
When the Target is Also the Threat

Jan 11, 2023

In my last post, I used the LastPass breach as inspiration to write about how security tools can not only be less secure than advertised but can become threats in their own right. LastPass password vaults were supposed to keep all of a user's passwords safe in one place; instead, once the vaults were stolen, every password in them was exposed at once. The defense caused the damage, as much as or more than the attackers did.


I began thinking about this concept again today as flights across America were canceled because of an outage in a Federal Aviation Administration (FAA) computer system. The obscure but essential system, Notice to Air Missions (NOTAM), gives pilots information about potential flight hazards such as icy runways, construction obstacles, or migrating birds. When NOTAM went down, pilots could not get this data, and thousands of flights were grounded as a result; flying without it would have been a huge risk.


The situation is only a few hours old at this point, so the cause of the outage hasn't been reported. Officials have said it wasn't a cyber attack, but it is questionable whether they could know that for certain so soon, and whether they would admit to an attack being the true cause. Officials have both the means and the motive to obscure the cause, especially if a foreign government was somehow behind the outage. But even if the outage was not the result of an attack, as reported, it does not bode well for the FAA, the airline industry, or any of us, frankly.


Watching a Trend Emerge


The airline industry is known for sudden, large-scale problems; it is almost a cliché. But recent events still feel remarkable. Today's FAA outage comes shortly after a technical failure forced Southwest Airlines to cancel hundreds of flights at the peak of the holiday travel season.


That failure was in Southwest's staffing system. When a major winter storm hit the East Coast, forcing many Southwest employees to call out, the airline had to scramble to reassign crews and reroute flights. The staffing system could not keep up with changes at that scale and collapsed under the load, leaving Southwest with no way to get staff where they were sorely needed.


In the wake of the staffing system's collapse, blame has fallen on aging technology that could not keep up with the speed, scale, or sophistication of today's computing requirements. We don't know the cause of the NOTAM outage, but FAA insiders have suggested that decades-old technology may be responsible. There hasn't been a nationwide flight stoppage like this since 9/11, so the NOTAM system has a long record of reliability. If a cyber attack didn't bring it down, the next most logical conclusion is that the system itself is starting to show its age.


That can only mean one thing: what happened today will happen more often. We can already see the trend in progress, and I think it will accelerate and spread to other industries, because the problem of outdated technology controlling key systems is hardly unique to airlines.


Systems at Risk of Collapse


Look deep enough into just about any system, structure, or supply chain and you will find a piece of legacy technology controlling a critical process. These systems have persisted far longer than anyone anticipated, and at this point they are so deeply entrenched that some (maybe even most) seem impossible to root out and replace.


It is well documented that legacy systems are harder to make secure and keep secure, consuming more security resources while still creating more risk. Less discussed is that no amount of security can prop up a system that is approaching, or past, the brink of collapse. And when that point arrives, the damage is as bad as (or worse than) any attack. Just look at what has happened to airlines in recent weeks: massive damage to revenues and reputations, all because old software started to act its age.


I expect similar collapses to happen more often, more disruptively, and more unexpectedly in the near future. In so many areas, we have not so much replaced the old with the new as balanced the latter on top of the former, and now the foundation is crumbling.


As with my piece on the LastPass attack, my point is not to be defeatist about the future of technology. Rather, I want to take a more expansive view of cybersecurity, one focused less exclusively on defense and more on risk and resilience. How we get there is a massive question (leave your thoughts in the comments). But if there is any silver lining to today's airline apocalypse, it is that maybe it pushes us one step closer to making a change.


A software failure grounded thousands of flights today, raising a complicated question - how do you secure an unstable system? The answer has never been more urgent.

Tags

  • #cybersecurity

  • #vicarius_blog

  • #airline

  • #FAA

  • #Mainframe

  • #Legacy


Written by

Paul Lighter
