Border Patrol Agent Forwarded All Emails To Someone Else's Gmail; Only Discovered When 'Civilian' Responded

from the oops dept

Intercept reporter Jenna McLaughlin alerts us to a rather stunning security mistake by a Customs and Border Protection (CBP) agent, outlined in some DHS-released "incident reports" concerning "cloud data breaches." The very first one involves a CBP agent forwarding all of his email to a personal account but botching the configuration, so that it actually forwarded to someone else's Gmail account (someone with a similar name). The mistake was only noticed when this "civilian" replied to an email he had received via the forward, and the reply went out to a wider mailing list of Homeland Security employees:
The report (shown as an image in the original post) reads:
CBP reports that one (1) CBP user had an auto-forwarding rule set up to have emails sent externally to a civilian's personal Gmail account. There is a possibility that sensitive information to include Personally Identifiable Information (PII) has been accidentally sent out due to this rule. The incident was discovered when a civilian responded to a CBP user's email to a distribution list of other CBP/DHS users. The CBP user noticed the civilian's Gmail address and reported it to the FTO who then reported the incident to the CBP CSIRC. Upon investigation and confirmation from EaaS, one (1) CBP Border Patrol Agent who was on the email distribution list had an auto-forwarding rule set up within their Exchange account to a non-CBP/DHS user's personal Gmail account. The name of the Border Patrol Agent and the civilian are very similar, but it was determined that the Border Patrol Agent misconfigured the rule by using the civilian's personal Gmail address instead of his own. Technical remediation will include working with the EaaS team to implement a rule to disable the auto-forwarding rule and only allow it when requests are made to the Exchange team. The incident has been reported to the CBP Privacy Office and Joint Intake Center for action (assisting the user to have all government emails removed and confirmed).
It seems rather stunning that CBP/DHS didn't already have such a rule in place. Then again, this is Customs and Border Protection, which has something of a history of not really giving a fuck because it can get away with doing whatever it wants and no one ever does anything about it.

Later in the same report, it is revealed that auto-forwarding from inside DHS to private accounts happened fairly frequently. A review conducted just a month after the incident above found 771 such rules configured in DHS staffers' Exchange accounts:
That report (also an image in the original post) reads:
DHS SOC reports that a total of 771 rules are configured in Exchange to auto-forward emails external to DHS. DHS SOC requested and received a list of 771 automated email forwarding rules created by DHS Email as a Service (EaaS) users. Auto-forwarding or redirecting of DHS email to addresses outside of the .gov or .mil domain is prohibited and shall not be used per DHS 4300A policy, section 5.4.6.i and poses a high risk of accidental disclosure of PII, SBU, FOUO, LES, or classified data. The incident has been reported to the Joint Intake Center (JIC). Affected Components (CBP, FEMA, DHS HQ, and DC2) are asked to identify and remediate the rules.
Not sure about you, but this doesn't make me feel much safer about DHS at all. And remember, DHS is one of the government bodies currently looking to manage the government's cybersecurity efforts, and it is considered the better option given just how little people trust the NSA or the FBI (the two other main contenders).
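Both reports quoted above describe work an Exchange administrator does from PowerShell: the first prescribes disabling auto-forwarding and allowing it only on request to the Exchange team, the second describes pulling a list of every rule that forwards mail outside DHS. What follows is an added example written for this page, not code from DHS, Techdirt or Microsoft's documentation. It assumes an Exchange Management Shell or Exchange Online PowerShell session is already open with a role that can read other users' inbox rules, that the DHS 4300A wording quoted above (only .gov and .mil count as internal) is the allow-list, and that the CSV path and transport rule name are placeholders to be changed for your own environment.

```powershell
# Added example for this page (not DHS, Techdirt or Microsoft code).
# Assumes an Exchange Management Shell / Exchange Online PowerShell session is
# already open with a role that can read other mailboxes' inbox rules.
# Internal domains per the DHS 4300A wording quoted above: only .gov and .mil.
$AllowedSuffixes = @('.gov', '.mil')

function Test-ExternalAddress {
    param([string]$Address)
    # Inbox-rule recipients come back as 'Display Name [SMTP:user@example.com]';
    # mailbox-level forwarding comes back as 'smtp:user@example.com'.
    if ($Address -match 'SMTP:([^\]]+)') { $Address = $Matches[1] }
    $domain = ($Address -split '@')[-1].Trim().ToLower()
    foreach ($suffix in $AllowedSuffixes) {
        if ($domain.EndsWith($suffix)) { return $false }
    }
    return $true
}

# ---- Audit: the "list of automated email forwarding rules" the DHS SOC requested ----
$findings = @()
foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # 1. Mailbox-level forwarding (set by an admin or through Outlook on the web options).
    if ($mbx.ForwardingSmtpAddress -and (Test-ExternalAddress ([string]$mbx.ForwardingSmtpAddress))) {
        $findings += [pscustomobject]@{
            Mailbox = $mbx.PrimarySmtpAddress; Source = 'MailboxForwarding'
            Rule = ''; Target = [string]$mbx.ForwardingSmtpAddress
        }
    }
    # 2. Per-user inbox rules, the kind the Border Patrol agent created in his own mailbox.
    foreach ($rule in Get-InboxRule -Mailbox $mbx.Identity) {
        $targets = (@($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)) | Where-Object { $_ }
        foreach ($target in $targets) {
            if (Test-ExternalAddress ([string]$target)) {
                $findings += [pscustomobject]@{
                    Mailbox = $mbx.PrimarySmtpAddress; Source = 'InboxRule'
                    Rule = $rule.Name; Target = [string]$target
                }
            }
        }
    }
}
$findings | Export-Csv -NoTypeInformation -Path '.\external-forwarding.csv'   # placeholder path
$findings | Format-Table -AutoSize

# ---- Remediation, after the list has been reviewed with the rule owners ----
# a) Disable (do not delete) each offending rule, so the owner can be shown what it did.
foreach ($f in ($findings | Where-Object { $_.Source -eq 'InboxRule' })) {
    Disable-InboxRule -Mailbox $f.Mailbox -Identity $f.Rule -Confirm:$false
}
# b) Make external auto-forwarding impossible without an exception: this is the
#    "only allow it when requests are made to the Exchange team" control in the report.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
New-TransportRule -Name 'Block external auto-forward' `
    -FromScope InOrganization -SentToScope NotInOrganization `
    -MessageTypeMatches AutoForward `
    -RejectMessageReasonText 'Automatic forwarding outside the organization is not permitted; contact the Exchange team for an exception.'
```

Run the audit half first and review the CSV with the rule owners before touching anything; enumerating inbox rules across every mailbox is slow and, in Exchange Online, subject to throttling, so schedule it rather than running it ad hoc. Two gaps a practitioner should know about: mailbox forwarding to a mail contact (the ForwardingAddress property) points at a recipient object rather than an SMTP string and is not checked here, and rules whose names collide within one mailbox need to be disabled by RuleIdentity instead of by name. The transport rule rejects messages Exchange marks as auto-forwarded no matter which mechanism produced them, and the rejection text tells the user where to request an exception, which is what turns a blanket prohibition into a process.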

Filed Under: border patrol, cbp, cybersecurity, dhs, email, email forwarding, homeland security


Reader Comments



  • Ninja (profile), 28 Aug 2015 @ 6:05am

    No amount of 'cybersecurity' legislation and software can prevent stupidity. So, uh, they should filter their candidates better? Give proper training?


    • David, 28 Aug 2015 @ 6:26am

      Re:

      I almost disagree here. Why were the users allowed to forward their mail, and additionally, allowed to forward to non-government/cloud services?


      • Anonymous Coward, 28 Aug 2015 @ 6:36am

        Re: Re:

        How dare you question authority - that's a tazing


      • Anonymous Coward, 28 Aug 2015 @ 6:40am

        Re: Re:

        It's been forbidden to forward your emails like that since at least late 2010.

        The DHS is apparently not as prompt about enforcing security regulations.


      • Ninja (profile), 28 Aug 2015 @ 7:58am

        Re: Re:

        You underestimate stupidity. You'd need an unworkable system to make it fully secure.

        Why were the users allowed to forward their mail, and additionally, allowed to forward to non-government/cloud services?

        You see, I agree with that to some point. The government needs to communicate with the outside world at some point. I'm not sure how CBP works, but they surely need to send some mail out at some point. What could be done here is to make it a whitelist system where you need to submit external mails for approval (i.e., John Doe must be contacted because of X reason, his e-mail is Y, so upon review, Y mail is allowed to communicate with that employee and that employee only). So the best alternative is to weed the stupid out and keep the system minimally workable. Maybe somebody better at security can prove me wrong?


        • Anonymous Coward, 28 Aug 2015 @ 8:13am

          Re: Re: Re: Forwarding mail, automatic vs manual

          I think grandparent is questioning why the e-mail platform allows writing a rule that automatically forwards e-mail outside the organization. Allowing a user who goes to the trouble of selecting the e-mail(s), clicking Forward To, and choosing a destination to send it wherever he/she wants, even if that destination is stupid, is comparatively fine, because we hope that the user does not routinely make the same stupid mistake as he/she forwards every e-mail of interest. On the other hand, in this case, it only took one stupid mistake, compounded by not investigating the problem when mails failed to forward to the intended Gmail address, to let an unspecified number of e-mails go to the wrong destination. Moreover, if the owner of the receiving account had been inattentive or decided not to speak up, this could have gone undetected for a long time.

          You cannot protect against users making stupid mistakes, but you can take away the tools that let them magnify a single stupid mistake into a huge mess.


        • David, 28 Aug 2015 @ 9:47am

          Re: Re: Re:

          I understand being able to forward an email, but guy has his account setup to auto-forward. That's a little different.


    • John Fenderson (profile), 28 Aug 2015 @ 7:50am

      Re:

      This could not have happened where I work, or at least it would have been detected much sooner. Here's how my employer runs company emails: if you are sending an email to a non-company address, then it goes through extra layers of scrutiny (including examining attachments to the extent of even unzipping and examining archive files).

      This examination is VERY strict, and if the email you're sending even looks like it might contain something sensitive, then that email is not sent. Instead, you get a warning of the problem and are told to contact the security team to get an exception put into place if needed.


      • Anonymous Coward, 28 Aug 2015 @ 8:29am

        Re: Re:

        "This could not have happened where I work"

        Never say never.

        "and if the email you're sending even looks like it might contain something sensitive"

        So does it autodetect encrypted files? Even then there are ways to hide data within perfectly legitimately looking data.


        • Anonymous Coward, 28 Aug 2015 @ 12:32pm

          Re: Re: Re:

          "and if the email you're sending even looks like it might contain something sensitive"

          "So does it autodetect encrypted files? Even then there are ways to hide data within perfectly legitimately looking data."

          Depends on your system configuration and how good your admins are. I've lost count of how many times we had to ask for software or firmware updates to be snail-mailed on CD because our systems trash any EXE, DLL, and BIN files even if they're in a ZIP or RAR file. Any attempt to direct download does the same thing. We finally figured out that setting up a single workstation directly on the internet gateway but outside the LAN/WAN was good enough for such downloads. Once downloaded, the file(s) get put onto a CD or USB and taken to the IT folks for them to play with.


        • John Fenderson (profile), 31 Aug 2015 @ 6:55am

          Re: Re: Re:

          "Even then there are ways to hide data within perfectly legitimately looking data."

          The purpose is to prevent accidental disclosure. It goes without saying that if someone wanted to intentionally disclose, they could.


  • David, 28 Aug 2015 @ 6:26am

    A clear case.

    Do as we say, not as we do.


  • That Anonymous Coward (profile), 28 Aug 2015 @ 6:40am

    Perhaps we should require them to do their own cybersecurity before giving them access to other people's.


  • Anonymous Coward, 28 Aug 2015 @ 6:47am

    Hell

    Well, hell, they should have just gotten their own server and put it in a bathroom or something and used that for e-mail instead of the government server. At this point in time what difference does it make?


  • Anonymous Coward, 28 Aug 2015 @ 7:31am

    Quick question, why do the people not realize their mistake when emails are not routed to their account?


    • nasch (profile), 28 Aug 2015 @ 9:56am

      Re:

      Quick question, why do the people not realize their mistake when emails are not routed to their account?

      Here's another one, why is there a system that allows auto-forwarding to a non-verified email address? That would be like allowing people to sign up for a service with any old email address and not verifying it.


    • Anonymous Coward, 28 Aug 2015 @ 1:28pm

      Re:

      I know what you mean, just last week I missed the 4 e-mails I never received and the 2 cards I didn't get in the mail...

      oh wait, how does someone know what they DIDN'T receive again (other than the telepathy of just knowing, like knowing offensive when you see it...)


      • Anonymous Coward, 28 Aug 2015 @ 1:41pm

        Re: Re:

        When an email is found in their work account that did not get to their private account, they have an indication that maybe they have not set up the forwarding properly.


      • Anonymous Coward, 28 Aug 2015 @ 2:32pm

        Re: Re:

        oh wait, how does someone know what they DIDN'T receive again
        Easy. You send a mail that you expect to be forwarded (or get someone else to do that for you, with out-of-band confirmation that they sent it). If it shows up, you know the forwarding is at least somewhat functional. If it does not, you can investigate further. This can be as easy as calling to the next desk over "Hey Joe, mail me a test message. I want to check something."


  • Anonymous Coward, 28 Aug 2015 @ 7:39am

    Just being picky...

    CBP is Customs and Border Protection - not Patrol.


    • connermac725 (profile), 28 Aug 2015 @ 7:47am

      Re: Just being picky...

      Easy mistake, as there really is not a lot of protection actually happening, so patrol sounds more accurate.


    • John Fenderson (profile), 28 Aug 2015 @ 7:52am

      Re: Just being picky...

      Patrol might be technically incorrect, but it is more accurate, in my opinion.


  • ltlw0lf (profile), 28 Aug 2015 @ 8:01am

    Why can't people verify email addresses before sending?

    The incident was discovered when a civilian responded to a CBP user's email to a distribution list of other CBP/DHS users.

    Having had an amazingly similar situation happen with me where a non-profit organization sent a very sensitive document to me at one point by accident, and then wanted me to sign an NDA because, even though I told them I deleted the email unread, I might have seen something I shouldn't have and could have made life miserable for them (the email and the contents were deleted; I have no idea what it was), I told them full stop, they sent the email to me due to no fault of my own, and I wasn't going to sign anything.

    It really doesn't take that long to verify you have the right email address (and more importantly, the right domain name) for sending sensitive information. Yet, they told me they were so busy and couldn't confirm the email address and thus it was somehow my problem that they sent me what they sent me.

    What is really sad is that even though they screwed up, in today's society, I suspect that no good deed will go unpunished (especially given the phrasing above.) The good samaritan let them know they were broken, but they discovered the problem, no thanks to the good samaritan.


  • Anonymous Coward, 28 Aug 2015 @ 8:27am

    They may want to try to avoid too many very similar e-mail addresses that can be easily and accidentally conflated.


  • Anonymous Coward, 28 Aug 2015 @ 8:28am

    At least with google, it requires you to put in a pin that was sent to the email put in for forwarding. That would have prevented the entire fiasco.


  • Anonymous Coward, 28 Aug 2015 @ 8:48am

    In other news, a CBP agent has been added to Hillary's appointed positions list.


  • Anonymous Coward, 28 Aug 2015 @ 8:56am

    organizational policies

    This is a bad idea, but being a government employee, the reason the person may have done it in the first place was to have quicker access to work stuff under the belief that such access was needed. My org does not give everyone easy access to emails... just the "leaders". However, it is highly suggested that you be able to check your email 24/7 in case a leader has something important to tell you. True, I can use VPN to access my account via a computer (and maybe my phone... never tried it), but it is not always on, and it means logging in over and over again.

    If I forwarded those emails to my gmail account I do have quick and easy access.

    So I'm not saying it was a good thing, but rather that there may be other things in play that made the agent forward the stuff in the first place.

    And in case you are wondering, I do not forward any work email to a personal account. If a manager needs something from me during non-regular hours he or she can call me.


  • Anonymous Coward, 28 Aug 2015 @ 12:36pm

    Genius can't even get a simple thing like his own e-mail address right. I wonder what else he can't do right...


    • Anonymous Coward, 29 Aug 2015 @ 7:21pm

      Re:

      "Genius can't even get a simple thing like his own e-mail address right. I wonder what else he can't do right..."

      Does it matter? He's a cop! A demigod!


  • Pronounce (profile), 28 Aug 2015 @ 2:26pm

    That Private Citizen Was Lucky

    It could have gone another way for the reporting citizen and they could have been accused of hacking a government account. Yes, most normal people know that wouldn't be true, but based on recent reports it seems that the courts are more of neophytes than the CBP.


  • Joe Random, 28 Aug 2015 @ 3:55pm

    SMTP insecure

    It's a wonder that ANY sensitive information is permitted to go out via email, since almost every server is insecure by default. It's possible to require TLS/SSL, but almost no one does this in a way that's resistant to downgrading to plaintext (see https://www.eff.org/deeplinks/2014/11/starttls-downgrade-attacks ). Default server settings also frequently do not bother to authenticate certificates, which, far too often, are self-signed or expired anyway. See also http://security.stackexchange.com/a/53237/70833 .

    Even when TSL is required, there's the possibility of one of the many certificate authorities that the average SMTP server trusts going rogue. Each of these weaknesses is exacerbated by a dependence on easily-spoofed DNS.


    • tqk (profile), 30 Aug 2015 @ 7:48pm

      Re: SMTP insecure

      Even when TSL is required ...

      That's how easy it is to do. Somewhere along in time, a lot of people decided that, for whatever reason (too busy, no time, inattention to detail, lazy, easily distracted,...), proofreading was unnecessarily costly and too much trouble.

      Add to that this CBP agent also couldn't be bothered to test that his forwarding rule was actually doing what he intended. Combine those two failures and, when it finally comes a cropper, he (and his employer) get to wear egg on their faces while damage control kicks in.

      TD even supplies a "Preview" button, and that malformed Three Letter Acronym (TLA) is wearing a squiggly line underneath it put there by my browser's spell-check.

      Trust, but verify. Or look funny when eventually found out. :-)


