<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>AircraftNews.Com &#187; Security</title>
	<atom:link href="http://www.aircraftnews.com/category/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.aircraftnews.com</link>
	<description>Breaking Aircraft News and Views</description>
	<lastBuildDate>Mon, 15 Feb 2010 09:03:15 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Darwinian Defence</title>
		<link>http://www.aircraftnews.com/2009/09/04/darwinian-defence/</link>
		<comments>http://www.aircraftnews.com/2009/09/04/darwinian-defence/#comments</comments>
		<pubDate>Fri, 04 Sep 2009 02:54:28 +0000</pubDate>
		<dc:creator>mgiles</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.aircraftnews.com/?p=603</guid>
		<description><![CDATA[At every level there is doubt about the efficacy, and indeed the common sense, of the security regulations and responses we have had to deal with since 9/11. Osama, unless he is in his grave, must be laughing his head off at the enormous cost he has been able to get us to inflict [...]]]></description>
			<content:encoded><![CDATA[<p><div id="attachment_604" class="wp-caption alignleft" style="width: 145px"><img src="http://www.aircraftnews.com/wp-content/uploads/2009/09/Security-screening.jpg" alt="Security screening" title="Security screening" width="135" height="105" class="size-full wp-image-604" /><p class="wp-caption-text">Security screening</p></div>At every level there is doubt about the efficacy, and indeed the common sense, of the security regulations and responses we have had to deal with since 9/11. Osama, unless he is in his grave, must be laughing his head off at the enormous cost he has been able to get us to inflict on ourselves as a society.<br />
As I suspect everyone has ruminated at some time or another, as they have had some innocent object confiscated by some officious goon or gooness (in my case a small shifting spanner about 2 inches long), always with the excuse &#8220;I am just following rules&#8221;, it is obvious that much silliness goes on in the name of security.<br />
The absurdly extreme measures which exist serve, as is so often correctly stated, only to inconvenience the law abiding in society without doing more than give minor pause to the destructive amongst us.<br />
So far there has not been much of a bite back from the public because they can usually be scared into submission by saying &#8220;terrorism&#8221; but sooner or later simple economics may lead to a search for a better paradigm.<br />
In what may perhaps be the beginnings of a movement in the direction of sanity, a recent speech by an American professor of biology has suggested that a different take might be very rewarding.<br />
The basic concept is that organisms constantly face security threats and they respond at an adaptable and flexible local level, and so are able to respond very quickly and appropriately.<br />
The top-down approach (it has been ruled that nail clippers are not allowed onto aircraft, whereas plastic coat hangers, which when broken make much better weapons than nail clippers, are) is so predictable that it is easily circumvented, whereas an appropriately empowered and savvy local defence security apparatus might be much more effective.<span id="more-603"></span><br />
In a piece titled &#8220;Take A Darwinian Approach To A Dangerous World&#8221;, ecologist Rafe Sagarin, an assistant research professor of marine science and conservation in Duke University&#8217;s Nicholas School of the Environment, preaches &#8216;natural&#8217; security for homeland defense.<br />
In nature, the threat level is always at least orange: Predators and plagues are an unrelenting menace to the well-being (and successful reproduction) of every living thing.<br />
So does your body make every gulp of air take off its shoes before entering your lungs to ensure that it&#8217;s not smuggling pathogens?<br />
Of course not, says Sagarin, and it would be ridiculous to try. If you didn&#8217;t suffocate first, the microbes would simply find another way to get in. That&#8217;s what natural threats do.<br />
Sagarin, an ecologist who&#8217;s normally more concerned with the urchins and starfish in tide pools, got to thinking about these things as a Congressional science fellow less than a year after the 9/11 terrorist attacks. He saw Washington building an expensive new shell, erecting large barriers around buildings and posting guards and cameras in every doorway.<br />
&#8220;Everything was about more guards, more guns, and more gates,&#8221; he said. &#8220;I was thinking, &#8216;If I&#8217;m an adaptive organism, how would I cope with this?&#8217; &#8221;<br />
Pretty simply, as it turns out. &#8220;If they&#8217;re checking every trunk, I&#8217;ll put the bomb in the back seat.&#8221;<br />
Sagarin thinks this way because he&#8217;s a biologist, not a cop. And, he says, it&#8217;s a mode of thinking—informed by Charles Darwin&#8217;s insights into life&#8217;s struggle for survival and fecundity—that more security analysts would be wise to adopt.<br />
At the annual meeting of the American Association for the Advancement of Science in Chicago, Sagarin has organized a 90-minute symposium on the subject, to be held Friday morning, Feb. 13.<br />
Sagarin is also the editor of &#8220;Natural Security: A Darwinian Approach to a Dangerous World&#8221; (University of California Press, 2008), which convened a national committee of experts from related fields like biology, anthropology, and virology, as well as security, psychology, and math to think about ways that Homeland Security could act more like an immune system and less like a tough-talking Texas sheriff.<br />
