Trojan Compromises Oregon Taxpayers

Blair writes "An employee at the Oregon Department of Revenue downloaded a trojan file from a porn site, possibly compromising up to 2,200 taxpayers. An information technology security officer with the state said, 'the released data likely involved names, addresses or Social Security numbers, or possibly in some cases all three.' I guess some of our public workers are having too much fun after all."

Cliché

[TheGatekeeper]

Cue trojan condom jokes, where's my +5 funny?

Re:Cliché

[tomhudson]

Hey, maybe I can get government funding for creating an approved porn list of sites that government employees can surf without getting a drive-by smack ...

.. or at least a research grant from the Department of Homeland Security ... after all, if we don't have safe pr0n, the terr'rists have won!

Re:Cliché

[RyanXP]

I've always been afraid that Trojan would compromise hard working Oregonians - thats why 5 years ago I made the switch to lamb-skin, and never looked back.

Re:Cliché

[MobileTatsu-NJG]

"Cue trojan condom jokes, where's my +5 funny?"

By announcing that you wanted a +5 Funny, you screwed your chances.

Re:Cliché

[afaik_ianal]

It's just lucky this happened in Oregon, rather than Virgina.

Now where's my +5, huh?

Re:Cliché

[kfg]

If people from Troy, Oregon are called Trojans, how come people from Tampa, Florida aren't called Tampons?

KFG

Re:Cliché

[FrankDrebin]

Here goes...

• Somebody's gonna get a ribbing for that cock-up!
• Obviously a problem with the firewall's LaTeX filter...

Re:Cliché

[pilgrim23]

Wait. I thought they just blew up Trojan. Oh well, I always thought taxation was obscene. now we have proof.

Re:Cliché

[IngramJames]

If anyone mentions the island of Lesbos, I shall simply scream and then run for my video camera.

Re:Cliché

[odourpreventer]

Funny thing is, history has you covered on this one. (But I guess you may already be aware of that.)

Re:Cliché

[Potent]

Yeah, they should have used a Sheik instead. :)

Re:Cliché

[mopower70]

Because they're not French.

Re:Cliché

[Marxist+Hacker+42]

Better yet- a limited access, SERVER based browser, that both encrypts contents runnning between the Java client and the proxy server, but ALSO does not allow executable code to be downloaded. Build such a mousetrap, and all the better government mice including schools will beat a path to your doorstep.

Re:Cliché

[colinrichardday]

GP said "Cretin", not "Cretan". There is a difference.

Re:Cliché

[Amouth]

Sorry but you for got to mention how it will protect children.. there for you can not recive funding..

Re:Cliché

[tomhudson]

Well, we can always put a nanny-cam on them, and make the feed available online ... and arrest anyone looking at it on the presumption they were searching for kiddie pr0n :-) ... after all, it's a gubbermint opahrashun

Re:Cliché

[Amouth]

sounds good... now take it down the hall and have it rubber stamped and translated into legalize.. and move along

Only 2000 people paying tax in Oregon?

[jd]

No wonder my taxes this year were so high. Hey, guys, I can't pay for Trimet on my own!

Good Idea

[TadZimas]

That's why I haven't paid my taxes in years.
Ironically, my CAPTCHA was "Protects".

moron!

[eobanb]

Forgive my crudeness, but...what an idiot!

Actually there seem to be multiple failures in this. Running Windows, not employing some sort of web filtering software, lax rules on conduct...I don't know where to even begin.

Re:moron!

[Crazyscottie]

No, they probably employed a firewall that required both hands to operate.

Re:moron!

[megaditto]

Actually there seem to be multiple failures in this. Running Windows, not employing some sort of web filtering software,[...] Actually, this is not surprizing at all. Remember all the red tape envolved!!!! To deploy 'web filtering software', a request has to be generated, afeasibility study needs to be performed, a 'validation' process has to be followed, SOPs have to be written, then the whole thing re-certified in its entirety (used to be, you would need to re-certify each component again after modifying one part). Of course the reason you they Windows is that NT 4 and 5 were 'certified' by the govt... if the site admin decided to bend the corners by installing linux on the desktop or router, he's be out of a job and possibly in jail! Frankly, they don't get paid enough for it.

Re:moron!

