IRS Employees Fall For Hackers
linuxwrangler writes "Treasury department auditors recently posed as network technicians and attempted to get IRS employees to reveal their usernames and passwords and/or change the password to one suggested by the "technician". The result: over one-third shared their passwords. If there is any good news in the story it is that the 35% figure represents a substantial reduction from the 71% who fell for the ruse in 2001."
Just like I always say. Social Engineering is the biggest security problem nowadays. Maybe this time it showed a decrease in the people who fell for the attack, but I bet that if the Auditors increased the sophistication of their ruse, that they would actually increase the amount who fell for it.
We need more incompetence out there giving away our life stories!
If there is any good news in the story it is that the 35% figure represents a substantial reduction from the 71% who fell for the ruse in 2001.
You know, there's an old saying in Tennessee - I know it's in Texas, it's probably in Tennessee...
While not perfect results, a 50% decrease in the number of users giving away their password is a victory. Hopefully in a few years it will be down to 10%.
...the user is the largest security hole. Either you can restrict them to where they can't do their job, or somebody can get them to reveal their u/p for a candy bar.
I'm sure that all this bad press for the IRS must be really taxing.
Sorry.
There are 2 kinds of people in this world. Those that can keep their train of thought,
Anybody who's had any significant amount of contact with government workers isn't impressed. You could probably get 35% of them to stick their tongues in an electrical socket if a "technician" told them it'd make their "Internet work better".
Any of those 35% that fell for it 4 years ago should immediately be sacked. You'd think that after such a drastic fuck up, someone might take it to heart...
Other employees could not find the caller's name on a global IRS employee directory but gave their information anyway. Some hesitated but got approval from their managers to cooperate.
Scary.
Call me silly, but I think people should know that ANYONE in a position to legitimately be messing around with your account already has the ability to do what they need without giving you a call. There should be a simple policy (and maybe there even is, but obviously even some managers don't know): DON'T give out your password or userid to anyone. Period. And start telling that to the managers!
The two hour echo strikes again.
Wetware too is vulnerable to buffer overflow exploits. Annoy a person for long enough and they'll do what you say just to get you to stop talking.
"Only two things are infinite, the universe and human stupidity, and I'm not
sure about the former." Albert Einstein
"Some said they were not aware of the hacking technique and did not suspect foul play, or they wanted to be as helpful as possible to the computer technicians. Some were having network problems at the time, so the call seemed logical."
It all appears to come from these people naturally wanting to help those who ask for assistance and claim to be trying to help them. It also can be the result of ignorance, with their lack of knowledge of this technique, and thinking that it would be logical to give that kind of information. But here's what I find most interesting:
"Other employees could not find the caller's name on a global IRS employee directory but gave their information anyway. Some hesitated but got approval from their managers to cooperate."
It was managers that gave this approval? Aren't they the ones who should be informing the employees of social engineering attacks? I think this may be the problem right here.
Wow! Tax chicks will date me?
I started using a feature that WatchGuard has on their website called ClickAware within 2-3 days of our big "security" speech at some of our clients.
We spent 4 hours discussing spyware, attachment best practices, viruses, Ad-Aware, malicious sites and policies on installing web apps.
Shortly afterwards, using the ClickAware site, we sent out a fake e-mail with ( my personal favorite ) the "Install this Microsoft Patch" message with a phantom 241K attachment.
I can then view the click rate and then match the clicks to the internal IP browsing logs to see who's been a bad boy/girl/it.
I'm stunned most of the time when not but 3 days after a rather lengthy, yet energetic, discussion, some 70% of the people ( of 122 e-mails ) actually clicked on the phantom attachment and saw the "If this was real you would be in trouble" message.
As the subject says, I feel like I am wasting my time in performing these security meetings but hell, I'm getting paid for it.
I know there will be the obligatory ( you must suck as a teacher then ) comments but it would be good to see if anyone else has experienced the same thing after doing security discussions with their employees.
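The correlation step the poster describes (matching tracker clicks back to the internal browsing logs to see who opened the phantom attachment) is the part that turns a click rate into a training list. The script below is an added example, not code from the thread or from WatchGuard's ClickAware: the log formats, the tracker hostname `clickaware.example.test`, the user names and the recipient count are all constructed assumptions. It attributes each click to the proxy entry from the same internal IP that hit the tracker host closest in time, so an address that changed hands during the day (DHCP reuse) is credited to the person who actually held it at click time, and clicks with no matching proxy line are reported separately rather than guessed.

```python
"""Correlate phishing-drill click records with internal proxy logs.

Added example for the thread above; not ClickAware's or the poster's code.
Log formats, hostnames, user names and counts are constructed assumptions.
"""
from collections import Counter
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed click records from a hypothetical tracking site:
# "timestamp,source_ip,campaign"
CLICK_LOG = """\
2005-03-17T09:02:11,10.1.4.22,patch-drill-03
2005-03-17T09:05:40,10.1.4.37,patch-drill-03
2005-03-17T09:06:02,10.1.4.22,patch-drill-03
2005-03-17T13:44:19,10.1.4.51,patch-drill-03
2005-03-17T15:10:00,10.1.4.90,patch-drill-03
"""

# Constructed proxy log: "timestamp internal_ip user url".
# Note 10.1.4.51 is used by bwong in the morning and rlee in the afternoon.
PROXY_LOG = """\
2005-03-17T09:01:58 10.1.4.22 jdoe http://intranet.example.test/home
2005-03-17T09:02:10 10.1.4.22 jdoe http://clickaware.example.test/t/patch-drill-03
2005-03-17T09:05:39 10.1.4.37 asmith http://clickaware.example.test/t/patch-drill-03
2005-03-17T09:06:01 10.1.4.22 jdoe http://clickaware.example.test/t/patch-drill-03
2005-03-17T13:30:00 10.1.4.51 bwong http://intranet.example.test/home
2005-03-17T13:44:18 10.1.4.51 rlee http://clickaware.example.test/t/patch-drill-03
"""

RECIPIENTS = 6                            # constructed: people who got the test e-mail
TRACKER_HOST = "clickaware.example.test"  # constructed tracker hostname
WINDOW = timedelta(seconds=5)             # max clock skew between tracker and proxy


def parse_clicks(text):
    """Return [(timestamp, ip, campaign), ...] from the tracker export."""
    clicks = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, campaign = line.split(",")
            clicks.append((datetime.fromisoformat(ts), ip, campaign))
    return clicks


def parse_proxy(text):
    """Return [(timestamp, ip, user, url), ...] from the proxy log."""
    entries = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, user, url = line.split()
            entries.append((datetime.fromisoformat(ts), ip, user, url))
    return entries


def attribute_clicks(clicks, proxy, tracker_host=TRACKER_HOST, window=WINDOW):
    """Map each click to the user who held that IP when the tracker was hit.

    Returns (Counter of clicks per user, list of clicks with no proxy match).
    """
    per_user = Counter()
    unattributed = []
    for click_ts, click_ip, _campaign in clicks:
        # Only proxy lines from the same IP, to the tracker host, within the window.
        candidates = [
            (abs(ts - click_ts), user)
            for ts, ip, user, url in proxy
            if ip == click_ip
            and urlsplit(url).hostname == tracker_host
            and abs(ts - click_ts) <= window
        ]
        if candidates:
            _, user = min(candidates)   # nearest in time wins
            per_user[user] += 1
        else:
            unattributed.append((click_ts, click_ip))
    return per_user, unattributed


def click_rate(per_user, recipients):
    """Fraction of recipients who clicked at least once (repeat clicks count once)."""
    return len(per_user) / recipients if recipients else 0.0


def run_report():
    per_user, unattributed = attribute_clicks(parse_clicks(CLICK_LOG), parse_proxy(PROXY_LOG))
    return {
        "per_user": dict(per_user),
        "unattributed": unattributed,
        "click_rate": click_rate(per_user, RECIPIENTS),
    }


if __name__ == "__main__":
    report = run_report()
    for user, n in sorted(report["per_user"].items()):
        print(f"{user}: {n} click(s)")
    print("unattributed clicks:", report["unattributed"])
    print(f"click rate: {report['click_rate']:.0%}")
```

The last click (from 10.1.4.90) has no proxy line at all, which is what a VPN or guest address typically looks like in this kind of join; it is listed rather than silently dropped so the rate is not understated. The rate counts distinct people, not clicks, since a user who clicks twice is still one person who needs the follow-up.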
The company I worked for 6 years ago was upgrading some software on all of their computers. They emailed everyone asking them for their username and password so that the technician could log in to their computer at night and perform the upgrade. I refused to hand over my password and told them that I would be there at the time they wanted to perform the upgrade. They weren't very happy about it. When they came to upgrade, I logged in for them. And watched everything they did. I watched as they connected to the server and installed the upgrade. After they finished, they rebooted and left. I connected to the server again using my account and noticed that on the server was a list of everyone in the company, their usernames and passwords. Including the President and CEO of the company, CTO, CFO, all the way down the food chain. I walked over to the IT staff, showed them what I found and told them "THAT is why I won't give out my password."
Since few have read the fucking article, I'll quote the relevant portions here:
With this news, I'll probably be calling my credit card company to see about helping a few customer service representatives with their account problems.
Probably my health & car insurance companies too. It'd be great if I could save 15% on my car insurance.
Or maybe I don't know what I'm talking about. I'm sure moderation will let me know.
;)
You must be new here...
I hate it when users just give up their password when asked. But on the other hand it is so damn useful to be able to get into somebody's computer to fix a problem that only affects them (eg using their profile).
One thing that Windows lacks is for an Admin user to be able to impersonate anyone à la su under Unix. It would make fixing problems for other people so much easier as you could log into their computer as them using your/admin credentials.
That's right; there's just a single password for every user
Not any US bank, I wouldn't think. You see (and I work for a bank, so I know a thing or two..), every year, we have a couple of audits. In addition to the SEC stuff, which really doesn't touch much here, FDIC makes sure our procedures are solid. The bigger audit is OCC (Office of the Currency Comptroller). Typically, we have several auditors on-site for a week or a week and a half, poring over standards, guidelines, and procedures. If, and this is a big if, we had anything like a single password for all users, we would be dinged most severely.
Then there's the whole GLBA (Gramm-Leach-Bliley Act) morass. GLBA governs a lot of things for banks, but most importantly for this discussion, that any customer sensitive or confidential data must be protected, access audited, etc. A single password for every user is neither protected nor auditable. Any financial institution found doing such things would be socked with a rather nasty five figure fine, more than likely. That alone is incentive enough not to cut corners on security.
A few notes from someone who works at the subject TLA.
Flat wrong. Essentially every IRS employee gets a computer when they come on board.
Wrong. All the 386s have been gone for years. The slowest machines in common use are 800 MHz Dell C600s and they're being replaced this year.
Demonstrably wrong. Look at the history of LCD fabs for one example. Specifically, IRS demand for larger LCDs drove much of that industry's momentum a couple of decades ago. Look up the screen specs for the old Zenith 171 lunchbox computer.
You want more current examples? Linux deployment, our VPN implementations, and plenty of other things we do have been at the leading edge of what's workable for a long time.
Where in the hell did you get that idea? Holy smoke, our work processes are so tied to technology it's ridiculous. That's why people freak out when computers don't work and they're willing to do anything, even, sometimes, give out their passwords, to get things working again. I really don't know where you're getting this crap.
Ad hominem and not worth responding to. Wrong, to boot.
The Civil Service system is almost dead. If you didn't get on board over 20 years ago, you're probably not even a member. Almost everyone is a Federal Employee Retirement System member now, so the old "stay there a lifetime and ossify in your chair because you're bound to the retirement system" motivation no longer exists. As for the more general use of the term, as in "Civil Service protections," they've been under unrelenting attack for so long there's little left. Yes, it's different from private industry but the old image of "Civil Service," which is what you're evoking, is simply no longer anywhere close to accurate.
I would never flame someone for ignorance. Ignorance is curable.
Finally, something insightful. Thank you. The IRS dedication to computer training is pitiful and if that condition were corrected, much of these problems would go away.
As an aside, the IRS was on the verge of making huge inroads on this in 2001. We had set up a new-hire training model that shipped all new employees to a central location for training. The advantages were absolutely huge. This successfully addressed complaints from tax professionals about disparate enforcement of tax law in different jurisdictions because everyone was going to be trained to do things the same way. In addition, since everyone was in one place at the same time, the IT folks had managed to get time slots to provide real, quality training to everyone. Things were good.
We were in class on 9/11. We dealt with getting people home during the full ground stop. We dealt with people who saw massive numbers of their coworkers dying on television and simply collapsed under the emotional assault. (Not our people, but some of the folks working in the same facility were HQ'd in the WTC.) We dealt with people having an unreasonable fear of flying for a long time. (I spent a half day printing maps and plotting routes for shaky employees who had chosen to rent cars and drive home, even if that drive was a thousand miles.)
The bottom line, though, was that centralized (read: high quality, consistent) training was then deemed too cumbersome and the program canceled. Big mistake. I hope we find a better way to do things before I retire.