briankrebs,

Just notified a company specializing in email security that their internal email -- and that of their customers -- was sitting out on the web.

Each inbox -- whether for company customers or employees of those companies -- was viewable just by visiting a link with a web browser and clicking links. Everything was exposed in basically one big file index.

This level of ineptitude is remarkable, and somehow they have a lot of customers (think state/local govs). To their credit, they took everything offline within a few minutes of my notifying them. But their entire business schtick is about how all your email is encrypted and protected and scanned and blah blah. Meanwhile, no it's not. At all.

shalien,
@shalien@projetretro.io avatar

@briankrebs Devil's advocate: The file system is encrypted.

mitsunee,
@mitsunee@ieji.de avatar

@briankrebs "...is encrypted and protected and scanned..." stood out to me so much that I went and found the original source of a meme template just for this edit...

original source: https://theycantalk.com/post/636165692960522240/feathers

shalien,
@shalien@projetretro.io avatar

@mitsunee @briankrebs Same with "How my outlook can get encrypted email"

grepular,

@briankrebs Given that they took everything offline within minutes of you informing them, there is no reason not to name them now, as the hole is plugged. And it sounds like there is every reason to name them. The likelihood of them informing their customers is zero, so if you don't release the info, you're basically involved in a coverup, even if you don't directly benefit from it.

briankrebs,

@grepular I will write about it, but probably not for a bit yet. They asked if I did consulting, and I was momentarily flattered (that's not even something I do) until I realized the subtext and probable reason for the question. I'm still waiting for an official reply/explanation from them.

grepular,

@briankrebs That seems fair. As long as the information comes out at some point.

briankrebs,

@grepular I can say this for now. They are a mid-sized ISP and fiber provider for a specific region of the US, and they appear to have a separate business unit whose name and stated mission is to help companies do email securely and safely.

grepular,

@briankrebs Unbelievable. I look forward to reading about it.

FeralRobots,
@FeralRobots@mastodon.social avatar

@briankrebs
This is nowhere near as egregious, but for some clients, Vektron implements their corporate training services in such a way that you can not only see an employee's training history but also take training as them if you know their corporate email address. No password.

loke,
@loke@functional.cafe avatar

@FeralRobots @briankrebs To be fair, I think most employees would love it if someone took their corporate training for them. 🙂

thagomizer_,

@briankrebs please don't be fastmail….

dangillmor,
@dangillmor@mastodon.social avatar

@briankrebs How is this not fraud?

tstruthers,

@dangillmor @briankrebs if you could be charged with fraud for really insecure, misconfigured systems, then not a CISO in America would be safe. The number of IT and hosting providers who have implemented all of the security measures they say they do is shockingly small. Marketing always outpaces security, and infrastructure for that matter.

peterhoneyman, (edited )
@peterhoneyman@a2mi.social avatar

@tstruthers @dangillmor @briankrebs if they claim customers’ email is encrypted and it’s not, well, that’s fraud, innit?

hyc,
@hyc@mastodon.social avatar

@peterhoneyman @tstruthers @dangillmor @briankrebs he only said there was a big file index. Didn't say whether the individual files were encrypted or not. Not enough info given, to conclude fraud.

briankrebs,

@hyc @peterhoneyman @tstruthers @dangillmor None of the files, folders, emails or anything exposed on their website were encrypted at all. It was all plain text. List all customers. Click customer. Click current or temporary folder. Click A-Z name list. Click name. Click inbox. Behold plain text email files.

briankrebs,

@hyc @peterhoneyman @tstruthers @dangillmor I emailed the ceo because his messages were exposed too, and of course his email address.

hyc,
@hyc@mastodon.social avatar

@briankrebs @peterhoneyman @tstruthers @dangillmor ugh, that's pathetic. Esp when it's trivial to write e.g. a milter to pgp encrypt all unencrypted incoming email. The provider only needs pubkeys, can't decrypt anything once encrypted. Then you only need to trust that they're not storing a backup copy of the incoming plaintext...
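As an added illustration of the idea hyc raises above (a filter that PGP-encrypts any unencrypted inbound mail, with the provider holding only recipients' public keys), here is a sketch of the decision and MIME-wrapping logic such a filter performs. This is not hyc's code or code from any company in the thread. It uses only the Python standard library; the OpenPGP call itself is a clearly labelled placeholder (base64 in an armor frame, which is not encryption) so the block runs offline, and the key store and sample messages are constructed. A real deployment would call GnuPG at that hook, and would still have to deal with the residual plaintext copy hyc mentions (queue or backups written before the filter runs).

```python
"""Encrypt-at-ingress filter sketch: a provider holding only recipients' OpenPGP
public keys wraps each not-yet-encrypted inbound message as PGP/MIME (RFC 3156)
before it reaches the mailbox store. Standard library only; the OpenPGP step is
injected as a callable, because the MIME handling and the decision of when NOT
to re-encrypt are the parts shown here."""
import base64
from email import message_from_bytes, policy
from email.message import EmailMessage, MIMEPart
from email.utils import parseaddr
from typing import Callable

# Constructed key store: recipient address -> key identifier. Labels only; a real
# filter would hold the actual OpenPGP public keys.
RECIPIENT_KEYS = {"alice@example.invalid": "PUBKEY-ALICE (placeholder)"}

# Constructed sample messages.
SAMPLE_PLAINTEXT = (b"From: ceo@example.invalid\r\nTo: alice@example.invalid\r\n"
                    b"Subject: quarterly numbers\r\nMIME-Version: 1.0\r\n"
                    b"Content-Type: text/plain; charset=us-ascii\r\n\r\n"
                    b"The merger closes Friday. Keep this quiet.\r\n")
SAMPLE_INLINE_PGP = (b"From: bob@example.invalid\r\nTo: alice@example.invalid\r\n"
                     b"Subject: hi\r\nContent-Type: text/plain\r\n\r\n"
                     b"-----BEGIN PGP MESSAGE-----\r\n\r\nhQEMA0NvbnN0cnVjdGVk\r\n"
                     b"-----END PGP MESSAGE-----\r\n")
SAMPLE_NO_KEY = (b"From: ceo@example.invalid\r\nTo: bob@example.invalid\r\n"
                 b"Subject: hello\r\nContent-Type: text/plain\r\n\r\nPlain body.\r\n")

def is_already_encrypted(msg: EmailMessage) -> bool:
    """True for PGP/MIME, S/MIME or inline-armored PGP: those are never re-wrapped."""
    if msg.get_content_type() in ("multipart/encrypted", "application/pkcs7-mime",
                                  "application/x-pkcs7-mime"):
        return True
    return any(part.get_content_maintype() == "text"
               and "-----BEGIN PGP MESSAGE-----" in part.get_content()
               for part in msg.walk())

def to_pgp_mime(msg: EmailMessage, encrypt: Callable[[bytes, str], str],
                key_id: str) -> EmailMessage:
    """Re-wrap msg as RFC 3156 multipart/encrypted. Only the inner MIME entity
    (Content-* headers plus body) is encrypted; routing headers, notably Subject,
    stay in clear on the outer message."""
    inner = message_from_bytes(msg.as_bytes(), policy=policy.default)
    for name in list(inner.keys()):
        if not name.lower().startswith("content-"):
            del inner[name]
    if "Content-Type" not in inner:   # bare RFC 822 body: make it a MIME entity first
        inner["Content-Type"] = "text/plain"

    outer = EmailMessage(policy=policy.default)
    for name, value in msg.items():
        if not name.lower().startswith("content-") and name.lower() != "mime-version":
            outer[name] = str(value)
    outer["MIME-Version"] = "1.0"
    outer["Content-Type"] = 'multipart/encrypted; protocol="application/pgp-encrypted"'

    control = MIMEPart(policy=policy.default)        # RFC 3156 control part
    control["Content-Type"] = "application/pgp-encrypted"
    control.set_payload("Version: 1\n")
    ciphertext = MIMEPart(policy=policy.default)     # armored encrypted entity
    ciphertext["Content-Type"] = "application/octet-stream"
    ciphertext.set_payload(encrypt(inner.as_bytes(), key_id))
    outer.attach(control)
    outer.attach(ciphertext)
    return outer

def filter_incoming(raw: bytes, encrypt: Callable[[bytes, str], str]) -> tuple[str, bytes]:
    """Milter-style decision for one inbound message: (verdict, bytes to store)."""
    msg = message_from_bytes(raw, policy=policy.default)
    if is_already_encrypted(msg):
        return "pass-through", raw        # the sender's own crypto already covers it
    rcpt = parseaddr(str(msg.get("Delivered-To") or msg.get("To") or ""))[1].lower()
    key_id = RECIPIENT_KEYS.get(rcpt)
    if key_id is None:
        # No key on file is exactly where plaintext would reach disk; a deployment
        # must choose here between hold, bounce and deliver-and-flag.
        return "no-key", raw
    return "encrypted", to_pgp_mime(msg, encrypt, key_id).as_bytes()

def placeholder_armor(plaintext: bytes, key_id: str) -> str:
    """Stand-in for the OpenPGP call so this runs without GnuPG: base64 in an armor
    frame, NOT encryption. It only lets the PGP/MIME structure be exercised."""
    b64 = base64.encodebytes(plaintext).decode("ascii")
    return ("-----BEGIN PGP MESSAGE-----\n"
            f"Comment: placeholder, would be encrypted to {key_id}\n\n"
            f"{b64}-----END PGP MESSAGE-----\n")

def unwrap_placeholder(stored: bytes) -> bytes:
    """Inspection helper, inverse of placeholder_armor: returns the inner entity."""
    control, ciphertext = message_from_bytes(stored, policy=policy.default).get_payload()
    assert control.get_content_type() == "application/pgp-encrypted"
    lines = ciphertext.get_content().decode("ascii").splitlines()
    return base64.b64decode("".join(
        l for l in lines if l and not l.startswith("-----") and ": " not in l))

if __name__ == "__main__":
    for label, raw in (("plaintext", SAMPLE_PLAINTEXT), ("inline pgp", SAMPLE_INLINE_PGP),
                       ("no key", SAMPLE_NO_KEY)):
        verdict, stored = filter_incoming(raw, placeholder_armor)
        print(f"--- {label}: {verdict}\n{stored.decode()}")
```

Three outcomes matter for a defender reviewing such a design: mail that is already PGP/MIME, S/MIME or inline-armored is passed through untouched rather than double-wrapped (feeding the filter's own output back in also yields "pass-through"); mail to a recipient with no key on file is the case that decides whether plaintext ever reaches the store; and even for the encrypted case the Subject and routing headers remain readable on the outer message, so an exposed index of such a mailbox still leaks metadata.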

krupo,

@briankrebs it wasn't email but years ago I encountered a company that kept its job application system similarly unlocked online.

They ended up not only thanking me for reporting the issue but also made moves toward a job offer, but I already had something better.

nitpicking,
@nitpicking@mstdn.party avatar

@briankrebs I reported something similar back in 2016.

http://blog.nitpicking.com/2016/09/penguin-random-house-use-our-outlook-to.html?m=1

I notified Penguin Random House, but they never responded to me.

EBC,

@briankrebs In first aid, when we ask someone to describe how much pain they're in, we also ask them what their most painful experience was, for reference. So, where does this fall on your 1-10 scale of witnessed security ineptitude, and what is your 10?

dwaites,

@briankrebs they are probably referring to LUKS and conflating that with other kinds of protection that actually work against a remote attack.

chileannick,

@briankrebs oooooh Barracuda?

Jerry,
@Jerry@hear-me.social avatar

@briankrebs You not mentioning the company is already creating rumors, and possibly hurting companies that are innocent. Note the remark about atomic particles. Rumors can already be starting about Proton, unfairly perhaps.

Given that the emails may have been read by others, shouldn't their customers know about this?

Did they promise you that they would notify potentially impacted customers, or did they indicate they plan to bury this?

If they don't disclose, will you? Why wouldn't you?

I mean, I could be impacted as I use two email services promising encryption and protection and I want, I need, to know if I'm impacted. What happens next?

briankrebs,

@Jerry It's nobody I've ever heard of before, but it's probably more of a regional provider.

SpaceLifeForm,

@briankrebs

You just can't make this stuff up.

Management: Just watch.

blobster,

@briankrebs Maybe the company name relates to a kind of subatomic particle?

Viss,
@Viss@mastodon.social avatar

@briankrebs sounds like the average blackhat booth

jumbanho,
@jumbanho@mas.to avatar

@briankrebs Well, what happens if you forget your password? This way you can always look it up on the web.

briankrebs,

@jumbanho One of my favorite Richard Wright quotes: I have a very large seashell collection. I keep it scattered across lots of beaches. Maybe you've seen it.