We should list the failures. Otherwise we don't learn anything. Since events like this are occurring all over the place, there is obviously an issue with government security controls. I'll start:

1. Allowing private data to be stored on a workstation that has access to the Internet.
2. Failure to encrypt private data or a private key (presumably) when the computer is connected to the Internet.
3. Allowing a user who has access to private data to access sites that do not have anything to do with official duties.
4. Failure to log data packets sent on a secure computer (not every packet, but at least the bytes sent).

All of these have the same root cause: the government and government employees did not consider the private data in their custody important enough to require rigorous controls and rigorous controls were not implemented. We could break down the problems into training issues, operational issues, etc., and politicians certainly will. But I would guess that the issue was due to a lack of political motivation to hold accountable every state IT group that has access to private data. Secure networks with access to classified or private information can be built, like the SIPRNET, but people didn't think the private data was important enough. It will change in Oregon (at least for the Dept. of Revenue) due to this incident, but elsewhere in the country people will carry on business as usual, until it affects them.

Anyone want to guess how long it takes before Social Security numbers become worthless because of these data intrusions? We know the government isn't going to learn.

Re:moron!

I work for a school district in California and as part of my duties I am responsible for the content filter (squid children+dansguardian+squid parent peers) and I parse the content to sarg logs with a few custom reports. One of those reports is between the hours of 3-5pm and on

I can tell you, the majority of web usage during the hours where students are not present (90%+ of bandwidth utilization yearly, nearly 100% during Late Nov/all Dec) is personal shopping. Sure, there is a good deal of sports and a spattering of news sites as well. But the people your tax dollars pay to be doing work, are spending your tax dollars and getting paid to do it.

Individuals who get caught have their internet disabled and *might* be written up. Being written up in government means you might be able to have it used against you if you: a) sexually harass someone, or b) come to work drunk/stoned. As far as penalties in government work, umm... there aren't really any. I do have to pay state income tax (with no other income source than the state) of course there are lots of other inefficiencies, rampant graft, overly complex beurocratic heirarchies and completely complacent unions but such are the benefits of socialism.

Re:moron!

[rolfwind]

No, they probably employed a firewall that required both hands to operate.

And if you read the summary, the employee apparently didn't have both hands available....

Re:moron!

Why do you assume there was no web filtering software?
There was. Major player in the industry, updated every day.
Virus software on the desktops set to update ever 2 hours.
This was a zero day exploit from a non-obvious, not yet blocked web site.
It reported back only via port 80.
The trojan wasn't picked up by virus protection until after we reported it, which was after we discovered it.
He might have been an idiot, but not a dumb one.
As for rules on conduct, suprisingly, browsing porn is actually against the rules.
You have to sign an Internet Use agreement before you can use the Internet.
Windows? Well, we have no choice there.
There were some things that the tech staff has asked for that we now are likely to change, but the tech stuff is much better than I've seen in the other agencies.

Re:moron!

[Mr.+Freeman]

Well if you're in charge of blocking websites then filter out the personal shopping ones. No one would get written up.
Now, I'm not too sure how the hell 90% of the bandwidth during non-school hours could all be personal shopping and have no one get caught, perhaps I misunderstood your comment.

Re:moron!

[Mr.+Freeman]

I fully agree with you except for one point. I'm pretty sure looking at porn with government computers isn't allowed, so...... they did one thing right.

Re:moron!

[djupedal]

nearly 100% during Late Nov/all Dec) is personal shopping

'Cake & eat it too' kind of Sheriff you are, eh?

There is a reason you're only a filter nazi and the school admin is an admin...

Most employers know that their employees shop online via their work computer - and most don't break a sweat of it, because it is either allow it or face having them absent an entire afternoon just to drop by Border's. Shopping online for 30 minutes can take the place of driving around, looking for parking, cruising the mega-mall on foot and standing in long queues just to pay for one pair of ear rings....all of which can take up the better part of an afternoon.

What the district give up in active hours is made up for in spades simply by having the teacher at their desk. Take the ability to shop away and see how fast they all head for the exit. Besides, when they stop using the computers, and there is no longer a need to filter the hell out of 'em, you no longer have a job.

Re:moron!

[Lehk228]

having web access on a box with access to confidential data was the mistake.

Re:moron!

[Beryllium+Sphere(tm)]

Yes. And that list the AC put together earlier was a damn good summary, though I could think of things to add.

For what computers cost these days, if the guy really needed web access, they could have issued him two machines in a red/black environment. I like air gaps. They're almost as good as not storing the data in the first place.

