Apparently, the US government’s terrorist watch list was found to be open to the public on the Internet.
Security researcher Bob Diachenko Exposure Reported Elasticsearch clusters and lists to the FBI. Then it was deleted.
according to LinkedIn post The list by Diachenko, Cyber Threat Intelligence Research Director at Discover Security, contained basic information about both US and international citizens who were considered government-interested in the risk of terrorism. According to Diachenko, the server was discovered and reported on July 19th and was completely removed on August 9th.
A database of about 1.9 million records was stored on the Elasticsearch server. Password protection.. The record contains basic information such as name, date of birth, and country of citizenship, as well as more sensitive information such as the passport number and whether the individual was on the Transport Security Agency’s flight ban list. Was included.
Diachenko said in a LinkedIn post that the database was originally created by the FBI-led terrorist screening center. The Department of Homeland Security (DHS) is also involved in this operation. The DHS queried the FBI for comment requests, but an FBI spokesperson was unable to comment on this issue.
Diachenko told Search Security that it’s difficult to know exactly when a database was published online, and it’s hard to know exactly who could access it before it was deleted.
“It’s hard to know how long this list was up before it was indexed by search engines,” he explained. “But until it was removed by the authorities or the hosting provider itself (after my responsible disclosure), it definitely lasted for more than three weeks, so it’s quite possible to hit someone else’s radar.”
If there is good news for individuals whose information has been disclosed by the leak, they often knew they were already on the list. According to the 2015 policy change, DHS needs to notify US citizens that they have been added to the watchlist. This is not the case for foreigners, but many people outside the United States may not have had a formal notice that they are on this list.
The FBI was not the first government agency to suffer a data breach due to a misconfigured cloud server. In 2017, in the published AWS S3 bucket US Department of Defense data It was discovered. Poorly configured storage buckets and databases are also one of the number one source of customer data loss, and companies are losing hundreds of millions of account records thanks to servers without password protection or authentication requirements. ..
FBI watchlist published by misconfigured Elasticsearch cluster
Source link FBI watchlist published by misconfigured Elasticsearch cluster