Forgot your password?
typodupeerror
Security Technology

FAA Network Hacked 110

Posted by CmdrTaco
from the in-good-company dept.
coondoggie writes "The Federal Aviation Administration has joined the growing list of government agencies that have had their supposedly safe systems hacked. The agency this week notified about 45,000 employees that one of its servers was hacked into and employee personal identity information was stolen. The FAA was quick to say the server that was accessed was not connected to the operation of the air traffic control system or any other FAA operational system. It did say two of the 48 files on the breached computer server contained personal information about more than 45,000 FAA employees and retirees who were on the FAA's rolls as of the first week of February 2006."
This discussion has been archived. No new comments can be posted.

FAA Network Hacked

Comments Filter:
  • Uhh Ohh! (Score:5, Funny)

    by Anonymous Coward on Wednesday February 11, 2009 @10:37AM (#26812161)

    Hope they find that CIP device soon!

  • 24? (Score:1, Offtopic)

    by soconn (1466967)
    Arghhh... Call Jack Bauer!!!!
  • Oh noes! (Score:3, Funny)

    by Anonymous Coward on Wednesday February 11, 2009 @10:40AM (#26812213)

    Has the CIP device been recovered yet? Should we call in Jack Bauer?

  • by Oswald (235719) on Wednesday February 11, 2009 @10:49AM (#26812329)
    ...but they have said nothing to me or my wife or any of the other dozen people I know who are blissfully retired from that shit hole. Typical.
    • by timeOday (582209)
      Blissfully retired, no kidding. Air traffic controllers retire with full pay after only 25 years, don't they? It's like a military pension without having to move every 3 years and risk getting shot.
      • by Oswald (235719)
        It's 20 years at age 50 or 25 at any age. I was only 23 when I hired on, so for me it was 25.0000000 years.
        • by Em Emalb (452530)

          Interesting to me that you call it a "shit hole" and still spent 25 years employed there.

          Was it always a "shit hole" or has it declined over the years?

          Here in DC they're running all kinds of negative "campaign" ads regarding the FAA and their treatment of the ATC union.

          I imagine both sides are responsible, as usual, but all I'm hearing is the traffic controllers side.

          The latest one consists of "The government is running ATC like a Wall Street company. WTH does that even mean?

          • by Oswald (235719) on Wednesday February 11, 2009 @11:26AM (#26812961)

            I think it's supposed to mean that the FAA is being run like a profit-seeking enterprise when its job is to make sure that actual profit-seeking enterprises (i.e. the airlines) have a safe environment to work in (and that they don't pinch so many pennies trying to eke out a profit that safety suffers). The union, in their usual drama-queen fashion, is trying to say that the FAA is being run on a shoestring by people who think it's their job to blow happy smoke up Congress's collective ass rather than tell them the truth.

            As for your first question, the place went from high-intensity, challenging, and interesting to flat-out miserable over the course of my career due to gross mismanagement by the government and the greed of controllers. I have never been so excited to start something as I was my ATC career, and never so happy to see something end (well, maybe my first marriage). I stayed for the retirement package.

            • by Em Emalb (452530)

              Yeah, I've heard that in the past that the job used to be pretty fun but has slowly morphed into "just another government job" over the years.

              Kudos to you though, for finding a field where you can actually spend 25 years employed by the same "company" and not get surplussed, fired, or let go. It's really rare these days.

              Christ, slashdot, you suck with this 2 minute posting shit. Seriously, LAME. No wonder I haven't posted here in a long time. I'd forgotten how retarded some of this stuff can be.

              • Kudos to you though, for finding a field where you can actually spend 25 years employed by the same "company" and not get surplussed, fired, or let go.

                Stagnation is a desirable job characteristic? If your attitude is prevalent, it's no wonder the economy is fucked.

                • Stagnation is a desirable job characteristic?

                  Who said that longevity means stagnation? If your attitude is prevalent, we're all screwed.

          • Yes, because everyone who works at a shithole job is capable of changing in a flash, uprooting the kids from school, moving to a new city where the weather is uncomfortable, and finding a new, good job elsewhere. A lot of people work shithole jobs, because the alternatives are even worse. I've even had a few myself.
            • by Em Emalb (452530)

              I make a simple statement, in this case "Interesting to me that you call it a "shit hole" and still spent 25 years employed there." and then followed it up with a question: "Was it always a "shit hole" or has it declined over the years?"

