Airports Critical Servers Exposed for 1 Year

[straycat19]

A security lapse at a New York international airport left its server backups exposed on the open internet for almost a year, ZDNet has found.

 

The internet-connected storage drive contained several backup images of servers used by Stewart International Airport, but neither the backup drive nor the disk images were password protected, allowing anyone to access their contents.

 

The airport, about 60 miles north of Manhattan, serves hundreds of thousands of passengers each year, and is regularly used by the military. The airport is known for accommodating charter flights of high-profile guests, including foreign dignitaries.

 

But since April last year, the airport had been inadvertently leaking its own highly sensitive files as a result of the drive's misconfiguration.

 

Chris Vickery, lead security researcher of the MacKeeper Security Center, who helped to analyze the exposed data and posted his findings, said the drive "was, in essence, acting as a public web server" because the airport was backing up unprotected copies of its systems to a Buffalo-branded drive, installed by a contract third-party IT specialist.

 

When contacted Thursday, the contractor dismissed the claims and would not comment further.

 

Though the listing still appears on Shodan, the search engine for unprotected devices and databases, the drive has since been secured.

"You cannot expect one person to maintain an airport network infrastructure. Doing so is a recipe for security lapses," said Vickery.

"This is a classic example of what can go wrong with privatization. For-profit companies have every incentive to, all too often, prioritize revenue over best practices," he said.

 

The files contained 11 disk images, accounting for hundreds of gigabytes of files and folders, which when mounted included dozens of airport staff email accounts, sensitive human resources files, interoffice memos, payroll data, and what appears to be a large financial tracking database.

 

Many of the files we reviewed include "confidential" internal airport documents, which contain schematics and details of other core infrastructure.

 

Others belonging to Homeland Security agencies were marked "sensitive" but not classified, including comprehensive security plans, screening protocols, and arrival procedures for private jet passengers.
 

Source