Hackers get 1 million miles for telling United about IT security gaps

Two hackers have scored a million frequent-flier miles each on United Airlines for finding security holes in the airline’s computer systems.

The awards were made under a security program that United started in May. Technology companies have offered so-called bug bounties, but they are unusual in the transportation industry.

United spokesman Luke Punzenberger said Thursday that two people have received the maximum award of 1 million miles each and others got smaller awards. A million miles is enough for several first-class trips to Asia or up to 20 round-trips in the U.S.

Punzenberger declined to say what kinds of flaws the hackers found but said their information had been turned over to company researchers. “We’re confident that our systems are secure,” he said.

USA TODAY

Technical glitch disrupts United flights nationwide

USA TODAY

Reservation system glitch slows United Airlines fliers

United has suffered several major problems with technology systems since 2012, when it switched passenger-reservations and other systems over to those that had been used at its smaller merger partner, Continental Airlines. Last week, all United flights were briefly grounded and more than 1,000 delayed after one such breakdown, which the airline blamed on a faulty computer router. A smaller outage occurred in June.

Airlines “take all necessary precautions” to keep customer data secure, and most if not all have internal programs that continuously check systems for intrusions, said Jean Medina, a spokeswoman for the industry trade group Airlines for America. She said, however, that the group isn’t aware of any other airline offering a bug bounty.

Bounties are common in the tech world. Companies use them to enlist so-called white-hat hackers with enough specialized skill to spot security gaps before cybercriminals use them to steal customer information or crash websites.

USA TODAY

United now flying its Dreamliners to six continents

Chris Petersen, chief technology officer and co-founder of LogRhythm, a Boulder, Colo.-based security intelligence company, said bug bounties are growing in popularity, as companies race to shut all the backdoors into their systems before the black-hat hackers find them.

But there just aren’t that many people out there with the needed abilities.

“It’s very specialized and there aren’t that many people (who) are very good at it,” Petersen said. “Those that are, are very expensive to hire.”

Google, Yahoo, Microsoft and others publish bounty rules on their sites.

Facebook, for example, asks hackers for “reasonable time” before going public with their findings. It promises not to sue or call law enforcement on tipsters if they do their best to avoid privacy violations and service interruptions during their research.

United Airlines pulling out of JFK

In a major shift in strategy, United Airlines is relocating all its transcontinental flights from New York JFK to its Newark hub.

Due to take effect in October, the premium cross-country flights will depart and arrive at Newark, made possible by a slot swap with Delta Air Lines.

United has agreed to trade its JFK landing slots with Delta in exchange for more slots at Newark, subject to regulatory approvals.

United says it has been losing money at JFK for years, losing lucrative business traffic as it did not offer any onward connections at JFK.

Travellers had to head over to Newark to board transatlantic flights or other mainline connections.

United also plans to upgrade its Terminal C lobby and renovate airport lounges at Newark and from October 25 will add more Boeing 757s to its Newark-California fleet which could grow to 32 flights a day by mid-2016.

“It makes us even stronger in the New York-New Jersey market,” said Jim Compton, United’s chief revenue officer.

“Our customers have asked for this service into our premier hub. We are investing in the three critical components of the travel experience for our customers – our network, our product and our facilities.”

Scary in-flight hacking details come to light in FBI probe

FBI: Security researcher took over controls of plane

The security researcher booted from a United Airlines flight last month had previously hacked into a plane’s flight deck systems to momentarily alter its course, according to FBI search warrant.

Chris Roberts, a security researcher with One World Labs, told the FBI in February he had hacked the in-flight entertainment system and re-coded the plane’s Thrust Management Computer allowing him to alter its course.

“He stated that he thereby caused one of the airplane engines to climb resulting in a lateral or sideways movement of the plane during one of these flights,” FBI Special Agent Mark Hurley said in the warrant application.

“He also stated that he used Vortex software after comprising/exploiting or ‘hacking’ the airplane’s networks to monitor traffic from the cockpit system.”

Roberts was taken off a United Airlines flight following a joke Tweet about its security vulnerabilities and questioned by FBI agents for several hours.

He also told investigators he had accessed in-flight systems on more than a dozen previous occasions between 2011 and 2014.

Some in the information security industry have expressed doubt about the claims while others disbelief at his actions.

“You cannot promote the idea that security research benefits humanity while defending research that endangered hundreds of innocents,” said Alex Stamos, chief information security officer of Yahoo.

Roberts also told WIRED the media attention has irked One World’s investors who have pulled out, resulting in half of its workforce being laid off.