Slashdot Mirror


US Postal Service Suspends Telecommuting Following Massive Breach

An anonymous reader writes: The folks at the USPS have responded to the recent breach that exposed data on 800K employees and another some 2.8 million customers. They have suspended telecommuting for all employees until further notice while they replace their VPN with a more secure version. "Additionally, the postal service will upgrade some of its equipment and systems in the coming weeks and months as part of a broad security overhaul in response to the breach."

50 comments

  1. Which VPN solution were they using? by EmagGeek · · Score: 1

    Does anyone know?

    1. Re:Which VPN solution were they using? by detritus. · · Score: 4, Funny

      Whatever it was, it probably was backed by a UPS.

    2. Re:Which VPN solution were they using? by Anonymous Coward · · Score: 0

      an old ptpp solution, probably...

    3. Re:Which VPN solution were they using? by DoofusOfDeath · · Score: 1

      TCP over Postal System.

      Low packet loss, but terrible latency.

    4. Re:Which VPN solution were they using? by Anonymous Coward · · Score: 0, Insightful

      Actually, we go to war regularly. I'm getting tired of it.

    5. Re:Which VPN solution were they using? by Anonymous Coward · · Score: 0

      Actually, we go to war regularly. I'm getting tired of it.

      I think Anonymous meant a war on US soil.

    6. Re:Which VPN solution were they using? by Anonymous Coward · · Score: 1

      No nation in history has ever needed a real war as badly as the US.

      I am curious, how would another war fix the USPS?

      If war is a panacea for government woes, why didn't the wars in Afghanistan/Iraq fix problems like this?

      I have a feeling the veterans who served in them and populations that lived through them find them quite real. The question is, why don't you?

    7. Re:Which VPN solution were they using? by Anonymous Coward · · Score: 0

      why didn't the wars in Afghanistan/Iraq fix problems like this?

      Small, debt funded optional non-wars don't contribute to correcting our fucked up priorities.

    8. Re:Which VPN solution were they using? by Anonymous Coward · · Score: 0

      Telegraph?

    9. Re:Which VPN solution were they using? by hodet · · Score: 1

      PCAnywhere

    10. Re: Which VPN solution were they using? by TimMD909 · · Score: 1

      Telnet

    11. Re:Which VPN solution were they using? by Anonymous Coward · · Score: 0

      If it was one of Linux or OS X it would have been mentioned in the article, else it's 'computer' malware :)

    12. Re:Which VPN solution were they using? by Anonymous Coward · · Score: 0

      Reform is possible without violence, it's just not as "fun" apparently.

      Show me where and I'll sign on the dotted line. And then they'll circular file it.

      Reform works better when your entire government isn't complicit in allowing massive breaches of your most fundamental laws to occur every single day, as a matter of practice and policy. They've decided to cooperate and solve their prisoner's dilemma.

    13. Re: Which VPN solution were they using? by jd2112 · · Score: 1

      And massive bandwidth. Up to multiple terabytes in a single packet.

      --
      Any insufficiently advanced magic is indistinguishable from technology.

    14. Re:Which VPN solution were they using? by CaptainDork · · Score: 1

      We had one back in the 1860s and that didn't update the VPNs and stuff.

      --
      It little behooves the best of us to comment on the rest of us.

    15. Re: Which VPN solution were they using? by Anonymous Coward · · Score: 1

      The odds the VPN was compromised are pretty low in comparison to the odds a user's system was compromised by malware, virus, trojan, etc.

  2. 800k weren't delivering the mail? by aoeu · · Score: 1

    What were they paid to do?

    --
    All your database are belong to U.S.

    1. Re:800k weren't delivering the mail? by The+New+Guy+2.0 · · Score: 1

      Answer calls in the style of a call center. Postal rates are complicated right now, so to get an exact price for a big shipment the average user needs to speak with somebody.

    2. Re:800k weren't delivering the mail? by Anonymous Coward · · Score: 0

      4x the staff of General Motors to compute rates............

      What a racket.

    3. Re:800k weren't delivering the mail? by Anonymous Coward · · Score: 0

      They also cold call local businesses to see if they'd like to be in the weekly spamvertisement for a set of ZIP codes.

    4. Re:800k weren't delivering the mail? by Joe_Dragon · · Score: 0

      The mailmen have to do their time cards and TSP reports somehow.

    5. Re:800k weren't delivering the mail? by mattjh · · Score: 5, Insightful

      I don't post much, don't read much on here anymore either, but I can't resist... TSP report? Try TPS. 800k not delivering the mail? Try data RELEASED on 800k employees, not by faulty VPN configs USED by 800k employees. PTPP VPN? Try PPTP. For such a self-righteous "we're always right" bunch of users, you people sure aren't putting much effort into this.

    6. Re:800k weren't delivering the mail? by PopeRatzo · · Score: 0

      I post a lot and read a lot

      ...and mama used to say, "Life is like a box of chocolates."

