Tag: unsecured
How to avoid billion-dollar fines due to unsecured messaging apps
Daily Crunch: Pentagon locks down unsecured email server that exposed sensitive military data
Hello, friends, and welcome to Daily Crunch, bringing you the most important startup, tech and venture capital news in a single package.
Daily Crunch: Pentagon locks down unsecured email server that exposed sensitive military data by Christine Hall originally published on TechCrunch
A hacker stumbled upon TSA’s no-fly list via unsecured airline server
Everybody makes mistakes at work but, leaving the no-fly list exposed on the internet seems like a really bad mess-up.
That’s reportedly what happened with the U.S. airline CommuteAir. The Daily Dot reported that a Swiss hacker known as “maia arson crimew” found the unsecured server while using the specialized search engine Shodan. There was apparently a lot of sensitive information on the server, including a version of the no-fly list from four years ago. Somewhat hilariously that was reportedly found via a text file labeled “NoFly.csv.” That is…not hard to guess.
A blog post from crimew titled “how to completely own an airline in 3 easy steps” cited boredom as the reason for finding the server. They were just poking around and found it.
“At this point, I’ve probably clicked through about 20 boring exposed servers with very little of any interest, when I suddenly start seeing some familiar words,” crimew says in their blogpost. “‘ACARS’, lots of mentions of ‘crew’ and so on. Lots of words I’ve heard before, most likely while binge-watching Mentour Pilot YouTube videos. Jackpot. An exposed jenkins server belonging to CommuteAir.”
CommuteAir, a regional US airline headquartered in Ohio, confirmed the info on the server was authentic to the Daily Dot. The server has been taken offline.
“The server contained data from a 2019 version of the federal no-fly list that included first and last names and dates of birth,” CommuteAir Corporate Communications Manager Erik Kane told the Daily Dot. “In addition, certain CommuteAir employee and flight information was accessible. We have submitted notification to the Cybersecurity and Infrastructure Security Agency and we are continuing with a full investigation.”
The info from the server has already been poured over, with some researchers saying it shows how the list is heavily biased against Muslim people. According to Daily Dot, while there is no official number to how many names are on the no-fly list, Sen. Dianne Feinstein (D-Calif.) suggested in 2016, that over 81,000 people were on the list.
US Airline Accidentally Exposes ‘No Fly List’ On Unsecured Server
The list, according to crimew, appeared to have more than 1.5 million entries in total. The data included names as well as birth dates. It also included multiple aliases, placing the number of unique individuals at far less than 1.5 million. […] In a statement to the Daily Dot, CommuteAir said that the exposed infrastructure, which it described as a development server, was used for testing purposes. CommuteAir added that the server, which was taken offline prior to publication after being flagged by the Daily Dot, did not expose any customer information based on an initial investigation. CommuteAir also confirmed the legitimacy of the data, stating that it was a version of the “federal no-fly list” from roughly four years prior. […] The server also held the passport numbers, addresses, and phone numbers of roughly 900 company employees. User credentials to more than 40 Amazon S3 buckets and servers run by CommuteAir were also exposed.
Read more of this story at Slashdot.