LUWS Account Security Breach

[LakeyTW]

In addition to disabling the account, (and removing directory
information, if you suspect physical harm) there is a way
to give her an account if she really, really needs one.

The admin could use a highly inactive member's credentials to
set her up an account. I would completely recommend
against this option - but it is a possibility. If taken, the
admin would need to NEVER release the MRN or other info
to anyone, so as not risk further release of confidential information.

- Atticus

This should NEVER be done. Members should not utilize other members data to create accounts.

[LakeyTW]

If the impostor is a "stalker," the information from LUWS can be used to create plausible fictitious lies in order to gain the confidence of the victim.

If the impostor is an "abuser," the information from LUWS can be used to stay connected with the victim, even when the victim wanted no further contact.

Wherever the victim moved, the impostor would be able to maintain control. Just knowing the ward could be enough information for the impostor to gain the confidence of the victim's bishop or fellow ward members.

The specific details of this situation are best left for others to handle. It suffices that we have detected the security breach and we are now working to remedy it, if possible.

Please contact me ASAP. I have sent you my contact information via private message.

[russellhltn]

Or maybe one of the Ward Website Administrators.

I thought about that, but the LDS Account is a centralized account that provides access to many different functions, some of which could be very sensitive. The LUWS is only one of those functions. It is never good security design to allow an individual to maintain functionality that grants access to secure information beyond that individual's trust domain or responsibility.

I hate to put more work on a bishop. What about a ward clerk? They have access to the information and can confer with the bishop as needed. They'd probably be the ones having to tell the bishop how to do it.

[russellhltn]

The admin could use a highly inactive member's credentials to set her up an account. I would completely recommend against this option - but it is a possibility

Theoretically possible, but quite unethical. No doubt it will just lead to problems later. To begin with, you'll look like the bad guy instead of someone trying to work around another bad guy.

[dmaynes]

I hate to put more work on a bishop. What about a ward clerk? They have access to the information and can confer with the bishop as needed. They'd probably be the ones having to tell the bishop how to do it.

I'm sure that if the suggested "LOCK" mechanism is implemented that a reasonable procedure can be created. I currently have over 100 members enrolled for the website and I do not believe there is another situation like this brewing in my ward. While it is dangerous to extrapolate from one ward to every ward, I would venture to say that the "LOCK" mechanism would be needed only occasionally.

If I am right about occasional need, the big challenge is training and making people aware of a specialized procedure, not the hourly or manpower requirement.

How will the local leadership know that such a procedure exists?
How easy or hard would it be to manage?

It might be best to consolidate this at the Stake level. That presents its own challenges. Within my stake, website usage is low (except with my ward). Thus, our STS is not involved with the websites. I believe that a high councilor is assigned as the stake website administrator.

I think the first security improvement that should be implemented is not technical. The first improvement that should be made is procedural and people-based. It is important to provide website administrators with more information about security, why it is important, and how to recognize a security breach. I should have recognized this security breach a lot sooner than I did.

Good security always starts with trained people.

Thanks,
Dennis

[russellhltn]

I should have recognized this security breach a lot sooner than I did.

Short of doing your own membership audit, how so?

[dmaynes]

Short of doing your own membership audit, how so?

1. The e-mail address of the impostor included the first name of the impostor and it was obvious that the name did not belong to the ward member. By itself, that should have prompted me to start a casual conversation about the ward website with the member.

2. I have been thinking that I need to do an "e-mail acknowledgment" survey. Any person who does not acknowledge receipt of the e-mail may no longer control their e-mail address. A valid, but inactive, e-mail address may pose a security risk. For example, the e-mail box of a departed employee may be monitored by the IT department.

3. This particular website account was set up for the e-mail address to be private and for no e-mail broadcasts to be received. While that does not suggest a security problem, it is very unusual. I think I have only one or two other accounts like that in my ward. I can confirm this supposition quite quickly, and I should do that.

4. I have confirmed a large number of e-mail addresses through enrollment, so I know they are valid. This particular e-mail address already existed when I started maintaining the website. It was sort of "inherited." I'm finding more problems with e-mail addresses when members move in, than for members that have been in the ward for a while or for members where I have had interaction (As I learn about other problems, I clean them up... so in some degree or another, I have validated most of the e-mail addresses for members in my ward).

Each of the above are important factors that can help maintain the website and its security.

Thanks,
Dennis

[dmaynes]

This particular website account was set up for the e-mail address to be private and for no e-mail broadcasts to be received. While that does not suggest a security problem, it is very unusual. I think I have only one or two other accounts like that in my ward. I can confirm this supposition quite quickly, and I should do that.

This is a little off-topic, but I performed the check. I found that 11% of the website accounts are set to receive no e-mail (except the broadcast to all accounts). It was enlightening because e-mail settings appear to be very wrong for several accounts (e.g., one high priest and his wife receive e-mail for the Young Single Adults, but not the High Priests or the Relief Society).

[russellhltn]

I found that 11% of the website accounts are set to receive no e-mail (except the broadcast to all accounts).

How are you doing this? The only way I know is to draft a broadcast email and then record all the results. I'm not sure if it's still true, but I seem to remember that only showed the first 100 addresses.

[lajackson]

one high priest and his wife receive e-mail for the Young Single Adults, but not the High Priests or the Relief Society

One of our YSA advisor couples has theirs set this way. It keeps them up with the single member stuff, and they don't worry about HP and RS things.