Going Postal

The expression ‘going postal’ came into being after a series of shootings in the US Postal Service in which more than 40 people were shot and killed by fellow postal employees.

Along with ‘drinking the Kool-Aid’, which refers to the 1978 Jonestown massacre in which more than 900 people committed suicide by drinking a poisonous cocktail, it is quite astonishing that these phrases have entered into fairly common use alongside many less violently themed, but equally nauseating business bs.

We can only imagine that senior types at The United States Postal Service may well themselves be ‘going postal’, probably in the direction of the application development team or third party suppliers of the Application Programming Interface (API) for its Informed Visibility service, which was created to enable access to the status of deliveries for business customers.

Unfortunately despite much testing and the identification of numerous issues, it appears that, according to the much-esteemed Brian Krebs Esq, this biggy remained unnoticed:

In addition to exposing near real-time data about packages and mail being sent by USPS commercial customers, the flaw let any logged-in usps.com user query the system for account details belonging to any other users, such as email address, username, user ID, account number, street address, phone number, authorized users, mailing campaign data and other information.

‘How many user’s data?’ 60 Million. ‘How long for?’ Over a year. ‘Anything else?’ YES! In some cases, the data could be updated. ‘Oooh’.

Will heads roll at the USPS? Time will tell.

We do know that in this age of ‘digitalisation’ (when someone knows exactly what that means, can they please clue us up), the speed of development and release of applications and APIs cannot be effectively secured using legacy, manual processes and procedures. Instead, automation is required, and fairly smart automation at that.

A reasonable approach seems to be to use tooling to:

  • Model the likely attack vectors for your application profile
  • Automatically test your code for vulnerabilities
  • Examine your code as it runs for potential breaches and stop them before they happen. This is called ‘Runtime application self-protection’ or RASP and appears to be more effective than Web Application Firewalls in many instances.
  • Assess your third party supply chain. It may be a very weak link with unnecessary broad access to your stuff.

Alongside basic hygiene such as regular patching and traditional security measures (you know, boring old plumbing like correctly configured routing and switching, Firewalls, Intrusion Prevention Systems and the like), you might just get away with it.

Unless, of course you have an account at usps.com.

Our legion of cyber security professionals would love to talk to you about your security fears, woes and ideas. Please contact us at: [email protected] or 020 7517 3900.

Idiot of the week is undoubtedly one Igor Voritinov, who faked his own death (in a particularly grizzly fashion) in 2011 for life insurance purposes, only to be captured because of recent photographs on his son’s computer. Probably not looking forward to the next 20 years, best not drop the soap.