lunedì 29 marzo 2010

Vulnerabilità (controllo traffico aereo negli States)

No comment. Leggere con calma. Il linguaggio è neutro ma, ahimé, chiarissimo.

On May 4, 2009, we issued our report on Federal Aviation Administration (FAA) web applications security and intrusion detection in air traffic control (ATC) systems, requested by the Ranking Minority Members of the full House Transportation and Infrastructure Committee and its Aviation Subcommittee. We found that web applications used in supporting ATC systems operations were not properly secured to prevent attacks or unauthorized access. During the audit, our staff gained unauthorized access to information stored on web application computers and an ATC system, and confirmed system vulnerability to malicious code attacks. In addition, we found that FAA had not established adequate intrusion–detection capability to monitor and detect potential cyber security incidents at ATC facilities. Intrusion–detection systems have been deployed to only 11 (out of hundreds of) ATC facilities. Also, cyber incidents detected were not remediated in a timely manner.

Estratto da pg. 3:
We tested 70 Web applications, some of which are used to disseminate
information to the public over the Internet, such as communications frequencies
for pilots and controllers; others are used internally within FAA to support eight
ATC systems.

Our test identified a total of 763 high-risk, 504 medium-risk, and
2,590 low-risk vulnerabilities, 4 such as weak passwords and unprotected critical
file folders.

By exploiting these vulnerabilities, the public could gain unauthorized access to
information
stored on Web application computers. Further, through these
vulnerabilities, internal FAA users (employees, contractors, industry partners, etc.)
could gain unauthorized access to ATC systems
because the Web applications
often act as front-end interfaces (providing front-door access) to ATC systems. In
addition, these vulnerabilities could allow attackers to compromise FAA user
computers by injecting malicious code onto the computers
. During the audit, ௰
Posta un commento