Todos
← Back to Squawk list
Woman Allegedly Hacked Flight School, Cleared Planes With Maintenance Issues to Fly
A 26-year old woman allegedly hacked into the systems of a flight training school in Florida to delete and tamper with information related to the school's airplanes. In some cases, planes that previously had maintenance issues had been "cleared" to fly, according to a police report. The hack, according to the school's CEO, could have put pilots in danger. (www.vice.com) Más...Sort type: [Top] [Newest]
Security, security, security. Login's disabled as soon as someone leaves. Update passwords for all remaining staff. Store electronic back-up in the cloud AND on devices that can be removed. Monitor logins from remote sites. Inexpensive solutions to a potentially dangerous problem.
Too true and so easy to do
Superficially these solutions might be appear practical in small companies in a non time critical environment. But in a large organisation with locations across the globe it is much more difficult. One example: For events such as people leaving almost each week, having protocols mandating frequent password changes is very difficult and leads to password resets when the user forgets their latest and locks their account by exceeding the permitted retries.
Removable backup devices are dependent on data volumes. Again an administrative difficulty for a large organisation. But also keeping track of the backup devices and restoration procedures demands a competent, disciplined, approach. Its one thing to "run the backups" but its another thing to know what generation to restore and how to do it. As for "the cloud", you need to be sure that you can reach your data out there when you need it.
With remote users "working from home" and other locations such as a truck stop or medical facility's waiting room etc, or someone using a vpn, how do your systems monitor logins from remote sites ? In large organisations, or using contractors, especially overseas, this issue is exacerbated.
Security is a very tricky issue and even for a small organisation with only one or two key systems personnel what happens when one of your key people is suddenly unavailable through accident or illness ?
Solutions to security are not inexpensive.
Removable backup devices are dependent on data volumes. Again an administrative difficulty for a large organisation. But also keeping track of the backup devices and restoration procedures demands a competent, disciplined, approach. Its one thing to "run the backups" but its another thing to know what generation to restore and how to do it. As for "the cloud", you need to be sure that you can reach your data out there when you need it.
With remote users "working from home" and other locations such as a truck stop or medical facility's waiting room etc, or someone using a vpn, how do your systems monitor logins from remote sites ? In large organisations, or using contractors, especially overseas, this issue is exacerbated.
Security is a very tricky issue and even for a small organisation with only one or two key systems personnel what happens when one of your key people is suddenly unavailable through accident or illness ?
Solutions to security are not inexpensive.
Smaller organizations are the ones less likely to have "good" security. Larger organizations have economy of scale going for them, along with more at risk. Standard security practice is to use a distributed directory system (such as Microsoft's Active Directory) for identification/authentication, disallow (through policy and audits) the use of "group logins" (accounts with passwords shared amongst a group of users), and to have an automated process that disables a person's login credentials when they are terminated. If electronic key cards are used to control physical access, then the same automated process can block the key card as well.
Smaller organizations tend to have people wearing multiple hats, a higher level of implicit trust amongst employees, and a lack of will when it comes to having and enforcing the information security policies that mitigate the risk of a terminated employee sneaking back in and causing problems (through electronic or physical access). They also have a smaller number of people between which to distribute key responsibilities.
In this case I would not be surprised if the one user's password was either easily guessable or in fact was shared or easily discoverable and unchanged from when the ex-employee worked there. Writing down passwords on post-its stuck to the bottom of keyboards is a trope because it happens all too often, especially with people who are focused on the business and not overly concerned with being fussy about security details.
I would not use the verb "hacked" to describe what happened, any more than I would use the term "breaking and entering" to describe someone who used a key hidden under a mat to get into my house. Unauthorized entry is a better term.
Determining whether the individual in question's actions posed a significant risk to health and safety depends on other variables including how readily detectable and correctable the changes made were by the existing employees.
Smaller organizations tend to have people wearing multiple hats, a higher level of implicit trust amongst employees, and a lack of will when it comes to having and enforcing the information security policies that mitigate the risk of a terminated employee sneaking back in and causing problems (through electronic or physical access). They also have a smaller number of people between which to distribute key responsibilities.
In this case I would not be surprised if the one user's password was either easily guessable or in fact was shared or easily discoverable and unchanged from when the ex-employee worked there. Writing down passwords on post-its stuck to the bottom of keyboards is a trope because it happens all too often, especially with people who are focused on the business and not overly concerned with being fussy about security details.
I would not use the verb "hacked" to describe what happened, any more than I would use the term "breaking and entering" to describe someone who used a key hidden under a mat to get into my house. Unauthorized entry is a better term.
Determining whether the individual in question's actions posed a significant risk to health and safety depends on other variables including how readily detectable and correctable the changes made were by the existing employees.
"I'm going to get back my previous evil employer by killing innocent pilots and their passengers! Then they'll blame the flight school, hahaHAHAHA!!"
This is much more serious than just unauthorized computer access.
This is much more serious than just unauthorized computer access.
I imagine the Feds will get involved. Hope little missy wasn’t looking at a career in aviation!
This does violate the federal computer crimes act, so she should expect a federal prosecution.