Have a scoop about the data center industry? Email it to us at [email protected] or send us a Signal at 571-535-4518.
Last night the U.S. Federal Aviation Administration (FAA) announced new details on the cause of last week’s Notice to Air Mission (NOTAM) system outage that caused the delay or cancellation of more than 8,400 flights. The FAA’s initial reports pointed to a corrupt file as the cause of the outage. The FAA announced that a contractor “deleted files while working to correct synchronization between the live primary database and a backup database.”
When asked if last night’s statement is a supplement to the previous admission that the outage was caused by a corrupted file or if the latest update is a replacement of the initial causation report, the FAA did not immediately respond.
We’re looking to find out if the contractor deleted the corrupt file or if the contractor deleted several files in response to the outage caused by the corrupt file. When or if the FAA responds, Data Center Knowledge will let you know.
Coordinated Cyberattack or Coincidence?
Also of note, while the FAA still insists the outage on Jan. 11 was not caused by a cyberattack, new details have come to light that contradict those assertions. Here’s why:
On the same day as the FAA outage, Canada also experienced an outage of the very same system their country uses to alert pilots to safety issues both on the ground and in the air, known as NOTAM. Unlike the FAA outage, the outage in Canada didn’t cause any flight delays, according to AVweb, an independent aviation news resource, but the outages in the U.S. and Canadian systems overlapped by at least two hours. That’s according to NAV Canada, a private organization that runs Canada’s civil air navigation system.
“NAV CANADA’s Canadian NOTAM entry system experienced an outage affecting newly issued NOTAMs at approximately 10:20 a.m. ET and was restored approximately at 1:15 p.m. Mitigations were in place to support continued operations,” Vanessa Adams, spokesperson for NAV Canada, told Global News on Jan. 11.
“We are still investigating the root cause of the failure. At this time, we do not believe the cause is related to the FAA outage experienced earlier today.”
The downtime of the same systems at roughly the same time has led some to believe the outage of both the U.S. and Canadian air safety notices amounted to a coordinated attack on the North American aviation system.
“Taking down both primary and backup systems in two countries on the same day suspiciously sounds like ransomware attacks which have proliferated in the past 2 years,” says Lucian Niemeyer, CEO of Building Cyber Security on LinkedIn.
Mitigation of MFA Cyberattacks on Data Centers
While some speculate on the true cause of the Jan. 11 outages in the U.S. and Canada, the present danger of cyberattacks on data centers is quite real and immediate for enterprises, cloud solutions providers, colos, and MSPs alike.
Here’s an excerpt from our previous coverage on how bypassing MFAs has emerged as a threat to data center operations:
Last August, attackers tricked a Cisco employee into accepting an MFA request and were able to access critical internal systems.
In September, attackers bought the password of an Uber contractor on the dark web, and repeatedly tried logging in the stolen credentials, Uber reported. At first, the login attempts were blocked by MFA, but eventually the contractor accepted the request and the attackers got in. They were able to access a number of company tools, including G-Suite and Slack.
More embarrassingly, in August, attackers were able to compromise Twilio’s widely used MFA service. They did so by tricking multiple Twilio employees into sharing their credentials and MFA authorizations. More than a hundred Twilio customers were compromised, including Okta and Signal.
Adversary-in-the-Middle Attacks
In addition to compromising MFA platforms and tricking employees into approving illegitimate access requests, attackers are also using adversary-in-the-middle attacks to bypass MFA authentication, according to a report released by Microsoft’s Threat Intelligence Center this summer. More than 10,000 organizations have been targeted by these attacks over the past year, which work by waiting for a user to successfully log into a system, then hijacking the ongoing session.
Password-less Sign-in Standard
Last spring, Apple, Google, and Microsoft all committed to a common password-less sign-in standard.
The new approach, which is based on the FIDO security standard, promises to be more secure than traditional multi-factor security, such as one-time passwords sent over text messages. It is expected to become widely available sometime this year.
In a recent statement, Jen Easterly, director of the Cybersecurity & Infrastructure Security Agency, urged every organization to put FIDO on their MFA implementation roadmap.
“FIDO is the gold standard,” she said. “Go for the gold.”
In particular, she urged system administrators to begin using MFA, noting that fewer than 50% currently use it.
Controls for Legacy Data Center MFA Systems
Even when new password-less technologies do become mainstream, some of these additional controls, like user behavior analytics, will continue to be useful.
For most security teams, these compensating controls will be the standard approach, said Gartner vice president and analyst Ant Allan.
For example, a check to confirm that the login is coming from the same geographical location as the user’s phone will reduce phishing risks, he said.
“And choking the number of failed mobile push authentications can mitigate prompt bombing,” he added. Prompt bombing is an attacker strategy where they keep trying to log in, and users get so many MFA requests that they get annoyed and accept the requests out of sheer frustration.
