First we had the Gov. Palin Yahoo email break-in to teach us the vulnerabilities of weak password reset schemes. Now we have a Joe the Plumber government records snooper teaching us about proper computer account management.
The Columbus Dispatch is reporting that a state employee with access to a “test account” has been accessing Joe the Plumber’s government records:
“We’re trying to pinpoint where it came from,” she said. The investigation could become “criminal in nature,” she said. Brindisi would not identify the account that pulled the information on Oct. 16.
Records show it was a “test account” assigned to the information technology section of the attorney general’s office, said Department of Public Safety spokesman Thomas Hunter.
Brindisi later said investigators have confirmed that Wurzelbacher’s information was not accessed within the attorney general’s office. She declined to provide details. The office’s test accounts are shared with and used by other law enforcement-related agencies, she said.
Security best practices require that test accounts be removed before a system is put into production and loaded with real data. Otherwise there is no accountability to any one individual. Shared accounts such as test accounts are frequently abused precisely because they let the snooper act without being identified. The investigation should look at what other data has been snooped on using this test account. Perhaps this has been going on for a long time and no one noticed.
It is still likely that the perpetrator can be tracked down if he or she accessed the data from an internal system and the records application logged the IP address that connected to it. Even if the IP address doesn’t lead back to an individual’s computer but to a shared machine, the search will have been narrowed down greatly.
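The two steps above (scoping everything a shared test account touched, then using the logged source addresses to narrow the search) can be scripted against the records application's access log. The following is an added example, not code from the article or from any state system; the log format, account names, record ids and IP addresses are all constructed for illustration.

```python
"""Audit a records-application access log for use of shared or test accounts."""
import re
from collections import defaultdict

# Constructed sample log (hypothetical format): timestamp, account, source IP, record queried.
SAMPLE_LOG = """\
2008-10-16T09:12:03 user=jsmith src=10.20.1.15 record=DL-0004411 action=view
2008-10-16T09:13:40 user=test_ag_it src=10.20.7.88 record=DL-0018820 action=view
2008-10-16T09:14:02 user=test_ag_it src=10.20.7.88 record=VEH-771902 action=view
2008-10-16T10:01:19 user=mjones src=10.20.1.42 record=DL-0004411 action=view
2008-10-17T14:45:51 user=test_ag_it src=10.33.4.9 record=DL-0018820 action=view
2008-10-17T14:46:10 user=svc_batch src=10.20.9.1 record=DL-0000001 action=export
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) record=(?P<rec>\S+) action=(?P<act>\S+)$"
)

def parse_log(text):
    """Parse log lines into dicts; lines that do not match the expected format are skipped."""
    return [m.groupdict() for m in (LINE_RE.match(l.strip()) for l in text.splitlines()) if m]

def is_shared_account(user, patterns=("test", "svc_", "shared")):
    """Heuristic: names that look like test, service or shared accounts rather than a person."""
    return any(p in user.lower() for p in patterns)

def audit_shared_accounts(entries):
    """Per shared account: every record touched, every source IP used, and the activity window.
    This gives the investigator the full scope of access and the machines to start from."""
    report = defaultdict(lambda: {"records": set(), "sources": set(), "first": None, "last": None})
    for e in entries:
        if not is_shared_account(e["user"]):
            continue
        r = report[e["user"]]
        r["records"].add(e["rec"])
        r["sources"].add(e["src"])
        r["first"] = e["ts"] if r["first"] is None else min(r["first"], e["ts"])
        r["last"] = e["ts"] if r["last"] is None else max(r["last"], e["ts"])
    return dict(report)

def accesses_to_record(entries, record_id):
    """Every (timestamp, account, source IP) that touched one record, e.g. the snooped subject's file."""
    return [(e["ts"], e["user"], e["src"]) for e in entries if e["rec"] == record_id]

if __name__ == "__main__":
    ents = parse_log(SAMPLE_LOG)
    for acct, info in audit_shared_accounts(ents).items():
        print(acct, sorted(info["records"]), sorted(info["sources"]), info["first"], info["last"])
    print(accesses_to_record(ents, "DL-0018820"))
```

Running it against a real log would show that the same shared account reached one subject's record from two different source addresses on two days, which is exactly the scope-then-narrow trail the post describes.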
Written by: Chris Wysopal