Slashdot Mirror


IRS Employees Fall For Hackers

linuxwrangler writes "Treasury department auditors recently posed as network technicians and attempted to get IRS employees to reveal their usernames and passwords and/or change the password to one suggested by the "technician". The result: over one-third shared their passwords. If there is any good news in the story it is that the 35% figure represents a substantial reduction from the 71% who fell for the ruse in 2001."

25 of 279 comments

  1. Social Engineering is the biggest problem by suso · · Score: 5, Insightful

    Just like I always say. Social Engineering is the biggest security problem nowadays. Maybe this time it showed a decrease in the people who fell for the attack, but I bet that if the Auditors increased the sophistication of their ruse, that they would actually increase the amount who fell for it.

    1. Re:Social Engineering is the biggest problem by LewsTherinKinslayer · · Score: 5, Insightful

      Social Engineering has always been the biggest problem. There is no such thing as perfect security when too many people are in the know, or have some sort of access.

      No matter how good an encryption system is, its obviously going to fail if the person breaking in has the right information.

    2. Re:Social Engineering is the biggest problem by game+kid · · Score: 2, Insightful

      Absolutely; it's too easy to fool someone into doing something like making them change their password this way, simply because people are nervous about their computers and they'd obey anyone who sounds technical enough. It's like people need a minimum Bachelor's in CS* to live in this age.

      *not that said degrees are/are not useful, just that lots of people need to learn a lot about computers and scams like this. Now.

      --
      You can hold down the "B" button for continuous firing.
    3. Re:Social Engineering is the biggest problem by yuriismaster · · Score: 4, Insightful

      I think they should take any person who fell for this and instantly can them. I mean, unless the Auditors used the Tech Line's desk number, any (semi-intelligent) IRS employee would feel a little cautious. Their job is VERY important, and any security breach spells disaster.

      I think there should be a memo at every single person's desk: "Never give out your password or credit card number in a phone call." (Quick play on MSN's security warning..)

      Besides, any admin worth his salt will reset a user's password and tell him to change it instead of telling him to change it to what the admin wants.

      I hate stupid people...

    4. Re:Social Engineering is the biggest problem by suso · · Score: 5, Insightful

      Right, but it also *seems* (I have no fact to back up this claim) that social engineering is the least worried about security vulnerability.

      I was however pleasantly surprised recently when going to a gas station, paying at the pump, the receipt didn't print out and when I went inside the cashier actually asked me for the last name on the card instead of just handing me the receipt. I almost offered him a job.

    5. Re:Social Engineering is the biggest problem by LewsTherinKinslayer · · Score: 4, Insightful

      that social engineering is the least worried about security vulnerability.

      That's an excellent point. I'd say perhaps that instead of being least worried about, it's more likely the most overlooked. When you think of stopping hackers, most people picture a firewall program and a router. Not their telephone and a random IT department problem.

    6. Re:Social Engineering is the biggest problem by Elminst · · Score: 3, Insightful

      I believe this is how the "most famous hacker ever" (mitnick) got into most of the systems.
      It's been proved time and time again that it is so much easier to just walk up and ask for a password than to try and crack it.

      1024-bit encryption doesn't prevent a helpful secretary with her password on a post-it note stuck to the front of her monitor.

      --
      No unauthorized use. Trespassers will be shot. Survivors will be shot again.
    7. Re:Social Engineering is the biggest problem by GigsVT · · Score: 4, Insightful

      Well that's an example of a "feelgood" security measure that is counter productive.

      Get rid of the buzzer on the door, get rid of the keycards. Get rid of anything that creates a false sense of security, or an idea that you are somehow within a "trusted" environment.

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
    8. Re:Social Engineering is the biggest problem by Paul+McMahon · · Score: 2, Insightful

      There is no such thing as perfect security when too many people are in the know, or have some sort of access. There is no such thing as perfect security. Given sufficient motivation, time, and resources, any protection can be overcome.

    9. Re:Social Engineering is the biggest problem by KingJoshi · · Score: 4, Insightful

      I'm working temporarily as a cashier at a fast food place. Sometimes, I get tips from people when I ask them for IDs on their credit cards :)

      People are willing to pay a huge price for convenience. Social engineering attacks exploit that, but obviously, it hasn't been enough to make people cynical or stringent on rules.

      My first inclination was to make the process of buying and receiving the food fast and convenient. Many people don't bring out their IDs with their credit cards and sometimes have to dig through purses for them. So it makes it slower and inconveniences them. Obviously, I understand that security is important enough, but it's not something people are taught. And even if you are, when you have rushes of people and some can be a pain, you just want to get them through.

      But even then, you have to wonder what balance to reach. Do you always reject people if they don't have their IDs? On campus, some places take your ID if you check something out or whatever. How trusting can you be? And "never" just doesn't work in regards to customer service because you want the people to feel as they're treated well and come back (without angering those that care about security).

      Social engineering will always work into the future because people are willing to take certain losses (billions of dollars each year) for convenience, values such as courtesy and (as in the secretary case the other guy mentioned) save face.

      Then, you have issues of people that rebel due to overly strict rules or disagreement with them. I know that many universities have had to deal with theft. The Engineering department at MSU locks the doors on the buildings around midnight (though the hours say until 2am) and since so many people come in and go out of the building later than that, the students keep a trash can to prop the door open. And if I'm going out of the building, I wouldn't hesitate to keep it open for someone who's trying to get in.

      With software it's the same things. Writing passwords down or whatever. Given the option between security and convenience, most likely, it'll be the latter.

      --
      In times like these, it is helpful to remember that there have always been times like these. - Paul Harvey
  2. I would be happy.. by KenFury · · Score: 5, Insightful

    While not perfect results, a 50% decrease in the number of users giving away their password is a victory. Hopefully in a few years it will be down to 10%.

    1. Re:I would be happy.. by LewsTherinKinslayer · · Score: 3, Insightful

      ... Hopefully in a few years it will be down to 10%

      I like your goal, it's actually feasible. I think it would be pretty much impossible to make social engineering ineffective in any large business or agency.

      Better training to recognizing attempts at social engineering I think would make a world of difference.

    2. Re:I would be happy.. by vfwlkr · · Score: 3, Insightful

      However, when it comes to IRS, SSA or the like, even 10% would be a defeat. Hackers need only one account to gain unauthorised access, not 10% of the workforce!

      --
      If you're not using firefox, you're not surfing the web, you're suffering it.
    3. Re:I would be happy.. by gstoddart · · Score: 3, Insightful
      ... Hopefully in a few years it will be down to 10%

      I like your goal, it's actually feasible. I think it would be pretty much impossible to make social engineering ineffective in any large business or agency.

      Not to detract from the observation this is a vast improvement, but I should think you could do one hella lot of mischief with even a 10% rate of success. Especially at the IRS. And almost anyplace else, come to think of it.
      --
      Lost at C:>. Found at C.
    4. Re:I would be happy.. by Matilda+the+Hun · · Score: 2, Insightful

      You think you'd be able to get it through some people's heads: "DON'T GIVE OUT YOUR PASSWORD!" It's not brain surgery...if an admin needs to get you to change your password, he can set an expiration date...or, *gasp*, talk to you in person. Or log into your account using su and just leave a note. You just don't do things like that over the phone...

      --
      Tluin natha Linux xxizzuss uriu olt bwael mon'tun.
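The reset procedure that yuriismaster (admin resets the password and tells the user to change it) and Matilda the Hun (set an expiration, talk to the user in person) both describe, as an added example that is not part of the original thread or of any IRS system: a toy in-memory account store in which the only administrative action is to issue a random one-time password flagged must-change, so nobody on the phone can learn the current password or dictate the new one. The class and function names (AccountStore, admin_reset, change_password) and the sample account are assumptions of this example.

```python
"""Added example (not from the Slashdot thread): admin-initiated password reset
with forced change at next login.  In-memory toy; names are this example's own."""
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERATIONS = 100_000   # demo value; tune for production hardware
MIN_PASSWORD_LEN = 12


class AccountStore:
    def __init__(self):
        # username -> {"salt": bytes, "digest": bytes, "must_change": bool}
        self._accounts = {}

    @staticmethod
    def _digest(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def _store(self, user, password, must_change):
        salt = os.urandom(16)
        self._accounts[user] = {
            "salt": salt,
            "digest": self._digest(salt, password),
            "must_change": must_change,
        }

    def create(self, user, password):
        self._store(user, password, must_change=False)

    def _verify(self, user, password):
        rec = self._accounts.get(user)
        if rec is None:
            return False
        # constant-time comparison of the stored and recomputed digests
        return hmac.compare_digest(rec["digest"], self._digest(rec["salt"], password))

    def admin_reset(self, user):
        """The only admin path.  It takes no password argument, so neither an
        admin nor a caller posing as one can choose the value.  The random
        temporary password is handed to the user out of band (in person or via
        a channel the caller did not pick) and is flagged must_change."""
        if user not in self._accounts:
            raise KeyError(user)
        temp = secrets.token_urlsafe(12)
        self._store(user, temp, must_change=True)
        return temp

    def login(self, user, password):
        """Returns 'ok', 'must_change' (temporary credential accepted, but no
        session until the user sets their own password) or 'denied'."""
        if not self._verify(user, password):
            return "denied"
        return "must_change" if self._accounts[user]["must_change"] else "ok"

    def change_password(self, user, current, new):
        """Only the account holder, proving knowledge of the current
        (temporary) password, sets the new one.  The admin never sees it."""
        if not self._verify(user, current):
            return False
        if new == current or len(new) < MIN_PASSWORD_LEN:
            return False
        self._store(user, new, must_change=False)
        return True


def demo():
    """Walk through a reset; returns the sequence of login outcomes."""
    store = AccountStore()
    store.create("alice", "winter2005!xyz")        # constructed sample account
    temp = store.admin_reset("alice")              # admin issues a one-time password
    results = [
        store.login("alice", "winter2005!xyz"),    # old password no longer works
        store.login("alice", temp),                # temp works but forces a change
    ]
    store.change_password("alice", temp, "correct-horse-battery")
    results.append(store.login("alice", temp))     # temp is dead after the change
    results.append(store.login("alice", "correct-horse-battery"))
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the design is that there is no function anywhere that accepts a password value from an administrator: the admin's only move is `admin_reset`, which is why a "technician" asking you to set your password to something they name has no legitimate counterpart in this flow.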
    5. Re:I would be happy.. by GigsVT · · Score: 3, Insightful

      If the other 90% actively reported attempted social engineering, and those reports were followed up on by real law enforcement, then it would raise the bar as to who would actually attempt such an attack.

      The only measure of security is:

      It would make an effective deterrent to all but the most dedicated intruder.

      That's all that matters. Increasing the dedication needed to break in is what security is all about.

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
  3. fire them by CAIMLAS · · Score: 4, Insightful

    any of those 35% that fell for it 4 years ago should immediately be sacked. you'd think that after such a drastic fuck up, someone might take it to heart...

    --
    ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
  4. Re:Fingerprints by forkazoo · · Score: 3, Insightful

    First off, biometrics are not very secure. Second, how do you ssh in? Most programs don't have hooks for biometrics, after all. Web browser based interfaces. Lots of off the shelf software. Things where you want most of the data to stay on a central server, rather than storing all the tax information for the US on a guy's laptop...

  5. Re:Company upgrade snafu by omahajim · · Score: 4, Insightful

    So if the IT department can't reset the password of their own employees, what the hell good are they? If you can't remember your password, you're forever locked out of your account? In a company with a "food chain" large enough to include a CEO, CTO, CFO, and "all the way down", they weren't using SMS or some other central software distribution system that doesn't require individual visits to client desktops? I don't doubt your story, I laugh at the clearly deficient system design that required someone to personally visit every desktop for some "upgrade". Or maybe I don't know what I'm talking about. I'm sure moderation will let me know.

  6. Re:"Hackers"? by 1u3hr · · Score: 3, Insightful

    Calling someone on the phone and asking them for their password is hardly "hacking", even in the loose sense most mainstream news media uses it.

  7. No wonder... by Spy+der+Mann · · Score: 2, Insightful

    with this american culture showing hour and half infomercials, telling you lots of lies and "DIAL NOW and GET SLIM, BE HAPPY FOREVER" pressure.

    The american public has been educated by the media into BELIEVING scams, rather than distrusting them. No wonder it's the country with the greatest incidence of religious cults (as in "brainwashing" cults).

    So is it a mystery that people fall for sharing their passwords?

  8. Re:Old News again on slashdot. by Anonymous Coward · · Score: 1, Insightful

    Excellent point.

    When companies start paying workers what it's actually worth to protect their data and resources, then maybe employees will care. If the average worker doesn't give a shit about company goods to begin with because they're disgruntled, giving out passwords is the last thing they're worried about.

  9. Mod parent insightful, please by godless+dave · · Score: 2, Insightful

    The american public has been educated by the media into BELIEVING scams, rather than distrusting them.

    --
    "If it's real, then it gets more interesting the closer you examine it. If it's not real, just the opposite is true." -
  10. Been There Done That by WaldoXX · · Score: 2, Insightful

    What did we learn from Kevin Mitnick's social engineering hacks? ABSOLUTELY NOTHING... Seems like employers have to teach their support staff the first word you learned as a tyke... NO

  11. Other reasons it's failing by 192939495969798999 · · Score: 2, Insightful

    There's another reason why social engineering works at a company like the IRS. They probably have a very CMM level 0 process for managing their I.T. infrastructure, and people just have to give out their passwords all the time just to get something they need fixed inside of a month. Turn that stuff around, and a lot fewer people will be giving out passwords.

    --
    stuff |