Slashdot Mirror

← Back to Stories (view on slashdot.org)

IRS Employees Fall For Hackers

Posted by samzenpus on from the this-mail-may-come-as-a-shock-to-you dept.

linuxwrangler writes "Treasury department auditors recently posed as network technicians and attempted to get IRS employees to reveal their usernames and passwords and/or change the password to one suggested by the "technician". The result: over one-third shared their passwords. If there is any good news in the story it is that the 35% figure represents a substantial reduction from the 71% who fell for the ruse in 2001."

7 of 279 comments (clear)

  1. Wasted time..but at least I made money by gmerideth · · Score: 5, Interesting

    I started using a feature that WatchGuard has on their website called ClickAware within 2-3 days of our big "security" speech at some of our clients.

    We spent 4 hours discussing spyware, attachment best practices, viruses, adaware, malicious sites and policys on installing web apps.

    Shortly afterwards, using the ClickAware site, we send out fake e-mail with ( my personal favorite ) the "Install this Microsoft Patch" message with a phantom 241K attachment.

    I can then view the click rate and then match the click's to the internal IP browsing logs to see who's been a bad boy/girl/it.

    I'm stunned most of the time when not but 3 days after a rather lengthy, yet energetic, discussion, some 70% of the people ( of 122 e-mails ) actually clicked on the phantom attachment and saw the "If this was real you would be in trouble" message.

    As the subject says, I feel like I am wasting my time in performing these security meetings but hell, I'm getting paid for it.

    I know there will be the obligatory ( you must suck as a teacher then ) comments but it would be good to see if anyone else has experienced the same thing after doing security discussions with their employees.

    --
    Why do overlook and oversee mean opposite things?
  2. Re:Social Engineering is the biggest problem by dezcola · · Score: 5, Interesting

    The first time I saw Social Engineering on the big screen was when Matthew Broderick got himself sent to the principals office just so he could get the weekly password. That movie came out in 83 and the idea wasn't new then.

  3. Company upgrade snafu by DodgeRules · · Score: 5, Interesting

    The company I worked for 6 years ago was upgrading some software on all of their computers. They emailed everyone asking them for their username and password so that the technician could log in to their computer at night and perform the upgrade. I refused to hand over my password and told them that I would be there at the time they wanted to perform the upgrade. They weren't very happy about it. When they came to upgrade, I logged in for them. And watched everything they did. I watched as they connected to the server and install the upgrade. After they finished, they rebooted and left. I connected to the server again using my account and noticed that on the server was a list of everyone in the company, their usernames and passwords. Including the President and CEO of the company, CTO, CFO, all the way down the food chain. I walked over to the IT staff, showed them what I found and told them "THAT is why I won't give out my password."

  4. Re:Social Engineering is the biggest problem by forkazoo · · Score: 5, Interesting

    I worry about it all the time. My users constantly volunteer their passwords when I don't ask for them. If they know I am going to use their computer to install a printer driver or something, many will write their password on a sticky note for me, "just in case."

    Our receptionist will buzz anybody into the office if they ask. After work one day, she admitted she felt bad not knowing anybody's name because she's new, and didn't want anybody to realise she didn't know them, so she buzzes everybody in.

    So, any random person could compromise my whole network by knowing only a few words of english. "Can you buzz me in?" and it doesn't matter what they say for the second part, because you can trust anybody in the building because you "need key card access," and the users will volunteer their password to anybody they think they can trust. ::sigh:: I spend more time worrying about spyware, though.

  5. Re:Social Engineering is the biggest problem by slittle · · Score: 4, Interesting

    Firewalls and routers are technological solutions - throw money at the problem and it goes away.

    The problem with social engineering is that before the users can be given a clue, management has to get one.

    And they can't just buy it in a shrinkwrapped package from $VENDOR, they'd have to admit (to the entire company) they don't know something and be educated. But they're not going to do that, nor will they defer to the experts they (should have) employed to handle it without managerial fiddling. Therefore the problem doesn't exist, mmkay?

    --
    Opportunity knocks. Karma hunts you down.
  6. Re:Social Engineering is the biggest problem by T-Ranger · · Score: 4, Interesting

    I suppose it depends on what level of security you are dealing with. In 2005, on Slashdot, security might only mean computers, but its more general then that. The good counterexample would be that of Alan Turing.. While he was not hacked, the powers beleived he could be, and thus was striped of all his security clearences.

  7. public passwords by jamesh · · Score: 4, Interesting

    I hate it when users just give up their password when asked. But on the other hand it is so damn useful to be able to get into somebodies computer to fix a problem that only affects them (eg using their profile).

    One thing that windows lacks is for an Admin user to be able to impersonate anyone ala su under unix. It would make fixing problems for other people so much easier as you could log into their computer as them using your/admin credentials.