security countermeasures can be caused by lack of budget, lack of knowledge, lack of resources, lack of security awareness, or simply because security was a requirement that came later, when the system was already operational.

Air Transport IT Security needs August 4, 2009

Posted by David Cenciotti in Aviation, Hacking, Information Security, Information Warfare, civilian aviation.

There are a lot of signs confirming the (near) future positive trend in Information Security investments by airlines and airports all around the world. According to the analysis made by SITA, a Geneva-based company specialising in air transport communication and information technology (IT) solutions, the entire aviation industry considers Information Security a priority for both internal information (73%) and customer data (68%). SITA’s analysis underlines that 68% of the IT professionals working for the 188 airlines surveyed are going to increase the budget for Information Security solutions, while 34% have already increased it by between 1 and 6% compared with the 2008 budget. The report explains that service outsourcing is also showing a positive trend as a consequence of the need for better cost management. 62% of the airlines (and airports) have already outsourced all or most of their security processes to specialised companies, with the aim of increasing the efficiency of the countermeasures at a lower overall cost. In the future, even more should outsource their security to external companies, since 29% claimed to have planned an increase in service and solutions outsourcing in the next couple of years.
But what are an airline group’s main IT security needs?
SITA’s Executive Summary of the “Global Airline IT Security Survey 2009” provides an in-depth view of the current status of IT Security awareness within airlines. The survey shows encouraging signs of improvement in security awareness in the sector. Respondents in the survey estimated that airlines are exposed each year to 28 incidents of network slowdown as a result of malware presence on the network. However, since most of them are only worried by viruses and regularly update Antivirus products, I wonder whether the number of incidents is accurate or is simply based on their current detection capability. Just think that 51% of the airlines have a permanent patching/upgrade process (22% claim to have updated the AV less than 2 months ago), while 26% have a sort of real-time upgrade process focused on the Firewalls or IP Gateways, 36% on the IPS (Intrusion Prevention System) and only 11% have a real-time/on-going Security Event management process. This suggests that, among airlines, security is still strictly tied to Antivirus solutions and there’s still a lot to do in reinforcing defences against all the other security threats. Another interesting thing worth noticing is that, despite the growing use of e-ticketing and remote access to travel information, booking and frequent flyer programs, authentication and data confidentiality risks are underestimated. Most airlines don’t use any kind of VPN or Strong Authentication system, making access to personal customer information quite easy for an attacker. Access to a frequent flyer account on a carrier’s website can give an attacker the possibility to redeem the miles collected in a program for free tickets, or give the unauthorized user access to personal information.
Compliance with international regulations and standards is also a major area of focus for SITA. According to the report, 42% of respondents overall said that they receive input into IT compliance, as both industry compliance (73%) and customer information compliance (68%) are considered important to the airlines’ business.
Interestingly, among the key compliance initiatives there are the PCI DSS (Payment Card Industry Data Security Standard, a guideline to help organizations that process card payments prevent credit card fraud and hacking) and ISO27001, an auditable international standard which defines the requirements for an Information Security Management System and which, as a Lead Auditor ISO27001, I’ve often referred to on this site. Honestly, I’m a bit skeptical about the degree of compliance of the airlines with the latter. ISO27001 is designed to ensure the selection of adequate and proportionate security controls to protect an organisation’s valuable information assets, and not many companies, not even among those operating in the TLC (telecoms) market, have the security awareness and readiness to achieve such a demanding certification. Nevertheless, such a certification is for sure suitable for an airline, which manages internal and external information and needs to protect it, since it is critical (for the business, for the company’s image, for the customers’ trust, for compliance with the laws, etc.).
In fact, the SITA report sheds some light on the challenges faced in the field of compliance within the sector. Resources first, then skills and budget, are the top-priority challenges for IT professionals supporting compliance. This is another area where outsourcing could address the specific needs of each airline.

Helicopters and the risk of RFID hacks May 13, 2009

Posted by David Cenciotti in Aviation, Hacking, Information Security, aviation safety, civilian aviation.

Eurocopter and Telit recently signed a contract according to which Telit RF Technology will develop a wireless communication system to monitor helicopters’ critical systems and to improve aircraft maintenance. According to the information that has been released so far, each critical system/part will be monitored using an Active RFID tag. The tag will be used to store the current status of the part, (most probably) the expiration dates of the maintenance checks, the date of the last check, and so on. The information will be transmitted to a Back End server where an application will correlate the data, providing a means to monitor the status of the entire helicopter via radio frequency. Unfortunately, the news doesn’t provide any more detail about, for example, how the communication between tag and reader will be secured and how the Back End system is going to be protected from hackers’ attacks. Am I worrying for nothing? Probably. In my experience (I also wrote my graduation thesis on RFID security) security matters are underestimated when implementing RFID solutions. However, the risk is extremely high for many reasons. First of all, since RFID is not as widespread as other well-known technologies, it is hacked only by skilled people, whose probability of causing significant damage is extremely high. Many tend to think that RFID is a safe technology just because only a few know exactly how a transaction between a reader and a tag works. Lack of “security awareness” aside, security countermeasures cost money and make tags more expensive (thus rendering the solution less convenient). Countermeasures like encryption or authentication require more power, more memory and more space on the tag to accommodate processors and memory able to perform crypto functions and, consequently, more money. But the risk is extremely high. Just consider the following scenarios:
1) a DoS (Denial of Service) on the reader prevents the internal system from collecting the information transmitted by the tag (leaving the Back End application “blind” and unable to perform its typical monitoring functions)
2) malware is injected by a rogue R/W tag into the reader to attack the Back End database or application, to gain unauthorized access to the internal network, to spread a virus, etc.
3) a cloned tag with wrong data (expiration dates, performed checks, etc.) can be used to provide false information to the Back End system, leading to an aviation safety risk (or disaster).

The Phidget RFID kit I used to test the radiofrequency identification vulnerabilities

There are many more, and the ones above serve only to show the different kinds of risk embedded in Radio Frequency IDentification.
We currently don’t know which countermeasures were devised to prevent the above theoretical risks from turning into real information security or aviation safety incidents in the Telit – Eurocopter solution. However, just to give an idea of the technical measures required to secure an RFID solution and to improve data security (and, in this specific case, aviation safety), as an Information Security expert I will list the countermeasures aimed at preventing the Integrity, Confidentiality and Availability of information (i.e. data) from being compromised (for more information on these attributes I suggest reading: About the hack into the F-35 Lightning II JSF (Joint Strike Fighter) project).

  • Mutual Authentication between tags and readers (to be sure that the information is transmitted to valid readers or received from valid tags)
  • Frequency Hopping Spread Spectrum systems with multi-frequency tags (in order to switch on another frequency if the channel is saturated by jamming)
  • Redundant architecture without any SPF (Single Point of Failure): in order to ensure “business continuity”
  • Shielding of the components
  • Physical protection of the readers
  • PUF (Physically Unclonable Functions) as private keys for a challenge-response process
  • Roles segregation with Least Privilege access
  • Middleware code review
  • Input validation before connecting to the DB
  • Network separation by means of Application Gateway Firewalls
  • etc.
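The first of these countermeasures, mutual authentication through a challenge-response exchange, is illustrated by the following added Python example; it is hypothetical code, not the Telit/Eurocopter design, and assumes per-tag keys derived from a master key held by the back end, with HMAC-SHA256 standing in for whatever primitive a real tag would use. It also shows why the cloned tag of scenario 3 above, which carries a falsified expiry date but not the key, is rejected by the reader.

```python
"""Mutual challenge-response between an active RFID tag and a reader.

Hypothetical design (added example, not the Telit/Eurocopter system): a per-tag
key is derived from a master key; the reader proves it holds the key before the
tag answers, and the tag binds its record to the reader's fresh nonce, so a
cloned tag without the key or a replayed recording is rejected."""
import hashlib
import hmac
import json
import secrets

MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)  # constructed; lives in the back end/HSM
RECORD = {"part": "main-gearbox", "last_check": "2009-04-30", "expires": "2009-10-30"}  # constructed

def tag_key(master_key, tag_id):
    """Diversify a per-tag key from the master key and the tag ID."""
    return hmac.new(master_key, b"tag-key|" + tag_id.encode(), hashlib.sha256).digest()

def mac(key, *parts):
    """HMAC-SHA256 over length-prefixed fields so they cannot be shifted or merged."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()

class ActiveTag:
    """Tag on a critical part; key=None models a clone that copied ID and record only."""

    def __init__(self, tag_id, key, record):
        self.tag_id, self._key, self.record = tag_id, key, record
        self._tag_nonce = None

    def challenge(self):
        """Step 1: the tag issues a nonce so it can authenticate the reader."""
        self._tag_nonce = secrets.token_bytes(16)
        return self._tag_nonce

    def respond(self, reader_nonce, reader_proof):
        """Step 3: verify the reader, then return the record bound to both nonces."""
        payload = json.dumps(self.record, sort_keys=True).encode()
        if self._key is None:
            return payload, secrets.token_bytes(32)  # a clone can only guess the MAC
        expected = mac(self._key, b"reader", self.tag_id.encode(), self._tag_nonce, reader_nonce)
        if not hmac.compare_digest(expected, reader_proof):
            raise PermissionError("reader not authenticated; tag stays silent")
        return payload, mac(self._key, b"tag", self.tag_id.encode(), reader_nonce, self._tag_nonce, payload)

class ReplayDevice:
    """Replays one captured tag session verbatim, whatever the reader asks."""

    def __init__(self, tag_nonce, payload, proof):
        self._captured = (tag_nonce, payload, proof)

    def challenge(self):
        return self._captured[0]

    def respond(self, reader_nonce, reader_proof):
        return self._captured[1], self._captured[2]

class Reader:
    """Reader (or the middleware behind it) that holds the master key."""

    def __init__(self, master_key):
        self._master_key = master_key
        self.last_session = None  # (tag_nonce, payload, proof) of the last accepted read

    def interrogate(self, tag, claimed_id):
        """Run the exchange; return the record if authentic, otherwise None."""
        key = tag_key(self._master_key, claimed_id)
        tag_nonce = tag.challenge()
        reader_nonce = secrets.token_bytes(16)
        # Step 2: the reader proves knowledge of the tag's key over both nonces.
        reader_proof = mac(key, b"reader", claimed_id.encode(), tag_nonce, reader_nonce)
        try:
            payload, proof = tag.respond(reader_nonce, reader_proof)
        except PermissionError:
            return None
        # Step 4: the record must be bound to this session's reader nonce.
        expected = mac(key, b"tag", claimed_id.encode(), reader_nonce, tag_nonce, payload)
        if not hmac.compare_digest(expected, proof):
            return None
        self.last_session = (tag_nonce, payload, proof)
        return json.loads(payload)

def run_scenarios():
    """Genuine read succeeds; clone, replay and rogue reader all fail."""
    reader = Reader(MASTER_KEY)
    genuine = ActiveTag("TAG-0001", tag_key(MASTER_KEY, "TAG-0001"), RECORD)
    results = {"genuine": reader.interrogate(genuine, "TAG-0001")}
    # Scenario 3 of the post: a clone carrying a falsified expiry date but no key.
    clone = ActiveTag("TAG-0001", None, dict(RECORD, expires="2011-10-30"))
    results["clone"] = reader.interrogate(clone, "TAG-0001")
    # A recording of the genuine session replayed later: the reader nonce has changed.
    results["replay"] = reader.interrogate(ReplayDevice(*reader.last_session), "TAG-0001")
    # A reader without the master key cannot authenticate, so the tag stays silent.
    results["rogue_reader"] = Reader(b"\x00" * 32).interrogate(genuine, "TAG-0001")
    return results
```

Only the genuine exchange yields the maintenance record; the other three return None, which the middleware would log as a security event rather than feed to the monitoring application.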

About the hack into the F-35 Lightning II JSF (Joint Strike Fighter) project April 23, 2009

Posted by David Cenciotti in Hacking, Information Security, Information Warfare, Military Aviation.

In the last couple of days, since I’m a Computer Engineer and Lead Auditor ISO27001 working in the Information Security field, I was asked by many friends and colleagues about the recent Wall Street Journal news that top secret details about the Lockheed F-35 JSF (Joint Strike Fighter) were stolen by hackers who were able to gain access to the Pentagon network. According to the reports, the information leakage involved thousands of confidential files that were compromised over the past two years. The data related to the electronic systems and avionics of the JSF. Some sources claimed Terabytes (!) of data were stolen: design and performance statistics of the fighter, as well as the system used by the aircraft to conduct self-diagnostics during flight. The intruders were able to compromise the data by gaining access to the computers of Pentagon contractors in charge of designing and building the aircraft.
These were the facts, reported more or less the same way by many newspapers, agencies and web magazines, here in Italy too.
The first thing I thought was: “how was that possible?” If those files were so sensitive, they had to be protected by applying a series of countermeasures aimed at preventing the Integrity, Confidentiality and Availability of information (i.e. data) from being compromised. The three attributes¹ are the basis of Information Security. By evaluating the impact of the loss of any of those attributes for a particular type of asset (meaning information in the broadest possible sense: data, documents, personal computers, hardware, software, oral communication, people, the company’s reputation, etc.) you can understand which assets require particular countermeasures and which others are less critical and require “looser” security measures. For example, it is obvious that the file containing the office numbers of all the employees is less important than the file containing the detailed description of the weaknesses of the passive and active countermeasures of the F-22. So, you shouldn’t worry about the security of the group telephone and address book, but you should invest a lot (in terms of security devices, training, policies and procedures of course) to protect the survey about the weaknesses of the F-22 self-protection suite.
The entire process that goes from the evaluation of the Risk (Risk Analysis) to the ways to manage the Risk (Risk Treatment) is called Risk Management. You can’t say an asset is secure or not if you don’t relate the value of the asset (from the organisation’s perspective) to its specific threats.
Since Risk Management is paramount to addressing the investments in Information Security, organisations all around the world perform Risk Assessment and consequent Risk Treatment continuously. Risk Management enables an organisation to manage the Risk’s lifecycle; after applying the countermeasures, an organisation is required to test their effectiveness and to fill the gap between the expected security level and the actual one (in accordance with the Plan Do Check Act or Deming Cycle paradigm).
Let’s get back to the presumed JSF hack. For sure, someone who was not authorized was able to gain access to particular files -> Confidentiality breach. Even if I have no idea how the Pentagon network is protected, I’m sure there are plenty of Firewalls, Authentication Servers, Intrusion Prevention Systems, Document Rights Management and many other technical and procedural countermeasures to protect the sensitive information. If the stolen files were so critical, it is hard to believe they were so simply available on contractors’ computers.
So, there are three possibilities:
1) the information was not secured because it was not so critical
2) since the risk can’t be avoided but only reduced (you can’t ever be 100% secure), there was a series of breaches that enabled the information to be leaked despite the data being protected in a (most probably) heavily defended network architecture.
3) the Pentagon has no basic idea of how to deal with Information Security

I pick the first one, since the second one is simply less probable (but still possible) and I believe the third is just impossible for a nation where Network-Centric Warfare was pioneered. The second option is also possible, but the more critical the information was, the less likely it is that a security breach could remain undetected for 2 years (enabling the leakage of TB of data…).

Following picture courtesy of LM

¹ Let’s quickly explain the meaning of the attributes:
Confidentiality: Assurance that information is shared only among authorised persons. Breaches of Confidentiality can occur when data is disclosed in any way (for example, viewing the content of a document, eavesdropping on a conference call, accessing private records, and so on).
Integrity: Assurance that the information is authentic and complete. Therefore, this attribute refers to the need to keep the data as it is, without any change. Information must be trustworthy.
Availability: Assurance that the data is available when needed. Loss of availability occurs if, for example, a network failure prevents an authorized user from gaining access to a file stored on a server.

French Navy Rafales grounded by a computer virus February 13, 2009

Posted by David Cenciotti in Aviation, Hacking, Information Security, Information Warfare, Military Aviation, aviation safety.

The French Navy (Marine Nationale) has recently admitted that the Conficker worm struck some important systems, preventing operational units from downloading their flight plans because the databases were infected. Even though warnings about the risk of being attacked by the virus had been issued in October 2008, the French military authorities did not install on their Windows systems the security patches that Microsoft had issued on Oct. 15, 2008. Conficker targets the Microsoft Windows operating system and exploits a known vulnerability in the Windows Server service used by Windows 2000, WinXP, Vista, Windows Server 2K3 and Windows Server 2K8. When executed, the worm disables some system services (such as Windows Update, the Security Center and the personal firewall), then connects to a server to download other malware, to gather information stored on the computer or to propagate to another target. According to the information released by the French military, the proliferation of the worm caused a loss of Availability but did not cause loss of data Integrity or Confidentiality. As a consequence of the Conficker proliferation, the Marine Nationale had to cut its communication links and use telephone, fax and post to communicate. A USB drive is suspected to be the medium Conficker used to enter the French internal networks. French officials believe it was not a deliberate attack and state that the most sensitive network, named Sicmar, was not affected by the worm, which attacked only non-secured internal networks. Among them was the Intramar French Navy network, which was immediately isolated. However, a certain number of computers were infected and on Jan 15 and 16 the Navy’s Rafales could not take off since they were not able to download their flight plans.
The French newspapers stressed that the Marine Nationale was not the only one to be hit by the virus: at the beginning of January 2009, the British Defence Ministry was attacked by a version of the virus that infected some 24 RAF bases and 75% of the Royal Navy fleet, the aircraft carrier Ark Royal included! Information Security is a driver of flight operations (and improves Aviation Safety).

French Navy picture © Marine Nationale

Airport Network Failures… January 25, 2009

Posted by David Cenciotti in Aviation, Hacking, Information Security, aviation safety, civilian aviation.

Look at the following picture. It was taken by my friend Rage at the Terminal B of Barcelona airport on Jan 7, 2009. Can you notice something weird?

If you look closely, you can see a “NETWORK FAILURE” message among the departures. Failures can happen. I work in the IT area and every day I have to deal with the concepts of Redundancy, Back Up, Storage, High Availability, Disaster Recovery, etc. What is really strange in this case is not the failure itself but the fact that the error message appears on the display. This is what I consider a dual mistake: a communication error and a design error. Let me explain what I mean.
That message doesn’t contain any useful information for a passenger departing from the Spanish airport. It answers no question but creates confusion: since travellers are not aware of the type of failure, they don’t know whether the message refers to something within the display (is the airport network down? are departures affected by some kind of route network problem? etc.) or outside it (the source of the information displayed at Terminal B). From a security point of view, showing that message is risky too: if the failure is the consequence of a hacker attack, giving him confirmation that the hack was successful is not a clever idea. Next time he could achieve a DoS (Denial Of Service) building on the first successful attack. So, programmers, LAN and IT managers at airports should prevent such error messages from being broadcast.
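Both halves of the dual mistake can be addressed in the software that drives the board. The following added Python example (hypothetical code, not from the post or any airport system) assumes a primary and a secondary flight-information feed and shows a departures board that fails over, degrades to its last good data with a neutral notice when every feed is down, and keeps the fault detail in the operator log instead of on the public screen.

```python
"""Departures board with a redundant feed and sanitised public messages.

Hypothetical code (added example, not from the post or any airport system).
It assumes a primary and a secondary flight-information feed: when one fails
the board fails over; when both fail it keeps the last known good rows with a
neutral notice; the fault detail goes to the operator log, never to the screen."""
import logging
import time

log = logging.getLogger("fids")


class FeedError(Exception):
    """Raised by a feed when it cannot deliver departure rows."""


class DeparturesBoard:
    def __init__(self, feeds, clock=time.time, stale_after=300):
        self.feeds = list(feeds)         # ordered (name, callable) pairs; callable returns rows
        self._clock = clock
        self._stale_after = stale_after  # seconds for which cached rows may still be shown
        self._last_good = None
        self._last_good_at = None

    def refresh(self):
        """Return (rows, public_notice). The notice never carries fault details."""
        for index, (name, feed) in enumerate(self.feeds):
            try:
                rows = feed()
            except FeedError as exc:
                log.error("feed %s failed: %s", name, exc)  # detail stays internal
                continue
            if index > 0:
                log.warning("serving departures from standby feed %s", name)
            self._last_good, self._last_good_at = rows, self._clock()
            return rows, ""
        # Every feed failed: degrade gracefully instead of printing the error.
        if self._last_good is not None and self._clock() - self._last_good_at < self._stale_after:
            return self._last_good, "Departure information may not be up to date."
        return [], "Departure information temporarily unavailable. Please ask airline staff."


# Constructed sample rows and feeds for the scenarios below.
SAMPLE_ROWS = [("IB 1234", "Madrid", "10:15", "Boarding"), ("VY 2020", "Roma FCO", "10:40", "On time")]


def healthy_feed():
    return SAMPLE_ROWS


def failing_feed():
    raise FeedError("NETWORK FAILURE: connection to FIDS server refused")


def run_scenarios():
    """Three refreshes: failover to standby; both feeds down with a fresh cache; both down with a stale cache."""
    now = [1000.0]  # controllable clock so the staleness window can be exercised
    board = DeparturesBoard([("primary", failing_feed), ("secondary", healthy_feed)], clock=lambda: now[0])
    failover = board.refresh()
    board.feeds = [("primary", failing_feed), ("secondary", failing_feed)]
    now[0] += 60
    fresh_cache = board.refresh()
    now[0] += 600
    stale_cache = board.refresh()
    return {"failover": failover, "fresh_cache": fresh_cache, "stale_cache": stale_cache}
```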

From a design point of view, a network failure is a symptom that something in the “chain” has failed: there was a Single Point of Failure (SPF), the Business Continuity Plan (BCP) did not succeed, the Back Up plan did not work, the configuration was not correctly implemented, the Hardware was obsolete or at full capacity, etc. There can be many reasons for a failure (a network one included). For sure, they must be avoided, especially if the network is used to transmit mission critical information: in this case, a fault can be catastrophic. Risk Management should be performed in order to assess those assets that must be hardened, to mitigate the risk of loss or deterioration of the assets, and to monitor the risk in accordance with a particular metric in order to keep it at an “acceptable level”. Even if flight operations and Air Traffic Control are the fields where Aviation Safety focuses most often, the IT department of an airport must be taken seriously into consideration. Even if applying effective countermeasures and contingency plans can cost a lot, underestimating the damage that can be inflicted by a poorly maintained Local Area Network or Hardware Component could lead to a disaster. A few examples:

On Apr. 20, 2002 a power supply problem made the Rome Fiumicino Tower mute between 4.40 and 5.20 LT.

On Mar. 16, 2003, a network failure caused a radar black out at Rome ACC, based in Ciampino, around 22.00 LT: all intercontinental flights to Fiumicino were diverted to Malpensa, Rome Radar switched to procedural control and take offs were blocked until midnight.

In Aug. 2007 a malfunctioning NIC (Network Interface Card), the component that connects a computer to the LAN (Local Area Network), on a single desktop computer of the immigration control in the Tom Bradley International Terminal at LAX experienced a failure. A total system failure affecting the other computers of the same immigration system occurred at 14.00 LT and lasted some 9 hours. All international flights were delayed by some hours. Thousands of passengers had to wait for hours at the airport. A second outage on the Customs systems was caused by a power supply failure. Customs computers with a life of about 4 years were at the end of their four-year lifecycle and had to be replaced.

In July 2008, a failure of the Dublin airport radar system caused fear and many grounded flights. Tracks vanished from the controllers’ radar screens. The first failure lasted 10 minutes; the second time, the controllers had to close the airport to all inbound flights. As a consequence, 200 flights were delayed, diverted or cancelled. Ryanair, the airport’s main user, claimed that more than 13,000 passengers were affected, with a cost to the airline of about 1 million GBP. The shutdown was caused by a faulty network interface card (once again) but was actually a double fault, since the LAN recovery failed too. The following is an excerpt of an interesting article on the Dublin event published by the Irish Times (http://www.irishtimes.com/newspaper/ireland/2008/0920/1221835128140.html):

……
When it subsequently emerged that there had been a series of faults in the radar system since June 2nd, Ryanair called on the Department of Transport “and Ireland’s useless aviation regulator” to explain why there was no contingency plan for the repeated IAA computer system failures at Dublin airport.

Aer Lingus chief executive Dermot Mannion suggested that a back-up system may be needed if the upheaval was not to repeat itself, but industry sources said a back-up system would cost as much to install as an initial system.

However, yesterday’s Report of the Irish Aviation Authority into the ATM System Malfunction at Dublin Airport maintained that while “worldwide, air navigation service providers cannot rule out the possibility of failures” the IAA was “confident that the measures recommended by the system supplier Thales ATM and now being implemented will minimise the effect of a recurrence of like or similar failures of its ATM system in the future”.

The report revealed that the root cause of the failures at Dublin airport was a faulty network interface card and that all of the Dublin failures had the same root cause.

It concluded that the failure was not “a single point of failure” but was caused by a double failure – a hardware failure of the network interface card and a failure of the local area network recovery mechanism.

The IAA said the system had been “stable” since July 9th and added: “IAA engineering, air traffic control, safety, support and management staff worked around the clock to resolve the issues as quickly as possible.”

Recommendations

Thales ATM, suppliers of the radar system at Dublin airport, recommended:

• That additional network monitoring be undertaken. Monitoring tools and a “passive analyser” should be installed for the early identification of any similar malfunctions. This work has been completed.

• That a software programme to protect the local area network recovery mechanism be developed. This programme is currently being tested.

• That changes in procedures in relation to hardware testing be made before insertion in the operational system. These changes have been implemented.

• Thales ATM is also studying other potential improvements in the network design to prevent a recurrence.

• A spokeswoman for the IAA said it and Thales ATM had jointly supplied engineers to work on the problem. While it did not expect to have its costs refunded by Thales ATM, neither did it expect a bill from the company for its time.

USAF vs Information Leakage March 21, 2008

Posted by David Cenciotti in Information Security, Information Warfare, Military Aviation.

The USAF decided to deny its personnel access to some websites, the ones containing the word “blog” (and a few others, according to the information provided on some forums and websites on the Internet), in order to prevent some important information from being disclosed without control. Even if the majority of its users, especially those deployed abroad, used blogs to provide information to their relatives, some witnessed things that could not be unveiled and shared their thoughts in a way that was considered dangerous. Information Leakage is one of the major threats to military secrets, even if restricting users’ web access is only a minor solution. First of all, some of the most important information is stored on sites that are not correctly protected or hardened and are consequently often hacked by both internal and external visitors. Then, it must be considered that if a serviceman wants to disclose secrets, in either an intentional or an unintentional way, he could do that by alternative means or from his home laptop or smartphone.
The blocks on web browsing were implemented using Blue Coat proxying technology. This kind of system uses an internal policy that is matched against the destination URL requested by an internal user. If the requested destination matches the list of blocked sites, the user is redirected elsewhere, to a blank page or to a default page. Otherwise he can surf. The black list (the list containing those sites that cannot be accessed) can be category-based (hence automatic) and/or custom. Since categories and subcategories on these systems are wide, adding a category to the black list could lead to false positives, that is to say that a user could be denied access to a permitted website. In this case a manual exclusion is required (with effort needed to track exclusion requests and to analyse them).
According to what some important magazines reported, all the URLs containing “blog” are currently banned, but it is still unclear whether other domains, like wordpress.com or pages.google.com, where blogs can be hosted but which don’t contain the explicit word “blog”, are among the denied destinations (for instance, I still don’t know whether this site can be accessed from Air Force bases). Actually, not only Blogspot was cut from the “white list” containing the “good sites”: some social networking websites have also been restricted on military networks for various reasons. YouTube, Photobucket and MySpace have been banned because of the bandwidth they eat, while reputable media should still be available to everyone. Even if, officially, the problem is tied to Information Leakage, someone speculated that the risk is that the military could use social networks (without disclosing classified information) to share opinions against their commanders or to convince troops that the war is not worth fighting. There are also productivity explanations: watching videos, uploading pictures and blogging is wasteful Internet usage. However, there’s not much consistency in blocking blogs while permitting ESPN, news and commercial email. Using Gmail, people can still send and receive email, and chat. Using a commercial email address, a serviceman can still upload his pictures to Photobucket by sending them to the configured email address, and can still post his thoughts on a blog by forwarding the text to his wife or friends, who are not blocked by any Firewall or Proxy. So there are only two options: leaving free access (but educating personnel on the risks of Information Leakage for their own safety) or blocking everything but those sites needed for their specific activities or work. Since the second option would have a deep impact on morale, the first one is smarter to me.
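As an added example of the policy matching described in the two paragraphs above (constructed here, not Blue Coat’s code nor the USAF’s actual configuration): a small URL filter that combines a category black list, the “blog” keyword rule, a custom block entry and a manual exclusion list. The category table, hosts and sample requests are assumptions; it shows why a keyword-only rule misses a blog hosted on wordpress.com, and how an exclusion resolves a false positive on a permitted site whose path happens to contain “blog”.

```python
from urllib.parse import urlsplit

# Constructed category database (host -> category); a real proxy vendor
# feed has millions of entries. wordpress.com is deliberately left out to
# show what a keyword-only rule misses.
CATEGORIES = {
    "www.blogspot.com": "blogs",
    "www.youtube.com": "video",
    "photobucket.com": "photo-sharing",
    "www.myspace.com": "social",
    "www.espn.com": "sports",
    "mail.google.com": "webmail",
    "www.af.mil": "government",
}

# Constructed policy mirroring the rule types described in the post.
POLICY = {
    "blocked_categories": {"blogs", "video", "photo-sharing", "social"},
    "blocked_keywords": ("blog",),         # matched on host + path
    "custom_block": {"pages.google.com"},  # hand-added host
    "allow_overrides": {"www.af.mil"},     # manual exclusions granted after review
}


def evaluate(url, policy=POLICY, categories=CATEGORIES):
    """Return (decision, reason) for one request; decision is 'allow' or 'block'.
    Order matters: exclusions first, then custom list, category, keyword."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in policy["allow_overrides"]:
        return "allow", "manual exclusion"
    if host in policy["custom_block"]:
        return "block", "custom list"
    category = categories.get(host)
    if category in policy["blocked_categories"]:
        return "block", f"category:{category}"
    target = host + parts.path.lower()
    for keyword in policy["blocked_keywords"]:
        if keyword in target:
            return "block", f"keyword:{keyword}"
    return "allow", "not matched"


def dry_run(urls, policy=POLICY):
    """Evaluate a proposed policy over sample traffic before deploying it,
    so false positives can be spotted and exclusions requested up front."""
    return {url: evaluate(url, policy) for url in urls}
```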