The Transportation Security Administration’s no-fly list is one of the most important ledgers in the United States, containing the names of individuals perceived to be such a threat to national security that they are not allowed on planes. You would have been forgiven then for thinking that list was a closely guarded state secret, but lol, no.
A Swiss hacker known as “maia arson crimew” got hold of a copy of the list, albeit a version from a few years ago, not by breaking through layers of fortress-like cybersecurity, but by… finding a regional airline that had its data on unprotected servers. They announced the discovery with the photo and screenshot above, in which the Sprigatito Pokémon looks awfully pleased with itself.
As they explain in a blog post detailing the process, crimew was poking around online when they discovered CommuteAir’s servers were sitting exposed:
like many other of my hacks, this story begins when I get bored and browse Shodan (or, well, technically ZoomEye, the Chinese Shodan), looking for exposed Jenkins servers that may contain some interesting goods. At this point, I’ve probably clicked through about 20 boring exposed servers with very little of interest, when all of a sudden I start seeing some familiar words. “ACARS”, many mentions of “crew” and so on. many words I’ve heard before, most likely while binge-watching Mentour Pilot YouTube videos. jackpot. an exposed Jenkins server belonging to CommuteAir.
Among other “sensitive” information on the servers was “NOFLY.CSV,” which was, amusingly, exactly what it says on the tin: “The server contained data from a 2019 version of the federal no-fly list that included first and last names and dates of birth,” Erik Kane, CommuteAir’s Corporate Communications Manager, told The Daily Dot, which worked with crimew to leak the data. “In addition, certain information on CommuteAir flights and employees was accessible. We have sent a notification to the Cybersecurity and Infrastructure Security Agency and we are continuing with a full investigation.”
That “employee and flight information” includes, as crimew writes:
taking sample documents from various s3 buckets, reviewing flight plans and dumping some dynamodb tables. At this point, I had found almost all of the PII imaginable for every crew member. full names, addresses, phone numbers, passport numbers, pilot’s license numbers, when their next line check is due and much more. I had trip sheets for every flight, the ability to access all flight plans, a bunch of image attachments for refund flight bookings that once again contained more PII, aircraft maintenance data, you name it.
The government is now investigating the leak, with the TSA telling The Daily Dot: “We are aware of a potential cybersecurity incident, and we are investigating in coordination with our federal partners.”
If you’re wondering how many names are on the list, it’s hard to tell. crimew told Kotaku that in this version of the records “there are about 1.5 million entries, but since there are many different aliases for different people, it is very difficult to know the actual number of unique people in it” (a 2016 estimate put the numbers at “2,484,442 records, consisting of 1,877,133 individual identities”).
Interestingly, since the list was uploaded to CommuteAir’s servers in 2022, that was assumed to be the year the records came from. Instead, crimew tells me “the only reason [we] now know [it] is from 2019 is because the airline keeps confirming it in all its press releases; before that we assumed it was from 2022”.
You can read crimew’s blog post here, while The Daily Dot’s report, which says the names on the list include IRA members and an eight-year-old boy, is here.