Slashdot Mirror


IRS Employees Fall For Hackers

linuxwrangler writes "Treasury department auditors recently posed as network technicians and attempted to get IRS employees to reveal their usernames and passwords and/or change the password to one suggested by the "technician". The result: over one-third shared their passwords. If there is any good news in the story it is that the 35% figure represents a substantial reduction from the 71% who fell for the ruse in 2001."

19 of 279 comments

  1. Social Engineering is the biggest problem by suso · · Score: 5, Insightful

    Just like I always say. Social Engineering is the biggest security problem nowadays. Maybe this time it showed a decrease in the people who fell for the attack, but I bet that if the Auditors increased the sophistication of their ruse, that they would actually increase the amount who fell for it.

    1. Re:Social Engineering is the biggest problem by LewsTherinKinslayer · · Score: 5, Insightful

      Social Engineering has always been the biggest problem. There is no such thing as perfect security when too many people are in the know, or have some sort of access.

      No matter how good an encryption system is, it's obviously going to fail if the person breaking in has the right information.

    2. Re:Social Engineering is the biggest problem by suso · · Score: 5, Insightful

      Right, but it also *seems* (I have no fact to back up this claim) that social engineering is the least worried about security vulnerability.

      I was however pleasantly surprised recently when going to a gas station, paying at the pump, the receipt didn't print out and when I went inside the cashier actually asked me for the last name on the card instead of just handing me the receipt. I almost offered him a job.

    3. Re:Social Engineering is the biggest problem by dezcola · · Score: 5, Interesting

      The first time I saw Social Engineering on the big screen was when Matthew Broderick got himself sent to the principal's office just so he could get the weekly password. That movie came out in '83 and the idea wasn't new then.

    4. Re:Social Engineering is the biggest problem by forkazoo · · Score: 5, Interesting

      I worry about it all the time. My users constantly volunteer their passwords when I don't ask for them. If they know I am going to use their computer to install a printer driver or something, many will write their password on a sticky note for me, "just in case."

      Our receptionist will buzz anybody into the office if they ask. After work one day, she admitted she felt bad not knowing anybody's name because she's new, and didn't want anybody to realise she didn't know them, so she buzzes everybody in.

      So, any random person could compromise my whole network by knowing only a few words of English. "Can you buzz me in?" and it doesn't matter what they say for the second part, because you can trust anybody in the building because you "need key card access," and the users will volunteer their password to anybody they think they can trust. ::sigh:: I spend more time worrying about spyware, though.

    5. Re:Social Engineering is the biggest problem by nacturation · · Score: 5, Informative

      Besides, any admin worth his salt will reset a user's password and tell him to change it instead of telling him to change it to what the admin wants.

      There's a good scam I read about in a book, I think it might have been the one written by Mitnick. Here's how it works:

      You pretend to be the network administrator testing some new security procedures and you phone up your target user. Introduce yourself and say that you're running some security testing on the networks and you need five minutes of their time to do some testing. Remind them that never, under any circumstances, should the user tell anybody else their password. Even reinforce that they shouldn't even tell you, as you don't need to know.

      Now here's the trick. Ask them to log off. Once they've done that, tell them that you're doing some monitoring and that they should now log in with their password... "and remember, don't tell me what it is!" Great, now we need to test the change password function. Get them to change their user account password to something which is known, such as "abacus". Once they've changed their password, ask them to log off again. You, the intruder, can now log in to their account as you know the password. If it's Unix-based, you can set up some kind of daemon to run and accept connections, grab random files, log in to the corporate VPN, whatever. Stall them for a little bit while you pillage their network... get them to log in, letting them know you can't see their login come through, etc. Whatever buys you the time you need.

      Then get them to log in once more and change their password back to what it was. Remind them yet again not to tell you that password as they should never tell anybody what their password is. Thank them for their time and for helping you test the security system [and for allowing you to preview tomorrow's result of whether or not the FDA will be accepting or rejecting their new drug therapy, thereby allowing you to take out appropriate options on the stock].

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
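The scam nacturation describes leaves a distinctive trail in authentication logs: the victim changes their password, a logon for that account arrives from a host the user has never used, and the password is changed again a few minutes later. The following is an added example of detection logic for that sequence, not code from the comment or from any vendor; the '|'-separated event format and the sample events are constructed for the example, and a real feed (Windows events 4723/4624, a Linux auth log) would only need a different parser.

```python
"""Detect the 'change your password to X, then change it back' pattern.

Added example, not from the comment above or from any tool.
Assumed, constructed event format (one event per line, '|'-separated):
    <ISO-8601 timestamp>|<PASSWORD_CHANGE or LOGON>|<user>|<source host>
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: jsmith is walked through the scam at 10:00; bjones
# changes a password legitimately and only ever logs on from the usual host.
SAMPLE_LOG = """\
2005-03-01T08:02:00|LOGON|jsmith|ws-jsmith
2005-03-01T08:05:00|LOGON|bjones|ws-bjones
2005-03-01T10:00:00|PASSWORD_CHANGE|jsmith|ws-jsmith
2005-03-01T10:02:30|LOGON|jsmith|vpn-pool-17
2005-03-01T10:09:00|PASSWORD_CHANGE|jsmith|ws-jsmith
2005-03-01T11:00:00|PASSWORD_CHANGE|bjones|ws-bjones
2005-03-01T11:01:00|LOGON|bjones|ws-bjones
"""


@dataclass
class Event:
    ts: datetime
    kind: str
    user: str
    host: str


def parse_events(lines):
    """Parse the assumed format; blank lines and '#' comments are ignored."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, kind, user, host = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), kind, user, host))
    return sorted(events, key=lambda e: e.ts)


def detect_change_and_revert(lines, window=timedelta(minutes=30)):
    """Return one finding per password change that is followed, within
    `window`, by a logon from a host never before seen for that user and
    then by a second password change (the 'change it back' step)."""
    by_user = {}
    for e in parse_events(lines):
        by_user.setdefault(e.user, []).append(e)

    findings = []
    for user, evs in by_user.items():
        seen_hosts = set()  # hosts this user has logged on from so far
        for i, e in enumerate(evs):
            if e.kind == "LOGON":
                seen_hosts.add(e.host)
                continue
            if e.kind != "PASSWORD_CHANGE":
                continue
            foreign = None  # first logon from an unfamiliar host after the change
            for f in evs[i + 1:]:
                if f.ts - e.ts > window:
                    break
                if f.kind == "LOGON" and foreign is None and f.host not in seen_hosts:
                    foreign = f
                elif f.kind == "PASSWORD_CHANGE" and foreign is not None:
                    findings.append({
                        "user": user,
                        "first_change": e.ts,
                        "foreign_host": foreign.host,
                        "foreign_logon": foreign.ts,
                        "revert": f.ts,
                    })
                    break
    return findings


if __name__ == "__main__":
    for hit in detect_change_and_revert(SAMPLE_LOG.splitlines()):
        print(hit)
```

The check needs a baseline of hosts per user before the first password change; an account with no prior logons in the window you feed it will flag every logon as foreign, so run it over a day or more of history. The 30-minute window is a tuning choice, not a fact from the thread.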
  2. Well, I'm glad choicepoint has competition.. by Tobias.Davis · · Score: 5, Funny

    We need more incompetence out there giving away our life stories!

  3. Fool me once... by The Amazing Fish Boy · · Score: 5, Funny

    If there is any good news in the story it is that the 35% figure represents a substantial reduction from the 71% who fell for the ruse in 2001.

    You know, there's an old saying in Tennessee - I know it's in Texas, it's probably in Tennessee...

  4. I would be happy.. by KenFury · · Score: 5, Insightful

    While not perfect results, a 50% decrease in the number of users giving away their password is a victory. Hopefully in a few years it will be down to 10%.

  5. No matter what OS you're running... by TelJanin · · Score: 5, Informative

    ...the user is the largest security hole. Either you can restrict them to where they can't do their job, or somebody can get them to reveal their u/p for a candy bar.

  6. Apologies in advance... by nganju · · Score: 5, Funny

    I'm sure that all this bad press for the IRS must be really taxing.

    Sorry.

    --
    There are 2 kinds of people in this world. Those that can keep their train of thought,
  7. Hmmm by user9918277462 · · Score: 5, Funny

    Anybody who's had any significant amount of contact with government workers isn't impressed. You could probably get 35% of them to stick their tongues in an electrical socket if a "technician" told them it'd make their "Internet work better".

  8. Giving out passwords by dcclark · · Score: 5, Informative

    Other employees could not find the caller's name on a global IRS employee directory but gave their information anyway. Some hesitated but got approval from their managers to cooperate.

    Scary.

    Call me silly, but I think people should know that ANYONE in a position to legitimately be messing around with your account already has the ability to do what they need without giving you a call. There should be a simple policy (and maybe there even is, but obviously even some managers don't know): DON'T give out your password or userid to anyone. Period. And start telling that to the managers!

  9. slashdot_story= yahoo_story_delay(2hrs); by hedley · · Score: 5, Funny

    The two hour echo strikes again.

    H.

  10. Not isolated to software by hunterx11 · · Score: 5, Funny

    Wetware too is vulnerable to buffer overflow exploits. Annoy a person for long enough and they'll do what you say just to get you to stop talking.

    --
    English is easier said than done.
  11. Defence Against Social Engineering by Shackleford · · Score: 5, Informative

    As I read through the article, I wondered what it was that made these employees think that giving their usernames and passwords could possibly correct anything that was occurring on the network. Then in the article was the explanation I was looking for.

    "Some said they were not aware of the hacking technique and did not suspect foul play, or they wanted to be as helpful as possible to the computer technicians. Some were having network problems at the time, so the call seemed logical."

    It all appears to come from these people naturally wanting to help those who ask for assistance and claim to be trying to help them. It also can be the result of ignorance, with their lack of knowledge of this technique, and thinking that it would be logical to give that kind of information. But here's what I find most interesting:

    "Other employees could not find the caller's name on a global IRS employee directory but gave their information anyway. Some hesitated but got approval from their managers to cooperate."

    It was managers that gave this approval? Aren't they the ones who should be informing the employees of social engineering attacks? I think this may be the problem right here.

  12. "IRS Employees Fall For Hackers" by Anonymous Coward · · Score: 5, Funny

    Wow! Tax chicks will date me?

  13. Wasted time..but at least I made money by gmerideth · · Score: 5, Interesting

    I started using a feature that WatchGuard has on their website called ClickAware within 2-3 days of our big "security" speech at some of our clients.

    We spent 4 hours discussing spyware, attachment best practices, viruses, adaware, malicious sites and policies on installing web apps.

    Shortly afterwards, using the ClickAware site, we sent out fake e-mail with ( my personal favorite ) the "Install this Microsoft Patch" message with a phantom 241K attachment.

    I can then view the click rate and then match the clicks to the internal IP browsing logs to see who's been a bad boy/girl/it.

    I'm stunned most of the time when not but 3 days after a rather lengthy, yet energetic, discussion, some 70% of the people ( of 122 e-mails ) actually clicked on the phantom attachment and saw the "If this was real you would be in trouble" message.

    As the subject says, I feel like I am wasting my time in performing these security meetings but hell, I'm getting paid for it.

    I know there will be the obligatory ( you must suck as a teacher then ) comments but it would be good to see if anyone else has experienced the same thing after doing security discussions with their employees.

    --
    Why do overlook and oversee mean opposite things?
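gmerideth's step of matching clicks against the internal browsing logs is a join between two logs: the simulation landing page only sees a source IP and a time, while an authenticating proxy records which user made the request. The block below is an added example of that join, written for this page; it is not gmerideth's tooling and not part of WatchGuard's ClickAware. The two log formats, the landing-page URL, the recipient list and every log line are constructed assumptions.

```python
"""Attribute phishing-simulation clicks to users by joining the landing
page's click log with the authenticating proxy's log.

Added example, not the commenter's or WatchGuard's code. Assumed,
constructed formats (space-separated fields):
    click log : <ISO ts> <client ip>
    proxy log : <ISO ts> <client ip> <auth user> <method> <url>
"""
from datetime import datetime, timedelta

LANDING_PREFIX = "http://clickaware.example/p/"  # assumed landing-page URL

# Constructed click log as the simulation landing page would record it.
CLICK_LOG = """\
2005-03-04T09:12:06 10.0.0.21
2005-03-04T09:13:11 10.0.0.22
2005-03-04T09:20:00 10.0.0.99
"""

# Constructed proxy log; the proxy knows the authenticated user.
PROXY_LOG = """\
2005-03-04T09:12:05 10.0.0.21 alice GET http://clickaware.example/p/abc
2005-03-04T09:12:40 10.0.0.22 bob GET http://intranet.example/home
2005-03-04T09:13:10 10.0.0.22 bob GET http://clickaware.example/p/abc
2005-03-04T09:14:00 10.0.0.23 carol GET http://news.example/
"""

RECIPIENTS = ["alice", "bob", "carol", "dave"]  # assumed: who got the fake mail


def parse_clicks(text):
    """(timestamp, client ip) per non-empty line of the click log."""
    out = []
    for line in text.splitlines():
        if line.strip():
            ts, ip = line.split()
            out.append((datetime.fromisoformat(ts), ip))
    return out


def parse_proxy(text):
    """(timestamp, client ip, user, url) per non-empty line of the proxy log."""
    out = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, user, _method, url = line.split()
            out.append((datetime.fromisoformat(ts), ip, user, url))
    return out


def attribute_clicks(click_text, proxy_text, slack=timedelta(seconds=60)):
    """For each click, find a proxy request for the landing page from the
    same IP within `slack` and take its authenticated user; None if none."""
    landing = [p for p in parse_proxy(proxy_text) if p[3].startswith(LANDING_PREFIX)]
    results = []
    for ts, ip in parse_clicks(click_text):
        user = next((u for pts, pip, u, _url in landing
                     if pip == ip and abs(pts - ts) <= slack), None)
        results.append({"ts": ts, "ip": ip, "user": user})
    return results


def click_rate(results, recipients):
    """Fraction of recipients who clicked at least once, and their names."""
    clicked = sorted({r["user"] for r in results if r["user"] in recipients})
    return len(clicked) / len(recipients), clicked


if __name__ == "__main__":
    res = attribute_clicks(CLICK_LOG, PROXY_LOG)
    for r in res:
        print(r)
    print(click_rate(res, RECIPIENTS))
```

The unmatched click from 10.0.0.99 is the case to watch for: an IP the proxy never saw for the landing page means a DHCP lease that changed hands, a host that bypasses the proxy, or a forwarded mail opened outside the recipient list, and it should be investigated rather than silently dropped from the rate. Matching on the authenticated proxy user rather than on IP alone is what makes the attribution hold up when several people share an address behind NAT.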
  14. Company upgrade snafu by DodgeRules · · Score: 5, Interesting

    The company I worked for 6 years ago was upgrading some software on all of their computers. They emailed everyone asking them for their username and password so that the technician could log in to their computer at night and perform the upgrade. I refused to hand over my password and told them that I would be there at the time they wanted to perform the upgrade. They weren't very happy about it. When they came to upgrade, I logged in for them. And watched everything they did. I watched as they connected to the server and installed the upgrade. After they finished, they rebooted and left. I connected to the server again using my account and noticed that on the server was a list of everyone in the company, their usernames and passwords. Including the President and CEO of the company, CTO, CFO, all the way down the food chain. I walked over to the IT staff, showed them what I found and told them "THAT is why I won't give out my password."