Re:moron!

[mcrbids]

You are right - there are multiple failures here, and they aren't good.

Can you imagine how much worse this would be if the data compromised included the GPS information that the good state of Oregon seems to want to collect from your car usage patterns? Suddenly, this information on the usage and driving patterns of every single car in the state of Oregon would/could be used by black hats - the number of cars stolen might just drop your jaw.

I'd push hard to preserve the gas tax! It not only preserves your privacy, it also encourages people to save gas, and that preserves our sovereignty.

Re:moron!

[dotgain]

More like 'web access to a computer with network access to the database', which is probably all of the computers on the floor - it is in a lot of places I've seen.

Re:moron!

[Max+Threshold]

I think you began in the right place.

Re:moron!

[CastrTroy]

It seems to come up every couple months in the media (at least). Stories about how people are browsing pron on their work computer. I mean, come on, how stupid can you be? How bad is your job? And these aren't low ranking secretaries (although i'm sure it happens). Most of the time when you hear about it on the local news, it's high ranking city officials. Not that pron is evil or anything, but it's not something that you should be looking at on office hours. Is it really that common for people to do this? I mean, I've never been sitting at my desk, typing up a TPS report, and thought hey, I'd really like to look at some porn right now.

Re:moron!

[NeoSkandranon]

I believe he meant "Spending tax dollars" as in using bandwidth.

Re:moron!

[Roofus]

Hey! This is Slashdot, we don't like 'facts' around here. They have an obvious bias towards the truth.

Re:moron!

[Mr+Z]

BINGO! And that time not spent driving around hells half acre to get some chores done leads to a less stressed, happier employee. And, in the case of teachers, more time at home to grade papers. :-) It's not like teachers do all their work on site between 8AM and 5PM.

--Joe

Re:moron!

[RpiMatty]

(90%+ of bandwidth utilization yearly

Re:moron!

[Secrity]

Social Security numbers should never have had any value to anybody except to track an individual's Social Security (not IRS) taxes and benefits.

There are only four entities that should have your Social Security number; Yourself, your spouse, your employer, and the US Social Security Administration. Nobody else should have your Social Security number; not the IRS, no state or local governments, and especially; not the banks, lenders or credit bureaus.

When Social Security numbers were introduced, many people resisted them because they feared that they would become national ID numbers. The US government appeased the US citizens by assuring them that Social Security numbers would and could never be used for identification -- that is why Social Security cards used to say "Not to be used for Identification." The long and short of it is that the US government lied to the citizens and Social Security numbers have become de-facto national identification numbers used and misused both by various government agencies and private entities.

Re:moron!

[jelle]

I think there should be a law that attaches liability to owners of such information. If holding that information and letting it out can result in you paying steep damages, then companies and governments will think twice about a having such a bad security policy like that place has... Or at least they will buy insurance and the victims don't get screwed like they do now.

Re:moron!

[daigu]

Hopefully, you've asked for what other people have pointed out - that personal information should not be on individual machines with access to the internet, the data should be encrypted, there should be logging of when the data is used, etc. The measures you talk about were obviously not enough, and the fact that it is better than other agencies just confirms that it is a systematic problem.

So, how are you going to deal with the issue before it happens again?

Re:moron!

[MyLongNickName]

How about this one: I misfiled my state taxes and had to send in an additional check to cover difference (phone entry system, transposed a number). The instructions indicated that I had to write my social security number ON THE CHECK!

I wrote them a note stating how irresponsible this was... causing delays in its processing. For those out there who are too young, or haven't been educated on such matters: think about how many folks will get to see that check. Now think... they have your name, financial institution, account number and SSN in one nice convenient spot. They have enough information on one piece of paper to become you. And not only will all the gov't employees have it, but a half dozen low paid employees in whatever bank the gov't uses AND your bank. Brilliant. And if that check gets lost, you are totally screwed.

I love my gov't. It is always watching out for me like this.

Re:moron!

[pete6677]

What the hell are you complaining about? That a government employee will be seeing your SSN? Oh my god, the shock and horror! Guess what else they can see: your checking account and routing number. That's almost as big of a concern as your SSN since that's all it takes to drain your account. There will ALWAYS be confidential information on tax returns, that's why they're confidential. And employees hired to handle this information are properly screened. No, I'm not saying that the government never fails to keep things safe, but asking you to put an SSN on a check, which is already a piece of confidential information, is hardly an outrage. In fact, its a non-issue. It's YOUR fault that the processing got held up, not the government.

