
Terrorist watchlist exposed via misconfigured Elasticsearch cluster

439 points by david_shaw almost 4 years ago

37 comments

cyberlurker over 3 years ago
> “The terrorist watchlist is made up of people who are suspected of terrorism but who have not necessarily been charged with any crime,” Diachenko wrote. “In the wrong hands, this list could be used to oppress, harass, or persecute people on the list and their families. It could cause any number of personal and professional problems for innocent people whose names are included in the list.”

I’m curious how many journalists are on the list. Now that we are pulling out of Afghanistan, we should reevaluate the other actions we took after 9/11. The Patriot Act deserves another look and possible edit.
Rd6n6 over 3 years ago
Wikipedia says the no fly list only had 47k people on it. The terror watch list had about 1.9M though, so this must be the terror watch list.

1.9M people is a massive number of people

> The No Fly List is different from the Terrorist Watch List, a much longer list of people said to be suspected of some involvement with terrorism. As of June 2016, the Terrorist Watch List is estimated to contain over 2,484,442 records, consisting of 1,877,133 individual identities.

https://en.m.wikipedia.org/wiki/No_Fly_List
Joker_vD over 3 years ago
You know, I can understand why the Terrorist Watch List is secret ― but not why the No Fly list is. If there is a list that governmental agencies and/or commercial companies are _obliged_ to check you're not on before providing you with their service, then _surely_ such a list must be public or at the very least, one should be able to easily inquire about whether he/she is on it or not.

For a related example, the Russian government maintains a list of banned Internet resources. The list is not public — at least in theory — but there is an official web site where you can input a URL or a domain name and it would respond either with "no, it's not on the list", or with "yes, it's on the list, here's who ordered it and when".
scrps almost 4 years ago
> The researcher considers this data leak to be serious, considering watchlists can list people who are suspected of an illicit activity but not necessarily charged with any crime.

"In the wrong hands, this list could be used to oppress, harass, or persecute people on the list and their families."

I'd imagine being on a list that limits your personal freedom without being charged with a crime and convicted falls pretty squarely within the definition of being oppressed & persecuted before even considering any second-order effects of the list being leaked.
ClumsyPilot over 3 years ago
As expected, it is only a matter of time until all the intensely private data collected by the NSA and pals is leaked or stolen and used by criminals for fraud and extortion.
r1ch over 3 years ago
It's amazing how many hacks and data breaches all come down to dangerous default settings. Elasticsearch defaulted to no security; anyone hitting the IP has full access to the cluster. MongoDB is another infamous example. Even today, one of my sites is being DDoSed by a bunch of 2007-era Ubiquiti network devices which use ubnt / ubnt as the root login and naturally got exposed to the internet. Bad defaults linger for a long time.
WrtCdEvrydy over 3 years ago
I wonder if this will end up on haveibeenpwned?

"The FBI leaked your name as a terrorist"
gjsman-1000 over 3 years ago
Just an hour ago I was having a dialogue with someone on Hacker News saying we needed a national ID system after the T-Mobile hack. I said that the US Government should not be trusted to be any more secure than T-Mobile with such a system.

I rest my case.
int_19h over 3 years ago
What really bugs me about these lists isn't just that they exist, but that there's continuous clamoring to expand the scope in which they are applied. For example:

https://www.theatlantic.com/politics/archive/2015/12/no-fly-list-inverted-politics/419172/

So, basically, politicians have found it to be a convenient tool to skirt due process concerns in general when pushing for their favorite agenda.
raxxorrax almost 4 years ago
It is amazing what the hunt for terrorism has done to modern countries. They only look fearful and weak, exactly what professional terrorists always wanted them to be.

Anyone who knows bureaucratic behavior knows that even in the absence of real terrorists, people will find their way onto lists like these.

I hope the lists will leak to a wide audience. Find the cases that are wrong and sue those responsible behind the desks. This is the only way this can stop.

The website is extremely horrible. Did use a dev browser without adblock. Grave mistake.
criticaltinker over 3 years ago
> [cybersecurity researcher Bob Diachenko] was able to find about 1.9 million records detailing individuals’ no-fly statuses, full names, citizenship, genders, passport numbers, and more.

> “it seems plausible that the entire list was exposed”
nurgasemetey over 3 years ago
Out of curiosity, how can I search myself?
jl6 over 3 years ago
Would love to know how the FBI dealt with transliteration deduplication of non-Latin names, cf. the many spellings of Muammar Gaddafi. Although I guess they would just use whatever’s on the passport?
_moof over 3 years ago
"In the wrong hands, this list could be used to oppress, harass, or persecute people on the list and their families."

Teetering on the brink of an epiphany.
voldacar over 3 years ago
So somebody found the terrorist watchlist and _didn't_ upload it anywhere or start a torrent, but instead took some screenshots and gave vague descriptions of the data to journalists?

I'd like my reality unmediated, please
thepasswordis over 3 years ago
Suggestion:

Take the Facebook leak from earlier. Create hundreds of collections of 1.9M people. Release it to the dark web.

Just flood the zone with noise. FBI can still keep their list (and know it’s legit), and people's privacy will be ensured.

Otherwise this is going to 100% get integrated into various social credit systems we have in the US.
smitty1e over 3 years ago
Among the basic concepts of American Civil Rights used to be the Sixth Amendment right to confront accusers.

Legal weenies may engage in mental gymnastics to rationalize the evil of no-fly lists.

They deserve the receiving end of their perfidy.
Ceezy over 3 years ago
These people are morons! They claimed to be crème de la crème and watch. A few years ago they wanted to force Apple to create a "secure backdoor". Hope we gonna get more details.

Sorry for the rant
tomc1985 over 3 years ago
Elasticsearch is like the security breach gift that keeps on giving...
hughrr over 3 years ago
Awaiting future headline _“Secret CSAM hash list leaks online”_.

Keeping lists secret appears to be something the human race is really really bad at.
woodruffw over 3 years ago
> Additionally, the researcher noticed some elusive fields such as "tag," "nomination type," and "selectee indicator," that weren't immediately understood by him.

I'm not sure about the others, but "selectee indicator" might be whether the individual is on the Selectee list used for SSSS flagging[1].

[1]: https://en.wikipedia.org/wiki/Secondary_Security_Screening_Selection
thephyber over 3 years ago
I’m curious if anyone who is on the leaked list now has standing in court to litigate their status, whereas they could not prove their status/data before.

One of my biggest complaints with national security programs is that they tend to argue that transparency (even to the voters and elected representatives whom these programs ostensibly protect) threatens the program. Sometimes when leaks happen, it gives the citizens a tool they didn’t previously have to challenge those programs.
outworlder over 3 years ago
"Misconfigured Elasticsearch cluster"

Doubly so. No passwords _and_ it was exposed. There's no real reason to ever directly expose a database to the internet for 0.0.0.0/0. Heck, there's no reason to expose it to any routable address.

Yeah sure zero trust or whatever. Still, why even risk it? Layers.
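Taking r1ch's point about dangerous defaults together with outworlder's "no passwords and exposed" pairing, here is an added example (not code from the thread or from Elastic) that audits an elasticsearch.yml for exactly that combination; the two sample configs are constructed, and the loopback spellings and flat key/value layout are assumptions:

```python
"""Audit an elasticsearch.yml for the combination the thread describes: authentication off
(the pre-8.0 default) AND the HTTP listener bound beyond loopback. Added example, not code
from the thread or Elastic; assumes flat `key: value` lines (no nesting), so no PyYAML."""

LOOPBACK = {"_local_", "127.0.0.1", "::1", "localhost"}  # bind values that stay on-host

# Constructed sample: pre-8.0 node, defaults left alone, bound to every interface
WEAK_CONFIG = """
cluster.name: watchlist-index
network.host: 0.0.0.0
"""
# Constructed sample: loopback bind plus security and TLS switched on
HARDENED_CONFIG = """
cluster.name: watchlist-index
network.host: _local_
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

def parse_flat_yaml(text):
    """Flat `key: value` lines -> dict; `[a, b]` becomes a list; comments dropped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        value = value.strip().strip("'\"")
        if value.startswith("[") and value.endswith("]"):
            value = [v.strip().strip("'\"") for v in value[1:-1].split(",") if v.strip()]
        settings[key.strip()] = value
    return settings

def audit(text, security_default=False):
    """Return (exposed_without_auth, findings); security_default is what an unset
    xpack.security.enabled means: False before 8.0, True from 8.0 on."""
    s = parse_flat_yaml(text)
    findings = []
    raw = s.get("xpack.security.enabled")
    security = str(raw).lower() == "true" if raw is not None else security_default
    if not security:
        findings.append("no authentication: anyone who reaches the port has full cluster access")
    # http.host overrides network.host for the HTTP listener; both default to _local_
    hosts = s.get("http.host", s.get("network.host", "_local_"))
    hosts = hosts if isinstance(hosts, list) else [hosts]
    public = [h for h in hosts if h not in LOOPBACK]
    if public:
        findings.append(f"HTTP listener bound beyond loopback: {public}")
    return bool(public) and not security, findings
```

Run `audit(WEAK_CONFIG)` and `audit(HARDENED_CONFIG)` side by side: only the first returns `True`, and passing `security_default=True` (the 8.x default) shows why the same bind setting is a lesser finding on a newer release.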
commandlinefan over 3 years ago
At least last time I looked at it, ElasticSearch is shockingly insecure by default (as are Mongo, Cassandra, Hadoop, and everything else that's popular in the relatively recent Java ecosystem).
ransom1538 over 3 years ago
Can someone post the list?
throwaway4688f over 3 years ago
Where is the torrent, dammit? Internet ain't what it used to be.
sonicggg over 3 years ago
Where is this alleged list then? Very convenient that this guy is not disclosing a link to this supposed leak. I think someone wants notoriety.
mygoodaccount over 3 years ago
Did some perusing - can't find it anywhere you'd normally find these things. Let me know if anyone does!
afrcnc over 3 years ago
Source of this convoluted blog spam: https://www.linkedin.com/pulse/americas-secret-terrorist-watchlist-exposed-web-report-diachenko/
trident5000 over 3 years ago
Once government agencies are given approval from Congress they typically have very little oversight from that point on, including from Congress. It's why we get abusive behavior from so many of them.

NSA: Prism

DEA: Asset forfeiture

FBI/CIA: Abusing FISA and using Five Eyes to spy domestically

IRS: Political targeting

etc etc etc
readonthegoapp over 3 years ago
I figure the FBI is using ES, with all its default insecurity and RCE features, as a honeypot.
londons_explore over 3 years ago
With 1.9 million people, there must be plenty of people here whose data is in this list.

Any of you care to comment?
tester756 over 3 years ago
Why does "misconfigured" Elasticsearch appear as the reason this often?
thepasswordis over 3 years ago
So this is definitely going to be used for character assassinations right?
1023bytes over 3 years ago
Perhaps yet another unsecured MongoDB?
alexfromapex over 3 years ago
The fact this wasn't protected by a VPN is amazing
SevenSigs over 3 years ago
Where can I get the list? This should definitely be public (unless they just put random people on the list).