Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security Transportation Encryption The Internet

Boeing's Poor Information Security Threatens Passenger Safety, National Security, Says Researcher (csoonline.com) 21

itwbennett writes: Security researcher Chris Kubecka has identified (and reported to Boeing and the Department of Homeland Security back in August) a number of security vulnerabilities in Boeing's networks, email system, and website. "[T]he company's failure to remedy the security failures she reported demonstrate either an unwillingness or inability to take responsibility for their information security," writes JM Porup for CSO online.

The vulnerabilities include a publicly exposed test developer network, a lack of encryption on the boeing.com website, failure to use DMARC for email security, and, perhaps most notably, an email server infected with malware.

For its part, Boeing says that the vulnerabilities Kubecka reported are "common IT vulnerabilities — the type of cyber-hygiene issues thousands of companies confront every day" and that the company has "no indication of a compromise in any aviation system or product that Boeing produces." What Porup's reporting and Kubecka's research clearly shows, however, is how poor information security practices can become aviation security risks.

This discussion has been archived. No new comments can be posted.

Boeing's Poor Information Security Threatens Passenger Safety, National Security, Says Researcher

Comments Filter:
  • by Indy1 ( 99447 ) on Saturday November 09, 2019 @05:02PM (#59398236)

    ignore IT problems until it becomes a massive disaster that costs you hundreds of millions if not billions, then hire a pile of over priced consultants from IBM, Booz Allen, etc.

    Then ignore all your IT problems again, until the next disaster.

    • by gweihir ( 88907 )

      Indeed. The larger, the worse this gets.

    • Other companies/industries have kept up, mostly, because of money. Either there was money to be made being competitive or because not keeping up would cost them directly.

      IBM

      You haven't 'lived' until you've had to deal with IBM DOORS, DOORS NextGeneration, or JAZZ SCM. We had maybe 90% uptime, pushing and pulling files would move at a blistering 500kB/s (on LAN). But look here at these pointless certifications we convinced your midlevel managers you need.

      Onboarding was fun: "Well, I spent Monday pulling the rep

    • by nnull ( 1148259 )

      I walk into a lot of facilities and I see this problem all the time. The IT guy is some contractor that they have on call that they never call for in years. I've already had multiple customers get hit by phishing schemes because they're constantly sending me invoices to pay that have the address changed.

      Maintenance is the same way now. Rarely do facilities do PM cycles as they see it as losing production, until something major breaks down and they're down for months because they can't source parts fast enou

  • What happens on the http homepage of Boeing's website is really that critical to what happens behind the scenes on the backend servers.

    • Re: (Score:3, Insightful)

      by r2kordmaa ( 1163933 )
      True, but if the can't be arsed to enable https on their website it says a lot about their overall IT management. If they are not fixing things everybody can see, why do you think they fix things nobody sees? And the list of problems reported is not short and they are going unfixed.
      • https appears to be working on their website now, but the cert was issued in October, so this is a recent update.

        Their website does not do what is standard for many: redirect from http to https.

        However, the article greatly exaggerates the value of DMARC -- as if it is some kind of magic anti-phishing tool, instead of a not very effective anti-SPAM tool.

        • by tlhIngan ( 30335 )

          Their website does not do what is standard for many: redirect from http to https.

          The value of which is questionable. After all, the redirect still relies on the insecurity of HTTP at the beginning, so any problems you were hoping to avoid by using HTTPS has been nullified because only in a properly working case would HTTP get redirected to HTTPS. If even one thing "bad" happens, you wouldn't know, and that could involve hijacking the redirect to your own site with proper certificate thus making it appear th

      • True, but if the can't be arsed to enable https on their website it says a lot about their overall IT management. If they are not fixing things everybody can see, why do you think they fix things nobody sees?

        Ahhh, but this is the HONEYTRAP Boeing you see. They're diverting all of the hackers towards this system to protect the ACTUAL system, which is ... connected ... over there .... to .....