Re:moron!

[MyLongNickName]

No, genius, it is n
t.
First, the state gov't processes it. I am not sure how many handle, but I bet the majority of the folks in their check processing department otherwise would not know my SSN. Why do they need my SSN to process a check?

The check does not stay in just their hands. It eventually gets handed to someone at a third party bank that I do NOT do business with. Jillian the cashier now gets to see my SSN and all my banking information. She hands that off to someone who does the reconciliation. It goes to a centralized processing place where $8 an hour workers get to see it. If I am lucky the stuff gets scanned in as opposed to manually entered, but that is not guaranteed.

It is then sent to my bank where other people process. Sure, the bank knows my SSN, but that does not appear on general teller screens etc. It ends up being seen by other folks. So how many people now have my routing number/SSN? Three organizations.

You may not care. But there is no reason SSN has to be on every piece of information. A different ID could appear that would suffice. The SSN could stay on the actual tax form only.

It is attitudes like yours that lead to the abuse of the SS identification system.

Re:moron!

[GuyverDH]

"You have to sign an Internet Use agreement before you can use the Internet."

Nuff said.

MORON!
DUMBASS!
TOO STUPID TO LIVE!

Get the idea?

Re:moron!

[Mister+Whirly]

Yeah, facts can be used to prove anything!

Re:moron!

[Mister+Whirly]

There are laws that do already. But fines for infractions after the fact don't do anything to prevent things from happeneing... But now laws have passed that make the individuals responsible (and can be fined) and not just the companies....

Re:moron!

[Frank+T.+Lofaro+Jr.]

and it doesn't seem like you're school is using it well at all.

There are likely issues with YOUR (not you're) school as well.

Re:moron!

[Marxist+Hacker+42]

RTFA= they had web filtering software. What they didn't have is:

a) an outgoing desktop firewall
or
b) limited functionality browsers on the desktop.

I just don't see why the Department of Administrative Services insists that everybody needs IE 6.0, the most unsafe browser immaginable, on the desktop. That's just asking for this kind of abuse.

Re:moron!

[maxpublic]

And if the lazy fucking slackers are taking paid time off to go shopping then their sorry 'the-world-owes-me' asses should be fired and replaced with someone who'll, say, actually do the job. In the current economy, with so many looking for decent employment this should be an insanely easy thing to do.

When I taught middle school I was also in charge of the network for the schools I was at. The hype was all about the 'improper access' that kids might have to the internet, but nearly all the violations were by shithead teachers and employees who a) shopped online, b) surfed online, c) downloaded porn, or d) the worst of all - the Bearshare/Limewire/Gnutella folks who downloaded every damned piece of music they could find. The bitch of it was that the worst offenders were those highest up the food chain, and so much as suggesting that they cut that inappropriate shit out would get your position in the district 're-evaluated in light of budget constraints'.

These assholes were also the folks who kept bringing in the viruses past our skimpy firewalls and spreading them internally. Even suggesting they were to blame was a great way to get intimately involved with the unemployment office. This same situation held true in government when I worked for those scum-sucking bastards.

Your tax dollars at work. Hope you think you're getting your money's worth.

Max

Re:moron!

[HungWeiLo]

Yeah, there's something about Oregon government workers. I used to work there too!

I heard about this manager who not only surfed pr0n at work, but printed it out on the full-color plotter as a poster to take home! Needless to say, he didn't stay very long after that.

The IT staff was a hilariously incompetent bunch. I remember that they wanted to upgrade all the computers, so they bought a pallet full of 486 OverDrive chip upgrades. By the time the purchase order got in and their overpriced, sleazy vendor got the order through, Pentiums were already widely available. The pallet of shrink-wrapped OverDrive upgrades still sit in the conference room, AFAIK.

All the people who couldn't get jobs during the dot-com boom (when you could write webpages with Word and get paid $15/hr) stayed behind and worked there. Because they were having trouble keeping people, they kept increasing salaries to retain people. The end result is that some of those people who have stuck around get around $8000-$9000 a month now rebooting Windows and admin'ing LANDesk.

And don't get me started on their migration to _Token Ring_ towards the end of the 90's.

Re:moron!

