Trojan Compromises Oregon Taxpayers

Blair writes "An employee at the Oregon Department of Revenue downloaded a trojan file from a porn site, possibly compromising up to 2,200 taxpayers. An information technology security officer with the state said, 'the released data likely involved names, addresses or Social Security numbers, or possibly in some cases all three.' I guess some of our public workers are having too much fun after all."

moron!

[eobanb]

Forgive my crudeness, but...what an idiot!

Actually there seem to be multiple failures in this. Running Windows, not employing some sort of web filtering software, lax rules on conduct...I don't know where to even begin.

Indicitive of a larger problem

[mcpkaaos]

What was real data doing on a workstation with Internet access in the first place? One would think (hope?) that such data would be under heavy lock and key and only accessible by the software written to manage it or, when absolutely necessary, a trusted administrator with lotsa logging.

It is absolutely amazing to me that this event was even possible.

Re:Indicitive of a larger problem

[TheViewFromTheGround]

It is absolutely amazing to me that this event was even possible.

Actually, it isn't that amazing at all. I'm wrapping up a sysadmin gig in the nonprofit world (and moving back to strictly commercial work) right now. Specifically, I'm in legal services, where the IT talent is very thin but some of the privacy and security needs are pretty serious. I can tell you, I know of three legal services organizations or programs in the US that practice anything resembling defense-in-depth. That's why a lot of recent attacks (like the rise of "spear-phishing") use social engineering to get in. Because once you're inside the walls, so to speak, far too many networks are open season that really shouldn't be.

If you're throwing around passwords in the clear or unecrypted files or have network shares with sensitive information and broad access on the local network, the risk is there because there's always a door to the inside in our pervasive-Internet world. In many cases, that door is through human nature/sociological probability/whatever you want to call it.

A sysadmin must absolutely assume that there will be a user that is going to pull this kind of stupid crap, and design their defenses around it. But, speaking from experience, go to a big ol' local nonprofit that has lots of sensitive client information and start grilling the sysadmins about defense-in-depth and see what they say. You think they're monitoring all local network segments for malicious traffic with Snort? Encrypting local traffic and keeping a tight lock on any shared resources? Have a containment strategy if they detect an intrusion? Have clear and enforceable policies with respect to data retention or user activity? You'll definitely find folks are running Symantec Enterprise and have a badass firewall, etc, and that's cool, but it just isn't enough.

Shoot, this isn't local security, but nonetheless some major ASPs that handle donations for nonprofits provide the option of sending credit cards numbers in the clear. Sure, you're looking at a secure page, but some script is actually doing the real POST over straight http, and you never see it.

Defense-in-depth is going to become more and more critical for everybody, especially small and medium sized businesses that have been marketed elaborate and powerful perimeter defenses and anti-virus companies have hawked products that day-by-day become increasingly irrelevant to the real security threats, which must rely on tightening local security measures and doing actual traffic analysis of the network itself, not just watching for compromises on the client, because those compromises are going to be harder and harder to detect as the compromises become more and more social in nature and frankly, only good for post-mortem analysis, after the catastrophe has already hit.

A final thought: Elaine Scarry, a philosopher, is writing a book on the meaning of consent in a world where nuclear war is a possibility. I think one could ask some questions about the meaning of technological freedom in a world where a lot of greedy, malicious people are out to clobber any and all security weaknesses on computing machines that store and transmit incredibly sensitive information.

On the other hand

[Sentri]

FTA:

"Electronic files containing personal data of up to 2,200 Oregon taxpayers may have been compromised by an ex-employee's unauthorized use of a computer, the Oregon Department of Revenue said Tuesday."

Lets read that again

Electronic files containing personal data of up to 2,200 Oregon taxpayers may have been compromised by an ex-employee's unauthorized use of a computer, the Oregon Department of Revenue said Tuesday.

EX-EMPLOYEEE!
What the hell was an ex employee doing on site, surfing porn. Forget computational security, what about physical security.

In the words of Napoleon Dynamite "Freakin Idiot!"

They don't have to care as long as others pay

[quentin_quayle]

Is it just my perception or is this becoming routine now?

I used to be only concerned in a detached way. Then *today* I received a letter from the student loan people saying, in essence: "We lost a dataset including your information. Sorry! Better contact the credit bureaus, and watch your financial statements. Have a nice day!"

The only way we are going to have data security is if the parties that fail to secure data are held responsible for the consequences to others. Ideally, that would mean that if someone commits fraud using my stolen data, the organization that lost it has to pay me the actual cost of correcting credit reports, changing all my accounts, compensation for time spent, any lawyers needed, etc..

Instead the banks are allowed to exploit the situation by selling insurance against it. We can't even get disclosure laws everywhere.

Well excuse me for ranting. I guess my only point is, the only way the technical and user-education type of solutions will become relevant is if the costs are placed appropriately.