Update: Version 1.1.0 can be found via PDF here. This is Version 1.0.0 on this page currently.
Now that we’ve cleared through all of that (thank you if you’re still here) we’re beginning to get at the fun stuff. I’d like to remind folks to be safe, don’t do anything stupid, and everything I’m writing is for informative purposes. Also if you blame me for doing something stupid I will throw the ugliest stuffed animals at you for the rest of eternity.
On a recommendation I got, for any example I provide I’ll also list things airlines can do to prevent the issue or at least alleviate it. Also, anytime I refer to any airline on this page I’m just going to write: [airline]. I’m very or pretty familiar with four airlines so feel free to guess which one.
Disclaimer: Everything here came from research, observation, or Google-ing; there’s no SSI.
- Things to know about airlines
- Airline Culture and Common Issues
- Inner Airline Employee Views and Issues
- Airline Employees Views
- USB ports
- Old legacy entries
- Insider Threat
- Why are we still using legacy systems?
- Fun things observed
- Passenger walk through
What is airportitus?
“The condition of a passenger immediately becoming incapable of rational or logical thinking upon entering the airport including 1337 hackers. Symptoms with this include severe irritability, anger, confusion, loss of oneself and their surrounding, crying, screaming, shouting, stop doing basic opsec. People forget things like who their airline is, go to the wrong areas, wrong gates, leave IDs, boarding passes, wallets, laptops, tablets, phones, etc., leave them unsecured. They are dazed out, lost their soul at the airport via TSA, the aircraft, gate areas, that type of thing.”
Airline folks feel like they are safe and secure in their world from passengers who don’t know what they’re doing. That and with all the federal fines and prison time allotted to virtually anything that happens at the airport they’re pretty confident on things.
No one understands us since they’re all afflicted with airportitus so it’s our private world.
Airline Employees Views
Agents really view their world as being impossible as an outsider to understand. They don’t view themselves as targets, especially if they’re ticket or gate agents. They’re low fish in the system outside of seniority, why would they get targeted?
- Don’t make another dull boring online training thing they have to click through on this. Sit down with your folks. Get this into their heads: They are targets.
I chased folks down for an entire year regardless as to which airline they were at because of passwords.
At [airline] in the legacy system it is really easy to shoulder surf someone typing in their login as it’s just their two digit alphanumerical public sine (this is what you see on boarding passes if someone prints it for you) and four numbers. Yes, the thing preventing them from getting onto the system is literally four numbers and there’s no attempt at even obfuscating the physical view of it.
- Obfuscate at least entering credentials that are supposed to be private, it should be an automatic thing to do. Not doing at least that as a bare minimum is just a lot of, “Wat,” to things.
At most airlines the password requirements are hideous, worse if you have to use multiple systems for different job duties. Some systems allow special characters, some don’t allow any at all, and others say you must use a minimum of 8 characters with special characters, so you attempt it for an hour only to realise in the end that not only are you allowed a very limited choice of special characters but the cap is at… 8.
Did I also mention the wild policy of how frequently the passwords are changed? Some places even require a change weekly. There’s no consistency in the expiry across the systems. It makes it so hard for employees to keep creating new unique passwords that fit the requirements for each system they’re on that they end up making passwords like this:
- LASDCA95 - Las Vegas to Washington, DC flight route they work, 95 for year of birth
- XXX#1229 - The three letter airline code, flight number they work on
- 4160mi#29 - The miles of a flight they work, flight number
If you’re optimistic like me you’re probably hoping I made up some shitty passwords.
These are real, exact setups, and the only manageable, consistent scheme some folks have found, so long as they don’t run out of unique flights to turn into passwords.
If that wasn’t all pretty clear this really, really, frustrates people. To the point where it is actively encouraged amongst airline employees to write down their passwords. This is highly suggested even. Non-technical folks think it is clever to text their password to themselves. I call this the password epidemic because their passwords are virtually everywhere. Their passwords and login information are on sticky notes, taped to the back of their lanyard cards, put onto their non-protected phones, typed up in e-mails… I really wasn’t joking on everywhere.
This doesn’t even go into people being frustrated enough they hand over their credentials to someone else.
Or forget to log out. Log ins are persistent in a lot of legacy systems. Aka unless you check for sure you’re under your own sine you may be doing all of your work and transactions… under someone else. Oops.
Agents absolutely love to be clever or at least think they are. It helps with the boredom when there’s nothing to do and there’s no more gossip left to talk about until something else happens. Passwords happen to be one specific area of that.
- Make password requirements consistent.
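A password-change check that rejects the work-derived patterns listed above (route, airline code plus flight number, distance, birth year). This is an added example, not code from any airline system; the airport list, the `XXX` airline code and the function names are assumptions for illustration.

```python
import re

# Constructed reference data; a real deployment would load the full airport
# list and the carrier's own code. "XXX" is the page's stand-in airline code.
AIRPORT_CODES = {"LAS", "DCA", "JFK", "LAX", "ORD", "SFO"}
AIRLINE_CODES = {"XXX"}

def airport_codes_in(text):
    """Scan left to right for non-overlapping three-letter airport codes."""
    found, i, text = [], 0, text.upper()
    while i <= len(text) - 3:
        if text[i:i + 3] in AIRPORT_CODES:
            found.append(text[i:i + 3])
            i += 3
        else:
            i += 1
    return found

def weak_pattern_reasons(password, birth_year=None):
    """Return the work-derived patterns a candidate password matches."""
    reasons = []
    # Two airport codes back to back read as an origin/destination pair.
    if len(airport_codes_in(password)) >= 2:
        reasons.append("route")
    # Carrier code followed (optionally after one symbol) by a flight number.
    airline = "|".join(re.escape(code) for code in sorted(AIRLINE_CODES))
    if re.search(rf"(?:{airline})\W?\d{{1,4}}", password, re.I):
        reasons.append("airline+flight")
    # A number with a distance unit, such as the mileage of a flight.
    if re.search(r"\d{3,5}(?:mi|km|nm)(?![a-z])", password, re.I):
        reasons.append("distance")
    # The user's own birth year, in four- or two-digit form.
    if birth_year is not None:
        years = f"{birth_year}|{birth_year % 100:02d}"
        if re.search(rf"(?<!\d)(?:{years})(?!\d)", password):
            reasons.append("birth-year")
    return reasons

if __name__ == "__main__":
    samples = [("LASDCA95", 1995), ("XXX#1229", None), ("4160mi#29", None)]
    for candidate, year in samples:
        print(candidate, weak_pattern_reasons(candidate, birth_year=year))
```

A check like this only helps alongside consistent requirements and sane expiry; on its own it just pushes people to the next easy pattern.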
USB ports
People really love to plug in things all the time. Don’t get me wrong, most of the computers don’t have access to USBs, especially out in the ticket counter or gate areas, without a key. That’s really good. Though everyone who works in those areas has access to said keys, plus when you’re in the office areas in the back we’re now in USB port wonderland.
Airports clearly have a lot of lost items due to airportitus. So what do people do when they see a USB on the ground? They plug it in, to the dismay of a frantic Avi trying to grab the USB someone found near a gate podium, which they then smugly put into the desktop saying, “See there’s nothing wrong with it you’re overreacting.”
No matter what the policy is, no matter what other people tell them, people will plug things in. Sometimes it’s because they really do want to help find out whose item it is but other times it’s their phones, random other things they find.
- Secure those USB ports. If an employee must use a USB, issue a company USB for them. It’s not enough to just tell people, “Don’t plug in a USB,” stop them from being able to do it at all. The few pages of training on this aren’t enough. Prevent it from happening at all.
Old legacy entries
Back to airline folks feeling like they’re in a different world that no one else can understand: it extends to saying legacy system commands out loud. If you pick up on the language you can figure out exactly what they’re doing. Not really useful without access to a machine, but if you want to pick up on the pattern and understand the lingo it’s a great place to begin.
- This is really a personal thing for employees and mostly just those who know the legacy systems. New employees from the last two years on the other hand have essentially no exposure to the legacy systems at this point which is great since the new systems tend to be very intuitive. Except for the generations who’ve only known the old system and now don’t want to change.
Insider Threat
Insider threat is a massive issue whether passively or maliciously. What do I mean by passively or maliciously?
Overriding the system to give people better seats by either evading the company’s logging system and/or understanding the rules to back themselves up with ‘correct’ documentation (against corporate policy which states you should be charging for all upgrades for revenue, etc).
This, to passengers and to a lot of employees, is a good thing. It’s stupid airlines charge for seats right? Except if an employee can evade the logging system because they have or found a specific entry that doesn’t trigger it to log what happened a lot more things are possible.
- This is already being cracked down on at many airlines, but of course if you’re observant and see what ticks the logs or not it doesn’t take much to figure out the rest. Move people away from the raw legacy systems. That’s where all the access is at. Limiting it and implementing checks and balances like [airline] did to their employees on various interactions is really good. Also, developers for the new systems may not have all of the possible entries I’ve observed, which folks with the older entries used to evade the logging, due to repeated and multiple mergers over time.
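One way to catch entries that never reach the log is to compare the state itself against the audit trail instead of trusting the log alone. The example below is added here and is not code from any airline system; the record locators, sines, field names and the `reconcile` function are hypothetical.

```python
# Constructed sample data: cabin per record locator at two points in time,
# plus the audit events recorded in between. All values are hypothetical.
BEFORE = {"ABC123": "economy", "DEF456": "economy",
          "GHI789": "economy", "JKL012": "economy"}
AFTER = {"ABC123": "first", "DEF456": "first",
         "GHI789": "economy", "JKL012": "first"}
AUDIT = [
    {"pnr": "ABC123", "action": "cabin_change", "sine": "A1", "payment": "card"},
    {"pnr": "JKL012", "action": "cabin_change", "sine": "B2", "payment": None},
]

def reconcile(before, after, audit):
    """Return (pnr, finding, sine) for cabin changes the audit trail cannot explain."""
    events = {}
    for event in audit:
        if event["action"] == "cabin_change":
            events.setdefault(event["pnr"], []).append(event)
    findings = []
    for pnr in sorted(after):
        if before.get(pnr) == after[pnr]:
            continue  # state did not change, nothing to explain
        matching = events.get(pnr, [])
        if not matching:
            # The state moved but nothing was logged: the gap itself is the alert,
            # and there is no sine to attribute it to.
            findings.append((pnr, "unlogged cabin change", None))
        elif not any(e["payment"] for e in matching):
            # Logged, but no payment recorded against the change.
            findings.append((pnr, "logged without payment", matching[-1]["sine"]))
    return findings

if __name__ == "__main__":
    for finding in reconcile(BEFORE, AFTER, AUDIT):
        print(finding)
```

Because the comparison starts from what changed rather than from which entry was typed, it does not depend on knowing every legacy entry that can alter a reservation.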
Someone booking themselves out of the country. This would take someone less than a minu- okay so maybe 2-3 minutes for an average typer who already knew the information necessary and how to make a fully functional reservation and print a boarding pass on [airline]. Basically on [airline] you need to just find flight segments, grab the availability, get some very specific seats I hope that two years later they’ve fixed the issue with but anyways, 6-7 lines total of the actual PNR information, override payment by selecting cash, enter in their APIS data, override baggage tags or use manual tags, go through security and leave the country.
Clearly this creates logs in the systems that go to several different departments but at this point you really wouldn’t care anymore. Why not use flight benefits? Well what if you didn’t have buddy passes and wanted to get someone out? Or find a way to automate it. Plug in a USB somewhere that’s open. Do tons of free flights. Make templates because you already know how to do this. Who knows.
Use your imagination. It doesn’t take much to say this is an issue.
- Repeating again: get people away from the raw legacy system that has no restriction. Thank goodness with the new systems they really did well with limiting access albeit with all the new security issues.
- Secure those USB ports. I can’t stress this enough: stop folks from being able to plug things in. 99% of the employees do not need the USB ports.
Why are we still using legacy systems?
Airlines use legacy reservation systems that were built in the 1970s (e.g. SABRE, SHARES). They’re all very similar with mostly syntax differences. Most of them are now going ‘in-house’ for their new systems which typically means that the backend is the legacy system with a GUI over it. Unfortunately what folks created in the ‘70s is deeply rooted everywhere and now no one wants to get out of it because of the hassle, the training costs, and so forth.
If you’re able to read and understand the full legacy system entries and logs you can read and get a lot more PII (e.g. ending credit card numbers, credit card types, on [airline] the address is there randomly at times too, etc.) than the agent needs.
As we already learned, though, everyone knows things are constantly changing, but a lot of people don’t like change. Seniority and how it works at the airline creates a toxic environment reinforcing the usage of very open systems.