[AK+Marc]

the data should be encrypted

This was a keylogger. Encrypting the data won't help when the person still has to type in information in cleartext.

personal information should not be on individual machines with access to the internet

Well, since the number of people in my company with access to "sensitive" information is, well, everyone, such a suggestion is simply not feasible. What company do you know that will ban the entire HR department, most (if not all) of the finance department, and all VPs and higher from accessing the Internet? The people that make the rules won't make a rule they don't like, even if it was more secure. There is a balance between security and convenience. Just crying for absolute security all the time will result in no security any of the time. Just like passwords, if you force them to be evil (10 characters long, must contain numbers special characters and mixed case and changes every 30 days) people will make that *less* secure than if you made them weak (6 character minimum, no restrictions or expiration) because the hard ones will be in their wallet/purse or written down at their work station.

Re:moron!

[AK+Marc]

I can tell you, the majority of web usage during the hours where students are not present (90%+ of bandwidth utilization yearly, nearly 100% during Late Nov/all Dec) is personal shopping. Sure, there is a good deal of sports and a spattering of news sites as well. But the people your tax dollars pay to be doing work, are spending your tax dollars and getting paid to do it.

And you know what? I bet some of them even make - I hope you are sitting down - personal calls while at work! No really, I've heard some people waste phone lines, electricity and time talking to wives/husbands. I think you need to tap all their phones next and write them up for every personal call that they take.

I do have to pay state income tax (with no other income source than the state) of course there are lots of other inefficiencies, rampant graft, overly complex beurocratic heirarchies and completely complacent unions but such are the benefits of socialism.

Well, get a job in the corporate world. You'll find it is exactly the same. But at least then, you'll be blaming it on rampant capitalism.

Re:moron!

[daigu]

Every company that I have worked for keep data in a centralized database that people access through various applications that have security policies applied, logging and so forth. Having people have this information on their specific machines is bad data management policy for a number of reasons: hardware failure, security/accountability, and so forth.

It can be done. It is done - just take a look at any companies that have to deal with requirements such as HIPPA, SOX, SEC and so forth. If you don't do it, this will happen again, and eventually, you will be required to do it anyway. It's as simple as that.

Re:moron!

[AK+Marc]

Every company that I have worked for keep data in a centralized database that people access through various applications that have security policies applied, logging and so forth. Having people have this information on their specific machines is bad data management policy for a number of reasons: hardware failure, security/accountability, and so forth.

You missed that it doesn't matter. There are hardware key loggers - the kind that are inserted inline with the keyboard, and since no one I know checks the back of their computer on a regular basis, the cleaning crew could be hired to spy easily. It doesn't matter where the data is stored. When the person at the keyboard enters in the new information for a customer, they just sent the keylogger the name, address, and SSN for the person. Centralized or decentralized data is irrelevant. That is closer to what actually happened (as far as what data was captured) than what it is that I think you think. Most keyloggers will save and batch. That is, they don't send out a packet for every key stroke. They save the data in files, then batch send the data later. That's why "files of information" were sent. These were key log files, not data files. From everything I've read on this particular incident, there was absolutely no sensitive data stored on the local computer.

It can be done. It is done - just take a look at any companies that have to deal with requirements such as HIPPA, SOX, SEC and so forth. If you don't do it, this will happen again, and eventually, you will be required to do it anyway. It's as simple as that.

Well, there's nothing in HIPPA that prevents every computer having a locally replicated version of the database or other things you imply are unsafe. It might be impractical to satisfy HIPPA with such a configuration, but it certainly is possible. Not to mention that most people following HIPPA don't even know what it is. They read someone else's wrong interpretation. Go read it. It specifically says that encryption is not required for WANs and such, but every consultant I've heard has said that encryption is required. So be sure when you pull out what is "required" that you know what is reqired, and not what you heard from someone else what they think might be required.

Re:moron!

[e_armadillo]

[i]He might have been an idiot, but not a dumb one.[/i]

Re:moron!

[e_armadillo]

Strange, I selected "preview" to check my tags, and it *sumitted*.

Oh well, take 2 :

He might have been an idiot, but not a dumb one.

OK . . .

Being an Oregon tax payer it makes me feel soooo much better to hear that the idiot isn't dumb and may still be working in the Department of Revenue . . . WHAT ABOUT DISCIPLINARY ACTION????? Is our semi-intelligent idiot going to pay any consequence?

Re:moron!