      --
      You are welcome on my lawn.

    7. Re:800k weren't delivering the mail? by tehcyder · · Score: 1

      Your user name could only be more appropriate if it was something like CuntyMcPointless.

      --
      To have a right to do a thing is not at all the same as to be right in doing it

  3. Further Security Enhancements to come by Anonymous Coward · · Score: 0

    In a broad sweeping policy, the USPS has also forced everyone to change their password from "Password123" to "Password1234!". Employees were somewhat disgruntled that they now had to remember two extra characters "...because of those dicks in IT.".

    The interesting bit would be to know HOW these hackers got in - even just a broad idea... eg: injection attack, brute force, social engineering... whatever.

    I suspect, being 'Murica, they don't want to disclose anything because undoubtedly the next two words they will see are "Class Action".

  4. The question is wrong by radarskiy · · Score: 1

    The summary says that data on 800k workers was exposed, not that 800k workers were telecommuting. The linked article does not put a number on how many workers were telecommuting.

    Also, although I don't know whether it is done in practice it is not impossible for an urban mail carrier to never go to the post office. The green boxes are used as intermediate collection points for carriers that are on foot.

  5. A more secure VPN version .. by lippydude · · Score: 1

    "Since Target’s breach last fall, numerous businesses and organizations including Home Depot, JPMorgan, Supervalu, Community Health Systems, UPS Stores, Dairy Queen, and others have announced breaches that cumulatively have exposed data on tens of millions of people. The sudden rash of data breaches has left security experts scrambling to find a reason for what is going on". ref

  6. Breach first ... by CaptainDork · · Score: 1

    ... patch later.

    --
    It little behooves the best of us to comment on the rest of us.

  7. The new normal by Anonymous Coward · · Score: 0

    Is this how companies do layoffs now?

  8. Why do VPN users have access to this much data? by Harlequin80 · · Score: 1

    Before looking at the technological failure point I would like to know why that much data is exposed to a vpn connection in such a way that it can be exploited.

    Surely you have to treat the machines on the other end of the vpn as hostile. You don't have them inside your controlled network 100% of the time (not to mention even if you did you should treat them as hostile). How is it that even if someone managed to gain access to a vpn connection that they could hit the database servers for that much data?

    I'm sure I am missing something but I would have thought there should be an application layer between any user and the raw data and that you would have to know how that application requested the information to get an output.

    1. Re:Why do VPN users have access to this much data? by cbiltcliffe · · Score: 1

      Before looking at the technological failure point I would like to know why that much data is exposed to a vpn connection in such a way that it can be exploited.

      Because idiot IT "consultants" generally view the firewall as the only important line of defence. I can't count the number of businesses I've gone into to clean up a mess, and found the perimeter firewall to be....well...mediocre, and the internal security to be absolutely non-existent. Basically, the assumption is that anything that's on the network is supposed to be there, so you don't set anything up to question it.

      I've seen databases set up to allow root/sa access to anything, with no password. If I question the IT genius who set it up, the response is usually something like: "Well, that way everybody who needs it has access to it, and the firewall blocks any outside access, so it's secure."

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......

    2. Re:Why do VPN users have access to this much data? by Harlequin80 · · Score: 1

      I can "kinda" understand that in a small shop. But with sooooo many employees your risk of bad hardware being brought into the office is huge. And what's more, it's the postal service. You know, the place that had the term "go postal" named after it. Surely you would assume your employees were high risk if they named "going crazy and shooting people" after your company.

    3. Re:Why do VPN users have access to this much data? by tlhIngan · · Score: 1

      Surely you have to treat the machines on the other end of the vpn as hostile. You don't have them inside your controlled network 100% of the time (not to mention even if you did you should treat them as hostile). How is it that even if someone managed to gain access to a vpn connection that they could hit the database servers for that much data?

      I'm sure I am missing something but I would have thought there should be an application layer between any user and the raw data and that you would have to know how that application requested the information to get an output.

      Hey, if a user has access to that information, that information can be leaked. It may not be convenient in that you have to take screenshots every time (e.g., if you demand telecommuters work in a secured remote desktop session thus protecting the network from the user).

      And why they may have it? Well, your telecommuter can be anyone - perhaps it's the application developer who has access to the database? (Aren't IT guys one of the biggest complainers if telecommuting is restricted?) HR folks who need access to personnel records? Perhaps you ban programmers and IT guys telecommuting because they have access to servers with sensitive data and source code? Or add HR bans as well because HR has access to sensitive data? At which point you can pretty much exclude everyone from telecommuting.

      Perhaps you're part of the sysadmin team and someone does a deployment - are you going to mandate everyone come into the office because something might go wrong, or let everyone telecommute in? Perhaps the DBA needs to do something to the production database because something went wrong - are you going to make them drive in or let them log in remotely and fix it? Oh, he has access to the production database!

