BlackBox (Security) Archiv
👉🏼 Latest viruses and malware threats
👉🏼 Latest patches, tips and tricks
👉🏼 Threats to security/privacy/democracy on the Internet

👉🏼 Find us on Matrix: https://matrix.to/#/!wNywwUkYshTVAFCAzw:matrix.org
Apple plans to scan US iPhones for child abuse imagery

Security researchers raise alarm over potential surveillance of personal devices

Apple intends to install software on American iPhones to scan for child abuse imagery, according to people briefed on its plans, raising alarm among security researchers who warn that it could open the door to surveillance of millions of people’s personal devices.

Apple detailed its proposed system — known as “neuralMatch” — to some US academics earlier this week, according to two security researchers briefed on the virtual meeting. The plans could be publicised more widely as soon as this week, they said.

The automated system would proactively alert a team of human reviewers if it believes it has detected illegal imagery; the reviewers would then contact law enforcement if the material can be verified. The scheme will initially roll out only in the US.

Apple declined to comment.

(Paywall)
https://www.ft.com/content/14440f81-d405-452f-97e2-a81458f5411f

#usa #apple #iphones #childabuse #surveillance
📡 @cRyPtHoN_INFOSEC_FR
📡 @cRyPtHoN_INFOSEC_EN
📡 @cRyPtHoN_INFOSEC_DE
📡 @BlackBox_Archiv
Operating Systems: Timeline and Family Tree

Includes over 830 operating systems so far

In this post you'll find a family tree and timeline of operating systems. I have tried to include all operating systems, no matter how old or obscure. Of course, a complete list is virtually impossible, as there is no way to catalogue all the tiny hobby and embedded systems that may exist somewhere.

Please also note that I only included a few selected Linux/BSD/Solaris distributions (it is arguable whether these should count as an OS on their own or not).

Currently, the family tree includes between 800 and 900 different operating systems. Tip: use Ctrl+F (Cmd+F on Mac) to search for a system.

https://eylenburg.github.io/os_familytree.htm

#os #familytree
The Intolerance Network

Today, 5th August 2021, WikiLeaks publishes "The Intolerance Network", over 17,000 documents from the internationally active right wing campaigning organisations HazteOir and CitizenGO. The documents date from 2001 to 2017 and cover the founding of CitizenGO and early activities of both organisations. The documents are from their internal systems and cover things like: spreadsheets of donors and members, strategy and planning documents, letters, financial charts and legal and training documents.

HazteOir was first founded in 2001 in Spain to campaign for right wing values; in 2013 it founded CitizenGO to spread its work beyond Spanish-speaking countries. This dataset includes the founding of CitizenGo, and documents from HazteOir organising, along with the US-based Howard Center for Family, Religion and Society, the 2012 World Congress for Families (WCF) in Madrid. The WCF brings together right wing organisations that promote opposition to LGBTQI+ and reproductive rights; it has been labeled as a hate group by the Southern Poverty Law Center, and a 2014 Human Rights Campaign report stated "The World Congress of Families (WCF) is one of the most influential American organizations involved in the export of hate".

Tying all these organisations together is Ignacio Arsuaga, founder of HazteOir and board member of CitizenGo, who was awarded the 2013 WCF "Man of the Year Award". The WCF President, Brian Brown, an American campaigner against LGBTQI+ rights, is also on the board of CitizenGo. Both HazteOir and CitizenGo are part of a larger global network of right wing organisations that work together to push their values in grassroots and political spheres.

CitizenGo partners with a number of organisations to push campaigns; for example, it ran a petition with the Population Research Institute, "Abortion is NOT a Human Right!". They work to mobilize grassroots support, and are keen to stress this is their base; however, it is clear through the dataset that they aim to raise large funds and influence policy at a high level. A 2019 undercover investigation by OpenDemocracy confirmed ties between Spanish HazteOir and CitizenGo and right wing political parties across Europe in Spain, Italy and Hungary. There have also been reports regarding ties to El Yunque, a secret militant Mexican group, a tie which HazteOir has tried to rid itself of.

https://nitter.snopyta.org/YourAnonOnline/status/1423594689249386497

https://wikileaks.org/intolerancenetwork/press-release

#CitizenGo #spain #italy #hungary #intolerancenetwork #WCF #HazteOir #OpenDemocracy #hatespeach #wikileaks
Capture Wi-Fi Passwords From Smartphones with a Half-Handshake Attack

In this episode, we show how hackers can abuse convenience features of Wi-Fi to extract passwords from nearby smartphones belonging to Wi-Fi networks they've connected to in the past.

https://www.youtube.com/watch?v=5guDKTc6Hak

#hak5 #video #wifi #passwords #smartphones
"Incognito Mode is not a great method of ensuring privacy, because it's still very easy to track what you're doing online."

Yep. Want real browsing privacy and tracking protection?

It's possible with Tor Browser. 👉🏽 https://torproject.org/download.

https://nitter.pussthecat.org/torproject/status/1423688216184426496

via Twitter

💡 Read as well:
Your Google and Safari Incognito mode is EXPOSING you online – here’s how
https://www.the-sun.com/tech/3410416/google-chrome-incognito-mode-safari-exposing-data-online/

#online #privacy #tor
Connect-app (CDU) Version: 3.8 - Cross Site Scripting

app: connect-app (cdu) (version: 3.8)

Cross-site scripting in the registration form name variables. Remote attackers can inject JS payloads as name variables to exploit the frontend in the profile view and potentially execute in the backend via the preview. There is uncertainty in validating object names in outbound emails, causing the context to be validated insecurely. This allows reflected execution in the message body of the email where the name variable is visible. You can see in the main validation how the developers have tried to parse and encode the content with backslashes and other characters. In this way, the type of validation can easily be bypassed by using simple frames with a source that points to an external link.

We have tested this in the portal where the code is executed, we have tested it in the outgoing service emails that insert the name variable in the email body, and we have also tested the stored content that was submitted via the API. All content was transmitted insecurely and can be manipulated to trigger simple cross-site scripting payloads, hijack user session credentials or manipulate outbound emails with reflected malicious content on the application side.

We decided to bring the issue directly to the public after the CDU opened a court case to criminalise a German hacker following a white-hat report. Normally we would have reported the vulnerabilities directly via responsible disclosure, but were deterred by the incidents mentioned above. These did not stop us, but we therefore chose another way to make noise.

👉🏽 ref: https://www.golem.de/news/connect-app-cdu-verklagt-offenbar-hackerin-nach-melden-von-luecken-2108-158647.html

👉🏽 ref: https://www.golem.de/news/connect-app-cdu-nimmt-wahlkampf-app-nach-datenleck-offline-2105-156471.html

greetz to cdu
by team smackback

https://seclists.org/fulldisclosure/2021/Aug/4
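The disclosure above says the developers tried to neutralise name input with backslash escaping and that this is bypassed by a frame element. The following is an added illustration, not connect-app code, of why backslash escaping leaves markup intact while HTML-context entity encoding (plus an input allowlist) does not; the backslash step is an assumed stand-in for that kind of validation, and the sample names are constructed.

```python
"""Added illustration for the disclosure above (not connect-app code).

Shows why escaping a registration name with backslashes leaves HTML
injection intact, while HTML-context entity encoding plus an allowlist
check does not. Sample names are constructed test inputs.
"""
import html
import re


# Stand-in for a backslash-based escaping step. This is an assumption about
# the kind of validation the disclosure describes, not the app's real code.
def backslash_escape(name: str) -> str:
    return re.sub(r'(["\'\\])', r'\\\1', name)


# Correct output encoding for an HTML context (profile page, HTML e-mail
# body): every character that can open or close markup becomes an entity.
def html_encode(name: str) -> str:
    return html.escape(name, quote=True)


# Input-side allowlist for a person's name: letters in any script, followed
# by letters, spaces, apostrophes, hyphens or dots. Rejects anything that
# could carry tag or attribute syntax. Tune to the deployment's locale rules.
NAME_RE = re.compile(r"^[^\W\d_](?:[^\W\d_]|[ '\-.])*$")


def is_plausible_name(name: str) -> bool:
    return bool(NAME_RE.fullmatch(name)) and len(name) <= 100


# A tag opener ("<", optional "/", then a letter) is all a browser needs to
# start parsing an element such as <iframe ...>.
TAG_OPENER = re.compile(r"<\s*/?\s*[A-Za-z]")


def still_injectable(encoded: str) -> bool:
    """True if the encoded value still contains a parseable tag opener."""
    return TAG_OPENER.search(encoded) is not None


# Constructed inputs: two legitimate names and one that embeds a frame
# pointing at a reserved, non-routable test domain.
SAMPLES = {
    "plain": "Max Mustermann",
    "quoted": 'Mary O\'Brien "Mo" Jensen',
    "frame": '<iframe src="https://example.invalid/"></iframe>',
}


def compare(name: str) -> dict:
    """Run both strategies over one name and report whether markup survives."""
    return {
        "backslash_survives": still_injectable(backslash_escape(name)),
        "entity_survives": still_injectable(html_encode(name)),
        "allowlist_accepts": is_plausible_name(name),
    }


if __name__ == "__main__":
    for label, name in SAMPLES.items():
        print(label, compare(name))
```

The same `html_encode` output is what should be placed into the e-mail body and the profile view; the allowlist is defence in depth at the registration boundary, not a replacement for output encoding.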

#cdu #germany #disclosure
No matter how well-intentioned, @Apple is rolling out mass surveillance to the entire world with this. Make no mistake: if they can scan for kiddie porn today, they can scan for anything tomorrow.

They turned a trillion dollars of devices into iNarcs—*without asking.*

https://nitter.pussthecat.org/Snowden/status/1423469854347169798

via Twitter

#usa #apple #iphones #childabuse #surveillance #snowden
How to keep your smartphone safe from spying

This post discusses four personas, the technical threats to them and their information via their smartphone, and some theory on how to defend against increasingly capable and focused threat actors.

If you find yourself matching one of these personas, following the recommendations below may serve you well if you feel that is proportionate to your individual threat profile.

If you provide IT or cybersecurity services to other people who may fit these personas, double check that what you offer and how you offer it is proportionate to the threats you’re helping to protect them from. Hopefully you have all of our recommendations covered!

💡 This is definitely not an exhaustive guide and is developed based on article(s) linked and our combined years working in technology and cyber security.

👉🏽 Greg, your average internet user using a modern smartphone for online banking, internet browsing and social media

👉🏽 Jane, an IT consultant, worried about keeping their client/organisational information safe

👉🏽 Emma, a management consultant who travels regularly for work. Emma’s company works with governments and large financial institutions

👉🏽 Roberto, an investigative journalist working on a big negative story about a nation state and its top leadership

The capability of threat actors and the probability of targeting vary enormously, from indiscriminate SMS/email phishing through to individual targeting using commercial spyware such as NSO Group’s Pegasus, ‘zero day’ exploits and physical tampering with the device. The level of effort and complexity rapidly increases, as do the inconveniences of trying to deter, defend against and limit the impact of such attacks.

https://joelgsamuel.medium.com/how-to-keep-your-smartphone-safe-from-spying-d7d50fbed817

#smartphone #security
NixNet - Away from prying eyes…

We host a variety of services that are available for anyone to use free of charge. Below is a list with descriptions of each.

NixNet is a network of websites and services hosted by the pseudonymous Amolith (me) and a close friend of his, Manton. The main reason we run these sites is because we like to be in control of our own data where feasible. The easiest way to accomplish that is to host the services we use. We make them public and maintain them simply because we want to; the Linux and FLOSS community has completely changed our lives and we feel like this is a small way we can do our part and give back.

https://nixnet.services/

#nixnet
One Bad Apple

My in-box has been flooded over the last few days about Apple's CSAM announcement. Everyone seems to want my opinion since I've been deep into photo analysis technologies and the reporting of child exploitation materials. In this blog entry, I'm going to go over what Apple announced, existing technologies, and the impact to end users. Moreover, I'm going to call out some of Apple's questionable claims.

💡 Disclaimer: I'm not an attorney and this is not legal advice. This blog entry includes my non-attorney understanding of these laws.

The Announcement:
In an announcement titled "Expanded Protections for Children", Apple explains their focus on preventing child exploitation.

The article starts with Apple pointing out that the spread of Child Sexual Abuse Material (CSAM) is a problem. I agree, it is a problem. At my FotoForensics service, I typically submit a few CSAM reports (or "CP" -- photo of child pornography) per day to the National Center for Missing and Exploited Children (NCMEC). (It's actually written into Federal law: 18 U.S.C. § 2258A. Only NCMEC can receive CP reports, and 18 USC § 2258A(e) makes it a felony for a service provider to fail to report CP.) I don't permit porn or nudity on my site because sites that permit that kind of content attract CP. By banning users and blocking content, I currently keep porn to about 2-3% of the uploaded content, and CP at less than 0.06%.

According to NCMEC, I submitted 608 reports to NCMEC in 2019, and 523 reports in 2020. In those same years, Apple submitted 205 and 265 reports (respectively). It isn't that Apple doesn't receive more pictures than my service, or that they don't have more CP than I receive. Rather, it's that they don't seem to notice and therefore, don't report.

Apple's devices rename pictures in a way that is very distinct. (Filename ballistics spots it really well.) Based on the number of reports that I've submitted to NCMEC, where the image appears to have touched Apple's devices or services, I think that Apple has a very large CP/CSAM problem.

[Revised; thanks CW!] Apple's iCloud service encrypts all data, but Apple has the decryption keys and can use them if there is a warrant. However, nothing in the iCloud terms of service grants Apple access to your pictures for use in research projects, such as developing a CSAM scanner. (Apple can deploy new beta features, but Apple cannot arbitrarily use your data.) In effect, they don't have access to your content for testing their CSAM system.

If Apple wants to crack down on CSAM, then they have to do it on your Apple device. This is what Apple announced: Beginning with iOS 15, Apple will be deploying a CSAM scanner that will run on your device. If it encounters any CSAM content, it will send the file to Apple for confirmation and then they will report it to NCMEC. (Apple wrote in their announcement that their staff "manually reviews each report to confirm there is a match". They cannot manually review it unless they have a copy.)

While I understand the reason for Apple's proposed CSAM solution, there are some serious problems with their implementation.

https://www.hackerfactor.com/blog/index.php?/archives/929-One-Bad-Apple.html

#usa #apple #iphones #childabuse #surveillance
The Pirate Bay Switches to a Brand New V3 Onion Domain

The Pirate Bay has moved to a new onion domain as the old one will cease to be supported by the official Tor client in a few weeks. The new v3 domain is more secure and the TPB-team encourages users to make the switch. Bookmarking the domain may be wise as well, as v3 onion domains have 56 characters.

When The Pirate Bay first came online during the summer of 2003, its main point of access was thepiratebay.org.

Since then the site has burnt through more than a dozen domains, trying to evade seizures or other legal threats.

The torrent site eventually returned to the .org domain which remains the official home today. While there are hundreds of Pirate Bay proxies online, none of these are operated by the TPB-team.

https://torrentfreak.com/the-pirate-bay-switches-to-a-brand-new-v3-onion-domain-210809/

#piratebay #onion #tor
Anti-Piracy Firm Asks Google to Block 127.0.0.1

Ukrainian TV channel TRK has sent a rather bizarre takedown request to Google. The company's anti-piracy partner Vindex asked the search engine to remove a search result that points to 127.0.0.1. Tech-savvy people will immediately recognize that the anti-piracy company apparently found copyright-infringing content on its own server.

While search engines are extremely helpful for the average Internet user, copyright holders also see a massive downside.

The fact that “infringing sites” show up in search results has become a source of frustration. As a result, Google and other search engines are facing a steady stream of DMCA takedown notices.

Google alone has processed more than five billion takedown requests and millions of new URLs are reported every week. While the majority of these correctly point to problematic links, there are plenty of mistakes too.

Some copyright holders flag perfectly legitimate websites as piracy havens, while others shoot themselves in the foot by targeting their own websites. The latter happened to the webtoon subscription service Toomics just recently.

‼️Please Take 127.0.0.1 Offline

This week we saw yet another problematic DMCA notice, which is perhaps even worse. TV channel TRK Ukraine asked Google to remove content hosted on the IP-address 127.0.0.1, which is the localhost of a device or server.

https://torrentfreak.com/anti-piracy-firm-asks-google-to-block-127-0-0-1-210808/

#trk #ukraine #dmca #takedown #google
Apple Open to Expanding New Child Safety Features to Third-Party Apps

Apple today held a questions-and-answers session with reporters regarding its new child safety features, and during the briefing, Apple confirmed that it would be open to expanding the features to third-party apps in the future.

Apple's New Child Safety Features

First, an optional Communication Safety feature in the Messages app on iPhone, iPad, and Mac can warn children and their parents when receiving or sending sexually explicit photos. When the feature is enabled, Apple said the Messages app will use on-device machine learning to analyze image attachments, and if a photo is determined to be sexually explicit, the photo will be automatically blurred and the child will be warned.

Second, Apple will be able to detect known Child Sexual Abuse Material (CSAM) images stored in iCloud Photos, enabling Apple to report these instances to the National Center for Missing and Exploited Children (NCMEC), a non-profit organization that works in collaboration with U.S. law enforcement agencies. Apple confirmed today that the process will only apply to photos being uploaded to iCloud Photos and not videos.

Third, Apple will be expanding guidance in Siri and Spotlight Search across devices by providing additional resources to help children and parents stay safe online and get help with unsafe situations. For example, users who ask Siri how they can report CSAM or child exploitation will be pointed to resources for where and how to file a report.

Expansion to Third-Party Apps

Apple said that while it does not have anything to share today in terms of an announcement, expanding the child safety features to third parties so that users are even more broadly protected would be a desirable goal. Apple did not provide any specific examples, but one possibility could be the Communication Safety feature being made available to apps like Snapchat, Instagram, or WhatsApp so that sexually explicit photos received by a child are blurred.

Another possibility is that Apple's known CSAM detection system could be expanded to third-party apps that upload photos elsewhere than iCloud Photos.

https://www.macrumors.com/2021/08/09/apple-child-safety-features-third-party-apps/

#usa #apple #iphones #childabuse #surveillance
Phishing Sites Targeting Scammers and Thieves

I was preparing to knock off work for the week on a recent Friday evening when a curious and annoying email came in via the contact form on this site:

“Hello I go by the username Nuclear27 on your site Briansclub[.]com,” wrote “Mitch,” confusing me with the proprietor of perhaps the underground’s largest bazaar for stolen credit and identity data. “I made a deposit to my wallet on the site but nothing has shown up yet and I would like to know why.”

Several things stood out in Mitch’s message. For starters, that is not the actual domain for BriansClub. And it’s easy to see why Mitch got snookered: The real BriansClub site is currently not at the top of search results when one queries that shop name at Google.

Also, this greenhorn criminal clearly had bought into BriansClub’s advertising, which uses my name and likeness in a series of ads that run on all the top cybercrime forums. In those ads, a crab with my head on it zigs and zags on the sand. This is all meant to be a big joke: Krebs means “crab” or “cancer” in German, but a “crab” is sometimes used in Russian hacker slang to refer to a “carder,” or a person who regularly engages in street-level credit card fraud. Like Mitch.

In late 2019, BriansClub changed its homepage to include doctored images of my Social Security and passport cards, credit report and mobile phone bill information. That was right after KrebsOnSecurity broke the news that someone had hacked BriansClub and siphoned information on 26 million stolen debit and credit accounts. The hacked BriansClub database had an estimated collective street value of $566 million, and that data was subsequently shared with thousands of financial institutions.

Mitch said he’d just made a deposit of $240 worth of bitcoin at BriansClub[.]com, and was wondering when the funds would be reflected in the balance of his account on the shop.

https://krebsonsecurity.com/2021/08/phishing-sites-targeting-scammers-and-thieves/

#phishing #scammer
Elementary OS 6 Odin Available Now

It’s finally here, and it’s the biggest update to the platform yet

It’s been a long road to elementary OS 6—what with a whole global pandemic dropped on us in the middle of development—but it’s finally here. elementary OS 6 Odin is available to download now. And it’s the biggest update to the platform yet!

https://blog.elementary.io/elementary-os-6-odin-released/

#elementary #os #odin #linux
Flaws in John Deere Systems Show Agriculture's Cyber Risk

John Deere, Researchers Spar Over Impact of Vulnerabilities

An Australian researcher who goes by the nickname Sick Codes remotely presented his latest findings on Sunday at the Def Con security conference in Las Vegas. He's part of an independent security research group called Sakura Samurai, which hunts and responsibly discloses security vulnerabilities.

The findings are serious. A combination of issues enabled root access to John Deere's Operations Center, a comprehensive platform for monitoring and managing farm equipment.

https://www.bankinfosecurity.com/flaws-in-john-deere-systems-show-agricultures-cyber-risk-a-17240

https://www.youtube.com/watch?v=zpouLO-GXLo

#JohnDeere #vulnerabilities #defcon #video
Did America just lose Afghanistan because of WhatsApp?

In the middle of a conflict, good analysis is hard to come by. Because adversaries do not telegraph their plans to one another, plans depend greatly on the fact patterns surrounding their execution, and no human mind can possibly observe, much less comprehend, the movements of all players on the battlefield, the course of a war, no matter how meticulously planned and no matter how eminently credentialed the planners, frequently defies the plan.

This phenomenon is known as the “Fog of War,” a phrase which originated with Prussian military theorist Carl von Clausewitz in his magnum opus, On War:

"War is the realm of uncertainty; three quarters of the factors on which action in war is based are wrapped in a fog of greater or lesser uncertainty. A sensitive and discriminating judgment is called for; a skilled intelligence to scent out the truth."

...(....)

So what the hell happened?

I’m a tech guy, not a military guy. And in terms of the kind of tech I’m into it’s that weird decentralized crypto tech like Bitcoin, not SaaS.

I do know enough about the war to know that when the Taliban went toe to toe with American and NATO soldiers, the Taliban got its ass kicked basically every single time. No air force, no navy, and no artillery meant that whenever the Taliban revealed themselves on the battlefield they were guaranteed to be cut to pieces by various pieces of intimidating American hardware like A-10 Warthogs or .50-caliber rifles.

It appears the Taliban tried something different this time around. Open source reporting shows that rather than rocking up and going toe to toe with the Afghan national army, they appear to have simply called everyone in the entire country, instead, told them they were in control, and began assuming the functions of government as they went:

https://prestonbyrne.com/2021/08/15/did-america-just-lose-afghanistan-because-of-whatsapp/

#usa #afghanistan #taliban #whatsapp
Hospitals hamstrung by ransomware are turning away patients

The ransomware epidemic continues to grow.

Dozens of hospitals and clinics in West Virginia and Ohio are canceling surgeries and diverting ambulances following a ransomware attack that has knocked out staff access to IT systems across virtually all of their operations.

The facilities are owned by Memorial Health System, a nonprofit network of services that represents 64 clinics, including hospitals Marietta Memorial, Selby, and Sistersville General in the Marietta, West Virginia, metropolitan area. Early on Sunday, the chain experienced a ransomware attack that hampered the three hospitals’ ability to operate normally.

Beginning at midnight on Sunday, the three hospitals started diverting emergency patients to Camden Clark Medical Center. The facility is an hour's drive from Selby, which has 25 beds. Camden Clark is about a 25-minute drive from the other two Memorial Health System hospitals hit by the breach. Another affected facility providing critical care includes a freestanding emergency room at Belpre Medical Campus in Belpre, Ohio.

Most of the Memorial Health System facilities have also canceled all urgent surgeries and radiology exams for Monday and are advising patients who have an appointment with a surgeon or specialist on Monday to call ahead.

“We will continue to accept: STEMI, STROKE, and TRAUMA patients at Marietta Memorial Hospital,” officials said in a statement. “Belpre and Selby are on diversion for all patients due to radiology availability. It is in the best interest of all other patients to be taken to the nearest accepting facility. If all area hospitals are [on] diversion, patients will be transported to the emergency department closest to where the emergency occurred. This diversion will be ongoing until IT systems are restored.”

https://arstechnica.com/gadgets/2021/08/hospitals-hamstrung-by-ransomware-are-turning-away-patients/

#usa #ransomware #healthsystem #hospitals
America's secret terrorist watchlist exposed on the web without a password

On July 19, 2021 I discovered a terrorist watchlist containing 1.9 million records online without a password or any other authentication required to access it.

The watchlist came from the Terrorist Screening Center, a multi-agency group administered by the FBI. The TSC maintains the country's no-fly list, which is a subset of the larger watchlist. A typical record in the list contains a full name, citizenship, gender, date of birth, passport number, no-fly indicator, and more.

I immediately reported it to Department of Homeland Security officials, who acknowledged the incident and thanked me for my work. The DHS did not provide any further official comment, though.

💡 Timeline of the exposure

On July 19, 2021, the exposed server was indexed by the search engines Censys and ZoomEye. I discovered the exposed data on the same day and reported it to the DHS.

The exposed server was taken down about three weeks later, on August 9, 2021. It's not clear why it took so long, and I don't know for sure whether any unauthorized parties accessed it.

💡 What data was exposed?

The exposed Elasticsearch cluster contained 1.9 million records. I do not know how much of the full TSC Watchlist it stored, but it seems plausible that the entire list was exposed.

💡 Each record in the watchlist contained some or all of the following info:

Full name
TSC watchlist ID
Citizenship
Gender
Date of birth
Passport number
Country of issuance
No-fly indicator

The data also included a couple of categorical fields that I was unable to identify, including "tag," "nomination type," and "selectee indicator".

https://www.linkedin.com/pulse/americas-secret-terrorist-watchlist-exposed-web-report-diachenko/

#leak #exposed #terrorist #watchlist