[jelle]

Unless it means that any taxpayer Oregon who becomes a victim of identity theft can now file and actually receive a large claim at the institution that leaked their data, it's still severely lacking...

Just imho of course...

Re:moron!

[jesterzog]

All of these have the same root cause: the government and government employees did not consider the private data in their custody important enough to require rigorous controls and rigorous controls were not implemented. We could break down the problems into training issues, operational issues, etc., and politicians certainly will. But I would guess that the issue was due to a lack of political motivation to hold accountable every state IT group that has access to private data.

Why do you consider government to be the root cause of the problem here? If all this can happen in a government organisation and you hear about it, consider how much can just as easily happen in a private organisation and you hear nothing. I know of plenty of organisations, most of them commercial, that have very slack IT policies -- if most of these organisations were compromised in a similar way, it'd be unlikely you'd hear anything whatsoever unless there was a leak, or a compelling legal reason for them to come forward.

Government is clearly not perfect. In places where there's corruption, there's absolutely the possibility of influence from people with political agendas. There are in private organisations, too. In well organised government, though, which realisitcally might rule out much of the USA, government organisations tend to have more strict policies that they have to adhere to than anyone else. They also have less of a commercial incentive to keep quiet about things when they go wrong.

Indicitive of a larger problem

[mcpkaaos]

What was real data doing on a workstation with Internet access in the first place? One would think (hope?) that such data would be under heavy lock and key and only accessible by the software written to manage it or, when absolutely necessary, a trusted administrator with lotsa logging.

It is absolutely amazing to me that this event was even possible.

Re:Indicitive of a larger problem

[megaditto]

a trusted administrator with lotsa logging

A competent admin is working elsewhere, where s/he is paid accordingly. The IT leftovers, not able to get hired by the private sector, get to work for the Govt... Generalization, of course, but more true than not.

Remember, in 2006, nearly 5 years after 9/11, most FBI employees still do not have a work email access, or the ability to do multiple word searches (e.g. cannot search for "bin laden", have to enter just "bin", then scroll down, because of the space character!). So what can you expect from a State govt of Oregon...

Re:Indicitive of a larger problem

[mikesd81]

The problem is that once the trojan is on the network it travels through the whole network.

FTA:
may have been compromised by an ex-employee's unauthorized use of a computer,

It doesn't say that it was downloades on the computer that held the information.

Re:Indicitive of a larger problem

[mcpkaaos]

Trojans don't replicate. While its payload might, the trojan itself is just a delivery mechanism.

From the article:

The "trojan" program attached to the file may have sent taxpayer information back to the source when the computer was turned on again.

That suggests to me that only the workstation was compromised, as does this:

McLaughlin said the department determined on May 15 that the computer was being improperly used and on May 23 that some data may have been captured and sent out.

Re:Indicitive of a larger problem

[KnowledgeFreak]

Mod this guy up, he knows what he's talking about. I work with Data in the private sector and data like this cannot be on an unprotected machine.

What he's saying is that the data should only be on an oracle or whatever database where only reporting applications can run pre-written reporting programs on it, Those program will then return reports to the idiot business people. Those reports will not return a soc. or other identifying info all at the same (and rarely that stuff at all).

The reporting monkeys take *that* home. No one actaully gets to see the data. This is exactly what part of sarbanes oxley is forcing the private sector to do with customer credit card data and other sensitive info.

Re:Indicitive of a larger problem

[TheViewFromTheGround]

It is absolutely amazing to me that this event was even possible.

Actually, it isn't that amazing at all. I'm wrapping up a sysadmin gig in the nonprofit world (and moving back to strictly commercial work) right now. Specifically, I'm in legal services, where the IT talent is very thin but some of the privacy and security needs are pretty serious. I can tell you, I know of three legal services organizations or programs in the US that practice anything resembling defense-in-depth. That's why a lot of recent attacks (like the rise of "spear-phishing") use social engineering to get in. Because once you're inside the walls, so to speak, far too many networks are open season that really shouldn't be.

If you're throwing around passwords in the clear or unecrypted files or have network shares with sensitive information and broad access on the local network, the risk is there because there's always a door to the inside in our pervasive-Internet world. In many cases, that door is through human nature/sociological probability/whatever you want to call it.

