Security Lapse Exposed New York Airport's Critical Servers For a Year

An anonymous reader quotes a report from ZDNet: A security lapse at a New York international airport left its server backups exposed on the open internet for almost a year, ZDNet has found. The internet-connected storage drive contained several backup images of servers used by Stewart International Airport, but neither the backup drive nor the disk images were password protected, allowing anyone to access their contents. Since April last year, the airport had been inadvertently leaking its own highly-sensitive files as a result of the drive's misconfiguration. Vickery, who also posted an analysis of his findings, said the drive "was, in essence, acting as a public web server" because the airport was backing up unprotected copies of its systems to a Buffalo-branded drive, installed by a contract third-party IT specialist. When contacted Thursday, the contractor dismissed the claims and would not comment further. Though the listing still appears on Shodan, the search engine for unprotected devices and databases, the drive has since been secured. The files contained eleven disk images, accounting for hundreds of gigabytes of files and folders, which when mounted included dozens of airport staff email accounts, sensitive human resources files, interoffice memos, payroll data, and what appears to be a large financial tracking database. Many of the files we reviewed include "confidential" internal airport documents, which contain schematics and details of other core infrastructure.

Stewart = ConAir departure point

I've been flown out of Stewart a couple of times. It's the departure point for New York area Federal prisoners bound for FTC Oklahoma City and other points. The US Marshals drive buses and vans from all over the area (MDC Brooklyn, MCC Manhattan, Danbury, Ft. Dix, etc.) every Tuesday and Thursday afternoon to Stewart to meet a white, unmarked JPATS jet (737 or MD-80). Prisoners are usually in paper jumpsuits, shackled ankles, wrists, and waist, and are patted down on the apron next to the jet.

Transfer takes place next to the NY Air National Guard helicopter hangars. Perimeter security consists of four or five US Marshals with 12-gauge shotguns or M4/M16 rifles and sidearms. Transfer time takes about 90 minutes, unless there's a mechanical problem with the plane, which is more often than not.

High-value prisoners (e.g., a Whitey Bulger or a convicted terrorist) are not transported with the general population.

BTW, the buses are unmarked intercity (i.e., Greyhound) buses. You can tell they're FBOP because there's a separate door on the left side at the back for a US Marshall who sits in a caged seat with a shotgun, along with a GPS antenna in an external dome on the roof over the drivers' compartment. Side windows are tinted black.

k.