
Boeing's Poor Information Security Threatens Passenger Safety, National Security, Says Researcher (csoonline.com)

itwbennett writes: Security researcher Chris Kubecka has identified (and reported to Boeing and the Department of Homeland Security back in August) a number of security vulnerabilities in Boeing's networks, email system, and website. "[T]he company's failure to remedy the security failures she reported demonstrate either an unwillingness or inability to take responsibility for their information security," writes JM Porup for CSO online.

The vulnerabilities include a publicly exposed test developer network, a lack of encryption on the boeing.com website, failure to use DMARC for email security, and, perhaps most notably, an email server infected with malware.

For its part, Boeing says that the vulnerabilities Kubecka reported are "common IT vulnerabilities — the type of cyber-hygiene issues thousands of companies confront every day" and that the company has "no indication of a compromise in any aviation system or product that Boeing produces." What Porup's reporting and Kubecka's research clearly shows, however, is how poor information security practices can become aviation security risks.

  • by Indy1 ( 99447 ) on Saturday November 09, 2019 @06:02PM (#59398236)

    ignore IT problems until it becomes a massive disaster that costs you hundreds of millions if not billions, then hire a pile of over priced consultants from IBM, Booz Allen, etc.

    Then ignore all your IT problems again, until the next disaster.

    • by gweihir ( 88907 )

      Indeed. The larger, the worse this gets.

    • Other companies/industries have kept up, mostly, because of money. Either there was money to be made being competitive or because not keeping up would cost them directly.

      IBM

      You haven't 'lived' until you've had to deal with IBM DOORS, DOORS NextGeneration, or JAZZ SCM. We had maybe 90% uptime, pushing and pulling files would move at a blistering 500kB/s (on LAN). But look here at these pointless certifications we convinced your midlevel managers you need.

      Onboarding was fun: "Well, I spent Monday pulling the rep

    • by nnull ( 1148259 )

      I walk into a lot of facilities and I see this problem all the time. The IT guy is some contractor that they have on call that they never call for in years. I've already had multiple customers get hit by phishing schemes because they're constantly sending me invoices to pay that have the address changed.

      Maintenance is the same way now. Rarely do facilities do PM cycles as they see it as losing production, until something major breaks down and they're down for months because they can't source parts fast enou

  • What happens on the http homepage of Boeing's website is really that critical to what happens behind the scenes on the backend servers.

      by r2kordmaa ( 1163933 )
      True, but if they can't be arsed to enable https on their website it says a lot about their overall IT management. If they are not fixing things everybody can see, why do you think they fix things nobody sees? And the list of problems reported is not short and they are going unfixed.
      • https appears to be working on their website now, but the cert was issued in October, so this is a recent update.

        Their website does not do what is standard for many: redirect from http to https.

        However, the article greatly exaggerates the value of DMARC -- as if it is some kind of magic anti-phishing tool, instead of a not very effective anti-SPAM tool.

        • by tlhIngan ( 30335 )

          Their website does not do what is standard for many: redirect from http to https.

          The value of which is questionable. After all, the redirect still relies on the insecurity of HTTP at the beginning, so any problems you were hoping to avoid by using HTTPS has been nullified because only in a properly working case would HTTP get redirected to HTTPS. If even one thing "bad" happens, you wouldn't know, and that could involve hijacking the redirect to your own site with proper certificate thus making it appear th

      • True, but if they can't be arsed to enable https on their website it says a lot about their overall IT management. If they are not fixing things everybody can see, why do you think they fix things nobody sees?

        Ahhh, but this is the HONEYTRAP Boeing you see. They're diverting all of the hackers towards this system to protect the ACTUAL system, which is ... connected ... over there .... to .....

        I'LL BE RIGHT BACK.
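To make the DMARC discussion above concrete, here is an added example (not from the thread, and not Boeing's, CSO's or any mail vendor's code) of the decision a receiving mail server makes under DMARC (RFC 7489): it looks up the policy published for the From: domain, checks whether the domain that passed SPF or DKIM is aligned with that From: domain, and applies the published policy when neither is. The domains, the records and the in-memory table standing in for DNS TXT lookups are constructed for illustration; the organizational-domain function is a two-label approximation rather than a public-suffix-list lookup.

```python
# Added example: minimal DMARC policy evaluator (RFC 7489 semantics).
# DNS is replaced by a constructed in-memory table of _dmarc TXT records.

# Constructed records: example.com enforces reject with strict DKIM
# alignment; example.org publishes a record but asks for no enforcement.
FAKE_DNS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
    "_dmarc.example.org": "v=DMARC1; p=none; rua=mailto:reports@example.org",
}


def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dict; None if it is not a valid record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    tags.setdefault("adkim", "r")  # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Organizational domain, approximated as the last two labels (no PSL lookup)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Is the SPF/DKIM-authenticated domain aligned with the From: domain?"""
    if not auth_domain:
        return False
    auth, frm = auth_domain.lower(), from_domain.lower()
    if mode == "s":  # strict: exact match
        return auth == frm
    return org_domain(auth) == org_domain(frm)  # relaxed: same org domain


def evaluate(from_domain, spf_pass_domain=None, dkim_pass_domain=None, dns=FAKE_DNS):
    """Return (disposition, reason).

    spf_pass_domain / dkim_pass_domain are the domains for which SPF or DKIM
    passed (None if that check failed). Disposition is 'pass', 'none',
    'quarantine' or 'reject'.
    """
    from_domain = from_domain.lower()
    record = dns.get("_dmarc." + from_domain)
    used_org_record = False
    if record is None:
        record = dns.get("_dmarc." + org_domain(from_domain))
        used_org_record = True
    policy = parse_dmarc(record) if record else None
    if policy is None:
        # A domain the sender does not control (a lookalike, say) is outside
        # DMARC's reach entirely: there is nothing to enforce.
        return "none", "no DMARC record for From: domain"
    spf_ok = aligned(spf_pass_domain, from_domain, policy["aspf"])
    dkim_ok = aligned(dkim_pass_domain, from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "aligned " + ("SPF" if spf_ok else "DKIM")
    effective = policy["p"]
    if used_org_record and "sp" in policy:  # subdomain policy, if published
        effective = policy["sp"]
    return effective, "no aligned SPF or DKIM"


if __name__ == "__main__":
    # Spoofed From: example.com relayed through attacker.net (SPF passes for attacker.net).
    print(evaluate("example.com", spf_pass_domain="attacker.net"))
    # Lookalike domain the attacker actually owns: DMARC has nothing to say.
    print(evaluate("example-com.net", spf_pass_domain="example-com.net"))
```

The two printed cases are the point of the example: a message that forges the exact From: domain is rejected, while a message from a lookalike domain the attacker registered passes straight through, because DMARC only protects domains whose owners publish and enforce a policy.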

  • by 0100010001010011 ( 652467 ) on Saturday November 09, 2019 @06:41PM (#59398304)

    Since I've harped on terrible design decisions that go into the aircraft, the supporting infrastructure is bad or even worse when it comes to actual security and other bits.

    Aerospace, in my experience, is the place where IT is least valued. Everything comes down to return on 'investment'. IT brings no profit to the table so why spend money on it? /s

    Not to mention the Aerospace engineers that never worked in any industries push back hard enough that sometimes IT gives up. Because 2FA is "hard" and they already have enough to learn.

    IT also suffers from the 'grandfather' clauses plaguing the airplane design. Actual secure systems aren't used because they're not certified. But the certified systems are 20 years old and "already certified". GE Aerospace's entire Git/etc infrastructure is external facing: https://vault.geaviation.com/ [geaviation.com] Everything up to ITAR is protected by that https. You actually had to disconnect from the 2FA VPN to connect to The Vault because internally they couldn't plumb the traffic correctly. But the Vault is ITAR certified and certified for DO-178 work. So the vault is what gets used.

    It's not just the big companies that have this problem. All of their sub-contractors, used to money just flowing in, haven't put any work into bettering their setup either. GitLab's 2FA was failing because of a slight time error. IT couldn't be bothered to fix it. So an ITAR, functional safety, Aerospace GitLab server is just sitting on a Cox cable modem (wsip-*.ph.ph.cox.net), forward facing the world without 2FA. Their IT/security departments have grown with the company and just not needed to do anything 'right' because 'it works, why fix it'.

    It all comes down to liability for the company. I have a family member that works at a brokerage company. They have everything locked down to the 9s. Because if they screw up, their company is on the hook for millions. If Boeing gets hacked and it takes down a future plane, we see a human life is $150k a head. Proper IT security would cost way more than that, so nothing gets done.
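The "2FA was failing because of a slight time error" remark above is worth unpacking, because it is a classic way TOTP gets switched off instead of fixed. An added example (not GitLab's code, and not from the thread): RFC 6238 TOTP codes are HOTP (RFC 4226) over the current 30-second time step, so a server whose clock drifts by more than a step rejects every valid code. Verifiers tolerate small drift by also checking the adjacent steps and record the step that matched so a code cannot be replayed. The secret and timestamps below are constructed; the 20-byte ASCII secret and the time 59 case are the published RFC 6238 test vector.

```python
# Added example: TOTP (RFC 6238) with a drift window and replay tracking.
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, now, step=30, digits=6):
    """TOTP: HOTP with the counter derived from Unix time (RFC 6238)."""
    return hotp(secret, int(now) // step, digits)


def verify_totp(secret, code, now, window=1, step=30, digits=6, last_counter=None):
    """Return the time step that matched, or None.

    window=1 accepts codes from the previous and next step too, tolerating up
    to one step of clock drift between client and server. last_counter is the
    step of the last code accepted for this user; anything at or before it is
    refused so an intercepted code cannot be replayed inside the window.
    """
    counter = int(now) // step
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if last_counter is not None and candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed secret (the RFC 6238 SHA-1 test key) and a constructed time.
    secret = b"12345678901234567890"
    client_time = 1_000_000
    code = totp(secret, client_time)
    server_time = client_time + 40  # server clock 40 s ahead: a different step
    print("strict:", verify_totp(secret, code, server_time, window=0))   # None
    print("window:", verify_totp(secret, code, server_time, window=1))   # 33333
```

Widening the window buys tolerance at the cost of a slightly larger guessing surface (three codes valid instead of one), so the operational fix is to keep the server on NTP and leave the window at one step, not to disable the second factor.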

  • by DCFusor ( 1763438 ) on Saturday November 09, 2019 @06:51PM (#59398340) Homepage
    One wonders if they've gotten too fat on cost plus fixed fees for defense and NASA work, and if their IT is as sloppy there. Oh, of course it is. Subsidies do that to lazy MBA types. Heck, they even have the Exim bank to subsidize their customers for overseas sales, something even big normal companies don't get the benefit of. MIC at work, your tax dollars at play.
  • Sorry, Boeing, you've earned yourself a whole metric shit-ton of scrutiny. How could that have happened?

    Whether or not these security lapses have anything to do with product safety, we've all seen how profit trumps safety throughout your organization. Small wonder that you're under the microscope. And my, it sure looks germy.

  • This really looks like a shakedown from my point of view... I don't think Boeing employees did the wrong thing; it's just that Boeing.com is fairly weird:

    EXECUTIVE SUMMARY: implement DNSSEC and DANE. You have zero changes to the email systems, and it's required for contracts in the EU.

    Engineering take :

    The website and domain boeing.com is set up weirdly. First of all, it sets the session ID (JSESSIONID) over plain HTTP.
    It does not have an HTTP Strict Transport Security (HSTS) header, and presently one cannot be set, as the site

  • by Sqreater ( 895148 ) on Sunday November 10, 2019 @11:05AM (#59399562)
    "...Aviation Industry Corporation of China (AVIC), a subsidiary AVIC Aircraft, maker of China’s warplanes; and China Shipbuilding Industry Corporation, which is building China’s first indigenous aircraft carrier and other advanced military systems. As revealed in chapter 6, AVIC subsidiaries were the beneficiaries of the massive cyber espionage against Boeing that compromised vital technology from the C-17, F-35, and F-22 aircraft." Gertz, Bill. Deceiving the Sky (p. 144). Encounter Books. Kindle Edition. This is a book every tech person here should read.