              But rather than see that, you instantly go for the knee-jerk (surprised you didn't hit your face with your knee) reaction which is to assume something and then go off on it.

              Anyway, sorry your work-life has sucked in the past. Hope it doesn't now.

  • by captainpanic (1173915) on Wednesday February 11, 2009 @10:49AM (#26812331)

    I'm assuming that the operation of the air traffic control system is not connected to the internet in ANY way at all?

    Some questions:
    1. Is being offline a guarantee for not being hacked? (How else than through the cable / wifi can you hack into a network)?
    2. Is the FAA indeed offline?

    • Well someone who really wanted to could physically enter the building and either set up their own wireless access point or use some other setup to allow themselves to acess the network.

      • Well... that's then my question:
        Does such a network use the same plugs, and systems so that anyone who actually is able to break into the building can also access the network?
        Are such important networks using wifi, or normal utp cable networks, so that anyone who can break in can access the network? (I'm ignoring the whole encryption here, just wondering if it's physically possible to even send one byte of data to such a network without having to use a megaton EMP device)?

        I mean, breaking into a building is

        • by eln (21727)

          If you can gain physical access, network security is essentially meaningless. I would hope FAA air traffic control facilities have more security than a simple key and lock.

          • wait so if any point on a network is insecure, everything on the network is unsafe?
            And nobody ever developed a protocol to allow two known safe computer to connect over such an unsafe network?

        • What I was more refering to was.

          1:
          You walk in the front door into the guest/public area.
          Lean down and plug something into a network port which acts as a wireless repeater.
          Of course it would be stupid to have live network ports in the public areas.

          2:
          Bullshit your way into the office area one way or another.
          Do the same.

          3:
          Bullshit your way into the server room.
          At this point you have full physical access and the game is over.

        • Re: (Score:1, Informative)

          by Anonymous Coward

          A couple of things.

          The FAA has been in a broad transition to becoming more secure. This is mainly pointed at the administration network, as ATC and all operations run on an internal network that in no way touches the outside world.

          Some things that have happened and are happening on the admin network.

          -Wirless intrusion detection (complete, alarms go off if any new wireless devices are detected)
          -Network access control (will be completed soon, anything that is not registered will not touch the network)
          -Encryp

      • Physical Access to ATC facilities is tightly regulated, unless an employee set up the access point or allowed it to be set up this is very unlikely. Also, the FAA does periodically sweep facilities for wireless devices. That said the FAA administrative LANs are connected to the internet through various firewalls and proxy servers, so with some ingenuity and time someone could gain access. The real question is, what is the FAA going to do about the breech of their employees privacy and security?
    • Re: (Score:2, Informative)

      by cyberprophet (1411663)
      The FAA Air Traffic equipment is never connected to any of the administrative LANs, in fact by policy any computer that is going to be connected to operational equipment is not supposed to be used on a public network.
    • 80% of all security incidents are Insider Threat.

      I assume most of those numbers are users deleting files, and bringing in virus infected media from home, but still its something to think about.

      What protects your data from authorized users already inside your perimeter?

      Being off-the-grid reduces drive by attacks from worms, but not dedicated attackers, or insiders.

    • by pasv (755179)
      It doesn't matter I'm afraid. The system is compromised because the people operating it are. The reason for this is simple, every piece of identifying information on those employees is leaked... Imagine what a decent social engineer could do with this information. Hell, with that information you wouldn't even need much talent to control the aviation systems. It's probably more stupid to attack this system from the network/computer vector because it's the most likely to be targeted.
    • by Greyfox (87712) on Wednesday February 11, 2009 @02:45PM (#26816441) Homepage Journal
      The FAA network security is enforced through obscurity. To successfully hack it you have to be a retired COBOL programmer.
  • Someone should ask the FAA how they managed to get an entire network (see: article title) onto one server (see: article summary). Was it a server, or a single work station? A server can dispense data, but dispensing data does not make it a server. Servers tend to act as the dispenser for data bearing machines, no?

    What's the matter, wouldn't an article that said "One FAA Computer Hacked - Employee Data Stolen" be sexy enough? Probably not. The title as is misleads people into wondering if the ATC network was

    • by causality (777677)

      Someone should ask the FAA how they managed to get an entire network (see: article title) onto one server (see: article summary). Was it a server, or a single work station? A server can dispense data, but dispensing data does not make it a server. Servers tend to act as the dispenser for data bearing machines, no?

