Author Topic: Fire with fire - Open Records Act  (Read 2457 times)

infosec
Fire with fire - Open Records Act
« on: October 10, 2013, 02:33:18 PM »
Hey all, I am an information security professional and have been exposed to many situations where I've seen how organizations react to public information requests.  While I'm sure many of you have varying opinions on laws like the Open Records Act, I haven't seen anyone pose the idea of getting some of our heads together to either answer some questions or perhaps gain a bit of leverage or influence.  The way I see it, government agencies don't do much to be proactive in protecting citizens' information, but I have seen them get proactive as a result of someone "poking" around asking for particular pieces of information, especially reporters.  One of the things I have used when presenting municipalities with compelling arguments to protect certain pieces of information is posing the question to them: "What would happen if the media made a public information request for these records?"  Most often, and sadly, this tends to be one of the most compelling arguments for motivating municipalities to keep information accurate and confidential.

I wanted to generate a bit of discussion to evaluate how legal means, such as making public information requests, might help motivate organizations to operate a little more acceptably.  It might even prompt some form of change.  It would certainly send a message that there are members of the public interested in what they are doing, and in my experience, they seem to operate under the impression that most of what they do goes completely unnoticed.  While a reporter asking for some information might indicate someone is trying to do a story or run a smear campaign, I think if multiple heads were put together, like in a forum such as this, we could probably come up with some really good requests to send to municipalities that might actually cause them to pay attention to things that they should. 

For example, if an organization is handling protected health information as defined in HIPAA/HITECH (and just about every employer is), then it is required to keep an information security policy.  It is also required to document procedures, such as how it handles encryption of sensitive data at rest.  Since procedures are not exempt from open records requests in the state of Texas, every city should logically be able to produce a document in response to a request for that procedure.  This is not the best example, but I'm sure that if we get some heads together, especially with some of you folks who are knowledgeable in other areas of operation, there is potential for some interesting requests.  People do not use those requests enough, in my opinion.

Now, from the attacker's viewpoint: I would gladly make use of open records requests to conduct recon of a government organization.  You can actually build a strong portfolio of information just from council meeting minutes, such as what versions of software they are upgrading to, or how often they replace their computers.  Are there any configuration standards that illustrate what the attack surface would look like from inside their network?  Are they contracting with any agencies for services that might expose the organization?  Who are they hiring to do their document destruction?  Could I dress like one of those employees and walk right out with a locked recycle bin labeled "to shred"?  You get the idea.  That said, I'm not interested in mobilizing any brains on attacking a government organization or any kind of rebellion or that sort of thing.  I'm just wondering if there would be a benefit in more organized thought surrounding how we could use these requests to get answers to a lot of the unknowns that we seem to face with how our "transparent" government is operating.
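The recon angle in the post above (software versions, contracted vendors and hardware refresh cycles pulled out of council minutes) can be shown with a small extractor. This is an added example and not code from the original poster; the minutes text is constructed sample text, not a real record, and the product-name list, corporate-suffix list and the `ReconReport`/`extract_recon` names are assumptions made for illustration. It runs offline on the embedded sample.

```python
"""Added example (not from the forum post): pull recon-relevant facts out of
public meeting minutes. All patterns and names here are illustrative assumptions."""
import re
from dataclasses import dataclass, field

# Constructed sample minutes, written in the style the post describes. Not a real record.
SAMPLE_MINUTES = """\
City Council Regular Meeting - Minutes (constructed sample)
Item 4. IT Director reported the migration from Windows Server 2003 to Windows Server 2008 R2
will complete by March. Exchange 2007 remains in service pending budget approval.
Item 5. Council approved a three-year contract with Acme Shredding, LLC for document destruction
services at all city facilities.
Item 6. Approved purchase of 120 desktop computers; the IT Director noted desktops are
replaced on a five-year cycle.
Item 7. Renewed agreement with Example Managed Services, Inc. for after-hours help desk
support, including remote access to city workstations.
"""

# Product names followed by a year/edition ("2008 R2") or dotted version ("11.2").
# Assumed product list; "Windows Server" is listed before "Windows" so the longer
# alternative wins.
PRODUCT_RE = re.compile(
    r"\b(Windows Server|Windows|Exchange|SQL Server|Office|SharePoint|Oracle)"
    r"\s+(\d{4}(?:\s+R2)?|\d+(?:\.\d+)*)\b"
)
# Capitalised organisation name ending in a corporate suffix, optionally followed by
# "for <contracted service>" up to " at " or the end of the sentence.
VENDOR_RE = re.compile(
    r"\b((?:[A-Z][\w&-]*,?\s+){1,4}(?:LLC|Inc\.|Corp\.|Ltd\.))"
    r"(?:\s+for\s+(.+?)(?=\s+at\b|[.;]))?"
)
# "<asset class> ... replaced ... <N>-year cycle" within one sentence.
REFRESH_RE = re.compile(
    r"\b(desktops?|laptops?|servers?|workstations?)\b[^.]*?\breplaced\b[^.]*?"
    r"\b(\w+)-year cycle\b",
    re.IGNORECASE,
)


@dataclass
class ReconReport:
    software: list = field(default_factory=list)        # e.g. "Windows Server 2008 R2"
    vendors: list = field(default_factory=list)         # (vendor, contracted service)
    refresh_cycles: list = field(default_factory=list)  # (asset class, cycle length)


def extract_recon(minutes: str) -> ReconReport:
    """Scan minutes text and return the facts an attacker would note for later."""
    # Collapse the line wrapping that PDF/HTML exports of minutes usually carry.
    text = " ".join(minutes.split())
    report = ReconReport()

    seen = set()
    for m in PRODUCT_RE.finditer(text):
        name = f"{m.group(1)} {m.group(2)}"
        if name not in seen:          # keep first-seen order, drop repeats
            seen.add(name)
            report.software.append(name)

    for m in VENDOR_RE.finditer(text):
        report.vendors.append((m.group(1), (m.group(2) or "").strip()))

    for m in REFRESH_RE.finditer(text):
        asset = m.group(1).lower().rstrip("s")   # normalise "desktops" -> "desktop"
        report.refresh_cycles.append((asset, m.group(2).lower()))

    return report


if __name__ == "__main__":
    r = extract_recon(SAMPLE_MINUTES)
    print("Software in use / being deployed:", r.software)
    print("Third parties with access or custody:", r.vendors)
    print("Hardware refresh cycles:", r.refresh_cycles)
```

Each bucket maps to one of the questions in the post: the software list gives version targets, the vendor list gives the document-destruction and remote-support relationships, and the refresh cycle hints at how old the fleet is at any given time. The regexes are deliberately narrow; against real minutes you would widen the product and suffix lists to match the jurisdiction's wording.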