Trojan Compromises Oregon Taxpayers
Blair writes "An employee at the Oregon Department of Revenue downloaded a trojan file from a porn site, possibly compromising up to 2,200 taxpayers. An information technology security officer with the state said, 'the released data likely involved names, addresses or Social Security numbers, or possibly in some cases all three.' I guess some of our public workers are having too much fun after all."
Most people just don't give a damn about computer security.
This is the same old story over again, it shouldn't surprise you, why? Here are some links to get you started
Can't we all just get along
We should list the failures. Otherwise we don't learn anything. Since events like this are occurring all over the place, there is obviously an issue with government security controls. I'll start:
1. Allowing private data to be stored on a workstation that has access to the Internet.
2. Failure to encrypt private data or a private key (presumably) when the computer is connected to the Internet.
3. Allowing a user who has access to private data to access sites that do not have anything to do with official duties.
4. Failure to log data packets sent on a secure computer (not every packet, but at least the bytes sent).
All of these have the same root cause: the government and government employees did not consider the private data in their custody important enough to require rigorous controls and rigorous controls were not implemented. We could break down the problems into training issues, operational issues, etc., and politicians certainly will. But I would guess that the issue was due to a lack of political motivation to hold accountable every state IT group that has access to private data. Secure networks with access to classified or private information can be built, like the SIPRNET, but people didn't think the private data was important enough. It will change in Oregon (at least for the Dept. of Revenue) due to this incident, but elsewhere in the country people will carry on business as usual, until it affects them.
Anyone want to guess how long it takes before Social Security numbers become worthless because of these data intrusions? We know the government isn't going to learn.
Quote from this one: "We maybe had a false sense of security," O'Meara said.
Whoa, maybe. Y'think?
The Trojan horse gathered the equivalent of 7,000 text pages of data.
Somewhere a scammer is very, very busy.
.. paranoid crackpot leftover from the days of Amiga.
Mod this guy up, he knows what he's talking about. I work with Data in the private sector and data like this cannot be on an unprotected machine.
What he's saying is that the data should only be on an Oracle or whatever database where only reporting applications can run pre-written reporting programs on it. Those programs will then return reports to the idiot business people. Those reports will not return a soc. or other identifying info all at the same time (and rarely that stuff at all).
The reporting monkeys take *that* home. No one actually gets to see the data. This is exactly what part of Sarbanes-Oxley is forcing the private sector to do with customer credit card data and other sensitive info.
None of that information is secret. Your SSN, Address, and Name are all public information, the subject of numerous public records that anyone patient enough can pay $.10 per copy to get. Or just visit the appropriate county records website.
There is a switch in the story from employee to "ex". The employee was fired subsequent to the leak, but was "working" at the time of the download.
.. paranoid crackpot leftover from the days of Amiga.
I work for a school district in California and as part of my duties I am responsible for the content filter (squid children+dansguardian+squid parent peers) and I parse the content to sarg logs with a few custom reports. One of those reports is between the hours of 3-5pm and on
I can tell you, the majority of web usage during the hours where students are not present (90%+ of bandwidth utilization yearly, nearly 100% during Late Nov/all Dec) is personal shopping. Sure, there is a good deal of sports and a spattering of news sites as well. But the people your tax dollars pay to be doing work, are spending your tax dollars and getting paid to do it.
Individuals who get caught have their internet disabled and *might* be written up. Being written up in government means you might be able to have it used against you if you: a) sexually harass someone, or b) come to work drunk/stoned. As far as penalties in government work, umm... there aren't really any. I do have to pay state income tax (with no other income source than the state). Of course there are lots of other inefficiencies, rampant graft, overly complex bureaucratic hierarchies and completely complacent unions, but such are the benefits of socialism.
A lawyer is unnecessary and expensive. It's easy to handle ID theft once you understand that the situation cannot be corrected immediately, that you shouldn't go ballistic, and that time and patience (and a few simple procedures) is all that's required to correct the situation:
Above all, be patient, take your time (there's no rush, all changes are made at snail mail speed at best) and don't worry. Just go through the steps and everything can be corrected within about 180 days.
After that, make sure you check your credit record with the major credit bureaus at least once a year. They'll send this for free. Follow the above steps whenever you see a fraudulent account or application. The Bad Guys won't be able to touch you.
Why do you assume there was no web filtering software?
There was. Major player in the industry, updated every day.
Virus software on the desktops set to update ever 2 hours.
This was a zero day exploit from a non-obvious, not yet blocked web site.
It reported back only via port 80.
The trojan wasn't picked up by virus protection until after we reported it, which was after we discovered it.
He might have been an idiot, but not a dumb one.
As for rules on conduct, surprisingly, browsing porn is actually against the rules.
You have to sign an Internet Use agreement before you can use the Internet.
Windows? Well, we have no choice there.
There were some things that the tech staff has asked for that we now are likely to change, but the tech stuff is much better than I've seen in the other agencies.
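The poster above describes a trojan that no filter or AV signature caught and that "reported back only via port 80"; the earlier post about parsing squid content-filter logs points at where such traffic is still visible. The following is an added example (not code from any poster here) that scans constructed squid-style proxy log lines for a client repeatedly POSTing large bodies to one host at regular intervals. The log format, with request and reply sizes in the last two fields, is an assumption for the example.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample lines in an assumed custom squid logformat:
#   epoch client method url status reply_bytes request_bytes
# (squid's logformat can emit reply/request sizes via %<st / %>st;
# the exact field order here is an assumption for this example).
SAMPLE_LOG = """\
1137600000 10.1.5.23 GET http://news.example.com/index.html 200 48211 412
1137600010 10.1.5.23 POST http://198.51.100.77/up.php 200 311 64512
1137600070 10.1.5.23 POST http://198.51.100.77/up.php 200 310 64512
1137600130 10.1.5.23 POST http://198.51.100.77/up.php 200 309 64512
1137600190 10.1.5.23 POST http://198.51.100.77/up.php 200 312 64512
1137600250 10.1.5.23 POST http://198.51.100.77/up.php 200 311 64512
1137600300 10.1.5.40 POST http://mail.example.com/send 200 2200 1800
1137600900 10.1.5.40 POST http://mail.example.com/send 200 2150 3100
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\d{3}) (\d+) (\d+)$")
HOST_RE = re.compile(r"^https?://([^/]+)")

def parse(log_text):
    """Yield (epoch, client, host, method, request_bytes) for each valid line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed or truncated lines rather than crash
        ts, client, method, url, _status, _reply, req = m.groups()
        host = HOST_RE.match(url)
        if host:
            yield int(ts), client, host.group(1), method, int(req)

def find_beacons(log_text, min_posts=4, min_out_bytes=100_000, max_jitter=0.2):
    """Flag (client, host) pairs that POST large bodies at near-regular
    intervals: the shape of data leaving over plain HTTP on port 80."""
    by_pair = defaultdict(list)
    for ts, client, host, method, req in parse(log_text):
        if method == "POST":
            by_pair[(client, host)].append((ts, req))
    hits = []
    for (client, host), events in by_pair.items():
        if len(events) < min_posts:
            continue
        events.sort()
        out_bytes = sum(b for _, b in events)
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        jitter = pstdev(gaps) / mean(gaps) if mean(gaps) else 1.0
        if out_bytes >= min_out_bytes and jitter <= max_jitter:
            hits.append({"client": client, "host": host, "posts": len(events),
                         "out_bytes": out_bytes, "interval_s": round(mean(gaps))})
    return hits
```

Normal users (like 10.1.5.40 above) post irregularly and in small amounts; the thresholds are starting points to tune against a site's own baseline.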
I work with Data in the private sector and data like this cannot be on an unprotected machine.
I don't know what companies you've been working for, but out there in the real world, people tend to run things by the seat of their pants. I've seen data, including credit card data, stored in a database on a Windows 2000 server directly connected to the internet. I've had data worth millions of dollars emailed to me on the same machine I browsed Slashdot on during lunch. It was a Windows 2000 machine too.
That's just personal experience. I've heard stories of critical data sitting in USB shared drives, secured by nothing but friction to their sockets. Private company files transferred to the upstairs office via a hotmail account. Databases being backed up to iPods. The list goes on.
These stories didn't come from government or other public organisations. No. These are stories straight from private industry, that magical market force that will save us all. If you think people actually follow the rules out there in the real world, you'd do better to think again.
May the Maths Be with you!
You work with Data? I always thought he was just a fictional Star Trek character
SCNR
The Tao of math: The numbers you can count are not the real numbers.