A researcher discovered an insecure server (that is, one accessible without a password) containing a US government anti-terrorism watchlist, including the sublist of individuals banned from flying in the United States.
This watchlist is assumed to be classified. On July 19, 2021, Bob Diachenko, director of research at Comparitech, obtained access to an unprotected server, as he does dozens of times a month. In the vast majority of cases, the data these exposed servers host is not meant to be publicly accessible. This time, the data was even supposed to be highly protected.
Inside the server, the researcher found a list of 1.9 million individuals. For each of them, it records several details, including surname and first name, nationality, gender, passport number and date of birth. After a quick analysis, Diachenko concluded that he had just found the watchlist of the Terrorist Screening Center, an institution administered by the FBI that brings together the efforts of several branches of the US government.
The people on the list are “suspected” of terrorism, but have not necessarily been convicted of any felony or misdemeanor. It is this point that makes it a controversial tool and justifies its access being very limited, at least in theory. Only certain employees of a handful of US government agencies have access to the list, in order to conduct screening procedures at points of entry. For example, the list distinguishes a subset of individuals banned from flying (the famous “no-fly list”) whom the immigration authorities can turn back at the airport. Since 2015, the government has said that it informs individuals added to the list individually if they reside in the United States, but this is still not the case for those outside its borders.
“In the wrong hands, this list can be used to oppress, harass and persecute those on the list and their families. Its leak could cause a number of personal and professional problems for the innocent people whose names are included in the list,” worries Bob Diachenko. Discrimination in recruitment, harassment, unjustified exclusion: the list of potential excesses is long, and could go as far as endangering individuals. “There have been several stories of US authorities recruiting informants in exchange for removing their names from the ‘no-fly’ list. The identities of informants past and present may have been leaked.”
The strange reaction time of the authorities
On the day of his discovery, Diachenko notified the Department of Homeland Security (the US equivalent of the Home Office), which immediately acknowledged the incident and thanked him for his work. The problem: the server was, surprisingly, taken offline only 3 weeks later. “It’s hard to know why it took so long, and I’m not sure whether unauthorized parties accessed it,” comments the researcher.
This delay is cause for concern. In detail, the server discovered by Diachenko is an Elasticsearch server. This technology, commonly compared to a giant Excel spreadsheet, is renowned for its ease of use and its ability to handle large volumes of data. But it is also known for the configuration errors of its users. If they are not careful enough, they can forget (or disable) the server protections. The result: instead of being accessible only with a username and password, the data is visible to anyone who finds the server’s IP address. We then speak of a leak, since information that is private in theory becomes publicly accessible.
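The misconfiguration described above is visible in the server's own settings file. As an added illustration, not part of the original article and not the configuration of the leaked server, the snippet below audits a flat `elasticsearch.yml` for the exposure pattern the article describes: security disabled (`xpack.security.enabled: false`) while the HTTP interface is bound to a network-reachable address (`network.host`). The two sample configurations are constructed for the example; the setting names are the real Elasticsearch ones, and the loopback defaults assumed in the code are stated in its comments.

```python
"""Audit a flat elasticsearch.yml for the 'no password, reachable by IP' exposure pattern.

Added example: operators run this against their own configuration file to
catch the setting combination that turns a private index into a public one.
"""

# Constructed sample: the weak configuration. Security is explicitly turned off and
# the HTTP interface listens on every network interface.
WEAK_CONFIG = """\
cluster.name: records-search
network.host: 0.0.0.0        # reachable from any network
http.port: 9200
xpack.security.enabled: false
"""

# Constructed sample: the corrected configuration. Authentication is on, TLS protects
# the credentials in transit, and the node binds to a single internal address.
HARDENED_CONFIG = """\
cluster.name: records-search
network.host: 10.0.0.5       # internal address only (constructed)
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

# Values that keep the HTTP interface on the local machine only.
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1", "_local_"}


def parse_flat_yaml(text):
    """Parse the simple 'key: value' lines Elasticsearch uses.

    Comments (after '#') and blank lines are skipped. Nested YAML is not handled,
    which is enough for the dotted flat keys elasticsearch.yml normally contains.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip('"').strip("'").lower()
    return settings


def audit_exposure(config_text):
    """Return a list of human-readable findings; an empty list means no exposure pattern."""
    s = parse_flat_yaml(config_text)
    findings = []

    # Assumption: when network.host is absent Elasticsearch binds to loopback only.
    host = s.get("network.host", "127.0.0.1")
    reachable = host not in LOOPBACK_HOSTS

    security = s.get("xpack.security.enabled", "")
    security_off = security == "false"
    tls_on = s.get("xpack.security.http.ssl.enabled", "") == "true"

    if security_off:
        findings.append(
            "xpack.security.enabled is false: every index can be read without a password"
        )
    if security_off and reachable:
        findings.append(
            f"network.host={host} with security off: anyone who finds the IP can read the data"
        )
    if not security_off and reachable and not tls_on:
        findings.append(
            "HTTP is network-reachable without TLS: passwords would travel in cleartext"
        )
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_exposure(cfg)
        print(f"{label}: {'OK' if not result else ''}")
        for finding in result:
            print("  -", finding)
```

Run against the weak sample the audit reports two findings (security off, and reachable with security off); against the hardened sample it reports none. The check is deliberately conservative: a configuration that leaves `xpack.security.enabled` unset is not flagged, because its effective default depends on the Elasticsearch version in use and should be confirmed against that version's documentation.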
An exposed server rarely goes unnoticed
The phenomenon is so well known that several researchers (like Diachenko), but also cybercriminals, specialize in spotting these types of leaks. To find them, they “scan” the web for exposed Elasticsearch servers. Concretely, they test thousands of IP addresses to see whether they are properly protected. These scans are also done by search engines, the most famous being Shodan.io. According to Diachenko, the server that hosted the list, on a Bahrain IP address, was indexed by two such tools, Censys and ZoomEye.
Because of this, a leak from an Elasticsearch server rarely goes unnoticed unless it is fixed within the hour. Comparitech researchers had also conducted an experiment in 2020 to see how quickly an open Elasticsearch server would be found. Conclusion: less than 9 hours after the machine was put online, a first visitor scrutinized its content. 5 days later, the server was indexed by search engines, and it had already been consulted more than 40 times. In all, the researchers’ demo server was visited 175 times in 11 days.
In other words, if this experiment reflects, even partially, an underlying trend, there is no doubt that the server that hosted the watchlist was consulted by people other than Diachenko, since it remained online without protection for at least 3 weeks.