XPost: alt.fan.rush-limbaugh, alt.os.security, sac.politics
XPost: talk.politics.guns
https://news.yahoo.com/bored-hacktivist-browsing-unsecured-airline- 064239703.html
A Swiss hacker says she found a copy of the FBI's "no-fly" list on an
unsecured server.
The 2019 list, with over 1.5 million entries, includes an overwhelming
number of Muslim passengers.
The server, maintained by CommuteAir, also held private employee data,
such as passport numbers.
The FBI Terrorism Screening Center's secret "no-fly" list just got a lot
less mysterious thanks to a bored Swiss hacker exploring unsecured servers
in her free time.
Maia arson crimew, described by the Department of Justice as a "prolific" hacker in an unrelated indictment, said she was clicking around on an
online search engine full of unprotected servers on January 12 when she accessed one maintained by a little-known airline and found the highly sensitive documents, along with what she called a "jackpot" of other information.
The Daily Dot first reported on Thursday that the server, hosted by
CommuteAir, a regional airline that partners with United Airlines to form United Express routes, contained among its files a redacted 2019 version
of the anti-terrorism "no-fly" list.
The file "NoFly.csv," found by crimew, contains over 1.5 million entries including names and dates of birth of people the FBI identifies as "known
or suspected terrorists," who are prevented from boarding aircraft "when
flying within, to, from and over the United States." A second file, titled "selectee.csv," contains 251,169 entries of names of people who are
subject to additional screening while flying. The lists contained
alternate spellings and aliases for included people, making the number of unique entries lower than the number of included names.
A representative for the airline confirmed the authenticity of the files
to Insider and said personally identifiable information belonging to
employees was also found in the hack, but the person declined to answer detailed questions about the hack.
"Based on our initial investigation, no customer data was exposed," Erik
Kane, a representative for CommuteAir, said in a statement to Insider. "CommuteAir immediately took the affected server offline and started an investigation to determine the extent of data access. CommuteAir has
reported the data exposure to the Cybersecurity and Infrastructure
Security Agency, and also notified its employees."
The Transportation Security Administration confirmed to Insider that it
had been made aware of the incident.
"We are investigating in coordination with our federal partners," Lorie Dankers, a TSA representative, said in a statement to Insider. The TSA,
which enforces the "no-fly" list, declined to answer detailed questions
about the list and its leak, referring Insider to the FBI — the federal
agency that maintains the list.
In a statement emailed to Insider, a representative for the FBI would
neither confirm nor deny any individual names on the list but said people
were included "in a manner consistent with protecting privacy and civil liberties."
Easily accessible secrets
Crimew told Insider it took just minutes for her to access the server and
find credentials that allowed her to see the database. She said she was exploring the servers as a way to combat boredom while sitting alone and
didn't intend to discover something with US national security
implications.
While browsing files in the company's server, "it dawned on me just how
heavily I had already owned them within just half an hour or so," crimew
wrote in a blog post detailing the hack. The credentials she found, which
gave her access to the files, would also allow her access to internal interfaces that controlled refueling, canceling and updating flights, and swapping out crew members — if she were so inclined, she wrote.
"It's disturbing to see such information revealed to people that are not
with the need-to-know for that," Kenneth Gray, a retired FBI agent who
served for 24 years, told Insider. "There's a number of reasons why a
person on that list may not actually be a terrorist. But the thing is,
there are also people on there that are suspected of being a terrorist or
are known to be a terrorist. And so, if that information is released, then
the public becomes aware of ongoing investigations. And those
international terrorism cases, those ongoing investigations are normally classified. And so revealing this kind of information could lead to those individuals becoming aware that they are under investigation."
The massive files, reviewed by Insider, contain more than a dozen aliases
for Viktor Bout, the Russian "Merchant of Death" who was traded in a
prisoner swap for the basketball player Brittney Griner, as well as a
large number of names of people suspected of organized crime in Ireland. However, crimew said there was a notable trend among the names.
"Looking at the files, it just confirmed a lot of the things me, and
probably everyone else, kind of suspected in terms of what biases are in
that list," crimew told Insider. "Just scrolling through it, you will see almost every name is Middle Eastern."
Edward Hasbrouck, an author and human-rights advocate, wrote in his
analysis of the documents that the lists "confirm the TSA's (1)
Islamophobia, (2) overconfidence in the certainty of its pre-crime
predictions, and (3) mission creep."
"The most obvious pattern in the data is the overwhelming preponderance of Arabic or Muslim-seeming names," Hasbrouck wrote in an essay published
Friday by Papers, Please, an advocacy group dedicated to addressing
creeping identity-based national travel rules.
However, the FBI maintains its procedures for including people on the list
are not indicative of bias.
"Individuals are included on the watchlist when there is reasonable
suspicion to believe that a person is a known or suspected terrorist," an
FBI representative said in a statement. "Individuals are not watchlisted
based solely on race, ethnicity, national origin, religious affiliation,
or any First Amendment-protected activities such as free speech, the
exercise of religion, freedom of press, freedom of peaceful assembly, and petitioning the government for redress of grievances."
Though the recent news about the list has prompted a resurgence of
accusations of Islamophobia levied against the FBI, the "no-fly" list has
long faced criticism and legal challenges from civil rights groups over
its targeting of Muslim and Middle Eastern people.
The targeting of people from Arab nations was not limited to federal restrictions on travel, as the entire nation faced a spike in anti-Muslim discrimination and hate crimes across the country following the 9/11
attacks, according to the DOJ.
