[ISN] Obama, Clinton, McCain Passport Breaches Expose Human, Not Tech Weakness

From: InfoSec News (alerts@private)
Date: Mon Mar 24 2008 - 10:53:34 PST


http://www.informationweek.com/news/showArticle.jhtml?articleID=206905232

By K.C. Jones
InformationWeek
March 21, 2008

Access to personal passport information from presidential hopefuls Sens. 
Barack Obama, Hillary Rodham Clinton, and John McCain may not have been 
preventable, the U.S. State Department said this week.

The incident highlights the need for greater data access controls for 
employees and contractors in the IT sector and the government.

Three State Department contractors had taken unauthorized looks at the 
electronic files of each of the candidates, although each had clearance 
to use the database, Undersecretary for Management Patrick F. Kennedy 
said Thursday. Obama's file was accessed three times: Jan. 9, Feb. 12, 
and March 14. It was disclosed later that the files of Clinton and 
McCain were also reviewed by the contractors.

Two workers were fired. State Department leaders have said they believe 
that the workers accessed the files out of curiosity. Secretary of State 
Condoleezza Rice on Friday issued an apology to Obama and Clinton and 
was scheduled to speak with McCain.

Kennedy said during a press briefing Thursday that all three people 
suspected of viewing the candidates' passport information had access to 
the database for one reason or another. He declined to state their job 
titles or explain specific functions that required the access, except to 
say that State Department workers must be able to look up information 
when people call about their passports.

"They were in a variety of functions that required them, in order to do 
their tasks, to have the access to the computer system," he said.

He also said it was impossible to provide that access and simultaneously 
deny it to prevent people from snooping for no reason. Kennedy did say, 
however, that the computer monitoring system (PDF) worked properly by 
flagging the workers' activities after the fact. That's when supervisors 
were notified and took action, he said.


The Security Technology Worked

"One thing I want to emphasize, in each of these three cases, the system 
that was set up to detect any unauthorized access of these kinds of 
records worked," Kennedy said. "These unauthorized accesses were 
detected by the State Department and they were immediately acted upon. 
In each of these cases, the unauthorized access was caught by a 
monitoring system that was tripped when, in each of these cases, an 
employee accessed the record of a high-profile individual. When the 
monitoring system is tripped, we immediately seek an explanation for the 
record access. If the explanation is not satisfactory, the supervisor is 
notified. And that is the case in each of these three individual cases."

Kennedy has acknowledged, however, that the incidents should have been 
reported higher up the chain of command by insiders. Reporters first 
brought the data breach to the attention of senior members of the State 
Department.

The Bureau of Consular Affairs is in charge of monitoring database 
access, Kennedy said.

A department spokeswoman contacted Friday did not know immediately who 
designed the database or the monitoring system, which, according to 
Kennedy, has been in place for several years. It appears unlikely that 
technology is to blame for the invasion of the candidates' privacy, 
according to Kennedy's statements. Rather, it appears that the problem 
stems from a breach of trust by three of more than 50,000 employees.

The State Department restricts access to passport records, performs 
background checks on employees and contractors, and trains workers about 
privacy policies. Each time a worker logs on to the system, the worker 
acknowledges that the records are protected by the Privacy Act and that 
they are only available on a need-to-know basis, Kennedy said. 
Transaction logs provide a record of activity.

"They were supposed to use their access to -- for the purposes of the 
task that they were assigned," Kennedy said during the briefing. "They 
violated that trust, and that is, and they were caught in the monitoring 
system that we have. When you produce, as I said earlier, when you 
produce 18 million passports a year and there are numbers of passports 
that are lost every year, people call in and ask, "Where is my passport 
in the system?"

The Office of the Inspector General is investigating the incident, and 
authorities have not ruled out involvement by the Department of Justice. 
The logical areas of examination for both entities: e-mail folders, hard 
drives, and servers, but Kennedy said he hasn't told investigators where 
to look because he doesn't tell them how to do their job.

Kennedy said that the State Department will consider whether it's 
possible to "lock out" access to high-profile individuals' records, 
while still allowing workers to respond to inquiries. The information 
contained in passport files comes from applications and may contain 
additional information gleaned from research used to determine whether 
issue the passport. It is shared with a variety of law enforcement and 
other agencies for investigation.

One of the more sensitive pieces of information contained in the file is 
a Social Security number, which can be used for identity theft or to 
access more information from other sources.


___________________________________________________      
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn 



This archive was generated by hypermail 2.1.3 : Mon Mar 24 2008 - 11:05:29 PST