[iwar] [fc:Transportation.agencies.called.vulnerable.to.cyberattacks]

From: Fred Cohen (fc@all.net)
Date: 2001-09-28 16:13:22



Transportation agencies called vulnerable to cyberattacks 
By Joshua Dean, Government Executive, 9/28/2001 http://www.govexec.com/dailyfed/0901/092701j1.htm

The Transportation Department and its operating agencies are vulnerable
to computer attacks, according to a newly released report from the
department's inspector general. 

"This report presents the first big picture on security at DOT," said
David Barnes, spokesman for the IG's office.  The report focuses
primarily on security deficiencies in the Federal Aviation
Administration's air traffic control system and on the Coast Guard's
disaster recovery capabilities. 

The report was required under the 2001 Government Information Security
Reform Act, which mandated "an annual independent evaluation of
agencies' information security programs."

Investigators were most concerned about the FAA's planned upgrade to its
telecommunications system and its repercussions on information security. 
"The most significant network security issue we identified concerns
FAA's plans to place its air traffic control systems, which now operate
on a dedicated network, and its administrative systems on one integrated
network with direct connections to the Internet," the report said.  "We
found that while FAA asked vendors to propose security solutions for the
integrated network, it did not adequately evaluate security for air
traffic control systems."

Of the FAA's 400 air traffic control systems, the IG found FAA planned
only to certify 40 of those as being secure before awarding a contract
to connect the agency to the Internet.  The IG agreed with the FAA's
goal of integrating all networks supporting air traffic control. 
However, the report encouraged the FAA to keep its administrative
network separate from the air traffic control network. 

The FAA has since deferred awarding one contract pending resolution of
the security issue, the report said. 

The IG's report also concluded that the Transportation Department as a
whole was deficient in protecting information systems.  "We identified
weaknesses in firewall security that allowed us to gain unauthorized
access from the Internet to about 270 computers located within DOT's
private networks," said the report. 

The IG also expressed concern about weaknesses in safeguarding access to
computers at DOT agencies.  The report identified numerous access
weaknesses, such as systems that allowed unlimited password attempts or
failed to make passwords expire on pre-established dates, a failure to
prevent unauthorized remote access, a lack of encryption of financial
data and weak oversight of contractors working on DOT information
systems. 

Barnes noted that while the FAA has made significant strides in
conducting background checks on contractors, other Transportation
agencies have not.  The FAA reported it has conducted background checks
on 85 percent of its contractors, while the department's other agencies
averaged just 25 percent. 

The report criticized Transportation's critical infrastructure
protection efforts and said its disaster recovery and system contingency
plans were inadequate.  The IG's office singled out the Coast Guard as a
prime offender.  "If its main data center experiences prolonged service
disruptions, [the] Coast Guard would have difficulty in recovering its
search and rescue system," the report said. 

The IG's office acknowledged that the department has made strides in
cybersecurity and protecting privacy.  "However," the report said, "as
evidenced by the recent Code Red worm attack, which caused service
disruptions to more than 100 DOT computers, including Web sites,
maintaining Web security and privacy protection remains a challenge."



------------------
http://all.net/ 




This archive was generated by hypermail 2.1.2 : 2001-09-29 21:08:51 PDT