At a glance.
- Hacker finds US no-fly list left exposed on the web.
- Update on the LAUSD ransomware attack.
- ICE releases victims of recent data breach.
Hacker finds US no-fly list left exposed on the web.
Air travel is having a bad month. On the heels of a holiday flight cancellation crisis that left travelers and lost baggage stranded at airports, a hacker is claiming to have accessed the US Transportation Security Administration’s (TSA) no-fly list. Composed of known or suspected terrorists who are barred from flying in the US, the no-fly list was apparently being stored on the public internet on an unsecured computer server hosted by regional airline CommuteAir. “TSA is aware of a potential cybersecurity incident, and we are investigating in coordination with our federal partners,” TSA told CNN. CommuteAir, based in the US state of Ohio, says the data in question was “an outdated 2019 version of the federal no-fly list” that included names and birthdates of the subjects. The airline added that the leak was the result of a misconfigured development server, and that the data was removed from the web after the hacker informed them of the exposure.
As Vice explains, the researcher, who goes by the handle “maia arson crimew,” found the list on an unsecured Jenkins server while exploring the Shodan search engine. The hacker, a 23-year-old Switzerland resident who also claims to be a cybersecurity researcher, stated, “It should never be this easy to just completely (breach) an entire airline.” “Maia” also questioned whether the list should exist at all, calling it “a perverse outgrowth of the U.S. police and surveillance state.” As Live and Let's Fly notes, the breach revealed that the no-fly list has grown to 1.5 million names (though some are aliases belonging to one individual), which has caused some experts to question whether all of the list’s targets deserve to be on it.
Sammy Migues, principal scientist at Synopsys Software Integrity Group, commented that this problem isn't confined to the public sector, still less to TSA or the airlines; it is a more general one. “Unsecured public-facing servers are an attacker’s bread-and-butter and an organization’s nightmare. This is especially true when the server is unsecured long enough to appear in connected-device search engines such as Shodan and ZoomEye. In this case it appears that the unsecured server was running Jenkins, which provides automation for software development toolchains. With some exploration and lateral movement, it appears there was access to production systems that held sensitive information, including an older version of a US no-fly list.”
Update on the LAUSD ransomware attack.
As we’ve previously discussed, the Los Angeles Unified School District (LAUSD), the second largest K-12 system in the US, suffered a ransomware attack last year, after which the threat group Vice Society published over 500 gigabytes of stolen district data on the dark web. According to a breach notification letter the district sent to former contract employees earlier this month, the stolen files included Social Security numbers and other personal information belonging to contract workers employed by LAUSD, StateScoop reports. The district says the hackers had access to the district’s networks from last July 31 to September 3, 2022, and the exposed servers included labor compliance documents related to facilities contracts. LAUSD has responded to the attack by establishing an IT task force focused on the district’s cybersecurity, as well as resetting passwords for all network users. In addition, a board vote granted Superintendent Alberto Carvalho emergency spending powers to issue no-bid contracts without going through the usual financial disclosure procedures.
Stephan Chenette, Co-founder and CTO at AttackIQ, points out that the data schools hold make them an attractive target. He also points out that school security programs are often resource poor:
“Educational institutions continue to be an attractive target for cybercriminals because they store large amounts of valuable Personally Identifiable Information (PII) and often lack critical resources for proper security measures. It is unknown how the adversary gained access to the school district’s systems, but it is nonetheless critical for educational organizations to implement security solutions that monitor and scan the organization’s owned and managed assets for potential vulnerabilities in order to prevent disruption.
“School districts’ lack of staff and resources to defend against cyber threats makes them an attractive target for cybercriminals. The aftermath of a ransomware attack on underfunded school systems can be crippling, both financially and in loss of data. To prevent another similar attack, school districts should study the common tactics, techniques, and procedures used by common threat actors, which will help them build more resilient security detection, prevention, and response programs mapped specifically to those known behaviors. Organizations should use automated solutions that safely validate their defensive controls against ransomware campaigns and their techniques to better prepare for the next threat.”
ICE releases victims of recent data breach.
Governing.com reports that US Immigration and Customs Enforcement (ICE) officials have released nearly three thousand immigrants whose personal data were inadvertently posted on the web. The exposed data, which include birth dates, nationalities, and detention locations, were accidentally posted to the ICE website by government officials in November 2022, and immigration experts say the leak could put the victims at the mercy of the governments or individuals from which they’ve escaped. ICE has agreed not to deport any of the individuals impacted by the breach until they have a chance to raise the issue in immigration court. Unfortunately, over one hundred of the victims had already been deported by the time the leak was discovered, and a handful more were deported shortly after the exposure occurred. ICE says they will assist any of the deported individuals who would like to return to the US.
Heidi Altman, director of policy of immigration advocacy organization the National Immigrant Justice Center, says ICE should go a step further and guarantee the safe return of the deported individuals. “Although inadvertent, ICE put lives at risk through this data breach,” Altman explains. “The commitments ICE has made to those impacted will go a significant way toward mitigating the harm done, but only if ICE is diligent and transparent in making good on its promises.” The breach led several members of Congress to question ICE’s dedication to protecting the data of asylum seekers. In a letter sent to ICE leadership in December, the officials stated, "We believe that ICE's failure to comply with simple regulations to protect asylum-seekers have potentially endangered the lives of these vulnerable individuals and their families and urge you to take immediate action to ensure the privacy of this and other sensitive information held by the agency.” An ICE spokesperson commented, “Though unintentional, this release of information is a breach of policy and the agency is investigating the incident and taking all corrective actions necessary.”