Root Causes 275: No Fly List Stolen
In a recently revealed security breach, an attacker gained a copy of the full 2019 TSA No Fly list, including subject PII. This breach was enabled by failures in digital identity and encryption. Join us in unpacking what happened and the lessons to be learned.
- Original Broadcast Date: February 6, 2023
Episode Transcript
Lightly edited for flow and brevity.
-
Tim Callan
We want to talk about a news article. You can pick this up in a bunch of places. The one that happens to be in front of me right now is a January 2023 article by Tech by Vice. Matthew Gault wrote it and the headline reads: U.S. No Fly List Leaks After Being Left in an Unsecured Airline Server. So, Jason, what’s the gist of what happened here?
-
Jason Soroko
Looks like some bad guys got a hold of “the” no-fly list. Wow. That’s something. What I read in the article was that it was a single comma separated value file, a CSV file, which is wow and apparently it was unencrypted. Wow.
-
Tim Callan
And on an unsecured server.
-
Jason Soroko
And by the way, Tim, this is 2023 and here we go. It just never ends does it?
-
Tim Callan
So this list, it’s the no-fly list. It has 1.5 million entries, which actually struck me as a surprisingly large number for the no-fly list but that’s probably a conversation for another time. It did include names and birthdates. So it had PII. So it’s not just a matter of knowing who is on the no-fly list but there is also PII for these people and, like you said, a completely unencrypted file. So it is 2023, Jason. What the heck is going on?
-
Jason Soroko
What it shows you is that there is still a lot of ground to cover. I was reading articles just recently about the number of users, customers, that would be enterprise users of something like Microsoft 365, which we used to call Microsoft Office, and the number of companies out there that were using shared Microsoft 365 resources amongst their employees and were not using any form of multifactor authentication. In fact, not even any form of stronger authentication whatsoever. Just straight up username and password. And the numbers – I don’t have them in front of me – but they were high enough where it was just eye popping. It’s like, my God, there’s a lot of work to do here. And that even included things, of course, with Microsoft 365 access to things like Microsoft Outlook and a whole lot of important things that are gonna be sitting inside of there. But when we take a look at those kinds of customers, those are sometimes smaller shops. Everything from mom and pop all the way to very, very large organizations. So you might argue, well, the long tail of mom and pop is gonna account for that. Well, that’s fine, but what about a no-fly list? That’s not a mom and pop shop that’s responsible for that, and aren’t we supposed to be concerned about PII? Hasn’t the U.S. Federal Government been really big on protecting that, at least in terms of lip service? It really does show that not every i has been dotted and t has been crossed in terms of looking at things that are fairly critical, or at least PII that is extremely sensitive, and saying, well, how are we managing that? Is it encrypted? Is it protected behind some sort of strong authentication? And it shows that even organizations that do have not just the resources but also the flat-out mandate, as dictated from on high, to do it properly just are missing the boat, and it’s 2023 and we are still sitting here with an enormous amount of work to do, Tim.
-
Tim Callan
And what’s interesting in particular is this going on in the airline industry, which is SO regulated, SO policed, right? We have talked in the past about how every single thing, every single machine that interacts with the airplane in every way has to have a certificate on it, by way of example, and the airplane is just full of all of these checks, and every one of us has been sitting on the tarmac for 45 minutes after we were supposed to push back because there is a light that won’t go off. Like, we’ve all experienced this, and so there’s so much attention to this industry in particular. To see something like this happen is really startling to me.
-
Jason Soroko
It is startling, and I think there was a really good analogy the other day: think about the amount of security that goes on to board an airplane, and by the time you come off the airplane and get your luggage it’s like a free-for-all. Anybody can just take it. And I’ve suffered from that. In fact, a few times.
So, it’s funny what is overlooked, and something like a no-fly list, you think that’s pretty sensitive stuff. But it doesn’t affect me and my job at the whatever government organization is responsible. So whatever. I’m sure that the reason why it’s even in a CSV is because, as these things are shared with computer systems that belong to airlines, it’s just easy to feed. It might have been just a DBA at United or whatever that said, hey, can you just send me that in a CSV file and I’ll plug it into my computer database.
-
Tim Callan
The airline was actually Commute Air. Just to be clear, we are not bashing United for this. It was Commute Air. But go on, Jay.
-
Jason Soroko
But my goodness, we gotta do better. We gotta do better, and I think one of the ways we gotta do better is not to overlook things that just don’t affect you and your job. So if you are in any kind of government, big enterprise, small enterprise, I think that it just goes back to a problem that I have talked about on this podcast, Tim. It’s one of the fallacies on our fallacy list, which is the fallacy of the underdog.
-
Tim Callan
Real quick. Fallacy of the underdog in two sentences. What is it, Jay?
-
Jason Soroko
Two sentences. There are a whole lot of people out there who think no attacker is gonna come after me because I’m small, and no attacker is gonna come after me because the thing I have really isn’t that important to a bad guy. No bad guy would want this.
-
Tim Callan
I’m not a worthwhile target so I don’t need to worry about it.
-
Jason Soroko
You got it. I’m not a worthwhile target. My crown jewels aren’t “jewely” enough. They aren’t valuable enough. And maybe with the no-fly list, maybe somebody who works with it is like, look, I just gotta get my job done. I need to hand this out to an airline, and even if somebody got a hold of this, whatever, because whatever, and it’s behind a server that I have to log into, and so therefore who in the world could ever get access to this? And there it is. There’s the fallacy of the underdog. Basically, who is looking at me? I’m a government department or I’m some back office of an airline, and I’m not a target, and this information I don’t think is valuable. I tell you, that’s why we have the idea of Risk Officers and CISOs and CIOs who think bigger picture and think about, let’s actually take inventory of crown jewels. Let’s take inventory of, if you lost this information, if it went public, would it be bad? And the answer in this case is yeah. It’s bad. And so therefore, all those tasks we talked about before – encryption, strong authentication, taking inventory of your crown jewels. It's 2023, guys. I’m sure that there are many of you out there who are bored to death of, oh my God, I’ve heard this a million times that I have to encrypt, I have to authenticate stronger. But you do. It’s 2023 and you do.
-
Tim Callan
You do. So probably not a lot more to be said about this. I think for both of us this was kind of a WOW story and we thought we had to share it for that reason but I think what went wrong here is pretty clear.
-
Jason Soroko
Tim, this is almost a compare and contrast to an episode we did very recently which was about automotive security and there was a whole page of gigantic wows about taking over fleets and doing all kinds of crazy things but the argument could be made, well, computers are hard and cars are harder. Well, in this case, this is the basics, folks. This is a sensitive file filled with PII that had no security. Back to basics.