Interesting People mailing list archives

IRS Workers Prone to Hackers


From: David Farber <dave () farber net>
Date: Thu, 17 Mar 2005 06:54:44 -0500


------ Forwarded Message
From: kelley <kelley () rakfoundry com>
Date: Thu, 17 Mar 2005 05:20:02 -0500
To: <dave () farber net>
Subject: IRS Workers Prone to Hackers

Dave,

It's not as easy to social engineer passwords out of IRS employees as it
used to be! Just thought I'd give you the good news first!



Kelley

Ink Works: Security awareness training and more!
http://www.inkworkswell.com
+1 (727) 942-9255

----------

http://www.sfgate.com/cgi-bin/article.cgi?file=/news/archive/2005/03/16/national/w162055S07.DTL


Auditors Find IRS Workers Prone to Hackers
- By MARY DALRYMPLE, AP Tax Writer
Wednesday, March 16, 2005

(03-16) 19:59 PST WASHINGTON, (AP) --

More than one-third of Internal Revenue Service employees and managers who
were contacted by Treasury Department inspectors posing as computer
technicians provided their computer login and changed their password, a
government report said Wednesday.

The report by the Treasury Department's inspector general for tax
administration reveals a human flaw in the security system that protects
taxpayer data.

It also comes on the heels of accounts of thieves' breaking into computer
systems of private data suppliers ChoicePoint Inc. and LexisNexis.

The auditors called 100 IRS employees and managers, portraying themselves
as personnel from the information technology help desk trying to correct a
network problem. They asked the employees to provide their network logon
name and temporarily change their password to one they suggested.

"We were able to convince 35 managers and employees to provide us their
username and change their password," the report said.

That was a 50 percent improvement when compared with a similar test in
2001, when 71 employees cooperated and changed their passwords.

"With an employee's user account name and password, a hacker could gain
access to that employee's access privileges," the report said.

"Even more significant, a disgruntled employee could use the same social
engineering tactics and obtain another employee's username and password,"
auditors said.

With some knowledge of IRS systems, such an employee could more easily get
access to taxpayer data or damage the agency's computer systems.

Employees gave several reasons for complying with the request, in violation
of IRS rules that prohibit employees from divulging their passwords.

Some said they were not aware of the hacking technique and did not suspect
foul play, or they wanted to be as helpful as possible to the computer
technicians. Some were having network problems at the time, so the call
seemed logical.

Other employees could not find the caller's name on a global IRS employee
directory but gave their information anyway. Some hesitated but got
approval from their managers to cooperate.

Within two days after the test, the IRS issued an e-mail alert about the
hacking technique and instructed employees to notify security officials if
they get such calls. The agency also included warnings in its mandatory
security training.



http://www.inkworkswell.com

"Be a scribe! Your body will be sleek, your hand
will be soft. You are one who sits grandly in your
house; your servants answer speedily; beer is poured
copiously; all who see you rejoice in good cheer.
Happy is the heart of him who writes; he is young
each day."

                  --Ptahhotep, Vizier to Isesi,
                    Fifth Egyptian Dynasty, 2300 BC


------ End of Forwarded Message



Archives at: http://www.interesting-people.org/archives/interesting-people/

