Airports “hacked” by ransomware gang

I’m looking at media reporting of the disruption caused to airports by the latest ransomware attack and I’m once again struck by the lack of detail. The victims are, as always, tight-lipped about it, and this translates in the media as “we don’t know what happened apart from it was an attack”.

Anyone who knows how this stuff works will have a pretty good idea what went down. So let’s look at the Collins Aerospace system at the heart of it. It’s reported as being MUSE, but it’s actually cMUSE.

cMUSE stands for common-use Multi-User System Environment, and it allows airlines to share check-in desks. It’s what’s known as a common-use passenger processing system, or CUPPS. When the self-loading cargo presents itself at the check-in it tracks their bags using integration with systems like BagLink, sorts out boarding and so on. Its main competitor, if you look at it that way, is SITA’s BagManager, but this only handles and tracks luggage.

Now here’s the thing – cMUSE makes a big thing of being cloud-based. It runs on AWS as a SaaS product. It is possible to run it on your own infrastructure, but they sell the benefits of not needing your own servers and expensive IT people to manage it – just let them do it for everyone on AWS.

So what went wrong? They haven’t said, but a penny to a pound it’s the AWS version that got hit. That’s why so many airlines got their check-in hijacked in one go. A nice juicy target for the ransomware gangs.

At Heathrow, I believe it’s deployed on over 1,500 terminals on behalf of more than 80 airlines. It’s used in over 100 airports worldwide, which isn’t a huge share of the total number (there are over 2,000 big ones according to the ACI), but it’s been sold extensively to the big European ones – high-traffic multi-carrier hubs. The ones that matter. Heathrow renewed for another six-year contract this April.

Collins claims it will save $100K per airport by going to AWS, but that must seem like a false economy right now. Its predecessor, vMUSE, dates from before cloud-mania, and users of the legacy system must be feeling quite smug. Many airports have a hybrid of cMUSE and vMUSE and it’s hard to know the mix.

Ottawa International went cloud with a fanfare in 2017, and Shannon Airport chugged down the Kool-Aid, renewing for cloud-only in 2025. Heathrow is likely mostly cloud. Cincinnati/Northern Kentucky and Indira Gandhi International (Delhi) are publicly known to be cloud users. What’s the bet Brussels and Berlin Brandenburg are on the list? Lesser problems at Dublin and Cork, which use the system, suggest they’re hybrid or still on vMUSE.

Subscribing to a cloud service for anything important is such a bad idea. You’re only as safe as your cloud provider. There’s no such thing as a virtual air-gap, and large-scale attacks like this are only possible because everyone’s using the same service. If airports save $100K by switching, they’d be much better off having servers on-site and paying someone to look after them – part-time if it’s such a small amount in question.

If you want a games server in the cloud go ahead. If my business depended on it, I’d want to know where my data was and who could get at it.

MAG Airports web site exploitable for mail-bombing attacks

Last July I was surprised to receive an email of “special offers” from Manchester Airport. I’ve only ever been to Manchester once, and I drove. It was actually sent to a random email address; was the company just sending out random spam?

I checked, and visiting their web site produced a JavaScript pop-up asking you to enter your email address to receive special offers. I wondered if I’d accidentally confirmed acceptance to be added to the wrong mailing list, so I checked. No. Apparently this sign-up doesn’t bother to confirm that you actually own the email address entered; it just starts spamming whoever you ask it to.

It got worse. A look at the code showed it was easy for someone to make a load of calls to their site and add as many bogus addresses as they liked, at the rate of several every second.

And it gets even worse – a quick look at the sites for other airports operated by MAG (Stansted, Bournemouth and East Midlands) showed identical pop-up sign-ups.

Naturally I called them to let them know what a bunch of silly arses they were. After being passed around from one numpty to another, I was promised a call back. “Okay, but I’ll go public if you don’t bother”.

Guess what? That was last July and they haven’t bothered. They did, however, eventually remove the pop-up box. They didn’t disable it, though. The code is still there on a domain owned by MAG Airports, and you can still use it to do multiple sign-ups with no verification.

So what are they doing wrong? Two things:

  1. Who in their right mind would allow unlimited sign-ups to a newsletter without verifying that the owner of the email address actually wanted it? Were they really born yesterday? Even one of the MD’s kids writing their web site wouldn’t have made such an elementary mistake.
  2. Their cyber-security incident reporting mechanisms need a lot of work. Companies that don’t have a quick way of hearing about security problems are obviously not doing themselves or the public any favours.

One assumes that MAG Airports doesn’t have any meaningful cybersecurity department; nor any half-way competent web developers. I’d be delighted to hear from them otherwise.
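For contrast, here is what a sign-up endpoint without those two defects looks like. This is an added example and not anything from MAG’s site: a double opt-in, where an address only goes on the list once whoever owns the mailbox clicks a link carrying an HMAC-signed token, plus a per-client rate limit so the form can’t be driven at several requests a second. The secret key, the addresses, the client identifiers and the limits are all made up for the example.

```python
"""Double opt-in newsletter sign-up with a signed confirmation token and a
per-client rate limit.  Added example, not MAG's code.  SECRET, the limits,
the sample addresses and client identifiers are all constructed for
illustration."""
import hashlib
import hmac
import time
from collections import defaultdict, deque

SECRET = b"rotate-me-and-keep-out-of-source-control"  # hypothetical server key
TOKEN_TTL = 24 * 3600      # confirmation link valid for one day
RATE_LIMIT = 5             # sign-up requests allowed per client...
RATE_WINDOW = 3600         # ...per hour

_pending = {}                   # address -> issue time; NOT on the list yet
_subscribed = set()             # addresses whose owner clicked the link
_requests = defaultdict(deque)  # client key -> timestamps of recent requests


def _normalise(email: str) -> str:
    return email.strip().lower()


def make_token(email: str, issued: int) -> str:
    """HMAC over (address, issue time); cannot be forged without SECRET."""
    mac = hmac.new(SECRET, f"{email}|{issued}".encode(), hashlib.sha256).hexdigest()
    return f"{issued}:{mac}"


def _allowed(client: str, now: float) -> bool:
    """Sliding-window limit: at most RATE_LIMIT requests per RATE_WINDOW."""
    q = _requests[client]
    while q and now - q[0] > RATE_WINDOW:
        q.popleft()
    if len(q) >= RATE_LIMIT:
        return False
    q.append(now)
    return True


def request_subscription(email: str, client: str, now: float = None) -> dict:
    """Step 1: the form submission.  Nothing is sent to the list; the only
    message goes to `email` itself and carries the token.  The token is
    returned here so the flow can be exercised offline; a real site e-mails
    it and never shows it to the requester."""
    now = time.time() if now is None else now
    email = _normalise(email)
    if "@" not in email:
        return {"status": "rejected", "reason": "malformed address"}
    if not _allowed(client, now):
        return {"status": "rejected", "reason": "rate limited"}
    _pending[email] = int(now)
    return {"status": "pending", "token": make_token(email, int(now))}


def confirm(email: str, token: str, now: float = None) -> bool:
    """Step 2: the link from the e-mail.  Only someone who can read the
    mailbox has the token, so only the mailbox owner can complete sign-up."""
    now = time.time() if now is None else now
    email = _normalise(email)
    try:
        issued_s, _mac = token.split(":", 1)
        issued = int(issued_s)
    except ValueError:
        return False
    expected = make_token(email, issued)
    if not hmac.compare_digest(expected, token):  # constant-time comparison
        return False
    if now - issued > TOKEN_TTL:
        return False
    _pending.pop(email, None)
    _subscribed.add(email)
    return True


def is_subscribed(email: str) -> bool:
    return _normalise(email) in _subscribed


if __name__ == "__main__":
    # Constructed walk-through: request, then confirm with the e-mailed token.
    r = request_subscription("someone@example.com", "203.0.113.7")
    print("on list before confirm:", is_subscribed("someone@example.com"))
    print("confirm:", confirm("someone@example.com", r["token"]))
    print("on list after confirm:", is_subscribed("someone@example.com"))
```

The token binds the address and the issue time to a secret the server never publishes, so nobody can mint confirmations for other people’s mailboxes, and the list only ever contains addresses whose owners completed step 2. The rate limit here is keyed on the client address, which is the first thing a site in this position should do; a CAPTCHA or similar cost on the form is the next step if the abuse moves to many source addresses.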

In the meantime, if you want to add all your enemies to their spamming list, here’s the URL format to do it:

Okay, perhaps not but if it’s not fixed by the next time I’m speaking at a conference, it’s going on the demo list.

 

Governments’ hacking fantasies

It’s silly season again.

Yesterday George Osborne warned that Islamists were tooling up and planning deadly cyber-attacks against the UK, targeting critical systems like ATC and hospitals, as he announced that government spending on countermeasures would double from about £200M to £400M a year. Mr Osborne has shown a rather tenuous grasp of technology in the past, and I fear he’s been watching too many Hollywood movies when forming his current opinion.

I know a bit about ATC, and the chances of a jihadi disrupting NAS over the internet are slight. Damaging aviation is much easier by more direct means.

Likewise, while I have little time for the design of NHS computer systems, even they’d be hard to seriously disrupt. So difficult that it really wouldn’t be worth the bother. If you want to knock out a hospital, blow up the generators and the electricity feed – it’s obvious. About the only systemic damage you could do remotely would be to mess up central databases, but these seem to get messed up regularly anyway, and the world goes on.

But this seems positively sane and sensible compared to today’s report from the “US-China Economic and Security Review Commission”. They’re all exercised about those nasty Chinese guys pinching trade secrets by hacking into US companies and government agencies. I’m sceptical about the idea that the Chinese government is behind this, and the Commission has weakened the credibility of its claims with its suggested response to the activity:

Yes folks, their suggestion is that Americans hack into the Chinese systems and steal back or delete the stolen data. How exactly does one steal back data? And do they really think it’s possible to locate, identify and delete stolen data found in a foreign country? Deleting all copies of data from a local system is hard enough, and if the IT department knows its stuff, it’s impossible, as it won’t all be on-line.

Whilst there’s plenty of evidence that people in China, and possibly the military, are engaged in cyber-espionage, this idea reads like the plot of another Hollywood movie of the type George Osborne seems to have been watching. Everyone in the security world knows that the majority of criminal activity on the Internet actually comes from… the USA. This doesn’t mean the US government is behind it – by the sound of the advice they’re getting, they wouldn’t know how.

People like me have been saying that cyber-crime is (going to be) a big problem for many years now, and I welcome governments waking up and taking it seriously at last. The private sector has done spectacularly badly, as the money is in the superficial stuff, and real security gets in the way of profits. It’s just a shame that governments have woken up and are groping groggily around in the dark.

Is Northolt Aerodrome Dangerous?

Biggin Hill, a rival airfield to Northolt chasing executive jet traffic for London, has got hold of a 2012 report that says Northolt doesn’t meet current CAA standards for obstacle clearance, especially at the east end of the runway. Northolt has been there for a hundred years, so shame on the local council for allowing this allegedly dangerous development to have taken place.

It wouldn’t be the only airfield to lose its CAA licence since the new rules came in (e.g. Sandown and Bembridge on the IoW), but then again it’s a military/government field and is regulated by the MAA instead. The civil operators of Biggin Hill and Oxford reckon the CAA should take over regulation, and (presumably) shut their rival down. They would say that, wouldn’t they?

Of course, a cynic like me may wonder whether the value of a huge plot of land next to the A40 had a bearing on what interested parties have to say on the subject.

 

Blackbushe Cybersquatting Club

Today the nice people at Blackbushe Flying Club decided to register the ICAO airfield designator for Popham Airfield in Hampshire (eghp.co.uk) and redirect it to their flying school at Blackbushe. Nominet claims to have validated Blackbushe Flying Club Ltd as the rightful owners, which is interesting.

I used to be a member of the flying club at Popham for many years, but I’m not now. Still friendly though. I’m also a member of Nominet. If anyone from Popham would like to get in touch for backup in getting these juvenile scallywags at Blackbushe dealt with appropriately, I should be flying in some time tomorrow morning.

FWIW, here’s chapter and verse:

Domain name:
 eghp.co.uk
Registrant:
 Blackbushe Flying Club
Registrant type:
 UK Limited Company, (Company number: 00000)
Registrant's address:
 11 The Close
 College Town
 Sandhurst
 Berkshire
 GU47 0RE
 United Kingdom
Data validation:
 Registrant contact details validated by Nominet on 08-Apr-2015
Registrar:
 Mesh Digital Limited t/a Domainmonster.com [Tag = MONSTER]
 URL: http://www.domainmonster.com
Relevant dates:
 Registered on: 08-Apr-2015
 Expiry date: 08-Apr-2017
 Last updated: 08-Apr-2015

Update 13-Apr-2015

I did some investigating and I know exactly who is behind this, and it was nothing to do with Popham or a joke. It looks like something that seemed like a good idea at the time to someone. It’s not actually Blackbushe airfield that’s behind it, it’s an outfit calling itself Blackbushe Flying Group (and I won’t get personal by naming the individual).

Judging from the hit-count on this page, and the result of a few phone calls, “someone” has realised the error of his ways and changed it to a redirect sending all traffic to Popham’s real web site. If that someone wishes to get in touch I can help make it right permanently, at least as far as Popham is concerned. His landlord, Blackbushe Airport Ltd, may be less forgiving as, in addition to associating the Blackbushe name with some skulduggery, he’s only gone and registered eglk.co.uk too. Ouch.

If the idea behind the wheeze was there’s no such thing as bad publicity, I’d say that was only partly true.

 

Sad to hear of aircraft down at Popham

So sad to hear of the loss of life at Popham today when a small light aircraft came down south of the A303 in poor weather, almost certainly attempting a descent to land on runway 26. One of the three on board survived, and was driven to Southampton hospital in critical condition. Apparently the aircraft wasn’t based at Popham, but had left from Bembridge and was presumably diverting there due to the weather.

Another aircraft came down in about the same place in September 2012, but with no loss of life.

I was flying yesterday in a similar aircraft but thought better of it today due to the visibility; it’s both sad and sobering. My thoughts are with their relatives and everyone else at the Spitfire Club.

 

Update: 04-Jan-2015

The names of the occupants have been released as Lewis and Sally Tonkinson, with their six-year-old son as the sole survivor. Looking at the photographs of the crash site in the Isle of Wight County Press, the aircraft in question appears to be very “light”, consistent with a Pioneer 300 Hawk, registration G-OWBA, with which Mr Tonkinson is connected and on which 37 hours have been logged. Curiously, this is a two-seater with a 20kg luggage capacity. The LAA registration number is LAA 330-15155.

Update 07-Jan-2015
I’ve seen reported elsewhere that the aircraft in question was a Pioneer 400 G-CGVO, but can’t tie this to Mr Tonkinson. The 400 is a “stretched” 300, with four seats, which would make more sense, but I’ve seen no official confirmation. There’s an AAIB report on G-CGVO (door opened on takeoff), but it was in Herefordshire, and the aircraft was based in Wales. It’s obviously possible that it subsequently changed hands.

Malaysian flight MH17 “shot down” over Ukraine?

Updated 17th July at 2320

Since writing this, I’ve been watching the superior BBC journalism on Newsnight where they had the sense to interview someone from Jane’s. Apparently the separatists do have Buk missile launchers in the area, which is surprising. Did the Russian government really provide such a dangerous weapon? And apparently (I didn’t know this) a single launcher can operate in autonomous mode using on-truck forward-facing radar. Basically a goon with no overall tactical view, watching a blip on the radar, can decide to shoot down the blip. There are rumours that the US tracked such a missile. This is scary, and derails the following conjecture. I’ve kept it for historical interest.


I’ve just been listening to the BBC reporting that “someone” in the Ukraine has shot down a Malaysian airliner flying overhead at 35,000′. Okay, it’s possible, and the fact it’s crashed is certainly a tragedy, but are any of these hacks aware that this is a long way up?

There are basically three kinds of surface-to-air missiles. Before blaming the separatists, you have to realise that the hand-portable types (MANPADS) you’d associate with rebels aren’t really any good at shooting down much apart from attack helicopters or slow things close to the ground. Basically, don’t bother if it’s more than 10,000′ up. It’s possible that they have Russian Igla systems, but they couldn’t have used them.

There are mobile systems that can hit targets that high – such as the Russian Buk. These are big beasts, built into a truck. The separatists may have got tanks from somewhere, possibly with a nod and a wink from the Russian military – but are they really going to let a bunch of rebels have a Buk (NATO designation SA-11)? It’s not something you’re going to miss like an old tank.

Could the Ukrainian government have done it? I don’t know whether the Ukrainian military has such a system; it probably does. But again, it’s not the kind of thing you’d fire off by mistake. Shooting at high-altitude jets isn’t going to be an accident, and why would they do it on purpose? Did they think it was a Russian military aircraft? I think not, but if they did, there are some complete idiots with dangerous weapons out there.

That leaves the Russian government – did they order it shot down? The same applies – why would they do that deliberately, and if it was an accident, it beggars belief.

The BBC is talking about missiles, but it could have been shot down “old school” with a fighter. Are the Ukrainians or Russians really going to shoot down a Malaysian airliner filling the windscreen of their MiG? That’d be crazy.

So I’m taking all this “shot down” news with a pinch of salt. Perhaps it suffered a failure and crashed; perhaps it was an on-board terrorist or bomb.

I think the BBC thinks the separatists (whom they don’t like) dunnit with a Stinger.

MH370 – One week later, wreckage found. Really?

So, an Australian satellite has spotted debris in the Indian Ocean at the far end of the arc on which MH370’s engine data fixed the aircraft for seven hours. There’s now going to be a rush to find it, no doubt.

Fuzzy picture of what Australia hopes is wreckage of MH370
Is it a plane? Is it a wave? It is a statistical certainty

Apparently these images are four days old and have only just come back from analysis.

I think this could well be a wild goose chase. What we’re looking at is a cluster of white dots in a texture of black and white. Experts have declared it likely debris; to me it looks more like waves. Or perhaps it’s a container washed off a ship, or who knows what? That it’s part of MH370 seems very unlikely. Probability is against it.

Let’s look at that probability. Firstly, why is the aircraft presumed to be on this arc leading north and south from Malaysia? It’s actually the line of equal distance (more or less) from the Inmarsat satellite collecting the data from the engines, and this is based on a 1D fix, namely the elevation angle to the satellite. I believe it’s known to be 40 degrees. That’s sound.

The arc ends where the aircraft stopped transmitting, which is also when it is likely to have run out of fuel, and the maximum distance it could have flown along the arc.
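To make the geometry concrete, here is an added worked example (not part of the original post) of why one elevation angle gives an arc rather than a point. A geostationary satellite sits at an orbit radius of about 42,164 km from the Earth’s centre; every point on the ground that sees it at the same elevation angle lies at the same central angle from the sub-satellite point, so the locus is a circle of constant ground range. The 40-degree figure is the one quoted above, and the sub-satellite position of 0°N 64°E (the Indian Ocean Region slot) is an assumption for the sake of the plot.

```python
"""One elevation angle to a geostationary satellite fixes a circle of
constant range, not a position.  Added example, not from the original post.
Assumptions: spherical Earth of radius 6,371 km, geostationary orbit radius
42,164 km, a 40 degree elevation and a sub-satellite point at 0N 64E."""
import math

R_EARTH_KM = 6371.0
R_GEO_KM = 42164.0   # orbit radius of a geostationary satellite


def central_angle_deg(elevation_deg: float) -> float:
    """Central angle between the observer and the sub-satellite point.

    In the triangle Earth-centre / observer / satellite, with central angle t,
    elevation e and k = R_EARTH / R_GEO:
        tan(e) = (cos(t) - k) / sin(t)
    which rearranges (divide through by cos(e)) to
        cos(t + e) = k * cos(e)   =>   t = acos(k * cos(e)) - e
    """
    e = math.radians(elevation_deg)
    k = R_EARTH_KM / R_GEO_KM
    return math.degrees(math.acos(k * math.cos(e)) - e)


def ground_range_km(elevation_deg: float) -> float:
    """Great-circle distance from the sub-satellite point to the arc."""
    return R_EARTH_KM * math.radians(central_angle_deg(elevation_deg))


def elevation_from_range(range_km: float) -> float:
    """Inverse: elevation angle seen at a given ground range (consistency check)."""
    t = range_km / R_EARTH_KM
    k = R_EARTH_KM / R_GEO_KM
    return math.degrees(math.atan2(math.cos(t) - k, math.sin(t)))


def arc_points(elevation_deg: float, sub_lat_deg: float, sub_lon_deg: float, n: int = 12):
    """n (lat, lon) samples, in degrees, on the circle of constant elevation,
    using the spherical destination-point formula from the sub-satellite point."""
    d = math.radians(central_angle_deg(elevation_deg))
    lat1, lon1 = math.radians(sub_lat_deg), math.radians(sub_lon_deg)
    pts = []
    for i in range(n):
        brg = 2 * math.pi * i / n   # bearing out from the sub-satellite point
        lat2 = math.asin(math.sin(lat1) * math.cos(d)
                         + math.cos(lat1) * math.sin(d) * math.cos(brg))
        lon2 = lon1 + math.atan2(math.sin(brg) * math.sin(d) * math.cos(lat1),
                                 math.cos(d) - math.sin(lat1) * math.sin(lat2))
        pts.append((math.degrees(lat2), math.degrees(lon2)))
    return pts


def great_circle_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Haversine distance, used to check that every sampled point is on the arc."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * R_EARTH_KM * math.asin(math.sqrt(a))


if __name__ == "__main__":
    print("central angle at 40 deg elevation: %.2f deg" % central_angle_deg(40.0))
    print("ground range of the arc:           %.0f km" % ground_range_km(40.0))
    for lat, lon in arc_points(40.0, 0.0, 64.0, n=8):   # assumed sub-satellite point
        print("  arc point: %7.2f N %7.2f E" % (lat, lon))
```

At 40 degrees the arc lies roughly 4,800 km from the sub-satellite point, and the sampled points run from the south Indian Ocean up through central Asia, which is the north/south ambiguity the search had to deal with. A second, independent measurement (for instance the Doppler shift on the same pings) is what it takes to collapse the circle to a point, which one elevation angle alone cannot do.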

However, to get to the far end of the arc, someone would have to have flown it there – or set the autopilot to follow THAT course. Not any of the other courses it could have taken from that point, but that precise arced course. It’s not impossible; it could have taken this course. But is it likely? Probability says “no”.

What seems more probable to me is that the aircraft hung around in a holding pattern close to where it was lost. That’s where to look. If the satellites have found it, great – and the explanation as to why it followed that precise course will be interesting, but I’m not hopeful.

If you’re working on a conspiracy theory, the data sent to Inmarsat could have come from a ground-based transmitter; it could be fake to throw investigators off the scent.

Missing Malaysian Airliner

I’ve got more interest than usual in this, as I happened to be on a ‘plane in the same airspace a few hours afterwards. It makes you think while waiting to board in Singapore.

Three days later, no wreckage has been found and there are rumours of the aircraft changing course. Hijack? That’s what it looks like to me, based on the facts released. First off, there was no distress call. The same was true of Air France 447 in 2009 (discounting the automated transmissions), but that was way out over the ocean a long way into the flight; MH370 had only recently departed and was in crowded airspace, in range of ATC and showing up on civil radar.

Much was made of the passengers travelling on stolen passports; given that part of the world I’d be surprised if there weren’t several on every flight out of KL. If it was a terrorist attack, someone would have claimed it by now anyway. And if it was external hijackers, the crew would have raised the alarm.

So what could have happened? The release of the final radio message is a huge clue – they were handing over from Malaysia to Vietnam, mid-way across the sea. Hand-overs are important – they say goodbye, change frequency and say hello. Only the goodbye happened.

If the aircraft had suffered a very sudden and catastrophic failure, the wreckage would be floating on the ocean below at that point. So that leaves the aircrew. They could have turned off the transponder and done what they liked.

If external agents had hijacked an aircraft the pilots would have triggered the hijack alarm on the transponder and made a distress call. They were in radar range, and radio range. And the security on the cockpit door would have allowed them time.

If I were flying an aircraft and wanted to take it over, mid-sea on ATC handover would be the obvious place to do it. Malaysia wouldn’t expect contact because they’d left; Vietnam wouldn’t notice loss of contact because none had been made; they’d assume the aircraft was still talking to Malaysia. Just speculating out loud…

Only military radar would be taking any interest in the aircraft, and in that part of the world you bet they were watching but don’t really want to talk about it.

Airbus A319 Emergency Landing at Heathrow

It’s all over the news, with mobile phone pictures and everyone being interviewed. Although it’s clear one engine was in flames, one of the interviewees mentioned something really interesting that the main news media hasn’t picked up on yet…

Apparently the engine cowlings became detached from both engines, after which the pilot assessed the situation with both engines running properly without covers. Only after one of the engines caught fire was the emergency landing made back at Heathrow. (This is reasonable – there are other places to land for less of an emergency, and the crew might have wanted to assess why they’d lost the covers before landing.)

To lose one cover is unfortunate; to lose both is starting to look like carelessness.

It could be that the passenger being interviewed was a poor observer, or it could be that the covers were simply not latched on properly. It’s been said by the BBC people that “the covers were blown off” – engine explosion? Not likely, as apparently the engines remained running.