* No badgers were harmed in the creation of this blog *

** Not intended to diagnose, treat, cure, or prevent any disease **

Tuesday, April 18, 2023

Firewall failures ground Southwest Airlines

CNN (and many others) are reporting a ground stop of Southwest Airlines flights, initiated by the FAA at the request of the airline after "a vendor-supplied firewall went down and connection to some operational data was unexpectedly lost," according to spokesman Dan Landson (quoted from [5]). Many news articles remind readers of the airline's meltdown last December, when it cancelled nearly 17,000 flights over 10 days.[1,2,3] Southwest was not alone in cancelling flights then; the initial challenge was winter weather. However, it was noteworthy for the reason and magnitude of its disruption, which was blamed in part on outdated crew scheduling software.[4]

Both of these failures are cybersecurity issues. I've mentioned the CIA triad before:

  • Confidentiality: Access to data should be limited to those parties who are authorized to access it
  • Integrity: Data integrity should be maintained; data should be complete and correct
  • Accessibility: Data should remain accessible to those parties who are authorized to access it

Both cases represent failures of Accessibility: data that Southwest needed to meet its business goals was not accessible. In December, outdated software meant that the airline didn't know where its flight crews were. In some cases, personnel had to phone in their locations because they couldn't notify the airline electronically.[5] The airline used in-house software to manage its crews.[6] While doing so may enable a finely tailored result, it also means that they must be entirely self-reliant for any maintenance, expansion, upgrades, and security for that software - no one else uses it, and no one else is familiar enough with it to offer insight. New employees arrive entirely naive to the software and have to learn it from the ground up. Legally, there may be more liability in providing their own software rather than outsourcing to a professional. Thus, though there may be short-term financial gains in in-house development, the aggregate picture becomes murky.

Today, the culprit appears to involve off-the-shelf software. Where the culpability lies is not yet clear, though. Setting up and maintaining the software may have been part of Southwest's responsibility. For the moment, we'll have to wait and see.

Sources:

1. Ivanova, Irina, "More than 2,000 Southwest Airlines flights delayed after temporary ground stop," CBS News (cbsnews.com). Accessed 4/18/2023 at https://www.cbsnews.com/news/southwest-flights-grounded-over-computer-issue/

2. Josephs, Leslie, "More than half of Southwest Airlines flights delayed after technology problem paused departures," CNBC (cnbc.com). Accessed 4/18/2023 at https://www.cnbc.com/2023/04/18/southwest-airlines-departures-pause.html

3. Baio, Ariana, "FAA briefly grounds all Southwest Airlines flights nationwide," Independent (independent.co.uk). Accessed 4/18/2023 at https://www.independent.co.uk/news/world/americas/southwest-airlines-ground-stop-faa-b2321980.html

4. Koenig, David, "US investigating December flight cancellations at Southwest," Independent (independent.co.uk). Accessed 4/18/2023 at https://www.independent.co.uk/news/ap-southwest-airlines-dot-dallas-b2269417.html

5. Wallace, Gregory, et al., "Hundreds of Southwest Airlines flights are delayed after FAA lifts nationwide ground stop," CNN (cnn.com). Accessed 4/18/2023 at https://www.cnn.com/travel/article/southwest-airlines-flight-delays/index.html

6. Arnold, Kyle, and Natalie Walters, "Holiday meltdown exposes Southwest Airlines' technology woes," The Dallas Morning News. Accessed 4/18/2023 at https://www.dallasnews.com/business/airlines/2022/12/29/holiday-meltdown-exposes-southwest-airlines-technology-woes/

Design for security

I recently got a new keyboard. My checkboxes were:

  • ergonomic
  • wireless, and sharing a dongle with my wireless ergonomic mouse
  • full-sized, including number pad, arrow key cluster, and the cluster of keys for delete, home, page-up, and page-down
  • easy-type keys, which probably have an official name that I don't know. These are keys that don't have to be pushed deeply into the keyboard to register, and can tolerate a certain amount of sideways push - they're buttons, really, more than keys

I ended up getting the Logitech K860. I've had it for a few weeks, so I'm still in the learning curve for the keyboard layout (I've had several ergonomic keyboards over the years, and each has its keys laid out differently), but one feature stands out. It's the key at the top right, which features a lock symbol, and when pressed, it locks the computer, putting up the lock screen and requiring me to enter my password if I want to resume using the computer. A year ago, I doubt I would have thought about this key, or ever used it, but I completed a cybersecurity bootcamp in the second half of 2023 and one of the many things I learned was the value of security habits. Being in the habit of locking my computer every time I step away from it closes one avenue of attack against my computer and my network, since no one else can sneak onto my computer during the several minutes that elapse between my last keystroke or mouse movement and when the computer automatically locks.

At home, the likelihood of a threat actor sneaking onto my machine is limited. However, I do recall a colleague of mine whose cat managed to blast her resume out onto a listserv by leaping up onto the keyboard and striking just the right set of keys. Security is about more than just protection against threat actors, and as much as I love my cats, I don't see benefit in giving them free rein over my keyboard.

At work, it's a different situation, of course, and for several months I had been using a different wireless keyboard there, Logitech's K350. This keyboard also has a lock key, in the same location as the K860. This keyboard belonged to me, however, and was only intended as a stopgap, so when my department got me a new keyboard it came home. And then the value of that lock key really struck me, because my new keyboard doesn't have that key. I had developed the habit of hitting that key every time I stood up from my desk, but now I had to either use [CTRL] + [ALT] + [DELETE], then [ENTER], or use the mouse to open the start menu, then select user options, then select lock.

In truth, the extra time and effort is not large. But if you've ever seen someone toss recycling into the garbage can they're standing next to rather than crossing to the recycling bin three steps away, you know that many people are going to take the easiest route. Having a single button to press to lock the computer, and having that button be in a corner (you don't have to hunt for it), is about as easy as you can get. If we want our community members to lock their computers when they leave them unattended (and as security professionals, we do), the few extra dollars for a keyboard that does this is money well spent.

Wednesday, April 12, 2023

Don't advertise the IP address of your devices

Earlier today, I snapped the photo above. Clearly seen, on the side of the camera, is the camera's IP address (I've obscured the last two octets). Note also that this is not a private IP - the address that a device uses on a local network - but a public IP: the camera appears to be connected to the internet directly. Assuming that the address is correct, I see a few issues here worth mentioning.

  1. Anything on the internet is directly in the line of fire of attackers. Though the camera might have a username and password to protect it, we could add an additional layer of security by moving the camera behind the firewall of a network. Then, an attacker would first have to penetrate the firewall before they could address the username and password security. Placing the camera on the internet denies it a layer of security. Granted, there are times when this is necessary or beneficial (e.g. traffic cams and raptor cams), but a security camera should probably have security.
  2. Since this camera was installed in this way, I'm led to wonder about the security posture of the rest of this facility. Just on this camera, is the security still running on the default settings? There look to be manufacturer stickers on the bottom of the camera - if I could determine the make and model, a Google search might reveal the default username and password. More generally, have there been other flaws in creating the local network? In other words, the setup here advertises a loose security posture, inviting a hacker to take a stab at breaking in. It's a little like parking a car in a bad neighborhood with the doors locked but the key in the ignition.
  3. Alternately, perhaps the address shown is not the address of the camera, but the address that the camera connects to (the address of the security company, for instance). In this case, the label may have been placed to enable the camera to be set up properly. In this case, the address is likely to be firewall protected, but there's still no reason to publicly display it - keep that info need-to-know.