    4. Re:Why do VPN users have access to this much data? by magamiako1 · · Score: 1

      * 2FA on VPN (RSA Tokens)
      * Separate Administrative credentials used by IT staff
      * Dedicated administrative workstations that IT staff do not use to do daily tasks (email, web, etc.)
      * OR dedicated IT jump box requiring further 2FA to log in to.

    5. Re:Why do VPN users have access to this much data? by Harlequin80 · · Score: 1

      Of course it can be leaked. 1 screenshot at a time. But there is no reason that they should be able to dump data on 800k employees and 2 million + customers.

      That should have taken someone a lifetime, one screenshot at a time.

      The HR department does not need access to the customer records. The HR department does not need access to bulk information. The application developer pool should not have access to the live production database from a remote location. The developer should be given access to a sanitised database clone. There is zero reason they should be working on the full dataset.

      As for your DBA, it depends on how mission critical and how sensitive your data is. You are talking about a company that has 800,000 employees. I'm sorry but they should have a DBA sitting on site 24/7. Outside of that though, why couldn't they have 2 factor authentication? Compromising a network SHOULD NOT give you access to everything. They should have been running Kerberos with highly controlled access levels.

      You can't remove all risks. But those should be actively minimised.

    6. Re:Why do VPN users have access to this much data? by aaronb1138 · · Score: 1

      Usually, I have found the culprit in large organizations with strong granular security to be the developers and support. The number of times I have watched a new person get onboard and have proper, restricted intranet access, and then the application support people have to open everything up to them to get that one proprietary app to work is astounding.

    7. Re:Why do VPN users have access to this much data? by Rich0 · · Score: 1

      Before looking at the technological failure point I would like to know why that much data is exposed to a vpn connection in such a way that it can be exploited.

      Because idiot IT "consultants" generally view the firewall as the only important line of defence. I can't count the number of businesses I've gone into to clean up a mess, and found the perimeter firewall to be....well...mediocre, and the internal security to be absolutely non-existent. Basically, the assumption is that anything that's on the network is supposed to be there, so you don't set anything up to question it.

      I work in a Fortune 500 company, and anybody on a VPN can ping any database server in the company. If they have valid credentials, they can log in. For some servers the application accounts are extended into the database so if you know where the database is you could log in and query the whole thing (ie bypassing the front-end and any business logic it might enforce - hopefully the DB account would be read-only but I wouldn't count on it).

      Internal security tends to be very light. Maybe they're running IDS, but I can't vouch for that one way or another.

      The flip side of this is that strong security isn't cheap, so it isn't appealing to PHBs. It costs money and tends to slow things down. So, we have lots of perimeter security and a soft, squishy interior.

    8. Re:Why do VPN users have access to this much data? by Rich0 · · Score: 1

      The application developer pool should not have access to the live production database from a remote location. The developer should be given access to a sanitised database clone.

      In many the two are one and the same, and they access the database from halfway around the world. Physical access isn't always compatible with $15/hr, and you can imagine which sounds more important to the typical PHB...

  9. Upgrade Time by sir-gold · · Score: 1

    Sounds like it's time to get rid of those Win2k servers.

    1. Re:Upgrade Time by cbiltcliffe · · Score: 1

      Server 2K3 also uses PPTP, which is known to be broken, and no fix is planned from MS, despite the fact that 2K3 is still supported til next year sometime.

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......

  10. Thanks NSA by Anonymous Coward · · Score: 0

    Should have spent more time upgrading security instead of undermining it.

  11. Telecommuting?? by sunderland56 · · Score: 1

    How the bleep does the mailman get to telecommute???

    Marissa Mayer is the devil incarnate - but even I'll agree, delivering the mail kinda sorta has to be done in person.

    1. Re:Telecommuting?? by tehcyder · · Score: 1

      How the bleep does the mailman get to telecommute???

      Marissa Mayer is the devil incarnate - but even I'll agree, delivering the mail kinda sorta has to be done in person.

      Yes, because everyone working for the Postal Service is a mailman/woman.

      They are a unique organisation in that they require no HR, planning, IT, marketing, finance, management, sales, payroll, admin or training support staff whatsoever.

      --
      To have a right to do a thing is not at all the same as to be right in doing it

    2. Re:Telecommuting?? by deadweight · · Score: 1

      FYI, not everyone at the Post Office delivers mail. In other news, not all Delta employees are pilots and not all NASCAR employees are drivers.

  12. tsk by Anonymous Coward · · Score: 0

    No one ever should be telecommuting.

    Sorry, this is my stance after my years in IT. I myself have done it and it's just not worth the "convenience."

    Literally, if you can't be in an office to do your job, you don't need a job. If there are extenuating circumstances, that's fine. If your entire job exists on the road, fine. As someone who can successfully work from home, I would never do it again.