Internet provider based in Minnesota US Internet Company There is a business unit called safetyspecializes in providing filtered and secure email services to businesses, educational institutions, and government agencies around the world. But until he was notified last week, US Internet had published more than a decade’s worth of his internal emails, as well as those of thousands of Security clients, on the internet in clear text to anyone with a web browser. But we made it accessible with just a click.
US Internet, headquartered in Minnetonka, Minnesota, is a regional ISP providing fiber-optic and wireless Internet services. ISP’s security division bills itself as a “leading provider of email filtering and management software, including email protection and security services for small and medium-sized businesses, large enterprises, educational institutions, and government agencies around the world.”
US Internet/Security says your email is safe. There must be no difference from the truth.
About a week ago, KrebsOnSecurity was contacted by Hold Security, a Milwaukee-based cybersecurity company.Hold Security Founder alex holden He said his researchers found public links to Internet email servers in the United States that listed more than 6,500 domain names, each containing a unique clickable link.
Only a fraction of our more than 6,500 customers trust the US Internet for email.
Drilling down into these individual domain links revealed the inboxes of each employee or user of these public websites. Some of the leaked emails date back to 2008. Others were as recent as the present.
Security customers include dozens of state and local governments, including: north carolina state government — North Carolina official website; stillwatermn.gov, City of Stillwater, Minnesota website.and cityofffredericmd.govgovernment website Frederick, Maryland.
Incredibly, this huge index of US Internet customer emails included internal messages from every current and former employee of US Internet and its subsidiaries. USI wireless. That index also included U.S. Internet messages, so CEO Travis CarterKrebsOnSecurity forwarded one of Mr. Carter’s own recent emails to Mr. Carter, requesting that he understand exactly how the company was able to screw things up so spectacularly. Added.
A US Wireless employee’s personal inbox has been published in clear text on the Internet.
Within minutes of this notification, US Internet took all public inboxes offline. Carter responded by saying his team is investigating how it happened. At the same time, he asked if KrebsOnSecurity does security consulting (I don’t).
[Author’s note: Perhaps Mr. Carter was frantically casting about for any expertise he could find in a tough moment. But I found the request personally offensive, because I couldn’t shake the notion that maybe the company was hoping it could buy my silence.]
Earlier this week, Carter responded with a very professional explanation, but ultimately it says little about why or how so many internal and customer inboxes were published in clear text on the Internet. It wasn’t explained.
“Feedback from my team was an issue with the Ansible playbook that controls the Nginx configuration of the IMAP server,” Carter said, adding that the incorrect configuration was set by a former employee and went undetected. I pointed out that. US Internet has not disclosed how long these messages have been exposed.
“The rest of the platform and other backend services have been audited to ensure the Ansible playbooks are correct,” Carter said.
Holden said it also discovered that hackers were abusing the Security link scrubbing and anti-spam service, Security. URL shield Although it looks harmless at first glance, it creates links that redirect visitors to hacked and malicious websites.
“Bad actors modify the malicious links they report to redirect to their own malicious sites,” Holden said. “This is how bad actors drive traffic to their sites and improve their search engine rankings.”
For example, shown in the screenshot directly above[Securence]Clicking on the link will take you to a website that attempts to trick visitors into allowing site notifications by disguising the request as a CAPTCHA request designed to separate humans from bots. After approving her deceptive CAPTCHA/notification request, the link redirects the visitor to a Russian internationalized domain name (рпроаг).[.]рф).
The link to this malicious and deceptive website was created using Security’s link scrubbing service. A notification pop-up was blocked when this site attempted to disguise the prompt to accept notifications as a form of CAPTCHA.
US Internet did not respond to questions about how long all internal and customer emails were exposed or when the erroneous configuration change was made. The company has not yet announced the incident on its website. The last press release on this site dates back to March 2020.
KrebsOnSecurity has been writing about data breaches for nearly 20 years, but this article easily surpasses it in terms of the level of incompetence required to let such a major mistake go unnoticed. Masu. I don’t know what the appropriate response from authorities and regulators should be to this incident, but unless they can prove that the U.S. internet has become more transparent and fundamentally revamped the way the internet works. , and until that happens, it’s clear that no one should be allowed to manage anyone’s email. safety.
