Wednesday, March 1, 2017
Transportation Security Administration documents reveal security lapses at Stewart International Airport (KSWF)
NEW YORK — Sensitive documents leaked after a data exposure at an upstate New York airport have revealed several major security lapses in recent years.
Dozens of files seen by ZDNet list a catalog of security failings over the past few years at Stewart International Airport, about 60 miles north of Manhattan, which serves hundreds of thousands of passengers each year, including high-profile guests and private charter flights.
The cache build up a unique picture of insider threats, breaches, and lapses that acknowledge the difficulty in keeping airside security to a high standard, even at smaller airports.
In one such instance, documents seen by ZDNet show how airport staff was for an unknown period in 2010 unable to screen names against the U.S. government’s watchlist of suspected terrorists who were forbidden from flying in its airspace.
A response letter by the airport manager confirmed that the airport “did not have access to the list,” and therefore badge-holding staff at the airport were not being screened properly.
The airport had to enlist the help of neighboring Westchester County Airport to carry out the checks, the letter added.
The government’s “no-fly” list currently prevents around 47,000 passengers from flying within, into, or out of U.S. airspace, according to leaked documents, a figure that rocketed during the Obama administration.
But the list has proven controversial, not least because it’s shrouded in secrecy. Only a select few people who have challenged their membership are even aware that they have been on the list, which includes regular citizens, diplomats and politicians. CBS News obtained a copy of the no-fly list in 2006, which showed that the list was riddled with mistaken identities, wrongly added names, and even dead people.
It’s not clear what led to the screening mishap, but emails found in the cache of exposed file show one security-cleared employee of AVPorts, a third-party operations provider that manages the airport, regularly downloaded the no-fly list from a secure Homeland Security portal.
A former head of the Transportation Security Administration (TSA) explained that both passengers and airport staff are checked against the no-fly list centrally, making it more difficult to slip through the cracks.
“All airline passengers are screened for the no-fly list automatically by TSA centrally when a flight reservation is made,” said Kip Hawley, who helped to found the agency following the September 11 attacks. “It looks like the airport is supposed to screen badge-holders against the no-fly list, and maybe they weren’t doing that so they got the notice of violation,” he said.
But Hawley said that the so-called “insider threat” remains a concern.
One email seen by ZDNet showed that the airport was concerned about the issue following an arrest of a Long Island, New York resident, which resulted in the discovery of a counterfeit badge for LaGuardia Airport. The email said that had staff not properly checked the badge, it may have allowed an uncleared person to enter the airport’s secure area.
“Please keep in mind that this could happen at any airport and we must be vigilant,” read the email sent by a senior security official at Stewart Airport.
Federal agencies continue to put greater scrutiny on the security protocols and policies of smaller airports, including Stewart, in light of the threat posed by the so-called Islamic State, or ISIS.
Among the concerns are that potential fighters who try to join the terror group on the ground in Syria and Iraq may aim to travel through smaller, regional airports in order to avoid detection by the authorities.
One field intelligence note found among the exposed files, published by Homeland Security in April 2016, said terrorists “may continue to choose smaller airports… as preferred, more attractive departure points for foreign fighter travel,” because security is perceived to be not as strict as at larger international airports.
That makes the risks greater and the need to ensure tight security controls all the more important.
A review of various letters of investigation received by the airport over the past decade point to as many as 15 separate investigations carried out by the TSA each year as a result of security lapses at the airport.
TSA inspectors wrote in one letter of investigation in 2010 that card readers installed in the airport’s corporate transit zone allowed direct access to the Air Operations Area, a highly restricted area of the airside tarmac where aircraft depart, arrive, and maneuver.
Another letter of investigation from 2011 found an unsecured baggage carousel key, which provides direct access to the airport’s secure area. The key was lent by a member of one airline’s staff to another, but it was later left on a ticket counter when the borrower returned the key.
And, a letter of investigation from mid-2012 detailed a list of multiple claimed violations, including unsupervised and unescorted access to non-cleared contractors and visitors to highly sensitive and restricted parts of the airport, known as Security Identification Display Areas.
But a concerted effort by the airport to improve security over the past three years has paid off.
One email sent by the airport’s security manager earlier last year confirmed that the TSA had not sent any letters of investigation during 2015.
Also, a comprehensive security review by TSA inspectors in the same year concluded with no findings of concern, the email said.
In a statement provided to CBS News, the TSA said:
“The documents we’ve seen referenced appear to be copies of old inspection reports that demonstrate that TSA has been performing our mission of security oversight at the airport. When we find issues that need to be addressed we point them out and work with the airport to get them resolved.”
The Port Authority of New York & New Jersey, which operates the area’s transportation facilities, including Stewart International Airport, said in a statement that its network “has not been compromised” and that issues identified several years ago have been addressed:
“Based on our investigation, the Port Authority network has not been compromised and remains sound. AVPorts, an independent contractor that handles various airport functions including serving as security manager at Stewart International Airport, maintains a separate system for administering those responsibilities. Our investigation into AVPorts separate system is ongoing. The TSA findings in the documents in that system from several years ago were addressed at that time to the satisfaction of the TSA and are no longer relevant.”
This article originally appeared on ZDNet.com.
NEW YORK (FOX 5 NEWS) - Stewart International Airport in Orange County, New York, is a fairly small airport with a big problem.
Chris Vickery is a data security expert in California. Part of his job is to find private information exposed to the public and then let the companies or agencies know about their security lapse. That is exactly what he did with Stewart International Airport earlier this month.
"I found that what's known as the remote synchronization service at this IP address was open and exposed to the entire world," Vickery said. "Anybody with an Internet connection could have downloaded from it."
Chris was then shocked to see the documents he easily downloaded from the server: tons of information about Stewart International Airport.
"When I opened it, it contained all sorts of airport data," Vickery said. "It had folders named 'HR,' 'Payroll.' It had employees' Social Security numbers as well as 107 gigabytes of email correspondence."
Chris says he immediately called the airport management company and then the Port Authority, which owns the airport. He let them know about the dangerous security breach. Several hours later, the public server shut down.
In a statement, the Port Authority said: "Based on our investigation, the Port Authority network has not been compromised and remains sound. AVPorts, an independent contractor that handles various airport functions including serving as security manager at Stewart International Airport, maintains a separate system for administering those responsibilities. Our investigation into AVPorts separate system is ongoing."
We also reached out to the TSA, which said it takes these allegations very seriously and is reviewing the incident.
Story and video: http://www.fox5ny.com
Posted by Kathryn on 7:03:00 PM