
Fly You Fools – U.S. airline accidentally exposes ‘No Fly List’ and Private info of ~1000 Employees on unsecured server

Lightwreather

Summary

It appears the US aviation industry just can't catch a break. Following on the heels of the FAA's NOTAM system failure and Southwest's operational meltdown, an unsecured server used by CommuteAir (which also operates certain flights as United Express) contained the identities of hundreds of thousands of individuals from the U.S. government's Terrorist Screening Database and "No Fly List." It also revealed a vast amount of company data, including private information on almost 1,000 CommuteAir employees.

 

In a statement to the Daily Dot, TSA said that it was “aware of a potential cybersecurity incident with CommuteAir, and we are investigating in coordination with our federal partners.”

The FBI declined to answer specific questions about the list to the Daily Dot.

In a statement to the Daily Dot, CommuteAir said that the exposed infrastructure, which it described as a development server, was used for testing purposes.

CommuteAir added that the server, which was taken offline prior to publication after being flagged by the Daily Dot, did not expose any customer information based on an initial investigation.

CommuteAir also confirmed the legitimacy of the data, stating that it was a version of the “federal no-fly list” from roughly four years prior.

“The server contained data from a 2019 version of the federal no-fly list that included first and last names and dates of birth,” CommuteAir Corporate Communications Manager Erik Kane said. “In addition, certain CommuteAir employee and flight information was accessible. We have submitted notification to the Cybersecurity and Infrastructure Security Agency and we are continuing with a full investigation.”

 

Quotes

Quote

An unsecured server discovered by a security researcher last week contained the identities of hundreds of thousands of individuals from the U.S. government’s Terrorist Screening Database and “No Fly List.” 

Located by the Swiss hacker known as maia arson crimew, the server, run by the U.S. national airline CommuteAir, was left exposed on the public internet. It revealed a vast amount of company data, including private information on almost 1,000 CommuteAir employees.

Analysis of the server resulted in the discovery of a text file named “NoFly.csv,” a reference to the subset of individuals in the Terrorist Screening Database who have been barred from air travel due to having suspected or known ties to terrorist organizations.

From VICE, on how the "hacker" gained access:

Quote

As first reported by The Daily Dot, a Swiss hacker known as maia arson crimew discovered the list on an unsecured Jenkins server one night while poking around on Shodan, a search engine that lets people look through servers connected to the internet. 

“Like so many other of my hacks this story starts with me being bored and browsing shodan (or well, technically zoomeye, Chinese shodan), looking for exposed jenkins servers that may contain some interesting goods,” crimew said in a blog about the leak. “At this point I've probably clicked through about 20 boring exposed servers with very little of any interest, when I suddenly start seeing some familiar words. ‘ACARS,’ lots of mentions of ‘crew’ and so on. Lots of words I've heard before, most likely while binge watching Mentour Pilot YouTube videos. Jackpot. An exposed jenkins server belonging to CommuteAir.”

 

My thoughts

So it appears that while safety is a large priority in the aviation industry, IT infrastructure and security is not. That being said, the server was taken offline prior to the publication of the original article, and it appears no one has taken advantage of this vulnerability. As a customer, you needn't worry either. However, exposed servers are still a big issue on the wider web, and unfortunately they can only be handled by the person running the server.

 

Sources

The Verge [I'm sorry Verge, but does this really count as an article?]

The Daily Dot

VICE

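The thing that made this story possible is narrow: a Jenkins server that anyone on the internet could read without logging in, findable by browsing Shodan or ZoomEye for exposed instances. Below is an added example (not code from the post, from CommuteAir or from the Jenkins project) of the two checks a practitioner would run: one from the outside, classifying what an unauthenticated request to `/api/json` gets back, and one from the inside, auditing `$JENKINS_HOME/config.xml` for the settings that grant anonymous access. The header names and XML class names are the ones Jenkins uses; every sample response and config fragment is constructed.

```python
"""Two checks for the failure mode in this story: a Jenkins server that anyone on
the internet can read without logging in. classify_jenkins_response() judges the
instance from the outside (what a Shodan/ZoomEye browser sees); audit_config_xml()
judges it from the inside ($JENKINS_HOME/config.xml). Added example, not code from
the post, from CommuteAir or from the Jenkins project. The header names and XML
class names are the ones Jenkins uses; every sample response and config fragment
here is constructed.
"""
import json
import re
import urllib.error
import urllib.request


def classify_jenkins_response(status, headers, body):
    """Classify one response to an unauthenticated GET <base>/api/json.

    'not-jenkins'     no X-Jenkins header, so not a Jenkins instance
    'anonymous-read'  200 with a job list: jobs, workspaces, build logs and
                      artifacts are browsable with no credentials at all
    'auth-required'   403 (Jenkins names the missing permission, normally
                      hudson.model.Hudson.Read, in X-Required-Permission)
    'other'           login redirect, 5xx, non-JSON body, ...
    """
    h = {k.lower(): v for k, v in headers.items()}
    if "x-jenkins" not in h:
        return "not-jenkins"
    if status == 200:
        try:
            data = json.loads(body)
        except ValueError:
            return "other"
        return "anonymous-read" if isinstance(data, dict) and "jobs" in data else "other"
    return "auth-required" if status == 403 else "other"


def check_anonymous_read(base_url, timeout=5.0):
    """Fetch /api/json with no credentials and classify the answer.
    Only point this at instances you are authorised to test."""
    req = urllib.request.Request(base_url.rstrip("/") + "/api/json",
                                 headers={"User-Agent": "jenkins-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_jenkins_response(resp.status, dict(resp.headers), resp.read())
    except urllib.error.HTTPError as err:
        return classify_jenkins_response(err.code, dict(err.headers), err.read())


UNSECURED = "hudson.security.AuthorizationStrategy$Unsecured"
LOGGED_IN = "hudson.security.FullControlOnceLoggedInAuthorizationStrategy"
ANON_READ_GRANT = re.compile(
    r"<permission>(?:USER:|GROUP:)?hudson\.model\.Hudson\.Read:anonymous</permission>")


def audit_config_xml(xml_text):
    """List the ways a config.xml lets anonymous users in; [] means none found."""
    findings = []
    if re.search(r"<useSecurity>\s*false\s*</useSecurity>", xml_text):
        findings.append("useSecurity=false: no authentication or authorization at all")
    m = re.search(r'<authorizationStrategy\s+class="([^"]+)"', xml_text)
    strategy = m.group(1) if m else ""
    if strategy == UNSECURED:
        findings.append("authorizationStrategy=Unsecured: anonymous has full control")
    elif strategy == LOGGED_IN and re.search(
            r"<denyAnonymousReadAccess>\s*false\s*</denyAnonymousReadAccess>", xml_text):
        findings.append("denyAnonymousReadAccess=false: anonymous can read every job")
    elif ANON_READ_GRANT.search(xml_text):
        findings.append("matrix grants Overall/Read to anonymous")
    if re.search(r'<securityRealm\s+class="hudson\.security\.SecurityRealm\$None"', xml_text):
        findings.append("securityRealm=None: no user database, so everyone is anonymous")
    return findings


# Constructed config fragments: the wide-open shape, the anonymous-read shape, and the fix.
EXPOSED_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>
  <securityRealm class="hudson.security.SecurityRealm$None"/>
</hudson>
"""
ANON_READ_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>false</denyAnonymousReadAccess>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
  </securityRealm>
</hudson>
"""
HARDENED_CONFIG = ANON_READ_CONFIG.replace(
    "<denyAnonymousReadAccess>false", "<denyAnonymousReadAccess>true")

if __name__ == "__main__":
    for name, cfg in [("exposed", EXPOSED_CONFIG), ("anon-read", ANON_READ_CONFIG),
                      ("hardened", HARDENED_CONFIG)]:
        print(name, audit_config_xml(cfg) or ["ok"])
```

The outside check is deliberately a single unauthenticated request: an instance that answers `/api/json` with a job list is already leaking everything in its workspaces, which is the situation described in the quotes above. The inside check covers the three ways the setting goes wrong in practice: security switched off, the "anyone can do anything" strategy, and the "logged-in users can do anything" strategy with anonymous read left enabled. A development or test instance gets no exemption; it was a development server in this story.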

-= Moved to GD =-

Your topic is well written (good example of a TN outline though 👍), but the context doesn't meet the definition of Tech news. This article is focused on a company's lack of security discipline rather than actual technology being used or improved. 


The list should be public so that we all can see that the government infringes on people's rights WITHOUT a trial or other legal protection. I'm not against preventing people who actually try to blow the plane up from flying. But this should be based on actual court-proof evidence and not just a claim by the government.

 

If a person is so bad that they are not allowed to fly (or have to be imprisoned in Guantanamo Bay, or killed by a drone), there should be some evidence that would hold up in court, right? If we don't use courts to punish people, we would be like China....

 

Benjamin Franklin once said: "Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."


Summary

Maia arson crimew said she was clicking around on an online search engine full of unprotected servers on January 12 when she accessed a Jenkins server maintained by a little-known airline and found the highly sensitive documents, along with what she called a "jackpot" of other information. The list is from 2019 and contains over 1.56m people. Prior to finding the no-fly list, while she was looking around, she started trying to find journalists interested in a probably pretty broad breach of US aviation. She unfortunately got people's hopes up, as they thought she was behind the TSA problems and groundings a day earlier. She said, "but unfortunately I'm not quite that cool."

 

Quotes

Quote

While browsing files in the company's server, "it dawned on me just how heavily I had already owned them within just half an hour or so," crimew wrote in a blog post detailing the hack. The credentials she found, which gave her access to the files, would also allow her access to internal interfaces that controlled refueling, canceling and updating flights, and swapping out crew members — if she were so inclined, she wrote.

 

My thoughts

 

The information on this is huge; there is no way the TSA or any homeland security organization in the U.S. is going to let this go by. But of course, this is a story of how one of the most secretive documents in the United States, one of the most important documents when it comes to safeguarding the country and making sure that the right people, and not the wrong people in the eyes of the government, can access U.S. airspace, ended up being leaked through a company that had one of the most insecure servers hanging out for the world to see.

 

Sources

https://maia.crimew.gay/posts/how-to-hack-an-airline/ blog post from hacker

https://www.businessinsider.com/hacktivist-finds-us-no-fly-list-reveals-systemic-bias-surveillance-2023-1 Insider article

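The quoted blog post makes a second point beyond the list itself: the server also held credentials that would have opened internal refuelling and crew-scheduling interfaces. Build console output, job `config.xml` files and workspace checkouts are where that material collects on a Jenkins server, so the first thing to do after finding (or running) one is to sweep it for secrets. The scanner below is an added example, not code from the post, from crimew or from Jenkins; it runs a handful of credential patterns over constructed log and config lines (every host name and value is made up; the AWS pair is Amazon's documented placeholder pair) and reports each hit with the value redacted.

```python
"""Credential sweep over the kinds of text a Jenkins server holds: build console
logs, job config.xml files, workspace checkouts. Added example, not code from the
post, from crimew or from Jenkins. Every host name and value below is constructed;
the AWS pair is Amazon's documented placeholder key pair.
"""
import re

# (kind, regex, index of the group that holds the secret value)
PATTERNS = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), 0),
    ("aws-secret-access-key",
     re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"), 1),
    # user:pass@host inside any URL (git remotes, curl targets, JDBC strings)
    ("url-embedded-credentials",
     re.compile(r"\b[a-z][a-z0-9+.-]*://[^/\s:@]+:([^/\s@]+)@", re.I), 1),
    ("curl-basic-auth", re.compile(r"(?:^|\s)-u\s+[^\s:]+:(\S+)"), 1),
    ("password-or-token-assignment",
     re.compile(r"(?i)\b(?:password|passwd|pwd|secret|token)\s*[=:]\s*['\"]?([^\s'\"]{6,})"), 1),
    # Jenkins stores these encrypted with the key under $JENKINS_HOME/secrets/;
    # anyone who can read the server can read that key too, so treat them as plaintext.
    ("jenkins-secret-element",
     re.compile(r"<(password|passphrase|secretKey|secret)>([^<]+)</\1>"), 2),
]


def redact(value):
    """Keep enough to recognise the hit, never the whole value."""
    return value[:3] + "...(" + str(len(value)) + " chars)"


def scan_text(text):
    """Return one finding per (line, pattern) hit: {'line', 'kind', 'preview'}."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, rx, group in PATTERNS:
            for m in rx.finditer(line):
                findings.append({"line": lineno, "kind": kind,
                                 "preview": redact(m.group(group))})
    return findings


# Constructed sample: a few console-log lines followed by a slice of a job config.xml.
SAMPLE_LOG = """\
[Pipeline] sh
+ curl -u crewops:Summer2019! https://acars-gw.internal.example/api/v1/flights
+ export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+ export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+ python sync_nofly.py --src s3://ops-bucket/NoFly.csv
Connecting to https://fueling.internal.example with token=eyJhbGciOiJIUzI1NiJ9.abc.def
<scm class="hudson.plugins.git.GitSCM">
  <url>https://deploy:hunter22@git.internal.example/ops/crew-tools.git</url>
<password>{AQAAABAAAAAQ5}</password>
Build step 'Execute shell' marked build as failure
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG):
        print(f"line {f['line']:>2}  {f['kind']:<28}  {f['preview']}")
```

The point of the redaction is that the scan report is itself going to be pasted into a ticket or a chat; a report that reproduces the secrets it found just creates a second copy of the exposure. Anything the sweep turns up on a server that was reachable anonymously has to be treated as compromised and rotated, whatever the access logs say.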

Your first source is very funny. First time I've seen a ".gay" domain used for... stuff I can talk about on the forums. 

 

I'll request the list, saying I'm a researcher - next time there's a fly in my room, I'll just open the Word document and poof, no fly. 


Waiting for someone to release it publicly. Seems to require proper credentials to prove you are who you claim to be to obtain the list.


13 hours ago, TetraSky said:

Waiting for someone to release it publicly. Seems to require proper credentials to prove you are who you claim to be to obtain the list.

I hope no one does, I would imagine there’s a tremendous amount of PII data on a document like that. 


13 hours ago, TetraSky said:

Waiting for someone to release it publicly. Seems to require proper credentials to prove you are who you claim to be to obtain the list.

If the data were to become publicly available, I wonder if typing in your phone number is enough to check whether you are on the no-fly list.

have i been pwned verifies whether your account has been breached by phone number or email address.


21 minutes ago, mononymous said:

If the data were to become publicly available, I wonder if typing in your phone number is enough to check whether you are on the no-fly list.

have i been pwned verifies whether your account has been breached by phone number or email address.

You can also just call an airline and ask if you can fly or not. Just like asking for your own SSN information or filing a FOIA request on your own name with a specific agency is easy to do.

 

The article calls the list 'one of the most secretive documents', but the truth is more likely mundane, i.e. the information is mostly PII, with the justification for any specific name being on the no-fly list possibly being sensitive.
