Slashdot Mirror


IRS Employees Fall For Hackers

linuxwrangler writes "Treasury department auditors recently posed as network technicians and attempted to get IRS employees to reveal their usernames and passwords and/or change the password to one suggested by the "technician". The result: over one-third shared their passwords. If there is any good news in the story it is that the 35% figure represents a substantial reduction from the 71% who fell for the ruse in 2001."

28 of 279 comments

  1. No Surprise here by bananahead · · Score: 3, Interesting

    This does not surprise me, the typical IRS employee has probably only had a computer for 6 months. And it is probably a crippled 386. The IRS has NEVER been at the forefront of technology. In fact, it is a well kept secret that their use of technology is very limited. In addition, the caliber of people that will actually work for the IRS is not exactly the highest in the world. It is mostly Civil Service work. Now, before you jump up my ass with flames about not being fair, I am being fair. I didn't say Civil Service was bad, it just doesn't attract the finest we have to offer. Try training them.

    --
    A most overlooked advantage to owning a computer is if they foul up there's no law against whacking them around a bit.
    1. Re:No Surprise here by ebvwfbw · · Score: 2, Interesting
      Why do you think this? Have you ever been to an IRS office? The IRS has some of the newest systems out there. Most if not all employees work on a computer each day they are at work. I don't work for the IRS but I do interact with them professionally. I saw a lot of contemporary machines on desks - at least >= 2 gig Pentiums. Machines that you would find at any Fortune 500 company. Machines that may be better than the one you are using. They interact with some of the best database machines out there - Teradata for example.

      There is a surprise here. The IRS has what is known as "title" data, it is in the USC under section 24 or "Title 24" data. They are very strict and EVERYONE that has access to their data has to go through training every year on it. They are not kidding, they make sure everyone has completed the training or they will stop you from accessing it. I have seen them do it. There is a test on it and they do audit. I have had the completion nazis come after me more than once.

      Obviously they have a problem with understanding what they learned and how to apply it to daily activities. I know I have found professionally that if someone is having trouble, they will do anything to get it working again. They ask very few questions. Obviously you don't do this to someone that has a clue, there are plenty of clueless ones around. Just look at Mitnick's book on social engineering. Obviously they are aware of the problem and they are trying to do something about it.

      You couldn't get me... besides it wouldn't matter. You see I have this guy in Nigeria that sent me a letter about making a bunch of money for helping him, his father died a year ago.... Just kidding. Check out http://www.ebolamonkeyman.com/

  2. Fingerprints by SamMichaels · · Score: 2, Interesting

    We've had fingerprint technology for a long time. In fact, the Samsung laptop has it built in. Why are (especially) government agencies using passwords? You can't exactly "share" your fingerprint with someone on the phone.

  3. Does this mean IRS employees are slow learners by Dark+Coder · · Score: 2, Interesting

    71% down to 35%.

    IRS employs 100,013 employees in 2001.

    36,000 employees got wise. What about the remaining 35,000 employees?

    No wonder, the quality of our audit is getting better! I just hope not to get audited at all, but if I do, I'd like to know which employee passed this social engineering test so I can avoid them...

    What better ways to railroad them with unmarked receipts and explanation of multiple exemptions?

  4. correction by Anonymous Coward · · Score: 1, Interesting

    The result: over one-third shared their passwords. If there is any good news in the story it is that the 35% figure represents a substantial reduction from the 71% who fell for the ruse in 2001.

    from the article:

    "We were able to convince 35 managers and employees to provide us their username and change their password," the report said.

    That was a 50 percent improvement when compared with a similar test in 2001, when 71 employees cooperated and changed their passwords.


    35 employees != 35% of all employees

  5. Wasted time..but at least I made money by gmerideth · · Score: 5, Interesting

    I started using a feature that WatchGuard has on their website called ClickAware within 2-3 days of our big "security" speech at some of our clients.

    We spent 4 hours discussing spyware, attachment best practices, viruses, adaware, malicious sites and policies on installing web apps.

    Shortly afterwards, using the ClickAware site, we sent out fake e-mail with ( my personal favorite ) the "Install this Microsoft Patch" message with a phantom 241K attachment.

    I can then view the click rate and then match the clicks to the internal IP browsing logs to see who's been a bad boy/girl/it.

    I'm stunned most of the time when not but 3 days after a rather lengthy, yet energetic, discussion, some 70% of the people ( of 122 e-mails ) actually clicked on the phantom attachment and saw the "If this was real you would be in trouble" message.

    As the subject says, I feel like I am wasting my time in performing these security meetings but hell, I'm getting paid for it.

    I know there will be the obligatory ( you must suck as a teacher then ) comments but it would be good to see if anyone else has experienced the same thing after doing security discussions with their employees.

    --
    Why do overlook and oversee mean opposite things?
  6. Government and Computers - Just say No! by camusflage · · Score: 3, Interesting

    This really shouldn't be terribly surprising. It has been made obvious that the government is not all that swift at securing technology. From the recent FBI email hack to the several times the Department of the Interior has been ordered offline by a federal judge because of their security ineptitude, it seems pretty clear to me that aside from a few pockets, by and large, the government couldn't secure a pop tart, let alone a complex network.

    --
    The truth about Scientology, Xenu, and you: Operation Clambake
  7. Re:Social Engineering is the biggest problem by dezcola · · Score: 5, Interesting

    The first time I saw Social Engineering on the big screen was when Matthew Broderick got himself sent to the principal's office just so he could get the weekly password. That movie came out in 83 and the idea wasn't new then.

  8. Company upgrade snafu by DodgeRules · · Score: 5, Interesting

    The company I worked for 6 years ago was upgrading some software on all of their computers. They emailed everyone asking them for their username and password so that the technician could log in to their computer at night and perform the upgrade. I refused to hand over my password and told them that I would be there at the time they wanted to perform the upgrade. They weren't very happy about it. When they came to upgrade, I logged in for them. And watched everything they did. I watched as they connected to the server and installed the upgrade. After they finished, they rebooted and left. I connected to the server again using my account and noticed that on the server was a list of everyone in the company, their usernames and passwords. Including the President and CEO of the company, CTO, CFO, all the way down the food chain. I walked over to the IT staff, showed them what I found and told them "THAT is why I won't give out my password."

  9. blame the manager... by Elminst · · Score: 2, Interesting

    "Some hesitated but got approval from their managers to cooperate."

    Just goes to show that you don't promote based on brains.

    but then again, it doesn't show too much brains on the part of the employees either. They cave as soon as a "higher up" says it's okay.

    --
    No unauthorized use. Trespassers will be shot. Survivors will be shot again.
  10. What about employees of more sensitive agencies? by SteelV · · Score: 2, Interesting

    I know getting into the IRS is already pretty bad, but what about other government agencies (FBI, CIA) or the military? I know in many cases they are on separate networks, but in the cases where it's possible to get in...

    It would appear that they are more savvy, and receive more training, but who knows?

  11. Re:Social Engineering is the biggest problem by forkazoo · · Score: 5, Interesting

    I worry about it all the time. My users constantly volunteer their passwords when I don't ask for them. If they know I am going to use their computer to install a printer driver or something, many will write their password on a sticky note for me, "just in case."

    Our receptionist will buzz anybody into the office if they ask. After work one day, she admitted she felt bad not knowing anybody's name because she's new, and didn't want anybody to realise she didn't know them, so she buzzes everybody in.

    So, any random person could compromise my whole network by knowing only a few words of English. "Can you buzz me in?" and it doesn't matter what they say for the second part, because you can trust anybody in the building because you "need key card access," and the users will volunteer their password to anybody they think they can trust. ::sigh:: I spend more time worrying about spyware, though.

  12. Re:Social Engineering is the biggest problem by slittle · · Score: 4, Interesting

    Firewalls and routers are technological solutions - throw money at the problem and it goes away.

    The problem with social engineering is that before the users can be given a clue, management has to get one.

    And they can't just buy it in a shrinkwrapped package from $VENDOR, they'd have to admit (to the entire company) they don't know something and be educated. But they're not going to do that, nor will they defer to the experts they (should have) employed to handle it without managerial fiddling. Therefore the problem doesn't exist, mmkay?

    --
    Opportunity knocks. Karma hunts you down.
  13. there's worse by nigham · · Score: 3, Interesting

    you probably wouldn't believe it - i didn't at first - but some banks have a single password policy... that's right; there's just a single password for every user - get that out somehow and you have access to virtually everything

    --
    I don't want to read /. I want to go home and re-think my life.
  14. Re:Social Engineering is the biggest problem by T-Ranger · · Score: 4, Interesting

    I suppose it depends on what level of security you are dealing with. In 2005, on Slashdot, security might only mean computers, but it's more general than that. The good counterexample would be that of Alan Turing.. While he was not hacked, the powers believed he could be, and thus was stripped of all his security clearances.

  15. Re:I would be happy.. by knightri · · Score: 2, Interesting

    Another form of authentication seems like a feasible solution. Eye-print scanning, blood analysis, distributed networked random key generation or even simple yet less secure fingerprinting

    --
    'Or else pizza is going to order out for you'
  16. public passwords by jamesh · · Score: 4, Interesting

    I hate it when users just give up their password when asked. But on the other hand it is so damn useful to be able to get into somebody's computer to fix a problem that only affects them (eg using their profile).

    One thing that Windows lacks is for an Admin user to be able to impersonate anyone a la su under Unix. It would make fixing problems for other people so much easier as you could log into their computer as them using your/admin credentials.

  17. Re:Social Engineering is the biggest problem by Anonymous Coward · · Score: 1, Interesting

    Ring
    Ring

    Unwitting Participant: Hello, Information Services, John Smith Speaking.
    SlyDog: Oh, shoot Hi John. I was trying to get a hold of [insert the mark's Name], can you transfer me to extension 701 please?
    Ring
    Ring

    The Mark: Accounts payable Margaret speaking.
    SlyDog: Hi Margaret this is Mike over from IS we are scheduling some maintenance on your computers down there. We heard you were having some problems.
    The Mark: Yes/No
    SlyDog: [TechnoBanter]
    SlyDog: Before I schedule an appointment, we're going to need your current password for our Tech.
    The Mark: Oh, my password is 12345
    SlyDog: Ok, great. What time today would be good for you?
    The Mark: How long do you think it would take?
    SlyDog: Probably ten-maybe twenty minutes.
    The Mark: Oh that's fine you can do it when I take lunch.
    SlyDog: [Lunch Banter]
    SlyDog: Ok great, I'll make sure John knows the maintenance will start at noon.

  18. Re:I would be happy.. by digitalchinky · · Score: 2, Interesting

    The most advanced form of electronic access I have ever seen in the Australian military are light based hand scanners used in combination with a PIN. This is in compounds housing TS codeword material, about as secure as it gets. In addition, you must pass through a one-person doorway (glass tube) that has additional cameras and sensors to ensure there is only one person inside.

    On mobile platforms, it can be anything from a dull cloth curtain, to foot thick steel vault doorways.

    Eye scanners, blood analysis, and fingerprinting will never be used since they can all be bypassed with little effort. Hand scanners, while not perfect, are the most challenging to defeat, since hands generally stay attached to their owners, it is difficult to make a copy un-noticed.

  19. Re:Giving out passwords by digitalchinky · · Score: 3, Interesting

    You might think I'm trolling, but seriously, don't underestimate the power of paper, crayons, and cling wrap. It's been used to gain access to more than a few classified compartments. Once inside, everyone assumes you are meant to be there. Security pass or not. People would laugh at you for a hand made ID card before they would even contemplate a security problem.

    Ok, that was 10 years ago, these days the guards have to walk around and discreetly make sure everything is in order.

  20. Re:I would be happy.. by Anonymous Coward · · Score: 1, Interesting
    It's also important to have some sort of policy in place to detect social engineering attacks as they happen. For instance, if you get a call from someone who is requesting access and you didn't give it to him, you should report it to your supervisor. He can then fire out an email or do whatever is appropriate to remind people not to give out access. He can also note down the time of the call, the originating phone number, who got the call, and other useful information which could be used to identify a particular pattern. In the event of a successful engineering attempt, it could also be provided to law enforcement officials to aid them in their investigation.

    If the supervisor gets reports of an unusually high number of these cases in one day, he could also institute a sort of "lockdown." For instance, instead of just looking at the caller ID, ask for employee IDs, callback phone numbers, that sort of thing. And in fact sensitive operations could be disallowed over the phone entirely. In a perfect world, the IRS would always be in this "lockdown" mode, but in reality they have a lot of work to do and it may just not be feasible to have those kind of restrictions in place all the time.
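The reporting and "lockdown" procedure in the comment above, worked through as an added illustration (not code from the thread or from any IRS system): reported suspicious calls are tallied per day, repeat originating numbers are surfaced as a pattern worth passing to investigators, and once a day's report count reaches a threshold the verification demanded of callers gets stricter. The record fields, the threshold of three reports per day, and the sample reports are all constructed assumptions.

```python
"""Tally reported social-engineering calls and decide when to enter 'lockdown'.

Added illustration, not from the Slashdot thread or the IRS: the report
records, field names, threshold and sample data are assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class CallReport:
    when: datetime        # when the suspicious call came in
    reported_by: str      # employee who took the call and reported it
    caller_number: str    # caller-ID number; "" when withheld
    request: str          # what the caller asked for


# Constructed sample reports (not real data): one busy day, one quiet day.
SAMPLE_REPORTS = [
    CallReport(datetime(2005, 3, 16, 9, 5), "m.jones", "555-0101", "password for 'maintenance'"),
    CallReport(datetime(2005, 3, 16, 9, 40), "r.lee", "555-0101", "userid and password reset"),
    CallReport(datetime(2005, 3, 16, 11, 15), "a.patel", "", "password for 'tech visit'"),
    CallReport(datetime(2005, 3, 16, 14, 2), "k.wong", "555-0101", "change password to one suggested"),
    CallReport(datetime(2005, 3, 17, 10, 30), "m.jones", "555-0199", "confirm username"),
]

LOCKDOWN_THRESHOLD = 3  # reports per day that trigger the stricter procedure (assumed value)


def reports_per_day(reports):
    """Count reports by calendar day (ISO date string -> number of reports)."""
    return dict(Counter(r.when.date().isoformat() for r in reports))


def lockdown_days(reports, threshold=LOCKDOWN_THRESHOLD):
    """Days on which the report count reached the lockdown threshold."""
    return sorted(day for day, n in reports_per_day(reports).items() if n >= threshold)


def repeated_callers(reports, min_reports=2):
    """Originating numbers seen in at least min_reports reports; withheld numbers are ignored.

    The result is the 'pattern' data the supervisor would keep for investigators.
    """
    by_number = defaultdict(list)
    for r in reports:
        if r.caller_number:
            by_number[r.caller_number].append(r)
    return {num: len(rs) for num, rs in by_number.items() if len(rs) >= min_reports}


def verification_required(reports, day, threshold=LOCKDOWN_THRESHOLD):
    """What a caller requesting access must provide on the given day.

    In lockdown mode the caller-ID check is replaced by an employee-ID check,
    a callback to a directory-listed number, and a ban on credential changes by phone.
    """
    if day in lockdown_days(reports, threshold):
        return ["employee ID", "callback to directory number", "no credential changes by phone"]
    return ["caller ID check"]


if __name__ == "__main__":
    print("reports per day:", reports_per_day(SAMPLE_REPORTS))
    print("lockdown days:", lockdown_days(SAMPLE_REPORTS))
    print("repeat callers:", repeated_callers(SAMPLE_REPORTS))
    for day in ("2005-03-16", "2005-03-17"):
        print(day, "->", verification_required(SAMPLE_REPORTS, day))
```

The threshold is deliberately a parameter: the comment's point is that permanent lockdown is too costly for a busy workforce, so the stricter checks are tied to observed report volume rather than applied all the time.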

  21. Re:Social Engineering is the biggest problem by jonadab · · Score: 2, Interesting

    > I worry about it all the time. My users constantly volunteer their passwords
    > when I don't ask for them.

    You're lucky: your users know their passwords. If I tell my users that they
    need a password for something, they tell me they don't have a password, don't
    want a password, and that I have to fix it so they don't need one.

    --
    Cut that out, or I will ship you to Norilsk in a box.
  22. Re:I would be happy.. by xSauronx · · Score: 2, Interesting
    real law enforcement can't follow up on everything they have to follow up on as it is, never mind following up by trying to find "that guy with blonde hair and green eyes who kept asking for my password last night".

    this is almost something people should learn in high school in this age, but definitely at your first day on the job it should be made clear: I don't need your password, nobody needs your password, if you give out your password, even to your grandmother, you'll be fired as a security risk.

    if the discipline is just "you gave out your password! idiot!" then....well then apparently only half of those people are going to stop giving it out; and while that's an improvement it's not good enough.

    --
    By and large, language is a tool for concealing the truth. -- George Carlin
  23. Re:Fool me once... by Anonymous Coward · · Score: 2, Interesting

    I wonder how much of the "reduction" is due to changing attitudes or increased "security" -- and how much is just plain "ohhh, I fell for this last time".

    So the old guys didn't reply, but the new ones did.

  24. Re:Social Engineering is the biggest problem by Illserve · · Score: 2, Interesting

    Yes, fire everyone! Don't bother taking an important chance to educate the existing workforce. After all, it would cost practically nothing to rehire and retrain 30% of the IRS.

    So while I agree with you that absolutely draconian measures are called for, and people should be fired for not being as smart as you (even though they were hired for jobs in which computer expertise is not a prerequisite), I'm curious about the potential disaster you proclaim.

    What sort of disaster would this be exactly? Every other week some credit card database gets stolen and shipped to god knows where, but our lives haven't really changed that much for the worse have they? I can still buy food. The TV still works. I still have my job, a house, running water, electricity, the internet works, life goes on....

    So what exactly do you propose would be the practical effect (as opposed to the chicken-little paranoia that some people here are prone to exhibit) of an IRS security breach? After all, I'm sure it's happened before and we've not been told. In fact, it probably happens annually....

  25. Re:Giving out passwords by Anonymous Coward · · Score: 1, Interesting
    ANYONE in a position to legitimately be messing around with your account already has the ability to do what they need without giving you a call.

    Not really. At the IRS, accounts administration and desktop administration have, in the name of security, a near-impenetrable wall between them. If desktop support finds a problem with user account permissions, corrections must go through time-consuming formal channels and take quite a while to occur. Then you test, find out that wasn't quite the problem, and start the process over. Yes, oversight is important but the way it's set up at the IRS means that desktop support personnel have an extremely strong motivation to work around security procedures and the users are accustomed to helping them do so.

    Of course, that's not saying that users are officially told to give out their passwords. Just the opposite. But the actual adoption of that meme has been slow to catch on. As some other posters have noted, the previous audit, with much worse results, made a big impression and convinced most people to play by the rules. There will always, however, be a few who don't get the message.

    There should be a simple policy (and maybe there even is, but obviously even some managers don't know): DON'T give out your password or userid

    Agreed. That would be called two-factor authentication, wouldn't it?

    The problem at the IRS, though, is that the userid for all users is publicly published. You can look up an individual user a couple of different ways, including one with a big scary warning about why you shouldn't misuse the information, but the fact remains that any IRS employee can get the userid for any other IRS employee. It's set up that way on purpose.

    Lessee, how many authentication factors does that leave us with?

    PS - The worst part of the whole thing is that if employee A gets pissed off at employee B, employee A only needs to sit down at any random workstation, input employee B's userid with a bad password three times, and, voila, employee B is locked off the LAN. This situation really, truly bothers me.

    Posting anon for obvious reasons.
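The lockout problem in the post above (public userids plus a three-strikes lockout means anyone at any desk can lock a colleague out) is something an administrator can at least detect from the audit trail. As an added illustration, not code from the thread or from any IRS system, the following check runs over constructed logon and lockout records: a lockout is flagged when it originates from a workstation the locked-out user has never successfully logged on from, and a workstation that locks out several different users is surfaced as a likely source. The record format, workstation names and sample events are assumptions.

```python
"""Flag account lockouts that originate from a workstation the user never uses.

Added illustration, not from the Slashdot thread or the IRS: the audit record
format, the workstation names and the sample events are constructed assumptions.
"""
from collections import defaultdict

# Constructed sample audit records as (event, userid, workstation).
# "logon" = successful logon, "lockout" = account locked after repeated bad passwords.
SAMPLE_EVENTS = [
    ("logon", "bsmith", "WS-ACCT-12"),
    ("logon", "bsmith", "WS-ACCT-12"),
    ("logon", "bsmith", "WS-ACCT-13"),
    ("logon", "cjones", "WS-IT-04"),
    ("lockout", "bsmith", "WS-LOBBY-01"),  # locked from a machine bsmith never uses
    ("lockout", "cjones", "WS-IT-04"),     # locked from the user's own usual machine
    ("lockout", "dlee", "WS-LOBBY-01"),    # second user locked from the same lobby machine
]


def usual_workstations(events):
    """Map each userid to the set of workstations it has successfully logged on from."""
    seen = defaultdict(set)
    for event, user, ws in events:
        if event == "logon":
            seen[user].add(ws)
    return seen


def suspicious_lockouts(events):
    """Lockouts whose source workstation is not one the user normally logs on from.

    A lockout from the user's own desk is most likely a forgotten password; a lockout
    from an unfamiliar workstation is worth a call to the user before anything else.
    """
    usual = usual_workstations(events)
    return [(user, ws) for event, user, ws in events
            if event == "lockout" and ws not in usual.get(user, set())]


def lockout_sources(events, min_users=2):
    """Workstations that locked out at least min_users distinct users (a hunting pattern)."""
    users_by_ws = defaultdict(set)
    for event, user, ws in events:
        if event == "lockout":
            users_by_ws[ws].add(user)
    return {ws: len(users) for ws, users in users_by_ws.items() if len(users) >= min_users}


def triage(events):
    """One action line per suspicious lockout, in event order."""
    sources = lockout_sources(events)
    lines = []
    for user, ws in suspicious_lockouts(events):
        note = " (workstation has locked out multiple users)" if ws in sources else ""
        lines.append(f"confirm with {user} before unlocking; lockout came from {ws}{note}")
    return lines


if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

The check does not prevent the lockout itself; that needs a policy change such as counting failures per source workstation as well as per account. What it does is turn the "employee A locks out employee B" case from an unexplained help-desk ticket into an event with a source that can be followed up.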

  26. I'm an SA for the DoT. by rgf71 · · Score: 2, Interesting

    This is very close to home for me. I'm the systems administrator for one of IRS's Training Centers.

    Other posters are correct... Government hasn't embraced technology nearly to the degree that the rest of the world has. My site in particular still has mostly 1 GHz machines, and half of them are still running NT4.

    You have to understand that most of IRS' employees are either accountants or lawyers, used to doing everything on paper. Getting these people trained on technology is getting better, but it's classically been like nailing jello to a wall. Only recently has there been any real effort to provide adequate training for everyone who touches a computer.

    Also note, Of the ~103,000 IRS employees, I'd say 60 - 75% of them are older, near retirement. We all know how well older people love new technology:)

  27. SysAdmins Partially to Blame by Anonymous Coward · · Score: 1, Interesting

    I work in a huge 'Fortune 10' company, and quite often sysadmins (while doing some configuration or other) will ask for my password to type it in themselves rather than surrender the keyboard to let me type it in. I can tell you it's awkward to refuse to give it, so you go with the flow.

    When real sysadmins encourage/expect this behavior, is it surprising that employees give their passwords to fake ones?