The “No Fly List” Has Become Publicly Available

The American airline CommuteAir accidentally left on an insecure server a list of persons who should not be allowed on board aircraft flying to or from the United States (the so-called “No Fly List”).

Let me remind you that we wrote that Attackers Are Selling Secret NATO Documents Stolen from the Portuguese Military on the Dark Web, and also that DDoSecrets Activists Published 269 Gb of US Law Enforcements Data.

This database, containing more than 1.5 million records, was discovered by the researcher.

The Swiss hacker maia arson crimew, who considers himself a hacktivist, reported his discovery to The Daily Dot. In the past, this person was known as Tillie Kottmann, but recently officially changed his name to the above.

Let me remind you that in 2021, the US authorities filed charges against arson crimew, claiming that the hacker was involved in hacking more than 100 companies and leaking confidential data (for example, the incident with Nissan was strange). Although Switzerland does not have an extradition treaty with the United States, now arson crimew cannot leave his native country, fearing an international warrant, which, most likely, has already been issued by Interpol.

The researcher told reporters that he was just bored and rummaged through the IoT search engine Zoomeye (Chinese equivalent of Shodan) when he discovered another unsecured Jenkins server, of which there are plenty on the Internet.

On this particular server, the abbreviation ACARS (Airborne Communications Addressing and Reporting System) and numerous references to the word “crew” (“crew”) attracted the attention of arson crimew, after which it turned out that the unprotected car belonged to CommuteAir.

No Fly List

The server, open to the public, stored a variety of data, including the personal information of approximately 9,000 CommuteAir employees, flight directions, and the researcher found that he could easily access flight plans, aircraft maintenance information, and other data.

Also, there was eventually found a file containing a copy of the so-called “No Fly List”, dated 2019. This list contains over 1.56 million entries and includes names and dates of birth, although many entries are duplicated.

Such bases appeared in the early 2000s, after the September 11 terrorist attacks. At first, they contained only a few dozen names (mostly people who are “known or reasonably suspected of involvement in terrorist activities”), but after the attacks and the creation of the Department of Homeland Security, the lists began to grow rapidly.

The exact number of people currently on the No Fly List is unknown, and the lists contain multiple entries per person, but the latest estimate is between 47,000 and 81,000 people.

This is a twisted product of American law enforcement and the US police state in general. Just a list without any due process… Mostly [people get on it] just because they know someone or [live] in the same village with someone. It has such a scale… It seems to me that there should be no place for such a thing anywhere.arson crimew says.

Representatives of CommuteAir confirmed that the leak did indeed take place and was due to an incorrectly configured development server.

The researcher had access to files, including an outdated 2019 version of the federal no-fly list, which included names, surnames, and dates of birth. In addition, thanks to the information found on the server, the researcher discovered access to a database containing personal information of CommuteAir employees. According to the preliminary investigation, customer data was not affected. CommuteAir immediately shut down the affected server and began investigating the incident.the company said in a statement.
In his blog, arson crimew promises to provide the list to journalists and human rights organizations for the “public good”. At the same time, the researcher still considered it wrong to publish the list in the public domain.
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *


This site uses Akismet to reduce spam. Learn how your comment data is processed.

Back to top button