In nature, a threat is dealt with in several ways. There&#8217;s collectivism, where one meerkat sounds the alarm about an approaching hawk, or camouflage, where the ptarmigan hides in plain sight. There&#8217;s redundancy, like our wisdom teeth, or unpredictable behaviour, like the puffer fish&#8217;s sudden, spiky pop.<br />
Under the unyielding pressure of 3.5 billion years of evolution, the variety of defences is beyond counting. But they all have a few features in common. A top-down, build-a-wall, broadcast-your-status approach &#8220;is exactly the opposite of what organisms do,&#8221; Sagarin says.<br />
An immune system, for example, is not run by a central authority. It relies on a distributed network of autonomous agents that sense trouble on the local level and respond, adapting to the threat and signalling for backup without awaiting orders from HQ.<br />
Sagarin&#8217;s brand of &#8220;natural security&#8221; may take some getting used to. &#8220;Organisms do not try to get rid of risk in their environment,&#8221; he says. &#8220;They learn to live with it.&#8221;<br />
The total elimination of risk is far more costly than the organism could bear, and probably futile, since the threats adapt. But by being responsive and adaptable and not putting every last bit of its budget into defence, an organism stands a far better chance of being able to handle an unforeseen risk in an escalating arms race, he says.<br />
&#8220;Almost everything organisms do is, in some way, about security.&#8221;<br />
See http://www.sciencedaily.com/releases/2009/02/090213114158.htm</p>
]]></content:encoded>
			<wfw:commentRss>http://www.aircraftnews.com/2009/09/04/darwinian-defence/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Hacker: Excuse me while I change your flight plan</title>
		<link>http://www.aircraftnews.com/2009/08/02/hacker-excuse-me-while-i-change-your-flight-plan/</link>
		<comments>http://www.aircraftnews.com/2009/08/02/hacker-excuse-me-while-i-change-your-flight-plan/#comments</comments>
		<pubDate>Sat, 01 Aug 2009 23:15:52 +0000</pubDate>
		<dc:creator>mgiles</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.aircraftnews.com/?p=514</guid>
		<description><![CDATA[In a scary presentation at the Defcon hacker conference, a security researcher showed how easy it is to compromise the Federal Aviation Administration’s air traffic control system.
Righter Kunkel was careful not to show exactly how to bring aircraft out of the sky. But he showed how it’s easy to shut down information going into an [...]]]></description>
			<content:encoded><![CDATA[<p><div id="attachment_515" class="wp-caption alignleft" style="width: 160px"><img src="http://www.aircraftnews.com/wp-content/uploads/2009/08/nose-to-nose-aircraft.jpeg" alt="Not what I planned" title="nose-to-nose-aircraft" width="150" height="113" class="size-full wp-image-515" /><p class="wp-caption-text">Not what I planned</p></div><br />
In a scary presentation at the Defcon hacker conference, a security researcher showed how easy it is to compromise the Federal Aviation Administration’s air traffic control system.</p>
<p>Righter Kunkel was careful not to show exactly how to bring aircraft out of the sky. But he showed how it’s easy to shut down information going into an air traffic control tower, jam radar, submit a fake aircraft flight plan, get recognized as a pilot even if you aren’t a pilot, and stop planes from taking off at an airport.<br />
Kunkel laid out the process. You could get a fake identification (which is illegal). Go to the doctor and get an aviation medical certificate which shows you are fit to fly. With that, you can get a student pilot’s certificate number. Then you can log into the FAA’s pilot registration site. Then you can submit your own flight plans.<span id="more-514"></span></p>
<p>You would think this stuff would be impossible in the age after 9/11. But then, it’s easy to believe, considering the plodding pace at which the government is embracing new technologies, such as those that make government computer systems more secure. And the FAA’s priority has been keeping planes safe in the sky, not necessarily shoring up its network security. Each tower prints every submitted flight plan. The system essentially treats you as a trusted user, but that user could theoretically submit an extremely large number of flight plans that could overwhelm the system — essentially a denial of service attack. That could bog down the whole system. Kunkel said the FAA itself has said that some of its networks are improperly linked. He found that one system uses Telnet.</p>
<p>Kunkel said he wouldn’t talk about the significance of that fact, but the implication was it could be used to launch a cyber attack. The FAA found in its own report, issued in May, that there were 763 vulnerabilities in 70 web applications that are used internally at the FAA. It’s a damning report, Kunkel said, but the FAA says it is working on fixing some problems, including some fixes that will go into place by February, 2010.</p>
<p>Kunkel said that he wasn’t encouraging people to take down the system. He is a pilot himself and realizes the FAA is under-funded. Rather, he was pointing out that the system needs fixing. The next-generation system for air traffic control is coming soon and is being tested in Alaska. But Kunkel is concerned that the system has been designed without enough computer safeguards. He said he hasn’t heard from the FAA yet.</p>
<p>“I’m on their side,” he said.<br />
Original at http://deals.venturebeat.com/2009/08/01/defcon-hacker-excuse-me-while-i-change-your-aircrafts-flight-plan/</p>
]]></content:encoded>
