Slashdot Mirror

← Back to Stories (view on slashdot.org)

IRS Employees Fall For Hackers

Posted by samzenpus on from the this-mail-may-come-as-a-shock-to-you dept.

linuxwrangler writes "Treasury department auditors recently posed as network technicians and attempted to get IRS employees to reveal their usernames and passwords and/or change the password to one suggested by the "technician". The result: over one-third shared their passwords. If there is any good news in the story it is that the 35% figure represents a substantial reduction from the 71% who fell for the ruse in 2001."

17 of 279 comments (clear)

  1. Social Engineering is the biggest problem by suso · · Score: 5, Insightful

    Just like I always say. Social Engineering is the biggest security problem nowadays. Maybe this time it showed a decrease in the people who fell for the attack, but I bet that if the Auditors increased the sophistication of their ruse, that they would actually increase the amount who fell for it.

    1. Re:Social Engineering is the biggest problem by LewsTherinKinslayer · · Score: 5, Insightful

      Social Engineering has always been the biggest problem. There is no such thing as perfect security when too many people are in the know, or have some sort of access.

      No matter how good an encryption system is, its obviously going to fail if the person breaking in has the right information.

    2. Re:Social Engineering is the biggest problem by yuriismaster · · Score: 4, Insightful

      I think they should take any person who fell for this and instantly can them. I mean, unless the Auditors used the Tech Line's desk number, any (semi-intelligent) IRS employee would feel a little cautious. Their job is VERY important, and any security breach spells disaster.

      I think there should be a memo at every single person's desk: "Never give out your password or credit card number in a phone call." (Quick play on MSN's security warning..)

      Besides, any admin worth his salt will reset a user's password and tell him to change it instead of telling him to change it to what the admin wants.

      I hate stupid poeple...

    3. Re:Social Engineering is the biggest problem by suso · · Score: 5, Insightful

      Right, but it also *seems* (I have no fact to back up this claim) that social engineering is the least worried about security vulnerability.

      I was however pleasantly surprised recently when going to a gas station, paying at the pump, the receipt didn't print out and when I went inside the cashier actually asked me for the last name on the card instead of just handing me the receipt. I almost offered him a job.

    4. Re:Social Engineering is the biggest problem by LewsTherinKinslayer · · Score: 4, Insightful

      that social engineering is the least worried about security vulnerability.

      That's an excellent point. I'd say perhaps that instead of being least worried about, its more likely the most over looked. When you think of stopping hackers, most people picture a firewall program and router. Not their telephone and a random IT department problem.

    5. Re:Social Engineering is the biggest problem by Elminst · · Score: 3, Insightful

      I believe this is how the "most famous hacker ever" (mitnick) got into most of the systems.
      It's been proved time and time again that it is so much easier to just walk up and ask for a password than to try and crack it.

      1024-bit encryption doesn't prevent a helpful secretary with her password on a post-it note stuck to the front of her monitor.

      --
      No unauthorized use. Trespassers will be shot. Survivors will be shot again.
    6. Re:Social Engineering is the biggest problem by GigsVT · · Score: 4, Insightful

      Well that's an example of a "feelgood" security measure that is counter productive.

      Get rid of the buzzer on the door, get rid of the keycards. Get rid of anything that creates a false sense of security, or an idea that you are somehow within a "trusted" environment.

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
    7. Re:Social Engineering is the biggest problem by KingJoshi · · Score: 4, Insightful

      I'm working temporarily as a cashier at a fast food place. Sometimes, I get tips from people when I ask them for IDs on their credit cards :)

      People are willing to pay a huge price for convenience. Social engineering attacks exploit that, but obviously, it hasn't been enough to make people cynical or stringent on rules.

      My first inclination was to make the process of buying and receiving the food fast and convenient. Many people don't bring out their IDs with their credit cards and sometimes have to dig through purses for them. So it makes it slower and inconveniences them. Obviously, I understand that security is important enough, but it's not something people are taught. And even if you are, when you have rushes of people and some can be a pain, you just want to get them through.