"It's no secret to anyone that the years following 9/11, measures that the government claimed were in the name of our national security wrongly,
unfairly and discriminatorily impacted Muslims and people who appear to be Muslim," Hina Shamsi, the director of the ACLU's National Security
Project, told Insider. "That's the very definition of bias and it appears
to be the case, the list that you have continues to reflect that bias and
it just shows the need for reform and change is as urgent as it ever was."
'No-Fly' mission creep
The federal "no-fly" list was created under the George W. Bush
administration, originally beginning as a small list of people prevented
from flying on commercial flights because of specific threats. The list
was formalized and vastly expanded in scope after the 9/11 terrorist
attacks, when Al Qaeda-affiliated hijackers crashed commercial flights
into the World Trade Center and the Pentagon, killing 2,977 people.
"What you've got to remember is that the purpose of this list is part of
the entire movement that tried to stop another 9/11 from happening," Gray
told Insider. "In the case of 9/11, terrorists came into the country, some
of the terrorists took flight lessons here in the country. Others came
into the country to be the muscle on board the aircraft so that they can
hijack the aircraft to turn them into weapons. And so the purpose of this
is to stop another 9/11 from happening."
Inclusion on the list prevents people the FBI identifies who "may present
a threat to civil aviation or national security" from boarding planes
flying within, to, from, or over the United States. They do not need to
have been charged or convicted of a crime to be included, just "reasonably suspected" of aiding or planning acts of terrorism.
"This was part of the US government's response to the tragedy of 9/11,"
Shamsi told Insider. "And from the beginning, we were gravely concerned
about the civil liberties and rights impacts given how watchlists have
been used in this country's history in the past. And, unfortunately,
virtually all the things that we warned against have happened and are
becoming entrenched."
She added: "What that means is that we've got a massive and ever-growing watchlisting system that can stigmatize people — including Americans — as
known or suspected terrorists, based on secret standards, secret evidence, without a meaningful process to challenge government error and clear their names."
In the years since the original "no-fly" list was formed, it has gained official federal recognition and grown from just 16 individual names,
according to the ACLU, to the 1,807,230 entries of names and aliases
contained in the documents found by crimew.
"The ever-expanding scope of these lists are due to the revelations of
people in the course of investigations," Gray told Insider. "And it
couldn't help but expand because of the fact that more and more people
become suspected, just through the course of their activities — which
could be misinterpreted, for instance. There are many reasons why the list continues to expand."
Gray added that, with limited procedures for challenging a wrongful
inclusion on the list, it's exceptionally difficult to get your name off
if it has been incorrectly added.
"People who are on the no-fly list are denied the ability to be with
family members at funerals, sickbeds, weddings, graduations, all of life's
big and small events, because the ability to fly is necessary to the
modern era," Shamsi told Insider. "The negative and harmful impact of
wrongful placement on the no-fly lists is hard to overstate."
When looking at the list, crimew told Insider, "you start to notice just
how young some of the people are." Among the hundreds of thousands of
names on the list are the children of suspected terrorists including a
child whose birth date indicates they would have been four years old or
five years at the time they were included.
In the early 2000s, there were many reports of people being wrongly placed
on the "no-fly" list, including then-Sen. Ted Kennedy and the peace
activists Rebecca Gordon and Jan Adams. In 2006, the ACLU settled a
federal suit over the list, prompting a release of its then 30,000 names
and the TSA's creation of an ombudsman to oversee complaints.
Despite the existing ombudsman process, Shamsi and Gray said it was
difficult to navigate and remained challenging to remove your name from
the list, causing substantial trouble for people who have not committed an
act of terrorism.
"What problem is this even trying to solve in the first place?" crimew
told Insider. "I feel like this is just a very perverse outgrowth of the surveillance state. And not just in the US, this is a global trend."
Not the first hack
Crimew, a staunch self-described leftist and anti-capitalist, was indicted
on suspicion of conspiracy, wire fraud, and aggravated identity theft
related to a hack in 2021. The DOJ alleges she and several coconspirators "hacked dozens of companies and government entities and posted the private victim data of more than 100 entities on the web."
The outcome of the 2021 case is still pending, crimew told Insider. Though
she hasn't been contacted by law enforcement in relation to the latest
hack, she said she wouldn't be surprised that she had once again caught
the attention of federal agencies.
"This will become the subject of a cybersecurity investigation looking
into who is responsible," Gray told Insider. "The person who committed
this hack, who got this information, may have done this for bragging
rights, may have done this not with the intent of using this information
for bad purposes. However, that information, since it's out in the public
now, in the public domain, it may eventually cause problems. This could be
of potential use for a terrorist group, even if that was not the original intent for the hack."
For that reason, crimew told Insider she chose to release the list through journalists and academic sources instead of freely publishing it on her
blog.
"It's just a whole lot of personally identifiable information that could
be used against people, especially in the hands of non-US intelligence agencies," crimew wrote in a statement to Insider. For that reason, she
said, she chose to release the list through journalists and academic
sources instead of freely publishing it on her blog. "I just feel iffy
about publicly releasing a list full of people some government entity
considers 'bad.' (Not that the US doesn't use it against people, it just doesn't need to get in the hands of even more people doing harm)."
CommuteAir faced a similar data breach in November, CNN reported, after an "unauthorized party" accessed information that included names, birthdates,
and partial Social Security numbers held by the airline.
"I just hope they maybe learned their lesson the second time," crimew told Insider.
January 25, 2023: This story has been updated with additional comments and context from the FBI, the TSA, the ACLU, and a retired FBI agent.
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)