January 22, 2023

TSD #025: Dear US Govt, I found your data.

Hello friend 👋

I almost spat out my coffee when I saw the news:

A security researcher found the U.S. Government’s Terrorist Screening Database and No Fly List on an unsecured Jenkins server.

A Swiss hacker called "maia arson crimew" found a server which is run by a U.S. airline called CommuteAir. Stored on this server is/was a file name “NoFly.csv”. The No Fly List is a subset of the Terrorist Screening Database and has details on people who have been banned from air travel because of their ties to terrorist organisations.

Crimew reported that they found the server whilst using Shodan (I've got a video coming out soon on Shodan) to search for Jenkins servers. If you've never heard of Shodan it's well worth checking out. They usually sell lifetime access for $5 on Black Friday too - add that to your calendar!

This server holds/held the passport numbers, addresses, and phone numbers of around 900 CommuteAir employees as well as, wait for it...

...user credentials to more than 40 Amazon S3 buckets and servers run by CommuteAir.


So back to the terrorist data. The list has 1.5 million entries in total and includes names, birth dates and even aliases. Shockingly, an 8-year-old was on the list, based on their birth year.

CommuteAir said that it was an exposed development server that was used for testing purposes. If you need to test something with data, don't use real data. Use something like Mockaroo.

If you're interested in hunting for exposed data online, check out Bob Diachenko (Twitter & LinkedIn). He's been doing it for years - he even found the Terrorist Screening Centre database a few years ago himself!

You can get in touch with me by simply hitting reply. I respond to every email that hits my inbox.

Until next week,

Gary ✌️

Fun Things This Week

🎙My Latest Video

Find Social Media accounts FAST using this tool! OSINT is fun. Googling your way to find information on people, companies and more. It can also be time consuming searching for people's profiles online. This tool searches roughly 400 sites in a minute.

📝 My Latest Article

Last week I wrote about what Cyber Threat Intelligence is and why you need it. This week I wrote an article on the Intelligence Cycle. If you're interested in how intelligence agencies work, and how businesses should manage intelligence, this article is right up your street! Read on my website

👾 Cool Tools

Automated Penetration Testing Reporting System is an automated reporting tool in Python and Django. The tool allows penetration testers to create a report directly without using Microsoft Word etc. It also provides an way of keeping track of the projects and vulnerabilities.

🎙️ Products

I've been making upgrades to my studio and finally pulled the trigger on a Røde Videomic NTG which is a shotgun mic. It'll keep the audio quality high, but you won't see the mic anymore in my videos because it'll be off-camera.

I also bought a Smallrig 72" tripod. This will make it much easier to frame shots and give me more control over artifical lighting etc. I was always a Manfrotto tripod user, but this Smallrig one is surprisingly well made. If you're in the market for a tripod, I'd recommend this in a heart beat.

Whenever you’re ready, there are a few ways I can help you:

1. If you'd like to learn how to create content to raise your online profile, I have a free email crash course and a whole series of video workshops.

2. If you want to land a career in cyber security but don't know where to start, your best bet is through my SWITCHFIRE guide.

3. If you'd like to promote yourself or your business and help keep this newsletter free to its readers, you can sponsor it by dropping me an email.

More Articles
Subscribe to The Sunday Download

Receive weekly news and insights in your inbox. Don't miss out!

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.