Schneier on Security
A blog covering security and security technology.
« Blowback from Banning Backpacks |
| The Storm Worm »
October 3, 2007
Government Employee Uses DHS Database to Track Ex-Girlfriend
When you build a surveillance system, you invite trusted insiders to abuse that system:
According to the indictment, Robinson, began a relationship with an unidentified woman in 2002 that ended acrimoniously seven months later. After the breakup, federal authorities allege Robinson accessed a government database known as the TECS (Treasury Enforcement Communications System) at least 163 times to track the travel patterns of the woman and her family.
What I want to know is how he got caught. It can be very hard to catch insiders like this; good audit systems are essential, but often overlooked in the design process.
Posted on October 3, 2007 at 3:02 PM
• 14 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
It'd be comforting to think that his activity tripped an alarm and attentive system administrators detected the unusual behavior, wouldn't it? However, since this is a government database such an outcome is unlikely.
No doubt he acted on the information he uncovered somehow - tipping off the ex-girlfriend. She may have been previously aware of the surveillance possibilities of his job (as mid-level insiders with his access often like to brag about it.) She figured it out based on his subsequent behavior, lawyered up, and they looked into allegation. Yay, the system works!
He got CAUGHT ?
You call after AT LEAST __ 163 __ violations "getting caught" ??
I think 'blabbing to his boss that he was tracking his ex-girlfriend using the 'puter' has been misconstrued as "getting caught".
Alternatively, what kind of system, process or procedure only catches people after ""AT LEAST"" 163 SUCCESSFUL abuses !!??
The (other) question which comes to my mind is: how much information did the TECS system deliver? What does it do, and how does it get its data?
One would infer that, if it can deliver tracking information on a random individual (albeit one associated with an insider), it can do so for any member of the population.
What Trichinosis said... abuse of these sort of databases, particularly by LE personnel, is quite common, because even if there are logs (which there usually aren't), no one is looking at them. I'm personally aware of several cases of abuse, as well as of threatened abuse, of such systems.
No doubt the people who are getting caught are the borderline nut jobs who make easily traceable threats, shoot their mouths off, etc.
Abuse of access to privileged data is not a new problem.
Perhaps these agencies should look at the solutions deployed by Hospitals and related IT groups in response to HIPAA, where all access to patient data is logged and reported.
I know of multiple incidents where medical staff have been summarily terminated for viewing patient medical records that they had no business accessing. Why can't LE do the same?
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.