Slashdot Mirror
IRS Employees Fall For Hackers
linuxwrangler writes "Treasury department auditors recently posed as network technicians and attempted to get IRS employees to reveal their usernames and passwords and/or change the password to one suggested by the "technician". The result: over one-third shared their passwords. If there is any good news in the story it is that the 35% figure represents a substantial reduction from the 71% who fell for the ruse in 2001."
Just like I always say. Social Engineering is the biggest security problem nowadays. Maybe this time it showed a decrease in the people who fell for the attack, but I bet that if the Auditors increased the sophistication of their ruse, that they would actually increase the amount who fell for it.
We need more incompetence out there giving away our life stories!
If there is any good news in the story it is that the 35% figure represents a substantial reduction from the 71% who fell for the ruse in 2001.
You know, there's an old saying in Tennessee - I know it's in Texas, it's probably in Tennessee...
While not perfect results, a 50% decrease in the number of users giving away their password is a victory. Hopefully in a few years it will be down to 10%.
...the user is the largest security hole. Either you can restrict them to where they can't do their job, or somebody can get them to reveal their u/p for a candy bar.
This does not surtprise me, the typical IRS employee has probably only had a computer for 6 months. And it is probably a crippled 386. The IRS has NEVER been at the forefront of technology. In fact, it is a well kept secret that their use of technology is very limited. In addition, the caliber of people that will actually work for the IRS is not exactly the highest in the world. It is mostly Civil Service work. Now, before you jump up my ass with flames about not being fair, I am being fair. I didn't say Civil Service was bad, it just doesn't attract the finest we have to offer. Try training them.
A most overlooked advantage to owning a computer is if they foul up there's no law against wacking them around a bit.
I'm sure that all this bad press for the IRS must be really taxing.
Sorry.
There are 2 kinds of people in this world. Those that can keep their train of thought,
Anybody who's had any significant amount of contact with government workers isn't impressed. You could probably get 35% of them to stick their tongues in an electrical socket if a "technician" told them it'd make their "Internet work better".
any of those 35% that fell for it 4 years ago should immediately be sacked. you'd think that after such a drastic fuck up, someone might take it to heart...
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
Other employees could not find the caller's name on a global IRS employee directory but gave their information anyway. Some hesitated but got approval from their managers to cooperate.
Scary.
Call me silly, but I think people should know that ANYONE in a position to legitimately be messing around with your account already has the ability to do what they need without giving you a call. There should be a simple policy (and maybe there even is, but obviously even some managers don't know): DON'T give out your password or userid to anyone. Period. And start telling that to the managers!
The two hour echo strikes again.
H.
Wetware too is vulnerable to buffer overflow exploits. Annoy a person for long enough and they'll do what you say just to get you to stop talking.
English is easier said than done.
"Only two things are infinite, the universe and human stupidity, and I'm not
sure about the former." Albert Einstein
"Some said they were not aware of the hacking technique and did not suspect foul play, or they wanted to be as helpful as possible to the computer technicians. Some were having network problems at the time, so the call seemed logical."
It all appears to come from these people naturally wanting help those who ask for assistance and claim to be trying to help them. It also can be the result of ignorance, with their lack of knowledge of this technique, and thinking that it would be logical to give that kind of information. But here's what I find most interesting:
"Other employees could not find the caller's name on a global IRS employee directory but gave their information anyway. Some hesitated but got approval from their managers to cooperate."
It was managers that gave this approval? Aren't they the ones who should be informing the employees of social engineering attacks? I think this may be the problem right here.
Wow! Tax chicks will date me?
Social Engineering is the biggest problem. Just like I always say
Oh please. You have never ever said that before. Just yesterday you were saying the shrinkrap on new DVDs was the biggest problem. I can hear it now, "Damn it! I can't get open up my new Steel Magnolia Director's Cut DVD!!! This damn wrapper is the biggest problem! There should be a law!".
