
Hacker finds copy of TSA no-fly list on exposed cloud storage

source link: https://siliconangle.com/2023/01/22/hacker-finds-copy-tsa-no-fly-list-exposed-cloud-storage/


A copy of the U.S. Transportation Security Administration’s “no-fly list” has been found by a Swiss hacker exposed on the open internet in yet another case of misconfigured cloud storage.

First reported by The Daily Dot, the exposure of the database was found by a Swiss hacker known as “maia arson crimew” on a server run by regional airline CommuteAir LLC. The hacker spotted the exposed data using Shodan, a search engine used to locate servers exposed to the internet.

The server run by CommuteAir, which primarily runs regional flights for United Airlines Inc., was found to be exposing the private information of almost 1,000 employees along with a file labeled “NoFly.csv.” The file contained 1.5 million records in total, including names and dates of birth, although allowing for aliases, the total number of unique records in the database is believed to be lower.

Notable entries in the database include Russian arms dealer Viktor Bout, who was handed over to Russia in exchange for basketball player Brittney Griner, listed with 16 aliases he is believed to use. Other records included suspected members of the Irish Republican Army.

In response to the report, CommuteAir said that it had taken down the database and does not believe that any customer information was exposed based on an initial investigation. “The server contained data from a 2019 version of the federal no-fly list that included first and last names and dates of birth,” a spokesperson said. “In addition, certain CommuteAir employee and flight information was accessible.”

The news, which broke over the weekend, has not been well-received. Dan Bishop, a Republican congressman who serves on the House Homeland Security Committee, said on Twitter that Congress “will be coming for answers” and noted that “besides the fact that the list is a civil liberties nightmare, how was this info so easily accessible?”

The answer to his question was yet another case of an Amazon Web Services Inc. user not securing storage. The explanation may seem simple, but the hacker details it on a blog. It happens so often that it’s impossible to keep up with cases, though they don’t usually expose the TSA no-fly list.

“Unsecured public-facing servers are an attacker’s bread-and-butter and an organization’s nightmare,” Sammy Migues, principal scientist at Synopsys Software Integrity Group, told SiliconANGLE. “This is especially true when the server is unsecured long enough to appear in connected-device search engines such as Shodan and ZoomEye.”

In this case, he added, it appears that the unsecured server was running Jenkins, which provides automation for software development toolchains. “With some exploration and lateral movement, it appears there was access to production systems that held sensitive information, including an older version of a U.S. no-fly list,” he said.

Photo: Michael Ball/Wikimedia Commons