      What's the matter, wouldn't an article that said "One FAA Computer Hacked - Employee Data Stolen" be sexy enough? Probably not. The title as is misleads people into wondering if the ATC network was implicated.

      If you own or administer the equipment in question, you'd have to assume that an attacker getting into the server is the same thing as an attacker getting into the network until proven otherwise. That's for the simple reasons that the attacker has already proven their ability to compromise at least one of your systems and that server can now be used as a platform to attack any other machine with which that server can communicate (i.e. that network). Incidentally, am I the only one who still says "proven"?

      • by anss123 (985305)

        I don't know anything about the FAA or their systems but this is simply common sense. Any administrator who doesn't understand this should not be trusted with such important networks.

        You cannot rule out the cost factor. It's for instance not economically feasible to link up all power stations to a separate secure network, so they use the internet.

        Facing the Internet is not necessarily insecure. It is possible to make 100% hack proof computers - not counting DOS and physical attacks. Similarly, a secure network can still be compromised so that is not always the best way for securing networked computers.

        • by causality (777677)

          I don't know anything about the FAA or their systems but this is simply common sense. Any administrator who doesn't understand this should not be trusted with such important networks.

          You cannot rule out the cost factor. It's for instance not economically feasible to link up all power stations to a separate secure network, so they use the internet. Facing the Internet is not necessarily insecure. It is possible to make 100% hack proof computers - not counting DOS and physical attacks. Similarly, a secure network can still be compromised so that is not always the best way for securing networked computers.

          That's a rather verbose way of saying that my statements are intentionally general and therefore might not describe every possible specific application. I hope we already knew that.

          By the way, you quoted me slightly out of context because you left out the one previous sentence that addressed your concern. This is the full block of text:

          This is about what you would expect because such critical systems should not be Internet-accessible unless there were some incredibly strong overruling need for it that

          • by anss123 (985305)

            This is about what you would expect because such critical systems should not be Internet-accessible unless there were some incredibly strong overruling need for it that could not be addressed any other way.

            (Emphasis mine). In my example there is "another way", even so they use the internet. If you had just said "critical systems should not be Internet-accessible unless it's impractical" I would have understood you better.

            • by causality (777677)

              This is about what you would expect because such critical systems should not be Internet-accessible unless there were some incredibly strong overruling need for it that could not be addressed any other way.

              (Emphasis mine). In my example there is "another way", even so they use the internet. If you had just said "critical systems should not be Internet-accessible unless it's impractical" I would have understood you better.

              That's a funny thing that happens to me from time to time. For a moment it will appear that there is a disagreement or a debate and then I'll find that the other person and I were actually saying (more or less) the same thing, just in different ways or from different perspectives. That most often happens when the other person and I are both knowledgable about the subject. I appreciate you taking the time to clear that up for me :-).

        • by causality (777677)
          I did have one other response to you, for what it's worth. At first, you may think this is just semantics but I hope you don't feel that way after you read my full response.

          Facing the Internet is not necessarily insecure. It is possible to make 100% hack proof computers - not counting DOS and physical attacks.

          I think we'll have to agree to disagree on this part. The whole problem is that you'd never be able to actually prove that a computer is 100% secure (no one has found a way to do that), only that it

          • by anss123 (985305)
            A system can indeed be "100% hack proof" from attacks originating from the Internet. The problem with desktop systems, servers, etc, is complexity. Get that complexity down to manageable levels and you can have your hack proof system.

            For a system, for instance, that just reports power usage over the Internet the complexity is at so a low level that it's possible to validate all possible inputs and outputs. The biggest complexity in this example is actually the TCP/IP protocol.

            Ultimately, what you can accomplish is a system that is secure enough that the effort required to break into it far exceeds any value that would be gained by doing so. The rest is damage control.

            In theory everything is hack

  • Whatever (Score:3, Interesting)

    by SatanicPuppy (611928) * <Satanicpuppy&gmail,com> on Wednesday February 11, 2009 @10:56AM (#26812425) Journal

    We know the air traffic control computers weren't hacked...There hardly are any, which is in itself a problem.

    But being sloppy with data is a bad sign in any organization. If you can't keep your secure data secure, then what other important things are you also letting slide?

