Travel sector's poor security exposed it to hacking risks

The hacking attacks against three leading travel and ferry operators have highlighted just how far the travel industry needs to...

The hacking attacks against three leading travel and ferry operators have highlighted just how far the travel industry needs to go to improve its computer security, experts said this week.

Software suppliers to the industry routinely use X.25 networks, rarely protected by firewalls, to provide remote maintenance services to their customers 24 hours a day. "Some of the largest travel system software providers routinely go into their customer's systems every day just to check that they are functioning well," said Paul Richer, partner at travel technology consultancy Genesys.

Good security practice suggests that if businesses want to allow their suppliers access into their systems through X.25 they should make sure their suppliers at least install systems that are capable of distinguishing between a genuine maintenance call and an attack from a potential hacker.

This can be done by limiting the times when suppliers can have access to systems, using a router that will filter out calls from unknown numbers, or modems that will call the supplier back on a pre-agreed phone line.

"It is a bit like checking the credentials of a meter-reader when he comes to your door," said Peter Dorrington, fraud expert at the SAS Institute. "You phone the gas board to check them out. It should be the same routine with software maintenance."

Yet many firms have little or no security beyond a simple password. At least two of the companies that fell victim to the hacker did not have ring-back facilities, Computer Weekly has learned, although they have since added more sophisticated security.

Without adequate protection any business relying on remote software maintenance runs the risk of attacks from professional hackers, or from former members of staff with a grievance. The problem is particularly acute for companies going through mergers and acquisitions or forced to lay people off.

Investigators at NatWest's credit card acquisition service, Streamline, now part of Royal Bank of Scotland, and Anite Travel Systems, are assessing whether former staff from Anite or companies which it acquired could be involved in the attacks.

Anite laid off a significant number of technical staff when it bought rival software house FSS last year. In 1999, FSS also lost support staff when it bought Travellog, the original developer of the Res 2000 booking system used by the hacking victims.

Dorrington advises companies to be particularly vigilant when making redundancies or taking part in mergers and acquisitions.

"Three things provide the motivation for fraud - greed is the first, need the second. But the third is malice, and that is on the increase. You mix those three together when you have someone who has been made redundant," he said.

Employers should review their security policies at such times, make sure they delete logon accounts used by former members of staff and change company passwords, Dorrington added.

Read more on IT risk management