Slashdot Mirror


Trojan Compromises Oregon Taxpayers

Blair writes "An employee at the Oregon Department of Revenue downloaded a trojan file from a porn site, possibly compromising up to 2,200 taxpayers. An information technology security officer with the state said, 'the released data likely involved names, addresses or Social Security numbers, or possibly in some cases all three.' I guess some of our public workers are having too much fun after all."


  1. moron! by eobanb · Score: 5, Insightful

    Forgive my crudeness, but...what an idiot!

    Actually there seem to be multiple failures in this. Running Windows, not employing some sort of web filtering software, lax rules on conduct...I don't know where to even begin.

    --

    Take off every sig. For great justice.

    1. Re:moron! by djupedal · Score: 2, Insightful

      nearly 100% during Late Nov/all Dec) is personal shopping

      'Cake & eat it too' kind of Sheriff you are, eh?

      There is a reason you're only a filter nazi and the school admin is an admin...

      Most employers know that their employees shop online via their work computer - and most don't break a sweat over it, because it is either allow it or face having them absent an entire afternoon just to drop by Border's. Shopping online for 30 minutes can take the place of driving around, looking for parking, cruising the mega-mall on foot and standing in long queues just to pay for one pair of earrings....all of which can take up the better part of an afternoon.

      What the district gives up in active hours is made up for in spades simply by having the teacher at their desk. Take the ability to shop away and see how fast they all head for the exit. Besides, when they stop using the computers, and there is no longer a need to filter the hell out of 'em, you no longer have a job.

    2. Re:moron! by Mr+Z · Score: 2, Insightful

      BINGO! And that time not spent driving around hell's half acre to get some chores done leads to a less stressed, happier employee. And, in the case of teachers, more time at home to grade papers. :-) It's not like teachers do all their work on site between 8AM and 5PM.

      --Joe

    3. Re:moron! by Secrity · Score: 2, Insightful

      Social Security numbers should never have had any value to anybody except to track an individual's Social Security (not IRS) taxes and benefits.

      There are only four entities that should have your Social Security number; Yourself, your spouse, your employer, and the US Social Security Administration. Nobody else should have your Social Security number; not the IRS, no state or local governments, and especially; not the banks, lenders or credit bureaus.

      When Social Security numbers were introduced, many people resisted them because they feared that they would become national ID numbers. The US government appeased the US citizens by assuring them that Social Security numbers would and could never be used for identification -- that is why Social Security cards used to say "Not to be used for Identification." The long and short of it is that the US government lied to the citizens and Social Security numbers have become de-facto national identification numbers used and misused both by various government agencies and private entities.

  2. Indicative of a larger problem by mcpkaaos · Score: 5, Insightful

    What was real data doing on a workstation with Internet access in the first place? One would think (hope?) that such data would be under heavy lock and key and only accessible by the software written to manage it or, when absolutely necessary, a trusted administrator with lotsa logging.

    It is absolutely amazing to me that this event was even possible.

    --
    It goes from God, to Jerry, to me.
    1. Re:Indicative of a larger problem by megaditto · Score: 3, Insightful

      a trusted administrator with lotsa logging

      A competent admin is working elsewhere, where s/he is paid accordingly. The IT leftovers, not able to get hired by the private sector, get to work for the Govt... Generalization, of course, but more true than not.

      Remember, in 2006, nearly 5 years after 9/11, most FBI employees still do not have work email access, or the ability to do multiple-word searches (e.g. cannot search for "bin laden", have to enter just "bin", then scroll down, because of the space character!). So what can you expect from the State govt of Oregon...

      --
      Obama likes poor people so much, he wants to make more of them.
    2. Re:Indicative of a larger problem by TheViewFromTheGround · Score: 4, Insightful

      It is absolutely amazing to me that this event was even possible.

      Actually, it isn't that amazing at all. I'm wrapping up a sysadmin gig in the nonprofit world (and moving back to strictly commercial work) right now. Specifically, I'm in legal services, where the IT talent is very thin but some of the privacy and security needs are pretty serious. I can tell you, I know of three legal services organizations or programs in the US that practice anything resembling defense-in-depth. That's why a lot of recent attacks (like the rise of "spear-phishing") use social engineering to get in. Because once you're inside the walls, so to speak, far too many networks are open season that really shouldn't be.

