
3,800 Vulnerabilities Detected In FAA's Web Apps

kdawson posted more than 5 years ago | from the fear-of-flying dept.

Security 88

ausekilis sends us to DarkReading for the news that auditors have identified thousands of vulnerabilities in the FAA's Web-based air traffic control applications — 763 of them high-risk. Here is the report on the Department of Transportation site (PDF). "And the FAA's Air Traffic Organization, which heads up ATC operations, received more than 800 security incident alerts in fiscal 2008, but still had not fixed 17 percent of the flaws that caused them, 'including critical incidents in which hackers may have taken over control of ATO computers,' the report says. ... While the number of serious flaws in the FAA's apps appears to be staggering, Jeremiah Grossman, CTO of WhiteHat Security, says the rate is actually in line with the average number of bugs his security firm finds in most Web applications. ... Auditors were able to hack their way through the Web apps to get to data on the Web application and ATC servers, including the FAA's Traffic Flow Management Infrastructure system, Juneau Aviation Weather System, and the Albuquerque Air Traffic Control Tower. They also were able to gain entry into an ATC system that monitors power, according to the report. Another vulnerability in the FAA's Traffic Flow Management Infrastructure leaves related applications open to malware injection."


88 comments


I bet... (-1, Flamebait)

the1337g33k (1268908) | more than 5 years ago | (#27915465)

they could find more vulnerabilities in a windows install.

Re:I bet... (-1, Troll)

Anonymous Coward | more than 5 years ago | (#27915499)

They can find more nigger DNA in your mom's pussy, that's for shizzle.

Re:I bet... (0)

Anonymous Coward | more than 5 years ago | (#27915785)

no

Re:I bet... (-1, Troll)

Anonymous Coward | more than 5 years ago | (#27916327)

Spic DNA in your dad's butthole?

Re:I bet... (1)

CarpetShark (865376) | more than 5 years ago | (#27915923)

Yeah, they're using windows without the .exe/.dll loader component.

BRB Guys (4, Funny)

pwnies (1034518) | more than 5 years ago | (#27915479)

Gonna hack into the FAA's site and arrange for some low fly-bys of New York city so I can take some nice pics. I'm sure no one will notice.

Re:BRB Guys (0, Offtopic)

Brian Gordon (987471) | more than 5 years ago | (#27915791)


-pwnies

Re:BRB Guys (0, Redundant)

FunPika (1551249) | more than 5 years ago | (#27915817)

How about, while you're at it, you arrange for some planes to pass within 100 feet of the White House, U.S. Capitol, Pentagon, and anywhere else that will cause mass nationwide panic?

Re:BRB Guys (1)

JazzLad (935151) | more than 5 years ago | (#27925937)

Geeksquad.Gov (5, Funny)

tanmanX (1275146) | more than 5 years ago | (#27915505)

Something perhaps the federal government needs. A pool of IT professionals that are available to all federal agencies, with the full range of clearances to keep critical, and not so critical, networked government information and hardware safe from ill-intentioned eyes.

Re:Geeksquad.Gov (0)

Anonymous Coward | more than 5 years ago | (#27915535)

Oh yeah, definitely - cuz the Geek Squad is good at that kind of stuff.

Re:Geeksquad.Gov (4, Funny)

arizwebfoot (1228544) | more than 5 years ago | (#27915605)

We'll get Chuck from the Nerd Herd and he can "flash" 'em.

Re:Geeksquad.Gov (1)

canipeal (1063334) | more than 5 years ago | (#27915953)

We'll get Chuck from the Nerd Herd and he can "flash" 'em.

The fear of being subjected to pasty hairy man boobs just might get the operations team at the FAA to get off their asses and do their job.

Re:Geeksquad.Gov (1)

Baricom (763970) | more than 5 years ago | (#27918281)

I could be missing the joke, but isn't said agency the NSA [nsa.gov] ?

Re:Geeksquad.Gov (1)

Ihmhi (1206036) | more than 5 years ago | (#27919855)

The NSA developed SELinux, yes? Which is supposed to be an insanely secure Linux for the paranoid (who of course wouldn't download something written by the NSA...).

Since Linux could be written to do pretty much, well, anything, a better investment would be an organization that writes custom OSes for departments. ATTLinux (Air Traffic Control), for example. It can do what it has to do and nothing more. No web browser, for instance, or if it had one only certain ports would work period.

If they keep stuff like this feature-light it would be trivial to program separate versions for the departments that really need it (IRS, FBI, Pentagon, etc.) by using a basic, stripped-down version of Linux as the starting point.

Re:Geeksquad.Gov (2, Informative)

rackserverdeals (1503561) | more than 5 years ago | (#27920127)

The problem is that an operating system is just something you need to get the application to work on the hardware you choose. It might be a small part of the problem. If you decide to create your own custom distro for the purpose of running your application you're going to possibly run into problems getting your application stack to work correctly on top of it or may have problems getting support.

The OS they chose was RHEL [gcn.com] and you can infer some of the rest of the stack from the requirements [74.125.47.132] .

Looks like they went with an SOA architecture on top of a J2EE stack with an Oracle backend using Eclipse as the development platform.

I don't know why these stories turn into OS flame wars. It's like blaming the spark plug for poor engine performance. The OS is probably adding vulnerabilities (I don't know of any OS that doesn't have listed vulnerabilities) but you have to look at the whole stack. Any individual part of the stack could be fine on its own, but in combination may create other problems. On top of that, this system isn't just a combination of off-the-shelf components, there is a lot of coding involved and for all we know that's where most of the issues may be.

Re:Geeksquad.Gov (0)

Anonymous Coward | more than 5 years ago | (#27922389)

This is probably a J2EE app that is rife with the standard web exploits that the bottom of the barrel, cheapest bidder routinely produces.

It doesn't matter the platform if the application you write looks like Swiss cheese.

Re:Geeksquad.Gov (3, Insightful)

Zero__Kelvin (151819) | more than 5 years ago | (#27920249)

"The NSA developed SELinux, yes? Which is supposed to be an insanely secure Linux for the paranoid (who of course wouldn't download something written by the NSA...)."

We don't accept binaries from the NSA. Source code is welcome, thus SELinux.

Re:Geeksquad.Gov (1)

Ihmhi (1206036) | more than 5 years ago | (#27925901)

I trust you haven't looked through the code, then? The first letter of the first few lines spells out "I-A-M-A-T-E-R-R-O-R-I-S-T", and then BAM they have you!

Re:Geeksquad.Gov (0)

Anonymous Coward | more than 5 years ago | (#27919885)

HA! I've worked for and with IT contractors. Most of them are decent, fairly competent people. It only takes 1 bad manager or coder to royally f*ck over an entire multi-year IT project.

Just read through the PDF (0, Troll)

erroneus (253617) | more than 5 years ago | (#27915693)

I saw no mention of how they are using Windows or if they are using Windows at all. Under the recommendations, they made no recommendations to stop using Windows at all.

Re:Just read through the PDF (4, Informative)

Roadkills-R-Us (122219) | more than 5 years ago | (#27915797)

They do mention a compromised domain controller, which suggests (though doesn't guarantee) Windows.

They also mention DOT, which I believe is heavily into Windows.

In the late 1980s I know there was some UNIX/X11 development going on for ATC in Germany, but I never heard whether it went big time in Europe, much less in the USA.

There are some references on the net from 2007 or so that the FAA was switching from Win to Lin, but I'm not sure what systems those were, or if it really happened. They could easily run a mix of UNIX, Linux, Windows and others on the back end, and mostly Windows on the front end.

Finally, the ATC systems probably run RTOS or a real-time UNIX.

Re:Just read through the PDF (0)

Anonymous Coward | more than 5 years ago | (#27920117)

I think this [freeonlinegames.com] might be the software they use?

Re:Just read through the PDF (0)

Anonymous Coward | more than 5 years ago | (#27926411)

I used to work on a team that provided hardware for the CIMACT project, which was basically a system for coordinating all the data from radar sites across Europe.

It used Linux + tcl, although I did see an awful lot of older hardware, mostly dedicated equipment from the likes of Barco

Re:Just read through the PDF (0)

Kalriath (849904) | more than 5 years ago | (#27916309)

So what? Properly secured proxies, etc, make Windows a perfectly secure operating system. This isn't 2001, you know.

Re:Just read through the PDF (2, Insightful)

Antique Geekmeister (740220) | more than 5 years ago | (#27918021)

No, it really doesn't secure it. Too many network-based utilities require far too much privilege to operate, Internet Explorer is a sinkhole of security vulnerabilities, and autorun remains the default for CDs, USB sticks, and other detachable media. Proxies are like the Maginot Line of security: they provide a useful pretense at security, but only have to be pierced once to allow the invaders to overrun your internal network.

It only takes one newly installed laptop, exposed to the Internet while pulling down its first service packs and security software, to serve as the staging point for all sorts of attacks.

Re:Just read through the PDF (5, Insightful)

ASBands (1087159) | more than 5 years ago | (#27916385)

Karma be damned, but the use of Windows in a secure system is nowhere near as bad as not sanitizing your inputs on any system. No platform can just make up for bad practice. FreeBSD will happily allow someone to guess 'PASSWORD' as the login password (from TFA: "Software configuration involves setting up a software system for one's particular uses, such as changing a factory-set default password of "PASSWORD" to one less easily guessed."). If you're using Oracle DB, MS SQL or MySQL, if you store passwords as plaintext instead of hashes and secure data in plaintext, you will run into problems (TFA: "...hackers had the ability to obtain more than 40,000 FAA user IDs, passwords, and other information used to control a portion of the FAA mission-support network."). Microsoft may not patch in a timely manner, but it doesn't matter what platform you're running if you don't apply the patches (TFA: "...software with known vulnerabilities was not corrected in a timely manner by installing readily available security software patches released to the public by software vendors."). PHP, JSP, ASP, ASP.NET, Ruby, Perl or whatever, if you program poorly, you're going to have problems.
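The three points in the post above (unsanitized input, a factory-default password, passwords kept in the clear) shown side by side in an added example that is not from this thread, the DOT report or any FAA code. It uses an in-memory SQLite table and constructed user names; the string-pasted query is the defective form and the bound-parameter query is its fix, and the password store keeps only a per-user salt and a PBKDF2 digest:

```python
import hashlib
import hmac
import os
import sqlite3

# Factory-default or trivially guessable passwords rejected at account
# creation (constructed list, not any agency's policy).
FORBIDDEN_PASSWORDS = {"password", "admin", "changeme", "123456"}

PBKDF2_ROUNDS = 200_000


def password_acceptable(password):
    """Case-insensitive check against the default-password list."""
    return password.lower() not in FORBIDDEN_PASSWORDS


def create_db():
    """In-memory user table: name, per-user random salt, PBKDF2 digest."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, digest BLOB)")
    return conn


def hash_password(password, salt=None):
    """Salted, iterated hash; the password itself is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def add_user(conn, name, password):
    """Refuse default passwords; store only salt + digest."""
    if not password_acceptable(password):
        raise ValueError("default or trivially guessable password rejected")
    salt, digest = hash_password(password)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, digest))
    conn.commit()


def find_user_unsafe(conn, name):
    """Defective form: the name is pasted into the SQL text, so a quote
    character inside it rewrites the query (the Bobby Tables problem)."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, name):
    """Hardened form: a bound parameter is data, never SQL syntax."""
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE name = ?", (name,))]


def verify_password(conn, name, password):
    """Recompute the digest with the stored salt; constant-time compare."""
    row = conn.execute("SELECT salt, digest FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    _, digest = hash_password(password, row[0])
    return hmac.compare_digest(digest, row[1])


def demo():
    """Constructed walk-through: two users, one quote-bearing lookup."""
    conn = create_db()
    add_user(conn, "alice", "correct horse battery staple")
    add_user(conn, "bob", "another-long-passphrase")
    probe = "x' OR '1'='1"  # constructed input containing a string-terminating quote
    return {
        "unsafe": sorted(find_user_unsafe(conn, probe)),  # every user leaks
        "safe": find_user_safe(conn, probe),              # nothing matches
        "login_ok": verify_password(conn, "alice", "correct horse battery staple"),
        "login_bad": verify_password(conn, "alice", "PASSWORD"),
    }


if __name__ == "__main__":
    print(demo())
```

The standard-library PBKDF2 is used so the block runs anywhere; a new deployment would normally pick a memory-hard function such as Argon2 or bcrypt, but the storage rule (salt plus digest, never the password) is the same.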

Re:Just read through the PDF (0)

Anonymous Coward | more than 5 years ago | (#27918897)

But, but, but...this is Slashdot! Of course it is Microsoft's fault that someone does not sanitize MySQL queries. Remember Bobby Tables, you insensitive clod? WE SHALL NEVER FORGET!

Re:Just read through the PDF (0)

Anonymous Coward | more than 5 years ago | (#27919329)

Just because a steel vault can be password-hacked just as easily as a plastic vault doesn't mean that you shouldn't get a better password and get a steel vault.

plaintext FreeBSD password (1)

viralMeme (1461143) | more than 5 years ago | (#27921993)

'FreeBSD will happily allow someone to guess 'PASSWORD' as the login password (from TFA: "Software configuration involves setting up a software system for one's particular uses, such as changing a factory-set default password of "PASSWORD" to one less easily guessed.")'

Where does it say they were using FreeBSD?

'if you store passwords as plaintext instead of hashes and secure data in plaintext, you will run into problems (TFA: "...hackers had the ability to obtain more than 40,000 FAA user IDs, passwords, and other information used to control a portion of the FAA mission-support network.")'

Where does it say they were using plaintext passwords? According to the FAA report they installed malicious codes and an administrator's password.

"By taking advantage of FAA's interconnected networks, hackers later stole FAA's enterprise administrator's password in Oklahoma, installed malicious codes with the stolen password, and compromised FAA's domain controller in its Western Pacific Region"

"Microsoft may not patch in a timely manner, but it doesn't matter what platform you're running if you don't apply the patches .. PHP, JSP, ASP, ASP.NET, Ruby, Perl or whatever, if you program poorly, you're going to have problems"

Where does it say a poorly patched PHP, JSP, Ruby, Perl or whatever app was the cause of the vulnerabilities?

Re:Just read through the PDF (0)

Anonymous Coward | more than 5 years ago | (#27916841)

Under the recommendations, they made no recommendations to stop using Windows at all.

Maybe they didn't make those recommendations because they weren't doing so in the first place? Are you making assumptions just to get in a dig at Microsoft?

Re:Just read through the PDF (4, Insightful)

gparent (1242548) | more than 5 years ago | (#27917143)

Mainly because it doesn't matter. These computers have problems that are totally unrelated to Windows, such as easily guessable passwords, unpatched vulnerabilities and easily accessible passwords, unencrypted in the database.

Windows isn't the weak link here, and properly securing Windows isn't exactly rocket science.

Re:Just read through the PDF (1)

rackserverdeals (1503561) | more than 5 years ago | (#27919299)

I saw no mention of how they are using Windows or if they are using Windows at all. Under the recommendations, they made no recommendations to stop using Windows at all.

Actually, it looks like one of these FAA systems (Traffic Flow Management System) is running Red Hat Enterprise Linux on the servers and workstations with an Oracle backend. The system was migrated from HP-UX to Linux [gcn.com] .

Hum... (1)

genw3st (1373507) | more than 5 years ago | (#27915783)

... and here we have people worried about exploding shoes and finger nail clippers.

Security expert point of view. (5, Interesting)

canipeal (1063334) | more than 5 years ago | (#27915825)

As a security engineer (CISSP & CSSLP) with several years of experience in C&A and pen testing, I must say that the results aren't a surprise by any means. What I DO find disturbing is the amount of detail provided in a public report given the fact that the FAA has yet to fully apply its remediation strategies for the vulnerabilities identified. Is there any info as to what tools they used for app testing? My experience shows that tools such as App Detective and Web Inspect actually inflate the number of findings. This is due to the fact that the applications identify vulnerabilities by instance and not by category/type.

Re:Security expert point of view. (4, Funny)

phantomfive (622387) | more than 5 years ago | (#27915927)

What bugs me is all these links in the summary are to articles. Forget that, I want a link to the page where I can control a plane!!

Re:Security expert point of view. (0)

Anonymous Coward | more than 5 years ago | (#27916213)

What bugs me is all these links in the summary are to articles. Forget that, I want a link to the page where I can control a plane!!

Unfortunately, the plane-control page is in Chinese.

Re:Security expert point of view. (0)

Anonymous Coward | more than 5 years ago | (#27917199)

Well, the Chinese page is not bad, but honestly I think the Russian version has a lot more features.
My favorite: you can interface it with your own (legit of course) copy of Flight Simulator.

Re:Security expert point of view. (1)

Canazza (1428553) | more than 5 years ago | (#27919041)

I'll get to work on a Google Maps Mash-up right away :D

Re:Security expert point of view. (1)

jonaskoelker (922170) | more than 5 years ago | (#27920391)

Forget that, I want a link to the page where I can control a plane!!

Are you sure you don't want a VB GUI to trace its route? ;-)

Computers and technology in pop culture (1)

jonaskoelker (922170) | more than 5 years ago | (#27920563)

(Sorry for the self-reply, but I wanted my two points to be independently moddable; this'll probably get modded OT, but I got karma to burn...)

Speaking of computers and technology in pop culture, I've recently watched Die Hard 4.

In general, it's everything we hate: overblown graphical interfaces ("tracing $BADGUY, [$n percent progress bar]"), interfaces that work the "wrong" way (when your box gets hacked, the screen goes fuzzy like a TV with poor reception), nonsensical terminology ("it's a E-bomb!").

But! It has one redeeming quality; Mr. Nerdy Sidekick described cryptography as "Math-based security". That's a phrase that's handy for talking to non-geeks ("the washed masses"? :D)

It points in the general direction of the application of cryptography, "security", and it says something about what cryptography is (or contains), "math[-based]".

And since cryptography requires math which most people haven't learned anything about, if people start to speculate "so how can you secure stuff with math", in the two seconds or so they can do it during a conversation they're not going to come up with something wrong which they don't know is wrong---they're going to come up with nothing, making them ask "so how can you make security with math?".

Thus, saying "math-based security" gives you an opportunity to give people only correct ideas about what you do, and in as much detail as people want to hear about.

Re:Security expert point of view. (5, Interesting)

Zapotek (1032314) | more than 5 years ago | (#27916263)

Funny thing...
I was developing a web app security assessment platform like Metasploit but for web apps...so I had to get a peek at the competition.
So like a good boy I set up a logger on my website and asked a big security firm to demo their own automated web assessment tool on my website.
I received a report of some hundreds of vulnerabilities. Needless to say not one of them was correct. So I e-mailed them back and told them and got a response with an apology.
If they used an automated tool like that it's very probable most of the vulns were false positives.
Oh and by the way, many of these tools detect e-mail addresses or contact info posted on the site as possible vulnerabilities because they provide "sensitive information".

My point being...don't fully trust the report. Sure they must have some serious security risks on their website but 3,800 seems extravagant.

PS. Sorry to the guy above me with the "I want a link to the page where I can control a plane!!" for removing my mod +1 funny to his comment. I just had to post this reply. hehe
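Two of the comments above make related points about scanner output: canipeal's, that tools count findings by instance rather than by category, and Zapotek's, that a large share can be false positives such as e-mail addresses reported as "sensitive information". The following added example (not from this thread, any scanner vendor or the DOT report) triages a constructed findings list both ways: it collapses instances onto root causes and flags the contact-page e-mail addresses for manual review before counting. The findings, URLs and the public-page policy are all constructed:

```python
from collections import Counter

# Constructed scanner output, one record per *instance* (URL + parameter).
# Several rows share one root cause, which is how instance counts inflate.
RAW_FINDINGS = [
    {"category": "Reflected XSS", "severity": "high", "url": "/search", "param": "q", "evidence": "<script>"},
    {"category": "Reflected XSS", "severity": "high", "url": "/search", "param": "sort", "evidence": "<script>"},
    {"category": "Reflected XSS", "severity": "high", "url": "/news", "param": "id", "evidence": "<script>"},
    {"category": "SQL injection", "severity": "high", "url": "/login", "param": "user", "evidence": "syntax error"},
    {"category": "Missing HttpOnly flag", "severity": "low", "url": "/login", "param": "JSESSIONID", "evidence": "Set-Cookie"},
    {"category": "Missing HttpOnly flag", "severity": "low", "url": "/account", "param": "JSESSIONID", "evidence": "Set-Cookie"},
    {"category": "Sensitive information disclosure", "severity": "medium", "url": "/contact", "param": "-", "evidence": "webmaster@example.test"},
    {"category": "Sensitive information disclosure", "severity": "medium", "url": "/about", "param": "-", "evidence": "press@example.test"},
]

# Pages on which e-mail addresses are published on purpose (constructed policy).
PUBLIC_CONTACT_PAGES = {"/contact", "/about"}


def count_by_severity(findings):
    """Per-instance counts, i.e. the headline numbers a scanner prints."""
    return dict(Counter(f["severity"] for f in findings))


def collapse_by_category(findings):
    """One entry per root cause (category), keeping every affected location
    so the fix can be verified at each instance."""
    grouped = {}
    for f in findings:
        entry = grouped.setdefault(
            f["category"], {"severity": f["severity"], "instances": 0, "locations": []}
        )
        entry["instances"] += 1
        entry["locations"].append(f"{f['url']}?{f['param']}")
    for entry in grouped.values():
        entry["locations"].sort()
    return grouped


def likely_false_positive(f):
    """Constructed triage rule: an e-mail address on a page whose purpose is
    to publish it is not a disclosure. Anything else stays actionable."""
    return (
        f["category"] == "Sensitive information disclosure"
        and "@" in f["evidence"]
        and f["url"] in PUBLIC_CONTACT_PAGES
    )


def triage(findings):
    """Split findings into actionable ones and ones queued for human review."""
    actionable = [f for f in findings if not likely_false_positive(f)]
    review = [f for f in findings if likely_false_positive(f)]
    return actionable, review


def summarize(findings):
    """Instance view versus root-cause view of the same report."""
    actionable, review = triage(findings)
    root_causes = collapse_by_category(findings)
    return {
        "instances_by_severity": count_by_severity(findings),
        "root_causes_by_severity": dict(Counter(e["severity"] for e in root_causes.values())),
        "actionable_root_causes": len(collapse_by_category(actionable)),
        "flagged_for_review": len(review),
    }


if __name__ == "__main__":
    print(summarize(RAW_FINDINGS))
```

On the constructed input the scanner's "4 high, 2 medium, 2 low" becomes two high-severity root causes, one low one, and two medium findings parked for review; the instance list is still kept per category because each location has to be re-tested after the fix.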

Re:Security expert point of view. (2)

rtb61 (674572) | more than 5 years ago | (#27916325)

In this case step 1 of the security assessment, does it need to be connected to the internet, 'NO', then don't connect it. Step 2 risk assessment, just because web apps and the internet are the cheapest way of doing things, is it appropriate where thousands of peoples lives are at risk 'NO', then don't do it as a web app, spend the extra money or eventually the laws will change and you will go to jail for killing people just to save a few bucks.

Re:Security expert point of view. (1)

Zapotek (1032314) | more than 5 years ago | (#27916539)

I'm with you 100%.
Mission critical systems should not be accessible to the outside world.
If you really want to remote control it write your own client/server or whitelist IP addresses, add encryption or just use a VPN.
Scratch that...do all of the above!
I mean which net architect/admin can't set up a simple VPN? That's what they were designed for...that's what they're good at.
You can pick up any CCNA (yes I know I'm kinda advertising here, I don't care) student and he'll do it for you...

Yeah I know if you use a VPN even with the current state of their system the vulns will still be there and I know that no-one likes security through obscurity but access would be limited to the staff anyways and it'd at least be easier to track down the intruder...
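The "whitelist IP addresses" option from the post above, as an added example that is not from this thread or from any FAA deployment. It assumes a constructed VPN address pool, an office range and a single reverse proxy; the point it adds is the caveat a practitioner needs: a client-supplied X-Forwarded-For header is only trustworthy when the TCP peer is a proxy you operate, otherwise the allowlist is bypassed by anyone who sets the header.

```python
import ipaddress

# Constructed policy: the staff VPN pool and one office range may reach the app.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("10.8.0.0/24"),   # VPN address pool (constructed)
    ipaddress.ip_network("192.0.2.0/24"),  # office range (documentation prefix)
]

# Only this reverse proxy may assert a client address via X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network("10.8.1.10/32")]  # constructed


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def effective_client_ip(remote_addr, headers):
    """Return the address to authorize.

    X-Forwarded-For is attacker-controlled unless the TCP peer is a proxy we
    operate, so it is honoured only then, and only its last hop (the entry the
    trusted proxy itself appended)."""
    peer = ipaddress.ip_address(remote_addr)
    xff = headers.get("X-Forwarded-For")
    if xff and _in_any(peer, TRUSTED_PROXIES):
        try:
            return ipaddress.ip_address(xff.split(",")[-1].strip())
        except ValueError:
            return peer  # malformed header: fall back to the peer address
    return peer


def is_allowed(remote_addr, headers=None):
    """Allowlist decision; any unparseable address is denied."""
    headers = headers or {}
    try:
        client = effective_client_ip(remote_addr, headers)
    except ValueError:
        return False
    return _in_any(client, ALLOWED_NETWORKS)


if __name__ == "__main__":
    # Constructed requests: direct VPN client, outside host, spoofed header.
    print(is_allowed("10.8.0.5"))
    print(is_allowed("203.0.113.9"))
    print(is_allowed("203.0.113.9", {"X-Forwarded-For": "10.8.0.5"}))
```

The check sits in front of authentication, not instead of it: it narrows who can even reach the login page, which is what the VPN suggestion in the post amounts to.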

This felt like a rant...I didn't plan for my reply to sound like that, excuse me.

Re:Security expert point of view. (3, Informative)

Anonymous Coward | more than 5 years ago | (#27916693)

As a pilot I've had to interact with a lot of the FAA's web presence. Much of this seems to stem from convenience and cost cutting around flight planning.

Currently, the FAA operates a telnet based Direct User Access Terminal, which provides flight planning information (both weather and wind/time calculations) and the ability to file a flight plan over the internet. That system is used by any number of sites to put a pretty face on it and make it more user friendly. In short, a pilot could plan a flight and file a flight plan all from the comfort of his armchair, and not have to call a Flight Service Station.

It's convenient, but as the parent posters said, also introduces a major vulnerability.

In addition, the FAA has moved Airman certification over to a web-based client that, frankly, is a total disaster. When it first went online, it would ONLY work with IE 6 on Windows. It was totally nonfunctional outside that little segment of the population. It's been upgraded recently, so it's slightly less irritating. It still loses applications, which forces applicants to recreate their application (a non-trivial process).

All in all, I've been happy with the FAA as a regulatory body. Their IT division, however, has to get their act together.

You've hit on the question I had right away (1)

sean.peters (568334) | more than 5 years ago | (#27926345)

does it need to be connected to the internet, 'NO', then don't connect it.

This is the question I'm really interested in... are the machines in question (particularly those actually involved in ATC) connected to the internet? If the machines can be hit from the internet, this is a giant problem. But if you have to start with physical access to the network because it's physically isolated from the larger internet, that's not nearly as bad. You still have to worry about an "inside job", but that's a lot less likely than an attack from outside. TFA didn't make it clear whether the auditors hit the machines from the internet, or started with access to the actual network in question.

Re:Security expert point of view. (0)

Anonymous Coward | more than 5 years ago | (#27918967)

I'm hoping they did nothing as stupid and close-minded as testing the web apps exclusively from outside. A security audit means almost nothing if they didn't take a look at the code, at the data storage solutions, the internal logic, scalability, cryptography etc. One XSS found on 3800 pages is bad, but trivial compared to, say, a privileged account using 'bofh' as login and no password, to give a simplistic example.

Re:Security expert point of view. (1)

Lord Ender (156273) | more than 5 years ago | (#27921381)

The scanner used against you must not have been very good. The most common (and least expensive) vulnerability scanner, Nessus, only generates a very small minority of false-positive results.

automated false positives in FAA report (1)

viralMeme (1461143) | more than 5 years ago | (#27921769)

"I set up a logger on my website and asked a big security firm to demo their own automated web assessment tool on my website. I received a report of some hundreds of vulnerabilities. Needless to say not one of them was correct"

What was the name of this big security firm, the name of the web assessment tool and the name of your site? And how does this affect the validity or otherwise of the FAA report [dot.gov] ?

Re:Security expert point of view. (1)

wdmr (884924) | more than 5 years ago | (#27918039)

I am very familiar with White Hat. They use a combination of internally developed tools and real live thinking human beings really actively trying to exploit code and logic flaws in the environment.

In my experience, they are very sharp and very (exhaustively) comprehensive.

This is not a handful of "audit kiddies" who barely know how to install and run their tools let alone understand what those tools find.

Re:Security expert point of view. (1)

DNS-and-BIND (461968) | more than 5 years ago | (#27918831)

Yeah, I remember my old job...they hired Arthur Andersen to do some security testing...some guy in a nice suit arrived, ran Nessus against our network, PRINTED IT OUT, and gave it to the boss in a nice leather-bound book. And that was it.

Nessus circa 2001 was well-known for its many false positives and warnings, although there was useful information in there if you went through it.

the average ISP has better security (1)

viralMeme (1461143) | more than 5 years ago | (#27922039)

"As a security engineer (CISSP & CSSLP) with several years of experience in C&A and pen testing, I must say that the results aren't a surprise by any means"

Any 'security engineer' who is responsible for such a system should be fired and face criminal charges. The average ISP has better security.

PDF Report (5, Funny)

InsertWittyNameHere (1438813) | more than 5 years ago | (#27915835)

The PDF report itself tests for the 3801st vulnerability.

You don't say? (4, Insightful)

schon (31600) | more than 5 years ago | (#27915885)

Jeremiah Grossman, CTO of WhiteHat Security, says the rate is actually in line with the average number of bugs his security firm finds in most Web applications.

Oh, well that makes it OK then.

After all, when a Chinese or Russian hacker out to prove a point wreaks havoc by exploiting one of these, they can always just say "Don't worry, we're no worse than blogger.com!"

Re:You don't say? (1)

Lord Ender (156273) | more than 5 years ago | (#27921611)

I have never seen a company with a security department large enough to realistically keep the number of publicly-discoverable/exploitable vulnerabilities in a network to near zero. Most companies have just enough IT security staff to fill checkboxes on some auditor's clipboard. Companies with relatively "good" security may have enough staff to actually address the most severe and easily exploited problems with their networks. In such a "good" company, any hacker who wants to break in to that company will be able to do so; the security efforts only keep "drive-by" style attackers at bay.

Anybody running life-critical systems, like the FAA, must have IT security far far in excess of the "standard" levels in the private sector. They should have enough security staff that no in-house or custom code ever sees production without white and black-box vulnerability testing. They should have enough to analyze and look for anomalies in every network and authentication log. They should have enough to have penetration tests going on 24/7. And they should have enough security staff to investigate every detection picked up by the pen-testers and routine scanning.

Comparing such organizations as the FAA to the averages for industry just doesn't cut it.
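One of the staffing items listed above, looking for anomalies in every authentication log, as an added example that is not from this thread or any FAA system. It parses constructed sshd-style syslog lines (hostnames, users and addresses are all made up) and raises two kinds of finding a reviewer would want: a burst of failed logins from one source inside a short window, and the more important one, a successful login from a source that was bursting failures moments earlier, which is what a guessed password looks like in the log:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style log lines (syslog format, no year); not from any real host.
SAMPLE_LOG = """\
May 13 10:00:01 atc-gw sshd[4121]: Failed password for admin from 203.0.113.7 port 51022 ssh2
May 13 10:00:03 atc-gw sshd[4121]: Failed password for admin from 203.0.113.7 port 51023 ssh2
May 13 10:00:04 atc-gw sshd[4121]: Failed password for invalid user oracle from 203.0.113.7 port 51024 ssh2
May 13 10:00:06 atc-gw sshd[4121]: Failed password for admin from 203.0.113.7 port 51025 ssh2
May 13 10:00:09 atc-gw sshd[4121]: Failed password for admin from 203.0.113.7 port 51026 ssh2
May 13 10:00:11 atc-gw sshd[4121]: Accepted password for admin from 203.0.113.7 port 51027 ssh2
May 13 10:05:00 atc-gw sshd[4130]: Failed password for jsmith from 10.8.0.5 port 40001 ssh2
May 13 10:05:20 atc-gw sshd[4130]: Accepted password for jsmith from 10.8.0.5 port 40002 ssh2
May 13 10:07:00 atc-gw sshd[4140]: Accepted publickey for deploy from 10.8.0.9 port 40100 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_auth_log(text):
    """Turn matching lines into event dicts; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year-less stamp, fine for deltas
        events.append({"ts": ts, "result": m.group("result"),
                       "method": m.group("method"), "user": m.group("user"), "ip": m.group("ip")})
    return events


def failure_bursts(events, threshold=5, window=timedelta(minutes=2)):
    """Source IPs with at least `threshold` failed logins inside a sliding window.
    Returns {ip: largest burst size}."""
    by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            by_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:  # slide the window forward
                start += 1
            size = end - start + 1
            if size >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), size)
    return flagged


def success_after_failures(events, min_failures=5, window=timedelta(minutes=2)):
    """Accepted logins preceded, within `window`, by `min_failures` or more
    failures from the same source. Returns [(ip, user, prior_failures)]."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            failures[e["ip"]].append(e["ts"])
    hits = []
    for e in events:
        if e["result"] != "Accepted":
            continue
        prior = [t for t in failures[e["ip"]] if e["ts"] - window <= t <= e["ts"]]
        if len(prior) >= min_failures:
            hits.append((e["ip"], e["user"], len(prior)))
    return hits


if __name__ == "__main__":
    evts = parse_auth_log(SAMPLE_LOG)
    print("bursts:", failure_bursts(evts))
    print("guessed-password candidates:", success_after_failures(evts))
```

A single failed attempt followed by success (the jsmith lines) is normal user behaviour and is not reported; thresholds and window are parameters so they can be tuned against a site's own baseline rather than hard-coded.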

Ineptitude confirmed. (1)

s-whs (959229) | more than 5 years ago | (#27915893)

"And the FAA's Air Traffic Organization, which heads up ATC operations, received more than 800 security incident alerts in fiscal 2008, but still had not fixed 17 percent of the flaws that caused them, 'including critical incidents in which hackers may have taken over control of ATO computers,' the report says. ... While the number of serious flaws in the FAA's apps appears to be staggering, Jeremiah Grossman, CTO of WhiteHat Security, says the rate is actually in line with the average number of bugs his security firm finds in most Web applications. ..."

As someone else mentioned and as I implied in my response about their obvious ineptitude in the previous slashdot story: Why are critical systems directly available through the web?

Using Windows? Sheesh, if they were serious about security at least install something like OpenBSD, or perhaps even OpenVMS.

It all fits though with their inability to see their own flaws because of a general 'we are superior' attitude that's present in most areas connected with air-travel.

For Dutch readers, webpages on this and more on the subject of behaviour of people (in Dutch organisations such as Schiphol, NLR, LVNL, and areas of the government that deal with air traffic) see:

http://www.xs4all.nl/~swhs/kritiek/schiphol/index.html [xs4all.nl]

Programming (3, Interesting)

icepick72 (834363) | more than 5 years ago | (#27916019)

Who builds the FAA web apps?

Re:Programming (4, Insightful)

xanadu-xtroot.com (450073) | more than 5 years ago | (#27916291)

Who builds the FAA web apps?

The lowest bidder, of course!

Re:Programming (1)

Zapotek (1032314) | more than 5 years ago | (#27916557)

Unfortunately this sounds about right...

Re:Programming (1)

teridon (139550) | more than 5 years ago | (#27919537)

The lowest bidder, of course!

This is a myth about government contracts. While cost is of course a major factor in government bids, they are also required to take into account factors like service, company reputation, and proven technical ability to do the job at the cost quoted.

Of course, there is also the good-ole boy factor...

Mod parent up (1)

sean.peters (568334) | more than 5 years ago | (#27926423)

I work for a defense contractor, and in every contract where I've been a part of the bidding process, yes, cost is a factor... but it's explicitly the least important factor. It comes in behind past performance, demonstrated ability to do the work, etc. I'm not sure how the government selected contractors in the past, but these days, cost is only part of the answer, and not necessarily the biggest part.

Re:Programming (1)

JazzLad (935151) | more than 5 years ago | (#27949309)

Fortunately the Bush Administration used no-bid contracts. -1 Troll & +1 Insightful

They were KIDDING!!! (0)

Anonymous Coward | more than 5 years ago | (#27916167)

You didn't REALLY think Bush was serious about making America secure, did you?

It was all a joke! That's what the TSA "security performance theatre" is all about!

Tell me you weren't laughing when they ACTUALLY made you take off your shoes?

A CIP Device (1)

doroshjt (1044472) | more than 5 years ago | (#27916229)

I would just build a CIP device to give access to all our nation's infrastructure via a hardware interface. As long as Sengala doesn't screw with it, we should all be fine.

I love these hard-hitting reports (2, Interesting)

e9th (652576) | more than 5 years ago | (#27916575)

FTFR:

35 Internet-based or public use web applications were tested. On those web based applications 212 high risk, 169 medium risk, and 1,037 low risk vulnerabilities were found.

What apps? What vulns?
Surely they've all been fixed/replaced by now (if not, why not?), so why not let the rest of us know what was discovered?

It's not just the systems, it's the people (1)

chckn.grg (1549777) | more than 5 years ago | (#27916793)

Does that make you feel unsafe? How about the fact that all the guys hired after Reagan fired the ATCs for striking are retiring en masse right now? I guess the bright side is when the new guys show up, they'll raise hell about the Rube Goldberg computer system in operation now. "Hey, I can write an iPhone app that would do a better job than this old PASCAL program ..."

Re:It's not just the systems, it's the people (0)

Anonymous Coward | more than 5 years ago | (#27917049)

I guess the firemen and cops should all strike too. Fucking blame Reagan. You're an asshat

Please try to remember... (1)

tychovi (1221054) | more than 5 years ago | (#27916817)

it is Air Traffic Control. They need those big gaping holes so they can fit the planes into the tubes...

First question (5, Insightful)

slapout (93640) | more than 5 years ago | (#27916843)

Why does the FAA have web based air traffic control applications?!

Re:First question (0)

Anonymous Coward | more than 5 years ago | (#27917003)

Good question. Since the FAA is full of old equipment, it takes a lot of work to get data to the correct place, i.e. airport, planes, air traffic controller. I thought they were slowly moving into more of a web services model, although I thought it was supposed to operate on a secure network designed for the FAA only. They're just starting to make the transition, so it might have holes for now. I'm sort of surprised there are that many holes, actually, since they make us go through some extraordinary lengths to secure our system, even though it's not even connected to the net.

Re:First question (-1, Flamebait)

ceoyoyo (59147) | more than 5 years ago | (#27917323)

Yeah, that's what got my attention. One more reason not to fly to the US.

Re:First question (0)

Anonymous Coward | more than 5 years ago | (#27918741)

cuz their kewl

Re:First question (1)

EddyPearson (901263) | more than 5 years ago | (#27919111)

Insightful?

So as to keep hardware costs down, make the systems easily scalable, and speed up development and upgrade timescales?

Re:First question (1)

wvmarle (1070040) | more than 5 years ago | (#27919183)

Web based can be easy to develop UI wise, and flexible client wise (no need to install client software, easy maintenance of the software server side only).

The big question to me would be: how can a hacker get access to flight control in the first place? There is no need for those computers to be exposed to the Internet - and definitely not for those web servers to talk to anyone outside their own subnet. I do assume at least we're not talking about hackers that have gained physical access as then there is much more to worry about than just some software vulnerabilities.

Re:First question (1)

lewko (195646) | more than 5 years ago | (#27919735)

Because a manager wanted it to run on his iPhone.

Re:First question (1)

ryturner (87582) | more than 5 years ago | (#27921903)

Why does the FAA have web based air traffic control applications?!

It makes it easier to file a flight plan. Instead of calling up a flight service station on the phone and going through the error prone process of giving them my flight plan, I can do it online. I find it to be easier and the government likes it because it is cheaper.

Different Article; Same Report (4, Informative)

Rary (566291) | more than 5 years ago | (#27917195)

Sounds vaguely familiar [slashdot.org] ...

Note that, although this is not a good thing, we're not actually talking about the ATC system here. We're talking about administrative web applications that employees can access from home, web sites that provide information about air traffic services to employees and to the public, power monitoring applications, things like that. Some are pretty serious, but most are not that serious. And none of them are the ATC system itself.

3799 were cross-site scripting (0)

Anonymous Coward | more than 5 years ago | (#27917527)

At least that's what happens in every automated security scanner audit I've seen. Of course, that CSS report often doesn't reflect that the input was accepted but cleaned (rendering it harmless) by the webapp, or that the CSS content is only shown back to the user who inputs it... ooo, you can hack yourself! Or the best one: the input is supplied by an authenticated user in an otherwise secure environment, meaning the bigger issue would be that an authenticated user's account was hacked and used to insert CSS attacks. The horse is already out of the barn... but let's close the barn door...

I'm sure #3800 was "app server supports TRACE method" or "web server reports server version in response". Both incredibly dangerous, enough so to keep app security auditors in business until they think up other low-risk things to report on.
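The triage the comment above is complaining about is mechanical enough to script. Below is an added example (not code from the page, the FAA audit, or any scanner vendor) that takes captured raw HTTP responses and separates a reflected canary that came back HTML-encoded from one that kept its markup characters, checks whether TRACE is really live rather than merely listed, and records a Server version banner as informational. The canary markers zq9x/xq9z, the helper names and the sample responses are this example's own assumptions; the responses are constructed, not captured from any real system.

```python
"""Triage helper for scanner noise: reflected-XSS hits that were actually encoded,
TRACE being "supported", and Server-header version disclosure.

Added example, not from the page or the FAA audit. It works on captured raw HTTP
responses (constructed below), so it runs offline; the canary markers zq9x/xq9z and
the sample responses are this example's own assumptions.
"""
import re

# Canary: the characters an XSS payload needs, wrapped in markers we can find again
# even after the server encodes the middle.
PREFIX, SUFFIX = "zq9x", "xq9z"
CANARY = PREFIX + "<'\">" + SUFFIX
_CANARY_RE = re.compile(re.escape(PREFIX) + "(.*?)" + re.escape(SUFFIX), re.S)


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_code, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("utf-8", "replace")


def in_tag(body: str, idx: int) -> bool:
    """Rough context check: idx is inside a tag if the last '<' before it is unclosed."""
    return body.rfind("<", 0, idx) > body.rfind(">", 0, idx)


def triage_xss(body: str):
    """Classify a reflected canary as (severity, reason).

    Only a reflection that keeps the dangerous characters for its context is a
    finding; an encoded echo is what the scanner's regex matched, not a vulnerability.
    """
    verdict = ("none", "canary not reflected")
    for m in _CANARY_RE.finditer(body):
        middle = m.group(1)
        if "<" in middle or ">" in middle:
            return ("high", "markup characters reflected unescaped")
        if in_tag(body, m.start()) and ('"' in middle or "'" in middle):
            # Overapproximates: a raw ' inside a "-quoted attribute is harmless,
            # but that is the reviewer's call, not the regex's.
            return ("high", "quote reflected unescaped inside a tag")
        verdict = ("info", "canary reflected but encoded for its context")
    return verdict


def trace_enabled(raw: bytes) -> bool:
    """TRACE is really on only if the server echoed the request with a 200,
    not merely because a scanner saw it listed in an Allow header."""
    status, _, body = parse_response(raw)
    return status == 200 and body.startswith("TRACE ")


def server_disclosure(headers: dict):
    """Version string in Server, if any: worth recording, never worth a 'high'."""
    banner = headers.get("server", "")
    return banner if re.search(r"\d", banner) else None


# Constructed sample responses (assumptions for this example, not captured traffic).
ESCAPED = (b"HTTP/1.1 200 OK\r\nServer: Apache/2.2.3\r\nContent-Type: text/html\r\n\r\n"
           b"<p>Results for zq9x&lt;&#x27;&quot;&gt;xq9z</p>")
RAW_IN_ATTR = (b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n"
               b"<input name=q value=\"zq9x<'\">xq9z\">")
TRACE_ON = (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
            b"TRACE / HTTP/1.1\r\nHost: app.example\r\n\r\n")
TRACE_OFF = b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD, POST\r\n\r\n"


if __name__ == "__main__":
    for label, raw in (("escaped", ESCAPED), ("raw_in_attr", RAW_IN_ATTR)):
        status, headers, body = parse_response(raw)
        print(label, status, triage_xss(body), "server:", server_disclosure(headers))
    print("TRACE_ON", trace_enabled(TRACE_ON), "TRACE_OFF", trace_enabled(TRACE_OFF))
```

The point of the context check is the one the comment makes: the same encoded echo is noise in text content and still noise inside an attribute, while a raw quote only matters when it lands inside a tag. The heuristic errs toward flagging, so a human still looks at every "high", but the "info" bucket is what stops 3,799 regex matches being counted as 3,799 vulnerabilities.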

Figures... (0)

Anonymous Coward | more than 5 years ago | (#27917861)

It amazes me, some people's ignorance towards security.

Einstein - "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."

obligatory (1)

Incoherent07 (695470) | more than 5 years ago | (#27918791)

Scan Complete!

423,827
Viruses Found!

A New Record!!

"Waaugh! That is not a small number!! That is a big number!!! What'm I gonna do?!"

Aiding and abetting (1)

Milskin (1027078) | more than 5 years ago | (#27919211)

Newsworthy? Yes. Should it be reportable? No. One of the biggest problems in reporting stories like this is the fact that the information is now OUT THERE. FFS, it's pretty dumb to put this information in the public press. "Hey! Terrorists! You want to know where our vulnerabilities are!? We've just finished the report, so here you go!" I don't believe in censoring press... but doesn't common sense kick in at some point? Fix the vulnerabilities FIRST!!!

Right... (0)

Anonymous Coward | more than 5 years ago | (#27919891)

So, when they say this isn't out of the ordinary, what they mean is "it's got more holes than Swiss cheese, but that's OK, because *everything*'s got more holes than Swiss cheese"?

Thanks for putting that into perspective, guys. I'm feeling much safer already. :)

Bad Policy (0)

Anonymous Coward | more than 5 years ago | (#27921265)

Some vulnerabilities have been known for years.

No enforcement of basic IT security.

Connecting ATC systems to non-ATC networks.

Allowing access to the FAA WAN by foreign nationals.

Allowing unlimited vpn access to FAA networks.

Organizations that simply don't comply with security policies.

hackers took over FAA computers in Alaska (1)

rs232 (849320) | more than 5 years ago | (#27921593)

How did they manage to not once mention what operating system these 'computers' run on?

In FY 2008, hackers took over FAA computers in Alaska, becoming FAA "insiders." By taking advantage of FAA's interconnected networks, hackers later stole FAA's enterprise administrator's password in Oklahoma, installed malicious codes [dot.gov] with the stolen password, and compromised FAA's domain controller in its Western Pacific Region. At that point, hackers had the ability to obtain more than 40,000 FAA user IDs, passwords, and other information used to control a portion of the FAA mission-support network

I just hope Obama steps in! (1)

hesaigo999ca (786966) | more than 5 years ago | (#27924777)

I would love for Obama to step it up a notch and force these guys to adopt better policies for their ATC units.

This is surprising? (1)

rgviza (1303161) | more than 5 years ago | (#27927401)

I'm the last person to defend a federal agency, but if you run any large application through something like Fortify this will happen and this is 70 applications being tested for the first time.

High and medium vulns need to be addressed very quickly, and there were 1267 of those. Of those, 381 were on public-facing systems. The remainder were "low", which are often things like "your server appears to be running Apache", or on internal systems, which, while bad, is not as bad as stuff in your DMZ.

This headline is just a wee bit sensationalist.

7.63 highs per web app is not bad for the first run through, it's 100% average. Some of the apps are probably 10 years old to boot.

I don't care how good you think you are, I'll find something if I test your app. Getting your stuff tested, coming to terms with this and fixing it is *what is supposed to happen*. The fact that there are vulnerabilities on an untested app is like saying there's water in the ocean, and is almost as surprising.

I come from a code security background, and what the testers found is about as surprising as the sun coming up.

I think the *real* issue, and the one people should be fired over, is why did they wait 'til now to start pen-testing them and looking for code security issues?

Boggles the mind...

Realistically they need to be doing this once per quarter. I guarantee you they'll find something every time they test.

-Viz
