Hacker uncovers ‘No Fly List’ on unprotected server

A Swiss hacker known as “maia arson crimew” discovered an unprotected server maintained by a U.S. national airline that contained the personal information of hundreds of thousands of people on the federal “No Fly List” and terrorism database.

The identities of nearly 1,000 CommuteAir employees were also compromised, according to the airline. According to the hacker, who first revealed the news to the Daily Dot, the exposed infrastructure could have allowed a bad actor to “completely own” the airline.

In a blog post titled “How to Completely Own an Airline in 3 Easy Steps and Grab the TSA No Fly List Along the Way,” the author detailed how boredom led to a search for internet-exposed servers running Jenkins, an open-source automation tool.

Crimew claimed it took her only minutes to connect to the server and find the credentials that allowed her to view the database. She stated that she was exploring the servers to relieve boredom while sitting alone and had no intention of discovering anything with US national security implications. The credentials she discovered that granted her access to the files also granted her access to internal interfaces that controlled refueling, canceling and updating flights, and swapping out crew members, she added.

The total number of entries on the list appeared to be more than 1.5 million. The information included names and birth dates. It also included multiple aliases, bringing the total number of unique people to far fewer than 1.5 million.

The server was taken offline prior to publication after the Daily Dot alerted CommuteAir, which said in a statement that the server was used for testing and development. The TSA stated that it was “aware of a potential cybersecurity incident with CommuteAir, which we are investigating in collaboration with our federal partners.”

The sources for this piece include an article in BusinessInsider.

IT World Canada Staff
