Airline Web sites seen as riddled with security holes

Increasing concerns about the potential for hackers to manipulate critical back-end administrative systems through security holes commonly found in corporate Web sites have prompted at least one major airline to take preventive measures.

“We are trying to defend our Web sites,” said David Yaacobi, information systems security manager at El Al Israel Airlines at Ben-Gurion International Airport in Lod, Israel. “Hackers could go inside your Web sites and inject wrong or malicious code.”

El Al has deployed Sanctum Inc.’s AppShield 3.1 Web application firewall technology. That deployment comes on the heels of a security audit of a major U.S. airline conducted by the Santa Clara, Calif.-based vendor. According to Sanctum CEO Peggy Weigle, during that audit the airline’s Web-based systems were breached. The security team that conducted the audit managed to make its way into the airline’s back-end systems, including the reservation and maintenance systems, Weigle said.

“Through a hole in the [front-end] application code, we were able to get to the back-end systems and able to download the source code of the entire application,” said Weigle. “We could have obviously obtained passenger manifests, maintenance systems and whatever was there.” The airline, which Weigle refused to identify for security reasons, still hasn’t fixed the problems, she said.

Dan Meehan, CIO of the Federal Aviation Administration, said he received a briefing on the audit from Weigle and noted that the FAA is working with the White House to develop a more aggressive outreach program focused on the airlines. “We want to take this specific piece of information and compare notes with a few other airlines to see if this is an isolated case or not,” said Meehan. However, he said, it’s too early to tell whether the audit did in fact uncover a significant breach of security.

For his part, Yaacobi isn’t taking any chances. Although El Al’s reservation systems run on protocols that are “totally different than [standard Internet protocols] and are very difficult to hack,” Yaacobi said the potential is still there, and El Al does whatever is necessary to protect them.

“Since Sept. 11, any illegal access to data or transactions through our company Web site is viewed by us as a terrorist act,” said Yaacobi. “With regular attempted attacks on our site, we view Web application security critical to our overall security plan ensuring the safety of our customers.”

Various Israeli government agencies deployed AppShield during the 2000 cyberconflict between pro-Palestinian and Israeli hackers.

John Pescatore, an analyst at Stamford, Conn.-based Gartner Inc., said Web application security is a serious problem for two-thirds of all corporate Web sites.

“The current generation of firewalls focuses on the network level, kind of like the walls of a fort stopping direct attack,” said Pescatore. “However, close to 75 per cent of today’s attacks are tunnelling through applications. Application-level firewalls are something that any critical infrastructure company needs to look at.”