A sysadmin must absolutely assume that there will be a user that is going to pull this kind of stupid crap, and design their defenses around it. But, speaking from experience, go to a big ol' local nonprofit that has lots of sensitive client information and start grilling the sysadmins about defense-in-depth and see what they say. You think they're monitoring all local network segments for malicious traffic with Snort? Encrypting local traffic and keeping a tight lock on any shared resources? Have a containment strategy if they detect an intrusion? Have clear and enforceable policies with respect to data retention or user activity? You'll definitely find folks are running Symantec Enterprise and have a badass firewall, etc, and that's cool, but it just isn't enough.

Shoot, this isn't local security, but nonetheless some major ASPs that handle donations for nonprofits provide the option of sending credit cards numbers in the clear. Sure, you're looking at a secure page, but some script is actually doing the real POST over straight http, and you never see it.

Defense-in-depth is going to become more and more critical for everybody, especially small and medium sized businesses that have been marketed elaborate and powerful perimeter defenses and anti-virus companies have hawked products that day-by-day become increasingly irrelevant to the real security threats, which must rely on tightening local security measures and doing actual traffic analysis of the network itself, not just watching for compromises on the client, because those compromises are going to be harder and harder to detect as the compromises become more and more social in nature and frankly, only good for post-mortem analysis, after the catastrophe has already hit.

A final thought: Elaine Scarry, a philosopher, is writing a book on the meaning of consent in a world where nuclear war is a possibility. I think one could ask some questions about the meaning of technological freedom in a world where a lot of greedy, malicious people are out to clobber any and all security weaknesses on computing machines that store and transmit incredibly sensitive information.

Re:Indicitive of a larger problem

[TheViewFromTheGround]

Mod this guy up, he knows what he's talking about. I work with Data in the private sector and data like this cannot be on an unprotected machine.

People (not you, necessarily) in this thread have immediately jumped on a public/private sector distinction. But I don't think that's so much the cause of variance. Instead, security, finally, varies by resource allocation. If a body, public or private, puts the right resources and personnel towards security, then things will be better. If they don't, things will be worse. Ultimately, if higher-ups won't allocate the resources, this is going to happen. For better and for worse, actual regulation, via Sarbanes-Oxley, is imposed for the private sector.

Re:Indicitive of a larger problem

[dbIII]

What was real data doing on a workstation with Internet access in the first place?

Diebold automatic teller machines are also connected to the public internet. There are plenty of incompetant fools out there who will make those silly SF ideas of hacking into critical systems and causing havoc possible.

Re:Indicitive of a larger problem

[Phroggy]

Um, I filed my taxes electronically this year. How's that gonna work if they don't have Internet access?

(But this information definitely should not have been on a computer that was used for downloading porn, or rather, a computer with this information on it definitely should not have been used for downloading porn...)

Re:Indicitive of a larger problem

[mr_zorg]

What he's saying is that the data should only be on an oracle or whatever database where only reporting applications can run pre-written reporting programs on it, Those program will then return reports to the idiot business people. Those reports will not return a soc. or other identifying info all at the same (and rarely that stuff at all).

You seem to be forgetting about the developers who design these things and the reports that the idiot business people run. Only 2,200 records were compromised? Sounds to me like a sample data file for a developer. I'm a developer and I have real data on my hard drive. Of course, I like to think I'm smarter than downloading sketchy files from a porn site on my work machine. But I'm only human, I may screw up some day, who knows.

Re:Indicitive of a larger problem

[peterfa]

You're right, but in the real world things are a tad different. I used to work for a college and I would always be sent to some computer because it was bogged to death of spyware. I was sent to administrator machines... and security machines. I've done research on the spyware they were infected with and some where key loggers. These machines were used to access sensitive and private information. That said, everybody's information is teh pwnd. Just be glad there's so many so that you know your data is drowned out... you know, safety in numbers.

Re:Indicitive of a larger problem

[mcpkaaos]

Just be glad there's so many so that you know your data is drowned out... you know, safety in numbers.

Actually, it's just the opposite. For one, the thief will get through all of the records eventually. If they don't, a buyer will.

Also, the bigger the leak, the more complicated it becomes to account for every potentially compromised individual and notfiy them.

You're right, but in the real world things are a tad different. I used to work for a college...

Forgive me if I offend, but I had a good chuckle at that. :)

Re:Indicitive of a larger problem

[Lehk228]

a developer should have the SSN's scrambled and the first/last names shuffled before getting the data

Re:Indicitive of a larger problem

[ObsessiveMathsFreak]

I work with Data in the private sector and data like this cannot be on an unprotected machine.