  • by bleh-of-the-huns (17740) on Wednesday February 11, 2009 @10:57AM (#26812443)

    Of which the FAA is apart of, I can say, with absolute certainty, that like every other major entity, there are literally dozens and dozens of systems that are in no way connected to the ATC, or any other network for that matter. Yes they are networked, but so is every desktop and every camera, that does not mean they are not well isolated and secure from each other.

    FAA has well over 10k hosts (desktops, servers, etc etc), its unfortunate, but expected that many of those hosts are probably vulnerable to something. But at the same time, critical systems (ATC for example), are generally isolated from the basic FAA backbone, and on a closed network.

  • Not found (Score:4, Funny)

    by UnixUnix (1149659) on Wednesday February 11, 2009 @11:01AM (#26812511) Homepage
    Windows cannot find Control Tower. Hit any key to continue.
    • Re: (Score:3, Interesting)

      by causality (777677)

      Windows cannot find Control Tower. Hit any key to continue.

      "Where's the 'any' key?" [bauer-power.net]

      Am I the only one who remembers the "ANY" stickers that were usually placed on the ENTER key and were specifically designed for (l)users who kept asking that question? When I first saw them, someone had to explain to me that yes it's a serious product, it's not a joke item or a gag gift. I think I looked at the world a bit differently after that.

      If I ever marvel at how even otherwise intelligent people sometimes shut down all common sense and ability to reason when they are

      • by tlhIngan (30335)

        Am I the only one who remembers the "ANY" stickers that were usually placed on the ENTER key and were specifically designed for (l)users who kept asking that question? When I first saw them, someone had to explain to me that yes it's a serious product, it's not a joke item or a gag gift. I think I looked at the world a bit differently after that.

        If I ever marvel at how even otherwise intelligent people sometimes shut down all common sense and ability to reason when they are in front of a computer, this is a

        • by causality (777677)

          Am I the only one who remembers the "ANY" stickers that were usually placed on the ENTER key and were specifically designed for (l)users who kept asking that question? When I first saw them, someone had to explain to me that yes it's a serious product, it's not a joke item or a gag gift. I think I looked at the world a bit differently after that.

          If I ever marvel at how even otherwise intelligent people sometimes shut down all common sense and ability to reason when they are in front of a computer, this is an example of what I'm talking about. That they wouldn't even consider whether "any" might be an adjective, or that the sentence should be written differently if it were intended to mean a key bearing the label of "ANY" just blows my mind.

          Well, you have to remember that computers also have buttons people have never seen before - especially on a keyboard. Think keys like "Ctrl", "Alt", "PrtSc", "SysRq", "NumLk", "ScrLk" and the like. It's entirely possible believe that "ANY" refers to some computer-y term rather than literally, any (and in most cases, any key won't work - keys like Shift, Ctrl, Alt, the locks, other modifiers (Windows, Menu, AltGr, Compose, blah blah blah) probably won't make the message go away). A slightly better wording might be "Press a key co continue". The literalists will probably type "a", the pedants will try the modifiers and complain, and the rest of us will hit space or something.

          I don't think you're appreciating how deep the lack of common sense really is.

          If what you're saying were the crux of the problem, then such a user might have this problem one time. It wouldn't take very long to exhaustively perform a visual search of the keyboard and conclude that there is no key labelled "ANY". At that point, this theory that the prompt refers to a specific key has been falsified and it's time to abandon it. Isn't that simple? The only possible remaining explanation is that "any" is

          • You're equating hard-won esoteric knowledge with common sense. Common sense as a concept is bankrupt - it doesn't exist in isolation, it is simply learned behavior which is not in any way universal. Dragging the term out derisively is a merely a rhetorical crutch.

            • by causality (777677)

              You're equating hard-won esoteric knowledge with common sense. Common sense as a concept is bankrupt - it doesn't exist in isolation, it is simply learned behavior which is not in any way universal. Dragging the term out derisively is a merely a rhetorical crutch.

              A basic process of elimination, which is the only specific instance of common sense that I mentioned, is "hard-won esoteric knowledge"? I just can't go along with that.

