Slashdot Mirror


IRS Employees Fall For Hackers

linuxwrangler writes "Treasury department auditors recently posed as network technicians and attempted to get IRS employees to reveal their usernames and passwords and/or change the password to one suggested by the "technician". The result: over one-third shared their passwords. If there is any good news in the story it is that the 35% figure represents a substantial reduction from the 71% who fell for the ruse in 2001."

10 of 279 comments

  1. No matter what OS you're running... by TelJanin · · Score: 5, Informative

    ...the user is the largest security hole. Either you can restrict them to where they can't do their job, or somebody can get them to reveal their u/p for a candy bar.

  2. Giving out passwords by dcclark · · Score: 5, Informative

    Other employees could not find the caller's name on a global IRS employee directory but gave their information anyway. Some hesitated but got approval from their managers to cooperate.

    Scary.

    Call me silly, but I think people should know that ANYONE in a position to legitimately be messing around with your account already has the ability to do what they need without giving you a call. There should be a simple policy (and maybe there even is, but obviously even some managers don't know): DON'T give out your password or userid to anyone. Period. And start telling that to the managers!

  3. Defence Against Social Engineering by Shackleford · · Score: 5, Informative

    As I read through the article, I wondered what it was that made these employees think that giving their usernames and passwords could possibly correct anything that was occurring on the network. Then in the article was the explanation I was looking for.

    "Some said they were not aware of the hacking technique and did not suspect foul play, or they wanted to be as helpful as possible to the computer technicians. Some were having network problems at the time, so the call seemed logical."

    It all appears to come from these people naturally wanting to help those who ask for assistance and claim to be trying to help them. It also can be the result of ignorance, with their lack of knowledge of this technique, and thinking that it would be logical to give that kind of information. But here's what I find most interesting:

    "Other employees could not find the caller's name on a global IRS employee directory but gave their information anyway. Some hesitated but got approval from their managers to cooperate."

    It was managers that gave this approval? Aren't they the ones who should be informing the employees of social engineering attacks? I think this may be the problem right here.

  4. A book about social engineering by comwiz56 · · Score: 3, Informative

    I suggest to anyone interested in social engineering (defending or attacking) to read the book 'The Art of Deception' by Kevin Mitnick, the hacker god himself.

  5. Re:Social Engineering is the biggest problem by nacturation · · Score: 5, Informative

    Besides, any admin worth his salt will reset a user's password and tell him to change it instead of telling him to change it to what the admin wants.

    There's a good scam I read about in a book, I think it might have been the one written by Mitnick. Here's how it works:

    You pretend to be the network administrator testing some new security procedures and you phone up your target user. Introduce yourself and say that you're running some security testing on the networks and you need five minutes of their time to do some testing. Remind them that never, under any circumstances, should the user tell anybody else their password. Even reinforce that they shouldn't even tell you, as you don't need to know.

    Now here's the trick. Ask them to log off. Once they've done that, tell them that you're doing some monitoring and that they should now log in with their password... "and remember, don't tell me what it is!" Great, now we need to test the change password function. Get them to change their user account password to something which is known, such as "abacus". Once they've changed their password, ask them to log off again. You, the intruder, can now log in to their account as you know the password. If it's Unix-based, you can set up some kind of daemon to run and accept connections, grab random files, log in to the corporate VPN, whatever. Stall them for a little bit while you pillage their network... get them to log in, letting them know you can't see their login come through, etc. Whatever buys you the time you need.

    Then get them to log in once more and change their password back to what it was. Remind them yet again not to tell you that password as they should never tell anybody what their password is. Thank them for their time and for helping you test the security system [and for allowing you to preview tomorrow's result of whether or not the FDA will be accepting or rejecting their new drug therapy, thereby allowing you to take out appropriate options on the stock].

    --
    Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
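One defender-side check for the routine described in the post above, added here as an example and not part of the original thread: it scans constructed authentication events for a password changed twice within a short window with a logon from a host other than the user's own in between, which is the trace the change-to-a-known-value-and-back trick leaves behind. The event format, host names and time window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the page): (time, user, event, host).
# jdoe's sequence mirrors the scam above: password changed on the workstation,
# a logon from a different host, then the password changed back minutes later.
SAMPLE_EVENTS = [
    ("2005-03-15 09:58:00", "jdoe", "logon", "WS-0412"),
    ("2005-03-15 10:01:00", "jdoe", "logoff", "WS-0412"),
    ("2005-03-15 10:02:00", "jdoe", "logon", "WS-0412"),
    ("2005-03-15 10:03:00", "jdoe", "password_change", "WS-0412"),
    ("2005-03-15 10:04:00", "jdoe", "logoff", "WS-0412"),
    ("2005-03-15 10:05:00", "jdoe", "logon", "VPN-GW-2"),  # not the user's workstation
    ("2005-03-15 10:17:00", "jdoe", "logoff", "VPN-GW-2"),
    ("2005-03-15 10:18:00", "jdoe", "logon", "WS-0412"),
    ("2005-03-15 10:19:00", "jdoe", "password_change", "WS-0412"),
    ("2005-03-15 11:00:00", "asmith", "password_change", "WS-0777"),  # ordinary single change
    ("2005-03-15 11:05:00", "asmith", "logon", "WS-0777"),
]


def parse(events):
    """Turn the string timestamps into datetime objects; field order is unchanged."""
    return [(datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), u, e, h) for t, u, e, h in events]


def find_password_bounce(events, window=timedelta(hours=1)):
    """Return (user, first_change, second_change, foreign_hosts) for each user whose
    password was changed twice within `window` with a logon from another host between
    the two changes. The host of the first change is treated as the user's own."""
    alerts = []
    by_user = {}
    for ev in parse(events):
        by_user.setdefault(ev[1], []).append(ev)
    for user, evs in by_user.items():
        evs.sort()  # chronological; tuples sort on the datetime first
        changes = [ev for ev in evs if ev[2] == "password_change"]
        for first, second in zip(changes, changes[1:]):
            if second[0] - first[0] > window:
                continue
            foreign = sorted({ev[3] for ev in evs
                              if first[0] < ev[0] < second[0]
                              and ev[2] == "logon" and ev[3] != first[3]})
            if foreign:
                alerts.append((user, first[0], second[0], foreign))
    return alerts


if __name__ == "__main__":
    for user, t1, t2, hosts in find_password_bounce(SAMPLE_EVENTS):
        print(f"{user}: password changed at {t1} and again at {t2}; logon from {hosts} in between")
```

A legitimate help-desk reset produces the same two-change pattern, so the rule is a triage signal to pair with a call-back to the user, not proof on its own.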

  6. Re:Social Engineering is the biggest problem by DreamerFi · · Score: 2, Informative

    I hope you gave the guy a compliment. I always remark how I appreciate their concern for security when somebody does something similar. It's unfortunate good behaviour needs to be rewarded, but that's life...

  7. Re:there's worse by camusflage · · Score: 4, Informative

    that's right; there's just a single password for every user

    Not any US bank, I wouldn't think. You see (and I work for a bank, so I know a thing or two..), every year, we have a couple of audits. In addition to the SEC stuff, which really doesn't touch much here, FDIC makes sure our procedures are solid. The bigger audit is OCC (Office of the Currency Comptroller). Typically, we have several auditors on-site for a week or a week and a half, poring over standards, guidelines, and procedures. If, and this is a big if, we had anything like a single password for all users, we would be dinged most severely.

    Then there's the whole GLBA (Gramm-Leach-Bliley Act) morass. GLBA governs a lot of things for banks, but most importantly for this discussion, that any customer sensitive or confidential data must be protected, access audited, etc. A single password for every user is neither protected nor auditable. Any financial institution found doing such things would be socked with a rather nasty five figure fine, more than likely. That alone is incentive enough not to cut corners on security.

    --
    The truth about Scientology, Xenu, and you: Operation Clambake

  8. Re:public passwords by lachlan76 · · Score: 3, Informative

    Look on msdn, there's an ImpersonateUser function you can use, if you know how to program.

    Write up a quick VB/C++/C#/Whatever app, make up a login prompt, get it to login, impersonate the user, and start explorer (obviously, you'll need to shut down explorer first).

    You could do the same and spawn cmd as well, if that's all that is needed.

  9. Re:No Surprise here by BenEnglishAtHome · · Score: 4, Informative

    A few notes from someone who works at the subject TLA.

    ...the typical IRS employee has probably only had a computer for 6 months.

    Flat wrong. Essentially every IRS employee gets a computer when they come on board.

    ...it is probably a crippled 386.

    Wrong. All the 386s have been gone for years. The slowest machines in common use are 800 MHz Dell C600s and they're being replaced this year.

    The IRS has NEVER been at the forefront of technology.

    Demonstrably wrong. Look at the history of LCD fabs for one example. Specifically, IRS demand for larger LCDs drove much of that industry's momentum a couple of decades ago. Look up the screen specs for the old Zenith 171 lunchbox computer.

    You want more current examples? Linux deployment, our VPN implementations, and plenty of other things we do have been at the leading edge of what's workable for a long time.

    ...it is a well kept secret that their use of technology is very limited.

    Where in the hell did you get that idea? Holy smoke, our work processes are so tied to technology it's ridiculous. That's why people freak out when computers don't work and they're willing to do anything, even, sometimes, give out their passwords, to get things working again. I really don't know where you're getting this crap.

    ...the caliber of people that will actually work for the IRS is not exactly the highest in the world.

    Ad hominem and not worth responding to. Wrong, to boot.

    ...It is mostly Civil Service work.

    The Civil Service system is almost dead. If you didn't get on board over 20 years ago, you're probably not even a member. Almost everyone is a Federal Employee Retirement System member now, so the old "stay there a lifetime and ossify in your chair because you're bound to the retirement system" motivation no longer exists. As for the more general use of the term, as in "Civil Service protections," they've been under unrelenting attack for so long there's little left. Yes, it's different from private industry but the old image of "Civil Service," which is what you're evoking, is simply no longer anywhere close to accurate.

    ...before you jump up my ass with flames about not being fair, I am being fair. I didn't say Civil Service was bad, it just doesn't attract the finest we have to offer.

    I would never flame someone for ignorance. Ignorance is curable.

    Try training them.

    Finally, something insightful. Thank you. The IRS dedication to computer training is pitiful and if that condition were corrected, much of these problems would go away.

    As an aside, the IRS was on the verge of making huge inroads on this in 2001. We had set up a new-hire training model that shipped all new employees to a central location for training. The advantages were absolutely huge. This successfully addressed complaints from tax professionals about disparate enforcement of tax law in different jurisdictions because everyone was going to be trained to do things the same way. In addition, since everyone was in one place at the same time, the IT folks had managed to get time slots to provide real, quality training to everyone. Things were good.

    We were in class on 9/11. We dealt with getting people home during the full ground stop. We dealt with people who saw massive numbers of their coworkers dying on television and simply collapsed under the emotional assault. (Not our people, but some of the folks working in the same facility were HQ'd in the WTC.) We dealt with people having an unreasonable fear of flying for a long time. (I spent a half day printing maps and plotting routes for shaky employees who had chosen to rent cars and drive home, even if that drive was a thousand miles.)

    The bottom line, though, was that centralized (read: high quality, consistent) training was then deemed too cumbersome and the program canceled. Big mistake. I hope we find a better way to do things before I retire.

  10. Re:Social Engineering is the biggest problem by bluGill · · Score: 2, Informative

    Are you aware that Visa does allow you to check any ID other than the signature on the back of the card? See id not valid