
Bypassing airport security via SQL injection

dylan604
26 replies
1h29m

Since they actually went past the SQL injection and then created a fake record for an employee, I'm shocked that Homeland did not come after and arrest those involved. Homeland would have been top of the list to misinterpret a disclosure and prefer to refer to the disclosure as malicious hacking instead of responsible disclosure. I'm more impressed by this than the incompetence of the actual issue.

aftbit
13 replies
1h15m

You're not wrong, but I would have a hard time as a jury member convicting them of a CFAA violation or whatever for creating a user named "Test TestOnly" with a bright pink image instead of a photo.

If they had added themselves as known crewmembers and used that to actually bypass airport screening, then yeah, they'd be in jail.

beaglesss
7 replies
1h5m

What if they incremented a number in a url on a publicly available website?

debo_
5 replies
50m

Is this a reference to a past event? I don't get it.

beaglesss
1 replies
42m

In part, yes, but it inevitably devolves into an ad hominem attack against the most high-profile case of a guy who did it, who is now hiding in Ukraine on a Pridnestrovian passport after having his conviction overturned (temporarily), giving him an escape window.

fnfjfk
0 replies
7m

hiding in Ukraine

Huh. Uh, weird choice, given, well, you know…

hyperhello
0 replies
45m

It's an incredibly basic form of pen testing. For example, this reply page URL refers to id=41393364, which is presumably your comment. So what happens if I replace it with a different number? Probably something innocent, but maybe not.

debo_
0 replies
32m

Thanks for all the references / replies, folks. I appreciate it.

aftbit
0 replies
22m

Yeah I wouldn't have convicted weev either. There is a difference though. He used that incremented number to access actual user PII. These guys created a user with no PII and no actual malicious use.

smsm42
1 replies
18m

That's what jury instructions are for. The judge can instruct the jury to ignore pretty much any facts and consider any subset of what really happened that they want. So they'd just instruct "did they access the system? Were they authorized? If the answer to the first question is yes, and to the second is no, the verdict is guilty, ignore all the rest". The jury won't be from the HN crowd, it would be random people who don't know anything about CFAA or computer systems, it will be the easiest thing in the world to convict. Those guys got so lucky DHS exhibited unusually sensible behavior, they could have ruined their lives.

mariodiana
0 replies
0m

As my good fortune would have it, I'm called to jury duty two weeks from now. I doubt I'll be sat though. Should I be, I'll keep the above in mind.

mrguyorama
0 replies
1h3m

You're not wrong, but I would have a hard time as a jury member

Which is why jury selection usually removes people who understand the situation.

RHSeeger
0 replies
14m

But would it really matter if they were convicted, after being in jail for who knows how long awaiting trial, losing their job, etc?

IshKebab
0 replies
44m

Yeah so best case you spend tens of thousands on lawyers and probably win.

Doing this under your own name is insane.

beaglesss
6 replies
1h25m

The statute of limitations is long and HSI often delays their indictment until the investigation is mostly wrapped up.

dylan604
5 replies
1h13m

So you're suggesting they're not out of the woods?

beaglesss
4 replies
1h7m

Depends. If no one currently cares, there is no significant structure or personnel or political change in the future several years, and they don't have any assets worth taking, and the government doesn't get any more desperate for assets to seize -- then they're out of the woods.

dylan604
3 replies
1h3m

I doubt asset seizure is what they'd be after. I was thinking more of the "make an example out of them" mentality as an attempt to prevent others from being curious. Government entities don't tend to do well with knowing the difference between malicious hacking and responsible disclosure. The infamous governor and the View Source is a fun one to trot out as exhibit A.

smsm42
0 replies
10m

Asset seizure is not because the government needs the money. It's because you need the money to pay for lawyers, legal experts, etc., and if your assets are seized, you can't - so you are much easier to pressure into making a quick guilty plea and get another successful prosecution added to the list. Of course, the whole process is the punishment as usual, but the asset seizure also plays an important coercive role there.

garyfirestorm
0 replies
51m

Don't even need to make an example... they probably have a warning/welcome pop-up that says 'unauthorized access to this system will result in...' because the TSA lawyer is going to follow this simple train of thought - were the 'accused' authorized to access the system - gotcha!

beaglesss
0 replies
1h0m

Both are definitely valid. I think saving face and cash grabs are the two fastest ways to get in deep shit with the government.

cabaalis
1 replies
1h14m

If anyone from there reads the parent, they should know they have created an atmosphere where the worry of possible prosecution over responsible disclosure has the potential to scare away the best minds in our country from picking at these systems.

That just means the best minds from other, potentially less friendly countries will do the picking. I doubt they will responsibly disclose.

smsm42
0 replies
13m

I personally don't comprehend how these people are taking such huge risks. Once a bureaucrat wakes up one morning in the wrong mood, your life is ruined at least for the next decade, maybe forever. Why would anyone do it - just for the thrill of it? I don't think they even got paid for it?

neilv
0 replies
2m

Good catch. Of course, different people wear different shades of hat, and I guess the author might have good rationale for going quite as far as they did, I don't know.

Kudos to the author for alerting DHS. Methodology questions aside, it sounds like the author did a service, by alerting of a technical vulnerability that would be plausible for a bad actor to seek out and successfully discover.

But regardless, I hope any new/aspiring security researchers don't read this writeup, and assume that they could do something analogous in an investigation, without possibly getting into trouble they'd sorely regret. Some of the lines are fuzzy and complicated.

BTW, if it turns out that the author made a legality/responsibility mistake in any of the details of how they investigated, then maybe the best outcome would be to coordinate publishing a genuine mea culpa and post mortem on that. It could explain what the mistake was, why it was a mistake, and what in hindsight they would've done differently. Help others know where the righteous path is, amidst all the fuzziness, and don't make contacting the proper authorities look like a mistake.

mpaco
0 replies
49m

The timeline mentions the disclosure was made through CISA, and on their website there is an official incident report form.

I can imagine an email to some generic email address could have gone down the way you describe, but I guess they look at these reports more professionally.

https://myservices.cisa.gov/irf

Enginerrrd
0 replies
37m

I mean... they still might if the wrong people end up getting embarrassed by this. The wheels of bureaucracy are slow.

UniverseHacker
17 replies
1h13m

Hilarious that the entire TSA system is vulnerable to the most basic web programming error that you generally learn to avoid 10 minutes into reading about web programming, and that every decent quality web framework automatically prevents.

It is really telling that they try to cover up and deny instead of fix it, but not surprising. That is a natural consequence of authoritarian thinking, which is the entire premise and culture of the TSA. Any institution that covers up and ignores existential risks instead of confronting them head on will eventually implode by consequences of its own negligence, which hopefully will happen to the TSA.

VyseofArcadia
13 replies
1h3m

Hilarious that the entire TSA system is vulnerable to the most basic web programming error that you generally learn to avoid 10 minutes

The article mentions that FlyCASS seems to be run by one person. This isn't a matter of technical chops, this is a matter of someone who is good at navigating bureaucracy convincing the powers that be that they should have a special hook into the system.

What should really be investigated is who on the government side approved and vetted the initial FlyCASS proposal and subsequent development? And why, as something with a special hook into airline security infrastructure, was it never security audited?

shuntress
3 replies
31m

The problem is deeper and simpler than that.

Authentication should not need to be re-implemented by every single organization. We should have official auth servers so that FlyCASS doesn't need to worry about identity management and can instead just hand that off to id.texas.gov (or whatever state they operate from) the same way most single-use tool websites use Google's login.

VyseofArcadia
1 replies
27m

This seems like exactly the sort of work the US Digital Service should take on.

Would still need an audit to make sure sites are actually using the shared auth and not rolling their own.

shuntress
0 replies
21m

I'm not saying anyone should be disallowed from running their own authentication.

I'm saying we need the digital equivalent of "show me your driver's license".

d1sxeyes
0 replies
0m

This exists in some European countries; in Hungary, for example, you have an identity service (KAU) that authenticates you and operates as an SSO provider across a number of different government properties.

preciousoo
3 replies
46m

Something I've been thinking about, especially since that CrowdStrike debacle. Why do major distributors of infrastructure (MSFT in the case of CrowdStrike, DHS/TSA here) not require that vendors with privileged software access have passed some sort of software distribution/security audit? If FlyCASS had been required to undergo basic security testing, this (specific) issue would not exist.

woodruffw
0 replies
12m

They often do. The value of those kinds of blanket security audits is questionable, however.

(This is one of the reasons I'm generally pro-OSS for digital infrastructure: security quickly becomes a compliance game at the scale of government, meaning that it's more about diligently completing checklists and demonstrating that diligence than about critically evaluating a component's security. OSS doesn't make software secure, but it does make it easier for the interested public to catch things before they become crises.)

vips7L
0 replies
24m

In the case of MSFT/CrowdStrike, isn't this exactly the opposite of what HN rallies against? The users installed CrowdStrike on their own machines. Why should Microsoft be the arbiter of what a user can do to their own system?

bronco21016
0 replies
30m

Money. Eventually the lobbyists would make it so cumbersome to get the certification that only the defense industry darlings would be able to do anything. Look at Boeing Starliner for an example of how they run a “budget”.

hn72774
3 replies
32m

We know that backdoors can be intentional for use by 3-letter agencies. And there is plausible deniability of the bureaucracy when they can pass blame onto a single individual.

Or it's bureaucracy being bureaucracy. The TSA is a lot of security theater anyway.

seanthemon
2 replies
23m

This is a bit of a ridiculous comment. Who in their right mind would say a SQL injection is a backdoor for a 3LA?

Additionally, why would they use FlyCASS when they could just access the data directly?

hn72774
1 replies
13m

To move someone from one place to another without an official record of the person?

Honeypot? Legit logins are logged differently than non-legit?

seanthemon
0 replies
12m

Yes, they _definitely_ need to access FlyCASS to achieve this. Almost certainly no other way.

mrbluecoat
0 replies
15m

FlyCASS seems to be run by one person

Is their name Jia Tan, by chance?

yieldcrv
0 replies
8m

Having done software development with other federal agencies, they probably outsourced maintenance of critical national security mandates to Deloitte who has a team with managers in India running everything with a completely counterproductive culture of hubris solely to make the two managers look good, and anybody that questions that gets terminated in a week

oceanplexian
0 replies
24m

Hilarious that the entire TSA system is vulnerable to the most basic web programming error

Because it's a scam and the system is a grift.

I'm a pilot and own a private aircraft. Landing at any airport, even my home airport which is restricted by TSA is legal without any special requirement or background check. In fact, I have heard horror stories where TSA wouldn't let a pilot retrieve their aircraft for some bullshit administrative reason or another, so they enlisted a friend with a helicopter to drop them into the secure area to fly it out. Perfectly legal. The fact that the system can be brought down with a SQL attack is the least of it.

Simon_ORourke
0 replies
54m

For an overtly authoritarian institution it actually surprises me they do the old delete and pretend it never happened approach to basic security.

woodruffw
8 replies
1h31m

The TSA's response here is childish and embarrassing, although perhaps unsurprising given the TSA's institutional disinterest in actual security. It's interesting to see that DHS seemingly (initially) handled the report promptly and professionally, but then failed to maintain top-level authority over the fix and disclosure process.

macNchz
5 replies
1h8m

What was surprising to me was that they didn't immediately do pre-dawn raids on the pentesters' homes and hold them without a lawyer under some provision of an anti-terror law.

garyfirestorm
2 replies
56m

That is apparently not a popular move anymore, since people keep logs and have credentials, a strong social media presence and readily available cloud-enabled cameras. One email to any news org and whoever authorizes the raid will probably face some music. But knowing TSA, we can expect this any minute now...

tracker1
0 replies
53m

They just add you to a secret watch list to annoy you when you travel when you're critical of them... or the current administration, so it would seem.

woodruffw
0 replies
54m

That's not really how this works. TSA is maliciously incompetent, but there is a reporting pipeline and procedure for these things that's formalized and designed to protect exactly this kind of good-faith reporting[1].

(It's very easy to believe the worst possible thing about every corner of our government, since every corner of our government has something bad about it. But it's a fundamental error to think that every bad thing is always present in every interaction.)

[1]: https://www.cisa.gov/report

noinsight
0 replies
48m

Yeah, I don't know if I would go testing such systems and then reporting the results under my own name (presumably)...

I didn't see any comment about them being contracted to do this at least.

garyfirestorm
1 replies
53m

It's interesting to see that DHS seemingly (initially) handled the report promptly...

I think DHS mid level manager yelled at a TSA mid level manager who reported this to the senior TSA officials and then their usual policy kicked in... deny/deflect/ignore

laweijfmvo
0 replies
7m

TSA is DHS, though. At some point, it's the same high-level manager...

hypeatei
7 replies
1h23m

I hate the TSA with every ounce of my being and these articles reinforce why. Incompetent and useless agency that only serves to waste people's time. Can't believe it still exists; 9/11 and the Bush administration really did a number on this country.

rootusrootus
2 replies
1h8m

It doesn't seem particularly unique to TSA. Flying elsewhere in the world has essentially identical security screening, with all the same stupidity.

I'm a little butthurt right now, in particular, about the security at Heathrow. They confiscated a bottle of whisky that we got in Edinburgh. After 10 minutes of head-scratching and consulting with a supervisor, they concluded that "it does not say 100ml" (it had "10cl" cast into the glass) and "even then, that is just the size of the bottle, not the liquid inside it." What an incredible demonstration of intelligence there.

They gave us a receipt and said we could have it shipped. We checked when we got home. 130 GBP with shipping. Ended up just buying a 700ml bottle from an importer, cost about half as much.

anal_reactor
1 replies
59m

The problem boils down to two issues:

1. Ok, security is bad, what are you going to do? Go to different, competing security?

2. Nobody wants to be the politician that relaxes the security right before an accident, even if the accident wouldn't be prevented with tighter security anyway.

cyberax
0 replies
40m

1. Ok, security is bad, what are you going to do? Go to different, competing security?

Amazingly, you can do that. SFO doesn't use the TSA, for example.

grishka
2 replies
1h17m

We as a civilization are terrible at getting over things, it seems.

dgfitz
1 replies
1h12m

Oh, it gets even more amusing. By the logic of the GP, Bush must have impersonated every member of the House and Senate, because they're not aware of how the TSA came into existence/how a law is created. The Aviation and Transportation Act garnered broad bipartisan support.

hypeatei
0 replies
1h6m

It was referring more to the time period and general power grab that the federal government was involved in (Patriot Act, Protect America Act, etc.).

Also, Bush had to sign the ASTA into law (checks and balances) which he did so he's part of the problem.

ravenstine
0 replies
55m

They're one of the most seemingly incompetent agencies I am forced to deal with every year.

For one, why is it that every TSA checkpoint feels like it was scrambled together? 9/11 was a long time ago. There's no reason why checkpoints can't have better signage, clearer instructions for what should or shouldn't go on a conveyor belt, an efficient system for returning containers (I've lost count of how many times the line was held up because employees didn't feel like bringing over a stack of containers in clear view), and so on. The checkpoints do seem to go a bit faster than they used to a long time ago, but it's still a frustrating process that makes me feel like an imbecile every time I use it. I do my best to follow directions, but directions are often lacking, so I have to use my best judgment from past experience, and often get yelled at anyway. Does the TSA want to be hated?

Secondly, there have been multiple occasions where I've made it through the security checkpoint with items that should obviously set off red flags. I recently made it through with a humongous center punch which, while not sharp like a knife, could do some serious damage to another person if used as a weapon. Got it through with no questions asked. I've also gotten through with scissors, knives, strangely shaped electronics, a custom-built electronic device that a naive person could see as suspicious, and so on. Never have I been stopped for those things.

But laptops and e-readers? I'd better not forget one of them in my carry-on bag or I'm gonna get shouted at and be forced to re-run the bag through the scanner again. I can get through with sharp metallic tools and weird unlabeled boxes with wires hanging out of them, but I can't leave my Kindle in my backpack? And what about the humongous battery packs I carry? No problem having 2 or 3 of those in my bag. I guess my MacBook Air or my e-reader possess uniquely dangerous powers I don't comprehend. Even if I try to comply with the "laptops out of your bag" rule, I might still get shouted at if I place it in a container instead of right on the conveyor belt... or if I place it in a container with some other belongings next to it.

Maybe the TSA stops terrorists that are as stupid as they are, which I guess is a good thing. But how good can stupid people be at catching other stupid people? Is it really worth it to waste everyone else's time and to treat them like crap in the process?

Yup, not surprised that the TSA also reacts with as much stupidity to cybersecurity flaws. If I became supreme leader overnight, I would work to completely dismantle the TSA and rebuild it from scratch. There doesn't appear to be any value in that agency that can't be easily replaced with something better.

voiceblue
3 replies
1h49m

Not surprised that they deny the severity of the issue, but I am quite surprised they didn't inform the FBI and/or try to have you arrested. Baby steps?

woodruffw
0 replies
1h29m

The author made the right move by doing this through FAA and CISA (via DHS), rather than directly via TSA. It's not inconceivable that a direct report to TSA would have resulted in legal threats and bluster.

preciousoo
0 replies
1h43m

This should be news lol, I'm surprised a bored 17-year-old with a fake ID hasn't made a TikTok sneaking on board a plane. SQL injection ffs

dmd
0 replies
1h8m

Those kind of wheels turn very slowly. I will bet any takers $50 that Ian will be prosecuted.

jerf
3 replies
1h16m

You know it's bad when it's so bad that as I write this no one has even bothered talking about how bad storing MD5'd passwords is. This even proves they aren't even so much as salting it, which is itself insufficient for MD5.

But that isn't even relevant when you can go traipsing through the SQL query itself just by asking; wouldn't matter how well the passwords were stored.

AntonyGarand
2 replies
1h5m

The MD5 part of the SQLi is added by the pentester, likely because they needed a call that would end in a parenthesis within the injection parameter.

0x0
0 replies
57m

The screenshot in the article shows MD5() is returned as part of the error message from the web server, so it is probably also a part of the original server-side query.
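
The two points in this subthread (jerf's, that identical unsalted MD5 digests reveal no salting, and 0x0's, that the MD5() call is part of the server-side query) as an added Python example; this is not code from the article or from FlyCASS. It puts a string-built login query with an unsalted MD5() call beside a parameterized, salted PBKDF2 version; SQLite stands in for the real database, a registered MD5() mimics the MySQL built-in, and the table and column names are assumptions.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ITERATIONS = 600_000  # OWASP-recommended count for PBKDF2-HMAC-SHA256


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    # MySQL has a built-in MD5(); SQLite does not, so register one to reproduce the legacy query.
    conn.create_function("MD5", 1, lambda s: hashlib.md5(s.encode()).hexdigest())
    conn.execute("CREATE TABLE users_legacy (username TEXT, password_md5 TEXT)")  # assumed schema
    conn.execute("CREATE TABLE users (username TEXT, salt BLOB, pw_hash BLOB)")  # assumed schema
    return conn


# --- legacy pattern: query text built from untrusted input, unsalted MD5 at rest ---
def legacy_add_user(conn, username: str, password: str) -> None:
    digest = hashlib.md5(password.encode()).hexdigest()  # no salt: equal passwords -> equal digests
    conn.execute("INSERT INTO users_legacy VALUES (?, ?)", (username, digest))


def legacy_login(conn, username: str, password: str) -> bool:
    # Input is spliced into the SQL text, so any quote character changes the query itself.
    # A malformed query raises sqlite3.OperationalError whose message echoes the SQL, MD5() included.
    sql = (f"SELECT username FROM users_legacy "
           f"WHERE username = '{username}' AND password_md5 = MD5('{password}')")
    return conn.execute(sql).fetchone() is not None


# --- hardened pattern: bound parameters, per-user salt, slow hash, constant-time compare ---
def add_user(conn, username: str, password: str) -> None:
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", (username, salt, pw_hash))


def login(conn, username: str, password: str) -> bool:
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, stored)


def demo() -> dict:
    """Run both patterns on constructed users and return the observable differences."""
    conn = make_db()
    for name in ("alice", "bob"):          # constructed sample users sharing one password
        legacy_add_user(conn, name, "hunter2")
        add_user(conn, name, "hunter2")
    add_user(conn, "O'Brien", "s3cret")    # a perfectly legitimate name containing a quote
    out = {}
    out["legacy_ok"] = legacy_login(conn, "alice", "hunter2")
    out["legacy_wrong_pw"] = legacy_login(conn, "alice", "nope")
    rows = conn.execute("SELECT password_md5 FROM users_legacy").fetchall()
    out["legacy_same_digest"] = rows[0] == rows[1]     # jerf's tell-tale: no salt
    try:
        legacy_login(conn, "O'Brien", "s3cret")
        out["legacy_quote_error"] = False
    except sqlite3.OperationalError:
        out["legacy_quote_error"] = True               # the quote broke the query text
    out["hardened_ok"] = login(conn, "alice", "hunter2")
    out["hardened_quote_ok"] = login(conn, "O'Brien", "s3cret")
    out["hardened_wrong_pw"] = login(conn, "alice", "nope")
    rows = conn.execute("SELECT pw_hash FROM users WHERE username IN ('alice', 'bob')").fetchall()
    out["hardened_same_digest"] = rows[0] == rows[1]   # distinct salts -> distinct hashes
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A database error message that contains the query's own MD5() call, as 0x0 notes about the screenshot, is therefore a direct indicator of both defects at once: input reaching the SQL text and an unsalted fast hash in the comparison.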

justmarc
1 replies
1h38m

A good old SQL injection negates the entire security theatre worth probably billions a year, hilarious, but probably not all too surprising.

aftbit
0 replies
1h13m

Does anyone remember Bruce Schneier and his faked boarding passes? The TSA scribble used to be the weak point of the entire system.

wkirby
0 replies
1h13m

Honestly, this is the most shocking part:

We did not want to contact FlyCASS first as it appeared to be operated only by one person and we did not want to alarm them

It’s incredible (and entirely too credible) that this kind of “high security” integration could be built in such an amateur way: and a good reminder why government projects often seem to be run with more complexity than your startup devs might think is necessary.

rez0__
0 replies
1h54m

Now that we are an administrator of Air Transport International...

LOL

Unfortunately, our test user was now approved to use both KCM and CASS

smh...

preciousoo
0 replies
1h48m

This was a wild read, that something like this could be so easy, but the later part describing the TSA response is incredibly alarming

mdorazio
0 replies
1h1m

Does anyone know how the KCM barcodes differ from employee IDs? Seems like TSA is indexing pretty heavily on those.

magic_man
0 replies
17m

The dudes who did this are probably going to be visited by Homeland Security or the FBI. Not sure what they thought they would get out of this. I don't think the government cares about security, but they are vengeful.

jrochkind1
0 replies
51m

We had difficulty identifying the right disclosure contact for this issue. We did not want to contact FlyCASS first as it appeared to be operated only by one person and we did not want to alarm them.

Wait, what? Is this a euphemism for they didn't believe they would take it seriously? Reporting it over their heads to DHS was probably not less "alarming" to anyone...

dtx1
0 replies
8m

05/17/2024: Follow-up to DHS CISO about TSA statements (no reply)

06/04/2024: Follow-up to DHS CISO about TSA statements (no reply)

There should be a public shitlist of organisations that don't get the benefit of responsible disclosure anymore, just a Pastebin drop linked to 4chan.

bambax
0 replies
7m

This shows that anyone with the slightest motivation to do harm would have zero difficulty replaying 9/11.

The reason there aren't more terrorist attacks isn't because various security agencies around the world protect us from them. It's because there are extremely few terrorists.

SG-
0 replies
16m

I wonder if TSA will audit the entire list. It also opens up more questions, like how long accounts remain active. Are they simply assuming each airline will update pilot status? They clearly haven't been treating this system as important, it seems.

OneLeggedCat
0 replies
6m

... and that was the last time Ian was allowed to fly without a printed boarding pass with SSSS on it.

4gotunameagain
0 replies
1h10m

The safety of airports and air travel compromised by a simple SQL injection?

What is it, the year 2000?

It should be a criminal offence for whoever developed that system.