US Internet Leaked Years of Internal, Customer Emails - Krebs on Security

The Minnesota-based Internet provider US Internet Corp has a business unit called Securence, which specializes in providing filtered, secure email services to businesses, educational institutions and government agencies worldwide. But until it was notified last week, US Internet was publishing more than a decade's worth of its internal email, and that of thousands of Securence clients, in plain text out on the Internet and just a click away for anyone with a Web browser.

Headquartered in Minnetonka, Minn., US Internet is a regional ISP that provides fiber and wireless Internet service. The ISP's Securence division bills itself as "a leading provider of email filtering and management software that includes email protection and security services for small business, enterprise, educational and government institutions worldwide."

US Internet/Securence says your email is secure. Nothing could be further from the truth.

Roughly a week ago, KrebsOnSecurity was contacted by Hold Security, a Milwaukee-based cybersecurity firm. Hold Security founder Alex Holden said his researchers had unearthed a public link to a US Internet email server listing more than 6,500 domain names, each with its own clickable link.

A tiny portion of the more than 6,500 customers who trusted US Internet with their email.

Drilling down into those individual domain links revealed inboxes for each employee or user of these exposed host names. Some of the emails dated back to 2008; others were as recent as the present day.

Securence counts among its customers dozens of state and local governments, including nc.gov (the official website of North Carolina), stillwatermn.gov (the website for the city of Stillwater, Minn.) and cityoffrederickmd.gov (the website for the government of Frederick, Md.).

Incredibly, included in this giant index of US Internet customer emails were the internal messages for every current and former employee of US Internet and its subsidiary USI Wireless. Since that index also included the messages of US Internet's CEO Travis Carter, KrebsOnSecurity forwarded one of Mr. Carter's own recent emails to him, along with a request to understand how exactly the company managed to screw things up so spectacularly.

Individual inboxes of US Wireless employees were published in clear text on the Internet.

Within minutes of that notification, US Internet pulled all of the published inboxes offline. Mr. Carter responded and said his team was investigating how it happened. In the same breath, the CEO asked if KrebsOnSecurity does security consulting for hire. (I do not.)

Author's note: Perhaps Mr. Carter was frantically casting about for any expertise he could find in a tough moment. But I found the request personally offensive, because I couldn't shake the notion that maybe the company was hoping it could buy my silence.

Earlier this week, Mr. Carter replied with a highly technical explanation that ultimately did little to explain why or how so many internal and customer inboxes were published in plain text on the Internet.

"The feedback from my team was an issue with the Ansible playbook that controls the Nginx configuration for our IMAP servers," Carter said, noting that this incorrect configuration was put in place by a former employee and never caught. US Internet has not shared how long these messages were exposed.

"The rest of the platform and other backend services are being audited to verify the Ansible playbooks are correct," Carter said.

Holden said he also discovered that hackers have been abusing a Securence link-scrubbing and anti-spam service called UrlShield to create links that look benign but instead redirect visitors to hacked and malicious websites.

"The bad guys modify the malicious link reporting into redirects to their own malicious sites," Holden said. "That's how the bad guys drive traffic to their sites and increase search engine rankings."

For example, clicking the Securence link shown in the screenshot directly above leads one to a website that tries to trick visitors into allowing site notifications, by couching the request as a CAPTCHA designed to separate humans from bots. After approving the deceptive CAPTCHA/notification request, the link forwards the visitor to a Russian internationalized domain name, рпроагрф.

The link to this malicious and deceptive website was created using Securence's link-scrubbing service. Notification popups were blocked when this site tried to disguise a prompt for accepting notifications as a form of CAPTCHA.

US Internet has not responded to questions about how long it has been exposing all of its internal and customer emails, or when the errant configuration changes were made. The company also still has not disclosed the incident on its website. The last press release on the site dates back to March 2020.

KrebsOnSecurity has been writing about data breaches for nearly two decades, but this one easily takes the cake in terms of the level of incompetence needed to make such a huge mistake unnoticed. I'm not sure what the proper response from authorities or regulators should be to this incident, but it's clear that US Internet should not be allowed to manage anyone's email unless and until it can demonstrate more transparency and prove that it has radically revamped its security.
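The post says only that an Ansible playbook mis-rendered the Nginx configuration on the IMAP servers and that the result was a browsable index of mailboxes; it does not say which directive was wrong. The guardrail below is an added example, not US Internet's or Securence's code: it parses an Nginx config (for instance the output of `nginx -T`, or the file a playbook has just templated) and fails on the pattern that produces exactly that symptom, a server or location that serves a directory under the mail store with `autoindex on` and no access-control directive in front of it. The mail-store paths, the sample configs and the host name are constructed assumptions.

```python
"""Guardrail for Nginx configs rendered by a config-management playbook.

Added example, not the ISP's own code.  The post does not say what the bad
directive was; this check flags the configuration shape that yields a
clickable index of mailboxes: a block serving a directory under the mail
store with autoindex on and no auth_basic / auth_request / deny in scope.
The mail-store prefixes and sample configs are assumptions.
"""
import re
import sys

MAIL_STORE_PREFIXES = ("/var/mail", "/var/spool/mail", "/srv/mail")  # assumption

# strings, block delimiters, statement terminators, bare words
_TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+')


def parse(text):
    """Parse nginx config text into nested dicts of blocks and directives.

    Good enough for `nginx -T` output (comments stripped, quoted args kept);
    it is not a full nginx grammar."""
    text = re.sub(r"#.*", "", text)
    root = {"name": "root", "args": [], "directives": [], "children": []}
    stack, cur = [root], []
    for tok in _TOKEN.findall(text):
        if tok == "{":
            blk = {"name": cur[0], "args": cur[1:], "directives": [], "children": []}
            stack[-1]["children"].append(blk)
            stack.append(blk)
            cur = []
        elif tok == "}":
            stack.pop()
            cur = []
        elif tok == ";":
            if cur:
                stack[-1]["directives"].append((cur[0], cur[1:]))
            cur = []
        else:
            cur.append(tok.strip("\"'"))
    return root


def _effective(block, inherited):
    """Apply a block's own directives over what it inherits from its parent."""
    eff = dict(inherited)
    for name, args in block["directives"]:
        if name == "autoindex":
            eff["autoindex"] = bool(args) and args[0] == "on"
        elif name in ("root", "alias"):
            eff["path"] = args[0] if args else ""
        elif name in ("auth_basic", "auth_request"):
            eff["guarded"] = bool(args) and args[0] != "off"
        elif name == "deny":
            eff["guarded"] = True
    return eff


def find_exposures(text, mail_prefixes=MAIL_STORE_PREFIXES):
    """Return one finding string per server/location that would serve a
    browsable listing of the mail store without access control."""
    findings = []

    def walk(block, inherited, server):
        eff = _effective(block, inherited)
        if block["name"] == "server":
            names = [a for n, a in block["directives"] if n == "server_name"]
            server = " ".join(names[0]) if names else "?"
        if block["name"] in ("server", "location"):
            where = " ".join(block["args"]) if block["name"] == "location" else "/ (no location block)"
            path = eff.get("path", "")
            if eff.get("autoindex") and not eff.get("guarded") and path.startswith(mail_prefixes):
                findings.append(f"{server}: location {where} serves {path} with autoindex on and no access control")
        for child in block["children"]:
            walk(child, eff, server)

    walk(parse(text), {}, "?")
    return findings


# Constructed sample: an autoindex default that leaked into the server block
BAD_CONF = """
http {
    server {
        listen 80;
        server_name imap1.example.test;   # assumption
        autoindex on;                     # template default, never overridden
        location /mail/ { alias /var/spool/mail/; }
        location /healthz { return 200; }
    }
}
"""

# Constructed sample: same paths, but gated and with listings off
GOOD_CONF = """
http {
    server {
        listen 443 ssl;
        server_name imap1.example.test;
        location /mail/ {
            alias /var/spool/mail/;
            auth_request /auth;
            autoindex off;
        }
    }
}
"""

if __name__ == "__main__":
    conf = sys.stdin.read() if not sys.stdin.isatty() else BAD_CONF
    for line in find_exposures(conf):
        print("EXPOSED:", line)
    sys.exit(1 if find_exposures(conf) else 0)
```

Run it as `nginx -T | python3 check_mail_exposure.py` in the playbook's handler or CI job so a bad render fails before the service reloads; a non-zero exit is the signal to stop the deploy.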
This entry was posted on Wednesday, 14th of February 2024 at 11:45 AM.
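The UrlShield abuse described in the post above is the open-redirect problem that every link-scrubbing service has to solve: if the click-through endpoint will bounce a visitor to whatever destination the link carries, attackers can mint "scrubbed" links to their own sites. The code below is an added example, not Securence's UrlShield code, and the post does not say how that service builds or resolves its links. It shows the vulnerable resolver beside a hardened one that only honours destinations the service itself signed at scan time and re-checks the destination against a blocklist at click time. The service host, parameter names, key and URLs are constructed assumptions.

```python
"""Open redirect vs. signed redirect in a link-scrubbing service.

Added example, not UrlShield's code.  resolve_naive() is the classic open
redirect; resolve_signed() binds each destination to an HMAC the service
issued when it vetted the link, and re-screens it on every click.
SERVICE_HOST, the query parameter names and the key are assumptions.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

SERVICE_HOST = "https://scrub.example.test"  # assumption


def resolve_naive(click_url):
    """Vulnerable: trusts whatever the 'u' parameter says, so anyone can
    hand-build a service link that forwards to any destination."""
    qs = parse_qs(urlsplit(click_url).query)
    return qs.get("u", [None])[0]


def _sig(dest, key):
    """URL-safe base64 HMAC-SHA256 over the exact destination string."""
    mac = hmac.new(key, dest.encode("utf-8"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode("ascii")


def wrap(dest, key):
    """Issued by the service at scan time for a destination it has vetted."""
    return f"{SERVICE_HOST}/r?" + urlencode({"u": dest, "s": _sig(dest, key)})


def resolve_signed(click_url, key, is_blocked=lambda dest: False):
    """Hardened resolver.  Returns the destination only if (1) the signature
    matches the destination exactly, (2) the scheme is http(s), and (3) the
    current blocklist does not reject it.  Otherwise returns None and the
    caller should serve an error page instead of redirecting."""
    qs = parse_qs(urlsplit(click_url).query)
    dest = qs.get("u", [None])[0]
    sig = qs.get("s", [""])[0]
    if dest is None or not hmac.compare_digest(sig, _sig(dest, key)):
        return None  # forged or tampered link
    if urlsplit(dest).scheme not in ("http", "https"):
        return None  # no javascript:, data:, etc.
    if is_blocked(dest):
        return None  # vetted once, but bad now: still stop it
    return dest


if __name__ == "__main__":
    key = b"constructed-demo-key"  # assumption; a real key comes from a secret store
    good = wrap("https://vendor.example.test/invoice.pdf", key)
    forged = SERVICE_HOST + "/r?u=https://attacker.example.test/fake-captcha"
    print("naive resolves forged link to:", resolve_naive(forged))
    print("signed resolves forged link to:", resolve_signed(forged, key))
    print("signed resolves genuine link to:", resolve_signed(good, key))
```

The signature covers the destination byte for byte, so swapping the host, path or scheme inside an issued link invalidates it, and because verification happens on the service's side, the only way to get a working link to a new destination is to have the scanner vet that destination first. The `is_blocked` hook is where the anti-spam reputation check belongs, so a site that turned malicious after its link was issued is still cut off at click time.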
As a US Internet ISP and email customer for 28 years, I have to say I have NOT once had any inappropriate email activity with them or with the card I use to pay them. I will restate that they are justified in being rated as far and away the best ISP in the Twin Cities area: always fast and responsive, with a huge uptime percentage. Their fiber was easy to have installed, consistently 1Gb and very affordable, relatively. Don't paint them with a broad brush for an obscure technical failing.

Sounds naive, and even like you're trying to cover for them. It's a bad breach, and that can undo many years of good service by wrecking people's lives for years to come by the theft of their private communications.

Unfortunately it's not clear that any other service will be better. Remember, security is very, very, very hard, and attackers only have to find 1 breach, but defenders have to plug all of the breaches. It's hard.

In this case, it looks like the company probably did not do any security testing or security code reviews (which are very different from regular code reviews). Unfortunately, this is very common.

If you really want security, you are going to have to change a lot. Here are the changes we will need:

1. People are going to have to accept using simpler software which changes slowly and has far fewer features.

2. People are going to have to find a way to evaluate software's security. No one has figured this out. The security certifications are not very useful because even certified software has lots of serious security bugs.

3. Managers and executives are going to have to find a way to evaluate technical staff (software engineers, IT operations, etc.) and determine which technical people are producing more secure software and which do not care. Unfortunately, the majority of our technical workforce pays lip service to security.

4. Organizations will have to spend a lot more effort on testing security and a lot less effort on new features. Customers are also going to have to accept that the cost of security is smaller, less functional software with fewer features. It will also cost more.

I doubt that these changes will happen. Instead, I suspect we will continue on our current path because it is "good enough," i.e., people prefer cheaper software which is somewhat secure over perfect software which costs a lot more and has a lot fewer features.

"Obscure technical failing"?

Read the article.

They made public email from hundreds of clients. If YOU are OK with that, that's fine. Nobody else is. Full stop.

Stop trying to justify your friends' failure. Nobody cares if it's OK in the Twin Cities for someone to publish all their emails. You Twin Cities guys feel free to have your own standards. The rest of the world wants our data secured by those we entrust it to.

I think you don't comprehend the issue at hand if you think this is obscure. What we have is unencrypted plaintext copies of emails from vast quantities of accounts of users from all walks of life (government, private, personal) that use their service. Not just recent emails either; these are the emails going back months.

If bad actors had gotten this treasure trove, it would be a much, much worse scenario. This data in the wrong hands can wreak havoc. It's bad. I like my money, my identity and my stuff. Do you?

Did BK question their pricing, fiber install, service, uptime, etc.? No.
He said he wondered if they were slyly trying to buy his silence,
which given the circumstances would be the #1 corporate move.
It's a serious incident; plenty of obscure technical fails are that,
but who is inferring anything about their pricing, service, etc.?
It's missing the point of a security incident investigation/blog.
Nobody is questioning their customer service either way, AFAIK.
But just because trains run on time doesn't mean all is well.

As a current Securence customer, I'm disappointed that we have not received any kind of notification of the system being compromised by a bad setting or misconfiguration, etc. So the question now is what to do moving forward. What else was exposed?

Assume everything.

US Internet has quality and very affordable fiber internet with minimal overhead. I was very sad when we moved out of their coverage area. I now pay much more for much less for cable-delivered internet.

That said, this incident reflects several gaps in process, automation, basic network security and audit. The company must demonstrate both the failures and the mitigations transparently if they want to regain the trust of their customers.

This needs more attention. As Chip reports above, who pays for the notification of breach? I imagine a lazy employee was using this to access and snoop around, perhaps after they left the org. This kind of breach is awful. Imagine the intelligence day traders could be using from watching email exchanges. Imagine if this is happening elsewhere that isn't even public yet.

Anyone sending anything confidential in an email that is not encrypted is at fault for that data being breached. All email communication should be assumed not secure. So who in their right mind would be sending anything related to day trading in email? SMTP is the worst way possible to communicate securely.

First of all, it doesn't matter if the information is confidential or not. Don't be an apologist.
Second, E2E encryption is beyond most users' technical capabilities.
Third, interoperability is a huge issue.
Fourth, it isn't really feasible at scale with today's technology.

This is victim blaming at its finest. In order to intercept SMTP, you have to compromise the network it's traveling on. Client-to-server communications are ordinarily encrypted. It's true that E2E encryption is more secure, but there is no excuse for such an egregious fiduciary failure as this.

The basic fact is that data is compromised, and believing what USI individuals are now saying is also questionable. This is not only a breach of data but also a breach of confidentiality and trust. I, for one, will be assessing legal implications.

I would agree. Legal action should be taken.

Thank you, Aaron.

I'm confused why you responded to yourself as yourself.

Probably because the respondent is not the original poster, Jim.

I just realized that I read an entire article that didn't try to sell me anything. The article was full of the information that I need and didn't contain any junk that I didn't need. That is an impressive feat. Well done.

Chris, I really miss being able to sleep at night secure in the knowledge that you were minding the government information store for all of us. Thank you for everything that you did under trying circumstances.

Unreal.

Hilarious.

The worst part is many of the shmoos whose emails were compromised won't even care that much. Remember, privacy is so bourgeois. In the future you'll own nothing, have no privacy, and be happy.

Well, this isn't good.
Shucks with Hockey Pucks.
Is that PG enough? Ugh.
What's that song by Whitesnake? "Here We Go Again."
Time to move to Belize and make bird houses out of popsicle sticks, perhaps.

I had concerns about Securence email security years ago and dumped them for another provider. Now we've been notified that the messages they were supposed to have purged long ago are probably in the hands of malicious actors. This level of incompetence is appalling. It's indefensible. This is gross negligence on a scale rarely, if ever, seen. Management needs to be held fully accountable, up to and including criminal charges. I will be forwarding this to our legal team for possible action.