This is our second blog post of the week and it’s a bit different to the content we normally publish on the Security Ninja blog!
My colleague Angel Alonso will be writing today’s blog post, so before I hand you over to Angel I wanted to give you a bit more information about his knowledge and experience:
Angel Alonso works as the Head of Operations Security for Realex Payments in Dublin. During his professional career he has worked in many different security roles in both the private and public sectors. Angel used to work as an associate teacher at several Spanish Universities teaching Cryptography and Security protocols to the students of computer science and telecommunication engineering degrees.
Angel has had his work published in security magazines like Hakin9 and the Spanish security magazine revistasic, and he has also presented at security conferences and delivered security training courses. He holds an MSc/BSc in Computer Science and a BSc in Telecommunication Engineering, and is currently working towards a Security and Forensics Master’s at Dublin City University. In addition to his academic qualifications Angel holds many leading information security certifications.
I will hand over to Angel now; I hope you enjoy his first Security Ninja blog post!
Over the past few days both IT and mainstream media have reproduced the news published in the Spanish newspaper El pais, which stated that a piece of malware could have contributed to the Spanair crash in August 2008 that left 158 people dead.
I am not an aerospace engineer or a pilot, but the aerospace industry is one of the most safety-, quality- and security-conscious industries, and it is backed up by very strong legislation. Terms like high availability, redundancy and security controls have been part of the aerospace industry for a long time. One clear example of this is how the information systems of modern planes are designed and developed by different teams of engineers, to avoid the same human mistakes being made by individuals or teams in multiple areas of the system. This should give you an idea of the importance of security and quality in the aerospace industry.
The approach to implementing information security controls should follow the same principle; design a set of controls and countermeasures in such a way that if one of the controls fails there is another to prevent a potentially catastrophic failure. A simple example is the principle of defense in-depth, where different security layers are implemented when designing a secure network with redundancy and high availability.
I always like to compare the news stories produced by different media outlets, because often the same story will be completely different depending on the subject knowledge and agenda of that outlet. The recent news stories about the Spanair crash are a good example of this, with some media outlets linking the accident to malware. Understandably this has caused quite a stir in the information security community, with many people taking this news to be 100% true and proof that malicious software has caused a large loss of life.
However, having read the official crash investigation report, it’s clear that the accident was caused by a series of both technical and human errors. The official crash investigation report on the possible root causes and factors of the accident was published by the commission in charge of the investigation (CIAIAC).
I want to get back to the recent news stories linking the accident to malware, which were published on the 20th of August 2010, exactly 2 years after the accident. El pais published a new story that stated that the ‘system that monitors the failures in the plane might have been infected by a Trojan’. When I read the news in Spanish I was very skeptical about it, and I was surprised to see that many security blogs published the same news, quoting El pais as their source and placing full trust in that single news story. Several media outlets even said in their headlines that the root cause of the accident was the Trojan itself, which is completely different to what El pais actually published.
The reasons I am skeptical about the story are listed below:
- El pais used a new internal report created by Spanair as its source. There is no independent auditor or external expert input or even verification that this report exists.
- If the information is true, the system that would have been compromised by the Trojan was not the system on the plane itself but an external system that monitors the planes.
- The news story says that there is a delay of 24 hours between the time any failure happens in the plane and the time it takes to be entered in the external system.
- If the system had been compromised, there should have been a forensic investigation carried out on the compromised system to determine the impact of the compromise.
- The news story says that the judge asked Spanair for audit logs from the system for the days leading up to the accident; this means there probably hasn’t been an official forensic investigation carried out.
When talking about incidents of this nature, we must stick to the facts and avoid sensationalizing the story, particularly when we are not aware of the full facts, and we should be even more cautious when we are talking about the loss of human life. I know I’m probably more skeptical than most people, but I can’t imagine myself doing a report about an intrusion without evidence, logs or any kind of proof. I wouldn’t reach a conclusion just because someone has told me that there is a report that says “something” about how the intrusion happened.
The judge in this case has requested that an additional investigation be carried out based on the audit logs from the suspected compromised system. We will need to wait until an updated crash investigation report is published to see whether the malware played any part in this accident. If such a report is released, it should explain the evidence found, what analysis has been performed, who has performed it, how they have correlated their findings, who has been involved in the investigation, etc. But in the meantime, I don’t think it is prudent to say that the suspected system compromise had anything to do with the Spanair plane crash – not until all the facts are known.
As always we look forward to hearing any feedback from the readers of this blog so please get in touch by leaving a comment, sending me a message on Twitter or by sending me an email.