Airline Web sites seen as riddled with security holes

[InfoSec News <isn () c4i org>]

http://www.computerworld.com/cwi/stories/0,1199,NAV47-68-84-91_STO67973,00.html

By DAN VERTON 
February 04, 2002

Increasing concerns about the potential for hackers to manipulate
critical back-end administrative systems through security holes
commonly found in corporate Web sites have prompted at least one major
airline to take preventive measures.

"We are trying to defend our Web sites," said David Yaacobi,
information systems security manager at El Al Israel Airlines at
Ben-Gurion International Airport in Lod, Israel. "Hackers could go
inside your Web sites and inject wrong or malicious code."

El Al has deployed Sanctum Inc.'s AppShield 3.1 Web application
firewall technology. That deployment comes on the heels of a security
audit of a major U.S. airline conducted by the Santa Clara,
Calif.-based vendor. According to Sanctum CEO Peggy Weigle, during
that audit the airline's Web-based systems were breached. The security
team that conducted the audit managed to make its way into the
airline's back-end systems, including the reservation and maintenance
systems, Weigle said.

"Through a hole in the [front-end] application code, we were able to
get to the back-end systems and able to download the source code of
the entire application," said Weigle. "We could have obviously
obtained passenger manifests, maintenance systems and whatever was
there." The airline, which Weigle refused to identify for security
reasons, still hasn't fixed the problems, she said.

Dan Meehan, CIO of the Federal Aviation Administration, said he
received a briefing on the audit from Weigle and noted that the FAA is
working with the White House to develop a more aggressive outreach
program focused on the airlines. "We want to take this specific piece
of information and compare notes with a few other airlines to see if
this is an isolated case or not," said Meehan. However, he said, it's
too early to tell whether the audit did in fact uncover a significant
breach of security.

For his part, Yaacobi isn't taking any chances. Although El Al's
reservation systems run on protocols that are "totally different than
[standard Internet protocols] and are very difficult to hack," Yaacobi
said the potential is still there, and El Al does whatever is
necessary to protect them.

"Since Sept. 11, any illegal access to data or transactions through
our company Web site is viewed by us as a terrorist act," said
Yaacobi. "With regular attempted attacks on our site, we view Web
application security critical to our overall security plan ensuring
the safety of our customers."

Various Israeli government agencies deployed AppShield during the 2000
cyberconflict between pro-Palestinian and Israeli hackers.

John Pescatore, an analyst at Stamford, Conn.-based Gartner Inc., said
Web application security is a serious problem for two-thirds of all
corporate Web sites.

"The current generation of firewalls focuses on the network level,
kind of like the walls of a fort stopping direct attack," said
Pescatore. "However, close to 75% of today's attacks are tunneling
through applications. Application-level firewalls are something that
any critical infrastructure company needs to look at."



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.