Border Patrol Agent Forwarded All Emails To Someone Else's Gmail; Only Discovered When 'Civilian' Responded
from the oops dept
Intercept reporter Jenna McLaughlin alerts us to a rather stunning security mistake by a Customs and Border Patrol (CBP) agent, as outlined in some DHS-released "incident reports" concerning "cloud data breaches." The very first one involves the CBP agent forwarding all of his email to a personal account, but messing up the configuration so that it actually forwarded to someone else's Gmail account (someone with a similar name) -- and this mistake was only noticed when this "civilian" responded to an email he had received via this forwarding, and the response went out to a wider mailing list of Homeland Security employees:

CBP reports that one (1) CBP user had an auto-forwarding rule set up to have emails sent externally to a civilian's personal Gmail account. There is a possibility that sensitive information, to include Personally Identifiable Information (PII), has been accidentally sent out due to this rule. The incident was discovered when a civilian responded to a CBP user's email to a distribution list of other CBP/DHS users. The CBP user noticed the civilian's Gmail address and reported it to the FTO who then reported the incident to the CBP CSIRC. Upon investigation and confirmation from EaaS, one (1) CBP Border Patrol Agent who was on the email distribution list had an auto-forwarding rule set up within their Exchange account to a non-CBP/DHS user's personal Gmail account. The name of the Border Patrol Agent and the civilian are very similar, but it was determined that the Border Patrol Agent misconfigured the rule by using the civilian's personal Gmail address instead of his own. Technical remediation will include working with the EaaS team to implement a rule to disable the auto-forwarding rule and only allow it when requests are made to the Exchange team.

The incident has been reported to the CBP Privacy Office and Joint Intake Center for action (assisting the user to have all government emails removed and confirmed).

It seems rather stunning that CBP/DHS didn't already have such a rule in place. Then again, this is Customs and Border Patrol, which has something of a history of not really giving a fuck because it can get away with doing whatever it wants and no one ever does anything about it.
Later in the same report, it is revealed that this auto-forwarding from inside DHS to private accounts happened fairly frequently. An investigation just a month after the incident above found 771 such rules set in DHS staffers' Exchange systems:

DHS SOC reports that a total of 771 rules are configured in Exchange to auto-forward emails external to DHS. DHS SOC requested and received a list of 771 automated email forwarding rules created by DHS Email as a Service (EaaS) users. Auto-forwarding or redirecting of DHS email to addresses outside of the .gov or .mil domain is prohibited and shall not be used per DHS 4300A policy, section 5.4.6.i, and poses a high risk of accidental disclosure of PII, SBU, FOUO, LES, or classified data. The incident has been reported to the Joint Intake Center (JIC). Affected Components (CBP, FEMA, DHS HQ, and DC2) are asked to identify and remediate the rules.

Not sure about you, but this doesn't make me feel much safer about DHS at all. And, remember, DHS is one of the government bodies currently looking to manage the government's cybersecurity efforts -- and it's considered the better option given just how little people trust the NSA or the FBI (the two other main contenders).
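The audit the report describes (listing every Exchange rule that forwards outside the organisation) and the remediation CBP promised (blocking auto-forwarding by default, allowing it only on request) can both be done from an Exchange PowerShell session. The script below is an added example, not code from the article, DHS or CBP; it uses standard Exchange/Exchange Online cmdlets, and the allowed-domain list (taken from the .gov/.mil policy quoted above), the CSV path and the placeholder partner domain are assumptions.

```powershell
# Added example (not from the article or from DHS). Assumes an Exchange Management Shell or
# Exchange Online PowerShell session is already connected with permission to read all mailboxes.
$AllowedDomains = @('gov', 'mil')   # policy quoted in the report: only .gov / .mil destinations are permitted

function Test-ExternalAddress {
    param([string]$Address)
    # Targets arrive in several shapes: "user@example.com", "smtp:user@example.com",
    # or '"Display Name" [SMTP:user@example.com]'. Pull out just the domain part.
    if ($Address -match '@([A-Za-z0-9.-]+)') {
        $tld = ($Matches[1].Split('.'))[-1].ToLower()
        return -not ($AllowedDomains -contains $tld)
    }
    return $false   # no SMTP address (an internal directory object): treat as internal
}

$findings = @()
foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # 1. Mailbox-level forwarding (set by the user in OWA or by an admin).
    if ($mbx.ForwardingSmtpAddress -and (Test-ExternalAddress "$($mbx.ForwardingSmtpAddress)")) {
        $findings += [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Rule = '<mailbox forwarding>'; Target = "$($mbx.ForwardingSmtpAddress)" }
    }
    # 2. Inbox rules that forward, forward-as-attachment, or redirect (the kind the CBP agent created).
    foreach ($rule in Get-InboxRule -Mailbox $mbx.Identity) {
        foreach ($target in @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)) {
            if ($target -and (Test-ExternalAddress "$target")) {
                $findings += [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Rule = $rule.Name; Target = "$target" }
            }
        }
    }
}

# Human review of the Target column is what catches the look-alike address in the article:
# the rule is syntactically fine, it just points at the wrong person.
$findings | Format-Table -AutoSize
$findings | Export-Csv -Path .\external-forwarding-rules.csv -NoTypeInformation   # assumed output path

# Block rule-based auto-forwarding to the internet for everyone (remote domain "Default"),
# so a rule that is still pointing outside the organisation is dropped rather than delivered.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# Exceptions "only when requests are made to the Exchange team": grant them per approved domain
# rather than re-enabling forwarding globally. 'partner.example' is a placeholder.
# New-RemoteDomain -Name 'ApprovedPartner' -DomainName 'partner.example'
# Set-RemoteDomain -Identity 'ApprovedPartner' -AutoForwardEnabled $true
```

The remote-domain setting stops new leaks going forward; the listing is still needed to clean up rules that already exist and to notify the owners of mailboxes that have been forwarding for some time.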
Reader Comments
Re: Re:
The DHS is apparently not as prompt about enforcing security regulations.
Re: Re:
Why were the users allowed to forward their mail, and additionally, allowed to forward to non-government/cloud services?
You see, I agree with that to some point. The government needs to communicate with the outside world at some point. I'm not sure how CBP works but they surely need to send some mail out at some point. What could be done here is to make it a whitelist system where you need to submit external mails for approval (i.e. John Doe must be contacted because of X reason, his e-mail is Y, so upon review, Y mail is allowed to communicate with that employee and that employee only). So the best alternative is to weed the stupid out and keep the system minimally workable. Maybe somebody better at security can prove me wrong?
Re: Re: Re: Forwarding mail, automatic vs manual
You cannot protect against users making stupid mistakes, but you can take away the tools that let them magnify a single stupid mistake into a huge mess.
Re:
This examination is VERY strict, and if the email you're sending even looks like it might contain something sensitive, then that email is not sent. Instead, you get a warning of the problem and are told to contact the security team to get an exception put into place if needed.
Re: Re:
Never say never.
"and if the email you're sending even looks like it might contain something sensitive"
So does it autodetect encrypted files? Even then there are ways to hide data within perfectly legitimately looking data.
Re: Re: Re:
...So does it autodetect encrypted files? Even then there are ways to hide data within perfectly legitimately looking data...
Depends on your system configuration and how good your admins are. I've lost count of how many times we had to ask for software or firmware updates to be snail-mailed on CD because our systems trash any EXE, DLL, and BIN files even if they're in a ZIP or RAR file. Any attempt to download directly does the same thing. We finally figured out that setting up a single workstation directly on the internet gateway but outside the LAN/WAN was good enough for such downloads. Once downloaded, the file(s) get put onto a CD or USB and taken to the IT folks for them to play with.
Re: Re: Re:
The purpose is to prevent accidental disclosure. It goes without saying that if someone wanted to intentionally disclose, they could.
Re:
Here's another one, why is there a system that allows auto-forwarding to a non-verified email address? That would be like allowing people to sign up for a service with any old email address and not verifying it.
Re:
oh wait, how does someone know what they DIDN'T receive again (other than the telepathy of just knowing, like knowing offensive when you see it...)
Why can't people verify email addresses before sending?
Having had an amazingly similar situation happen to me, where a non-profit organization sent a very sensitive document to me at one point by accident, and then wanted me to sign an NDA because, even though I told them I deleted the email unread, I might have seen something I shouldn't have and could have made life miserable for them (the email and its contents were deleted; I have no idea what it was), I told them full stop: they sent the email to me through no fault of my own, and I wasn't going to sign anything.
It really doesn't take that long to verify you have the right email address (and more importantly, the right domain name) for sending sensitive information. Yet they told me they were so busy they couldn't confirm the email address, and thus it was somehow my problem that they sent me what they sent me.
What is really sad is that even though they screwed up, in today's society I suspect that no good deed will go unpunished (especially given the phrasing above). The good samaritan let them know they were broken, but they discovered the problem, no thanks to the good samaritan.
organizational policies
If I forwarded those emails to my Gmail account, I do have quick and easy access.
So I'm not saying it was a good thing, but rather that there may be other things in play that made the agent forward the stuff in the first place.
And in case you are wondering, I do not forward any work email to a personal account. If a manager needs something from me during non-regular hours, he or she can call me.
Re:
Does it matter? He's a cop! A demigod!
SMTP insecure
Even when TSL is required, there's the possibility of one of the many certificate authorities that the average SMTP server trusts going rogue. Each of these weaknesses is exacerbated by a dependence on easily-spoofed DNS.
Re: SMTP insecure
That's how easy it is to do. Somewhere along in time, a lot of people decided that, for whatever reason (too busy, no time, inattention to detail, lazy, easily distracted,...), proofreading was unnecessarily costly and too much trouble.
Add to that this CBP agent also couldn't be bothered to test that his forwarding rule was actually doing what he intended. Combine those two failures and, when it finally comes a cropper, he (and his employer) get to wear egg on their faces while damage control kicks in.
TD even supplies a "Preview" button, and that malformed Three Letter Acronym (TLA) is wearing a squiggly line underneath it put there by my browser's spell-check.
Trust, but verify. Or look funny when eventually found out. :-)