Interesting People mailing list archives
IRS Workers Prone to Hackers
From: David Farber <dave () farber net>
Date: Thu, 17 Mar 2005 06:54:44 -0500
------ Forwarded Message From: kelley <kelley () rakfoundry com> Date: Thu, 17 Mar 2005 05:20:02 -0500 To: <dave () farber net> Subject: IRS Workers Prone to Hackers Dave, It's not as easy to social engineer passwords out of IRS employees as it used to be! Just thought I'd give you the good news first! Kelley Ink Works: Security awareness training and more! http://www.inkworkswell.com +1 (727) 942-9255 ---------- http://www.sfgate.com/cgi-bin/article.cgi?file=/news/archive/2005/03/16/nati onal/w162055S07.DTL Auditors Find IRS Workers Prone to Hackers - By MARY DALRYMPLE, AP Tax Writer Wednesday, March 16, 2005 (03-16) 19:59 PST WASHINGTON, (AP) -- More than one-third of Internal Revenue Service employees and managers who were contacted by Treasury Department inspectors posing as computer technicians provided their computer login and changed their password, a government report said Wednesday. The report by the Treasury Department's inspector general for tax administration reveals a human flaw in the security system that protects taxpayer data. It also comes on the heels of accounts of thieves' breaking into computer systems of private data suppliers ChoicePoint Inc. and LexisNexis. The auditors called 100 IRS employees and managers, portraying themselves as personnel from the information technology help desk trying to correct a network problem. They asked the employees to provide their network logon name and temporarily change their password to one they suggested. "We were able to convince 35 managers and employees to provide us their username and change their password," the report said. That was a 50 percent improvement when compared with a similar test in 2001, when 71 employees cooperated and changed their passwords. "With an employee's user account name and password, a hacker could gain access to that employee's access privileges," the report said. "Even more significant, a disgruntled employee could use the same social engineering tactics and obtain another employee's username and password," auditors said. With some knowledge of IRS systems, such an employee could more easily get access to taxpayer data or damage the agency's computer systems. Employees gave several reasons for complying with the request, in violation with IRS rules that prohibit employees from divulging their passwords. Some said they were not aware of the hacking technique and did not suspect foul play, or they wanted to be as helpful as possible to the computer technicians. Some were having network problems at the time, so the call seemed logical. Other employees could not find the caller's name on a global IRS employee directory but gave their information anyway. Some hesitated but got approval from their managers to cooperate. Within two days after the test, the IRS issued an e-mail alert about the hacking technique and instructed employees to notify security officials if they get such calls. The agency also included warnings into its mandatory security training. http://www.inkworkswell.com "Be a scribe! Your body will be sleek, your hand will be soft. You are one who sits grandly in your house; your servants answer speedily; beer is poured copiously; all who see you rejoice in good cheer. Happy is the heart of him who writes; he is young each day." --Ptahhotep, Vizier to Isesi, Fifth Egyptian Dynasty, 2300 BC ------ End of Forwarded Message ------------------------------------- You are subscribed as lists-ip () insecure org To manage your subscription, go to http://v2.listbox.com/member/?listname=ip Archives at: http://www.interesting-people.org/archives/interesting-people/
Current thread:
- IRS Workers Prone to Hackers David Farber (Mar 17)