[ISN] Airline Web sites seen as riddled with security holes

From: InfoSec News (isnat_private)
Date: Wed Feb 06 2002 - 00:38:55 PST

  • Next message: InfoSec News: "[ISN] CodeCon schedule announced, deadline for preregistration approaching"

    February 04, 2002
    Increasing concerns about the potential for hackers to manipulate
    critical back-end administrative systems through security holes
    commonly found in corporate Web sites have prompted at least one major
    airline to take preventive measures.
    "We are trying to defend our Web sites," said David Yaacobi,
    information systems security manager at El Al Israel Airlines at
    Ben-Gurion International Airport in Lod, Israel. "Hackers could go
    inside your Web sites and inject wrong or malicious code."
    El Al has deployed Sanctum Inc.'s AppShield 3.1 Web application
    firewall technology. That deployment comes on the heels of a security
    audit of a major U.S. airline conducted by the Santa Clara,
    Calif.-based vendor. According to Sanctum CEO Peggy Weigle, during
    that audit the airline's Web-based systems were breached. The security
    team that conducted the audit managed to make its way into the
    airline's back-end systems, including the reservation and maintenance
    systems, Weigle said.
    "Through a hole in the [front-end] application code, we were able to
    get to the back-end systems and able to download the source code of
    the entire application," said Weigle. "We could have obviously
    obtained passenger manifests, maintenance systems and whatever was
    there." The airline, which Weigle refused to identify for security
    reasons, still hasn't fixed the problems, she said.
    Dan Meehan, CIO of the Federal Aviation Administration, said he
    received a briefing on the audit from Weigle and noted that the FAA is
    working with the White House to develop a more aggressive outreach
    program focused on the airlines. "We want to take this specific piece
    of information and compare notes with a few other airlines to see if
    this is an isolated case or not," said Meehan. However, he said, it's
    too early to tell whether the audit did in fact uncover a significant
    breach of security.
    For his part, Yaacobi isn't taking any chances. Although El Al's
    reservation systems run on protocols that are "totally different than
    [standard Internet protocols] and are very difficult to hack," Yaacobi
    said the potential is still there, and El Al does whatever is
    necessary to protect them.
    "Since Sept. 11, any illegal access to data or transactions through
    our company Web site is viewed by us as a terrorist act," said
    Yaacobi. "With regular attempted attacks on our site, we view Web
    application security critical to our overall security plan ensuring
    the safety of our customers."
    Various Israeli government agencies deployed AppShield during the 2000
    cyberconflict between pro-Palestinian and Israeli hackers.
    John Pescatore, an analyst at Stamford, Conn.-based Gartner Inc., said
    Web application security is a serious problem for two-thirds of all
    corporate Web sites.
    "The current generation of firewalls focuses on the network level,
    kind of like the walls of a fort stopping direct attack," said
    Pescatore. "However, close to 75% of today's attacks are tunneling
    through applications. Application-level firewalls are something that
    any critical infrastructure company needs to look at."
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Wed Feb 06 2002 - 04:07:39 PST