			<wfw:commentRss>http://www.aircraftnews.com/2009/08/02/hacker-excuse-me-while-i-change-your-flight-plan/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>GA terror threat mostly imaginary</title>
		<link>http://www.aircraftnews.com/2009/06/24/ga-terror-threat-mostly-imaginary/</link>
		<comments>http://www.aircraftnews.com/2009/06/24/ga-terror-threat-mostly-imaginary/#comments</comments>
		<pubDate>Wed, 24 Jun 2009 01:58:05 +0000</pubDate>
		<dc:creator>mgiles</dc:creator>
				<category><![CDATA[GA]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.aircraftnews.com/?p=312</guid>
		<description><![CDATA[Why are we not surprised? In a classical case of let&#8217;s find a bogie that can&#8217;t defend itself and let&#8217;s make a huge fuss of how we are going to cope with it, GA has been targeted globally with onerous and, let&#8217;s admit it, ridiculous security measures that have cost many dearly, caused much aggravation [...]]]></description>
			<content:encoded><![CDATA[<p><div id="attachment_313" class="wp-caption alignleft" style="width: 137px"><img src="http://www.aircraftnews.com/wp-content/uploads/2009/06/airport-security.jpg" alt="Airport Security?" title="airport-security" width="127" height="85" class="size-full wp-image-313" /><p class="wp-caption-text">Airport Security?</p></div>Why are we not surprised? In a classical case of let&#8217;s find a bogie that can&#8217;t defend itself and let&#8217;s make a huge fuss of how we are going to cope with it, GA has been targeted globally with onerous and, let&#8217;s admit it, ridiculous security measures that have cost many dearly, caused much aggravation and inefficiency and made our enemies laugh.<br />
A recent report tells us what we all knew and also highlights the not entirely innocent role of sections of the media embroiled in the shock-horror end of the industry.</p>
<p>In an important finding, the Homeland Security Department&#8217;s inspector general said Wednesday the national security threat posed by general aviation is &#8220;limited and mostly hypothetical.&#8221;<span id="more-312"></span></p>
<p>General aviation accounts for 77 percent of all domestic flights and includes air cargo transport, emergency medical flight operations, flight school training, and corporate and private aviation.</p>
<p>Rep. Sheila Jackson Lee, D-Texas, asked the IG to investigate after a Houston television station alleged &#8220;security breaches&#8221; occurred at three local airports when reporters were able to approach airfields or aircraft without identifying themselves.</p>
<p>In a direct reference to the television report, titled, &#8220;Is Houston a Sitting Duck for Terrorism?&#8221; the watchdog&#8217;s report contains a section titled &#8220;Houston Is Not a &#8216;Sitting Duck for Terrorism.&#8217; &#8221;</p>
<p>&#8220;We reviewed the allegations and determined that they were not compelling,&#8221; wrote Homeland Security IG Richard Skinner. Reporters were unaware of some passive security and monitoring measures the airports had taken, such as 24-hour video surveillance, locked or disabled planes, and controlled fuel access.</p>
<p>Guidelines and alerts the Transportation Security Administration issued, &#8220;coupled with voluntary measures taken by owners and operators of aircraft and facilities, provide baseline security for aircraft based at general aviation sites,&#8221; Skinner wrote.</p>
<p>Besides the three Houston-area airports approached by the television reporters, the IG&#8217;s staff visited a number of large and small, public and privately owned general aviation facilities in metropolitan areas where people could be at risk in the event of a terrorist attack launched from the airports.</p>
<p>The IG noted TSA has tailored its security strategy to the range of airfield environments and classes of aircraft and operators, rather than introducing overly broad regulations that are costly to implement. The agency also analyzes credible intelligence information to prioritize existing threats and identify practical, targeted measures to reduce risks in the aviation sector.</p>
<p>&#8220;Although [TSA's Office of Intelligence] has identified potential threats, it has concluded that most [general aviation] aircraft are too light to inflict significant damage, and has not identified specific imminent threats from [general aviation] aircraft,&#8221; the IG stated.</p>
<p>&#8220;Significant regulation of the industry would require considerable federal funding,&#8221; Skinner added.</p>
<p>The watchdog did not make any recommendations to TSA, and agency officials did not submit formal comments in response to the report.</p>
<p>&#8220;The current status of [general aviation] operations does not present a serious homeland security vulnerability requiring TSA to increase regulatory oversight of the industry,&#8221; the IG concluded.<br />
See http://www.govexec.com/dailyfed/0609/061709kp1.htm for report</p>
]]></content:encoded>
			<wfw:commentRss>http://www.aircraftnews.com/2009/06/24/ga-terror-threat-mostly-imaginary/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Cyber Attack possible on US ATC</title>
		<link>http://www.aircraftnews.com/2009/05/08/cyber-attack-possible-on-us-atc/</link>
		<comments>http://www.aircraftnews.com/2009/05/08/cyber-attack-possible-on-us-atc/#comments</comments>
		<pubDate>Fri, 08 May 2009 04:20:25 +0000</pubDate>
		<dc:creator>mgiles</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.aircraftnews.com/?p=33</guid>
		<description><![CDATA[May 08, 2009
U.S. air traffic control systems are at high risk of attack due to their links to insecure Web applications run by
aviation authorities around the country, according to a U.S. Department of Transportation audit.
