In my last post, I took that LastPass attack as inspiration to write about how security tools can not only be less secure than advertised but can actually become threats in and of themselves. LastPass password vaults were supposed to keep all user’s passwords safe in one place – instead, the vaults allowed hackers to steal all those passwords at once. The defense caused the damage, as much or more than the attackers did.

I began thinking about this concept again today as flights across America were canceled due to an outage in a Federal Aviation Administration (FAA) computer system. The obscure but essential system, called Notice to Air Missions (NOTAM), provides pilots with information about potential flight hazards such as icy runways, high-elevation construction, or migrating birds. NOTAM went down, pilots couldn’t get this data, and thousands of flights had to be grounded as a result. It would have been a huge risk to fly otherwise.

The situation is only a few hours old at this point, so the cause of the outage hasn’t been reported. Officials have said it wasn’t a cyber attack – but whether they could know that for certain already is questionable, as is whether officials would admit to an attack being the true cause of the outage. Officials have the means and motive to obfuscate the cause, especially if a foreign government was somehow behind the outage. But even if the outage was not the result of an attack, as reported, it does not bode well, either for the FAA, the airline industry, or for any of us, frankly.

Watching a Trend Emerge

The airline industry is known for sudden, large-scale problems. It’s almost a cliché. But recent events still feel remarkable. Today’s FAA outage comes shortly after a technical glitch forced Southwest Airlines to cancel hundreds of flights at the peak of the holiday travel season.

That glitch happened in their staffing system. When a major winter storm hit the East Coast, forcing many Southwest staffers to call out, the airline had to scramble to redirect resources and reroute flights. Unfortunately, the staffing system couldn’t keep up with making changes on that scale and collapsed under the pressure, leaving Southwest without a way to send staff where they were sorely needed.

In the wake of the staffing system going down, blame has been pointed at aging technology that couldn’t keep up with the speed, scale, or sophistication of today’s computing requirements. We don’t know the cause of the NOTAM outage, but FAA insiders have suggested that decades-old technology may be responsible. There hasn’t been a similar flight stoppage since 9/11, so the NOTAM technology has a history of reliability. If it wasn’t a cyber attack that brought it down, the next most logical conclusion is that the system itself is starting to show its age.

That can only mean one thing: what happened today will start to happen more often. We can already see the trend in progress. Unfortunately, I think we will start to see it progress even further, accelerating and extending to other industries because the problem of expired technology controlling key systems is hardly reserved for the airline industry only.

System at Risk of Collapse

Look deep enough into just about any system, structure, or supply chain and you will find a piece of legacy technology controlling a critical process. They have persisted longer than anyone anticipated. And at this point, they are so deeply entrenched that some (or maybe even most) seem impossible to root out and replace.

It has been well documented that legacy systems are harder to make secure and keep secure, consuming more security resources while still creating more security risk. Less discussed, however, is that no amount of security can prop up a system that is approaching or past the brink of collapse. And when that point arrives, the damage is as bad (or worse) as any attack. Just look at what’s happened to airlines in recent weeks – massive damage to revenues and reputations all because old software started to act its age.

I think we will start to see similar collapses happen more often, more disruptively, and more unexpectedly in the near future. In so many areas, we have not so much replaced the old with the new as balanced the latter on top of the former. And now the foundation is crumbling.

As with my piece on the LastPass attack, my point is not to be defeatist about the future of technology. Rather, I want to take a more expansive view of cybersecurity – one focused less exclusively on defense and more on risk and resilience. How we get there is a massive question (leave your thoughts in the comments). But if there’s any silver lining to today’s airline apocalypse, it’s that maybe it pushes us one step closer to making change.

#cybersecurity #airline #FAA #Mainframe #Legacy

Several weeks ago, one of my news feeds served me an article about how people continue to pick the very worst passwords possible: everything from ABC123 to their own first and last name. Considering how easy it is for hackers to guess, buy, or break passwords, the bar for picking strong passwords is getting higher than ever – meaning the difference between bad and very bad passwords is non-existent.

Password strength wasn’t what was interesting about this article. What stuck out for me was how persistent the password problem has been – years of training, explaining, pleading, and sometimes even incentivizing haven’t done much to get people to use stronger passwords.

A password manager like LastPass was supposed to be the solution. It offered a streamlined way to turn every password into a strong password, enter the login details automatically, and keep everything safe inside an encrypted vault. LastPass seemed like a win-win: stronger security plus streamlined access. But then we learned through a story that’s been unfolding in recent weeks that attackers managed to steal some of those vaults. And if they manage to crack them open, they will have access to the login credentials for many thousands of personal accounts.

I had originally planned to write about the LastPass attack as a sign that passwords are on their last legs and woefully in need of replacement. But I think most people held that opinion even before the LastPass attack. What’s more, alternatives to passwords have never been more numerous or viable, so I’m confident the era of password protection is coming to a close (whether or not I write about it).

Something besides the password angle stood out to me as I read more about the LastPass attack. Specifically, I was struck by how much LastPass bungled things at every turn, first with their own security, and then with their response to the attack. The problem was not passwords (they were the victim, really). Rather, the problem was LastPass, which promised to protect passwords and then failed at the one thing it was supposed to excel at.

Which leads to an uncomfortable but unavoidable line of inquiry: What other protections are less secure than they seem? Have other vendors made promises that they can’t or won’t honor? Is there any way to know for sure whether you’re as safe as you think? Can anyone really count on cybersecurity?

Vendors are a Weaker Link Than You Think

There has been growing awareness that the IT products a company uses could get weaponized as part of supply chain attacks, which have received a lot of attention lately. And while companies understand that some vendors are stronger than others and some products are weaker than alternatives, we tend to see any protection as better than nothing. The LastPass attack reveals that’s a dangerous line of reasoning.

Reports suggest that security standards and practices at LastPass have been slipping for years, but the extent of that was not apparent until the attack (plus another attack 6 months prior) forced the company to make disclosures. Effectively, the company spent years cultivating trust, then used its positive reputation to let security slide without people noticing.

If it can happen at LastPass, it can conceivably happen anywhere. And with the pandemic and its aftereffects putting so many companies through internal turmoil, who knows where else has become a shell of its former self, waiting for an attack to expose formidable security measures as brittle defenses. And if it can happen to something as fundamental to security as a password vault (the crown jewels for attackers), logically any asset could currently be exposed because of the potentially bogus defenses around it.

If that sounds hyperbolic, take a quick mental review of the security stack. Can you be confident that all of the vendors included therein are taking security as seriously as necessary, particularly when it may conflict with the bottom line? My point is that strong defenses can turn into weak ones without anyone noticing.

Of course, SLAs and other contractual obligations can help mitigate this. But even with those obligations in place, sometimes companies go south – suddenly, swiftly, and surprisingly. And when they are involved with cybersecurity, users often get caught up in the collapse.

The possibility that you’ve surrounded yourself with paper tigers is certainly a frightening thought. But, I must admit, it’s remote (LastPass is an outlier). And there’s a silver lining: it takes less time to vet and review vendors than it does to detect and respond to threats.

#Cybersecurity #Authentication #LastPass #Vendor #Password