        I'LL BE RIGHT BACK.

  • by 0100010001010011 ( 652467 ) on Saturday November 09, 2019 @05:41PM (#59398304)

    Since I've harped on terrible design decisions that go into the aircraft, the supporting infrastructure is bad or even worse when it comes to actual security and other bits.

    Aerospace, in my experience, is the place where IT is least valued. Everything comes down to return on 'investment'. IT brings no profit to the table so why spend money on it? /s

    Not to mention the Aerospace engineers that never worked in any industries push back hard enough that sometimes IT gives up. Because 2FA is "hard" and they already have enough to learn.

    IT also suffers from the 'grandfather' clauses plugging the airplane design. Actual secure systems aren't used because they're not certified. But the certified systems are 20 years old and "already certified". GE Aerospace's entire Git/etc infrastructure is external facing: https://vault.geaviation.com/ [geaviation.com] Everything up to ITAR is protected by that https. You actually had to disconnect from the 2FA VPN to connect to The Vault because internally they couldn't plumb the traffic correctly. But the Vault is ITAR certified and certified for DO-178 work. So the vault is what gets used.

    It's not just the big companies that have this problem. All of their sub-contractors used to money just flowing in haven't put any work into bettering their setup either. GitLab's 2FA was failing because of a slight time error. IT couldn't be bothered to fix it. So an ITAR, functional safety, Aerospace GitLab server is just sitting on a Cox cable modem (wsip-*.ph.ph.cox.net), forward facing the world without 2FA. Their IT/security departments have grown with the company and just not needed to do anything 'right' because 'it works why fix it'.

    It all comes down to liability for the company, I have a family member that works brokerage company. They have everything locked down to the 9s. Because if they screw up their company is on the hook for millions. If Boeing gets hacked and it takes down a future plane we see a human life is $150k a head. Proper IT security would cost way more than that, so nothing gets done.

  • by DCFusor ( 1763438 ) on Saturday November 09, 2019 @05:51PM (#59398340) Homepage
    One wonders if they've gotten too fat on cost plus fixed fees for defense and NASA work, and if their IT is as sloppy there. Oh, of course it is. Subsidies do that to lazy MBA types. Heck, they even have the Exim bank to subsidize their customers for overseas sales, something even big normal companies don't get the benefit of. MIC at work, you tax dollars at play.
  • Sorry, Boeing, you've earned yourself a whole metric shit-ton of scrutiny. How could that have happened?

    Whether or not these security lapses have anything to do with product safety, we've all seen how profit trumps safety throughout your organization. Small wonder that you're under the microscope. And my, it sure looks germy.

  • this really looks like a shake down from my point of view... I don't think Boeing employee's did the wrong thing it's just that Boeing.com is fairly weird :

    EXECUTIVE SUMMARY : implement DNSSEC and DANE you have zero changes to the email systems and its required for contracts in EU

    Engineering take :

    The website and domain boeing.com is setup weirdly first of all it sets the session ID (JSESSIONID) over plain HTTP
    it does not have HTTP Strict Transport Security (HSTS) header and presently cannot be set, as site

  • by Sqreater ( 895148 ) on Sunday November 10, 2019 @10:05AM (#59399562)
    "...Aviation Industry Corporation of China (AVIC), a subsidiary AVIC Aircraft, maker of China’s warplanes; and China Shipbuilding Industry Corporation, which is building China’s first indigenous aircraft carrier and other advanced military systems. As revealed in chapter 6, AVIC subsidiaries were the beneficiaries of the massive cyber espionage against Boeing that compromised vital technology from the C-17, F-35, and F-22 aircraft." Gertz, Bill. Deceiving the Sky (p. 144). Encounter Books. Kindle Edition. This is a book every tech person here should read.

"I got everybody to pay up front...then I blew up their planet." "Now why didn't I think of that?" -- Post Bros. Comics

Working...