Bob Diachenko, a security researcher, claims to have discovered an unencrypted Elasticsearch database holding 1.9 million records relating to what seemed to be a US government terrorist blacklist.
Diachenko discovered what he thought was a no-fly list maintained by the FBI’s Terrorist Screening Center, a multi-agency body. The no-fly list is just one aspect of the US Department of Homeland Security’s bigger terrorism watchlist.
The watchlist contains information on individuals suspected of being involved in terrorism, even if they have not been charged with a crime. Only particular authorised personnel should have access to the list.
The exposed watchlist’s Elasticsearch cluster was accessible through the Internet without authentication. A Bahrain IP address was used to store the database.
Names, birth dates, citizenship, gender, no-fly indicators, passport numbers, TSC watchlist ID, and other facts were included in the disclosed list.
Diachenko discovered the watchlist on July 19 and reported it to the DHS the same day. Despite the fact that the Department acknowledged the event, the watchlist remained online for another three weeks, until August 9.
On July 19, search engines Censys and ZoomEye indexed the unprotected server, according to Diachenko.
“The Open Web Applications Security Project (OWASP) recommends avoiding unauthorised access to data and applications in two of its recommendations. Given that this search was identified using commercial Open Source Intelligence and discovery technologies, cyber criminals are likely to have seen and downloaded it,” James McQuiggan, security awareness advocate at KnowBe4, stated in an emailed remark.
As Diachenko points out, the list “may be used to oppress, harass, or persecute those on the list and their families” if it falls into the wrong hands. This is especially true for those on the list who are completely innocent.
“To decrease the risk of a sensitive data breach, whenever companies upload data to be accessible via the cloud, all data must be encrypted and restricted to authorised users. Developers can comprehend and apply strong access and identity management rules, which complement the organization’s policies to safeguard all uploaded data, with comprehensive and robust security education and training, according to McQuiggan.