It’s not too often that we get an honest evaluation of the security of a corporate network let alone a government network. But that’s exactly what David Bowen, the Federal Aviation Administration’s Assistant Administrator for Information Services and Chief Information Officer gave IT execs in Dallas last week. In a very frank speech, he disclosed that the FAA has more Internet access points than they can manage, more systems than they can secure and generally a network that they know is insecure but don’t have the time and budget to do anything about.
I doubt there are many security professionals that are surprised that the FAA network is insecure, but the sheer scope of what Mr. Bowen is facing is scary in the extreme. They lost information on 45,000 employees in February and even though they deny that other systems, such as air traffic control, are affected, how can they know for certain when they have a network with so few security controls in place? Unless there’s an air gap of some sort between the rest of the FAA systems and the air traffic control systems, the answer is they can’t.
This isn’t a rogue IT professional disclosing the dirty secrets of an organization, this is the CIO publicly admitting that he doesn’t have a handle on the security of his organization with full acknowledgment by his superiors. You can read entire transcript of the speech on the FAA site, something you wouldn’t be able to do if the higher ups in the organization were trying to keep this from getting out. To me that means that this isn’t just an admission of guilt, it’s a plea for help from Federal government to help supply the resources needed to secure his networks.
Statistically, flying is one of the safest ways to travel. Usually when we hear about an airplane accident it’s because what happened was spectacular and unusual. But if the FAA networks are really as insecure as Mr. Bowen is indicating, it’s not inconceivable that we could have a scene that looks like something out of a Die Hard movie at sometime in the not too distant future. I don’t even think this is a case of crying wolf or exaggerating the potential consequences, I believe this a real threat we could face in the future if the FAA systems aren’t secured.
If you want a good place to spend TSA and Homeland Security money, I’m willing to bet securing the FAA network would be a lot better place to put it than making travelers take off their shoes when they’re trying to board a flight. True, it wouldn’t be as flashy and noticable as taking away people’s pen knives and baby formula, but securing the computers that guide each and every flight taking place in the United States would save more lives than every shoe x-ray combined.
When we started planning the Security Bloggers Meetup last October, one of the comments I made was “We’re not starting too early, are we?” If nothing else, I’ve learned since then that there’s no such thing as starting too early for an event like this. In fact, for the 2010 meetup we may start even earlier, like some time in May of 2009. I’m mostly kidding, but not entirely.
The meetup is going to be huge this year, mostly thanks to the awesome sponsors who’ve stepped up to the plate and given us the money to put on an event of this magnitude. F5, Fortinet, Microsoft and Websense are the main sponsors and they’ve been very generous, which is even more amazing when you think of the hard economic times we’re in. Seagate has also contributed BlackArmor drives to be given out to the winners of the Social Security Awards as well as a BlackArmor NAS 420 for the door prize at the meetup (more information on how to enter the drawing). I almost wish I was attending instead of being involved in the planning so I’d have a chance to get the NAS 420 myself. Not that I need another drive on my home network that badly, but more geek toys are always lusted after.
The invites with the uber-secret location of the Meetup will be going out just a few days before RSA starts, but if you’re a security blogger who’s going to be at RSA please drop a line to Jennifer Leggio (jleggio_at_fortinet.com) to get on the list. The list will be closing a couple weeks before RSA starts, so even if you don’t have your travel schedule solidified yet, get on the list now. It’s always better to not make an event you RSVP’d for than be turned away because you tried to sign up too late.
It’s been another incredibly busy week and a lot of tabs have accumulated in my Firefox browser bar. I kept meaning to blog about a number of these stories but between work, kids and discovering a ton of anime on Hulu, it never happened. So once again, I’m cleaning up my browser by creating a quick blog post to reference these sites later. As if that ever really happens. But the intent is there.
I have to say, it’d be a bad week to be Diebold/Premier; they’re under attack here in California because they’ve admitted to a number of problems in their audit logs of their e-voting devices and their ATM’s are under attack in Russia. I’m not a big fan of electronic voting machines in the first place, but when you have to admit that your machines can have votes deleted wholesale without any record of the vote existing in the first place, you shouldn’t be in the business to begin with. Which is probably why Diebold spun the e-voting machine business off in the first place. It’s crazy stupid that such a mistake happened in the first place, but the fact that they made it through the audit process with a vulnerability like this means that there’s a lot in the process of certifying electronic voting machines that’s broken. Paper ballots aren’t perfect either, but at least they always leave physcial evidence that can be referred back to later.
Twitter, I mean TinyURL, had some major issues this week as well, exposing some of the functionality behind the tool. Fox News’ Twitter stream exposed some SQL code which turned out to be caused by TinyURL improperly securing their systems. I use both services a lot, so this was more than a little disturbing. If someone had been able to use this exposure to compromise TinyURL, it could have been used to send bogus links to millions of people. And while we’re on the topic of shortened URL’s, take a look at LongURL.org, a tool that lets expand a most of the shortened URL’s so that you can know where you’re going before you actually follow the link.
More stories from this week:
Now to go back to my streaming anime and kids. If I can pry the kids away from creating new games of their own using Scratch that is. Geeks in training, that’s my boys. I’m not sure whether to be proud of them or to chase them away from the computer.
I’m sometimes amazed at how quickly people forget that Twitter and all social media platforms are public forums. The ‘social’ in social media means that what you post is out there in the public for all of your friends, as well as people who aren’t your friends, to read. It’s like standing in a crowded room, talking to a group of your friend, with other people on the fringes listening to the conversation. You never know who’s in that fringe group and what they’ll do with what you say.
Yesterday a job seeker got a very graphic example of the dark side of social media on Twitter; they’d been offered a job by Cisco and made the mistake of tweeting the following:
Cisco just offered me a job! Now I have to weigh the utility of a fatty paycheck against the daily commute to San Jose and hating the work.
Someone associated with Cisco saw the tweet and responded. I don’t know if the job offer was rescinded, but given the popularity of the meme, it’s quite likely they’ll at least have to explain themselves to the hiring manager and fight an uphill battle to keep the job. Or maybe they’ll be too embarrassed to face the hiring squad at Cisco again. In any case, it’s not a position anyone wants to be in with the current economy or any economy.
I’m no stranger to this effect and I’m sure we’ve all posted things online that we wish we could remove from the the semi-permanent record that is the Internet. It’s easy to forget that the little group of highly interactive followers you have on Twitter is also backed by a much larger group of followers who never post, just take in what we’re tweeting. It’s even easier to forget that there are a number of ways people can search on key words, like ‘Cisco’, even if they aren’t on Twitter and following you. It’s a public forum and everything you say is being recorded and read by someone and that someone might be you’re boss, the guy who’s thinking about hiring you for your next job or your mother. Would you say some of the things you do on Twitter or Facebook if you knew your mother would read it?
Making your conversations on social media sites private is no guarantee they’ll remain private. You might make a mistake and make your conversation public, the site might make a mistake, a friend might repeat what you’ve posted or any number of other ways for the information to become public. It’s social media, it’s meant to be broadcasted and it’s entirely too easy to lose control of who is receiving your message. If you really want to have a private conversation with someone, pick up the phone and give them a call. That way, at least you know the only people who might be listening in are in a small room of an AT&T building in San Francisco.
If you’re using social media tools, you’re living a public life. What you say can and will affect your future prospects. It may be a virtual soapbox, but you’re still stepping on a stage and shouting to a crowd every time you tweet or post on Facebook. Learn to live your life like someone’s listening to everything you say, because they probably are.