Posted on January 23, 2023 at 4:54 PM
A hacker going by the handle maia arson crimew has managed to take the world by surprise. The 23-year-old breached a US airline's exposed server and obtained a complete copy of the US government's No-Fly List, which held roughly 1.5 million entries for known or suspected terrorists. The strangest part of the story is that there was no agenda and no goal: maia accessed the list out of sheer boredom.
A Bored Hacker Causes Stir
As one would imagine, this has caused a spectacular stir across many circles. While the leaked No-Fly List dates from 2019, a notable Republican congressman in the US is already highly upset about the matter. That is not even mentioning the arrest warrant issued against maia, real name Tillie Kottmann.
How the List was accessed is a winding story in and of itself. maia revealed on her blog that the entire venture started because she was bored. To alleviate that boredom she decided to browse through exposed Jenkins servers, using ZoomEye, a research tool. Through this casual exploration she stumbled upon a server belonging to CommuteAir, a US airline. Once maia dug into it, the server revealed an absolute treasure trove of personal user data.
Exposed For Anyone To Access
On her blog, she explained that she managed to gain access to CommuteAir's build workspaces and went to work from there, browsing the airline's various build repositories. She noted that by the time she found ACARS traffic, she was already in the process of contacting media outlets to get the story public.
As she searched through the workspaces, she stumbled on data pertaining to the No-Fly List, and after going through various files she eventually tracked down a file holding the entire 2019 US No-Fly List. She then passed the information to the Daily Dot, which wrote an exclusive article about it.
People Are Rather Upset
In maia's own words, she breached CommuteAir and procured the No-Fly List in less than a day. It took little technical skill; in her words, it was more an exercise of patience.
Rep. Dan Bishop, a US congressman, was less than pleased when the discovery came to light. He described the leaked List as a "civil liberties nightmare" and was extremely upset that this information had been lying around on an unsecured Jenkins server. The only reason it was breached is, quite literally, that no one cared to secure it, even to the most marginal degree.
CommuteAir's spokespeople were quick to try to damp down the flames. They assured the public that no customer information was leaked, although employee information was exposed. They further emphasized the outdated nature of the No-Fly List, trying to soften the inevitable hammer drop as much as they could.
A Common Occurrence
It seems that exposed Jenkins servers occur more often than one might think. A number of cybersecurity experts commented on the No-Fly List leak, highlighting that forgetting to secure Jenkins servers used for testing is a regrettably common occurrence.
Sammy Migues, principal scientist at the Synopsys Software Integrity Group, stated that public-facing servers such as the one maia accessed are the bread and butter of hackers, being one of the most accessible avenues to sensitive information. Migues explained that this is doubly so when a server has been unsecured for so long that it shows up on ZoomEye or Shodan.
Migues highlighted that a large number of companies use cloud technology without involving people who have the skills and knowledge to keep it safe. He likened a misconfigured server to leaving your front door open for criminals to walk in, and maia proved him right.
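The problem Migues describes is a configuration mistake, and the settings that turn a Jenkins controller into an open front door live in a handful of elements of its config.xml. As an added illustration for this article (not CommuteAir's configuration, nor anything from maia's writeup), the following Python audit reads a Jenkins controller config.xml and flags the settings that let unauthenticated or self-registered users read jobs, workspaces and build artifacts. The three config fragments are constructed samples; the element and class names are the ones Jenkins writes to config.xml.

```python
"""Audit a Jenkins controller config.xml for settings that expose it to
anonymous readers. Added example for this article; the sample configs
below are constructed and do not describe any real server."""
import xml.etree.ElementTree as ET

# Authorization strategy / security realm class names as Jenkins writes them.
UNSECURED = "hudson.security.AuthorizationStrategy$Unsecured"
FULL_CONTROL_LOGGED_IN = "hudson.security.FullControlOnceLoggedInAuthorizationStrategy"
PRIVATE_REALM = "hudson.security.HudsonPrivateSecurityRealm"


def audit_jenkins_config(xml_text: str) -> list:
    """Return a list of human-readable findings; [] means nothing obviously wrong."""
    root = ET.fromstring(xml_text)
    findings = []

    # 1. Global switch: anything other than <useSecurity>true</useSecurity>
    #    means no login is required for anything.
    if root.findtext("useSecurity", default="false").strip().lower() != "true":
        findings.append("useSecurity is not true: no login is required at all")

    # 2. Authorization strategy: who may read or change what.
    strategy = root.find("authorizationStrategy")
    if strategy is None:
        findings.append("no authorizationStrategy configured")
    else:
        cls = strategy.get("class", "")
        if cls == UNSECURED:
            findings.append("authorization strategy is Unsecured: anyone can do anything")
        elif cls == FULL_CONTROL_LOGGED_IN:
            deny = strategy.findtext("denyAnonymousReadAccess", default="false")
            if deny.strip().lower() != "true":
                findings.append("anonymous read access is allowed: jobs, workspaces "
                                "and build artifacts are visible without logging in")
        else:
            # Matrix-style strategies list grants as <permission>...:<sid></permission>.
            for perm in strategy.iter("permission"):
                grant = (perm.text or "").strip()
                if grant.endswith(":anonymous"):
                    findings.append(f"permission granted to anonymous users: {grant}")

    # 3. Security realm: open self-registration turns "logged-in users" into "everyone".
    realm = root.find("securityRealm")
    if realm is not None and realm.get("class") == PRIVATE_REALM:
        signup = realm.findtext("disableSignup", default="false")
        if signup.strip().lower() != "true":
            findings.append("self-registration is enabled: anyone can create an account")

    return findings


# Constructed sample 1: security "on", but anonymous read and open signup allowed.
WEAK_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>false</denyAnonymousReadAccess>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>false</disableSignup>
  </securityRealm>
</hudson>"""

# Constructed sample 2: security switched off entirely.
NO_SECURITY_CONFIG = """<hudson>
  <useSecurity>false</useSecurity>
  <authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>
</hudson>"""

# Constructed sample 3: the same realm and strategy, hardened.
HARDENED_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>true</denyAnonymousReadAccess>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
  </securityRealm>
</hudson>"""


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("no-security", NO_SECURITY_CONFIG),
                      ("hardened", HARDENED_CONFIG)):
        print(f"[{name}]")
        for finding in audit_jenkins_config(cfg) or ["no findings"]:
            print("  -", finding)
```

Run it against `$JENKINS_HOME/config.xml` on each controller in an inventory and any non-empty result is a server that, if reachable from the internet, is the kind of thing Migues is talking about. Note that an empty result only covers the controller's own settings; per-job or folder-level permission overrides live in other files.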
Murphy's Law states that anything that can go wrong will go wrong, given enough time. That said, the likelihood that someone has been very thoroughly reprimanded internally for this mistake is quite high. The No-Fly List, while not published for all to read, can be accessed by journalists who contact maia about the matter. Either way, this has caused an uproar and will no doubt continue to do so for a while. A public-facing server of such importance needs to be secured, and doing that was someone's job, one they probably no longer have.