      But even then, you have to wonder what balance to reach. Do you always reject people if they don't have their IDs? On campus, some places take your ID if you check something out or whatever. How trusting can you be? And "never" just doesn't work in regards to customer service because you want the people to feel as they're treated well and come back (without angering those that care about security).

      Social engineering will always work into the future because people are willing to take certain losses (billions of dollars each year) for convenience, values such as courtesy and (as in the secretary case the other guy mentioned) save face.

      Then, you have issues of people that rebel due to overly strict rules or disagreement with them. I know that many universities have had to deal with theft. The Engineering department at MSU locks the doors on the buildings around midnight (though the hours say until 2am) and since so many people come in and go out of the buildling later than that, the students keep a trash can to prop the door open. And if I'm going out of the building, I wouldn't hesitate to keep it open for someone who's trying to get in.

      With software it's the same things. Writing passwords down or whatever. Given the option between security and convenience, most likely, it'll be the latter.

      --
      In times like these, it is helpful to remember that there have always been times like these. - Paul Harvey
  2. I would be happy.. by KenFury · · Score: 5, Insightful

    While not perfect results, a 50% decrease in the number of users giving away their password is a victory. Hopefully in a few years it will be down to 10%.

    1. Re:I would be happy.. by LewsTherinKinslayer · · Score: 3, Insightful

      ... Hopefully in a few years it will be down to 10%

      I like your goal, its actually feasible. I think it would be pretty much impossible to make social engineering ineffective in any large business or agency.

      Better training to recognizing attempts at social engineering I think would make a world of difference.

    2. Re:I would be happy.. by vfwlkr · · Score: 3, Insightful

      However, when it comes to IRS, SSA or the like, even 10% would be a defeat. Hackers need only one account to gain unauthorised access, not 10% of the workforce!

      --
      If you're not using firefox, you're not surfing the web, you're suffering it.
      ---
    3. Re:I would be happy.. by gstoddart · · Score: 3, Insightful
      ... Hopefully in a few years it will be down to 10%

      I like your goal, its actually feasible. I think it would be pretty much impossible to make social engineering ineffective in any large business or agency.

      Not to detract from the observation this is a vast improvement, but I should think you could do one hella lot of mischief with even a 10% rate of success. Especially at the IRS. And almost anyplace else, come to think of it.
      --
      Lost at C:>. Found at C.
    4. Re:I would be happy.. by GigsVT · · Score: 3, Insightful

      If the other 90% actively reported attempted social engineering, and those reports were followed up on by real law enforcement, then it would raise the bar as to who would actually attempt such an attack.

      The only measure of security is:

      It would make an effective deterrent to all but the most dedicated intruder.

      That's all that matters. Increasing the dedication needed to break in is what security is all about.

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
  3. fire them by CAIMLAS · · Score: 4, Insightful

    any of those 35% that fell for it 4 years ago should immediately be sacked. you'd think that after such a drastic fuck up, someone might take it to heart...

    --
    ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
  4. Re:Fingerprints by forkazoo · · Score: 3, Insightful

    First off, biometrics are not very secure. Second, how do you ssh in? Most programs don't have hooks for biometrics, after all. Web browser based interfaces. Lots of off the shelf software. Things where you want most of the data to stay on a central server, rather than storing all the tax information for the US on a guy's laptop...

  5. Re:Company upgrade snafu by omahajim · · Score: 4, Insightful

    So if the IT department can't reset the password of their own employees, what the hell good are they? If you can't remember your password, you're forever locked out of your account? In a company with a "food chain" large enough to include a CEO, CTO, CFO, and "all the way down", they weren't using SMS or some other central software distribution system that doesn't require individual visits to client desktops? I don't doubt your story, I laugh at the clearly deficient system design that required someone to personally visit every desktop for some "upgrade". Or maybe I don't know what I'm talking about. I'm sure moderation will let me know.

  6. Re:"Hackers"? by 1u3hr · · Score: 3, Insightful

    Calling somone on the phone and asking them for their password is hardly "hacking", even in the loose sense most mainstream news media uses it.