1(630)802-8605 Ravi.das@bn-inc.net

First, I wanted to wish everybody today a Happy Thanksgiving!  Its hard to believe that in just a matter of a few weeks, it will be time for 2019.  Since I am off from work for a few days now, I am back to my normal frequency of posting until next week.  Anyways, as I was scouring the websites of what to write about, I came across a topic that seemed kind of unique to me.

That is, the United States Postal Service.  I have always been amazed by the logistics operations of the USPS, and have always wondered how they are able to deliver from Point A to Point B without hardly any failures.  But what I think truly amazes me are the people that work for them, especially the people that deliver the actual mail.

When I was looking for a job during these last few months, I usually came into contact on a daily basis with my mail carrier.  We would engage in some casual conversation, and I always thanked him whenever I saw him every day for the hard work that they do.  We as a public, take them for granted.  But no matter how bad the weather is, they still have to come through for us every day, even when it is still subzero temperatures.

I think the worst of it came before the mid term elections.  Every day, the postal carriers had to put each and every flier in every mailbox of the candidates that would send them out.  I finally asked my postal carrier why can’t he just leave it one huge stack on the table, and let people take the fliers if they wanted to?

He said that they were not allowed to do that, it is against the policy of the USPS to do that.  I truly felt sorry for him, because it was a gargantuan waste of time.  So once again, to all of the postal carriers out there in the United States, THANK YOU VERY MUCH FOR THE HARD WORK THAT YOU DO, AND ENJOY THIS DAY WITH YOUR FAMILIES!!!

I realize I kind of got long winded here, but I had to express my gratitude’s of appreciation in a public forum.  Anyways, back to how all of this relates to Cyber security.  Apparently, as I was reading the news headline this morning, the USPS suffered a rather serious Security breach that could have impacted as many as 60 million customers.

This is not something related to credit card fraud at the Point of Sale Terminals at the many USPS branches; but rather, this breach impacted their website, especially a portal that resides from it, called the “Informed Visibility Program”.

This is an area where businesses and corporations can view and track all of the packages and mail that they send in bulk to both existing and prospective customers.  This is not just meant for casual mailings, but rather for those organizations that send things in bulk amounts, such as mass mailings.

After doing a careful investigation, it was discovered that there was a flaw in the 3rd part API that supported this specialized portal.  Believe it or not, this was discovered almost a year ago, and this allowed for the Cyber attacker to have the ability to modify or even delete an end users’ account details without their knowledge or consent.

This was accomplished by making use of the API’s wildcard search parameter. Through this, the Cyber attacker could access email addresses, usernames, user IDs, account numbers, street addresses, phone numbers, mailing campaign data, and much more.  To make matters even worse, there was no special hacking tool that was needed either in order to launch this kind of threat.

All the Cyber attacker had to was just be logged into the USPS website and have a working knowledge of how to modify the parameters of any Web Browser console (such as Edge, Chrome, Firefox, Mozilla, Safari, etc.). Apparently, after that, there were no other Logical Access Controls put into place to safeguard the information and data that resided in that specialized portal.  With just this basic access, a Cyber attacker could read, write, and even execute malicious code packages.

There have been no further details on this, and so far, the USPS has not commented on this.  It is not even known if this vulnerability has been fixed or not.

My thoughts on this?

To be honest, this is truly the first time I have ever heard or read about a Security breach at the USPS.  I never really thought of them as being a victim of a Cyber-attack, and this point only underscores just how truly vulnerable we the United States are, as an entire society.  I never really visit too often a USPS branch (except to mail in tax payments to the IRS), but whenever I have been to one, I was rather impressed to the level of Security that they do have in place.

For example, as far as I can remember, they were amongst the first to install the chip readers for credit card transactions.  And one time when I had to mail a certified letter, they had even asked to see my credit card if it had been signed or not.  I forgot to, so at first, they refused to accept it, unless I produced two other forms of identification, and signed my credit directly under the presence of a USPS supervisor.

So yes, this does all come to a total surprise to me, even that the USPS not formally acknowledged this Security Breach.  Hopefully this will all get resolved before the mad rush of the Holiday Season starts, where all of our financial information and data will be at grave risk, no matter how secure retailers try to make their systems.  After all, the Cyber attacker can and will find a way to circumvent all of that.

More specific details on this Security Breach can be seen at this link:

https://krebsonsecurity.com/2018/11/usps-site-exposed-data-on-60-million-users/