It seems as if the federal government’s good name suffers more damage each week these days, with the actions of a hacker in Switzerland being only the latest blow to law enforcement’s once stellar reputation for security.
On Thursday, a security researcher posted a blog entry showing how she allegedly hacked an unsecured server with ease and was able to gain access to the U.S. government’s Terrorist Screening Database and its controversial “No Fly List,” which contains the names of hundreds of thousands of people suspected of ties to terrorism or other illegal activities.
The server was apparently under the control of the U.S. national airline CommuteAir and her hacking led her to the government files.
In her blog post, the hacker, known as “maia arson crimew,” said that within a half hour, she had uncovered the names and schedules of CommuteAir’s crews and found security credentials that would allow her to access the Transportation Safety Administration’s (TSA) No Fly list.
The list that she found had more than 1.5 million names on it, along with the lists of aliases under which they may travel, and names that the federal government tagged as banned from U.S. air travel, the Daily Dot reported.
“On the list were several notable figures, including the recently freed Russian arms dealer Viktor Bout, alongside over 16 potential aliases for him,” the Daily Dot added.
The list had a huge number of people with Arab and Middle Eastern-sounding names, as well as suspected members of the Irish paramilitary force, the IRA, and other terrorists. One individual was eight years old, according to the date of birth associated with the name.
“It’s just crazy to me how big that Terrorism Screening Database is and yet there is still very clear trends towards almost exclusively Arabic and Russian sounding names throughout the million entries,” crimew told Daily Dot.
The TSA released a statement merely saying they are “aware of a potential cybersecurity incident” with the airline’s servers and the FBI did not comment at all on the incident.
For its part, CommuteAir said that the server the hacker breached was not its working server, but was a “development server,” one used to store training materials and programs.
CommuteAir added that the server, which they have since taken offline, also contained no customer information.
The airline also noted that the No Fly list the hacker found was an outdated one.
“The server contained data from a 2019 version of the federal no-fly list that included first and last names and dates of birth,” CommuteAir Corporate Communications Manager Erik Kane told Daily Dot.
“In addition, certain CommuteAir employee and flight information was accessible. We have submitted notification to the Cybersecurity and Infrastructure Security Agency and we are continuing with a full investigation.”
While that may be true, the server did contain the names, addresses, and even the passport numbers of around 900 CommuteAir employees, and it also poses a problem for airport security.
Activists have blasted the No Fly list for its bias against Arab and Middle Eastern names, and crimew also made note of the seeming bias, telling Business Insider, “Looking at the files, it just confirmed a lot of the things me, and probably everyone else, kind of suspected in terms of what biases are in that list. Just scrolling through it, you will see almost every name is Middle Eastern.”
Interestingly, the No Fly list is not considered a classified document due to the vast number of agencies and companies that need to have access to it. Still, this is one of the first times it has ever been revealed by people outside the travel industry and law enforcement. The list also became even more controversial recently when airlines began adding the names of customers who would not wear a mask during the pandemic.
Business Insider noted that the hacker is a “staunch self-described leftist and anti-capitalist,” who was previously “indicted for conspiracy, wire fraud, and aggravated identity theft related to a previous hack in 2021.” The case, over the hacking of U.S. security cameras, is still pending.
“The DOJ alleges she and several co-conspirators ‘hacked dozens of companies and government entities and posted the private victim data of more than 100 entities on the web,’” Insider added.
As it happens, CommuteAir was hacked back in November as well. That fact spurred crimew to dryly note that this second security breach may finally push the company to get serious about its cybersecurity.
“Even the fact that they had already been hacked before apparently wasn’t enough for them to really invest in it. And that really just shows like where the priorities lie,” crimew said, adding, “I just hope they maybe learned their lesson the second time.”
Whether the list crimew exposed was “outdated” or not, though, is entirely beside the point. The fact that the hacker was able to find such sensitive information and access points that would allow her to conduct further breaches is the real problem. It shows that far too many companies with access to government servers and information do not take their computer security seriously enough, a fact that makes us all vulnerable to attack.