First we had the Gov. Palin Yahoo email break-in to teach us the vulnerabilities of weak password reset schemes. Now we have a Joe the Plumber government records snooper teaching us about proper computer account management.

The Columbia Dispatch is reporting that a state employee with access to a "test account" has been accessing Joe the Plumber's government records:

"We're trying to pinpoint where it came from," she said. The investigation could become "criminal in nature," she said. Brindisi would not identify the account that pulled the information on Oct. 16.

Records show it was a "test account" assigned to the information technology section of the attorney general's office, said Department of Public Safety spokesman Thomas Hunter.

Brindisi later said investigators have confirmed that Wurzelbacher's information was not accessed within the attorney general's office. She declined to provide details. The office's test accounts are shared with and used by other law enforcement-related agencies, she said.

Security best practices require that test accounts be removed before a system is put into production and loaded with real data. Otherwise there is no accountability to any one individual. Shared accounts such as test accounts are frequently abused so that the snooper can get away undetected. The investigation should look at what other data has been snooped on using this test account. Perhaps this has been going on for a long time and no one noticed.

It is still likely that the perpetrator can be tracked down if he or she accessed the data from an internal system and the records application logged the IP address that connected to it. Even if the IP address doesn't connect back to an individual's computer but to a shared machine, the search will have been narrowed down greatly.
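The review described above, as an added example that is not part of the original post: it pulls every lookup made by a shared account out of an audit log and groups the lookups by source IP, which shows both what else the account was used to view and where the search can be narrowed. The log format, the account name `test01`, the record IDs and the IP addresses are all constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a records-application audit log (hypothetical format:
# timestamp, account, source IP, record looked up). Not real data.
SAMPLE_LOG = """\
2008-10-14T09:12:03,jsmith,10.20.1.15,REC-1001
2008-10-15T16:40:11,test01,10.20.7.44,REC-2040
2008-10-16T11:02:57,test01,10.20.7.44,REC-3317
2008-10-16T11:05:20,test01,10.20.7.44,REC-3318
2008-10-16T14:30:00,adoe,10.20.1.22,REC-3317
2008-10-17T08:01:45,test01,10.30.2.9,REC-5120
"""

# Assumption: the site keeps an inventory of accounts not tied to one person.
SHARED_ACCOUNTS = {"test01"}


def shared_account_activity(log_text, shared=SHARED_ACCOUNTS):
    """Group every lookup made by a shared account by (account, source IP)."""
    activity = defaultdict(list)
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:
            continue  # skip malformed lines rather than abort the review
        ts, account, ip, record = (f.strip() for f in row)
        if account in shared:
            activity[(account, ip)].append((ts, record))
    return dict(activity)


def sources_for_record(activity, record_id):
    """Return the source IPs from which a shared account pulled one record."""
    return sorted({ip for (_, ip), hits in activity.items()
                   if any(rec == record_id for _, rec in hits)})


def report(activity):
    """One line per (account, IP): how many lookups and which records."""
    lines = []
    for (account, ip), hits in sorted(activity.items()):
        records = ", ".join(rec for _, rec in sorted(hits))
        lines.append(f"{account} from {ip}: {len(hits)} lookups ({records})")
    return lines


if __name__ == "__main__":
    found = shared_account_activity(SAMPLE_LOG)
    print("\n".join(report(found)))
    print("REC-3317 via shared account from:", sources_for_record(found, "REC-3317"))
```

A source IP that maps to a shared machine still narrows the search to the people with physical or remote access to that machine during the logged timestamps.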

About Chris Wysopal

Chris Wysopal, co-founder and CTO of Veracode, is recognized as an expert and a well-known speaker in the information security field. He has given keynotes at computer security events and has testified on Capitol Hill on the subjects of government computer security and how vulnerabilities are discovered in software. His opinions on Internet security are highly sought after and most major print and media outlets have featured stories on Mr. Wysopal and his work. At Veracode, Mr. Wysopal is responsible for the security analysis capabilities of Veracode technology.

Comments (1)

EmmGee-Ohio | October 27, 2008 5:42 am

There is a problem with security in Lucas County. When I worked for Kelly Temporary Service, I was assigned to "check credit reports" for various banks. Where was this done? Lucas County Courthouse, 2nd floor computer. It was open to anyone, no restrictions. I'm not surprised someone can find out a lot on a person that way. I saw everything from name, address, type of criminal record, warrants, Social Security Numbers, etc.

Another possible issue with security, Lucas County keeps books of registered voters, on tables for potential voters to go through. This gives access to anyone's address and phone number. This is according to one poll worker, who made "LOVE NOTES" on said topic, to the Lucas County Elections board. This same source "Ms. Rabbit" or similar last name, kept mentioning to this media person, that nothing had changed...and polling judges had not put a stop to it.

Point being, it's too much to have this information monitored, restricted and kept on a need-to-know basis. I had to give no identifying information to use the PC, nor snoop at other people's names, as I tried to "check the correct polling station, for myself"... so to speak.

Once again, the Joe the Plumber issue is another flaw in Ohio and Lucas County's procedures, showing how corrupt the system really is.

What appalls me... "live and let live" or even agree to disagree is not a concept among some people nowadays, no matter where they stand on political issues.

For a man who claims he will run a clean campaign, his workers and followers are ruining that reputation. I as an undecided and undeclared voter see that as a turn-off.
