Re: FAA hacked... repeatedly

Much like love, concern for IT security seems to come in spurts. At least it does for the bureaucrats. I think that if IT professionals were just left alone without bureaucrats getting involved we'd have everything taken care of.

I do think that there's a lot of fearmongering going on right now, I have my own theories as to why it's happening, but they are beyond the accepted scope of the Defcon forum.

Re: FAA hacked... repeatedly

Sure, more money for infosec is great and yes there are some serious issues that need to be tackled. I just don't think creating hysteria so that people throw money at it is the greatest solution. What I fear is someone coming in, collecting the money, and going "yeah sure i've got this covered. it's secure now, you betcha!" while they do 1/10th of the job that should be done. Let's make it so that every user has to have an ultrasecure password and then not spend time securing the server. A whole lot of good that did you right there. Then the next time a concern arises about a security issue (like that pesky server not being secure) the bureaucrats in charge will say "well we already paid for it to be secured in fiscal year XXXX, it's secure, they told us so." Then what? This idea that security can be taken care of in large spikes is what I think is wrong. In my opinion, security is something that evolves over time, and is constantly changing. If you're in the mindset that a giant influx of resources once ever X number of years will solve all your problems, it seems to be just asking for trouble during those in between years. It's like saying "i'm only going to patch my system once a year, when I pay a lot of money to have some guy come in and do them all for me"

Reports and stories like this are what cause these hysteria's and this mentality that security is only something you take care of in spurts. Sure maybe the nation needs this kick in the butt to get our act together. Then again this just feels like the swine flu situation to me. People are instructed to do things that you should do on a day to day basis such as wash your hands, cover your mouth, and don't go into public if you're sick. Then again what would I know? I'm just some silly person at a university that was recently quarantined, shut down, and cleansed like raccoon city....at least that's what twitter told me happened.

Re: FAA hacked... repeatedly

Yes, I agree with this, but look at what happened in the late 90's with this idea when Y2k was threatening to end the world as we know it. The MSCE mills were pushing out useless people who expected to make $120k/y just for having a piece of paper with their name on it.

I would hope that the IT managers of today are smarter than they were, but I doubt it highly.

Re: FAA hacked... repeatedly


You mean you can't take control and fly the plane from the seat back terminals? (rolls eyes) Dam I was so looking forward to entertaining myself with some 1g barrel rolls on the way to Defcon this year.

xor

Actually a little irrational earth person hysteria mite be good for Infosec. Budgets go up, more jobs get created, better standards and accounting; security comes from the back burner to the front. You are no longer the little paranoid computer guy you are the wise IT Sage. This enables you to consolidate your power, crush the vexing naysayer competition, and get the corner office with the door.

Re: FAA hacked... repeatedly

This is another report where bad reporting is going to cause people to over react. The actual air traffic control network is not connected to the internet at the moment. While they are working on making the network IP enabled, currently there is no link to the internet. The TRACON's and such are all linked via an old network from the 1960s that's been slightly upgraded (imagine racks of IBM PS/2 terminals with modems stuffed in them). The new IP based network is using dedicated network runs and only uses the internet for site to site tunneling. Even if someone were to get on the network, and if they were able to forge an alert, that's only the flight strip information on a plane. The real data is all local to the center, fed from the local radar dishes. If they were to DoS the link, all it takes is a phone call. Remember, this data used to be transmitted over dedicated phone lines using modems. The amount of planes transferring from zone to zone is so small, you don't need massive amounts of data transfer....

What they're talking about is access to the organization's office network. Most of whats on that network is just emails about where everyone is going that night. These reporters tend to be really good recently at causing hype by neglecting to mention key facts...

Re: FAA hacked... repeatedly

I read about this...

I'm wondering if it stands as much as the power grids being hacked. 'Cause from what I'm told, they weren't.