Slashdot Mirror


IRS Employees Fall For Hackers

linuxwrangler writes "Treasury department auditors recently posed as network technicians and attempted to get IRS employees to reveal their usernames and passwords and/or change the password to one suggested by the "technician". The result: over one-third shared their passwords. If there is any good news in the story it is that the 35% figure represents a substantial reduction from the 71% who fell for the ruse in 2001."

85 of 279 comments

  1. Social Engineering is the biggest problem by suso · · Score: 5, Insightful

    Just like I always say: social engineering is the biggest security problem nowadays. Maybe this time it showed a decrease in the people who fell for the attack, but I bet that if the auditors increased the sophistication of their ruse, they would actually increase the number who fell for it.

    1. Re:Social Engineering is the biggest problem by LewsTherinKinslayer · · Score: 5, Insightful

      Social Engineering has always been the biggest problem. There is no such thing as perfect security when too many people are in the know, or have some sort of access.

      No matter how good an encryption system is, it's obviously going to fail if the person breaking in has the right information.

    2. Re:Social Engineering is the biggest problem by game+kid · · Score: 2, Insightful

      Absolutely; it's too easy to fool someone into doing something like changing their password this way, simply because people are nervous about their computers and they'd obey anyone who sounds technical enough. It's like people need a minimum Bachelor's in CS* to live in this age.

      *not that said degrees are/are not useful, just that lots of people need to learn a lot about computers and scams like this. Now.

      --
      You can hold down the "B" button for continuous firing.
    3. Re:Social Engineering is the biggest problem by yuriismaster · · Score: 4, Insightful

      I think they should take any person who fell for this and instantly can them. I mean, unless the Auditors used the Tech Line's desk number, any (semi-intelligent) IRS employee would feel a little cautious. Their job is VERY important, and any security breach spells disaster.

      I think there should be a memo at every single person's desk: "Never give out your password or credit card number in a phone call." (Quick play on MSN's security warning..)

      Besides, any admin worth his salt will reset a user's password and tell him to change it instead of telling him to change it to what the admin wants.

      I hate stupid people...

    4. Re:Social Engineering is the biggest problem by suso · · Score: 5, Insightful

      Right, but it also *seems* (I have no fact to back up this claim) that social engineering is the least worried-about security vulnerability.

      I was however pleasantly surprised recently when going to a gas station, paying at the pump, the receipt didn't print out and when I went inside the cashier actually asked me for the last name on the card instead of just handing me the receipt. I almost offered him a job.

    5. Re:Social Engineering is the biggest problem by LewsTherinKinslayer · · Score: 4, Insightful

      that social engineering is the least worried about security vulnerability.

      That's an excellent point. I'd say perhaps that instead of being least worried about, it's more likely the most overlooked. When you think of stopping hackers, most people picture a firewall program and router. Not their telephone and a random IT department problem.

    6. Re:Social Engineering is the biggest problem by dezcola · · Score: 5, Interesting

      The first time I saw social engineering on the big screen was when Matthew Broderick got himself sent to the principal's office just so he could get the weekly password. That movie came out in '83 and the idea wasn't new then.

    7. Re:Social Engineering is the biggest problem by Elminst · · Score: 3, Insightful

      I believe this is how the "most famous hacker ever" (mitnick) got into most of the systems.
      It's been proved time and time again that it is so much easier to just walk up and ask for a password than to try and crack it.

      1024-bit encryption doesn't prevent a helpful secretary with her password on a post-it note stuck to the front of her monitor.

      --
      No unauthorized use. Trespassers will be shot. Survivors will be shot again.
    8. Re:Social Engineering is the biggest problem by forkazoo · · Score: 5, Interesting

      I worry about it all the time. My users constantly volunteer their passwords when I don't ask for them. If they know I am going to use their computer to install a printer driver or something, many will write their password on a sticky note for me, "just in case."

      Our receptionist will buzz anybody into the office if they ask. After work one day, she admitted she felt bad not knowing anybody's name because she's new, and didn't want anybody to realise she didn't know them, so she buzzes everybody in.

      So, any random person could compromise my whole network by knowing only a few words of English. "Can you buzz me in?" and it doesn't matter what they say for the second part, because you can trust anybody in the building because you "need key card access," and the users will volunteer their password to anybody they think they can trust. ::sigh:: I spend more time worrying about spyware, though.

    9. Re:Social Engineering is the biggest problem by slittle · · Score: 4, Interesting

      Firewalls and routers are technological solutions - throw money at the problem and it goes away.

      The problem with social engineering is that before the users can be given a clue, management has to get one.

      And they can't just buy it in a shrinkwrapped package from $VENDOR, they'd have to admit (to the entire company) they don't know something and be educated. But they're not going to do that, nor will they defer to the experts they (should have) employed to handle it without managerial fiddling. Therefore the problem doesn't exist, mmkay?

      --
      Opportunity knocks. Karma hunts you down.
    10. Re:Social Engineering is the biggest problem by RodgerDodger · · Score: 2, Funny

      You need to fool people? Hah! 70% of people would give away their password for a block of chocolate!

      --
      "Software is too expensive to build cheaply"
    11. Re:Social Engineering is the biggest problem by T-Ranger · · Score: 4, Interesting

      I suppose it depends on what level of security you are dealing with. In 2005, on Slashdot, security might only mean computers, but it's more general than that. The good counterexample would be that of Alan Turing. While he was not hacked, the powers believed he could be, and thus he was stripped of all his security clearances.

    12. Re:Social Engineering is the biggest problem by GigsVT · · Score: 4, Insightful

      Well, that's an example of a "feelgood" security measure that is counterproductive.

      Get rid of the buzzer on the door, get rid of the keycards. Get rid of anything that creates a false sense of security, or an idea that you are somehow within a "trusted" environment.

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
    13. Re:Social Engineering is the biggest problem by Paul+McMahon · · Score: 2, Insightful

      There is no such thing as perfect security when too many people are in the know, or have some sort of access. There is no such thing as perfect security. Given a sufficient motivation, amount of time, and resources any protection can be overcome.

    14. Re:Social Engineering is the biggest problem by wo1verin3 · · Score: 4, Funny

      Sure, but first please let me confirm your slashdot login.. please reply with your username and password.

      Security Breach Traced To Hole in Head of Admin

    15. Re:Social Engineering is the biggest problem by nacturation · · Score: 5, Informative

      Besides, any admin worth his salt will reset a user's password and tell him to change it instead of telling him to change it to what the admin wants.

      There's a good scam I read about in a book, I think it might have been the one written by Mitnick. Here's how it works:

      You pretend to be the network administrator testing some new security procedures and you phone up your target user. Introduce yourself and say that you're running some security testing on the networks and you need five minutes of their time to do some testing. Remind them that never, under any circumstances, should the user tell anybody else their password. Even reinforce that they shouldn't even tell you, as you don't need to know.

      Now here's the trick. Ask them to log off. Once they've done that, tell them that you're doing some monitoring and that they should now log in with their password... "and remember, don't tell me what it is!" Great, now we need to test the change password function. Get them to change their user account password to something which is known, such as "abacus". Once they've changed their password, ask them to log off again. You, the intruder, can now log in to their account as you know the password. If it's unix-based, you can set up some kind of daemon to run and accept connections, grab random files, log in to the corporate VPN, whatever. Stall them for a little bit while you pillage their network... get them to log in, letting them know you can't see their login come through, etc. Whatever buys you the time you need.

      Then get them to log in once more and change their password back to what it was. Remind them yet again not to tell you that password as they should never tell anybody what their password is. Thank them for their time and for helping you test the security system [and for allowing you to preview tomorrow's result of whether or not the FDA will be accepting or rejecting their new drug therapy, thereby allowing you to take out appropriate options on the stock].

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
    16. Re:Social Engineering is the biggest problem by DreamerFi · · Score: 2, Informative

      I hope you gave the guy a compliment. I always remark how I appreciate their concern for security when somebody does something similar. It's unfortunate good behaviour needs to be rewarded, but that's life...

    17. Re:Social Engineering is the biggest problem by KingJoshi · · Score: 4, Insightful

      I'm working temporarily as a cashier at a fast food place. Sometimes, I get tips from people when I ask them for IDs on their credit cards :)

      People are willing to pay a huge price for convenience. Social engineering attacks exploit that, but obviously, it hasn't been enough to make people cynical or stringent on rules.

      My first inclination was to make the process of buying and receiving the food fast and convenient. Many people don't bring out their IDs with their credit cards and sometimes have to dig through purses for them. So it makes it slower and inconveniences them. Obviously, I understand that security is important enough, but it's not something people are taught. And even if you are, when you have rushes of people and some can be a pain, you just want to get them through.

      But even then, you have to wonder what balance to reach. Do you always reject people if they don't have their IDs? On campus, some places take your ID if you check something out or whatever. How trusting can you be? And "never" just doesn't work in regards to customer service because you want the people to feel as they're treated well and come back (without angering those that care about security).

      Social engineering will always work into the future because people are willing to take certain losses (billions of dollars each year) for convenience, values such as courtesy and (as in the secretary case the other guy mentioned) save face.

      Then, you have issues of people that rebel due to overly strict rules or disagreement with them. I know that many universities have had to deal with theft. The Engineering department at MSU locks the doors on the buildings around midnight (though the hours say until 2am) and since so many people come in and go out of the building later than that, the students keep a trash can to prop the door open. And if I'm going out of the building, I wouldn't hesitate to keep it open for someone who's trying to get in.

      With software it's the same thing. Writing passwords down or whatever. Given the option between security and convenience, most likely, it'll be the latter.

      --
      In times like these, it is helpful to remember that there have always been times like these. - Paul Harvey
    18. Re:Social Engineering is the biggest problem by jonadab · · Score: 2, Interesting

      > I worry about it all the time. My users constantly volunteer their passwords
      > when I don't ask for them.

      You're lucky: your users know their passwords. If I tell my users that they
      need a password for something, they tell me they don't have a password, don't
      want a password, and that I have to fix it so they don't need one.

      --
      Cut that out, or I will ship you to Norilsk in a box.
    19. Re:Social Engineering is the biggest problem by Illserve · · Score: 2, Interesting

      Yes, fire everyone! Don't bother taking an important chance to educate the existing workforce. After all, it would cost practically nothing to rehire and retrain 30% of the IRS.

      So while I agree with you that absolutely draconian measures are called for, and people should be fired for not being as smart as you (even though they were hired for jobs in which computer expertise is not a prerequisite), I'm curious about the potential disaster you proclaim.

      What sort of disaster would this be exactly? Every other week some credit card database gets stolen and shipped to god knows where, but our lives haven't really changed that much for the worse have they? I can still buy food. The TV still works. I still have my job, a house, running water, electricity, the internet works, life goes on....

      So what exactly do you propose would be the practical effect (as opposed to the chicken-little paranoia that some people here are prone to exhibit) of an IRS security breach? After all, I'm sure it's happened before and we've not been told. In fact, it probably happens annually....

    20. Re:Social Engineering is the biggest problem by bluGill · · Score: 2, Informative

      Are you aware that Visa does allow you to check any id other than the signature on the back of the card? See id not valid

  2. Well, I'm glad choicepoint has competition.. by Tobias.Davis · · Score: 5, Funny

    We need more incompetence out there giving away our life stories!

  3. Fool me once... by The+Amazing+Fish+Boy · · Score: 5, Funny

    If there is any good news in the story it is that the 35% figure represents a substantial reduction from the 71% who fell for the ruse in 2001.

    You know, there's an old saying in Tennessee - I know it's in Texas, it's probably in Tennessee...

    1. Re:Fool me once... by Anonymous Coward · · Score: 2, Funny

      Fool me once shame on you, fool me twice I must be an American.

    2. Re:Fool me once... by Anonymous Coward · · Score: 2, Interesting

      I wonder how much of the "reduction" is due to changing attitudes or increased "security" -- and how much is just plain "ohhh, I fell for this last time".

      So the old guys didn't reply, but the new ones did.

  4. I would be happy.. by KenFury · · Score: 5, Insightful

    While not perfect results, a 50% decrease in the number of users giving away their password is a victory. Hopefully in a few years it will be down to 10%.

    1. Re:I would be happy.. by LewsTherinKinslayer · · Score: 3, Insightful

      ... Hopefully in a few years it will be down to 10%

      I like your goal; it's actually feasible. I think it would be pretty much impossible to make social engineering ineffective in any large business or agency.

      Better training in recognizing attempts at social engineering, I think, would make a world of difference.

    2. Re:I would be happy.. by vfwlkr · · Score: 3, Insightful

      However, when it comes to IRS, SSA or the like, even 10% would be a defeat. Hackers need only one account to gain unauthorised access, not 10% of the workforce!

      --
      If you're not using firefox, you're not surfing the web, you're suffering it.
    3. Re:I would be happy.. by Old+Uncle+Bill · · Score: 2, Funny

      Like I always say, our application won't give you five nines, but it can give you nine fives.

      --
      Yes, I am an agent of Satan, but my duties are largely ceremonial.
    4. Re:I would be happy.. by gstoddart · · Score: 3, Insightful

      ... Hopefully in a few years it will be down to 10%

      I like your goal, its actually feasible. I think it would be pretty much impossible to make social engineering ineffective in any large business or agency.

      Not to detract from the observation this is a vast improvement, but I should think you could do one hella lot of mischief with even a 10% rate of success. Especially at the IRS. And almost anyplace else, come to think of it.

      --
      Lost at C:>. Found at C.
    5. Re:I would be happy.. by knightri · · Score: 2, Interesting

      Another form of authentication seems like a feasible solution. Eye-print scanning, blood analysis, distributed networked random key generation or even simple yet less secure fingerprinting

      --
      'Or else pizza is going to order out for you'
    6. Re:I would be happy.. by Matilda+the+Hun · · Score: 2, Insightful

      You think you'd be able to get it through some people's heads: "DON'T GIVE OUT YOUR PASSWORD!" It's not brain surgery...if an admin needs to get you to change your password, he can set an expiration date...or, *gasp*, talk to you in person. Or log into your account using su and just leave a note. You just don't do things like that over the phone...

      --
      Tluin natha Linux xxizzuss uriu olt bwael mon'tun.
    7. Re:I would be happy.. by GigsVT · · Score: 3, Insightful

      If the other 90% actively reported attempted social engineering, and those reports were followed up on by real law enforcement, then it would raise the bar as to who would actually attempt such an attack.

      The only measure of security is:

      It would make an effective deterrent to all but the most dedicated intruder.

      That's all that matters. Increasing the dedication needed to break in is what security is all about.

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
    8. Re:I would be happy.. by digitalchinky · · Score: 2, Interesting

      The most advanced form of electronic access I have ever seen in the Australian military are light based hand scanners used in combination with a PIN. This is in compounds housing TS codeword material, about as secure as it gets. In addition, you must pass through a one-person doorway (glass tube) that has additional cameras and sensors to ensure there is only one person inside.

      On mobile platforms, it can be anything from a dull cloth curtain, to foot thick steel vault doorways.

      Eye scanners, blood analysis, and fingerprinting will never be used since they can all be bypassed with little effort. Hand scanners, while not perfect, are the most challenging to defeat: since hands generally stay attached to their owners, it is difficult to make a copy unnoticed.

    9. Re:I would be happy.. by xSauronx · · Score: 2, Interesting

      real law enforcement can't follow up on everything they have to follow up on as it is, never mind following up by trying to find "that guy with blonde hair and green eyes who kept asking for my password last night".

      this is almost something people should learn in high school in this age, but definitely at your first day on the job it should be made clear: i don't need your password, nobody needs your password, if you give out your password, even to your grandmother, you'll be fired as a security risk.

      if the discipline is just "you gave out your password! idiot!" then....well then apparently only half of those people are going to stop giving it out; and while that's an improvement it's not good enough.

      --
      By and large, language is a tool for concealing the truth. -- George Carlin
  5. you know what they say.. by peculiarmethod · · Score: 2, Funny

    as the old saying goes.. death, taxes, and idiocy.

    --
    ** "It's not my job to stand between the people talking to me, and the ones listening to me." -- Pego the Jerk
    1. Re:you know what they say.. by ikkonoishi · · Score: 4, Funny

      "Only two things are infinite, the universe and human stupidity, and I'm not
      sure about the former." Albert Einstein

  6. No matter what OS you're running... by TelJanin · · Score: 5, Informative

    ...the user is the largest security hole. Either you can restrict them to where they can't do their job, or somebody can get them to reveal their u/p for a candy bar.

    1. Re:No matter what OS you're running... by Soko · · Score: 2, Funny

      Informative? This is common knowledge, or should be to any admin who's been on the job for more than a day or two.

      Where have all the BOFHs gone? In my day, that candy bar would be 60 grams or so of C4 nougat with 3 remote detonator almonds all covered in a delicious chocolatey coating.

      Kids - no sense of history.

      Soko

      --
      "Depression is merely anger without enthusiasm." - Anonymous
  7. No Surprise here by bananahead · · Score: 3, Interesting

    This does not surprise me; the typical IRS employee has probably only had a computer for 6 months. And it is probably a crippled 386. The IRS has NEVER been at the forefront of technology. In fact, it is a well kept secret that their use of technology is very limited. In addition, the caliber of people that will actually work for the IRS is not exactly the highest in the world. It is mostly Civil Service work. Now, before you jump up my ass with flames about not being fair, I am being fair. I didn't say Civil Service was bad, it just doesn't attract the finest we have to offer. Try training them.

    --
    A most overlooked advantage to owning a computer is if they foul up there's no law against wacking them around a bit.
    1. Re:No Surprise here by ebvwfbw · · Score: 2, Interesting

      Why do you think this? Have you ever been to an IRS office? The IRS has some of the newest systems out there. Most if not all employees work on a computer each day they are at work. I don't work for the IRS but I do interact with them professionally. I saw a lot of contemporary machines on desks - at least >= 2 gig pentiums. Machines that you would find at any Fortune 500 company. Machines that may be better than the one you are using. They interact with some of the best database machines out there - Teradata for example.

      There is a surprise here. The IRS has what is known as "title" data, it is in the USC under section 24 or "Title 24" data. They are very strict and EVERYONE that has access to their data has to go through training every year on it. They are not kidding, they make sure everyone has completed the training or they will stop you from accessing it. I have seen them do it. There is a test on it and they do audit. I have had the completion nazis come after me more than once.

      Obviously they have a problem with understanding what they learned and how to apply it to daily activities. I know I have found professionally that if someone is having trouble, they will do anything to get it working again. They ask very few questions. Obviously you don't do this to someone that has a clue, there are plenty of clueless ones around. Just look at Mitnick's book on social engineering. Obviously they are aware of the problem and they are trying to do something about it.

      You couldn't get me... besides it wouldn't matter. You see I have this guy in Nigeria that sent me a letter about making a bunch of money for helping him, his father died a year ago.... Just kidding. Check out http://www.ebolamonkeyman.com/

    2. Re:No Surprise here by BenEnglishAtHome · · Score: 4, Informative

      A few notes from someone who works at the subject TLA.

      ...the typical IRS employee has probably only had a computer for 6 months.

      Flat wrong. Essentially every IRS employee gets a computer when they come on board.

      ...it is probably a crippled 386.

      Wrong. All the 386s have been gone for years. The slowest machines in common use are 800Mhz Dell C600s and they're being replaced this year.

      The IRS has NEVER been at the forefront of technology.

      Demonstrably wrong. Look at the history of LCD fabs for one example. Specifically, IRS demand for larger LCDs drove much of that industry's momentum a couple of decades ago. Look up the screen specs for the old Zenith 171 lunchbox computer.

      You want more current examples? Linux deployment, our VPN implementations, and plenty of other things we do have been at the leading edge of what's workable for a long time.

      ...it is a well kept secret that their use of technology is very limited.

      Where in the hell did you get that idea? Holy smoke, our work processes are so tied to technology it's ridiculous. That's why people freak out when computers don't work and they're willing to do anything, even, sometimes, give out their passwords, to get things working again. I really don't know where you're getting this crap.

      ...the caliber of people that will actually work for the IRS is not exactly the highest in the world.

      Ad hominem and not worth responding to. Wrong, to boot.

      ...It is mostly Civil Service work.

      The Civil Service system is almost dead. If you didn't get on board over 20 years ago, you're probably not even a member. Almost everyone is a Federal Employee Retirement System member now, so the old "stay there a lifetime and ossify in your chair because you're bound to the retirement system" motivation no longer exists. As for the more general use of the term, as in "Civil Service protections," they've been under unrelenting attack for so long there's little left. Yes, it's different from private industry but the old image of "Civil Service," which is what you're evoking, is simply no longer anywhere close to accurate.

      ...before you jump up my ass with flames about not being fair, I am being fair. I didn't say Civil Service was bad, it just doesn't attract the finest we have to offer.

      I would never flame someone for ignorance. Ignorance is curable.

      Try training them.

      Finally, something insightful. Thank you. The IRS dedication to computer training is pitiful and if that condition were corrected, much of these problems would go away.

      As an aside, the IRS was on the verge of making huge inroads on this in 2001. We had set up a new-hire training model that shipped all new employees to a central location for training. The advantages were absolutely huge. This successfully addressed complaints from tax professionals about disparate enforcement of tax law in different jurisdictions because everyone was going to be trained to do things the same way. In addition, since everyone was in one place at the same time, the IT folks had managed to get time slots to provide real, quality training to everyone. Things were good.

      We were in class on 9/11. We dealt with getting people home during the full ground stop. We dealt with people who saw massive numbers of their coworkers dying on television and simply collapsed under the emotional assault. (Not our people, but some of the folks working in the same facility were HQ'd in the WTC.) We dealt with people having an unreasonable fear of flying for a long time. (I spent a half day printing maps and plotting routes for shaky employees who had chosen to rent cars and drive home, even if that drive was a thousand miles.)

      The bottom line, though, was that centralized (read: high quality, consistent) training was then deemed too cumbersome and the program canceled. Big mistake. I hope we find a better way to do things before I retire.

  8. Apologies in advance... by nganju · · Score: 5, Funny
    I'm sure that all this bad press for the IRS must be really taxing.

    Sorry.

    --
    There are 2 kinds of people in this world. Those that can keep their train of thought,
    1. Re:Apologies in advance... by Elminst · · Score: 3, Funny

      Probably an IRS employee with mod points... ;)

      --
      No unauthorized use. Trespassers will be shot. Survivors will be shot again.
  9. Hmmm by user9918277462 · · Score: 5, Funny

    Anybody who's had any significant amount of contact with government workers isn't impressed. You could probably get 35% of them to stick their tongues in an electrical socket if a "technician" told them it'd make their "Internet work better".

  10. fire them by CAIMLAS · · Score: 4, Insightful

    any of those 35% that fell for it 4 years ago should immediately be sacked. you'd think that after such a drastic fuck up, someone might take it to heart...

    --
    ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
  11. Fingerprints by SamMichaels · · Score: 2, Interesting

    We've had fingerprint technology for a long time. In fact, the Samsung laptop has it built in. Why are (especially) government agencies using passwords? You can't exactly "share" your fingerprint with someone on the phone.

    1. Re:Fingerprints by smcd · · Score: 2

      Problem - you are assuming that IRS workers are human.

    2. Re:Fingerprints by forkazoo · · Score: 3, Insightful

      First off, biometrics are not very secure. Second, how do you ssh in? Most programs don't have hooks for biometrics, after all. Web browser based interfaces. Lots of off the shelf software. Things where you want most of the data to stay on a central server, rather than storing all the tax information for the US on a guy's laptop...

  12. Giving out passwords by dcclark · · Score: 5, Informative

    Other employees could not find the caller's name on a global IRS employee directory but gave their information anyway. Some hesitated but got approval from their managers to cooperate.

    Scary.

    Call me silly, but I think people should know that ANYONE in a position to legitimately be messing around with your account already has the ability to do what they need without giving you a call. There should be a simple policy (and maybe there even is, but obviously even some managers don't know): DON'T give out your password or userid to anyone. Period. And start telling that to the managers!

    1. Re:Giving out passwords by digitalchinky · · Score: 3, Interesting

      You might think I'm trolling, but seriously, don't underestimate the power of paper, crayons, and cling wrap. It's been used to gain access to more than a few classified compartments. Once inside, everyone assumes you are meant to be there. Security pass or not. People would laugh at you for a hand made ID card before they would even contemplate a security problem.

      Ok, that was 10 years ago, these days the guards have to walk around and discreetly make sure everything is in order.

  13. slashdot_story= yahoo_story_delay(2hrs); by hedley · · Score: 5, Funny

    The two hour echo strikes again.

    H.

  14. Not isolated to software by hunterx11 · · Score: 5, Funny

    Wetware too is vulnerable to buffer overflow exploits. Annoy a person for long enough and they'll do what you say just to get you to stop talking.

    --
    English is easier said than done.
  15. Does this mean IRS employees are slow learners by Dark+Coder · · Score: 2, Interesting

    71% down to 35%.

    The IRS employed 100,013 employees in 2001.

    36,000 employees got wise. What about the remaining 35,000 employees?

    No wonder, the quality of our audit is getting better! I just hope not to get audited at all, but if I do, I'd like to know which employee passed this social engineering test so I can avoid them...

    What better ways to railroad them with unmarked receipts and explanation of multiple exemptions?

  16. Defence Against Social Engineering by Shackleford · · Score: 5, Informative

    As I read through the article, I wondered what it was that made these employees think that giving their usernames and passwords could possibly correct anything that was occurring on the network. Then in the article was the explanation I was looking for.

    "Some said they were not aware of the hacking technique and did not suspect foul play, or they wanted to be as helpful as possible to the computer technicians. Some were having network problems at the time, so the call seemed logical."

    It all appears to come from these people naturally wanting to help those who ask for assistance and claim to be trying to help them. It also can be the result of ignorance, with their lack of knowledge of this technique, and thinking that it would be logical to give that kind of information. But here's what I find most interesting:

    "Other employees could not find the caller's name on a global IRS employee directory but gave their information anyway. Some hesitated but got approval from their managers to cooperate."

    It was managers that gave this approval? Aren't they the ones who should be informing the employees of social engineering attacks? I think this may be the problem right here.

  17. "IRS Employees Fall For Hackers" by Anonymous Coward · · Score: 5, Funny

    Wow! Tax chicks will date me?

    1. Re:"IRS Employees Fall For Hackers" by shadowbearer · · Score: 3, Funny

      Sure, they want to audit your personal files in view of a possible future partnership of matrimony. Truly a relationship to bank on.

      SB

      --
      It's old. The more humans I meet, the more I like my cats. At least they are honest.
    2. Re:"IRS Employees Fall For Hackers" by Kirth+Gersen · · Score: 2, Funny

      First rule of dating tax chicks:

      Never, never dump one.

  18. Quit lying! by toupsie · · Score: 3, Funny

    Social Engineering is the biggest problem. Just like I always say

    Oh please. You have never ever said that before. Just yesterday you were saying the shrink wrap on new DVDs was the biggest problem. I can hear it now, "Damn it! I can't open up my new Steel Magnolia Director's Cut DVD!!! This damn wrapper is the biggest problem! There should be a law!".

    --
    Strange women lying in ponds distributing swords is no basis for a system of government.
  19. Wasted time..but at least I made money by gmerideth · · Score: 5, Interesting

    I started using a feature that WatchGuard has on their website called ClickAware within 2-3 days of our big "security" speech at some of our clients.

    We spent 4 hours discussing spyware, attachment best practices, viruses, adaware, malicious sites and policies on installing web apps.

    Shortly afterwards, using the ClickAware site, we sent out fake e-mail with (my personal favorite) the "Install this Microsoft Patch" message with a phantom 241K attachment.

    I can then view the click rate and then match the clicks to the internal IP browsing logs to see who's been a bad boy/girl/it.

    I'm stunned most of the time when not but 3 days after a rather lengthy, yet energetic, discussion, some 70% of the people (of 122 e-mails) actually clicked on the phantom attachment and saw the "If this was real you would be in trouble" message.

    As the subject says, I feel like I am wasting my time in performing these security meetings but hell, I'm getting paid for it.

    I know there will be the obligatory ( you must suck as a teacher then ) comments but it would be good to see if anyone else has experienced the same thing after doing security discussions with their employees.

    --
    Why do overlook and oversee mean opposite things?
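The correlation step the poster describes (matching clicks on the phantom attachment against internal browsing logs to find out who clicked) can be scripted. The following is an added example, not the poster's tooling and not WatchGuard's ClickAware. It assumes two constructed log formats: a click log from the simulation site (timestamp, source IP, per-recipient token) and an internal proxy log (timestamp, IP, authenticated user), plus a 30-second clock-skew window; every name, address and token below is made up.

```python
"""Attribute phishing-simulation clicks to users via the internal proxy log.

Constructed example (not the poster's tooling or WatchGuard's ClickAware).
The simulation site logs one line per click with the source IP and the
per-recipient token from the mail; the proxy log records which authenticated
user was browsing from that IP. Joining the two on IP and time attributes
each click to a user, flags IPs shared by several users (NAT, terminal
servers) as ambiguous, and computes the click rate against messages sent.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs; timestamps are ISO-8601 in one timezone.
CLICK_LOG = """\
2005-03-21T09:02:11 10.1.4.23 token=a1f3
2005-03-21T09:05:40 10.1.4.57 token=b77c
2005-03-21T09:06:02 10.1.4.23 token=a1f3
2005-03-21T10:15:09 10.1.9.8 token=c901
2005-03-21T11:00:00 10.1.7.70 token=d2e5
"""

PROXY_LOG = """\
2005-03-21T09:01:58 10.1.4.23 jsmith GET http://training.example/patch
2005-03-21T09:05:37 10.1.4.57 mjones GET http://training.example/patch
2005-03-21T09:05:59 10.1.4.23 jsmith GET http://training.example/patch
2005-03-21T10:14:50 10.1.9.8 akhan GET http://training.example/patch
2005-03-21T10:14:55 10.1.9.8 bpatel GET http://training.example/patch
"""

WINDOW = timedelta(seconds=30)  # assumed skew tolerance between the two clocks


def parse_clicks(text):
    """Return [(timestamp, ip, token)] for each non-empty click line."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, token = line.split()
        out.append((datetime.fromisoformat(ts), ip, token.split("=", 1)[1]))
    return out


def parse_proxy(text):
    """Return [(timestamp, ip, user)] for each non-empty proxy line."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user = line.split()[:3]
        out.append((datetime.fromisoformat(ts), ip, user))
    return out


def attribute_clicks(clicks, proxy, window=WINDOW):
    """Map each clicking IP to the users seen from it within the window.

    An IP with more than one candidate user is ambiguous and needs a second
    source (DHCP lease, workstation logon event); an IP with none is unmatched.
    """
    by_ip = defaultdict(set)
    for cts, cip, _token in clicks:
        by_ip.setdefault(cip, set())  # keep clicks that match no proxy line
        for pts, pip, user in proxy:
            if pip == cip and abs(pts - cts) <= window:
                by_ip[cip].add(user)
    return dict(by_ip)


def summarize(clicks, proxy, sent):
    """Return (clickers, ambiguous_ips, unmatched_ips, click_rate)."""
    attributed = attribute_clicks(clicks, proxy)
    clickers, ambiguous, unmatched = set(), set(), set()
    for ip, users in attributed.items():
        if len(users) == 1:
            clickers |= users
        elif users:
            ambiguous.add(ip)
        else:
            unmatched.add(ip)
    # One token per recipient, so unique tokens / messages sent is the
    # recipient click rate, like the poster's 70% of 122.
    tokens = {token for _, _, token in clicks}
    rate = len(tokens) / sent if sent else 0.0
    return clickers, ambiguous, unmatched, rate


if __name__ == "__main__":
    users, amb, unm, rate = summarize(parse_clicks(CLICK_LOG),
                                      parse_proxy(PROXY_LOG), sent=122)
    print("clicked:", sorted(users))
    print("ambiguous IPs:", sorted(amb))
    print("unmatched IPs:", sorted(unm))
    print(f"click rate: {rate:.1%}")
```

The per-recipient token is what makes the click rate honest: the same person opening the link twice (10.1.4.23 above) counts once. IP-to-user attribution is the weak link, so the script refuses to name anyone behind a shared address rather than guessing.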
  20. Government and Computers - Just say No! by camusflage · · Score: 3, Interesting

    This really shouldn't be terribly surprising. It has been made obvious that the government is not all that swift at securing technology. From the recent FBI email hack to the several times the Department of the Interior has been ordered offline by a federal judge because of their security ineptitude, it seems pretty clear to me that aside from a few pockets, by and large, the government couldn't secure a pop tart, let alone a complex network.

    --
    The truth about Scientology, Xenu, and you: Operation Clambake
  21. Company upgrade snafu by DodgeRules · · Score: 5, Interesting

    The company I worked for 6 years ago was upgrading some software on all of their computers. They emailed everyone asking them for their username and password so that the technician could log in to their computer at night and perform the upgrade. I refused to hand over my password and told them that I would be there at the time they wanted to perform the upgrade. They weren't very happy about it. When they came to upgrade, I logged in for them. And watched everything they did. I watched as they connected to the server and installed the upgrade. After they finished, they rebooted and left. I connected to the server again using my account and noticed that on the server was a list of everyone in the company, their usernames and passwords. Including the President and CEO of the company, CTO, CFO, all the way down the food chain. I walked over to the IT staff, showed them what I found and told them "THAT is why I won't give out my password."

    1. Re:Company upgrade snafu by omahajim · · Score: 4, Insightful

      So if the IT department can't reset the password of their own employees, what the hell good are they? If you can't remember your password, you're forever locked out of your account? In a company with a "food chain" large enough to include a CEO, CTO, CFO, and "all the way down", they weren't using SMS or some other central software distribution system that doesn't require individual visits to client desktops? I don't doubt your story, I laugh at the clearly deficient system design that required someone to personally visit every desktop for some "upgrade". Or maybe I don't know what I'm talking about. I'm sure moderation will let me know.

  22. blame the manager... by Elminst · · Score: 2, Interesting

    "Some hesitated but got approval from their managers to cooperate."

    Just goes to show that you don't promote based on brains.

    But then again, it doesn't show too much brains on the part of the employees either. They cave as soon as a "higher up" says it's okay.

    --
    No unauthorized use. Trespassers will be shot. Survivors will be shot again.
  23. RTFA by TubeSteak · · Score: 4, Funny

    Since few have read the fucking article, I'll quote the relevant portions here:

    The auditors called 100 IRS employees and managers, portraying themselves as personnel from the information technology help desk trying to correct a network problem. They asked the employees to provide their network logon name and temporarily change their password to one they suggested.

    "We were able to convince 35 managers and employees to provide us their username and change their password," the report said.

    That was a 50 percent improvement when compared with a similar test in 2001, when 71 employees cooperated and changed their passwords.

    ... three sentences ...

    Employees gave several reasons for complying with the request, in violation with IRS rules that prohibit employees from divulging their passwords.

    Some said they were not aware of the hacking technique and did not suspect foul play, or they wanted to be as helpful as possible to the computer technicians. Some were having network problems at the time, so the call seemed logical.

    Other employees could not find the caller's name on a global IRS employee directory but gave their information anyway. Some hesitated but got approval from their managers to cooperate.
    ... Two Sentences.

    With this news, I'll probably be calling my credit card company to see about helping a few customer service representatives with their account problems.

    Probably my health & car insurance companies too. It'd be great if I could save 15% on my car insurance.

    --
    [Fuck Beta]
    o0t!
    1. Re:RTFA by Phleg · · Score: 4, Funny

      Probably my health & car insurance companies too. It'd be great if I could save 15% on my car insurance.

      You could always just call Geico.

      --
      No comment.
  24. Homeland Security by varmittang · · Score: 2, Funny

    I got dibs on calling Homeland Security next!

    --
    -----BEGIN PGP SIGNATURE-----
    12345
    -----END PGP SIGNATURE-----
  25. What about employees of more sensitive agencies? by SteelV · · Score: 2, Interesting

    I know getting into the IRS is already pretty bad, but what about other government agencies (FBI, CIA) or the military? I know in many cases they are on separate networks, but in the cases where it's possible to get in...

    It would appear that they are more savvy, and receive more training, but who knows?

  26. Change your passwords! by dfj225 · · Score: 3, Funny

    Due to an error in the server configuration, all logins will fail unless you change your password to 'password'. We encourage all users to change their password in order to continue to enjoy services that logged in members have access to. Thank you, - Tech Support.

    --
    SIGFAULT
  27. there's worse by nigham · · Score: 3, Interesting

    You probably wouldn't believe it - I didn't at first - but some banks have a single password policy... that's right; there's just a single password for every user - get that out somehow and you have access to virtually everything.

    --
    I don't want to read /. I want to go home and re-think my life.
    1. Re:there's worse by camusflage · · Score: 4, Informative

      that's right; there's just a single password for every user

      Not any US bank, I wouldn't think. You see (and I work for a bank, so I know a thing or two..), every year, we have a couple of audits. In addition to the SEC stuff, which really doesn't touch much here, FDIC makes sure our procedures are solid. The bigger audit is OCC (Office of the Currency Comptroller). Typically, we have several auditors on-site for a week or a week and a half, poring over standards, guidelines, and procedures. If, and this is a big if, we had anything like a single password for all users, we would be dinged most severely.

      Then there's the whole GLBA (Gramm-Leach-Bliley Act) morass. GLBA governs a lot of things for banks, but most importantly for this discussion, that any customer sensitive or confidential data must be protected, access audited, etc. A single password for every user is neither protected nor auditable. Any financial institution found doing such things would be socked with a rather nasty five figure fine, more than likely. That alone is incentive enough not to cut corners on security.

      --
      The truth about Scientology, Xenu, and you: Operation Clambake
  28. A book about social engineering by comwiz56 · · Score: 3, Informative

    I suggest to anyone interested in social engineering (defending or attacking) to read the book 'The Art of Deception' by Kevin Mitnick, the hacker god himself.

  29. Ladies and gentlemen by Master_T · · Score: 2, Funny

    Your Tax Dollars at work.

  30. Re:"Hackers"? by 1u3hr · · Score: 3, Insightful

    Calling someone on the phone and asking them for their password is hardly "hacking", even in the loose sense most mainstream news media uses it.

  31. Moderation? by CustomFort · · Score: 4, Funny

    Or maybe I don't know what I'm talking about. I'm sure moderation will let me know.

    You must be new here... ;)

  32. public passwords by jamesh · · Score: 4, Interesting

    I hate it when users just give up their password when asked. But on the other hand it is so damn useful to be able to get into somebody's computer to fix a problem that only affects them (eg using their profile).

    One thing that Windows lacks is for an Admin user to be able to impersonate anyone à la su under Unix. It would make fixing problems for other people so much easier as you could log into their computer as them using your/admin credentials.

    1. Re:public passwords by lachlan76 · · Score: 3, Informative

      Look on MSDN, there's an ImpersonateUser function you can use, if you know how to program.

      Write up a quick VB/C++/C#/Whatever app, make up a login prompt, get it to login, impersonate the user, and start explorer (obviously, you'll need to shut down explorer first).

      You could do the same and spawn cmd as well, if that's all that is needed.

    2. Re:public passwords by lachlan76 · · Score: 3, Funny

      I prefer to use obfuscated perl to show the usability of the Unices...makes me look all 1337, and keeps the virus-writers away ;)

  33. No wonder... by Spy+der+Mann · · Score: 2, Insightful

    With this American culture showing hour-and-a-half infomercials, telling you lots of lies and "DIAL NOW and GET SLIM, BE HAPPY FOREVER" pressure.

    The American public has been educated by the media into BELIEVING scams, rather than distrusting them. No wonder it's the country with the greatest incidence of religious cults (as in "brainwashing" cults).

    So is it a mystery that people fall for sharing their passwords?

  34. HUMAN SOFTWARE UPGRADE!! by Maxhrk · · Score: 2, Funny

    HUMAN VERSION 2.0 CHANGELOG Fixed social engineering immunity system KNOWN BUG: AIDS Aging problem heart disease etc... (you know the rest.. i am trying to be funny :( )

  35. Mod parent insightful, please by godless+dave · · Score: 2, Insightful

    The American public has been educated by the media into BELIEVING scams, rather than distrusting them.

    --
    "If it's real, then it gets more interesting the closer you examine it. If it's not real, just the opposite is true." -
  36. Been There Done That by WaldoXX · · Score: 2, Insightful

    What did we learn from Kevin Mitnick's social engineering hacks? ABSOLUTELY NOTHING... Seems like employers have to teach their support staff the first word you learned as a tyke... NO

  37. It's a darn shame... by Lord_Breetai · · Score: 3, Funny

    I guess cracking the IRS dbase isn't so impressive. Poor Trinity. ^_^

    --
    "You are only young once, but you can be immature forever." -www.animemusicvideos.org
  38. Other reasons it's failing by 192939495969798999 · · Score: 2, Insightful

    There's another reason why social engineering works at a company like the IRS. They probably have a very CMM level 0 process for managing their I.T. infrastructure, and people just have to give out their passwords all the time just to get something they need to be fixed inside of a month. Turn that stuff around, and a lot fewer people will be giving out passwords.

    --
    stuff |
  39. I'm an SA for the DoT. by rgf71 · · Score: 2, Interesting

    This is very close to home for me. I'm the systems administrator for one of IRS's Training Centers.

    Other posters are correct... Government hasn't embraced technology nearly to the degree that the rest of the world has. My site in particular still has mostly 1 GHz machines, and half of them are still running NT4.

    You have to understand that most of IRS' employees are either accountants or lawyers, used to doing everything on paper. Getting these people trained on technology is getting better, but it's classically been like nailing jello to a wall. Only recently has there been any real effort to provide adequate training for everyone who touches a computer.

    Also note, of the ~103,000 IRS employees, I'd say 60 - 75% of them are older, near retirement. We all know how well older people love new technology :)