Strange women lying in ponds distributing swords is no basis for a system of government.
I started using a feature that WatchGuard has on their website called ClickAware within 2-3 days of our big "security" speech at some of our clients.
We spent 4 hours discussing spyware, attachment best practices, viruses, adaware, malicious sites and policys on installing web apps.
Shortly afterwards, using the ClickAware site, we send out fake e-mail with ( my personal favorite ) the "Install this Microsoft Patch" message with a phantom 241K attachment.
I can then view the click rate and then match the click's to the internal IP browsing logs to see who's been a bad boy/girl/it.
I'm stunned most of the time when not but 3 days after a rather lengthy, yet energetic, discussion, some 70% of the people ( of 122 e-mails ) actually clicked on the phantom attachment and saw the "If this was real you would be in trouble" message.
As the subject says, I feel like I am wasting my time in performing these security meetings but hell, I'm getting paid for it.
I know there will be the obligatory ( you must suck as a teacher then ) comments but it would be good to see if anyone else has experienced the same thing after doing security discussions with their employees.
Why do overlook and oversee mean opposite things?
This really shouldn't be terribly surprising. It has been made obvious that the government is not all that swift at securing technology. From the recent FBI email hack to the several times the Department of the Interior has been ordered offline by a federal judge because of their security ineptitude, it seems pretty clear to me that aside from a few pockets, by and large, the government couldn't secure a pop tart, let alone a complex network.
The truth about Scientology, Xenu, and you: Operation Clambake
The company I worked for 6 years ago was upgrading some software on all of their computers. They emailed everyone asking them for their username and password so that the technician could log in to their computer at night and perform the upgrade. I refused to hand over my password and told them that I would be there at the time they wanted to perform the upgrade. They weren't very happy about it. When they came to upgrade, I logged in for them. And watched everything they did. I watched as they connected to the server and install the upgrade. After they finished, they rebooted and left. I connected to the server again using my account and noticed that on the server was a list of everyone in the company, their usernames and passwords. Including the President and CEO of the company, CTO, CFO, all the way down the food chain. I walked over to the IT staff, showed them what I found and told them "THAT is why I won't give out my password."
Since few have read the fucking article, I'll quote the relevant portions here:
With this news, I'll probably be calling my credit card company to see about helping a few customer service representatives with their account problems.
Probably my health & car insurance companies too. It'd be great if I could save 15% on my car insurance.
[Fuck Beta]
o0t!
Due to an error in the server configuration, all logins will fail unless you change your password to 'password'. We encourage all users to change their password in order to continue to enjoy services that logged in members have access to. Thank you, - Tech Support.
SIGFAULT
you probably wouldn't believe it - i didn't at first - but some banks have a single password policy... thats right; there's just a single password for every user - get that out somehow and you have access to virtually everything
I don't want to read
First off, biometrics are not very secure. Second, how do you ssh in? Most programs don't have hooks for biometrics, after all. Web browser based interfaces. Lots of off the shelf software. Things where you want most of the data to stay on a central server, rather than storing all the tax information for the US on a guy's laptop...
I suggest to anyone interested in social engineering (defending or attacking) to read to the book 'The Art of Deception' by Kevin Mitnick, the hacker god himself.
Calling somone on the phone and asking them for their password is hardly "hacking", even in the loose sense most mainstream news media uses it.
Or maybe I don't know what I'm talking about. I'm sure moderation will let me know.
;)
You must be new here...
I hate it when users just give up their password when asked. But on the other hand it is so damn useful to be able to get into somebodies computer to fix a problem that only affects them (eg using their profile).
One thing that windows lacks is for an Admin user to be able to impersonate anyone ala su under unix. It would make fixing problems for other people so much easier as you could log into their computer as them using your/admin credentials.
I guess cracking the IRS dbase isn't so impressive. Poor Trinity. ^_^
"You are only young once, but you can be immature forever." -www.animemusicvideos.org