Interesting People mailing list archives

Over 2000 Oregon taxpayers tax info victim to keylogging trojan on system for 8 DAYS


From: David Farber <dave () farber net>
Date: Thu, 15 Jun 2006 14:28:33 -0400



Begin forwarded message:

From: Ethan Ackerman <eackerma () u washington edu>
Date: June 15, 2006 2:16:42 PM EDT
To: David Farber <dave () farber net>
Subject: Over 2000 Oregon taxpayers tax info victim to keylogging trojan on system for 8 DAYS

(glad you're not Oregonian? me too, but I'm sure security is no better
at <insert your state here>)

http://katu.com/stories/86791.html
and
http://www.oregon.gov/DOR/webtrojan.shtml

Let's count known security failures...

This computer had tax info (1) associated with personal information
like names and SSNs and addresses rather than disintermediated, (2)
unencrypted on a computer that was (3) connected to the general
internet (4) without effective access or copy or user restrictions for
those files, on a computer (5) without effective/properly
configured/antivirus or firewall software**.  In addition, the (6)
computer and its (7) administrators lacked _effective_ breach
monitoring systems to even know something wrong had happened in a
timely manner, much less (8) restrict outbound info in the meantime.

(The news article says it took _8 DAYS_ for the DoR to make the leap
from 'improper use' to 'oops, information went out.'  One can only
dread how much longer it took them to conclude that maybe it should be
unplugged to contain the damage.)

And because security isn't just preventive, but also cleaning up
after, and learning from, breaches - the picture gets worse...

The DoR response: (1) Non-business-related internet use is now prohibited.
-my comment- SO WHAT? Visiting pron sites was prohibited before too -
the DoR release says that's why they fired the employee - but 'office
policy' restricting sites didn't seem to prevent this from happening.
(2) we'll evaluate our systems
-What this is code for, I don't know - hopefully something good will come of it.
(3) that's all.
Seriously - DoR's own website says those are the only steps it is taking.
They list or reference several steps they AREN'T taking which would
seem to be effective - switching away from SSN overuse or
disconnecting/restricting tax-info-containing computers from the
general internet/other agencies/the IRS's computers.

Their customer-side damage control looks to be a little better - they
are sending out letters (a month later), and recommending citizens
monitor their credit reports with hints that they might arrange credit
monitoring for victims.

But this line about the letters is probably the worst on the whole site:
"If you have not received or do not receive a letter, it means that
your information was not compromised."

Or, that you just didn't receive a letter...  Or that your info WAS
compromised and we just don't know it.... etc.


**To be fair, DoR says the trojan was so new that its antivirus vendor
hadn't yet "written a filter for it" - an assertion yet to be
verified...
It should also be noted that the detection of keyloggers is often
trivial, even if the particular trojan they came in on isn't.

