United States Postal Service Breach – Expert Comments

By   ISBuzz Team
Writer , Information Security Buzz | Nov 12, 2014 05:05 pm PST

This week, it was announced that 800,000 United States Postal Service employees’ data was compromised as part of a breach likely perpetrated by Chinese hackers. Here to comment are a number of experts from the information security industry. Lieberman Software, Network Box USA, PFU Systems, STEALTHbits Technologies, and Tripwire are represented.

Philip Lieberman, President, Lieberman Software:

“Given the size of the USPS and their limited engagement of the security industry in general, there is a high probability that malware could be launched from USPS servers, workstations and devices. In general, it is more probable that an attacker would launch attacks from systems external to USPS since they would be more manageable for the attacker.

“The information’s value really depends on the intentions of the attacker(s). The size and richness of the list provides a valuable resource for spammers and criminals alike.

Featured Download: Social media access at work. Do your employees know the rules?

“Detecting or preventing secondary attacks would be very hard without seeing the trail of attacks. A trackback through the servers and systems used is the only way to understand the attack and its command and control systems, which may lead us to attribute the attackers. As to how far back investigators can go, this is unknown to the outside world at this point in time.

“The USPS is a rich target for any attacker because of the size of its databases. Reports say the USPS will provide credit monitoring for its own employees since that was the majority of the data extracted. More than 800,000 names and full employment data of USPS employees!

“As with any mass leakage of personal identifiable information (PII), there may be another large wave of identity theft, fraud, malware, phishing and other bad outcomes for those that have dealt with the USPS. The funny thing about all of this is that the Attorney Generals of the 50 states will be unable to put their hooks into the USPS for poor cyber security (no lawsuits or AG shakedowns for money, as is typical for commercial firms), nor will citizens be able to file lawsuits against USPS. USPS is not going to provide credit monitoring and, as to compensating for reputation loss and the loss of business, that is hard to say.”

Chad F Walter, Director of Channel Development, Network Box USA:

“This is huge in scope and, based on early reports, the information accessed and potentially stolen could have an unlimited impact on USPS employees and customers for years to come. No, I don’t wish to see an outbreak of panic, but perhaps a little panic is required for IT security to be taken seriously.

“The 2.9 million customer records that were accessed contained names, addresses, phone numbers and emails.

“I often argue that this information is far more valuable than bank account or credit card numbers. Account numbers can quickly be changed and monitored for investigative purposes. On the other hand, have you ever known someone to move often or change a phone number? Or even change their email because of a cyber breach? That personal information is exactly what is needed to launch massive social engineering campaigns beyond ‘My associate, the exiled former Nigerian President, needs your help….’

“Such detailed, personal information has a shelf-life lasting years beyond the initial breach.

“It’s also imperative to point out that there is also a legitimate market for such data. Consequently, these details are gold to legal list companies who either sell the list to sales organizations, not-for-profits, or even political campaigns. The criminals who stole this information have the potential to make quite a lot of money outside of the black and grey markets.”

Carmine Clementelli, Network Security Expert, PFU Systems, a Fujitsu company:

“Not only government organizations or large corporations are the victims of targeted attacks, but more and more these attacks are becoming common at any level and any type of organization. What is valuable (target of these organized attacks) is the target information, which includes not only credit card information or intellectual property but also names, addresses, emails, dates of birth, Social Security numbers, contact information, patient records and so on.

“This is an APT attack, an advanced and targeted attack done by sophisticated cyber criminals. This type of attack is becoming very common. Organizations of any size today need to be aware that APT attacks might be around the corner and need to invest in more robust security.

“Organizations must embrace highly effective defense-in-depth strategies and deploy a multi-point defense. That means combining solutions that can detect attacks not only at the Internet edge but also inside the company’s network and on connected endpoints. It is important to monitor & analyze multi-directional communication patterns to detect any anomalous behavior, especially communication with command & control servers and device-to-device communications within the network, and to inspect traffic crossing the network for continuous security.”

Jonathan Sander, Strategy & Research Officer, STEALTHbits Technologies:

“Clearly, the attacker is after data. What they will do next is grab more data if they can. Another attack is possible; there could be booby traps all over their infrastructure. With the attention it’s netting, it will be a challenge for the attackers to spring a trap undetected. However detection may be before the data gets over the wire, or just after. Sending millions of records over the Internet is as simple as transferring a few megabytes of data.

“The old expression is that the military is always ready to fight the last war. Along these lines, cybersecurity experts will b look for what they know to look for. In the meantime, we won’t know the real story of what these attackers used for a long time. If these hackers have come up with truly novel angles of attack that no one has really exploited before, then finding the traps will be very difficult.

“Until we know who did it, it’s impossible to really understand the motive beyond one simple fact: USPS employs a lot of people, and stealing data about people is profitable. So for now the sure thing one can say is that this was a smash and grab and it’s most likely for profit motive like most other breaches.”

Ken Westin, Security Analyst, Tripwire:

“Identifying the full scope of a compromise is an incredible challenge, as it can take months to get systems back into a trusted state and ensure the full compromise is contained. If they collected detailed system logs and other data, it can help replay the pattern of the attack and identify other systems on the network that may have been compromised.

“Unfortunately, many government agencies only do the bare minimum in terms of log collection, so it may be more difficult to identify the full scope of the breach. The difficulty of this depends on the measures USPS had in place before the compromise. My guess is that the attackers exfiltrated all of the data they could from the systems they were able to access, so there may not have been anything left to attack.

“I believe these kinds of breaches can be avoided, but I think a general complacency about security allows these types of breaches to occur. Lack of resources and training are common challenges; however, if the USPS plans to load this data on servers for convenience, they should have put stronger security plans in place to secure the data. If there are no resources available to secure this type of data, then it shouldn’t be put onto accessible systems in the first place.”