Penetration testers found 763 high-risk vulnerabilities in 70 Web applications used for functions such as
distributing communications frequencies for pilots and controllers [...]]]></description>
			<content:encoded><![CDATA[<p>May 08, 2009</p>
<p>U.S. air traffic control systems are at high risk of attack due to their links to insecure Web applications run by aviation authorities around the country, according to a U.S. Department of Transportation audit.</p>
<p>Penetration testers found 763 high-risk vulnerabilities in 70 Web applications used for functions such as distributing communications frequencies for pilots and controllers to the public and other applications used for internal air traffic control (ATC) systems within the U.S. Federal Aviation Administration (FAA), the report said.</p>
<p>A high-risk vulnerability is classified as one where an attacker could take control over a computer, modifying systems or stealing data. Testers also found 504 medium-risk and 2,590 low-risk vulnerabilities, such as the use of weak passwords and unprotected critical file folders, the report said.</p>
<p>&#8220;In our opinion, unless effective action is taken quickly, it is likely to be a matter of when, not if, ATC systems encounter attacks that do serious harm to ATC operations,&#8221; the report concluded.<span id="more-33"></span></p>
<p>FAA officials could not immediately be reached. But the agency has acknowledged the problems in the report and made plans for more rigorous patching of Web applications and increased use of intrusion-detection systems.</p>
<p>The FAA uses commercial software programs to distribute information over the Internet, but the agency has failed to install enough intrusion-detection systems needed for protection, the report said. Web application systems in use often act as a front door to other sensitive systems and information stored elsewhere.</p>
<p>The nation&#8217;s ATC systems are spread out at hundreds of facilities, but intrusion-detection systems have been installed at only 11.</p>
<p>&#8220;Cyber incidents were not effectively monitored at ATC facilities,&#8221; the report said. &#8220;To identify potential cyber incidents, FAA needs IDS sensors installed at key locations to collect critical information for security analyses.&#8221;</p>
<p>More than 800 computer-related security incidents were reported in fiscal 2008 to the Air Traffic Organization (ATO), the part of the FAA that handles the management of some 50,000 aircraft moving through U.S. airspace per day.</p>
<p>By the end of the year, the problems behind 150 of those incidents had still not been fixed, &#8220;including critical incidents in which hackers may have taken over control of ATO computers,&#8221; the report said.</p>
<p>Hackers have already done damage. In February, attackers gained access through a weak Web application to an internal FAA database, which held names, birth dates, Social Security numbers, pay grades and addresses for some 48,000 current and former agency employees.</p>
<p>In August 2008, hackers compromised critical network servers and could have shut them down, &#8220;which could have caused serious disruption to FAA&#8217;s mission-support network,&#8221; the report said.</p>
<p>During the audit, officials from consultancy KPMG and the U.S. Department of Transportation&#8217;s Office of the Inspector General gained unauthorized access to computers associated with the Traffic Flow Management Infrastructure system, the Juneau Aviation Weather System and the Albuquerque Air Traffic Control Tower, the report said.</p>
<p>The access was possible due to misconfigured Web applications, some of which were unpatched despite publicly available fixes from software vendors, it said.</p>
<p>See original at http://www.oig.dot.gov/StreamFile?file=/data/pdfdocs/ATC_Web_Report.pdf</p>
]]></content:encoded>
			<wfw:commentRss>http://www.aircraftnews.com/2009/05/08/cyber-attack-possible-on-us-atc/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
