Slashdot Mirror


IRS Employees Fall For Hackers

linuxwrangler writes "Treasury department auditors recently posed as network technicians and attempted to get IRS employees to reveal their usernames and passwords and/or change the password to one suggested by the 'technician'. The result: over one-third shared their passwords. If there is any good news in the story it is that the 35% figure represents a substantial reduction from the 71% who fell for the ruse in 2001."


  1. No Surprise here by bananahead · · Score: 3, Interesting

    This does not surprise me; the typical IRS employee has probably only had a computer for 6 months. And it is probably a crippled 386. The IRS has NEVER been at the forefront of technology. In fact, it is a well kept secret that their use of technology is very limited. In addition, the caliber of people that will actually work for the IRS is not exactly the highest in the world. It is mostly Civil Service work. Now, before you jump up my ass with flames about not being fair, I am being fair. I didn't say Civil Service was bad, it just doesn't attract the finest we have to offer. Try training them.

    --
    A most overlooked advantage to owning a computer is if they foul up there's no law against whacking them around a bit.
  2. Wasted time..but at least I made money by gmerideth · · Score: 5, Interesting

    I started using a feature that WatchGuard has on their website called ClickAware within 2-3 days of our big "security" speech at some of our clients.

    We spent 4 hours discussing spyware, attachment best practices, viruses, adaware, malicious sites and policies on installing web apps.

    Shortly afterwards, using the ClickAware site, we sent out a fake e-mail with (my personal favorite) the "Install this Microsoft Patch" message with a phantom 241K attachment.

    I can then view the click rate and match the clicks to the internal IP browsing logs to see who's been a bad boy/girl/it.

    I'm stunned most of the time when not but 3 days after a rather lengthy, yet energetic, discussion, some 70% of the people (of 122 e-mails) actually clicked on the phantom attachment and saw the "If this was real you would be in trouble" message.

    As the subject says, I feel like I am wasting my time in performing these security meetings but hell, I'm getting paid for it.

    I know there will be the obligatory ("you must suck as a teacher then") comments, but it would be good to see if anyone else has experienced the same thing after doing security discussions with their employees.

    --
    Why do overlook and oversee mean opposite things?
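
The workflow the comment above describes (a fake-attachment landing page records clicks, and the clicks are then matched against the internal browsing logs to name the users) is easy to get wrong on shared or DHCP-reassigned addresses. The following is an added example, not code from the thread or from WatchGuard's ClickAware: it correlates a constructed click log with a constructed proxy log by source IP within a time window, so that a click on an address nobody was seen using near that time stays unattributed instead of being pinned on whoever held the address earlier in the day. The log formats, user names, hostnames and the 5-minute window are all assumptions for the example.

```python
"""Correlate phishing-simulation clicks with internal browsing logs.

Added example, not from the original thread. The two log formats below are
constructed: a landing-page click log ("timestamp src_ip path") and an
internal proxy log ("timestamp client_ip user url"). Real ClickAware exports
and proxy logs differ; only the matching logic is the point.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: clicks recorded by the fake-patch landing page.
CLICK_LOG = """\
2005-03-17T09:02:11 10.1.4.23 /patch/MS-update.exe
2005-03-17T09:02:40 10.1.4.57 /patch/MS-update.exe
2005-03-17T09:05:03 10.1.4.23 /patch/MS-update.exe
2005-03-17T09:07:55 10.1.9.200 /patch/MS-update.exe
"""

# Constructed sample data: internal proxy log tying client IPs to users.
PROXY_LOG = """\
2005-03-17T08:58:00 10.1.4.23 jsmith http://intranet/
2005-03-17T09:01:30 10.1.4.57 mlee http://intranet/
2005-03-17T09:02:12 10.1.4.23 jsmith http://awareness.example/patch/MS-update.exe
2005-03-17T09:02:41 10.1.4.57 mlee http://awareness.example/patch/MS-update.exe
2005-03-17T09:05:04 10.1.4.23 jsmith http://awareness.example/patch/MS-update.exe
"""

# Constructed list of everyone who received the fake e-mail.
RECIPIENTS = ["jsmith", "mlee", "rpatel", "akim"]

# Assumed tolerance: a proxy entry must sit this close to a click to count.
WINDOW = timedelta(minutes=5)


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def parse_click_log(text):
    """Return [(time, ip), ...] from the landing-page click log."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, _path = line.split()
        rows.append((_ts(ts), ip))
    return rows


def parse_proxy_log(text):
    """Return {ip: [(time, user), ...]} from the proxy log."""
    by_ip = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, _url = line.split(None, 3)
        by_ip[ip].append((_ts(ts), user))
    return by_ip


def attribute_clicks(clicks, proxy_by_ip, window=WINDOW):
    """Map each click to the user seen on that IP nearest in time.

    Returns (attributed: {user: click_count}, unattributed: [(time, ip)]).
    DHCP leases move between machines, so a click is attributed only when a
    proxy entry for the same IP falls within `window` of the click; otherwise
    it is reported separately rather than blamed on an earlier holder.
    """
    attributed = defaultdict(int)
    unattributed = []
    for when, ip in clicks:
        candidates = [(abs(t - when), user) for t, user in proxy_by_ip.get(ip, [])]
        candidates = [c for c in candidates if c[0] <= window]
        if not candidates:
            unattributed.append((when, ip))
            continue
        _, user = min(candidates)  # nearest proxy hit wins
        attributed[user] += 1
    return dict(attributed), unattributed


def click_rate(attributed, recipients):
    """Fraction of recipients who clicked at least once (repeat clicks count once)."""
    clickers = {u for u in attributed if u in recipients}
    return len(clickers) / len(recipients)


if __name__ == "__main__":
    clicks = parse_click_log(CLICK_LOG)
    proxy = parse_proxy_log(PROXY_LOG)
    who, unknown = attribute_clicks(clicks, proxy)
    print("clicked:", who)
    print("unattributed clicks:", unknown)
    print(f"click rate: {click_rate(who, RECIPIENTS):.0%}")
```

The headline number the comment reports (70% of 122) is the per-recipient rate, so `click_rate` counts a user once no matter how many times they re-opened the "attachment"; the raw per-user counts are still useful when deciding who gets the follow-up conversation.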
  3. Government and Computers - Just say No! by camusflage · · Score: 3, Interesting

    This really shouldn't be terribly surprising. It has been made obvious that the government is not all that swift at securing technology. From the recent FBI email hack to the several times the Department of the Interior has been ordered offline by a federal judge because of their security ineptitude, it seems pretty clear to me that aside from a few pockets, by and large, the government couldn't secure a pop tart, let alone a complex network.

    --
    The truth about Scientology, Xenu, and you: Operation Clambake
  4. Re:Social Engineering is the biggest problem by dezcola · · Score: 5, Interesting

    The first time I saw social engineering on the big screen was when Matthew Broderick got himself sent to the principal's office just so he could get the weekly password. That movie came out in '83 and the idea wasn't new then.

  5. Company upgrade snafu by DodgeRules · · Score: 5, Interesting

    The company I worked for 6 years ago was upgrading some software on all of their computers. They emailed everyone asking them for their username and password so that the technician could log in to their computer at night and perform the upgrade. I refused to hand over my password and told them that I would be there at the time they wanted to perform the upgrade. They weren't very happy about it. When they came to upgrade, I logged in for them. And watched everything they did. I watched as they connected to the server and installed the upgrade. After they finished, they rebooted and left. I connected to the server again using my account and noticed that on the server was a list of everyone in the company, their usernames and passwords. Including the President and CEO of the company, CTO, CFO, all the way down the food chain. I walked over to the IT staff, showed them what I found and told them "THAT is why I won't give out my password."

  6. Re:Social Engineering is the biggest problem by forkazoo · · Score: 5, Interesting

    I worry about it all the time. My users constantly volunteer their passwords when I don't ask for them. If they know I am going to use their computer to install a printer driver or something, many will write their password on a sticky note for me, "just in case."

    Our receptionist will buzz anybody into the office if they ask. After work one day, she admitted she felt bad not knowing anybody's name because she's new, and didn't want anybody to realise she didn't know them, so she buzzes everybody in.

    So, any random person could compromise my whole network by knowing only a few words of English. "Can you buzz me in?" and it doesn't matter what they say for the second part, because you can trust anybody in the building because you "need key card access," and the users will volunteer their password to anybody they think they can trust. ::sigh:: I spend more time worrying about spyware, though.

  7. Re:Social Engineering is the biggest problem by slittle · · Score: 4, Interesting

    Firewalls and routers are technological solutions - throw money at the problem and it goes away.

    The problem with social engineering is that before the users can be given a clue, management has to get one.

    And they can't just buy it in a shrinkwrapped package from $VENDOR, they'd have to admit (to the entire company) they don't know something and be educated. But they're not going to do that, nor will they defer to the experts they (should have) employed to handle it without managerial fiddling. Therefore the problem doesn't exist, mmkay?

    --
    Opportunity knocks. Karma hunts you down.
  8. there's worse by nigham · · Score: 3, Interesting

    You probably wouldn't believe it (I didn't at first) but some banks have a single password policy... that's right; there's just a single password for every user. Get that out somehow and you have access to virtually everything.

    --
    I don't want to read /. I want to go home and re-think my life.
  9. Re:Social Engineering is the biggest problem by T-Ranger · · Score: 4, Interesting

    I suppose it depends on what level of security you are dealing with. In 2005, on Slashdot, security might only mean computers, but it's more general than that. The good counterexample would be that of Alan Turing. While he was not hacked, the powers believed he could be, and thus he was stripped of all his security clearances.

  10. public passwords by jamesh · · Score: 4, Interesting

    I hate it when users just give up their password when asked. But on the other hand it is so damn useful to be able to get into somebody's computer to fix a problem that only affects them (e.g. using their profile).

    One thing that Windows lacks is for an Admin user to be able to impersonate anyone a la su under Unix. It would make fixing problems for other people so much easier, as you could log into their computer as them using your/admin credentials.

  11. Re:Giving out passwords by digitalchinky · · Score: 3, Interesting

    You might think I'm trolling, but seriously, don't underestimate the power of paper, crayons, and cling wrap. It's been used to gain access to more than a few classified compartments. Once inside, everyone assumes you are meant to be there. Security pass or not. People would laugh at you for a hand made ID card before they would even contemplate a security problem.

    Ok, that was 10 years ago, these days the guards have to walk around and discreetly make sure everything is in order.