Slashdot Mirror


IRS Employees Fall For Hackers

linuxwrangler writes "Treasury department auditors recently posed as network technicians and attempted to get IRS employees to reveal their usernames and passwords and/or change the password to one suggested by the "technician". The result: over one-third shared their passwords. If there is any good news in the story it is that the 35% figure represents a substantial reduction from the 71% who fell for the ruse in 2001."

279 comments

  1. Social Engineering is the biggest problem by suso · · Score: 5, Insightful

    Just like I always say. Social Engineering is the biggest security problem nowadays. Maybe this time it showed a decrease in the people who fell for the attack, but I bet that if the Auditors increased the sophistication of their ruse, that they would actually increase the amount who fell for it.

    1. Re:Social Engineering is the biggest problem by LewsTherinKinslayer · · Score: 5, Insightful

      Social Engineering has always been the biggest problem. There is no such thing as perfect security when too many people are in the know, or have some sort of access.

      No matter how good an encryption system is, it's obviously going to fail if the person breaking in has the right information.

    2. Re:Social Engineering is the biggest problem by game kid · · Score: 2, Insightful

      Absolutely; it's too easy to fool someone to do something like make someone change their password this way, simply because people are nervous about their computers and they'd obey anyone who sounds technical enough. It's like people need a minimum Bachelor's in CS* to live in this age.

      *not that said degrees are/are not useful, just that lots of people need to learn a lot about computers and scams like this. Now.

      --
      You can hold down the "B" button for continuous firing.
    3. Re:Social Engineering is the biggest problem by yuriismaster · · Score: 4, Insightful

      I think they should take any person who fell for this and instantly can them. I mean, unless the Auditors used the Tech Line's desk number, any (semi-intelligent) IRS employee would feel a little cautious. Their job is VERY important, and any security breach spells disaster.

      I think there should be a memo at every single person's desk: "Never give out your password or credit card number in a phone call." (Quick play on MSN's security warning..)

      Besides, any admin worth his salt will reset a user's password and tell him to change it instead of telling him to change it to what the admin wants.

      I hate stupid people...

    4. Re:Social Engineering is the biggest problem by suso · · Score: 5, Insightful

      Right, but it also *seems* (I have no fact to back up this claim) that social engineering is the least worried about security vulnerability.

      I was however pleasantly surprised recently when going to a gas station, paying at the pump, the receipt didn't print out and when I went inside the cashier actually asked me for the last name on the card instead of just handing me the receipt. I almost offered him a job.

    5. Re:Social Engineering is the biggest problem by LewsTherinKinslayer · · Score: 4, Insightful

      that social engineering is the least worried about security vulnerability.

      That's an excellent point. I'd say perhaps that instead of being least worried about, it's more likely the most overlooked. When you think of stopping hackers, most people picture a firewall program and router. Not their telephone and a random IT department problem.

    6. Re:Social Engineering is the biggest problem by dezcola · · Score: 5, Interesting

      The first time I saw Social Engineering on the big screen was when Matthew Broderick got himself sent to the principal's office just so he could get the weekly password. That movie came out in 83 and the idea wasn't new then.

    7. Re:Social Engineering is the biggest problem by SteelV · · Score: 1

      "...I bet that if the Auditors increased the sophistication of their ruse, that they would actually increase the amount who fell for it."

      You think? Of course, the more "sophisticated the ruse" is, the more people will fall for it. That's what worries me. If 30% fall for this, then what about the key employee who will be tricked by a deceptive criminal who is focusing all his attention on tricking that one person?

    8. Re:Social Engineering is the biggest problem by Elminst · · Score: 3, Insightful

      I believe this is how the "most famous hacker ever" (mitnick) got into most of the systems.
      It's been proved time and time again that it is so much easier to just walk up and ask for a password than to try and crack it.

      1024-bit encryption doesn't prevent a helpful secretary with her password on a post-it note stuck to the front of her monitor.

      --
      No unauthorized use. Trespassers will be shot. Survivors will be shot again.
    9. Re:Social Engineering is the biggest problem by caino59 · · Score: 0, Troll

      yea - fuck that - i work in support and hate dealing with assholes that think they know our system and everything else b/c they have a masters or, even worse - a doctorate, in a computer related field.

      The best is, after they try and berate you and make asses out of themselves, you ask them what their IP address is now (after you walked them through checking what it was before) and they 'forget' how to get there.

      fucking assholes.

    10. Re:Social Engineering is the biggest problem by Mistlefoot · · Score: 1

      What is a disgrace is that with 71% of users falling for this 4 years ago they haven't audited again for it in the interim.

      Did they not think that there was a potential security risk here?

    11. Re:Social Engineering is the biggest problem by forkazoo · · Score: 5, Interesting

      I worry about it all the time. My users constantly volunteer their passwords when I don't ask for them. If they know I am going to use their computer to install a printer driver or something, many will write their password on a sticky note for me, "just in case."

      Our receptionist will buzz anybody into the office if they ask. After work one day, she admitted she felt bad not knowing anybody's name because she's new, and didn't want anybody to realise she didn't know them, so she buzzes everybody in.

      So, any random person could compromise my whole network by knowing only a few words of english. "Can you buzz me in?" and it doesn't matter what they say for the second part, because you can trust anybody in the building because you "need key card access," and the users will volunteer their password to anybody they think they can trust. ::sigh:: I spend more time worrying about spyware, though.

    12. Re:Social Engineering is the biggest problem by slittle · · Score: 4, Interesting

      Firewalls and routers are technological solutions - throw money at the problem and it goes away.

      The problem with social engineering is that before the users can be given a clue, management has to get one.

      And they can't just buy it in a shrinkwrapped package from $VENDOR, they'd have to admit (to the entire company) they don't know something and be educated. But they're not going to do that, nor will they defer to the experts they (should have) employed to handle it without managerial fiddling. Therefore the problem doesn't exist, mmkay?

      --
      Opportunity knocks. Karma hunts you down.
    13. Re:Social Engineering is the biggest problem by Anonymous Coward · · Score: 0

      And it's not just in your local IT department. If you thought cross site scripting was bad, try this on:

      1. Key to safety deposit box stored in desk drawer just 8 steps off the elevator to your floor that is sometimes not locked because someone forgot.

      2. Bank with matching safety deposit box will sometimes not check the person's ID when visiting, just have them sign (another bank I know of just lets you walk in the vault).

      3. Take backup tape from vault, copy, return to vault.

      4. Return key to desk drawer.

      5. Wait a few months so that the vault video tape is destroyed.

      6. During these few months, run jack the ripper on passwd file that was on the backup tape.

      7. Use passwords from step 6 to login to account(s)

      All first six steps without even talking to anyone at the company or hacking their servers or having any record of doing first 6 steps.

      Sad, just sad. Fortunately, the key is now kept in a much safer place, but the bank is still as stupid as hell.

      Posted anonymously to protect myself from DMCA and other bullshit.

    14. Re:Social Engineering is the biggest problem by Anonymous Coward · · Score: 0

      I'm sure he's making more there than any so-called 'security engineer' (what a joke job).

    15. Re:Social Engineering is the biggest problem by RodgerDodger · · Score: 2, Funny

      You need to fool people? Hah! 70% of people would give away their password for a block of chocolate!

      --
      "Software is too expensive to build cheaply"
    16. Re:Social Engineering is the biggest problem by T-Ranger · · Score: 4, Interesting

      I suppose it depends on what level of security you are dealing with. In 2005, on Slashdot, security might only mean computers, but it's more general than that. The good counterexample would be that of Alan Turing. While he was not hacked, the powers believed he could be, and thus he was stripped of all his security clearances.

    17. Re:Social Engineering is the biggest problem by GigsVT · · Score: 4, Insightful

      Well that's an example of a "feelgood" security measure that is counter productive.

      Get rid of the buzzer on the door, get rid of the keycards. Get rid of anything that creates a false sense of security, or an idea that you are somehow within a "trusted" environment.

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
    18. Re:Social Engineering is the biggest problem by Foobar of Borg · · Score: 1

      True. It reminds me of an old BBspot.com article entitled "Security Hole Found In Sysadmin's Head". I wish I could find the article. Would anyone have a copy or a link by any chance?

    19. Re:Social Engineering is the biggest problem by Paul McMahon · · Score: 2, Insightful

      There is no such thing as perfect security when too many people are in the know, or have some sort of access. There is no such thing as perfect security. Given a sufficient motivation, amount of time, and resources any protection can be overcome.

    20. Re:Social Engineering is the biggest problem by wo1verin3 · · Score: 4, Funny

      Sure, but first please let me confirm your slashdot login.. please reply with your username and password.

      Security Breach Traced To Hole in Head of Admin

    21. Re:Social Engineering is the biggest problem by shadowbearer · · Score: 1

      Disgruntled employees... :-(

      SB

      --
      It's old. The more humans I meet, the more I like my cats. At least they are honest.
    22. Re:Social Engineering is the biggest problem by nacturation · · Score: 5, Informative

      Besides, any admin worth his salt will reset a user's password and tell him to change it instead of telling him to change it to what the admin wants.

      There's a good scam I read about in a book, I think it might have been the one written by Mitnick. Here's how it works:

      You pretend to be the network administrator testing some new security procedures and you phone up your target user. Introduce yourself and say that you're running some security testing on the networks and you need five minutes of their time to do some testing. Remind them that never, under any circumstances, should the user tell anybody else their password. Even reinforce that they shouldn't even tell you, as you don't need to know.

      Now here's the trick. Ask them to logoff. Once they've done that, tell them that you're doing some monitoring and that they should now login with their password... "and remember, don't tell me what it is!" Great, now we need to test the change password function. Get them to change their user account password to something which is known, such as "abacus". Once they've changed their password, ask them to logoff again. You, the intruder, can now login to their account as you know the password. If it's unix-based, you can setup some kind of daemon to run and accept connections, grab random files, login to the corporate VPN, whatever. Stall them for a little bit while you pillage their network... get them to login, letting them know you can't see their login come through, etc. Whatever buys you the time you need.

      Then get them to login once more and change their password back to what it was. Remind them yet again not to tell you that password as they should never tell anybody what their password is. Thank them for their time and for helping you test the security system [and for allowing you to preview tomorrow's result of whether or not the FDA will be accepting or rejecting their new drug therapy, thereby allowing you to take out appropriate options on the stock].

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
    23. Re:Social Engineering is the biggest problem by BiggRanger · · Score: 1

      I had the same thing happen to me at a po-dunk BP in Michigan last week. I couldn't believe it, and she actually looked at the receipt to make sure it matched! Must be some type of new policy at gas stations.

    24. Re:Social Engineering is the biggest problem by DreamerFi · · Score: 2, Informative

      I hope you gave the guy a compliment. I always remark how I appreciate their concern for security when somebody does something similar. It's unfortunate good behaviour needs to be rewarded, but that's life...

    25. Re:Social Engineering is the biggest problem by Anonymous Coward · · Score: 1, Interesting

      Ring
      Ring

      Unwitting Participant: Hello, Information Services, John Smith Speaking.
      SlyDog: Oh, shoot Hi John. I was trying to get a hold of [insert the mark's Name], can you transfer me to extension 701 please?
      Ring
      Ring

      The Mark: Accounts payable Margaret speaking.
      SlyDog: Hi Margaret this is Mike over from IS we are scheduling some maintenance on your computers down there. We heard you were having some problems.
      The Mark: Yes/No
      SlyDog: [TechnoBanter]
      SlyDog: Before I schedule an appointment, we're going to need your current password for our Tech.
      The Mark: Oh, my password is 12345
      SlyDog: Ok, great. What time today would be good for you?
      The Mark: How long do you think it would take?
      SlyDog: Probably ten-maybe twenty minutes.
      The Mark: Oh that's fine you can do it when I take lunch.
      SlyDog: [Lunch Banter]
      SlyDog: Ok great, I'll make sure John knows the maintenance will start at noon.

    26. Re:Social Engineering is the biggest problem by KingJoshi · · Score: 4, Insightful

      I'm working temporarily as a cashier at a fast food place. Sometimes, I get tips from people when I ask them for IDs on their credit cards :)

      People are willing to pay a huge price for convenience. Social engineering attacks exploit that, but obviously, it hasn't been enough to make people cynical or stringent on rules.

      My first inclination was to make the process of buying and receiving the food fast and convenient. Many people don't bring out their IDs with their credit cards and sometimes have to dig through purses for them. So it makes it slower and inconveniences them. Obviously, I understand that security is important enough, but it's not something people are taught. And even if you are, when you have rushes of people and some can be a pain, you just want to get them through.

      But even then, you have to wonder what balance to reach. Do you always reject people if they don't have their IDs? On campus, some places take your ID if you check something out or whatever. How trusting can you be? And "never" just doesn't work in regards to customer service because you want the people to feel as they're treated well and come back (without angering those that care about security).

      Social engineering will always work into the future because people are willing to take certain losses (billions of dollars each year) for convenience, values such as courtesy and (as in the secretary case the other guy mentioned) save face.

      Then, you have issues of people that rebel due to overly strict rules or disagreement with them. I know that many universities have had to deal with theft. The Engineering department at MSU locks the doors on the buildings around midnight (though the hours say until 2am) and since so many people come in and go out of the building later than that, the students keep a trash can to prop the door open. And if I'm going out of the building, I wouldn't hesitate to keep it open for someone who's trying to get in.

      With software it's the same things. Writing passwords down or whatever. Given the option between security and convenience, most likely, it'll be the latter.

      --
      In times like these, it is helpful to remember that there have always been times like these. - Paul Harvey
    27. Re:Social Engineering is the biggest problem by The_Mr_Flibble · · Score: 1

      Social Engineering is a fun game to play. In my job I have to go out to secure sites and do work. In the past I have asked these sites about access procedures to no avail. So now it's fun to just go along and ask to get in unannounced. And if you know enough info they will let you in and give you the master keys for a multistory building. Occasionally they'll make you sign in as well.

    28. Re:Social Engineering is the biggest problem by Anonymous Coward · · Score: 0

      Congrats, genius! You just discovered that thing we call a "cash register", this mysterious object displays the pump number on the screen, the cashier then sees you walk from this pump to the counter through his security camera. Why he asked you for your last name is a mystery to me, maybe he just wanted to match it with your credit card number to fraud you at a later time, in all your witness you probably got social engineered.

    29. Re:Social Engineering is the biggest problem by Anonymous Coward · · Score: 0

      I understand why you didn't manage to get any master or doctorate.

    30. Re:Social Engineering is the biggest problem by drsmithy · · Score: 1

      Right, but it also *seems* (I have no fact to back up this claim) that social engineering is the least worried about security vulnerability.

      s/worried/talked/

      That's because it can't be blamed on Microsoft !

    31. Re:Social Engineering is the biggest problem by RWerp · · Score: 1

      Especially such behaviour. Some people working as cashiers may be afraid they'll offend you by checking your identity. We need to encourage such behaviour.

      --
      "Long run is a misleading guide to current affairs. In the long run we are all dead." (John Maynard Keynes)
    32. Re:Social Engineering is the biggest problem by Fred_A · · Score: 1

      Umm, my password is 12345, can I have the chocolate now ?

      --
      May contain traces of nut.
      Made from the freshest electrons.
    33. Re:Social Engineering is the biggest problem by jonadab · · Score: 2, Interesting

      > I worry about it all the time. My users constantly volunteer their passwords
      > when I don't ask for them.

      You're lucky: your users know their passwords. If I tell my users that they
      need a password for something, they tell me they don't have a password, don't
      want a password, and that I have to fix it so they don't need one.

      --
      Cut that out, or I will ship you to Norilsk in a box.
    34. Re:Social Engineering is the biggest problem by R.Caley · · Score: 1

      70% of people would give away their password for a block of chocolate!

      I would, if it was good chocolate. Of course, I'd immediately replace my account with one which captured information about anyone trying to use it. Maybe I could get a bounty for catching the bastard and buy more chocolate.

      --
      _O_
      .|<
      The named which can be named is not the true named
    35. Re:Social Engineering is the biggest problem by R.Caley · · Score: 1

      What is a disgrace is that with 71% of users falling for this 4 years ago they haven't audited again for it in the interim.

      No point testing the same social hacking hole too often on the same population, unless you can keep the results secret. People who were embarrassed first time around will be sensitised to the attack.

      Wouldn't surprise me if this is the reason for much of the improvement from 4 years ago. N% of people were caught and embarrassed back then and M% have heard the coffee-room teasing of the N%. 71% of the remainder fell for it this time.

      --
      _O_
      .|<
      The named which can be named is not the true named
    36. Re:Social Engineering is the biggest problem by Skater · · Score: 1

      The gas station receipts I get don't include the full card number (usually just the last 4 digits) or much other information of use. They really have no value to anyone other than the person that actually bought the gas, who only uses it to enter the information in their checkbook.

    37. Re:Social Engineering is the biggest problem by dcw3 · · Score: 1

      I hate stupid poeple...

      DOH

      --
      Just another day in Paradise
    38. Re:Social Engineering is the biggest problem by Illserve · · Score: 2, Interesting

      Yes, fire everyone! Don't bother taking an important chance to educate the existing workforce. After all, it would cost practically nothing to rehire and retrain 30% of the IRS.

      So while I agree with you that absolutely draconian measures are called for, and people should be fired for not being as smart as you (even though they were hired for jobs in which computer expertise is not a prerequisite), I'm curious about the potential disaster you proclaim.

      What sort of disaster would this be exactly? Every other week some credit card database gets stolen and shipped to god knows where, but our lives haven't really changed that much for the worse have they? I can still buy food. The TV still works. I still have my job, a house, running water, electricity, the internet works, life goes on....

      So what exactly do you propose would be the practical effect (as opposed to the chicken-little paranoia that some people here are prone to exhibit) of an IRS security breach? After all, I'm sure it's happened before and we've not been told. In fact, it probably happens annually....

    39. Re:Social Engineering is the biggest problem by Anonymous Coward · · Score: 0

      "Their [IRS employees'] job is VERY important, and any security breach spells disaster" I live in a city which has a primary IRS data entry facility. These people make barely more than minimum wage. It is many people's first job when they get out of high school, or drop out of high school.

    40. Re:Social Engineering is the biggest problem by bleckywelcky · · Score: 1
      On this topic: Does signing a credit card receipt actually mean anything?

      Apparently not.

    41. Re:Social Engineering is the biggest problem by The Spoonman · · Score: 0, Troll

      Just curious, but where are you? I don't think I've seen a credit card receipt anywhere in the last few years that has had more than just the last four digits of the card number.

      I agree I'm impressed by the clerk. I always write "MUST ASK FOR ID" in permanent black marker ink on the back of every one of my credit cards, and it never ceases to amaze me how people will pretend to look at my card, then my signature on the receipt and hand both back to me. If I'm feeling evil, I'll turn to my gf and loudly say something like, "See, I told you they never really check the signatures on your cards here. And you were worried we'd get caught with his card!" Yeah, I know the trouble that could get me in. Most of the time, though, I'll make sure to make note of the person's name and contact their corporate offices with a long and scathing letter.

      --
      Which is more painful? Going to work or gouging your eye out with a spoon? Find out!
      http://www.workorspoon.com
    42. Re:Social Engineering is the biggest problem by Anonymous Coward · · Score: 0

      fraud is not a verb, it is a noun. You mean DEFRAUD which is a verb. The rest of your thought is a jumble of thoughts that meander through your skull and I will not even bother trying to understand them until you grasp coherence.

    43. Re:Social Engineering is the biggest problem by proboy256 · · Score: 1

      The attendant may have been worried about security, or just wondering which of the five receipts behind the counter is yours. Heh.

      Part of the reason why social engineering is regularly overlooked is that behavior is much more difficult to upgrade than software. Just try to get a clerical worker to understand why they have to change their password every 90 days and it needs a digit and punctuation mark in it, and you'll see what I mean.

      --
      +-------+ between the wish and the thing lies the world - All the Pretty Horses
    44. Re:Social Engineering is the biggest problem by Firethorn · · Score: 1

      College Student looking for money?
      High school student wanting spending cash?
      2nd job(they do pay pretty good)?

      He might even be 'temporarily between jobs'.

      --
      I don't read AC A human right
    45. Re:Social Engineering is the biggest problem by sgtrock · · Score: 1

      Strange. I've never had a problem educating my management when I had to. That's through 5 Naval commands and three civilian jobs over a 25 year career. Maybe you should quit taking so much pride in your sig and realize that management isn't always the problem?

    46. Re:Social Engineering is the biggest problem by Fillymon · · Score: 1

      Well this completely changes my outlook on the IRS. Maybe I'll stop making my annual April 15th donation every year.

      --
      P.S. - This is what part of the alphabet would look like if Q and R were eliminated.
    47. Re:Social Engineering is the biggest problem by lowrydr310 · · Score: 1

      While I was in College, it was possible to have pizza delivered from one of the local joints and charge the amount to your student account (money you put into your account each semester that can be used in the bookstore and restaurants on and off campus). You would simply call in your order, give them your account number, and when they delivered the pizza they didn't bother to check any ID.

      Unfortunately the account numbers were Social Security Numbers. In one particular class, the professor distributed midterm grades on a spreadsheet and used SSNs to identify each student. Some genius decided to take advantage of the fact that he had a list of about 200 social security numbers. For about a semester, he was making a lot of new friends by ordering a few hundred dollars worth of pizza each week!

      The student got caught and had to pay back all the money he stole (over $1000 dollars), and the school revamped their ID and account number policy.

    48. Re:Social Engineering is the biggest problem by Anonymous Coward · · Score: 0

      We had the same issue.

      Until someone started using their unlocked accounts from their desks to send nasty emails to the CEO and subscribing to all sorts of nasty sites.

      Trust me after they get yelled at by the CEO for telling him to F-off they will never give out their password or leave their computer unlocked again.

      Do this to only two or three really stupid people and word will spread really really really fast.

    49. Re:Social Engineering is the biggest problem by Anonymous Coward · · Score: 0

      But it is a problem they can throw money at and make it go away. They pay some "consultant" to come in and give a lecture to the troops about security, and problem solved. The managers might stop in briefly, too. Someone will probably make some poorly-informed policies to prevent any problems.

      The problem I generally see is just a lack of respect. Most managers have come out of different areas than computer security. They will pay a lot of attention to the areas they understand, but the areas they haven't worked in personally fall off the radar unless they become a real problem. You need a good CIO who is respected by the COO, and he can suggest appropriate measures. (Which do not include spending all the company's money on IT, contrary to popular belief.)

    50. Re:Social Engineering is the biggest problem by Firethorn · · Score: 1

      Actually, it'd probably be easier to do a quick 'probe' on half a dozen people to find an easy mark than to attempt a more complex attack on one.

      --
      I don't read AC A human right
    51. Re:Social Engineering is the biggest problem by fair_n_hite_451 · · Score: 1

      I'm always pleasantly surprised when a clerk in a store actually checks my signature on the back of my credit card to the one I sign on the slip.

      The signature strip is completely worn off the card (overuse - so sue me), and I'll compliment them on their diligence if they ask me if I have any other ID which has a signature on it to verify.

      Happens maybe twice a year...

      --
      Reason why there is hope for the future generation #364:
      "I wish my grass was emo so it could cut itself."
    52. Re:Social Engineering is the biggest problem by Anonymous Coward · · Score: 0

      Management often times is aware that social engineering is a threat, but do not realize to what extent. When I did security audits in the federal government I enquired as to why social engineering attacks were never looked at or tested. The answer that I got was because of liability (they were afraid it could get people fired). This varies from agency to agency. So unless you perform tests like this, management won't be worried at all because it is not on their list of vulnerabilities and audit findings to resolve.

    53. Re:Social Engineering is the biggest problem by newend · · Score: 1

      Have you read Art of Deception? It provides a lot of insight into ways that people use social engineering attacks.

      I know that my company has regular online training for social engineering, but at the same time there are a lot of breakdowns. Also, when security upgrades were made at our facility many of the people got upset because it makes getting physical access more difficult. I don't think that very many people understand the dangers of physical access or having a user login for a few moments.

      "Social Engineering, because there's no patch for human stupidity"

    54. Re:Social Engineering is the biggest problem by trentblase · · Score: 1

      CMU by any chance? I find it hard to believe TWO universities had the exact same problem. You forgot to mention how ass-nasty Pizza Outlet was.

    55. Re:Social Engineering is the biggest problem by newend · · Score: 1

      I called SBC support once, and they wanted me to give them my password or what they thought was likely my password. That makes me VERY uncomfortable, but when it came down to having someone steal all my personal information or live without Internet, I decided to give what was likely my password...

      I think Cingular also wanted me to give them my PIN number over the phone. This was even worse, because I was walking around on campus.

    56. Re:Social Engineering is the biggest problem by hackstraw · · Score: 1

      The first time I saw Social Engineering on the big screen was when Matthew Broderick got himself sent to the principal's office just so he could get the weekly password. That movie came out in 83 and the idea wasn't new then.

      Yeah, but obviously we have come a long way in access control since then.

      I mean, yes, in 83 they already adopted the draconian measure of changing passwords frequently. (Excellent!) But they were not "strong" passwords. If I remember correctly, "pencil" was the password.

      Now, if they used the same authentication principles we do today with stringent password policies to change their passwords frequently and use a strong password like "P3nC1l!69@", then the likelihood of the password being written down in an obvious place, or simply given away would never happen.

      </sarcasm>

      In my not so humble and strong opinion, password policies that require a certain number of nonsense characters and a change every so often, so that I cannot remember the password, are simply ignorant. The only thing that changing a password frequently will do is eliminate the time of exposure for someone who has given up their password to someone, which is already bad and a sign of a breach, so the changing of the password would only limit the time that a breach would happen. The impossible-to-remember character sequence is simply ignorant. If I were to explicitly tell you that my password was a weak one like a family member or a pet and you had 3 guesses before the account was locked, even then the likelihood of compromising the account would be extremely low. And again, this is even telling someone a limited subset of words to guess. Yes, automatic lockouts after X number of failed login attempts should be a requirement for a secure setting. Not pestering me to change it to something I don't even want to care to remember all the time.

      So all of you CIO people out there. Keep doing what you're doing. If I ever want access to your machines, I'll just ask for a username and password.

    57. Re:Social Engineering is the biggest problem by aspx · · Score: 1

      If he was good at his job, he would have put more paper in the printer before you arrived and you wouldn't need to go inside.

    58. Re:Social Engineering is the biggest problem by nine-times · · Score: 1
      Social Engineering has always been the biggest problem. There is no such thing as perfect security when too many people are in the know, or have some sort of access.

      No matter how good an encryption system is, it's obviously going to fail if the person breaking in has the right information.

      In the more general case, no matter what security measures you put in place, you can't stop someone from misusing authorized access. Therefore, I would go as far as to say that there's no perfect security and the only way for something to be completely secure is to disallow any access whatsoever.

    59. Re:Social Engineering is the biggest problem by lowrydr310 · · Score: 1

      Hahah... I actually knew the guy who did that quite well. The only reason I found out about it is when the police came to his door. I didn't know it actually made headlines.

    60. Re:Social Engineering is the biggest problem by lowrydr310 · · Score: 1
      I just wanted to say "actually" one more time to make it a hat trick.

      Yes, Pizza Outlet was horrible. The only time I ever ate it was when an organization or corporate recruiter was giving it away for free (or if an acquaintance bought it using someone else's account).

    61. Re:Social Engineering is the biggest problem by bluGill · · Score: 2, Informative

      Are you aware that Visa does allow you to check any id other than the signature on the back of the card? See id not valid

    62. Re:Social Engineering is the biggest problem by Anonymous Coward · · Score: 0

      Username: Anonymous Coward
      Password:

    63. Re:Social Engineering is the biggest problem by Anonymous Coward · · Score: 0

      I wish people would stop using my account. Please don't give the password away anymore. You are not ME. =)

      Anonymous Coward

    64. Re:Social Engineering is the biggest problem by nospam007 · · Score: 1

      >I had the same thing happen to me at a po-dunk BP in Michigan last week. I couldn't believe it, and she actually looked at the receipt to make sure it matched! Must be some type of new policy at gas stations.

      ---
      Well, the receipt doesn't say "Middle-aged Fatso" on it and the card number is way too long, so they use the name to tell which is which.

  2. Well, I'm glad choicepoint has competition.. by Tobias.Davis · · Score: 5, Funny

    We need more incompetence out there giving away our life stories!

    1. Re:Well, I'm glad choicepoint has competition.. by Black+Copter+Control · · Score: 1
      It's not like I got anything of value from the IRS that we couldn't get from choicepoint....

      (although I could have Taco's spelling audited for the next 3 years!)

      --
      OS Software is like love: The best way to make it grow is to give it away.
  3. Fool me once... by The+Amazing+Fish+Boy · · Score: 5, Funny

    If there is any good news in the story it is that the 35% figure represents a substantial reduction from the 71% who fell for the ruse in 2001.

    You know, there's an old saying in Tennessee - I know it's in Texas, it's probably in Tennessee...

    1. Re:Fool me once... by Anonymous Coward · · Score: 0

      How do you figure? Massachusetts is in the bottom third in local taxes in the country.
      The average citizen in the US pays 10.0% of his or her income to state and local taxes of all kinds.
      In Massachusetts, it's 9.4%, that's 36th in the country.
      It's no Rhode Island (11.1%) or Connecticut (10.6%) or New York (12.9%, #1 in the country)

    2. Re:Fool me once... by Anonymous Coward · · Score: 0

      Fool me once shame on you, Fool me twice.. won't get fooled again.

    3. Re:Fool me once... by Anonymous Coward · · Score: 2, Funny

      Fool me once shame on you, fool me twice I must be an American.

    4. Re:Fool me once... by Anonymous Coward · · Score: 0

      Of course. Someone has to pay for the stop signs in the south.

      http://www.fuckthesouth.com/

    5. Re:Fool me once... by Anonymous Coward · · Score: 2, Interesting

      I wonder how much of the "reduction" is due to changing attitudes or increased "security" -- and how much is just plain "ohhh, I fell for this last time".

      So the old guys didn't reply, but the new ones did.

  4. I would be happy.. by KenFury · · Score: 5, Insightful

    While not perfect results, a 50% decrease in the number of users giving away their password is a victory. Hopefully in a few years it will be down to 10%.

    1. Re:I would be happy.. by LewsTherinKinslayer · · Score: 3, Insightful

      ... Hopefully in a few years it will be down to 10%

      I like your goal, it's actually feasible. I think it would be pretty much impossible to make social engineering ineffective in any large business or agency.

      Better training in recognizing attempts at social engineering I think would make a world of difference.

    2. Re:I would be happy.. by Anonymous Coward · · Score: 1, Funny

      Oh come on, be more optimistic! Personally I am hoping for 9.9999%. Five nines, people, five nines!

    3. Re:I would be happy.. by boingyzain · · Score: 1, Funny

      Yeah, and then there's only a 10% chance that someone will be able to hack the IRS and give themselves a $30,000 tax return!

    4. Re:I would be happy.. by ThisIsFred · · Score: 1

      Not to mention they're doing regular audits, which is more than I can say for some downstream users of my credit data.

      --
      Fred

      "A fool and his freedom are soon parted"
      -RMS
    5. Re:I would be happy.. by vfwlkr · · Score: 3, Insightful

      However, when it comes to IRS, SSA or the like, even 10% would be a defeat. Hackers need only one account to gain unauthorised access, not 10% of the workforce!

      --
      If you're not using firefox, you're not surfing the web, you're suffering it.
      ---
    6. Re:I would be happy.. by paylett · · Score: 1

      I'm impressed that they even conducted this experiment. Twice! At least someone is taking the problem seriously.

      --

      Believing something doesn't make it true. Not believing something doesn't make it false.

    7. Re:I would be happy.. by Old+Uncle+Bill · · Score: 2, Funny

      Like I always say, our application won't give you five nines, but it can give you nine fives.

      --
      Yes, I am an agent of Satan, but my duties are largely ceremonial.
    8. Re:I would be happy.. by gstoddart · · Score: 3, Insightful
      ... Hopefully in a few years it will be down to 10%

      I like your goal, it's actually feasible. I think it would be pretty much impossible to make social engineering ineffective in any large business or agency.

      Not to detract from the observation this is a vast improvement, but I should think you could do one hella lot of mischief with even a 10% rate of success. Especially at the IRS. And almost anyplace else, come to think of it.
      --
      Lost at C:>. Found at C.
    9. Re:I would be happy.. by knightri · · Score: 2, Interesting

      Another form of authentication seems like a feasible solution. Eye-print scanning, blood analysis, distributed networked random key generation or even simple yet less secure fingerprinting.

      --
      'Or else pizza is going to order out for you'
    10. Re:I would be happy.. by Matilda+the+Hun · · Score: 2, Insightful

      You think you'd be able to get it through some people's heads: "DON'T GIVE OUT YOUR PASSWORD!" It's not brain surgery...if an admin needs to get you to change your password, he can set an expiration date...or, *gasp*, talk to you in person. Or log into your account using su and just leave a note. You just don't do things like that over the phone...

      --
      Tluin natha Linux xxizzuss uriu olt bwael mon'tun.
    11. Re:I would be happy.. by GigsVT · · Score: 3, Insightful

      If the other 90% actively reported attempted social engineering, and those reports were followed up on by real law enforcement, then it would raise the bar as to who would actually attempt such an attack.

      The only measure of security is:

      It would make an effective deterrent to all but the most dedicated intruder.

      That's all that matters. Increasing the dedication needed to break in is what security is all about.

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
    12. Re:I would be happy.. by nametaken · · Score: 1

      You're probably right, but I'd like to think 0.x% is possible.

      After all, the campaign should be simple.

      "If ANYONE, EVER asks for a personal password, report it to I.T. and building security immediately."

      Hang posters above the urinals, on the walls, in every cubicle... just to drive it home.

    13. Re:I would be happy.. by Anonymous Coward · · Score: 0

      Awww, are you sad that your country is irrelevant in the world scene on this tiny little blue planet?

      I'm sorry America is so powerful and rich. Maybe your country will get its turn, next.

    14. Re:I would be happy.. by digitalchinky · · Score: 2, Interesting

      The most advanced form of electronic access I have ever seen in the Australian military are light based hand scanners used in combination with a PIN. This is in compounds housing TS codeword material, about as secure as it gets. In addition, you must pass through a one-person doorway (glass tube) that has additional cameras and sensors to ensure there is only one person inside.

      On mobile platforms, it can be anything from a dull cloth curtain, to foot thick steel vault doorways.

      Eye scanners, blood analysis, and fingerprinting will never be used since they can all be bypassed with little effort. Hand scanners, while not perfect, are the most challenging to defeat, since hands generally stay attached to their owners, it is difficult to make a copy un-noticed.

    15. Re:I would be happy.. by digitalchinky · · Score: 1

      An old boss at one time went on to become the head of DSD's personnel security, I won't say his name but we worked together in a section known as AE - going back some years before that, when analog mobile phones were all the rage, he telephoned me on leave in another state asking for the combination to the vault safe. I refused to give it, though it wasn't the first or last amusing incident he was involved in.

      TS documents, oops, I wasn't supposed to take those home last night... Very nice guy, but a little absent minded - still, I'd trust him with my life.

    16. Re:I would be happy.. by Anonymous Coward · · Score: 1, Interesting
      It's also important to have some sort of policy in place to detect social engineering attacks as they happen. For instance, if you get a call from someone who is requesting access and you didn't give it to him, you should report it to your supervisor. He can then fire out an email or do whatever is appropriate to remind people not to give out access. He can also note down the time of the call, the originating phone number, who got the call, and other useful information which could be used to identify a particular pattern. In the event of a successful engineering attempt, it could also be provided to law enforcement officials to aid them in their investigation.

      If the supervisor gets reports of an unusually high number of these cases in one day, he could also institute a sort of "lockdown." For instance, instead of just looking at the caller ID, ask for employee IDs, callback phone numbers, that sort of thing. And in fact sensitive operations could be disallowed over the phone entirely. In a perfect world, the IRS would always be in this "lockdown" mode, but in reality they have a lot of work to do and it may just not be feasible to have those kind of restrictions in place all the time.
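
As an added example, not code from the thread or from any agency's tooling, here is a small Python triage log for the reporting and "lockdown" policy described in the comment above: each call an employee reports becomes a record, the records are aggregated per day and per originating number, and a spike in one day trips the lockdown recommendation. The field names, the threshold of three reports, and the sample reports are all constructed.

```python
"""Triage of reported social-engineering phone calls.

Added example, not code from the original thread or any agency's tooling.
Each report an employee files with a supervisor becomes a CallReport; the
helpers below aggregate them per day and per originating number so that a
spike can trigger the "lockdown" of phone-based requests described above.
Field names, the threshold, and the sample reports are all constructed.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class CallReport:
    when: datetime      # when the call came in
    caller_id: str      # number shown on caller ID; "unknown" if withheld
    callee: str         # employee extension that took the call
    request: str        # what the caller asked for
    complied: bool      # True if the employee handed something over


# Constructed sample reports for one site on two days (not real data).
SAMPLE_REPORTS = [
    CallReport(datetime(2005, 3, 14, 9, 5), "555-0100", "ext 2201", "password reset", False),
    CallReport(datetime(2005, 3, 14, 9, 40), "555-0100", "ext 2207", "password reset", True),
    CallReport(datetime(2005, 3, 14, 10, 15), "unknown", "ext 2310", "VPN login", False),
    CallReport(datetime(2005, 3, 14, 11, 2), "555-0100", "ext 2212", "password reset", False),
    CallReport(datetime(2005, 3, 15, 14, 30), "555-0142", "ext 2201", "remote access", False),
]


def reports_on(reports, day):
    """Reports received on the ISO date string `day`, e.g. "2005-03-14"."""
    return [r for r in reports if r.when.date().isoformat() == day]


def callers_by_frequency(reports):
    """Originating numbers ranked by how many reports name them.

    Caller ID is spoofable, so this is a grouping key for pattern spotting
    and for handing to law enforcement, never a way to authenticate a caller.
    """
    return Counter(r.caller_id for r in reports).most_common()


def compromised_extensions(reports):
    """Extensions whose user complied: these accounts need a forced reset."""
    return [r.callee for r in reports if r.complied]


def lockdown_recommended(reports, day, threshold=3):
    """True when the count of reported calls on `day` reaches the threshold.

    In lockdown, phone requests require employee IDs and call-backs, or are
    refused outright, as the comment above suggests.
    """
    return len(reports_on(reports, day)) >= threshold


def daily_summary(reports, day):
    """Everything a supervisor needs for the reminder e-mail about `day`."""
    todays = reports_on(reports, day)
    return {
        "reports": len(todays),
        "top_callers": callers_by_frequency(todays)[:3],
        "compromised": compromised_extensions(todays),
        "lockdown": lockdown_recommended(reports, day),
    }


if __name__ == "__main__":
    for day in ("2005-03-14", "2005-03-15"):
        print(day, daily_summary(SAMPLE_REPORTS, day))
```

Run as a script it prints one summary per day; on the constructed data the first day has four reports from mostly one number and one employee who complied, so it trips the lockdown, while the second day does not. The threshold is a knob to tune against the site's normal volume of reports.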

    17. Re:I would be happy.. by xSauronx · · Score: 2, Interesting
      real law enforcement can't follow up on everything they have to follow up on as it is, never mind following up by trying to find "that guy with blonde hair and green eyes who kept asking for my password last night".

      this is almost something people should learn in high school in this age, but definitely at your first day on the job it should be made clear: I don't need your password, nobody needs your password, if you give out your password, even to your grandmother, you'll be fired as a security risk.

      if the discipline is just "you gave out your password! idiot!" then....well then apparently only half of those people are going to stop giving it out; and while that's an improvement it's not good enough.

      --
      By and large, language is a tool for concealing the truth. -- George Carlin
    18. Re:I would be happy.. by DustMagnet · · Score: 1
      While not perfect results, a 50% decrease in the number of users giving away their password is a victory. Hopefully in a few years it will be down to 10%.

      I don't agree. With a clear policy and good training a 35% failure rate is way too high. Clearly they've failed to fix this problem in the last four years. One thing also missing is the number of people who reported the hacking attempt. I'd like to see a majority of those called reporting it. Otherwise it doesn't matter what percentage fall for the trick, because you'll never get that to zero.

      --
      'SBEMAIL!' is better than a goat!!
    19. Re:I would be happy.. by jthayden · · Score: 1

      True, 10% is still high, but it depends on what population the 10% is coming out of. Hopefully nobody in IT is going to be giving out their passwords. So at least you shouldn't have any admin or poweruser problems. I would also hope that places like the IRS have restricted access from the outside world, which would mean that in order to do much damage, you'd need to be internal, in which case you've got an even bigger problem.

    20. Re:I would be happy.. by Anonymous Coward · · Score: 0

      Hand scanners are not foolproof. Keep in mind that there is no security that can't be bypassed with sufficient explosives.

  5. you know what they say.. by peculiarmethod · · Score: 2, Funny

    as the old saying goes.. death, taxes, and idiocy.

    --
    ** "It's not my job to stand between the people talking to me, and the ones listening to me." -- Pego the Jerk
    1. Re:you know what they say.. by ikkonoishi · · Score: 4, Funny

      "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former." Albert Einstein

    2. Re:you know what they say.. by game+kid · · Score: 1

      He was a genius! (Though I hear he=teh sux in math...)

      --
      You can hold down the "B" button for continuous firing.
    3. Re:you know what they say.. by sdo1 · · Score: 1
      "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former." Albert Einstein

      Once again, he was right. (At least about the former part. The latter part goes without saying)

      -S

      --
      --- What parts of "shall make no law", "shall not be infringed", and "shall not be violated" don't you understand?
    4. Re:you know what they say.. by Buffo · · Score: 1

      I have always heard it spoken thusly:

      "The two most common elements in the universe are hydrogen and stupidity..."

      Sigh...

  6. No matter what OS you're running... by TelJanin · · Score: 5, Informative

    ...the user is the largest security hole. Either you can restrict them to where they can't do their job, or somebody can get them to reveal their u/p for a candy bar.

    1. Re:No matter what OS you're running... by Elminst · · Score: 1

      Most times you don't even need the candy bar...
      Just carry around a bunch of computer parts and wander up and tell them you're the "computer guy."

      They'll let you in, show you the server room, and get you a cup of coffee and a donut.

      And even if you can't crack the server, you get a free snack! =P

      --
      No unauthorized use. Trespassers will be shot. Survivors will be shot again.
    2. Re:No matter what OS you're running... by Anonymous Coward · · Score: 0

      A sandbox without any shared files, and no way of sending any attachments in their emails would be the ideal solution. Productivity might take a hit, but it would remove most security risks.

    3. Re:No matter what OS you're running... by Caspian · · Score: 1

      Mmmmmmmmmmm, candy bar. jsmith/fido

      --
      With spending like this, exactly what are "conservatives" conserving?
    4. Re:No matter what OS you're running... by Soko · · Score: 2, Funny

      Informative? This is common knowledge, or should be to any admin who's been on the job for more than a day or two.

      Where have all the BOFHs gone? In my day, that candy bar would be 60 grams or so of C4 nougat with 3 remote detonator almonds all covered in a delicious chocolatey coating.

      Kids - no sense of history.

      Soko

      --
      "Depression is merely anger without enthusiasm." - Anonymous
    5. Re:No matter what OS you're running... by lachlan76 · · Score: 1

      Why crack it? Just put it on a trolley, and then carry it out.

    6. Re:No matter what OS you're running... by Elminst · · Score: 1

      Ah. good point...
      And they'll probably hold the door for you on your way out!

      --
      No unauthorized use. Trespassers will be shot. Survivors will be shot again.
    7. Re:No matter what OS you're running... by patches · · Score: 1

      Why use a trolley? You would probably be able to get them to help carry it out to your car...

      --
      The worst part of being atheist.... You don't have anyone to talk to during orgasm!
  7. No Surprise here by bananahead · · Score: 3, Interesting

    This does not surprise me, the typical IRS employee has probably only had a computer for 6 months. And it is probably a crippled 386. The IRS has NEVER been at the forefront of technology. In fact, it is a well kept secret that their use of technology is very limited. In addition, the caliber of people that will actually work for the IRS is not exactly the highest in the world. It is mostly Civil Service work. Now, before you jump up my ass with flames about not being fair, I am being fair. I didn't say Civil Service was bad, it just doesn't attract the finest we have to offer. Try training them.

    --
    A most overlooked advantage to owning a computer is if they foul up there's no law against whacking them around a bit.
    1. Re:No Surprise here by Anonymous Coward · · Score: 0

      Keep in mind that these are the same people who, when answering questions about filling out the tax forms, usually provide the wrong answer.

    2. Re:No Surprise here by PitaBred · · Score: 1

      Hear, hear. I get to train a bunch of forest service people to use our software soon. That's always a trip. "Directory? You mean like a folder? Where's that?"
      Not that our software requires that you work with lots of data, and there are sometimes many pathnames and such you have to deal with...

    3. Re:No Surprise here by ebvwfbw · · Score: 2, Interesting
      Why do you think this? Have you ever been to an IRS office? The IRS has some of the newest systems out there. Most if not all employees work on a computer each day they are at work. I don't work for the IRS but I do interact with them professionally. I saw a lot of contemporary machines on desks - at least >= 2 gig Pentiums. Machines that you would find at any Fortune 500 company. Machines that may be better than the one you are using. They interact with some of the best database machines out there - Teradata for example.

      There is a surprise here. The IRS has what is known as "title" data, it is in the USC under section 24 or "Title 24" data. They are very strict and EVERYONE that has access to their data has to go through training every year on it. They are not kidding, they make sure everyone has completed the training or they will stop you from accessing it. I have seen them do it. There is a test on it and they do audit. I have had the completion nazis come after me more than once.

      Obviously they have a problem with understanding what they learned and how to apply it to daily activities. I know I have found professionally that if someone is having trouble, they will do anything to get it working again. They ask very few questions. Obviously you don't do this to someone that has a clue, there are plenty of clueless ones around. Just look at Mitnick's book on social engineering. Obviously they are aware of the problem and they are trying to do something about it.

      You couldn't get me... besides it wouldn't matter. You see I have this guy in Nigeria that sent me a letter about making a bunch of money for helping him, his father died a year ago.... Just kidding. Check out http://www.ebolamonkeyman.com/

    4. Re:No Surprise here by BenEnglishAtHome · · Score: 4, Informative

      A few notes from someone who works at the subject TLA.

      ...the typical IRS employee has probably only had a computer for 6 months.

      Flat wrong. Essentially every IRS employee gets a computer when they come on board.

      ...it is probably a crippled 386.

      Wrong. All the 386s have been gone for years. The slowest machines in common use are 800 MHz Dell C600s and they're being replaced this year.

      The IRS has NEVER been at the forefront of technology.

      Demonstrably wrong. Look at the history of LCD fabs for one example. Specifically, IRS demand for larger LCDs drove much of that industry's momentum a couple of decades ago. Look up the screen specs for the old Zenith 171 lunchbox computer.

      You want more current examples? Linux deployment, our VPN implementations, and plenty of other things we do have been at the leading edge of what's workable for a long time.

      ...it is a well kept secret that their use of technology is very limited.

      Where in the hell did you get that idea? Holy smoke, our work processes are so tied to technology it's ridiculous. That's why people freak out when computers don't work and they're willing to do anything, even, sometimes, give out their passwords, to get things working again. I really don't know where you're getting this crap.

      ...the caliber of people that will actually work for the IRS is not exactly the highest in the world.

      Ad hominem and not worth responding to. Wrong, to boot.

      ...It is mostly Civil Service work.

      The Civil Service system is almost dead. If you didn't get on board over 20 years ago, you're probably not even a member. Almost everyone is a Federal Employee Retirement System member now, so the old "stay there a lifetime and ossify in your chair because you're bound to the retirement system" motivation no longer exists. As for the more general use of the term, as in "Civil Service protections," they've been under unrelenting attack for so long there's little left. Yes, it's different from private industry but the old image of "Civil Service," which is what you're evoking, is simply no longer anywhere close to accurate.

      ...before you jump up my ass with flames about not being fair, I am being fair. I didn't say Civil Service was bad, it just doesn't attract the finest we have to offer.

      I would never flame someone for ignorance. Ignorance is curable.

      Try training them.

      Finally, something insightful. Thank you. The IRS dedication to computer training is pitiful and if that condition were corrected, much of these problems would go away.

      As an aside, the IRS was on the verge of making huge inroads on this in 2001. We had set up a new-hire training model that shipped all new employees to a central location for training. The advantages were absolutely huge. This successfully addressed complaints from tax professionals about disparate enforcement of tax law in different jurisdictions because everyone was going to be trained to do things the same way. In addition, since everyone was in one place at the same time, the IT folks had managed to get time slots to provide real, quality training to everyone. Things were good.

      We were in class on 9/11. We dealt with getting people home during the full ground stop. We dealt with people who saw massive numbers of their coworkers dying on television and simply collapsed under the emotional assault. (Not our people, but some of the folks working in the same facility were HQ'd in the WTC.) We dealt with people having an unreasonable fear of flying for a long time. (I spent a half day printing maps and plotting routes for shaky employees who had chosen to rent cars and drive home, even if that drive was a thousand miles.)

      The bottom line, though, was that centralized (read: high quality, consistent) training was then deemed too cumbersome and the program canceled. Big mistake. I hope we find a better way to do things before I retire.

    5. Re:No Surprise here by clickster · · Score: 1

      IRS demand for larger LCDs drove much of that industry's momentum a couple of decades ago

      Whoa...It wasn't driving very fast then. Large ones have only been around in decent supply and for decent prices for a few years now.

      --
      If you mod me down, I shall become less powerful than you could possibly imagine.
    6. Re:No Surprise here by BenEnglishAtHome · · Score: 1
      Whoa...It wasn't driving very fast then

      That's exactly my point. The IRS placed a large order for Zenith 171 computers with 8-line by 80-character LCD screens before such screens existed. Zenith said "Place the order and we'll find a way to produce bigger screens." So the IRS took delivery of the computers with the largest screens then extant, 4 X 66, until a new fab could get online and up to speed. Then Zenith did free upgrades for everything already deployed.

      At the time, the industrial press went on and on about what a bold move it was for the IRS to trust so much in the advancement of technology and place the order that kickstarted the "large" LCD panel industry.

      Note - My memory isn't perfect. The screen size numbers above are for illustrative purposes only but I think they're pretty close to what actually happened.

    7. Re:No Surprise here by Dread_ed · · Score: 1

      "In addition, the caliber of people that will actually work for the IRS is not exactly the highest in the world"

      The first person that I saw win on "Who Wants to be a Millionaire" was an auditor for the IRS. This guy was a smooth operator. I actually found myself liking him in spite of the 35% of my income that is stolen every two weeks by those bastards.

      The best part of his whole run to milliondom was the last question. He hadn't used any of his lifelines and on the last question he used his "phone a friend." He called his dad and the conversation went basically like this:

      Dad: "What question do you need help with son?"

      IRS dude: "Don't need any help dad. I know the answer to the question, I just wanted to call you and mom so that you would be the first to know that I won."

      Dad: "Good job son, see you later."

      The guy was a badass in the geekiest sense of the word. I find it pretty scary that he works for the IRS. Just imagine a bunch of his clones coming to audit your ass!

      So, in essence, I see no truth in the comment you just made, sorry. The evidence speaks to the contrary.

      --
      When the only tool you have is a claw hammer every problem starts to look like the back of someone's skull.
  8. Apologies in advance... by nganju · · Score: 5, Funny


    I'm sure that all this bad press for the IRS must be really taxing.

    Sorry.

    --
    There are 2 kinds of people in this world. Those that can keep their train of thought,
    1. Re:Apologies in advance... by Anonymous Coward · · Score: 0

      Some humorless mods out there? Troll? Give me a break.

    2. Re:Apologies in advance... by michaeldot · · Score: 1

      A smile counts as Funny in my book.

      I'm sorry I don't have any mod points to counter the unfair Troll moderation you've been given.

    3. Re:Apologies in advance... by Elminst · · Score: 3, Funny

      Probably an IRS employee with mod points... ;)

      --
      No unauthorized use. Trespassers will be shot. Survivors will be shot again.
    4. Re:Apologies in advance... by Soko · · Score: 1

      I'm sure that all this bad press for the IRS must be really taxing.

      Sorry.

      No problem.

      We now return you to your regularly scheduled discussion.

      Soko

      --
      "Depression is merely anger without enthusiasm." - Anonymous
    5. Re:Apologies in advance... by Anonymous Coward · · Score: 0

      That's okay, we'll make an exemption this time.

    6. Re:Apologies in advance... by BlueJay465 · · Score: 1

      Yeah, I suppose now the IRS can also appreciate the irony of getting 'audited'.

    7. Re:Apologies in advance... by jrockway · · Score: 1

      That was the worst joke I've ever heard. Not funny AT ALL.

      --
      My other car is first.
  9. But how stupid are they... by Anonymous Coward · · Score: 0

    Do they check their PCs as soon as pop-ups tell them that it might need a tune up?

  10. Hmmm by user9918277462 · · Score: 5, Funny

    Anybody who's had any significant amount of contact with government workers isn't impressed. You could probably get 35% of them to stick their tongues in an electrical socket if a "technician" told them it'd make their "Internet work better".

    1. Re:Hmmm by magefile · · Score: 1

      Yeah, but that would be good for the people of the US, and thus is part of their duty. Giving away their passwords isn't.

    2. Re:Hmmm by operagost · · Score: 1
      You could probably get 35% of them to stick their tongues in an electrical socket
      That's certainly a good start. I suggest convincing the rest to hold lightning rods over their heads in a thunderstorm.
      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    3. Re:Hmmm by Alioth · · Score: 1

      All you have to do is, in the words of the BOFH, get DUMMY MODE ON. Then the luser will agree to pretty much anything. I thought BOFH was merely extreme fictional parody when I read it as a student. When I got into the real work world, it was shocking to find that it wasn't that far from the truth.

    4. Re:Hmmm by OhHellWithIt · · Score: 1

      I was thinking the "government worker" jibe, but you beat me to it. Unfortunately, it's not any better in private enterprise. I've worked in both environments, and I'm not impressed. When people stop sending their money to Obewan Kanobi or whoever it is in Nigeria, then I'll begin to have hope for the human race.

      --
      "Who controls the past controls the future. Who controls the present controls the past." -- George Orwell
  11. fire them by CAIMLAS · · Score: 4, Insightful

    any of those 35% that fell for it 4 years ago should immediately be sacked. you'd think that after such a drastic fuck up, someone might take it to heart...

    --
    ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
    1. Re:fire them by patches · · Score: 1

      Actually I was thinking that you send out a memo to every employee and discuss the audit, and stress the fact that they should never give their password out. Then in 3 months you do it again, and fire everyone that falls for it at that time. I am positive that there would still be firings....

      --
      The worst part of being atheist.... You don't have anyone to talk to during orgasm!
    2. Re:fire them by Marge+N.+Lacoste · · Score: 1
      It would take a lot more than that to successfully fire a Federal employee. Even in the case where an IRS worker has actually divulged personal information on a large number of taxpayers, the appeals and arbitration process is an arduous journey through a maze of twisty passages.

      How do you get a civil servant fired? Get his manager worried about HIS OWN job. In this case, no harm, no foul. Nobody got hurt, so nobody is at fault.

  12. Fingerprints by SamMichaels · · Score: 2, Interesting

    We've had fingerprint technology for a long time. In fact, the Samsung laptop has it built in. Why are (especially) government agencies using passwords? You can't exactly "share" your fingerprint with someone on the phone.

    1. Re:Fingerprints by smcd · · Score: 2

      Problem - you are assuming that IRS workers are human.

    2. Re:Fingerprints by Anonymous Coward · · Score: 0

      Uhhh because fingerprints are inherently insecure. May as well make everyone's password "sex".

    3. Re:Fingerprints by forkazoo · · Score: 3, Insightful

      First off, biometrics are not very secure. Second, how do you ssh in? Most programs don't have hooks for biometrics, after all. Web browser based interfaces. Lots of off the shelf software. Things where you want most of the data to stay on a central server, rather than storing all the tax information for the US on a guy's laptop...

    4. Re:Fingerprints by slinky259 · · Score: 1

      What happens when someone cuts off your fingers to get access?

    5. Re:Fingerprints by Paul+McMahon · · Score: 1

      Biometrics shouldn't be used instead of passwords. They should be used in addition to them.

    6. Re:Fingerprints by Anonymous Coward · · Score: 0

      Or steals your coffee cup out of the garbage, or sniffs your fingerprint data as it's being sent to the computer.

    7. Re:Fingerprints by Paul+Crowley · · Score: 1

      Biometrics are only useful when you can be sure of their "liveness" - ie that the biometric you're examining belongs to the party you're currently trying to authenticate. You can violate liveness with photographs of people's irises, or by sending a stored biometric over the network. There is some progress in automatic liveness verification, but currently the only way to be really sure that a biometric is live is to have a security guard standing next to the biometric tester, verifying that it's really looking at a real person's iris/fingerprint before triggering biometric verification.

    8. Re:Fingerprints by RupW · · Score: 1

      Second, how do you ssh in?

      Certificate-based login. You could protect the cert with a hash from the biometric result or something.

      Web browser based interfaces.

      Again, SSL client certificates.

    9. Re:Fingerprints by thinkliberty · · Score: 1

      Fingerprints offer almost 0 security, unless you wipe down the sensor after every use.

      For more info see: http://cryptome.org/gummy.htm

  13. Giving out passwords by dcclark · · Score: 5, Informative

    Other employees could not find the caller's name on a global IRS employee directory but gave their information anyway. Some hesitated but got approval from their managers to cooperate.

    Scary.

    Call me silly, but I think people should know that ANYONE in a position to legitimately be messing around with your account already has the ability to do what they need without giving you a call. There should be a simple policy (and maybe there even is, but obviously even some managers don't know): DON'T give out your password or userid to anyone. Period. And start telling that to the managers!

    1. Re:Giving out passwords by Anonymous Coward · · Score: 0

      There should be a simple policy (and maybe there even is, but obviously even some managers don't know)

      Call me silly, but I think anyone who read the article would know that there is such a policy, since the article specifically says there is.

    2. Re:Giving out passwords by hdparm · · Score: 1

      Yes. But these people are from the Treasury Department. They must have had some sort of ID card hanging off their necks - how would someone random get into IRS offices and pull off a scam like this? Do they have security guards in that building?

    3. Re:Giving out passwords by digitalchinky · · Score: 3, Interesting

      You might think I'm trolling, but seriously, don't underestimate the power of paper, crayons, and cling wrap. It's been used to gain access to more than a few classified compartments. Once inside, everyone assumes you are meant to be there. Security pass or not. People would laugh at you for a hand made ID card before they would even contemplate a security problem.

      Ok, that was 10 years ago, these days the guards have to walk around and discreetly make sure everything is in order.

    4. Re:Giving out passwords by Anonymous Coward · · Score: 1, Interesting
      ANYONE in a position to legitimately be messing around with your account already has the ability to do what they need without giving you a call.

      Not really. At the IRS, accounts administration and desktop administration have, in the name of security, a near-impenetrable wall between them. If desktop support finds a problem with user account permissions, corrections must go through time-consuming formal channels and take quite a while to occur. Then you test, find out that wasn't quite the problem, and start the process over. Yes, oversight is important but the way it's set up at the IRS means that desktop support personnel have an extremely strong motivation to work around security procedures and the users are accustomed to helping them do so.

      Of course, that's not saying that users are officially told to give out their passwords. Just the opposite. But the actual adoption of that meme has been slow to catch on. As some other posters have noted, the previous audit, with much worse results, made a big impression and convinced most people to play by the rules. There will always, however, be a few who don't get the message.

      There should be a simple policy (and maybe there even is, but obviously even some managers don't know): DON'T give out your password or userid

      Agreed. That would be called two-factor authentication, wouldn't it?

      The problem at the IRS, though, is that the userid for all users is publicly published. You can look up an individual user a couple of different ways, including one with a big scary warning about why you shouldn't misuse the information, but the fact remains that any IRS employee can get the userid for any other IRS employee. It's set up that way on purpose.

      Lessee, how many authentication factors does that leave us with?

      PS - The worst part of the whole thing is that if employee A gets pissed off at employee B, employee A only needs to sit down at any random workstation, input employee B's userid with a bad password three times, and, voila, employee B is locked off the LAN. This situation really, truly bothers me.

      Posting anon for obvious reasons.
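The lockout abuse the anonymous poster describes above (three bad passwords against a published userid from any workstation) leaves a very recognisable trail in the logon log, and it is cheap to look for. The following is an added example, not anything from the article or the IRS: it runs over a few constructed logon records (timestamp, user, workstation, result; the format, the three-failure threshold and the hostnames are all assumptions) and flags lockouts that came from a workstation the victim has never successfully used, plus any single workstation that locked out several different people.

```python
import re
from collections import defaultdict

# Failures before the account locks, as the post describes (assumed policy value).
LOCKOUT_THRESHOLD = 3

# Constructed sample records (not real IRS logs): "timestamp user workstation result".
SAMPLE_LOG = """\
2005-03-16T09:01:02 alice WS-0417 FAIL
2005-03-16T09:01:09 alice WS-0417 FAIL
2005-03-16T09:01:15 alice WS-0417 FAIL
2005-03-16T09:03:40 bob WS-0417 FAIL
2005-03-16T09:03:44 bob WS-0417 FAIL
2005-03-16T09:03:48 bob WS-0417 FAIL
2005-03-16T09:10:00 carol WS-0210 FAIL
2005-03-16T09:10:05 carol WS-0210 OK
2005-03-16T09:12:00 alice WS-0099 OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|OK)$")


def parse(log_text):
    """Turn the constructed log format into a list of event dicts, skipping malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, user, host, result = m.groups()
            events.append({"ts": ts, "user": user, "host": host, "ok": result == "OK"})
    return events


def find_lockouts(events, threshold=LOCKOUT_THRESHOLD):
    """Return {(user, host): failures} for every user/workstation pair that hit the threshold.

    A successful logon resets the counter, mirroring how a lockout counter behaves.
    """
    failures = defaultdict(int)
    for e in events:
        key = (e["user"], e["host"])
        if e["ok"]:
            failures[key] = 0
        else:
            failures[key] += 1
    return {k: v for k, v in failures.items() if v >= threshold}


def successful_hosts(events):
    """For each user, the set of workstations they have actually logged in from."""
    hosts = defaultdict(set)
    for e in events:
        if e["ok"]:
            hosts[e["user"]].add(e["host"])
    return hosts


def suspicious_lockouts(events, threshold=LOCKOUT_THRESHOLD):
    """Lockouts triggered from a workstation the victim has never logged in from."""
    usual = successful_hosts(events)
    return sorted(
        (user, host)
        for (user, host) in find_lockouts(events, threshold)
        if host not in usual.get(user, set())
    )


def lockout_sources(events, min_victims=2, threshold=LOCKOUT_THRESHOLD):
    """Workstations that locked out several distinct users: one box, many victims."""
    victims = defaultdict(set)
    for (user, host) in find_lockouts(events, threshold):
        victims[host].add(user)
    return {h: sorted(u) for h, u in victims.items() if len(u) >= min_victims}


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("lockouts:", find_lockouts(evs))
    print("from unusual hosts:", suspicious_lockouts(evs))
    print("multi-victim sources:", lockout_sources(evs))
```

On the constructed data, carol's single mistake followed by a good logon is ignored, while WS-0417 shows up both as the source of two lockouts from a host neither victim uses and as a workstation with more than one victim. Detection only tells you who to go and talk to; the fix for the problem the poster raises is in the lockout policy itself (a short automatic unlock window, or counting failures per source rather than per account).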

  14. slashdot_story= yahoo_story_delay(2hrs); by hedley · · Score: 5, Funny

    The two hour echo strikes again.

    H.

    1. Re:slashdot_story= yahoo_story_delay(2hrs); by nate+nice · · Score: 1

      Followed shortly by its side-kick, the 404 error.

      --
      "If you are a dreamer, a wisher, a liar, A hope-er, a pray-er, a magic bean buyer ..."
  15. Not isolated to software by hunterx11 · · Score: 5, Funny

    Wetware too is vulnerable to buffer overflow exploits. Annoy a person for long enough and they'll do what you say just to get you to stop talking.

    --
    English is easier said than done.
  16. Does this mean IRS employees are slow learners by Dark+Coder · · Score: 2, Interesting

    71% down to 35%.

    IRS employs 100,013 employees in 2001.

    36,000 employees got wise. What about the remaining 35,000 employees?

    No wonder the quality of our audits is getting better! I just hope not to get audited at all, but if I do, I'd like to know which employees passed this social engineering test so I can avoid them...

    What better way to railroad them with unmarked receipts and explanations of multiple exemptions?

    1. Re:Does this mean IRS employees are slow learners by Anonymous Coward · · Score: 0

      I couldn't help myself but had to respond. Your post is meaningless for two reasons. First, you are making some assumptions based off of a statistic. Second, the statistic itself is meaningless without knowing the difference in employee count between the two audits, not to mention the reasons explaining the shift, if any, etc... If the post was meant to be humorous, as it seems to be, please try harder next time.

  17. Defence Against Social Engineering by Shackleford · · Score: 5, Informative
    As I read through the article, I wondered what it was that made these employees think that giving their usernames and passwords could possibly correct anything that was occurring on the network. Then in the article was the explanation I was looking for.

    "Some said they were not aware of the hacking technique and did not suspect foul play, or they wanted to be as helpful as possible to the computer technicians. Some were having network problems at the time, so the call seemed logical."

    It all appears to come from these people naturally wanting to help those who ask for assistance and claim to be trying to help them. It also can be the result of ignorance, with their lack of knowledge of this technique, and thinking that it would be logical to give that kind of information. But here's what I find most interesting:

    "Other employees could not find the caller's name on a global IRS employee directory but gave their information anyway. Some hesitated but got approval from their managers to cooperate."

    It was managers that gave this approval? Aren't they the ones who should be informing the employees of social engineering attacks? I think this may be the problem right here.

    1. Re:Defence Against Social Engineering by Anonymous Coward · · Score: 0

      It all appears to come from these people naturally wanting help those who ask for assistance

      RTFA, dude.. This is the IRS we're talking about.

  18. correction by Anonymous Coward · · Score: 1, Interesting

    The result: over one-third shared their passwords. If there is any good news in the story it is that the 35% figure represents a substantial reduction from the 71% who fell for the ruse in 2001.

    from the article:

    "We were able to convince 35 managers and employees to provide us their username and change their password," the report said.

    That was a 50 percent improvement when compared with a similar test in 2001, when 71 employees cooperated and changed their passwords.


    35 employees != 35% of all employees

    1. Re:correction by Anonymous Coward · · Score: 0

      They called 100 people at the IRS. So 35 people is 35% of their sample.

  19. "IRS Employees Fall For Hackers" by Anonymous Coward · · Score: 5, Funny

    Wow! Tax chicks will date me?

    1. Re:"IRS Employees Fall For Hackers" by Anonymous Coward · · Score: 0

      No, but lonely tax guys will.

    2. Re:"IRS Employees Fall For Hackers" by Anonymous Coward · · Score: 0

      No, they'll call you in for an "audit". They just need to check your "assets". Yeah, that's it.

    3. Re:"IRS Employees Fall For Hackers" by SandiConoverJones · · Score: 1

      Anonymous Coward on Wednesday March 16, @10:22PM: Wow! Tax chicks will date me?

      Watch what you wish for, that tax chick might look like the fat Dixie Chick!

    4. Re:"IRS Employees Fall For Hackers" by Anonymous Coward · · Score: 0

      Now, your stink will drop them at 10 paces.

      *thud*

    5. Re:"IRS Employees Fall For Hackers" by shadowbearer · · Score: 3, Funny

      Sure, they want to audit your personal files in view of a possible future partnership of matrimony. Truly a relationship to bank on.

      SB

      --
      It's old. The more humans I meet, the more I like my cats. At least they are honest.
    6. Re:"IRS Employees Fall For Hackers" by Kirth+Gersen · · Score: 2, Funny

      First rule of dating tax chicks:

      Never, never dump one.

  20. Quit lying! by toupsie · · Score: 3, Funny

    Social Engineering is the biggest problem. Just like I always say

    Oh please. You have never ever said that before. Just yesterday you were saying the shrinkrap on new DVDs was the biggest problem. I can hear it now, "Damn it! I can't get open up my new Steel Magnolia Director's Cut DVD!!! This damn wrapper is the biggest problem! There should be a law!".

    --
    Strange women lying in ponds distributing swords is no basis for a system of government.
    1. Re:Quit lying! by B3ryllium · · Score: 1

      This sounds like a perfect Penny Arcade comic. Okay, you be Tycho!

  21. Wasted time..but at least I made money by gmerideth · · Score: 5, Interesting

    I started using a feature that WatchGuard has on their website called ClickAware within 2-3 days of our big "security" speech at some of our clients.

    We spent 4 hours discussing spyware, attachment best practices, viruses, adaware, malicious sites and policies on installing web apps.

    Shortly afterwards, using the ClickAware site, we sent out fake e-mail with ( my personal favorite ) the "Install this Microsoft Patch" message with a phantom 241K attachment.

    I can then view the click rate and then match the clicks to the internal IP browsing logs to see who's been a bad boy/girl/it.

    I'm stunned most of the time when not but 3 days after a rather lengthy, yet energetic, discussion, some 70% of the people ( of 122 e-mails ) actually clicked on the phantom attachment and saw the "If this was real you would be in trouble" message.

    As the subject says, I feel like I am wasting my time in performing these security meetings but hell, I'm getting paid for it.

    I know there will be the obligatory ( you must suck as a teacher then ) comments but it would be good to see if anyone else has experienced the same thing after doing security discussions with their employees.

    --
    Why do overlook and oversee mean opposite things?
    1. Re:Wasted time..but at least I made money by Anonymous Coward · · Score: 0
      You're so right. No matter how much I tell them to browse with Firefox, not to install software that just "pops up" and certainly not to open things they get sent by strangers via e-mail or IM, they still get infected faster than a 2 dollar hooker.


      At my workplace this ain't a problem, because the computers are running either a more secure OS, or locked tight via group policies.

      The biggest problem is home users, which I used to provide tech support to. I don't anymore, because even though I got paid for it, it was just not worth the frustration. I always feel disrespected when they keep doing the exact opposite of what I tell them (e.g., installing spyware, KaZaA, your_random_porn_searchbar, ...), as soon as I leave their house. I may make a few dollars less, but at least I've got my weekends and evenings back.

    2. Re:Wasted time..but at least I made money by fedork · · Score: 1

      I guess the way to make it work is to make these checks periodic (and pretty often) like fire drills and do them in more-or-less creative ways so it is not obvious it's a drill. And then punish those who fall for it in some way. I think posting a "shamelist" publicly would be an appropriate punishment. After a person burns oneself a few times he would start to be more careful...

      --
      ...remember good 'ol times when IP used to mean Internet Protocol....
    3. Re:Wasted time..but at least I made money by inject_hotmail.com · · Score: 0

      Dude, you're not alone. I am a technical consultant for a number of businesses/SOHO/home users...people are happy to PAY ME to tell them exactly what to do, and they still don't listen.

      I'd say my "correctly understood and adhered to" instruction rate would be around 80% though. (Likely because people pay me directly out of their own pockets). I don't speak techno-babble because I know neophytes, newbies, and non-techies don't understand it. I always speak in specific yet comprehensible language.

      Similar to you, I don't mind, because I get paid over and over to do the same things. Spyware eradication has been very very good to me...S'ok by me!

      They hear us, theys just ain't listenin'.

      Inject

    4. Re:Wasted time..but at least I made money by MyLongNickName · · Score: 1

      Anyone else see the flaw? If it gives you a 'If this was real, you would be in trouble" message, then a lot of the folks may have opened it in response to co-worker's discussions about the "test". To make this a more reliable test, the executable should have done nothing.

      Now, having said that, I bet the click-through rate does not drop below 60% :)

      --
      See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
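gmerideth's campaign above relies on matching clicks against internal IP browsing logs, and MyLongNickName points out that a landing page saying "if this was real you would be in trouble" tips off the next recipient. Both problems go away if every lure carries its own unguessable token and the landing page says nothing useful. The block below is an added example of that design, not WatchGuard's ClickAware or anything posted here: the campaign key, recipient list, lure host and the access-log lines are all constructed for the example. Tokens are an HMAC over the campaign id and the address, so a click cannot be forged for someone else's mailbox, and attribution needs nothing but the web-server log.

```python
import hashlib
import hmac
import re
from urllib.parse import urlencode

# Assumptions for the example: the per-campaign secret, recipient list and lure host are made up.
CAMPAIGN_KEY = b"rotate-this-key-for-every-campaign"
LURE_BASE = "https://updates.example.invalid/patch"
RECIPIENTS = ["alice@example.invalid", "bob@example.invalid", "carol@example.invalid"]


def token_for(campaign, address, key=CAMPAIGN_KEY):
    """Unguessable per-recipient token: HMAC-SHA256 over campaign id and address, truncated."""
    msg = f"{campaign}|{address}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def build_campaign(campaign, recipients=RECIPIENTS, key=CAMPAIGN_KEY):
    """Map token -> recipient. Only the token goes into the mail, so no IP correlation is needed."""
    return {token_for(campaign, a, key): a for a in recipients}


def lure_url(token):
    """The link that goes into the 'Install this Microsoft Patch' lure."""
    return f"{LURE_BASE}?{urlencode({'id': token})}"


def landing_body(token, campaign_map):
    """Same bland page whether or not the token is valid: a clicker learns nothing and has
    nothing to warn colleagues about. The click is recorded by the web server, not here."""
    return "The update server is temporarily unavailable. Please try again later."


# Combined-Log-Format style line: ip ident user [timestamp] "GET /patch?id=<token> HTTP/1.x" status size
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET /patch\?id=([0-9a-f]+) HTTP/1\.[01]" \d+ \d+'
)


def attribute_clicks(access_log, campaign_map):
    """Map each logged click back to a recipient.

    Returns (first_click_timestamp_by_recipient, count_of_unknown_tokens).
    Repeat clicks by the same person are collapsed; tokens not issued by this
    campaign are counted but never attributed to anyone.
    """
    first_click = {}
    unknown = 0
    for line in access_log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        _ip, ts, token = m.groups()
        who = campaign_map.get(token)
        if who is None:
            unknown += 1
        else:
            first_click.setdefault(who, ts)
    return first_click, unknown


def click_rate(first_click, recipients=RECIPIENTS):
    """Fraction of recipients who clicked at least once."""
    return len(first_click) / len(recipients)


def sample_access_log(campaign_map):
    """Constructed web-server lines: two real tokens from this campaign and one bogus hit."""
    toks = list(campaign_map)
    return "\n".join([
        f'10.1.2.3 - - [17/Mar/2005:08:15:02 +0000] "GET /patch?id={toks[0]} HTTP/1.1" 200 71',
        f'10.1.2.3 - - [17/Mar/2005:08:15:04 +0000] "GET /patch?id={toks[0]} HTTP/1.1" 200 71',
        f'10.1.2.9 - - [17/Mar/2005:08:20:41 +0000] "GET /patch?id={toks[2]} HTTP/1.1" 200 71',
        f'10.1.2.5 - - [17/Mar/2005:08:22:00 +0000] "GET /patch?id=deadbeefdeadbeef HTTP/1.1" 200 71',
    ])


if __name__ == "__main__":
    cm = build_campaign("patch-lure-2005-03")
    for tok, who in cm.items():
        print(who, "->", lure_url(tok))
    clicked, bogus = attribute_clicks(sample_access_log(cm), cm)
    print("clicked:", clicked, "bogus tokens:", bogus)
    print(f"click rate: {click_rate(clicked):.0%}")
```

Keep the campaign key off the mail gateway and away from anyone who could read it, since whoever holds it can mint a valid token for any address. The tokens are keyed per campaign, so a token from last quarter's test is not a valid click this quarter.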
  22. Government and Computers - Just say No! by camusflage · · Score: 3, Interesting

    This really shouldn't be terribly surprising. It has been made obvious that the government is not all that swift at securing technology. From the recent FBI email hack to the several times the Department of the Interior has been ordered offline by a federal judge because of their security ineptitude, it seems pretty clear to me that aside from a few pockets, by and large, the government couldn't secure a pop tart, let alone a complex network.

    --
    The truth about Scientology, Xenu, and you: Operation Clambake
    1. Re:Government and Computers - Just say No! by shadowbearer · · Score: 1

      What makes the irony complete is that the NSA is a department of the Federal Government. ;-)

      SB

      --
      It's old. The more humans I meet, the more I like my cats. At least they are honest.
    2. Re:Government and Computers - Just say No! by KingJoshi · · Score: 1

      Yeah, and social engineering only works with technology. I mean, you couldn't use the technique to gain access to physical files or anything.

      Or do you suggest private companies are so much better at security?

      Geesh, this is a human issue. Notice the word "social"!

      --
      In times like these, it is helpful to remember that there have always been times like these. - Paul Harvey
  23. Company upgrade snafu by DodgeRules · · Score: 5, Interesting

    The company I worked for 6 years ago was upgrading some software on all of their computers. They emailed everyone asking them for their username and password so that the technician could log in to their computer at night and perform the upgrade. I refused to hand over my password and told them that I would be there at the time they wanted to perform the upgrade. They weren't very happy about it. When they came to upgrade, I logged in for them. And watched everything they did. I watched as they connected to the server and installed the upgrade. After they finished, they rebooted and left. I connected to the server again using my account and noticed that on the server was a list of everyone in the company, their usernames and passwords. Including the President and CEO of the company, CTO, CFO, all the way down the food chain. I walked over to the IT staff, showed them what I found and told them "THAT is why I won't give out my password."

    1. Re:Company upgrade snafu by omahajim · · Score: 4, Insightful

      So if the IT department can't reset the password of their own employees, what the hell good are they? If you can't remember your password, you're forever locked out of your account? In a company with a "food chain" large enough to include a CEO, CTO, CFO, and "all the way down", they weren't using SMS or some other central software distribution system that doesn't require individual visits to client desktops? I don't doubt your story, I laugh at the clearly deficient system design that required someone to personally visit every desktop for some "upgrade". Or maybe I don't know what I'm talking about. I'm sure moderation will let me know.

    2. Re:Company upgrade snafu by spsheridan · · Score: 1

      6 years ago huh? 8 years back I helped a company do a mail migration. That's migrate from MS Mail to MS Outlook. Yeah yeah .. MS, Outlook, hey, it was 1997 and who knew what a virus was?

      Anyways, the point is that I had to walk to each users desk, log in as THEM, and set up the application as THEM and get it working. That required their username and pwd. I was contractor IT boy and no one was going to give me access to admin rights so I could change the users creds for myself.

      It's 8 years later, I'm a sys admin now, and if I had to do it again I can't think of any way to do an upgrade like this without logging in as each user and making sure the account settings migrated properly in their email client.

    3. Re:Company upgrade snafu by HermanAB · · Score: 1

      It depends on the size of the company. With a small company, it is not cost effective to buy all the centrally managed software - basically any place up to several hundred employees run like a glorified home user, with some random flavour of Windoze on the desktop and one or two harried IT blokes walking around, fixing random problems on random desktops.

      --
      Oh well, what the hell...
    4. Re:Company upgrade snafu by Anonymous Coward · · Score: 0

      so, what you're saying is, you're a Sys Admin now, and you still don't know what you're doing.

      that's the thing about working with windows. any joker can claim to be a sys admin, and probably get away with it for a long time.

    5. Re:Company upgrade snafu by Anonymous Coward · · Score: 0

      You want to know how to tell if an upgrade and migration will work?

      System admin, huh?

      HOW ABOUT TESTING? Just set up a dozen workstations, log a bunch of people on to them in the old system, perform your automatic upgrade, log those people back in and see if it works. If it doesn't, fix it. When you have a 95% success rate, or 99% if you're picky, roll the upgrade out.

    6. Re:Company upgrade snafu by DA-MAN · · Score: 1


      HOW ABOUT TESTING? Just set up a dozen workstations, log a bunch of people on to them in the old system, perform your automatic upgrade, log those people back in and see if it works. If it doesn't, fix it. When you have a 95% success rate, or 99% if you're picky, roll the upgrade out.


      8 Years ago there were no automatic upgrades. Most of this stuff is fairly new. The sysadmin was stating that even though he knows the trade a hell of a lot better now, there weren't all the tools available back then and it would still require logging in to each machine.

      --
      Can I get an eye poke?
      Dog House Forum
    7. Re:Company upgrade snafu by Anonymous Coward · · Score: 0

      Well if you work in the fields where it seems to be harder to fire people, education or government, you'll see the least intelligent people and those with the least vision slowly rise to the top.

      Middle managers don't want to 'lose' their best workers to management, workers won't budge in responsibility because they're already getting paid under the market, and those who can maintain the status quo and keep everyone busy get the management positions.

      I work at a school with an IT department of fifteen or so people. Only three people are familiar at all with an OS besides Windows, I'm the only person comfortable with a command-line interface, and our network administrator learned what a 'VLAN' is yesterday, and he doesn't 'trust' them yet.

      It seems to me that the best way to get ahead in a place like this is to play stupid and ask for consultants to do everything, so there's always a finger to point. When there's nothing major to do or no money for consultants, push paper around a lot and pretend you didn't totally lie on your resume to get this job.

    8. Re:Company upgrade snafu by funkify · · Score: 1

      Did you ever stop to wonder if the list you saw was created in response to the email you refused? Is it possible that the list of "everyone in the company" actually didn't include you?

      I'm going out on a limb here and saying that the tech staff dumbasses weren't the only dumbasses working for this company... hehhehhhehe

    9. Re:Company upgrade snafu by DodgeRules · · Score: 1

      Funkify, the list did NOT include me. So I guess it didn't include those of us that were smart enough to NOT send in our passwords.

      By the way, I need to install an upgrade on your PC, so please send me the admin password and IP address.

      (DodgeRules mutters "dumbass" under his breath)

  24. blame the manager... by Elminst · · Score: 2, Interesting

    "Some hesitated but got approval from their managers to cooperate."

    Just goes to show that you don't promote based on brains.

    but then again, it doesn't show too much brains on the part of the employees either. They cave as soon as a "higher up" says it's okay.

    --
    No unauthorized use. Trespassers will be shot. Survivors will be shot again.
  25. RTFA by TubeSteak · · Score: 4, Funny

    Since few have read the fucking article, I'll quote the relevant portions here:

    The auditors called 100 IRS employees and managers, portraying themselves as personnel from the information technology help desk trying to correct a network problem. They asked the employees to provide their network logon name and temporarily change their password to one they suggested.

    "We were able to convince 35 managers and employees to provide us their username and change their password," the report said.

    That was a 50 percent improvement when compared with a similar test in 2001, when 71 employees cooperated and changed their passwords.

    ... three sentences ...

    Employees gave several reasons for complying with the request, in violation with IRS rules that prohibit employees from divulging their passwords.

    Some said they were not aware of the hacking technique and did not suspect foul play, or they wanted to be as helpful as possible to the computer technicians. Some were having network problems at the time, so the call seemed logical.

    Other employees could not find the caller's name on a global IRS employee directory but gave their information anyway. Some hesitated but got approval from their managers to cooperate.
    ... Two Sentences.

    With this news, I'll probably be calling my credit card company to see about helping a few customer service representatives with their account problems.

    Probably my health & car insurance companies too. It'd be great if I could save 15% on my car insurance.

    --
    [Fuck Beta]
    o0t!
    1. Re:RTFA by Phleg · · Score: 4, Funny

      Probably my health & car insurance companies too. It'd be great if I could save 15% on my car insurance.

      You could always just call Geico.

      --
      No comment.
    2. Re:RTFA by TubeSteak · · Score: 1
      Ya know I thought about it.

      But who really wants to fill out all that paper work?

      Now if they threw in a poseable Gecko...

      I'd reconsider.

      --
      [Fuck Beta]
      o0t!
  26. Homeland Security by varmittang · · Score: 2, Funny

    I got dibs on calling Homeland Security next!

    --
    -----BEGIN PGP SIGNATURE-----
    12345
    -----END PGP SIGNATURE-----
    1. Re:Homeland Security by Anonymous Coward · · Score: 0

      Too late, I already did. Their root password is "password". Amazingly secure, isn't it?

  27. Well... by Anonymous Coward · · Score: 1, Funny

    We got blogging.

  28. What about employees of more sensitive agencies? by SteelV · · Score: 2, Interesting

    I know getting into the IRS is already pretty bad, but what about other government agencies (FBI, CIA) or the military? I know in many cases they are on separate networks, but in the cases where it's possible to get in...

    It would appear that they are more savvy, and receive more training, but who knows?

  29. how do we know by zippthorne · · Score: 1

    it's not just the other 30%.. the ones who didn't fall for it last time so were not told about it... (what's the turnover in the IRS anyway?)

    --
    Can you be Even More Awesome?!
  30. Change your passwords! by dfj225 · · Score: 3, Funny

    Due to an error in the server configuration, all logins will fail unless you change your password to 'password'. We encourage all users to change their password in order to continue to enjoy services that logged in members have access to. Thank you, - Tech Support.

    --
    SIGFAULT
    1. Re:Change your passwords! by Anonymous Coward · · Score: 0

      Dear Tech Support,

      I tried to change my password as you have asked, but the computer is asking me for the password to the "server Administrator". Can you please tell me this password so I can comply with your request immediately. Thank you very much.

      PS. I think you Tech Support Men are soooooo sexy!!

      xoxoxo,
      Cute Receptionist

    2. Re:Change your passwords! by dfj225 · · Score: 1

      Every password is 'password'.

      Duh, didn't I just get done saying that?

      -Tech Support

      --
      SIGFAULT
  31. there's worse by nigham · · Score: 3, Interesting

    you probably wouldn't believe it - i didn't at first - but some banks have a single password policy... that's right; there's just a single password for every user - get that out somehow and you have access to virtually everything

    --
    I don't want to read /. I want to go home and re-think my life.
    1. Re:there's worse by Anonymous Coward · · Score: 0

      Not just banks - giant insurance companies have done it, too.

    2. Re:there's worse by digitalchinky · · Score: 1

      Yeah, that would be called the 'root' password.

      Here's something a little easier than guessing passwords. Purchase a satellite dish, followed by associated receiver, downconverter, modem, digital capture card, and a computer. A spectrum analyser is also a definite requirement, better if you can pick up an old HP that still has a good CRT, maybe an o-scope, as well as an additional down/upconverter (For figuring out symbol rates and such) None of this new digital scope crap though. (Unless it's a vector analyser)

      Sync up anything at about 19.2-32kbps. Keep tuning until you run across ATMs chugging out unencrypted details via satellite back to head office (there are thousands of them). As an added bonus, many do a bulk upload at some scheduled time of day, so you can capture everything in a short single burst. They are mostly using X.25 on HDLC with that EBCDIC crud.

      These signals contain, among other things, Card Numbers, Names, Expiration Dates, sometimes PINs, etc, etc, etc. This is where the really BIG crime happens. The stakes are some serious jail time, but if it's money you are after, that's the easiest (passive and remote) way I can think of - off the top of my head.

      I don't have enough money to set such a system up personally, but I know a few (million) taxpayer friends that have helped others out in the past :-)

      I do not condone such activity, but I am aware of its existence.

    3. Re:there's worse by camusflage · · Score: 4, Informative

      thats right; there's just a single password for every user
      Not any US bank, I wouldn't think. You see (and I work for a bank, so I know a thing or two..), every year, we have a couple of audits. In addition to the SEC stuff, which really doesn't touch much here, FDIC makes sure our procedures are solid. The bigger audit is OCC (Office of the Currency Comptroller). Typically, we have several auditors on-site for a week or a week and a half, poring over standards, guidelines, and procedures. If, and this is a big if, we had anything like a single password for all users, we would be dinged most severely.

      Then there's the whole GLBA (Gramm-Leach-Bliley Act) morass. GLBA governs a lot of things for banks, but most importantly for this discussion, that any customer sensitive or confidential data must be protected, access audited, etc. A single password for every user is neither protected nor auditable. Any financial institution found doing such things would be socked with a rather nasty five figure fine, more than likely. That alone is incentive enough not to cut corners on security.

      --
      The truth about Scientology, Xenu, and you: Operation Clambake
    4. Re:there's worse by WhatAmIDoingHere · · Score: 1

      Banks are pretty great with their passwords, I think. My online banking (Not some huge bank, just a local bank serving the county) forces a password change every 90 days. You can't log in after the 90th day without changing your password.

      --
      Not a Twitter sockpuppet... but I wish I was.
    5. Re:there's worse by cylcyl · · Score: 1

      If the auditors are there for just a couple of wks, it sounds like they'll just be spending their time holding meetings, presentations and going over documentation, with minimal time going over the actual adherence.

      There might not be a policy for single passwds, but that doesn't prevent lazy admins from making only one passwd for everything.

  32. A book about social engineering by comwiz56 · · Score: 3, Informative

    I suggest to anyone interested in social engineering (defending or attacking) that they read the book 'The Art of Deception' by Kevin Mitnick, the hacker god himself.

    1. Re:A book about social engineering by Paul+McMahon · · Score: 1

      A god doesn't get caught. ;)

  33. Social Engineering = Insult to Engineers by Anonymous Coward · · Score: 0

    Why would con artists who have no regard for social safety and responsibilities be classified as 'engineers'? Are you all too stupid to see this is a scam made up by fraudsters to legitimize identity theft?! In case you don't notice, you are wrongfully condemning a real social engineering department that doesn't rely on cheating and stealing to survive!

    YOU SHAMEFUL IGNORANT FOOLS, you should all stop calling fraudsters 'engineers' and relabel them as the scum they truly are!!!

  34. Re:What about employees of more sensitive agencies by Anonymous Coward · · Score: 0

    I would suspect that they would be less vulnerable, given that they're more security minded to begin with.

  36. Social Engineering = Insults to engineers by Anonymous Coward · · Score: 0

    Why would con artists who have no regard for social safety and responsibilities be classified as 'engineers'? Are people too stupid to see this is a scam made up by fraudsters to legitimize identity theft?! In case you don't notice, you are wrongfully condemning a real social engineering department that doesn't rely on cheating and stealing to survive!

    YOU SHAMEFUL IGNORANT FOOLS, you should all stop calling fraudsters 'engineers' and relabel them as the criminals they truly are!!!

  37. Ladies and gentlemen by Master_T · · Score: 2, Funny

    Your Tax Dollars at work.

  38. Hopefully they got the following email: by Black+Copter+Control · · Score: 1
    To: Me
    From: Myself
    Subject: Meet with auditing team 10:30

    Something about stupid passwords.
    Don't miss it!

    --

    Can you be fired from the IRS for brazen stupidity?

    --
    OS Software is like love: The best way to make it grow is to give it away.
  39. "Hackers"? by predakanga · · Score: 1

    I personally wouldn't classify a social engineer (a.k.a. phisher) as a hacker...

    1. Re:"Hackers"? by 1u3hr · · Score: 3, Insightful

      Calling someone on the phone and asking them for their password is hardly "hacking", even in the loose sense most mainstream news media uses it.

  40. Ummm, by stinkpad · · Score: 1

    So, stupid tax collectors are a BAD thing? Intelligent gestapo agents scare me more than the Col. Klink types.

  41. Re:What about employees of more sensitive agencies by Jah-Wren+Ryel · · Score: 1

    It would appear that they are more savvy, and receive more training, but who knows?

    The answer is, "it depends."

    It depends A LOT on the individual security people at each site. Some are idiots. Some are competent. Anecdotally, the higher up the DSS management chain you go, the more likely they are to be idiots because they are further and further divorced from the technical details and thus prone to more and more "hand-waving" like "it only takes a simple script to do the firewalling" and "no open source software allowed on the internal network because some of the contributors are foreign nationals" (while closed-source software written entirely in Pakistan, China or Russia is fine as long as it comes through an American reseller who disclaims all liability for anything anyway).

    A lot of the official security protocols are general guidelines that are meant to be interpreted locally by well trained, if not expert, security officers. When you have well trained or expert security officers, everything goes well. When you don't have them, it becomes a whole lot of sound and fury with little actual security.

    --
    When information is power, privacy is freedom.
  42. Moderation? by CustomFort · · Score: 4, Funny

    Or maybe I don't know what I'm talking about. I'm sure moderation will let me know.

    You must be new here... ;)

  43. Old News again on slashdot. by GISGEOLOGYGEEK · · Score: 0

    Big deal.

    Some other study found that most people will give out their workstation password in exchange for a chocolate bar.

    Who cares.

    All it proves is that the average American office worker is just a brain dead puppet waiting for a paycheque.

    There's nothing to see here. Carry on.

    --
    George Bush + Linux = "I will not let information get in the way of the fight against Windows"
    1. Re:Old News again on slashdot. by Anonymous Coward · · Score: 1, Insightful

      Excellent point.

      When companies start paying workers what it's actually worth to protect their data and resources, then maybe employees will care. If the average worker doesn't give a shit about company goods to begin with because they're disgruntled, giving out passwords is the last thing they're worried about.

    2. Re:Old News again on slashdot. by digitalchinky · · Score: 1

      Or maybe that the employer has a brain dead philosophy on life, and the worker 'sheep' have a GAF attitude (that would be 'Give A F#&*')

    3. Re:Old News again on slashdot. by Anonymous Coward · · Score: 0

      All it proves is that the average american office worker is just a brain dead puppet waiting for a paycheque.

      Strike "American" from that statement and you are correct. Leave it in and you demonstrate to the world your own brain-dead bigotry.

    4. Re:Old News again on slashdot. by a24061 · · Score: 1
      All it proves is that the average american office worker is just a brain dead puppet waiting for a paycheque.

      I'm not going to argue that one.

      Who cares.

      You might care when the puppet's passwords are used to read or alter your tax/bank/etc. records!

    5. Re:Old News again on slashdot. by GISGEOLOGYGEEK · · Score: 1

      Please explain to me how those puppets' passwords could read or alter my tax/bank records?

      You've made big assumptions on how I deal with personal information while on an office computer.

      Either that or you go around making your puppet co-workers use passwords that could give them access to your records.

      --
      George Bush + Linux = "I will not let information get in the way of the fight against Windows"
    6. Re:Old News again on slashdot. by GISGEOLOGYGEEK · · Score: 1

      It's not bigotry when it's true. Redundant perhaps, but not bigotry.

      --
      George Bush + Linux = "I will not let information get in the way of the fight against Windows"
  44. public passwords by jamesh · · Score: 4, Interesting

    I hate it when users just give up their password when asked. But on the other hand it is so damn useful to be able to get into somebody's computer to fix a problem that only affects them (eg using their profile).

    One thing that Windows lacks is for an Admin user to be able to impersonate anyone à la su under Unix. It would make fixing problems for other people so much easier as you could log into their computer as them using your/admin credentials.

    1. Re:public passwords by lachlan76 · · Score: 3, Informative

      Look on MSDN, there's an ImpersonateUser function you can use, if you know how to program.

      Write up a quick VB/C++/C#/Whatever app, make up a login prompt, get it to login, impersonate the user, and start explorer (obviously, you'll need to shut down explorer first).

      You could do the same and spawn cmd as well, if that's all that is needed.

    2. Re:public passwords by Fred_A · · Score: 1

      It's nice that Windows is so user friendly.

      Write a program instead of "su foo && startx", that's really nice.

      People at Microsoft still haven't got the hang of that multiuser business apparently...

      --

      May contain traces of nut.
      Made from the freshest electrons.
    3. Re:public passwords by lachlan76 · · Score: 0, Offtopic

      No offence, but you don't seem to have gotten the hang of bash ;)

      su && startx will only start X when you have dropped your new priv set.

    4. Re:public passwords by Fred_A · · Score: 1

      I know, a subshell would have been spawned, it was "poetic license" for the sake of brevity.

      Let's pretend that the <pseudocode does_not_work> tag was eaten by slashcode :)

      --

      May contain traces of nut.
      Made from the freshest electrons.
    5. Re:public passwords by lachlan76 · · Score: 3, Funny

      I prefer to use obfuscated perl to show the usability of the Unices...makes me look all 1337, and keeps the virus-writers away ;)

    6. Re:public passwords by Cro+Magnon · · Score: 1
      I hate it when users just give up their password when asked.
      Yeah, I know. I would NEVER tell anyone that my password is "********".
      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    7. Re:public passwords by lowrydr310 · · Score: 1
      When you call a Sprint customer service representative, you are required to give them your phone number and account password over the telephone. Unfortunately, this account password is the same that is used to access your account information online.

      I always question the CSR's need for my password and they tell me it's for security purposes, however every other company I deal with always has other ways of determining your identity (address, birthdate, last 4 numbers of SSN). I guess any method of verifying identity over the phone can reveal too much personal information.

      The real problem I have is trusting a Customer Service Representative. When they make $10 an hour to talk with angry customers all day long, what's to stop them from using someone else's SSN, DOB, Address, or account numbers to their personal advantage?

    8. Re:public passwords by robbkidd · · Score: 1

      One thing that windows lacks is for an Admin user to be able to impersonate anyone ala su under unix. It would make fixing problems for other people so much easier as you could log into their computer as them using your/admin credentials.

      Granted, a su-like utility would be more useful, but there is a way to do this. As an admin, you can:

      • change the user's password to something you know,
      • log in as the user, fix the problem,
      • leave the user a note that they need to contact you (or an appropriate helpdesk) to have their password reset to something only they know.
    9. Re:public passwords by Anonymous Coward · · Score: 0

      There's actually such a command tool included with the Windows resource kits:

      runas /profile /user:MyUser "some commands"

    10. Re:public passwords by brj · · Score: 1
      No need to do any programming at all...

      C:\>WINNT\system32\runas.exe /?
      RUNAS USAGE:

      RUNAS [/profile] [/env] [/netonly] /user:<UserName> program

      /profile if the user's profile needs to be loaded
      /env to use current environment instead of user's.
      /netonly use if the credentials specified are for remote access only.
      /user <UserName> should be in form USER@DOMAIN or DOMAIN\USER
      program command line for EXE. See below for examples

      Examples:
      > runas /profile /user:mymachine\administrator cmd
      > runas /profile /env /user:mydomain\admin "mmc %windir%\system32\dsa.msc"
      > runas /env /user:user@domain.microsoft.com "notepad \"my file.txt\""

      NOTE: Enter user's password only when prompted.
      NOTE: USER@DOMAIN is not compatible with /netonly.
    11. Re:public passwords by marcansoft · · Score: 1

      That won't work. "su" will spawn a shell and startx will be executed as admin user once the shell is closed. It'd be more like "su foo -c startx". Maybe "su - foo -c startx"

    12. Re:public passwords by Ciaran_H · · Score: 1

      Actually, you could replace the "&&" with "-c" and it'd have the result you intended. :)

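      The su semantics argued over in the replies above (Fred_A, lachlan76, marcansoft, Ciaran_H), as an added example that is not code from any poster: fake_su is a hypothetical stand-in for su so the script runs without root, and the three functions show in which identity startx actually ends up executing for each form.

```shell
#!/bin/sh
# Added example, not code from the thread: a root-free simulation of why
# "su foo && startx" and "su foo -c startx" behave differently.
# fake_su is an assumed stand-in for su: it runs a subshell in which
# CURRENT_USER is the target user. With -c it runs the given command inside
# that subshell; without -c it stands in for the interactive shell an admin
# would get, and returns once that shell exits.

CURRENT_USER=root
CURRENT_HOME=/root

# fake_su [-] USER [-c COMMAND]
fake_su() {
    _login=0
    if [ "$1" = "-" ]; then _login=1; shift; fi
    _target=$1; shift
    if [ "$1" = "-c" ]; then
        # -c: the command runs in the switched context, then su returns
        (
            CURRENT_USER=$_target
            # "-" also resets the environment, as a login shell would
            [ "$_login" -eq 1 ] && CURRENT_HOME=/home/$_target
            eval "$2"
        )
    else
        # no -c: an interactive shell would run here; the admin exits it
        ( CURRENT_USER=$_target; : "interactive shell exits here" )
    fi
}

# startx stub: report the identity and home directory it was started with
startx() {
    echo "startx as $CURRENT_USER home=$CURRENT_HOME"
}

# The form from the thread: startx only runs after the su shell has exited,
# so it runs in the ORIGINAL (admin) context, not as foo.
chain_form() { fake_su foo && startx; }

# The corrected form: startx runs inside the switched context.
dash_c_form() { fake_su foo -c startx; }

# The login-shell variant: switched context plus the target user's home.
login_form() { fake_su - foo -c startx; }
```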
    13. Re:public passwords by initialE · · Score: 1

      You fail it. The whole point was to impersonate the user w/o having to know his password. Runas specifically requires knowledge of a user's password.

      --
      Starbucks, Harbuckle of Breath.
  45. No wonder... by Spy+der+Mann · · Score: 2, Insightful

    with this American culture showing hour and half infomercials, telling you lots of lies and "DIAL NOW and GET SLIM, BE HAPPY FOREVER" pressure.

    The American public has been educated by the media into BELIEVING scams, rather than distrusting them. No wonder it's the country with the greatest incidence of religious cults (as in "brainwashing" cults).

    So is it a mystery that people fall for sharing their passwords?

  46. HUMAN SOFTWARE UPGRADE!! by Maxhrk · · Score: 2, Funny

    HUMAN VERSION 2.0 CHANGELOG Fixed social engineering immunity system KNOWN BUG: AIDS Aging problem heart disease etc... (you know the rest.. i am trying to be funny :( )

  47. Mod parent insightful, please by godless+dave · · Score: 2, Insightful

    The american public has been educated by the media into BELIEVING scams, rather than distrusting them.

    --
    "If it's real, then it gets more interesting the closer you examine it. If it's not real, just the opposite is true." -
  48. Been There Done That by WaldoXX · · Score: 2, Insightful

    What did we learn from Kevin Mitnick's social engineering hacks? ABSOLUTELY NOTHING... Seems like employers have to teach their support staff the first word you learned as a tyke... NO

  49. It's a darn shame... by Lord_Breetai · · Score: 3, Funny

    I guess cracking the IRS dbase isn't so impressive. Poor Trinity. ^_^

    --
    "You are only young once, but you can be immature forever." -www.animemusicvideos.org
    1. Re:It's a darn shame... by mike2R · · Score: 1

      That was a long time ago..

      --
      This sig all sigs devours
  50. OverRated: Somebody didn't RTFA. by TubeSteak · · Score: 1
    unless the Auditors used the Tech Line's desk number, any (semi-intelligent) IRS employee would feel a little cautious.
    As you would have discovered by reading the fucking article
    or God help /. if you had read a little further down the page
    You would have noticed numerous posts talking about this gem:
    Other employees could not find the caller's name on a global IRS employee directory but gave their information anyway. Some hesitated but got approval from their managers to cooperate.

    Like you said Yurii's Master (or do you prefer Tuba Swimmer?)
    I hate stupid poeple...
    ahem. . . . . . pEOple

    --
    [Fuck Beta]
    o0t!
  51. make it a game by PsiPsiStar · · Score: 1

    Do this regularly. Ask all employees to report breakin attempts. Give notices to those who fail to report. Dock the pay of anyone who gives out their password. Let employees know that you're doing it. Make them understand what the appropriate response is.

    Paranoia is healthy.

    --

    ___
    It's the end of my comment as I know it and I feel fine.
  52. Someone buy the movie rights by Gax · · Score: 1

    "IRS Employees Fall For Hackers" sounds like a story of lovers divided by insurmountable odds, but united by their mutual love of chat rooms. In a bold move the hacker accesses the IRS employee's computer and leaves behind a box of Cadbury's Milk Tray and a note declaring his/her undying love. It simply read "pwned".

  53. and how exactly do you later change ... by xlurker · · Score: 1
    your biometric "password"?

    You can't exactly "share" your fingerprint with someone on the phone.

    At the moment that may be so, but what do you do when after years of using biometric based authentication, someone finds out how to gain entry by providing your biometric identification?

    If the system were "changeable key" based and somebody found out your key, the simple retort would be to change the key.

    Whatcha going to do if your right thumb or right eye-ball has been "compromised"...? Yes, yes, some will say "just use the other eye or thumb". That's ridiculous. The person that went through the trouble to get your ID the first time, will simply do it again for the other ID (if he didn't already do it the first time).

    Additionally, biometric data being just that: biometric, makes stealing the data from a person against his will laughably easy. Get the guy, hold him down, scan, cut or copy. If the system was "changeable key" based he would at least have the options of

    • not divulging it, if it's something he has to remember,
    • destroying, disposing or deactivating it, if it's an object.
    Surprisingly the key advantages of "changeable key" id are also the source of its disadvantage. To me something, most likely a "necessary something", that poses an advantage and disadvantage at the same time sounds like a responsibility.
    --
    ______________________________________________
    sigamajig...
    1. Re:and how exactly do you later change ... by Firethorn · · Score: 1

      At least with fingerprints, this has already been done. For $50 of equipment, you can lift a print from something like a drinking glass or other hard surface, and end up with a 'gummy finger' that isn't obvious (remember Gattaca?).
      All it takes is gelatin (local supermarket), and some photography materials available over the internet and camera shops. Heck, there are a couple of people who worked it using a lamp, digital camera and printer, then transferred it to the gummy finger.

      While not perfect, the results I've read about result in 50-75% acceptance rate, per try. That means that it might take two or three tries, but you'll usually get it.

      --
      I don't read AC A human right
  54. Like they're getting out of it that easily.. by t_allardyce · · Score: 1

    "If there is any good news in the story it is that the 35% figure represents a substantial reduction from the 71% who fell for the ruse in 2001."

    The other good news comes from knowing that 35% of IRS employees have now been suspended pending contract review, re-training or dismissal. Darwin in action.

    --
    This comment does not represent the views or opinions of the user.
    1. Re:Like they're getting out of it that easily.. by Anonymous Coward · · Score: 0

      That would be 35 employees, not 35%. It's in the article if you care to read it.

  55. 'hacker' etymology by Anonymous Coward · · Score: 0

    Hacker "one who gains unauthorized access to computer records" is 1983

    Are you any less into the system if you had to do less work to become so? I don't think so.

    Hacking is not relegated to command-line operations; if you get into the system, you get into the system. Just cuz it's not the sexiest thing you've ever heard of, doesn't make it any less lethal.

    But then I tend to think anyone who wastes a lot of oxygen crowing about what IS hacking and what's NOT hacking is focused a bit too much on the cosmetics and probably not enough on the substance -- despite emphatic protestations to the contrary.

  56. Other reasons it's failing by 192939495969798999 · · Score: 2, Insightful

    There's another reason why social engineering works at a company like the IRS. They probably have a very CMM level 0 process for managing their I.T. infrastructure, and people just have to give out their passwords all the time just to get something they need fixed inside of a month. Turn that stuff around, and a lot fewer people will be giving out passwords.

    --
    stuff |
    1. Re:Other reasons it's failing by BenEnglishAtHome · · Score: 1

      You may be just guessing, but, take it from an insider, that's the most insightful thing that's been posted here. Well, except for my own anon postings to this article. :-)

      Wish I had mod points for ya.

  57. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  58. and by Anonymous Coward · · Score: 0

    25% still use PASSWORD as their password.

    how come they never mention that?

  59. I'm an SA for the DoT. by rgf71 · · Score: 2, Interesting

    This is very close to home for me. I'm the systems administrator for one of IRS's Training Centers.

    Other posters are correct... Government hasn't embraced technology nearly to the degree that the rest of the world has. My site in particular still has mostly 1GHz machines, and half of them are still running NT4.

    You have to understand that most of IRS' employees are either accountants or lawyers, used to doing everything on paper. Getting these people trained on technology is getting better, but it's classically been like nailing jello to a wall. Only recently has there been any real effort to provide adequate training for everyone who touches a computer.

    Also note, of the ~103,000 IRS employees, I'd say 60 - 75% of them are older, near retirement. We all know how well older people love new technology:)

  60. Good news and bad news by MarkGriz · · Score: 1

    "The result: over one-third shared their passwords. If there is any good news in the story..."

    That *was* the good news. The bad news is that 95% of the passwords were either "1234" or "password"

    --
    Beauty is in the eye of the beerholder.
  61. if 35% fell for it what did the other 65% do? by sxmjmae · · Score: 1

    If 35% fell for it what did the other 65% do?

    Of the 65% did any of them report the request to gain access?

    --
    My Sig indicates the end of the comment I posted.
  62. SysAdmins Partially to Blame by Anonymous Coward · · Score: 1, Interesting

    I work in a huge 'Fortune 10' company, and quite often sysadmins (while doing some configuration or other) will ask for my password to type it in themselves rather than surrender the keyboard to let me type it in. I can tell you it's awkward to refuse to give it, so you go with the flow.

    When real sysadmins encourage/expect this behavior, is it surprising that employees give their passwords to fake ones?

    1. Re:SysAdmins Partially to Blame by Anonymous Coward · · Score: 0

      Then you're just not using a complex enough password!

      You need to ensure that the process of telling them the password will leave them catatonic or preferably suicidal. Going overboard with non-alphanumeric characters is highly recommended.

      "Whaddayoumean the password won't work? Did you remember to 1337-convert every character with an index in the Fibonacci-sequence, uppercase all prime indices and ROT13 encrypt the rest?"

  63. Arrgh "hackers" by nurb432 · · Score: 1

    Can't anyone use the term properly anymore?

    And it's just social engineering/salesmanship anyway.. No magic in what they did..

    --
    ---- Booth was a patriot ----
  64. only 35% ? by Some_Llama · · Score: 1

    "If there is any good news in the story it is that the 35% figure represents a substantial reduction from the 71% who fell for the ruse in 2001."

    Could this be from employee turnover? Since they did this same exact thing in 2001 I would think it would be hard to get people who went through this before to fall for it again...

    35% = new employees?

    1. Re:only 35% ? by BenEnglishAtHome · · Score: 1

      As a result of ridiculously shortsighted budgets for the last couple of decades, the IRS is bleeding institutional knowledge at a crippling rate as oldsters retire before they can pass on their knowledge to newbies. Nevertheless, the turnover is nowhere near 35% in 4 years. The IRS hasn't hired nearly that many folks over that period.

  65. change the password every week for failure by Anonymous Coward · · Score: 0

    The 35 percent of employees who failed should be forced to change their password every week. This should cure them of falling for such ruses in the future.

  66. I hope so. by game+kid · · Score: 1

    I like chicks with glasses and suits. Anything over Jessica Simpson*, that's my motto. Though I am scared that they might, uh, overtax my accounts.

    *fully realizing she has some amazing [ahem]assets herself, but the chicken-tuna-fish thing destroyed almost every blonde singer's chance of my looking their way. I still like Ashlee though...

    --
    You can hold down the "B" button for continuous firing.
  67. paraphrase by RMH101 · · Score: 1

    ...phone up a user, tell them to change their password to x. login and fuck about. the end. this is +5, why?

    1. Re:paraphrase by nacturation · · Score: 1

      ...phone up a user, tell them to change their password to x. login and fuck about. the end. this is +5, why?

      The point you seemed to miss is that the purpose of any con is to gain the user's trust. Why should somebody trust you when you ask them to change their password? And how likely will it be that you'll hit someone who is somewhat security conscious, reports the phone call, and causes you trouble?

      However, going through the supposed security exercise reinforces the notion of trust, makes the user feel good that they're helping, and in the end they believe their account is fully secure because they've never given out the password. The likelihood of them being suspicious is even lower and odds are good it'll never raise any red flags.

      But hey... your choice.

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.