[HN Gopher] Bypassing airport security via SQL injection
___________________________________________________________________
Author : iancarroll
Score : 1004 points
Date : 2024-08-29 15:53 UTC (7 hours ago)
| rez0__ wrote:
| > Now that we are an administrator of Air Transport
| International...
|
| LOL
|
| > Unfortunately, our test user was now approved to use both KCM
| and CASS
|
| smh...
| voiceblue wrote:
| Not surprised that they deny the severity of the issue, but I
| _am_ quite surprised they didn't inform the FBI and/or try to
| have you arrested. Baby steps?
| preciousoo wrote:
| This should be news lol, I'm surprised a bored 17-year-old
| with a fake ID hasn't made a TikTok sneaking on board a plane.
| SQL injection ffs
| woodruffw wrote:
| The author made the right move by doing this through FAA and
| CISA (via DHS), rather than directly via TSA. It's not
| inconceivable that a direct report to TSA would have resulted
| in legal threats and bluster.
| dmd wrote:
| Those kind of wheels turn very slowly. I will bet any takers
| $50 that Ian will be prosecuted.
| reaperman wrote:
| I'll take that bet. How long of a time window? 1 year, 2
| years?
| dmd wrote:
| Lets say 2 years. Email in profile.
| preciousoo wrote:
| This was a wild read, that something like this could be so easy,
| but the later part describing the TSA response is incredibly
| alarming
| justmarc wrote:
| A good old SQL injection negates the entire security theatre
| worth probably billions a year, hilarious, but probably not all
| too surprising.
| aftbit wrote:
| Does anyone remember Bruce Schneier and his faked boarding
| passes? The TSA scribble used to be the weak point of the
| entire system.
| woodruffw wrote:
| The TSA's response here is childish and embarrassing, although
| perhaps unsurprising given the TSA's institutional disinterest in
| actual security. It's interesting to see that DHS seemingly
| (initially) handled the report promptly and professionally, but
| then failed to maintain top-level authority over the fix and
| disclosure process.
| macNchz wrote:
| What was surprising to me was that they didn't immediately do
| pre-dawn raids on the pentesters' homes and hold them without a
| lawyer under some provision of an anti-terror law.
| garyfirestorm wrote:
| that is apparently not a popular move anymore since people
| keep logs and have credentials, strong social media presence
| and readily available cloud enabled cameras. one email to any
| news org and whoever authorizes the raid will probably face
| some music. but knowing TSA, we can expect this any minute
| now...
| tracker1 wrote:
| They just add you to a secret watch list to annoy you when
| you travel when you're critical of them... or the current
| administration, so it would seem.
| smsm42 wrote:
| Why bother if they could just put everyone involved on the
| "dangerous terrorist" list which has zero controls and zero
| accountability because "national security"?
|
| That's what happened to Tulsi Gabbard:
| https://www.racket.news/p/the-worm-turns-house-senate-
| invest...
| woodruffw wrote:
| That's not really how this works. TSA is maliciously
| incompetent, but there _is_ a reporting pipeline and
| procedure for these things that's formalized and designed to
| protect exactly this kind of good-faith reporting[1].
|
| (It's very easy to believe the worst possible thing about
| every corner of our government, since every corner of our
| government has _something_ bad about it. But it's a
| fundamental error to think that _every_ bad thing is _always_
| present in _every_ interaction.)
|
| [1]: https://www.cisa.gov/report
| macNchz wrote:
| Is there any sort of assurance that this wouldn't turn into
| a prosecution, though? It's not obvious to me on that site.
| Perhaps the CISA doesn't want to deter researchers, but do
| they get to make the final call?
|
| The DoJ announced in 2022 that they would not prosecute
| "good faith" security researchers, but it's not binding,
| just internal policy:
| https://www.scmagazine.com/analysis/doj-wont-prosecute-
| good-...
|
| The policy (https://www.justice.gov/jm/jm-9-48000-computer-
| fraud) explicitly states at the end that it's for guidance
| only / does not establish rights, and it includes a
| provision for additional consultation on cases involving
| terrorism or national security, terms which have both been
| overloaded by the government to justify overreach in the
| past.
|
| Personally, given the history of the CFAA, I wouldn't want
| to be in a position to test out this relaxed guidance on
| prosecuting good-faith researchers, but perhaps I'm
| unnecessarily averse to the idea of federal prison.
| woodruffw wrote:
| > Is there any sort of assurance that this wouldn't turn
| into a prosecution, though? It's not obvious to me on
| that site. Perhaps the CISA doesn't want to deter
| researchers, but do they get to make the final call?
|
| I don't think any sort of absolute assurance is possible,
| and if it was given I wouldn't trust it to be permanently
| binding :-)
|
| This is my intuition from having interacted with CISA,
| and my impression from talking to policy people: it's not
| 1993 (or even 2013) anymore, and there's a _much_ better
| basal understanding of security researchers vs. someone
| trying to secure a "get out of jail free" card for doing
| something they shouldn't have. That doesn't mean the
| government _can't_ mess up here, but I can't remember a
| prominent example of them throwing the book at a good
| faith report like this in the past decade.
|
| (Swartz is who I think of as an example of an extreme
| miscarriage of justice under an overly broad
| interpretation of the CFAA. And, of course, there could
| be facts in this situation that I'm not aware of that
| would motivate a criminal or civil CFAA investigation
| here. But "pre-dawn raids" aren't really it in situations
| like this one.)
| macNchz wrote:
| I guess... at the end of the day without some reform to
| the CFAA I just wouldn't ever feel comfortable using
| exploits to gain access to a random website, particularly
| one related to air travel security, that I had no
| engagement with, even if there are enlightened folks in
| government who want to protect good-faith research. The
| downsides are just way too serious in the case someone,
| somewhere decides there's something worth prosecuting.
|
| The FBI did raid this guy in 2016 after what was
| seemingly an attempt at responsible disclosure of leaked
| medical records: https://arstechnica.com/information-
| technology/2016/05/armed...
|
| And this journalist last year, though the facts of this
| story are less clear and obviously not responsible-
| disclosure related:
| https://www.cjr.org/the_media_today/tim-burke-florida-
| journa...
| fredgrott wrote:
| the more safe way is to have a US congress member read the
| report into a hearing....as the funny thing is that US has
| a law and rule that a congress person is not breaking the
| law if reading something into a hearing...sort of US
| Congresses own SQL injection....
| kchr wrote:
| I can't decide whether it would be considered an SQL
| injection or an SSRF attack, actually. I'm leaning towards
| the latter. Or maybe even a reflected XSS?
| noinsight wrote:
| Yeah, I don't know if I would go testing such systems and
| then reporting the results under my own name (presumably)...
|
| I didn't see any comment about them being contracted to do
| this at least.
| sixothree wrote:
| There's still _plenty_ of time for that to happen. I wouldn't
| want to be this person right now. I like my dog alive.
| garyfirestorm wrote:
| > It's interesting to see that DHS seemingly (initially)
| handled the report promptly...
|
| I think DHS mid level manager yelled at a TSA mid level manager
| who reported this to the senior TSA officials and then their
| usual policy kicked in... deny/deflect/ignore
| laweijfmvo wrote:
| TSA is DHS, though. At some point, it's the same high-level
| manager...
| dylan604 wrote:
| Since they actually went past the SQL injection and then created
| a fake record for an employee, I'm shocked that Homeland did not
| come after and arrest those involved. Homeland would have been
| top of the list to misinterpret a disclosure and prefer to refer
| to the disclosure as malicious hacking instead of responsible
| disclosure. I'm more impressed by this than the incompetence of
| the actual issue.
| beaglesss wrote:
| The statute of limitations is long and HSI often delays their
| indictment until the investigation is mostly wrapped up.
| dylan604 wrote:
| So you're suggesting they're not out of the woods?
| beaglesss wrote:
| Depends. If no one currently cares, there is no significant
| structure or personnel or political change in the future
| several years, and they don't have any assets worth taking,
| and the government doesn't get any more desperate for
| assets to seize -- then they're out of the woods.
| dylan604 wrote:
| I doubt asset seizure is what they'd be after. I was
| thinking more of the "make an example out of them"
| mentality as an attempt to prevent others from being
| curious. Government entities don't tend to do well with
| knowing the difference of malicious hacking and
| responsible disclosure. The infamous governor and the
| View Source is a fun one to trot out as exhibit A.
| beaglesss wrote:
| Both are definitely valid. I think saving face and cash
| grabs are the two fastest way to get in deep shit with
| the government.
| garyfirestorm wrote:
| don't even need to make an example... they probably have
| a warning/welcome pop up that says 'unauthorized access
| to this system will result in...' because the TSA lawyer
| is going to follow this simple train of thought - were
| the 'accused' authorized to access the system - _gotcha_!
| smsm42 wrote:
| Asset seizure is not because the government needs the
| money. It's because you need the money to pay for
| lawyers, legal experts, etc., and if your assets are
| seized, you can't - so you are much easier to pressure
| into making a quick guilty plea and get another
| successful prosecution added to the list. Of course, the
| whole process is the punishment as usual, but the asset
| seizure also plays an important coercive role there.
| aftbit wrote:
| You're not wrong, but I would have a hard time as a jury member
| convicting them of a CFAA violation or whatever for creating a
| user named "Test TestOnly" with a bright pink image instead of
| a photo.
|
| If they had added themselves as known crewmembers and used that
| to actually bypass airport screening, then yeah, they'd be in
| jail.
| beaglesss wrote:
| What if they incremented a number in a url on a publicly
| available website?
| debo_ wrote:
| Is this a reference to a past event? I don't get it.
| hyperhello wrote:
| It's an incredibly basic form of pen testing. For
| example, this reply page URL refers to id=41393364, which
| is presumably your comment. So what happens if I replace
| it with a different number? Probably something innocent,
| but maybe not.
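Added example for the id-in-the-URL probe described in the comment above (this is not code from the site, the article or any commenter): a constructed comment store served once with no authorization check and once with the record's own visibility rule applied, plus a detection pass over constructed access-log lines that flags a client walking consecutive ids. The store contents, log format and the ids other than the one quoted in the thread are made up for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample data standing in for a site's comment table:
# id -> (owner, text, publicly visible). Not real posts.
COMMENTS: Dict[int, Tuple[str, str, bool]] = {
    41393364: ("debo_", "Is this a reference to a past event?", True),
    41393365: ("hyperhello", "draft, not yet posted", False),
    41393366: ("qup", "flagged, hidden by moderator", False),
}


def reply_page_insecure(comment_id: int) -> Optional[str]:
    """Trusts the id from the URL: whatever integer the visitor types is served."""
    row = COMMENTS.get(comment_id)
    return row[1] if row else None


def reply_page(comment_id: int, requester: str) -> Optional[str]:
    """Same lookup, but the record's own access rule decides, not the id's guessability."""
    row = COMMENTS.get(comment_id)
    if row is None:
        return None
    owner, text, visible = row
    if visible or requester == owner:
        return text
    # Answer exactly as for a missing id, so a probe cannot tell "hidden" from "absent".
    return None


# Assumed (constructed) log shape: "<client> - \"GET /reply?id=<n> HTTP/1.1\" <status>"
LOG_LINE = re.compile(r'^(\S+) \S+ "GET /reply\?id=(\d+) ')


def enumeration_suspects(log: str, min_ids: int = 5) -> List[str]:
    """Flag clients that request at least `min_ids` distinct ids forming one
    consecutive run: the visible signature of "replace the number and see"."""
    seen: Dict[str, List[int]] = defaultdict(list)
    for line in log.splitlines():
        m = LOG_LINE.match(line)
        if m:
            seen[m.group(1)].append(int(m.group(2)))
    suspects = []
    for client, ids in seen.items():
        ids = sorted(set(ids))
        consecutive_steps = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
        if len(ids) >= min_ids and consecutive_steps >= min_ids - 1:
            suspects.append(client)
    return suspects


# Constructed access log: one ordinary reader and one client counting upwards.
SAMPLE_LOG = """\
203.0.113.7 - "GET /reply?id=41393364 HTTP/1.1" 200
198.51.100.5 - "GET /reply?id=41393364 HTTP/1.1" 200
198.51.100.5 - "GET /reply?id=41393365 HTTP/1.1" 200
198.51.100.5 - "GET /reply?id=41393366 HTTP/1.1" 200
198.51.100.5 - "GET /reply?id=41393367 HTTP/1.1" 404
198.51.100.5 - "GET /reply?id=41393368 HTTP/1.1" 404
203.0.113.7 - "GET /reply?id=41390001 HTTP/1.1" 200
"""

if __name__ == "__main__":
    print(reply_page_insecure(41393365))          # leaks the unpublished draft
    print(reply_page(41393365, "debo_"))          # None: not owner, not public
    print(reply_page(41393365, "hyperhello"))     # owner still sees it
    print(enumeration_suspects(SAMPLE_LOG))       # ['198.51.100.5']
```

The fix is the per-record check, not hiding the numbers: switching to random ids only slows the walk, while the check makes the walk pointless. The log heuristic is deliberately crude; tune `min_ids` to the site's normal browsing pattern before acting on it.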
| qup wrote:
| Yes. https://www.reddit.com/r/IAmA/comments/1ahkgc/i_am_w
| eev_i_ma...
| bjoli wrote:
| Jeez, I just read about him. Was he the first who went
| down the alt right pipeline? What happened there?
|
| From goatse security to the Daily Stormer.
| beaglesss wrote:
| In part yes but inevitably devolves into an ad hominem
| attack against the most high profile case of a guy who
| did it, who is now hiding in Ukraine on a Pridnestrovian
| passport after having his conviction overturned
| (temporarily) giving him an escape window.
| fnfjfk wrote:
| > hiding in Ukraine
|
| Huh. Uh, weird choice, given, well, you know...
| bjoli wrote:
| Before he spent some time in Transnistria as well, which
| is also a weird choice.
| beaglesss wrote:
| It's an excellent choice IMO from his perspective. They
| grant citizenship after 1 year with not a lot of
| questions and have a cash economy. And they don't
| extradite to the US.
| pbhjpbhj wrote:
| Maybe not. If you claim to be living in an active warzone
| and go missing who would look for you?
|
| Flee to Western Europe under an assumed identity, get
| taken in as a refugee?
| debo_ wrote:
| Thanks for all the references / replies, folks. I
| appreciate it.
| mmsc wrote:
| Another one from Australia from over a decade ago:
| https://amp.smh.com.au/technology/super-bad-first-state-
| set-...
| aftbit wrote:
| Yeah I wouldn't have convicted weev either. There is a
| difference though. He used that incremented number to
| access actual user PII. These guys created a user with no
| PII and no actual malicious use.
| rawling wrote:
| It looks like they got access to a list of names of
| existing users.
| mrguyorama wrote:
| >You're not wrong, but I would have a hard time as a jury
| member
|
| Which is why Jury selection usually removes people who
| understand the situation.
| IshKebab wrote:
| Yeah so best case you spend tens of thousands on lawyers and
| _probably_ win.
|
| Doing this under your own name is insane.
| aftbit wrote:
| Best case, assuming you even get charged, your case gets
| picked up by the EFF, ACLU, IFJ, etc. You spend nothing,
| you win, and you get a lot of free publicity for your pen
| testing company.
|
| Worst case, nobody comes to help you, you spend all of your
| money, still lose the case, end up in a shitty US prison,
| and get stabbed in the shower by some guy driven crazy by
| spending months in solitary.
|
| Personally, I would not mess with security research on
| anything even distantly related to US Gov.
| smsm42 wrote:
| That's what jury instructions are for. The judge can instruct
| the jury to ignore pretty much any facts and consider any
| subset of what really happened that they want. So they'd just
| instruct "did they access the system? Were they authorized?
| If the answer to the first question is yes, and to the second
| is no, the verdict is guilty, ignore all the rest". The jury
| won't be from the HN crowd, it would be random people who
| don't know anything about CFAA or computer systems, it will
| be the easiest thing in the world to convict. Those guys got
| so lucky DHS exhibited unusually sensible behavior, they
| could have ruined their lives.
| mariodiana wrote:
| As my good fortune would have it, I'm called to jury duty
| two weeks from now. I doubt I'll be sat though. Should I
| be, I'll keep the above in mind.
| linuxftw wrote:
| If it's a criminal case, be sure to checkout the
| innocence project to inform yourself on some of the junk
| science police and prosecutors like to use.
| SpaceNoodled wrote:
| They tend to specifically choose against people with
| critical thinking skills.
| Spivak wrote:
| Everyone says this but when people say "critical thinking
| skills" it really means "is obvious they will willfully
| disobey the instructions given to them by the judge and
| hold their own moral/ethical code above the law."
|
| You're literally describing jury nullification in a
| situation where by the hypothetical judge's instructions
| they're obviously guilty. I might agree with you that the
| law is bullshit but by right you and I should be
| dismissed.
| feoren wrote:
| > hold their own moral/ethical code above the law ... I
| might agree with you that the law is bullshit
|
| This is the _entire reason_ that we have trial by _jury_
| and not trial by _judge_. I'm not sure how this got lost
| over the centuries. If 12 of your peers think you did it
| but the law is bullshit and you shouldn't have your life
| destroyed because of some stupid technicality in a
| bullshit law, then you should walk free! I'm aware this
| has been used to horrible ends in the past (e.g. 12 white
| jurors nullifying a lynching) but that's a problem with
| jury selection (and those so-called peers), not with
| nullification.
|
| > You're literally describing jury nullification in a
| situation where by the hypothetical judge's instructions
| they're obviously guilty
|
| Yes, that is the only time nullification is relevant. If
| a judge can lead the jury to one verdict or another via
| his instructions, then it's not a trial by jury at all.
| It's a trial by judge. The founders understood that --
| they didn't want a trial by judge. The jury is a check on
| the judge's power!
| beaglesss wrote:
| Jury is peer, not subordinate of judge, and they should
| keep each other in check. Some tyrannical judges don't
| understand this. Sometimes the judge has to be reminded
| he is wrong in a way he can't prove he's been reminded,
| however.
| okwhateverdude wrote:
| If you don't want to be sat, just mention Jury
| Nullification. Courts really hate that sanity check on
| the process.
|
| https://en.wikipedia.org/wiki/Jury_nullification
| feoren wrote:
| I once got called into jury duty and sat through jury
| selection. On that day, protesters were outside the
| courthouse calling awareness to jury nullification, so
| the judge brought it up. He said something like: "jury
| nullification is a constitutional right, but you waive
| those rights when you take the oath of a juror. It is not
| an option to you." I really wanted to say "but that
| constitutional right is not _my_ right, it's the
| _defendant's_ right. How can I waive the defendant's
| constitutional right to a trial where jury nullification
| is a possible outcome?" However, it was a rape trial,
| where nullification would be an awful outcome (basically
| saying: yeah, he raped her, but that shouldn't be illegal
| in this case ... yuck), so I kept my mouth shut. But it
| still bothers me that the judge was so glib about
| "waiving" the constitutional rights of the defendant.
| aftbit wrote:
| I had a very similar situation when I was called. The
| trial subject was systematic elder abuse and neglect by a
| person in a position of power at a hospital. I was very
| glad to not be chosen. I would not have nullified and I
| did not want to spend weeks hearing about how this woman
| basically tortured helpless people.
| RHSeeger wrote:
| But would it really matter if they were convicted, after
| being in jail for who knows how long awaiting trial, losing
| their job, etc?
| cabaalis wrote:
| If anyone from there reads the parent, they should know they
| have created an atmosphere where the worry of possible
| prosecution over responsible disclosure has the potential to
| scare away the best minds in our country from picking at these
| systems.
|
| That just means the best minds from other, potentially less
| friendly countries, will do the picking. I doubt they will
| responsibly disclose.
| smsm42 wrote:
| I personally don't comprehend how these people are taking
| such huge risks. Once a bureaucrat wakes up one morning in the
| wrong mood and your life is ruined at least for the next
| decade, maybe forever. Why would anyone do it - just for the
| thrill of it? I don't think they even got paid for it?
| mpaco wrote:
| The timeline mentions the disclosure was made through CISA, and
| on their website there is an official incident report form.
|
| I can imagine an email to some generic email address could have
| gone down the way you describe, but I guess they look at these
| reports more professionally.
|
| https://myservices.cisa.gov/irf
| Enginerrrd wrote:
| I mean... they still might if the wrong people end up getting
| embarrassed by this. The wheels of bureaucracy are slow.
| neilv wrote:
| Good catch. Of course, different people wear different shades
| of hat, and I guess the author might have good rationale for
| going quite as far as they did, I don't know.
|
| Kudos to the author for alerting DHS. Methodology questions
| aside, it sounds like the author did a service, by alerting of
| a technical vulnerability that would be plausible for a bad
| actor to seek out and successfully discover.
|
| But regardless, I hope any new/aspiring security researchers
| don't read this writeup, and assume that they could do
| something analogous in an investigation, without possibly
| getting into trouble they'd sorely regret. Some of the lines
| are fuzzy and complicated.
|
| BTW, if it turns out that the author made a
| legality/responsibility mistake in any of the details of how
| they investigated, then maybe the best outcome would be to
| coordinate publishing a genuine mea culpa and post mortem on
| that. It could explain what the mistake was, why it was a
| mistake, and what in hindsight they would've done differently.
| Help others know where the righteous path is, amidst all the
| fuzziness, and don't make contacting the proper authorities
| look like a mistake.
| lyu07282 wrote:
| In some countries where this is the norm, like Germany, the
| usual route is to report the issue to journalists or to non-
| profits like the CCC and those then report the issue to the
| government agency/company. This way you won't get prosecuted
| for responsible disclosure. Alternatively an even safer route
| is to write a report and send it to them anonymously with a
| hard deadline on public/full disclosure, won't get any credit
| for the discovery this way of course.
| hypeatei wrote:
| I hate the TSA with every ounce of my being and these articles
| reinforce why. Incompetent and useless agency that only serves to
| waste people's time. Can't believe it still exists; 9/11 and the
| Bush administration really did a number on this country.
| grishka wrote:
| We as a civilization are terrible at getting over things, it
| seems.
| dgfitz wrote:
| Oh it gets even more amusing. By the logic of the GP, Bush
| must have impersonated every member of the house and senate
| because they're not aware of how the TSA came into
| existence/how a law is created. The Aviation and
| Transportation Act garnered broad bipartisan support.
| hypeatei wrote:
| It was referring more to the time period and general power
| grab that the federal government was involved in (Patriot
| Act, Protect America Act, etc..)
|
| Also, Bush had to sign the ASTA into law (checks and
| balances) which he did so he's part of the problem.
| bigstrat2003 wrote:
| He certainly was part of the problem, but I think that
| the way it was phrased originally implied he was the
| majority of the problem. In truth, these measures had
| broad support from not only our elected representatives,
| but from the people themselves. Turns out that people do
| not actually give a shit about civil liberties, and our
| representative democracy acted accordingly.
| rootusrootus wrote:
| It doesn't seem particularly unique to TSA. Flying elsewhere in
| the world has essentially identical security screening, with
| all the same stupidity.
|
| I'm a little butthurt right now, in particular, about the
| security at Heathrow. They confiscated a bottle of whisky that
| we got in Edinburgh. After 10 minutes of head-scratching and
| consulting with a supervisor, they concluded that "it does not
| say 100ml" (it had "10cl" cast into the glass) and "even then,
| that is just the size of the bottle, not the liquid inside it."
| What an incredible demonstration of intelligence there.
|
| They gave us a receipt and said we could have it shipped. We
| checked when we got home. 130 GBP with shipping. Ended up just
| buying a 700ml bottle from an importer, cost about half as
| much.
| anal_reactor wrote:
| The problem boils down to two issues:
|
| 1. Ok, security is bad, what are you going to do? Go to
| different, competing security?
|
| 2. Nobody wants to be the politician that relaxes the
| security right before an accident, even if the accident
| wouldn't be prevented with tighter security anyway.
| cyberax wrote:
| > 1. Ok, security is bad, what are you going to do? Go to
| different, competing security?
|
| Amazingly, you can do that. SFO doesn't use the TSA, for
| example.
| rachofsunshine wrote:
| Does it not? I fly out of SFO all the time and the
| experience is very similar. I guess I never checked if it
| was officially the TSA, but I never noticed any
| difference.
| rst wrote:
| SFO security is run by some company "under contract" to
| TSA -- probably required to follow all the same
| procedures, so it's not clear the business arrangement
| makes that much difference to the passengers. I've been
| through there a few times, and haven't found it any more
| organized or pleasant...
|
| https://www.flysfo.com/about/airport-operations/safety-
| secur...
| jen20 wrote:
| You can only do that if there are competing airports that
| are equally usable for where you want to go. Perhaps SFO
| vs SJC if you're going to the peninsula, JFK vs EWR or
| LGA, or the various Los Angeles airports but that's
| pretty much it that I can think of.
| ravenstine wrote:
| They're one of the most seemingly incompetent agencies I am
| forced to deal with every year.
|
| For one, why is it that every TSA checkpoint feels like it
| was scrambled together? 9/11 was a long time ago. There's no
| reason why checkpoints can't have better signage, clearer
| instructions for what should or shouldn't go on a conveyor
| belt, an efficient system for returning containers (I've lost
| count of how many times the line was held up because employees
| didn't feel like bringing over a stack of containers in clear
| view), and so on. The checkpoints do seem to go a bit faster
| than they used to a long time ago, but it's still a frustrating
| process that makes me feel like an imbecile every time I use
| it. I do my best to follow directions, but directions are often
| lacking so I have to use my best judgment from past experience,
| and often get yelled at anyway. Does the TSA _want_ to be
| hated?
|
| Secondly, there's been multiple occasions where I've made it
| through the security checkpoint with items that should
| obviously set off red flags. I recently made it through with a
| humongous center punch which, while not sharp like a knife,
| could do some serious damage to another person if used as a
| weapon. Got it through with no questions asked. I've also
| gotten through with scissors, knives, strangely shaped
| electronics, a custom-built electronic device that a naive
| person could see as suspicious, and so on. Never have I been
| stopped for those things.
|
| But laptops and e-readers? I'd better not forget one of them in
| my carry-on bag or I'm gonna get shouted at and be forced to
| re-run the bag through the scanner again. I can get through
| with sharp metallic tools and weird unlabeled boxes with wires
| hanging out of them, but I can't leave my kindle in my
| backpack? And what about the humongous battery packs I carry?
| No problem having 2 or 3 of those in my bag. I guess my Macbook
| Air or my e-reader possess uniquely dangerous powers I don't
| comprehend. Even if I try to comply with the "laptops out of
| your bag" rule, I might _still_ get shouted at if I place it in
| a container instead of right on the conveyor belt... or if I
| place it in a container with some other belongings next to it.
|
| Maybe the TSA stops terrorists that are as stupid as they are,
| which I guess is a good thing. But how good can stupid people
| be at catching other stupid people? Is it really worth it to
| waste everyone else's time and to treat them like crap in the
| process?
|
| Yup, not surprised that the TSA also reacts with as much
| stupidity to cybersecurity flaws. If I became supreme leader
| overnight, I would work to completely dismantle the TSA and
| rebuild it from scratch. There doesn't appear to be any value
| in that agency that can't be easily replaced with something
| better.
| pwg wrote:
| > I can get through with sharp metallic tools and weird
| unlabeled boxes with wires hanging out of them, but I can't
| leave my kindle in my backpack?
|
| Because _all_ airport security is _reactionary_. They don't
| try to anticipate what an attacker might do, and how they
| could prevent that. They simply add one more item to a check-
| list of "no good" items or of "must be separately screened"
| items.
|
| Therefore, because, one time, someone tried to ignite their
| shoes, there's now a checkbox that says: "shoes must be
| scanned separately".
|
| As well, because, one time, someone purportedly tried to mix
| together two liquids into an explosive that they brought on
| board in bottles, you are now limited to 100ml max in any
| bottle, but you can freely walk in with a 7-11 64oz Big Gulp
| cup and they won't blink an eye. The "bottles" are on the
| check-list, but the check-list has no entry (yet) for "64oz
| 7-11 Big Gulp".
| jerf wrote:
| You know it's bad when it's so bad that as I write this no one
| has even bothered talking about how bad storing MD5'd passwords
| is. This even proves they aren't even so much as salting it,
| which is _itself_ insufficient for MD5.
|
| But that isn't even relevant when you can go traipsing through
| the SQL query itself just by asking; wouldn't matter how well the
| passwords were stored.
| AntonyGarand wrote:
| The md5 part of the sqli is added by the pentester, likely
| because they needed a call that would end in a parenthesis
| within the injection parameter
| 0x0 wrote:
| The screenshot in the article shows MD5() is returned as part
| of the error message from the web server, so it is probably
| also a part of the original server-side query.
| tomsmeding wrote:
| There is already a call to MD5 in the original query; see the
| first image in the article, which they apparently obtained by
| submitting ' as the username: https://images.spr.so/cdn-
| cgi/imagedelivery/j42No7y-dcokJuNg...
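Added example (not code from the article, from FlyCASS or from any commenter; nobody in the thread has seen the real source): a constructed SQLite stand-in for a login whose query is built by string concatenation around MD5(), the shape the error message in the article's screenshot implies, next to the parameterized version. Table, column and user names are assumptions, and SQLite has no MD5() so the block registers one to keep the query shape. It runs offline.

```python
import hashlib
import sqlite3
from typing import Optional, Tuple


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table; schema and data are invented for the example."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("MD5", 1, md5_hex)  # emulate the MySQL function seen in the error
    conn.execute("CREATE TABLE users (username TEXT, password_md5 TEXT, is_admin INTEGER)")
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", ("alice", md5_hex("correct horse"), 1))
    return conn


def login_vulnerable(conn, username: str, password: str) -> Optional[Tuple[str, int]]:
    """Attacker-controlled strings are pasted straight into the SQL text."""
    sql = (f"SELECT username, is_admin FROM users WHERE username = '{username}' "
           f"AND password_md5 = MD5('{password}')")
    return conn.execute(sql).fetchone()


def login_fixed(conn, username: str, password: str) -> Optional[Tuple[str, int]]:
    """Bound parameters: values travel separately from the statement, so quotes,
    parentheses and comment markers in them cannot change its structure.
    (The password side is still MD5, which is its own problem; this only
    removes the injection.)"""
    sql = "SELECT username, is_admin FROM users WHERE username = ? AND password_md5 = ?"
    return conn.execute(sql, (username, md5_hex(password))).fetchone()


def error_probe(conn, username: str) -> Optional[str]:
    """The article's first step: a lone quote breaks the concatenated query, and a
    verbose error page hands back the SQL text, MD5( included."""
    try:
        login_vulnerable(conn, username, "x")
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)


if __name__ == "__main__":
    db = make_db()
    print(error_probe(db, "'"))                             # syntax error leaks query shape
    print(login_vulnerable(db, "' OR 1=1 -- ", "x"))        # bypass through the username
    print(login_vulnerable(db, "alice", "') OR 1=1 -- "))   # bypass that closes MD5( first
    print(login_fixed(db, "' OR 1=1 -- ", "x"))             # None: payload is just a string
```

The second payload is the one the thread is puzzling over: because the untrusted value lands inside `MD5('...')`, the injected text has to close both the quote and the parenthesis before it can add `OR 1=1`, which is why a working payload (and the SQL it produces) shows an MD5 call.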
| rachofsunshine wrote:
| This used to be a question on the Triplebyte interview almost
| verbatim, and a huge percentage of (even quite good) engineers
| got it wrong. I'd say probably <20% both salted and used a
| cryptographically-secure hash; MD5 specifically came up all the
| time. And keep in mind that we filtered substantially before
| this interview, so the baseline is even worse than that!
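Added example to go with the hashing discussion above (not from the article or any commenter): unsalted MD5 falls to a precomputed wordlist in one dictionary lookup, and every user who chose the same password falls together; a salted, iterated PBKDF2-HMAC-SHA256 record, compared in constant time, does not. The iteration count is OWASP's published figure for PBKDF2-HMAC-SHA256; the record format, passwords and wordlist are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

ITERATIONS = 600_000  # OWASP password-storage cheat sheet figure for PBKDF2-HMAC-SHA256


def md5_store(password: str) -> str:
    """What the thread is reacting to: unsalted MD5, one table lookup from the plaintext."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_md5(stored_hashes: Iterable[str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Hash each candidate once, then recover every stored hash that matches.
    With no salt the cost is paid once for the whole user table."""
    table = {md5_store(word): word for word in wordlist}
    return {h: table[h] for h in stored_hashes if h in table}


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Assumed record format: algorithm$iterations$salt_hex$digest_hex."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(record: str, password: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    # Two constructed users who picked the same weak password.
    hashes = [md5_store("password123"), md5_store("password123"), md5_store("zebra-quilt-88")]
    print(hashes[0] == hashes[1])                         # True: identical, no salt
    print(crack_md5(hashes, ["123456", "password123"]))   # both users recovered at once
    r1, r2 = make_record("password123"), make_record("password123")
    print(r1 == r2)                                        # False: per-user salt
    print(verify(r1, "password123"), verify(r1, "hunter2"))  # True False
```

bcrypt, scrypt or Argon2id are the usual choices over PBKDF2 where a library is available; the properties that matter are the same as shown here: a per-user random salt, a deliberately slow function, and a comparison that does not leak timing.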
| wkirby wrote:
| Honestly, this is the most shocking part:
|
| > We did not want to contact FlyCASS first as it appeared to be
| operated only by one person and we did not want to alarm them
|
| It's incredible (and entirely too credible) that this kind of
| "high security" integration could be built in such an amateur
| way: and a good reminder why government projects often seem to be
| run with more complexity than your startup devs might think is
| necessary.
| UniverseHacker wrote:
| Hilarious that the entire TSA system is vulnerable to the most
| basic web programming error that you generally learn to avoid 10
| minutes into reading about web programming- and that every decent
| quality web framework automatically prevents.
|
| It is really telling that they try to cover up and deny instead
| of fix it, but not surprising. That is a natural consequence of
| authoritarian thinking, which is the entire premise and culture
| of the TSA. Any institution that covers up and ignores
| existential risks instead of confronting them head on will
| eventually implode by consequences of its own negligence- which
| hopefully will happen to the TSA.
| VyseofArcadia wrote:
| > Hilarious that the entire TSA system is vulnerable to the
| most basic web programming error that you generally learn to
| avoid 10 minutes
|
| The article mentions that FlyCASS seems to be run by one
| person. This isn't a matter of technical chops, this is a
| matter of someone who is good at navigating bureaucracy
| convincing the powers that be that they should have a special
| hook into the system.
|
| What should really be investigated is who on the government
| side approved and vetted the initial FlyCASS proposal and
| subsequent development? And why, as something with a special
| hook into airline security infrastructure, was it never
| security audited?
| preciousoo wrote:
| Something I've been thinking about, esp since that crowdstrike
| debacle. Why do major distributors of infrastructure (msft in
| case of crowdstrike, DHS/TSA here) not require that vendors
| with privileged software access have passed some sort of
| software distribution/security audit? If FlyCASS had been
| required to undergo basic security testing, this (specific)
| issue would not exist
| bronco21016 wrote:
| Money. Eventually the lobbyists would make it so cumbersome
| to get the certification that only the defense industry
| darlings would be able to do anything. Look at Boeing
| Starliner for an example of how they run a "budget".
| vips7L wrote:
| In the case of msft/crowdstrike isn't this exactly the
| opposite of what HN rallies against? The users installed
| crowdstrike on their own machines. Why should microsoft be
| the arbiter of what a user can do to their own system?
| preciousoo wrote:
| Microsoft determines who they give root access signing
| keys to
| snarfy wrote:
| Because the EU required them to.
| preciousoo wrote:
| I've read that story, it inspired my question. Such a
| requirement wouldn't be out of bounds with the regulation
| advael wrote:
| They automatically occupy that position because in
| practice no user of a microsoft system can audit the
| entire "supply chain" of that system, unlike one built
| from open-source components. Any "control" someone has
| over "their own" system is ultimately incomplete when
| there is a company that owns and controls the operating
| system itself and has the sole power to both fix and
| inspect it
| woodruffw wrote:
| They often do. The value of those kinds of blanket security
| audits is questionable, however.
|
| (This is one of the reasons I'm generally pro-OSS for
| digital infrastructure: security quickly becomes a
| compliance game at the scale of government, meaning that
| it's more about diligently completing checklists and
| demonstrating that diligence than about critically
| evaluating a component's security. OSS doesn't make
| software secure, but it _does_ make it easier for the
| interested public to catch things before they become
| crises.)
| deepsun wrote:
| Well, the value is ok, if considered seriously.
|
| Also, any certificate bears a certificator company name.
| We can always say "company A was hacked despite having
| its security certified by company B". So that company B
| at least share some blame.
| ethbr1 wrote:
| In practice, most commercial attestations/certifications
| contain enough weasel language that the certifier isn't
| responsible for anything missed (i.e. reasonable effort
| only).
|
| But yes, there are many standards for this (e.g. SOC Type
| 2 reports).
|
| In defense of their utility, the good ones tend to focus
| on (a) whether a control/policy for a sensitive operation
| exists _at all_ in the product /company & (b) whether
| those controls implemented are effectively adhered to
| during an audited period.
| r00fus wrote:
| We're talking about getting a judgement in the court of
| public opinion not a court of law, and no one is exempt
| from the former.
| ipaddr wrote:
| Many live in a special labelled class that cannot be
| criticized
| AmericanChopper wrote:
| That's not really how they work. The auditor attests that
| they were provided with evidence that the
| systems/business units audited were compliant at the time
| of auditing. That doesn't mean that the business didn't
| intentionally fake the evidence, or that the business is
| compliant at any time subsequent to the assessment.
|
| An auditor would certainly have some consequences if they
| were exposed for auditing negligently.
|
| This is how the PCI SSC manages to claim that no
| compliant merchant/service provider has ever been
| breached, because they assume being breached means that
| the breached party was non-compliant at the time of the
| breach. Which is probably a technically true statement,
| but is a bit misleading about what they're actually
| claiming that means.
| doctorpangloss wrote:
| > The value of those kinds of blanket security audits is
| questionable,
|
| You're totally right. Why are people afraid to say that
| they're worthless? Why caveat or equivocate?
|
| Adversaries in computer security do not mince words.
| pinkmuffinere wrote:
| "Worthless" is quite a strong claim. There isn't much
| work I've encountered that's truly "worthless", even
| though bad work can make me quite upset. Anyways, that's
| why I would often caveat.
| woodruffw wrote:
| I'd rather understate a medium-confidence opinion than
| overstate it.
| irundebian wrote:
| Because it's better than nothing when independent
| organizations are reviewing systems or other
| organizations. It's like saying that penetration tests
| are useless because you cannot prove security with
| testing.
| kva-gad-fly wrote:
| Even if these govt. security audits are checkboxes, don't
| they require some nominal pentesting and black box
| testing, which test for things like SQL injection?
|
| That should have caught these types of exposures?
| sandworm101 wrote:
| They do. But market forces have pushed the standards down.
| Once upon a time a "pen test team" was a bunch of security
| ninjas that showed up at your office and did magic things
| to point out security flaws you didn't know were even a
| thing. Now it is an online service done remotely by a
| machine running a script looking for known issues.
| bbarnett wrote:
| "I made my fortune with nmap, you can too."
| ethbr1 wrote:
| Great, now my YouTube recommendations are also on HN...
| advael wrote:
| Unfortunately we're in kind of the worst of all possible
| worlds here too. Not only do we want to "automate" these
| kinds of tests, but governments have bought into the
| "security through obscurity" arguments of tech giants, so
| the degree to which these automations can even be
| meaningfully improved is gated in practice by whoever
| owns the tech itself approving of some auditor (whether
| automated or human) even looking at it. The author of
| this article takes the serious risk of retaliation by
| even looking into this
| paulddraper wrote:
| Of course they require that.
|
| Now, why wasn't the requirement enforced? Or why didn't the
| audit turn this up? Good questions.
|
| But all of those are going to have some kind of
| requirement, e.g. FedRAMP.
| preciousoo wrote:
| Good to know, didn't know this program existed, but makes
| a lot of sense that it does. Why it wasn't enforced is an
| incredibly huge question now
| niklasrde wrote:
| Part of the reason why Crowdstrike have access, why MS
| wasn't allowed to shut them out with Vista was a regulatory
| decision, one where they argued that somebody needs to do
| the job of keeping Windows secure in a way that biased
| Microsoft can't.
|
| So, I guess you could have some sort of escrow third party
| that isn't Crowdstrike or MS to do this "audit"?
|
| Or see this for a much better write up:
| https://stratechery.com/2024/crashes-and-competition/
| preciousoo wrote:
| Replied in another comment, but I'm aware of the
| regulation that made msft give access. To my knowledge
| though, there's nothing in the regulation that stops them
| from saying "you have to pass xyz (reasonable) tests
| before we allow you to distribute kernel level software
| to millions of people"
| not2b wrote:
| MS could have provided security hooks similar to BPF in
| Linux, and similar mechanisms with Apple, rather than
| having Crowdstrike run arbitrary buggy code at the
| highest privilege level.
| IcyWindows wrote:
| Crowdstrike configured Windows to not start if their
| driver could not run successfully.
|
| That's not the default option for kernel drivers on
| Windows, so this was an explicit choice on Crowdstrike's
| part.
| cratermoon wrote:
| They could have, however the timeline the regulators gave
| Microsoft to comply was incompatible with the amount of
| work required to build such a system. With a legal deadline
| hanging over their heads Microsoft chose to hand over the
| keys to their existing tools.
| cratermoon wrote:
| Oh they usually do require some kind of proof of security
| certification. However the checkbox audits to get those
| certs and the kinds of solutions employed to allow them to
| check off the boxes are the real problem.
| hn72774 wrote:
| We know that backdoors can be intentional for use by 3-letter
| agencies. And there is plausible deniability of the
| bureaucracy when they can pass blame onto a single
| individual.
|
| Or it's bureaucracy being bureaucracy. The TSA is a lot of
| security theater anyways.
| seanthemon wrote:
| This is a bit of a ridiculous comment. Who in their right mind
| would say an SQL injection is a backdoor for a 3LA?
|
| Added, why would they use FlyCass when they could just
| access the data directly?
| hn72774 wrote:
| To move someone from one place to another without an
| official record of the person?
|
| Honeypot? Legit logins are logged differently than non-
| legit?
| seanthemon wrote:
| yes, they _definitely_ need to access flycass to achieve
| this. Almost certainly no other way.
| woodruffw wrote:
| The US (and almost every government) has reliable ways to
| covertly move a person that don't involve putting SQLi in
| their own codebases.
|
| The classic way to covertly move a person is to give them
| a new passport to travel under, and have them move around
| like every other schlub on the planet. Competent
| intelligence services make sure that this isn't easy to
| detect by making the fake passport's identifier
| indistinguishable from real ones. Russia has prominently
| failed to do this several times[1][2].
|
| [1]: https://www.bellingcat.com/news/uk-and-
| europe/2019/11/07/how...
|
| [2]:
| https://www.bellingcat.com/news/2022/08/25/socialite-
| widow-j...
| fortran77 wrote:
| I think a TLA would just generate the proper flight crew
| credentials.
| shuntress wrote:
| The problem is deeper and simpler than that.
|
| Authentication should not need to be re-implemented by every
| single organization. We should have official auth servers so
| that FlyCASS doesn't need to worry about identity management
| and can instead just hand that off to id.texas.gov (or
| whatever state they operate from) the same way most single-
| use tool websites use Google's login.
| VyseofArcadia wrote:
| This seems like exactly the sort of work the US Digital
| Service should take on.
|
| Would still need an audit to make sure sites are actually
| using the shared auth and not rolling their own.
| shuntress wrote:
| I'm not saying anyone should be _disallowed_ to run their
| own authentication.
|
| I'm saying we need the digital equivalent of "show me
| your driver's license".
| elliottcarlson wrote:
| I think that is the goal of https://id.me
| AceJohnny2 wrote:
| Would that be https://id.me ?
|
| It's what the IRS uses.
| groby_b wrote:
| That's of course the stupidest possible domain for a
| government website. (Or at least it's up there)
|
| Fundamentally, it has given control over the DNS records
| to a different country (.me == Montenegro).
|
| It's training people that really, any domain could be a
| government domain, you'll never know.
| techsupporter wrote:
| It's also not a government web site. It's a private
| company who, for some reason, my own government
| outsources identity verification to. Meanwhile, the
| authorization system the US government has built
| (login.gov) is deemed "insecure" by the IRS and Social
| Security for some inexplicable reason. (But it's fine for
| Trusted Traveler Programs.)
| snowwrestler wrote:
| Social Security has implemented Login.gov integration.
| IRS returned detailed feedback that GSA is working on.
| ericjmorey wrote:
| This is good news. Thanks for sharing.
| cratermoon wrote:
| > It's a private company who, for some reason, my own
| government outsources identity verification to
|
| Welcome to the neoliberal wet dream.
| Spivak wrote:
| Because it's not a government website, it's a company the
| government contracts with.
| groby_b wrote:
| Yes. I know how this works. This doesn't change that
| it's stupid. You can't outsource stupid and then claim
| it's not your problem.
| aardshark wrote:
| Yes, welcome to the rest of the world.
| groby_b wrote:
| You're aware that there's a registry per country, no? And
| that each country can choose to set aside a
| subdomain for all government services?
|
| Yes, it's unfair that the US gets naked .gov - but that
| doesn't preclude the rest of the world from doing the
| right thing, and it certainly doesn't excuse the US
| government doing the stupid thing.
| mardifoufs wrote:
| The US government can still basically yoink any ccTLD
| very very easily. It won't, but it could.
| ericjmorey wrote:
| It's not a government website.
|
| It's the company providing the service that the
| government could provide on its own, but that service is
| being provided by a private company through a lucrative
| contract agreement.
| hedvig23 wrote:
| Apparently Venmo also has an option to look up an image of
| any person, we could use that too.
| imroot wrote:
| I think they (quietly) turned that off after a researcher
| exposed it earlier this week.
| brendoelfrendo wrote:
| Ah, but there are third-party services that provide
| identity verification, such as id.me. And now that there
| are for-profit entities involved in a government service,
| you will never be able to convince the government to
| implement their own solution. It's telling that id.me is
| headquartered in McLean, Virginia; gotta be in the DC
| metro area so your lobbyists have easy access to
| Congress.
| ericjmorey wrote:
| I want you to be wrong, but you probably aren't.
| d1sxeyes wrote:
| This exists in some European countries, in Hungary for
| example you have an identity service (KAU) which
| authenticates you and operates as an SSO provider across a
| number of different government properties.
| reaperducer wrote:
| _This exists in some European countries, in Hungary for
| example you have an identity service (KAU) which
| authenticates you and operates as an SSO provider across
| a number of different government properties._
|
| The United States has it, too: https://login.gov
|
| But with a government as large as America's it's going to
| take time to get everyone converted to the new system.
| raddan wrote:
| FWIW, as a regular user of login.gov, from the outside,
| it looks like a well-designed system. I am able to add
| strong forms of 2FA (e.g., security keys or biometric
| authenticators), it requires strong passwords, etc. It
| also has decent developer documentation, has a support
| process, and comes with a vulnerability disclosure form
| baked into the main website. However, I have not used
| their API, nor have I seen any of the code (although I
| wonder if a FOIA request would actually compel them to
| give it to you).
| cratermoon wrote:
| Americans as a whole are so allergic to government doing
| anything that we can't even get a national ID system nor
| a centralized database of gun sales or ownership. The
| bogeyman of evil Big Government, privacy, and censorship
| gets invoked. It's fine if the Free Market does it, so
| Google, Facebook, Amazon, Twitter, Microsoft, et al get a
| free pass.
| juunpp wrote:
| The "free" market, i.e., government-funded market.
| bborud wrote:
| Authentication and authorization, and especially on the
| web, is one of those things that has _never_ been
| implemented well. I hate every single piece of software,
| every standard, every library, every approach I have come
| into contact with from this domain. I am so glad I have
| nothing to do with this field anymore. It makes me angry
| even thinking about it.
| paulddraper wrote:
| Be the change you want to see in the world.
| jjav wrote:
| > single-use tool websites use Google's login
|
| Topic drift, but no tools should use google login. Doing
| that means handing over to google the authority to decide
| who can and can't use your tool. And we all know google
| support is nonexistent and unreachable, so once it fails
| it's forever.
|
| If you market a tool, you'd really want to own the decision
| on who you can sell it to.
|
| For a government organization though, I'd agree it makes
| sense to use a government-run login service. (government
| run, not outsourced so some for-profit third party!)
| mrbluecoat wrote:
| > FlyCASS seems to be run by one person
|
| Is their name Jia Tan, by chance?
| timdorr wrote:
| Based on the language on their site about requiring an
| existing CASS subscription, my guess is there was no approval
| at all. It appears this person has knowledge of the CASS/KCM
| systems and APIs, and built a web interface for them that
| uses the airline's credentials to access the central system.
| My speculation is that ARINC doesn't restrict access by
| network/IP, so they wouldn't directly know this tool even
| exists.
|
| Some quick googling shows the FlyCASS author used to work for
| a small airline, so this may piggyback off of his prior
| experience working with these systems for that job. He just
| turned it into a separate product and started selling it.
|
| The biggest failure here is with ARINC for not properly
| securing such a critical system for flight safety.
| AndrewKemendo wrote:
| This right here people need to pay attention to for the
| following reason:
|
| One person can make a lot of impact
|
| The most common thing I hear people say with respect to
| their jobs is: "I'm just one person, I can't actually do
| anything to make things better/worse..."
|
| But it's just wrong and there are thousands of examples of
| exactly that over and over and over
|
| In this case, if this is true, it's both amazing that:
|
| One person, or a small number of people, could build
| something into the critical path as a sidecar and have it
| work for a long time and
|
| And second, the consequences of "hero" systems that are not
| architecturally sound, prove that observability has to
| cover all possible couplings
| feoren wrote:
| Oh, everyone knows that one single person can make things
| a lot _worse_. That's all that's happening here. That
| doesn't say anything about how much one single person can
| make things _better_. In the former case, your powers are
| amplified by the incompetence of everyone else involved;
| in the latter case, they are diminished.
| _puk wrote:
| Better / worse for whom?
|
| Given the nature of these systems, this 1 person likely
| made the day to day lives of a lot of people better,
| providing an (arguably) snappier web interface to
| existing systems.
|
| Granted, they've probably made someone's day a lot worse
| with this discovery, but..
| amelius wrote:
| Yeah but this is not very actionable. It is like saying
| that one person can win the lottery.
|
| You have to be in the right place at the right time.
| kva-gad-fly wrote:
| If this were the case, then it seems quite plausible that
| the website itself was just a passthrough, and the APIs
| provided by ARINC would be exposed.
|
| This then begs the question of how ARINC passed security
| audit.
| Simon_ORourke wrote:
| For an overtly authoritarian institution it actually surprises
| me they do the old delete and pretend it never happened
| approach to basic security.
| mmsc wrote:
| >pretend it never happened
|
| I'm not suggesting this is what they have done here, but this
| is exactly what authoritarian governments do. Straight from
| the pneumatic into the furnace.
| oceanplexian wrote:
| > Hilarious that the entire TSA system is vulnerable to the
| most basic web programming error
|
| Because it's a scam and the system is a grift.
|
| I'm a pilot and own a private aircraft. Landing at any airport,
| even my home airport which is restricted by TSA is legal
| without any special requirement or background check. In fact, I
| have heard horror stories where TSA wouldn't let a pilot
| retrieve their aircraft for some bullshit administrative reason
| or another, so they enlisted a friend with a helicopter to drop
| them into the secure area to fly it out. Perfectly legal. The
| fact that the system can be brought down with a SQL attack is
| the least of it.
| stronglikedan wrote:
| Just goes to prove that old saying true: "With friends with
| helicopters, who needs more friends!"
| richdougherty wrote:
| So it's also vulnerable to a Helicopter Injection Attack?
| yieldcrv wrote:
| Having done software development with other federal agencies,
| they probably outsourced maintenance of critical national
| security mandates to Deloitte who has a team with managers in
| India running everything with a completely counterproductive
| culture of hubris solely to make the two managers look good,
| and anybody that questions that gets terminated in a week
| pstuart wrote:
| Given that CISA is under the same parent org as TSA, there
| should be ongoing internal evaluation/remediation of sibling
| services.
|
| https://www.cisa.gov/
| nunez wrote:
| It might have been an insanely old application that predates
| SQL injection being common knowledge (or required to be
| protected against) and has been forgotten about/poorly
| maintained.
|
| There are oodles and oodles of apps like this powering our
| daily lives.
| game_the0ry wrote:
| That's because TSA is all theatre. They fail Homeland Security
| audits more often than they pass. [1]
|
| It's supposed to give you the illusions of security while
| giving DHS a bigger budget, and it employs a lot of low
| skilled workers.
|
| It is what you should think of when you think "big, dumb
| government."
|
| [1] https://abcnews.go.com/US/tsa-fails-tests-latest-
| undercover-...
| samstave wrote:
| TBF, TSA =/= _'Trained SQL Administrator'_ - so we can't hold
| __that__ against them...
| 4gotunameagain wrote:
| The safety of airports and air travel compromised by a simple SQL
| injection ?
|
| What is it, the year 2000 ?
|
| It should be a criminal offence for whoever developed that
| system.
| mdorazio wrote:
| Does anyone know how the KCM barcodes differ from employee IDs?
| Seems like TSA is indexing pretty heavily on those.
| jrochkind1 wrote:
| > We had difficulty identifying the right disclosure contact for
| this issue. We did not want to contact FlyCASS first as it
| appeared to be operated only by one person and we did not want to
| alarm them.
|
| Wait, what? Is this a euphemism for they didn't believe they
| would take it seriously? Reporting it over their heads to DHS was
| probably not less "alarming" to anyone...
| gmueckl wrote:
| This is confusing to me as well. You could always escalate
| later, right?
| magic_man wrote:
| The dudes who did this are going to probably be visited by
| homeland security or FBI. Not sure what they thought they will
| get out of this. I don't think the government cares about
| security, but they are vengeful.
| defparam wrote:
| And what will homeland security or the FBI get out of it after
| concluding that that these "dudes" are two well known talented
| security researchers trying to conduct responsible disclosure
| to make air travel safer?
| lyu07282 wrote:
| These aren't two dudes acting ethically, these are "two
| hackers arrested by the FBI for breaking into TSA security",
| good job FBI!
| SG- wrote:
| i wonder if TSA will audit the entire list, also it opens up more
| questions too like how long accounts remain active? are they
| simply assuming each airline will update pilot status? they
| clearly haven't been treating this system as important it seems.
| dtx1 wrote:
| > 05/17/2024: Follow-up to DHS CISO about TSA statements (no
| reply)
|
| > 06/04/2024: Follow-up to DHS CISO about TSA statements (no
| reply)
|
| There should be a public Shitlist of Organisations that don't get
| the Benefit of Responsible Disclosure anymore, just a Pastebin
| drop linked to 4chan.
| bambax wrote:
| This shows that _anyone_ with the slightest motivation to do harm
| would have zero difficulty replaying 911.
|
| The reason there aren't more terrorist attacks isn't because
| various security agencies around the world protect us from them.
| It's because there are extremely few terrorists.
| dawnerd wrote:
| It's also just one of those hard things to prove: is TSA
| actually stopping attacks like 9/11? The simple presence of
| them might be enough of a deterrent or we might just be
| extremely lucky. Seems these days the real threat is drunk
| passengers attacking flight attendants.
| macNchz wrote:
| > The simple presence of them might be enough of a deterrent
|
| The planning for 9/11 took several years, $500k in financing,
| and had a lot of moving parts between recruiting, research,
| travel/visas, flight training etc. It's hard to believe that
| people motivated at that level would truly be deterred by
| what you see happening at the typical American airport these
| days.
| digging wrote:
| Well, the TSA has been tested for their ability to detect
| weapons being brought through security screenings, and they
| were absolutely horrible at it. Can't grab a link at the
| moment, but if you search for it, you'll easily find the
| report published... by the TSA.
|
| So are they stopping anything serious? It's a safe bet
| they're not.
| booleandilemma wrote:
| Have they caught and arrested any would-be bad guys? Should
| be pretty easy to verify.
| mulmen wrote:
| Well Guantanamo Bay still exists.
|
| From https://en.m.wikipedia.org/wiki/Guantanamo_Bay_detenti
| on_cam...:
|
| > As of August 2024, at least 780 persons from 48 countries
| have been detained at the camp since its creation, of whom
| 740 had been transferred elsewhere, 9 died in custody, and
| 30 remain; only 16 detainees have ever been charged by the
| U.S. with criminal offenses.
|
| Given what we do know about the secretive and illegal
| activities of the federal government during the War on
| Terror I don't think it's a reasonable assumption that
| everyone accused of terrorist activity got their day in
| court.
| cg5280 wrote:
| Maybe I am a naive idiot, but I would assume that other
| agencies like the FBI provide _some_ protection even if TSA is
| not great. I occasionally see notable examples, like the CIA
| being responsible for discovering planned attacks on the recent
| Taylor Swift concert in Vienna that was then canceled.
| soneil wrote:
| I believe the biggest increase in security since 9/11, is that
| passengers are no longer expected to sit down and behave.
|
| Pre-9/11, the expectation was you don't draw attention to
| yourself, wait it out, you're going to have a long day and a
| story to tell. Post-9/11, the expectation is you fight for your
| life.
|
| Better cockpit doors and access hygiene probably come second.
| function_seven wrote:
| I've written this comment here before, but I'll do it again.
|
| "Post-9/11" began minutes after the first planes found their
| targets. Flight 93--the one that crashed in Pennsylvania--
| never made it because the passengers revolted after hearing
| about the other planes.
|
| It only took a few minutes for the calculus to change.
| Knowing what was up, those passengers flipped from wait-and-
| see mode to fuck-you mode. This is pretty good evidence that
| you're right: the biggest increase in security was and still
| is that passengers will not be meek anymore.
| tantalor wrote:
| It was a paradigm shift.
|
| This recent video by RealLifeLore drives it home:
| https://www.youtube.com/watch?v=550EdfxN868&t=1504s
|
| > the last time in history that Sovereign American territory
| was invaded and occupied by a hostile foreign power
| was between 1942 and 1943 when the Japanese occupied the
| small and sparsely populated Alaskan islands of Attu and
| Kiska which they struggled to reinforce with supplies and
| were only able to hold on to for a year before getting
| overrun by much better supplied American and Canadian
| soldiers
|
| Up until 9/11, the US people had forgotten what it was like
| to be on defense.
|
| Later in the video:
| https://youtu.be/550EdfxN868?si=gpTplY4Z36tJPxLv&t=2706
|
| > that doesn't mean that the US cannot be hurt or have its
| interests disrupted in other ways the US Mainland can
| obviously still become the subject of major attacks from
| hostile foreign powers if not outright invasions and the
| biggest and worst attack that ever befell the US on its own
| territory happened recently only 23 years ago
| partiallypro wrote:
| Pilots are also now told to not open the cockpit door, no
| matter what's happening in the cabin and to land the plane.
| There is a near 0 chance you could take control of the plane.
| I would be more concerned about someone bringing a bomb on
| board.
| jen20 wrote:
| > zero difficulty replaying 911.
|
| The attacks of September 11th 2001 are fundamentally not
| reproducible irrespective of whether there is _any_ security
| screening at airports.
|
| The default assumption before that morning was that a hijacked
| plane would fly around for a bit, then land. The default
| assumption afterwards is that it will be crashed if a hijacker
| is allowed to gain control, so the calculus on passenger
| intervention is quite different.
| Hikikomori wrote:
| We'll never have another golden age of hijacks thanks to
| 9/11.
| jltsiren wrote:
| The real reason is that people make mistakes all the time.
| There is no shortage of potential mass murderers, and there are
| plenty of successful ones. But if their plans are too ambitious
| or involve too many people, they tend to fail due to stupid
| mistakes. And when those stupid mistakes happen, security
| agencies (and even ordinary police) have a good chance of
| catching them.
| OneLeggedCat wrote:
| ... and that was the last time Ian was allowed to fly without a
| printed boarding pass with SSSS on it.
| mariodiana wrote:
| So, the trick here would be to purchase a ticket with a major
| airline, pack a no-no in your carry-on, and then bypass TSA
| security by adding yourself to the Known Crew Member list of a
| small airline using the third-party FlyCASS system, via the SQL-
| injection. You'd then board the major airline with the no-no. Is
| that the vulnerability?
| asynchronous wrote:
| Pretty much, although most TSA check lines no longer require
| even a boarding pass- so in theory you could pack a bomb with
| you then bypass all the security theater with this.
| returningfory2 wrote:
| My presumption was that when you give TSA your ID and they
| scan it, their systems check that there's a boarding pass in
| your name (and DOB)?
| pbhjpbhj wrote:
| Sounds like you get to sit in the cockpit too?
| sergiotapia wrote:
| yeah i would not mess around with this and get put into a for-
| life no fly list dude. you even wrote data to the prod system,
| christ!
| qazxcvbnmlp wrote:
| Accessing CASS is a big deal, and should be fixed but you're
| gonna need more than this to board an aircraft.
|
| Also... you can fix all the SQL issues, but you're still not
| going to be able to fix the "men in hoodies with a big wrench
| talk to an authorized administrator (while their kids are
| kidnapped in Mexico)"
| brendoelfrendo wrote:
| You'd need more than this to board an aircraft, but who's to
| say that the goal of an attacker is to board an aircraft?
| mikeocool wrote:
| > We did not want to contact FlyCASS first as it appeared to be
| operated only by one person...
|
| It seems pretty remarkable that airlines are buying such a
| security sensitive piece of software from a one person shop. If
| you make it very far into selling any piece of SaaS software to
| most companies in corporate America, at the absolute minimum
| they're going to ask you for your SOC2 audit report.
|
| SOC2 is pretty damn easy to get through with minimal findings as
| far as audits go, but there are definitely several criteria that
| should generate some red flags in your report if the
| company is operated by a single person. And I would have assumed
| that if you're writing software that integrates with TSA access
| systems, the requirements would be a whole lot more rigorous than
| SOC2.
| structural wrote:
| The "airlines" that are using something like FlyCASS are
| themselves smaller operations and typically running on razor
| thin margins (if not just unprofitable and wishfully thinking
| that money will suddenly appear and make their business
| viable). Literally everything on their backend is held together
| with more duct tape than the average small business.
|
| You could be an "airline" by purchasing a couple of older
| airliners and converting them to cargo use. Is it valuable for
| new airlines to get started? Should we force them out of
| business because they don't already have the systems in place
| that take years to decades to build out? Should they pay $$$
| for boutique systems designed for a large passenger airline
| when they have 2 aircraft flying 1 route between nowhere and
| nowhere?
|
| Requirements and audits really aren't the answer here. The
| fundamental design problem is that the TSA has used
| authentication "airline XXX says you're an employee" with a
| very large blanket authorization "you're allowed to bypass all
| security checks at any airport nationwide" without even the
| basic step of "does your airline even operate here?"
| morpheuskafka wrote:
| I'm curious why a small cargo airline would even need to use
| the KCM system. If they don't fly passengers, then wouldn't
| their crew access the aircraft from the cargo ramp (with a
| SIDA badge) and never need to enter the passenger
| terminal/sterile area?
| mikeocool wrote:
| I mean, yes, in this particular situation it seems like there
| are many layers of screw-ups from several different
| organizations.
|
| Though given that airlines are responsible for the safety of
| their crew, passengers, and anyone in the vicinity of their
| aircraft, requiring them to do some basic vetting of their
| chosen vendors related to safety and security doesn't seem
| unreasonable.
| lysace wrote:
| > KCM is a TSA program that allows pilots and flight attendants
| to bypass security screening, even when flying on domestic
| personal trips.
|
| This program seems like the root cause of the security issue.
|
| (Outside of the US) I've often gone through security screenings
| just before or after crew groups in fast track, but otherwise
| normal security screening lanes.
| stuff4ben wrote:
| Security Theatre 3000... keeping us entertained
| qwertox wrote:
| Straight to jail, if this had happened in Germany.
|
| The TSA would have been the one suing you and would easily win.
| dyingkneepad wrote:
| Only malicious foreign actors are encouraged to survey the
| security of systems of national interest, since they can't
| easily get prosecuted. Systems working as intended.
| bahmboo wrote:
| Other issues aside my biggest takeaway is that no one at TSA
| employed even the most basic auditing of external systems
| accessing their secure process.
| system2 wrote:
| I feel like TSA is downplaying it to avoid public backlash. This
| is not childish or amateur. They are just doing what any
| government agency would do. If you speak up louder you will get
| arrested or screwed by some random agency knocking on your door,
| FYI.
| harha_ wrote:
| How can this even be possible? What the hell...
| adamsb6 wrote:
| What's so special about bar codes that the testers couldn't
| create one themselves?
|
| Are they cryptographically signed by a system that was
| inaccessible?
|
| Or is it just a matter of figuring out the bar code format and
| writing out some KCM id?
| samch wrote:
| Little Bobby Tables strikes again:
|
| https://xkcd.com/327/
| permo-w wrote:
| Really feels like SQL should never have been written in such a
| fundamentally insecure manner, or immediately fixed once it was
| discovered that it was.
| tacker2000 wrote:
| SQL was devised far before web apps or the internet were even
| a thing...
| kchr wrote:
| SQL in itself is not the weak point in this case (or any of
| the other cases of a successful SQLi attack). The problem is
| the treatment of user-controllable input data and using that
| data as part of a SQL query without properly
| sanitising/escaping special characters first.
| akoboldfrying wrote:
| How would you "fix" it, while still allowing people to write
| ad hoc queries?
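The distinction kchr draws above (the defect is how user-controlled input reaches the query, not SQL itself) and akoboldfrying's follow-up question are easiest to see side by side. The following is an added example written for this page, not code from the FlyCASS system, the researchers, or anyone in the thread. It assumes Python's built-in sqlite3 module, an in-memory database and a constructed `users` table with made-up rows; the function and column names are invented for illustration. It shows the same login check written by string concatenation and by bound parameters, runs two classic payloads against both, and shows the one place where parameters cannot help (a caller-chosen identifier such as a sort column), which is where "ad hoc" query building still needs an allow-list.

```python
import sqlite3

# Constructed sample data for this example only; not from any real system.
SAMPLE_USERS = [
    ("alice", "s3cret", "acme-air"),
    ("bob", "hunter2", "acme-air"),
]


def make_db():
    """Create an in-memory SQLite database with the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, airline TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Attacker-controlled text is spliced straight into the SQL string.

    A quote character in the input ends the string literal early, so the
    rest of the input is parsed as SQL and changes the query's meaning.
    """
    sql = (
        "SELECT username FROM users WHERE username = '"
        + username + "' AND password = '" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """The query shape is fixed; values travel separately as bound parameters.

    The driver never re-parses the values as SQL, so quotes, comment markers
    and keywords inside them are only ever compared as data.
    """
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


# Hypothetical allow-list for the one part of a query that parameters
# cannot bind: identifiers (column and table names).
ALLOWED_SORT_COLUMNS = {"username", "airline"}


def list_users_sorted(conn, sort_by):
    """Caller-chosen column name, checked against an allow-list first.

    Bind parameters only stand in for values, not identifiers, so an
    "ad hoc" choice like the sort column must be validated before it is
    interpolated into the statement text.
    """
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    rows = conn.execute(f"SELECT username FROM users ORDER BY {sort_by}").fetchall()
    return [r[0] for r in rows]


def demo():
    """Run both login variants against a normal login and two injection payloads."""
    conn = make_db()
    tautology = "' OR '1'='1"   # turns the WHERE clause into ... OR '1'='1'
    comment = "alice'--"        # closes the literal, comments out the password check
    return {
        "vuln_normal": login_vulnerable(conn, "alice", "s3cret"),
        "vuln_tautology": login_vulnerable(conn, "nobody", tautology),
        "vuln_comment": login_vulnerable(conn, comment, "wrong"),
        "param_normal": login_parameterized(conn, "alice", "s3cret"),
        "param_tautology": login_parameterized(conn, "nobody", tautology),
        "param_comment": login_parameterized(conn, comment, "wrong"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16} -> {result!r}")
```

With the concatenated query, both payloads log in as `alice` without her password; with bound parameters, both are simply usernames or passwords that match nobody. The allow-list in `list_users_sorted` is the part that answers "what about ad hoc queries": let the user pick among values you have enumerated, never hand them the statement text.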
| killjoywashere wrote:
| Love reading this while sitting in the MCO terminal waiting to go
| home after the fourth non-stop flight in a week.
| 77pt77 wrote:
| Why do people even attempt to disclose this?
|
| These guys are going to end up with some serious federal charges.
| pbhjpbhj wrote:
| They should just leave the system wide open?
| dimensi0nal wrote:
| post it on 4chan from behind seven proxies and let full
| disclosure do its thing
| eduction wrote:
| I'm glad they uncovered and reported this but I'd be super
| reluctant to actually log in using purloined credentials if I
| were them. As macNchz says elsewhere in this discussion,
| CISA/TSA/DHS does not appear to make any assurances that they
| won't prosecute what appears to be a facial CFAA violation just
| because someone is doing valid security research.
|
| To be clear, I really hope they don't, but they are also clearly
| trying to spin this in a way at odds with the researchers, and
| I'd hate to be in a position where they want to have leverage
| over me if I'd done this.
|
| Brave that they did so though and I do think the severity of the
| vuln warrants this.
| systemvoltage wrote:
| If NYTimes or WSJ had any backbone or journalistic integrity,
| they would write a front page piece on this to fix our agencies
| from being defensive to bug reports, shed light on the horrid
| incompetency in these agencies and how there was no oversight of
| any of this. They would also protect the two individuals as white
| hat hackers and teach non-technical people that these are good
| guys. You know, the job of the press.
| h_tbob wrote:
| Guys, I think you should not have done this. You can really piss
| a lot of people off doing that kind of stuff.
| ProllyInfamous wrote:
| Reminds me of the guy that created a simple one-page website to
| make fake boarding passes, _only to get into controlled areas
| of airports_ (not to actually fly).
|
| <knock> <knock>'d
| cratermoon wrote:
| Of course the worst part is TSA and Homeland Security trying to
| sweep everything under the rug and ignoring the problem.
| d4mi3n wrote:
| Bobby Tables strikes again!
|
| https://xkcd.com/327/
|
| I'm continually amused, amazed, and exasperated at how classes of
| software defects older than I am continue to be a problem.
| yoaviram wrote:
| > FlyCASS seems to be run by one person
|
| Bobby is growing up
| urbandw311er wrote:
| > We did not want to contact FlyCASS first as it appeared to be
| > operated only by one person and we did not want to alarm them
|
| I'm not buying this. Feels more like they knew the site developer
| would just fix it immediately and they wanted to make a bigger
| splash with their findings.
| conroydave wrote:
| Agreed that they wanted to fully understand the extent of the
| hack before disclosing
| almog wrote:
| Whatever their motive was, the engineering process that allowed
| such a common bug to sneak in is broken. If the sole developer
| immediately fixed it, it would have been hard to escalate the
| issue so that maybe someone up the chain can fix this
| systematically. I'm not sure such overhaul would really happen
| but it's more likely that it won't if not escalated.
| robswc wrote:
| What mind-melting levels of incompetency. I would love to suggest
| pay raises so the Government can hire better individuals... but I
| worry the problem is so systemic it wouldn't do any good.
|
| Everyone dropped the ball... and kept dropping it. The part where
| it's handed to them on a silver platter and it's essentially
| smacked away. Maddening.
| tonymet wrote:
| This isn't a "weakest link breaks the chain"; this is a chain with
| 10000 weak links and we found one.
| ppeetteerr wrote:
| How is this a thing in 2024?
___________________________________________________________________
(page generated 2024-08-29 23:00 UTC)