              I'm not really deriding anyone. I'm expecting better of them. There's a difference and it's a huge one. Derisive would amount to believing that they can't handle basic problem-solving because they are inferior to me; even when it appears to be humorous, derision always has this type of negative comparison as a core component. Instead,

          • Actually they call tech support and ask "where is the "any" key, I can't find it". I've had the joy of answering one or two of those calls.
          • by Ironica (124657)

            If what you're saying were the crux of the problem, then such a user might have this problem one time. It wouldn't take very long to exhaustively perform a visual search of the keyboard and conclude that there is no key labelled "ANY". At that point, this theory that the prompt refers to a specific key has been falsified and it's time to abandon it. Isn't that simple?

            If users' general experience with computers was that software and hardware were universally compatible and all computers had the same interface design, then it would be that simple. But what of the user who is told to use the right mouse button when he's on a Mac? Or to use the Windows key when his keyboard predates that invention? Or to use the number pad on a laptop?

            Users have, sadly, been trained to jump to the conclusion that, when the hardware or software doesn't perform according to their initial e

    • by MadKeithV (102058)
      Control Tower - Alt - Delete to log in.
    • Making a Blue Screen of Death a much more meaningful phrase...
  • by ZxCv (6138)

    If the readership and editors of /. can't seem to correctly grasp the difference between 'hacked' and 'cracked', how do we expect the mainstream press to ever come even close to getting it?

    • by ShinmaWa (449201) on Wednesday February 11, 2009 @02:10PM (#26815829)

      Oh get off your 133tist high-horse.

      You know, or should know at any rate, that language changes over time. The correct definition of a word is the one that people actually understand. Like it or not, when people say "hacked" in this context, people understand that it means "illicitly and illegally accessing a computer system". I understand that, everyone else understands that, and therefore -- like it or not -- it is now the definition of the word.

      When are YOU ever going to get that the definition has evolved and changed? YOU are the one clinging to a deprecated and archaic definition of the word that only a very small percentage of the population knows, and an even smaller percentage actually cares about.

      P.S. Same goes for "piracy".

      • by causality (777677)
        I should preface this by saying that I agree with you, and that if a person is going to expend energy trying to change the consensus view of something, there are far more worthy challenges than "hacker vs. cracker". What I will mention here is related to your point but does not directly address it; this is more of a side issue.

        You know, or should know at any rate, that language changes over time. The correct definition of a word is the one that people actually understand. Like it or not, when people say "h

    • by Macrat (638047)
      The movie "Hackers" had the wrong title?
  • Thanks Bill - enjoy your retirement.

  • by Anonymous Coward on Wednesday February 11, 2009 @11:39AM (#26813147)
    Dear Colleagues: I want to alert you that the Cyber Security Management Center identified some unusual activity from an FAA administrative server last week. An investigation revealed that the server was breached by a hacker. Most of the 48 breached files were test files used for application development. Two of these files contained names and social security numbers. One of them contained information on more than 45,000 employees and retirees who were on FAA rolls as of the first week of February 2006. Medical information from the hacked files was encrypted and not identifiable. We are moving swiftly to identify short-term and long-term measures â" procedural and technological â" to prevent such incidents from recurring. All current and former employees who are affected will receive a letter shortly alerting them to this event. In addition, we are posting information in the form of FAQs on the employee and public web sites, and we will update that information, via the web and other channels, should the investigation reveal more information. We also are setting up a toll-free hotline to answer employee calls related to this event. We will continue our efforts to further protect our computer security systems and will keep you informed as the investigation continues. Lynne Osmus Acting FAA Administrator
  • by yl_mra (809735)
    Another illustration of how safe our government made the internet by making it a major crime to hack our networks. It used to be that we could find our way into networks and heckle the administrators. By the rules of the game, we let the admins know what we did and how. That was fun :) and kept our networks secure. Now, it can land you in prison. With all of this safety, how many of you know of middle school kids that got caught hacking into 'secure' systems within the past 10 years? What will happen
  • I really should get off my butt and get those glasses/contacts like I keep saying I will. For a second there I thought some foreign entity discovered our method of raising young kids to be farmers and how to determine if your cow had been eating from onion patches by merely drinking the milk the cow produces.
    Vote for Pedro!
  • This is on the same day Microsoft announced you could take control of an Exchange server by sending an email to it? [slashdot.org]

  • Why would anyone want to hack FAAngband [angband.oook.cz] ?

"The value of marriage is not that adults produce children, but that children produce adults." -- Peter De Vries

Working...