Aerospace Daily
January 24, 2002
As more measures are taken to tighten physical security in domestic airports,
U.S. airlines remain highly vulnerable to cyberattack, according to Internet security
analysts.
Airlines make particularly attractive targets for cybercriminals - whose crimes
can run the gamut from simple vandalism to identity theft and financial espionage - since
so much of their business has migrated online, according to Izhar Bar-Gad, chief
technology officer at Sanctum, Inc.
An online security company, Sanctum often performs "audits" for companies, in which
they run experiments to see how vulnerable their clients' web operations are, Bar-Gad said.
"We've audited quite a few airlines in the U.S., and the situation with them is
certainly not good," he told The DAILY. "We've been able to do many things,
starting from downloading all of the source code of their site, [to] gaining access
to their employee accounts, changing aspects of their pricing, etc. The results are
very, very frightening."
The potential dangers to airlines include lost revenue due to ticket forging and price
manipulation, as well as graver threats, Bar-Gad said, including "looking at records of
their employees, and thereby gaining access to their employees, which is something that
is extremely dangerous."
Sanctum, along with other cybersecurity companies such as KaVaDo Inc. and Stratum8 Networks,
are involved in the emerging field of "application security," in which programs
running on a company's website are protected, in addition to protecting the server
itself.
"In the early days of the Internet, what the hackers were going against was the operating
systems of the servers," John Pescatore, research director for Internet security at
Gartner Group, told The DAILY. "These days we're more likely to find them going
after the applications, like, say in a shopping site - the shopping cart application. Or
on a travel site - the application that presents you with itineraries and books
the reservation. This is software that's written specifically to run on top of
the web server, and those are where we find huge, gaping holes [in security]."
A determined cybercriminal could use the Internet to gain information not only about
airline customers and employees, but also critical information about the aircraft
themselves - "all of the information about [the planes], all their plans for them,
where they keep them, where they fly them, at what times, etc.," Bar-Gad said.
Despite all the emphasis on increased physical security after the Sept. 11 terrorist
attacks, Pescatore isn't sure that the threat of cyberattack has "sunk in" with
most U.S. airlines yet.
"The reason I say I'm not sure that it's really sunk in is, I've seen a lot of proposed
use of wireless networks by the airlines at airports for ground communications and
the like, and [in] the proposals I've seen, they look like they've been leaving them
wide open. Now that's not the Internet, necessarily, but it's wireless networks that
any passenger in the airport with a laptop with a wireless interface could try to
take advantage of."
Although most known use of the Internet by terrorists so far has been "legitimate"
- i.e., e-mail, research, and online shopping or banking - Pescatore thinks it's only
a matter of time before they branch out into cyberattack.
"The Internet lets terrorists take a shot in the safety of their own country,
so we know it's inevitable," he said.
|