Day Tripping and FAA Amateur Hour

I don’t normally go for cute kid videos, but this one includes some post-dentist  “day-tripper” action that I enjoyed a lot.

[youtube]txqiwrbYGrs[/youtube]

On a personal note it was reiterated again what a bunch of amateurs work in FAA administration/information technology.

That fact is highlighted by videos such as this and this.

I (as well as many of my air traffic colleagues) admittedly have a great deal of intolerance for incompetence in FAA management and administration as air traffic controllers get zero leeway to make mistakes in their jobs.

And if air traffic controllers make mistakes while working the situation is scrutinized in great detail afterwards (Monday morning quarterbacking by office people or to quote a friend, “Use your best judgment; you’ll be second-guessed later), whereas other people in the same agency are allowed to routinely make grievous errors with little or no consequence.  How nice for them…

It made the news that about a week ago someone in Turkey hacked into an FAA administrative server and made off with the names and social security numbers of some 45,000 FAA employees, as well as encrypted medical information for employees.

The story seems to have originated from union leaders of FAA employees rather than the FAA itself.  Over 24 hours after the breach was announced I’ve still yet to be formally advised by my employer of the breach.

The FAA was quick to point out in its press release that the servers that were compromised weren’t air traffic computers; only administrative ones, as if it were a trivial matter to the 45,000 employees whose information was stolen.

The server that was accessed was not connected to the operation of the air traffic control system or any other FAA operational system, and the FAA has no indication those systems have been compromised in any way.

Now history as shown that the hackers are usually more wily than the security guys and the way many security issues get discovered/highlighted and/or fixed is after a breach.  So I normally wouldn’t have a problem with the breach if that was the only issue.

But there are two bigger problems I have with what happened.

First, and foremost, is anyone with even the most basic common sense could figure out that the best security is to keep confidential information off servers that could be breached.

I have no idea why the FAA had/has confidential employee information on servers accessible to the Internet to begin with!  The FAA has its own (allegedly) secure intranet/network for such purposes, so what possible purpose would having personnel information accessible via the Internet serve?!

As it is an obvious security risk it seems inexcusable that this information was online to begin with.

And to top it off, apparently this data was there because the FAA was using it for testing!

From an email from the Acting FAA Administrator, Lynne Osmus:

Most of the 48 breached files were test files used for application
development.  Two of these files contained names and social security   numbers.  One of them contained information on more than 45,000  employees and retirees who were on FAA rolls as of the first week of  February 2006.  Medical information from the hacked files was encrypted and not identifiable.

Now what moron uses real employee data for testing?!  (Beside the FAA, I mean…)  Would it have been that difficult to generate 45,000 fake social security numbers and names for testing?

Even though I view this as a egregious cluster-fuxk I’m sure nothing will come of this other than the potential problems for anyone whose information was stolen.

But I’m sure the FAA is really sorry, so that makes up for it, right?

Thanks a lot, FAA!

2 comments

  1. Tim…actually, they sent out a notice to your faa email account to warn you of the breach. The email states…

    Dear Colleagues:

    I want to alert you that the Cyber Security Management Center identified some unusual activity from an FAA administrative server last week. An investigation revealed that the server was breached by a hacker.

    Most of the 48 breached files were test files used for application development. Two of these files contained names and social security numbers. One of them contained information on more than 45,000 employees and retirees who were on FAA rolls as of the first week of February 2006. Medical information from the hacked files was encrypted and not identifiable.

    We are moving swiftly to identify short-term and long-term measures – procedural and technological – to prevent such incidents from recurring. All current and former employees who are affected will receive a letter shortly alerting them to this event.

    In addition, we are posting information in the form of FAQs on the employee and public web sites, and we will update that information, via the web and other channels, should the investigation reveal more information. We also are setting up a toll-free hotline to answer employee calls related to this event.

    We will continue our efforts to further protect our computer security systems and will keep you informed as the investigation continues.

    Lynne Osmus
    Acting FAA Administrator

    I’d like to think that they’ll scrutinize this every which way to find who is responsible for allowing this to happen but the cynic in me believes that no manager type will hang for this. Possibly a worker bee will.

    There’s no un-ringing this bell. The damage has been done. Our names and SSN’s are out there and there’s no changing that. Steve W. said he spent 3 hours this morning changing accounts and going through a lot of hassles to try and secure his privacy. Do you suppose the faa will compensate him for those 3 hours? Not likely.

    Speaking of cute kid videos. Here’s one for you.

  2. Kev,

    I have a copy of that email that I got elsewhere, but I don’t read my FAA email account as it’s too crammed with FAA spam. I resolved that I would only use that account if ordered to, as I don’t have the inclination or time to weed through all the garbage they spam out to everyone.

    Regardless, I don’t believe an email is an acceptable notification method for such an occurrence. If someone stole your bank account number and your bank found out about it, would you be happy if they only notified you with an email?

    The FAA needs to make sure that every affected employee is briefed on the situation. Considering they seem to be able to brief us on all the other stuff they think is important (and have us sign for it for that matter) either with computer based instruction (CBI) or briefings the fact that their only attempt at notification was to spam out an email to accounts they know most air traffic controllers don’t bother to read isn’t even worth mentioning.

    And it says volumes to me about how the FAA views this breach and/or those affected by it. Apparently it’s not important enough to bother with anything more than a spam email; no big deal, have a nice day.

    So as far as I’m concerned, I still haven’t been notified, at least not properly.

Leave a Reply

Your email address will not be published. Required fields are marked *