      If you're throwing around passwords in the clear or unencrypted files, or have network shares with sensitive information and broad access on the local network, the risk is there because there's always a door to the inside in our pervasive-Internet world. In many cases, that door is through human nature/sociological probability/whatever you want to call it.

      A sysadmin must absolutely assume that there will be a user that is going to pull this kind of stupid crap, and design their defenses around it. But, speaking from experience, go to a big ol' local nonprofit that has lots of sensitive client information and start grilling the sysadmins about defense-in-depth and see what they say. You think they're monitoring all local network segments for malicious traffic with Snort? Encrypting local traffic and keeping a tight lock on any shared resources? Have a containment strategy if they detect an intrusion? Have clear and enforceable policies with respect to data retention or user activity? You'll definitely find folks are running Symantec Enterprise and have a badass firewall, etc, and that's cool, but it just isn't enough.

      Shoot, this isn't local security, but nonetheless some major ASPs that handle donations for nonprofits provide the option of sending credit card numbers in the clear. Sure, you're looking at a secure page, but some script is actually doing the real POST over straight http, and you never see it.

      Defense-in-depth is going to become more and more critical for everybody, especially small and medium sized businesses that have been marketed elaborate and powerful perimeter defenses and anti-virus companies have hawked products that day-by-day become increasingly irrelevant to the real security threats, which must rely on tightening local security measures and doing actual traffic analysis of the network itself, not just watching for compromises on the client, because those compromises are going to be harder and harder to detect as the compromises become more and more social in nature and frankly, only good for post-mortem analysis, after the catastrophe has already hit.

      A final thought: Elaine Scarry, a philosopher, is writing a book on the meaning of consent in a world where nuclear war is a possibility. I think one could ask some questions about the meaning of technological freedom in a world where a lot of greedy, malicious people are out to clobber any and all security weaknesses on computing machines that store and transmit incredibly sensitive information.

      --
      Online citizen journalism from the inner city: The View From The Ground
  3. On the other hand by Sentri · Score: 4, Insightful

    FTA:

    "Electronic files containing personal data of up to 2,200 Oregon taxpayers may have been compromised by an ex-employee's unauthorized use of a computer, the Oregon Department of Revenue said Tuesday."

    Let's read that again:

    Electronic files containing personal data of up to 2,200 Oregon taxpayers may have been compromised by an ex-employee's unauthorized use of a computer, the Oregon Department of Revenue said Tuesday.

    EX-EMPLOYEE!
    What the hell was an ex-employee doing on site, surfing porn? Forget computational security; what about physical security?

    In the words of Napoleon Dynamite "Freakin Idiot!"

    --
    Can't we all just get along
  4. Re:Likely a reporting wonk by mcpkaaos · Score: 3, Insightful

    My guess is they had the data locally in Excel spreadsheets, fiddling with things.

    Dummy data. In all my years as a software engineer I have never worked with real or production data. There is never a reason for it, so just dummy something up and use that. Then situations like this are simply impossible.

    Many people have secure information on their hard drives too.

    Not in the Department of Revenue. At least, they shouldn't. That they obviously do should be a huge cause for concern and a process audit or three.

    --
    It goes from God, to Jerry, to me.
  5. They don't have to care as long as others pay by quentin_quayle · Score: 4, Insightful

    Is it just my perception or is this becoming routine now?

    I used to be only concerned in a detached way. Then *today* I received a letter from the student loan people saying, in essence: "We lost a dataset including your information. Sorry! Better contact the credit bureaus, and watch your financial statements. Have a nice day!"

    The only way we are going to have data security is if the parties that fail to secure data are held responsible for the consequences to others. Ideally, that would mean that if someone commits fraud using my stolen data, the organization that lost it has to pay me the actual cost of correcting credit reports, changing all my accounts, compensation for time spent, any lawyers needed, etc.

    Instead the banks are allowed to exploit the situation by selling insurance against it. We can't even get disclosure laws everywhere.

    Well excuse me for ranting. I guess my only point is, the only way the technical and user-education type of solutions will become relevant is if the costs are placed appropriately.

  6. Three questions before firing DOR squatters by BadassJesus · Score: 2, Insightful

    1) How (the fuck) is it possible to have the DOR private database on a computer that is connected to the internet?
    2) What (the fuck) is a DOR employee doing on an internet porn site during working hours?
    3) Where (the fuck) is this whole world coming to!? (err, is he a prudent republican?)