Truth About Computer Security Hysteria
Inferior computer security threatens Continental Airlines!
Rob Rosenberger, Vmyths co-founderWednesday, 2 July 2003 [Editor's note: new visitors to our site may not recognize the sarcasm in this column. Mr. Rosenberger trusts Continental Airlines' flight safety record.] LET'S FLASH BACK to a January 2003 story posted on CNN. In it, Continental Airlines admitted the Slammer worm forced them to cancel & delay some flights as a result of their poor computer security:
| Continental Airlines admits they cannot stop hackers who would cancel or delay flights on a whim. |
Continental said the worm attack caused its difficulties. Spokesman Jeff Walt said agents reverted to "the old fashioned way" — phones, and pen and paper — to record reservations and electronic tickets. "[That is] more time consuming, so we had some scattered delays around the system and some cancellations of regional flights," said Walt, adding that the airline experienced few problems on its national flights. "It looks like we're getting close to [having] everything resolved." Walt said Continental's hub at Newark, New Jersey, was the most affected by the problems, but problems were also reported in Houston, Texas, and Cleveland, Ohio. No delays lasted more than 30 minutes, he said.Now let's flash forward to a Ziff-Davis newswire early last month. "During an enterprise customer panel [at a TechEd conference], Nathan Hanks, the managing director of technology for Continental Airlines, admitted that the worm hit the company hard as it brought down its gate check-in systems." Basically, Hanks reiterated in June what Walt said in January. Continental cannot stop hackers who would cancel or delay flights on a whim. "We cannot have undocumented servers that are responding to anonymous queries on DDP that allow buffer overruns," Hanks wailed. "CIOs need people in place to figure out why port 1434 is open on publicly exposed firewalls." Hanks apparently didn't tell the TechEd audience if he planned to resign for January's debacle. (He is the managing director of technology, after all.) Reading between the lines of the Ziff-Davis newswire, it appears Hanks blamed everyone but Continental for Continental's inferior computer security. I'm not the only one who can read between the lines — Hanks took a serious, well-deserved beating from others who noticed he "again demonstrates his ignorance of security." Even Continental Airlines distanced itself from his myopia, saying "the comments attributed to Mr. Hanks do not represent the feelings, policies or practices of Continental Airlines." Well, you know me: I wanted to see just how badly this worm devastated the airline. First I scoured Continental's press release archive. Then I talked to a Continental check-in clerk. You'll love the clerk's comments; we'll get to those in a moment. Right now I want to talk about those boring press releases... Continental's press release archive doesn't mention the operational economic impact of the Slammer worm in January. Mind you, Slammer "brought down" Continental on the 26th of January. Surely you'd expect them to mention such a devastating event in their end-of-month operational performance statistics for January!
| Continental's managing director of technology apparently blamed everyone but Continental for their inferior computer security. |
CONTRAST THIS WITH early February — just a few days after Slammer — when Continental announced their efforts to prepare for a winter storm in the Northeast. Weeks later, their end-of-month statistics for February made clear mention of weather problems:
Operational results for February were adversely impacted by severe weather across Continental's system for 23 days in February, including the winter storm that paralyzed the northeastern United States over the Presidents' Day weekend.This stuns me. A virulent worm "brought down" Continental at the end of January and it received plenty of media exposure, yet Continental's end-of-month press release doesn't mention it. A winter storm in February during an outdated U.S. holiday gets mentioned weeks later in Continental's end-of-month press release. To the untrained eye, it would seem the Slammer worm didn't really harm Continental. So I drove to the regional airport in Cedar Rapids, Iowa. (Check out the parking receipt if you don't believe me.) I quickly cased the Continental ticket counter, where I spied an all-too-helpful check-in clerk. I enchanted the clerk with the black arts of "social engineering." I asked the clerk to see if my {ahem} business colleague would arrive on a different flight than the one I {ahem} expected. It took awhile to check the passenger manifests. "Nope, he's not on any flights today," came the reply. Cedar Rapids is a great airport: you can blab with a check-in clerk for five minutes before another person walks up to the counter. I struck up a casual conversation about the check-in computer. "Could this thing be wrong? I mean, could my guy be on the flight and you don't know it?" The clerk told me all airlines know every passenger's name on every flight since 9/11. "Ah. Well, how often does your system go down? Is it reliable?" The check-in clerk's reply stunned me. Continental suffers a system-wide failure "a couple of times a year." System-wide, I asked? "Yep, everything goes out." What do you do then? "Everybody does everything by hand and we enter all of the data when the system comes back up." [The previous sentence may not be a direct quote, but its context is accurate.] The clerk also noted the fact Continental's check-in system will regularly "go down" at any given airport due to things like power outages or telecommunication problems. The impacted airport will do everything manually until technicians correct the problem and get them back online. Localized system outages happen "a couple of times" each year at many airports.
| A Continental employee revealed their check-in system will "go down" four times per year on average at many airports. |
| The employee did not seem fazed by this atrocity! |
SO THERE YOU have it. Twice a year on average, Continental may cancel & delay flights due to system-wide computer failures. Flight cancellations & delays may occur another two times per year on average at any given airport due to localized computer glitches. Two plus two equals four. (Actually, in computer economics, we can prove 2+2=5 for very large values of 2. But we're talking airline economics here, so let's not digress.) To paraphrase CNN, the check-in clerks at Continental revert "to 'the old fashioned way' — phones, and pen and paper — to record reservations and electronic tickets" on an average of once a quarter. Then again, Cedar Rapids is a tiny regional airport where cows sometimes wander onto our dirt runway (we hope to pave it in 2007). It's not a large international multi-runway airport. Cedar Rapids can easily shrug off a computer malfunction, but I suspect Houston & Newark can barely survive their routine quarterly system glitches. Hmmm. Could a fifth computer glitch per year in Newark hurl the oh-so-fragile Continental Airlines into Chapter 11 bankruptcy protection? The Slammer worm canceled & delayed Continental's flights in January. We know this because the company admits their inferior computer security threatens every scheduled departure. Believe it: a more powerful variant of Slammer could leave Continental's passengers stranded for days at airports around the country! This realization forces us to confront some nagging questions:
- If a computer worm caused one system-wide outage this year, what caused all of those other system-wide outages in previous years?
- How can Continental survive its routine system-wide failures and its routine regional/local system outages?
- Do hackers secretly cause these routine failures & outages under the very noses of Continental's inept computer security team?
- Why didn't Continental identify the devastating economic impact of a computer worm in their end-of-month report for January?
[Continued in part 2]