Was VPN Used to Hack Postal Service?USPS Shutters VPN Around Same Time Breach Revealed
Did the hacker who breached the United States Postal Service computer system gain access through its virtual private network? It's unclear, but a USPS spokesman revealed the shuttering of the VPN around the same time the Postal Service acknowledged the breach.
The Postal Service on Nov. 10 said it had recently learned of a cybersecurity intrusion into some of its information systems, but provided few details about the breach. Records of more than 800,000 employees were exposed in the intrusion, USPS said (see U.S. Postal Service Confirms Data Breach). Some news reports said as many as 2.9 million customers also were affected.
As a precaution, our VPN system was not brought back up after other systems were brought back online.
The Postal Service spokesman who's handling media inquiries about the breach responded to my query, saying the VPN "did not cause the breach."
A virtual private network extends a private network across the public Internet, so in itself, a VPN cannot cause a breach. But a VPN could be a means for the hacker to gain access to the USPS computer systems.
In an e-mail exchange, I asked the spokesman: "To be clear, the hacker did not access USPS servers over the VPN, right? That has been ruled out by investigators, correct?"
His response: "The source of the attack and the way entry was gained remains under investigation and I don't have information for you to answer this question. The FBI is leading the investigation."
The FBI isn't providing specifics on the investigation, but the USPS spokesman's response suggests that investigators have not publicly ruled out the VPN as a suspected pathway for the hacker to access Postal Service IT systems.
Only a relatively few USPS employees use the virtual network, mostly administrative staff based at the USPS headquarters in Washington, many of whom telecommute a few days a week, the spokesman says. Besides the breach, were there other reasons USPS might shut down the VPN for an upgrade now? The spokesman's answer: "Not that I'm aware of."
The spokesman didn't know how the VPN, which is managed by the Postal Service's human resources department, will be upgraded. "The type of upgrades being made to VPN have not been announced yet; it may be a while before the new system is in place," he says. "... As a precaution, our VPN system was not brought back up after other systems were brought back online following the weekend work [to remediate the breach]. This is to allow for security upgrades to provide more robust security features for VPN to prevent a cyber-intrusion via this system."
How VPN Might Have Been Used
If the hacker used the VPN to breach USPS servers, how did it happen? Here's one possible scenario, as described by several networking experts:
A hacker breached an employee's computer when the device was not connected to the corporate network, and obtained the VPN credential on the employee's PC. The hacker reused the credential on a VPN client he created on his own PC. Using the pilfered credential, the hacker accessed the corporate system.
A variation of that scenario would have the hacker placing malware on the employee's computer that would enable the assailant to piggyback onto a genuine user's authenticated session to the Postal Service VPN gateway. The hacker, depending on the type of VPN session established, could potentially roam at will around the corporate network.
Also, it's unclear whether USPS requires the use of two-factor authentication to gain access to the network. According to the USPS Handbook, two-factor authentication is only required for remote access to payment cardholder information. The USPS spokesman didn't respond to a question on whether all access to the VPN requires two-factor authentication.
Union Files Charges Against USPS
The labor union representing about 200,000 postal employees has filed charges against the USPS with the National Labor Relations Board, accusing the Postal Service of not informing workers of the breach in a timely manner.
Mark Dimondstein, president of the American Postal Workers Union, says the APWU is protesting the Postal Service's failure to bargain with the union about the terms of the protections the Postal Service will offer employees, such as identity theft protection services. "We are demanding information from the USPS about the extent of the breach - both known and suspected - and what postal management knew, when they knew it and what they did or failed to do to protect employee information," he says.
Dimondstein says he was notified of the breach this past weekend. The USPS did not pinpoint when the breach occurred, but said the intrusion potentially compromised call center data for customers who contacted the Postal Service Customer Care Center with an inquiry via telephone or e-mail between Jan. 1 and Aug. 16.
The Postal Service defended the timing of its notification of the breach.
"When the Postal Service became aware of the cyber-intrusion, it immediately put a plan into effect to counter the breach and developed a comprehensive communications plan to inform our employees about the incident and about the assistance the Postal Service is providing to them," the USPS spokesman said. "Announcing the cyber-intrusion to our employees prior to Nov. 10 would have put the remediation plan in jeopardy and could have put their information at greater risk."