The Federal Aviation Administration has joined the growing list of government agencies that have had their supposedly safe systems hacked. The agency this week notified about 45,000 employees that one of its servers was hacked into and employee personal identity information was stolen.
The FAA was quick to say the server that was accessed was not connected to the operation of the air traffic control system or any other FAA operational system. It did say two of the 48 files on the breached computer server contained personal information about more than 45,000 FAA employees and retirees who were on the FAA's rolls as of the first week of February 2006.
On the agency's Web site it states: The FAA is moving quickly to prevent any similar incidents and has identified immediate steps as well as longer-term measures to further protect personal information. The agency is also providing a toll-free number and information on the employee website for those who believe they may be affected by the breach.
Such breaches are seemingly commonplace on government networks. A Government Accountability Office report last year found that only 2 of 24 agencies had implemented all of the security requirements mandated by the Office of Management and Budget last year to protect personal information.
According to the GAO report, the Treasury Department and the Department of Transportation had implemented the strongest security, while the National Science Foundation and the Small Business Administration were worst.
The federal government has seen significant exposures of personally identifiable information in the past few years. According to a 2006 congressional staff report, since January 2003, 19 departments and agencies reported at least one loss of personally identifiable information that could expose individuals to identity theft.
According to the GAO report, a series of data breaches at federal agencies have involved system intrusion, phishing scams, and the physical loss or theft of portable computers, hard drives, and disks. During fiscal year 2006, federal agencies reported a record number of incidents to the US Computer Emergency Readiness Team (US-CERT). For example, in 2006 there were 5,146 incident reports, a substantial increase over the 3,569 incidents reported in 2005. During this period, US-CERT recorded a dramatic rise in incidents where either physical loss or theft or system compromise resulted in the loss of personally identifiable information.
In January, the GAO targeted the IRS saying that while the agency has made some progress in protecting and securing its data, the IRS continues to jeopardize the confidentiality, integrity, and availability of financial and sensitive taxpayer information.
Also in January, the GAO stated: Federal agencies have made progress in strengthening information security. The administration has also launched several initiatives that are intended to improve security over federal systems, such as establishing security configurations for desktop computers and reducing the number of federal access points to the Internet. However, most agencies continue to experience significant deficiencies that jeopardize the confidentiality, integrity, and availability of their systems and information. For example, agencies did not consistently implement effective controls to prevent, limit, and detect unauthorized access or manage the configuration of network devices to prevent unauthorized access and ensure system integrity. Until agencies implement the hundreds of recommendations made by GAO and their inspectors general to resolve identified deficiencies and fully implement effective security programs, a broad array of federal assets and operations will remain at unnecessary risk of fraud, misuse, and disruption.
Layer 8 in a box
Correction
The FAA has advised all of its employees that 45,000 employees and retirees have potentially been affected, but the 45,000 do not yet know who they are. They will be receiving a nice letter in the post.
The server in question evidently was a "test" server that for some reason had names and SSNs of real employees and retirees on it. PHI data was also on the server, but the FAA claims that that data was encrypted, whatever that means. I don't suppose they've ever heard of creating bogus test data for a test server.
Freaking morons.
RE: Correction
I'm right there with you. No test or Dev server should ever have real data on it. For God's sake, hasn't anyone in government heard of data stewardship? Say it three times really slow and it will sink in maybe.
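The two comments above make the same practical point: a test or development server should hold fabricated records, and nothing should be loaded onto it until someone has checked that no real identifiers slipped in. The script below is an added illustration of both halves of that practice; it is not code from the article, the FAA or any commenter. It assumes a simple record layout (id, name, ssn, email) that I made up, and it relies on one fact about the SSN format that is publicly documented by the Social Security Administration: area numbers 000, 666 and 900-999, group 00 and serial 0000 are never assigned to a person. The generator uses area 900-999 together with group 00 so the values are invalid both as SSNs and as IRS ITINs (which also begin with 9), and the scanner flags any SSN-shaped value that falls inside an assignable range.

```python
import random
import re

# Hypothetical helper (not FAA code): keep real SSNs out of test fixtures.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def never_issued(area: int, group: int, serial: int) -> bool:
    """True when SSA numbering rules guarantee this value was never assigned."""
    return area in (0, 666) or area >= 900 or group == 0 or serial == 0


def find_possibly_real_ssns(text: str) -> list[str]:
    """Return every SSN-shaped substring that lies in an assignable range."""
    return [
        m.group(0)
        for m in SSN_RE.finditer(text)
        if not never_issued(*(int(part) for part in m.groups()))
    ]


def synthetic_ssn(rng: random.Random) -> str:
    """Area 900-999 plus group 00: invalid as an SSN and as an ITIN."""
    return f"{rng.randint(900, 999):03d}-00-{rng.randint(1, 9999):04d}"


# Constructed name pools; any resemblance to real employees is coincidental.
FIRST = ["Alex", "Sam", "Jordan", "Casey", "Morgan", "Riley", "Taylor", "Quinn"]
LAST = ["Example", "Sample", "Placeholder", "Fixture", "Testcase", "Dummy"]


def synthetic_employees(n: int, seed: int = 0) -> list[dict]:
    """Build n fabricated employee records suitable for a test server."""
    rng = random.Random(seed)
    return [
        {
            "id": i + 1,
            "name": f"{rng.choice(FIRST)} {rng.choice(LAST)}",
            "ssn": synthetic_ssn(rng),
            # .invalid is reserved by RFC 2606, so mail can never reach anyone.
            "email": f"test{i + 1}@example.invalid",
        }
        for i in range(n)
    ]


def fixture_violations(records: list[dict]) -> list[tuple]:
    """Scan every field of every record; return (id, field, value) for suspect SSNs.

    Run this gate before a dataset is copied to any dev or test host.
    """
    bad = []
    for rec in records:
        for field, value in rec.items():
            for hit in find_possibly_real_ssns(str(value)):
                bad.append((rec.get("id"), field, hit))
    return bad


if __name__ == "__main__":
    clean = synthetic_employees(5)
    print("violations in generated fixture:", fixture_violations(clean))
    # Constructed example of the mistake the comments describe: one real-looking
    # value pasted into an otherwise synthetic fixture (this SSN is made up).
    leaked = clean + [{"id": 99, "name": "Jane Doe", "ssn": "123-45-6789",
                       "email": "jane@example.invalid"}]
    print("violations after a real-shaped value slips in:", fixture_violations(leaked))
```

The scanner is deliberately format-based rather than a lookup against real data, so it can run in a CI job without itself needing access to anything sensitive. Its limit is the same as its strength: it only catches values that look like SSNs, so names, addresses or other PHI that a test server should not hold need their own checks.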
Air Traffic Control Systems not hacked?
LOL - who would/could hack into the 1960's era COBOL ATC system? Hold on, let me dig up my 300 baud modem...
It's YET ANOTHER Microsoft Security Breach
Why do these stories never say which platform was cracked? It's the bus/desktop side, which by decree of the previous/devious overlord was made to go Microsoft - which since it's MY government, I want them to use Linux.
Credit/Fraud protection
I am assuming that the FAA will be paying for credit/identity fraud protection for at least a year if my name is found to be one of the 45,000 who were compromised.
RE: Credit/Fraud Protection
The acting director sent out an email at 6:48 Wednesday evening stating that the FAA would be offering a free year of credit monitoring. I thought that was a good start after nearly a week of doing nothing.
Then I read that the FAA management didn't come up with that on their own. No, it took Rep. Frank LoBiondo, R-N.J. to push them into doing the right thing. These folks just don't get it. The V.A. just lost a class action lawsuit over the exact same thing and they are having to pay for Veterans credit monitoring and fraud prevention expenses...as well as the medical bills for those stressed out over all of this. The remaining money will go to a charity to house veterans families while they visit their military person in the hospital.
So, when forced to do it, they did the "right" thing. Ok, what happens next year? They are only offering credit monitoring for a year. Will our SSNs no longer be public in a year? Will the thieves give the data back? The VA lost my data twice. Now the FAA has lost it to thieves, yet again. I might as well take out a front page ad and post my SSN! I will have to look over my shoulder and be inconvenienced for the REST OF MY LIFE because these idiots couldn't take the most basic precautions. Why were they using real data on a test bed? Why was real data accessible to the internet? Why weren't the SSNs and personnel data encrypted? Why was this processor allowed access outside the FAA Domain, let alone the DOT Domain? These are not difficult or novel approaches to cyber security. This isn't new. A first year IT student knows this much!!! This is negligence. It may be CRIMINAL negligence. Regardless, it was entirely avoidable.
Was this done by FAA personnel or contractors? I am pretty sure that this was outsourced to save a buck. Great job!
stolen
employee personal identity information was stolen.
Why were the thieves so interested in personal identity information?
24 Days and Still No Letter From FAA
It has been 24 days since the FAA Dev Server was hacked and our SSNs were compromised...and still no letter telling us what data was stolen or how to protect ourselves from ID theft or sign up for credit monitoring.