I don't know what companies you've been working for, but out there in the real world, people tend to run things by the seat of their pants. I've seen data, including credit card data, stored in a database on a windows 2000 server directly connected to the internet. I've had data worth millions of dollars emailed to me on the same machine I browsed Slashdot on during lunch. It was a windows 2000 machine too.

That's just personal expierience. I've heard stories of critical data sitting in USB shared drives, secured by nothing but friction to their sockets. Private company files transferred to the upstairs office via a hotmail account. Databases being backed up to iPods. The list goes on.

These stories didn't come from government or other public organisations. No. These are stories straight from private industry, that magical market force that will save us all. If you think people actually follow the rules out there in the real world, you'd do better to think again.

Re:Indicitive of a larger problem

[mysidia]

By separating the secure data server from the electronic submission server.

Filing a form is a one-shot data import, and the machine with internet connectivity does not need access to read a listing of data or a database dump from the secure data server.

There is a risk of a trojan monitoring activity of the electronic server after compromise; however, the risk is smaller, and the data exposure in the event of a compromise would more likely than not be much less, if the data is not routinely stored on the compromised machine, AND it wouldn't have to be allowed to have an effect on returns in paper format manually scanned.

Re:Indicitive of a larger problem

[elpapacito]

sarbanes oxley is forcing the private sector

Excuse my realistic cynism, but SOX isn't forcing anybody to do anything. Consider the enormous body of accounting rules and laws that were supposed to _discourage_ and possibily _prevent_ Enron, Worldcom et al ; they work only if they are rigorously implemented and above all if they are -respected- yet even so they put quite a burden on many firms without apparently producing positive results for the masses.

Considering that , apparently from what we see, many firms don't want to respect rules or consider the rules inconvenient for their growth, maybe it could be wiser to change the rules so that they are relieved of the burden of compliance, yet are also reduced to a point becoming harmless.

For instance, if a firm can't demostrate that extremely tight security is being implemented it loses any right to collect and maintain information concerting consumer..and I mean ANY information. Now that is a little draconian, but I doubt ordinary people without money for lawsuit AND affected by data leaks will be reimbursed or treated better then manure.

Re:Indicitive of a larger problem

[dajak]

I agree. I sometimes do work for a tax administration. Internet and email access is only possible
through separate computers in the corridors, in plain sight, on a separate network. The only way
to move private data to the Internet-enabled computer is by memorizing it. It is terribly
inconvenient for IT staff, but it works.

Re:Indicitive of a larger problem

[maxwell+demon]

I work with Data in the private sector

You work with Data? I always thought he were just a fictionary Star Trek character ...
SCNR :-)

Re:Indicitive of a larger problem

[Gryle]

Source(s) please?

Re:Indicitive of a larger problem

[Splab]

Depends on alot of things I should say.

I work part time as sysadmin for the government, and I chose to do so because, well, things happen at a slower pace. When I'm not working here, I got my studies to tend to, so I love a job where I don't have to stress anything, and when I'm off work - I'm off, theres no calling me at 3 a.m. because something doesn't work. If it's broken people just send an email and expect me to deal with it when I find the time to do so.

Re:Indicitive of a larger problem

[Mister+Whirly]

http://it.slashdot.org/article.pl?sid=06/03/21/042 9236
FBI agents not having email

Can't find a link to the search engine problem, but have read a few artilces confirming what parent said about not being able to search multiple word phrases...

Re:Indicitive of a larger problem

[Gryle]

Gratzi.

Re:Indicitive of a larger problem

[mcpkaaos]

Say you are an auditor at this department.

One good method of auditing is to use the Internet.

Why wouldn't that auditor have direct, physical access to an authorized network inside the same building? Is the risk of sending sensitive data over the very public Internet worth having the convenience to do the job off-site?

However, you find some good pages with safe looking names that aren't apparently in a filter yet.

How is that going to happen when the auditor is on a workstation with no access to outside networks and no means to copy the data to a portable device? That's even easier to arrange than encryption and firewalls.

Re:Indicitive of a larger problem

[mcpkaaos]

You have yet to explain why an auditor would need the Internet to perform the job of auditing.

From the I've-never-had-a-2,200-some-before dept.

[NMerriam]

Though on the bright side, porn site customers finally have a way to get screwed over the internet!

Windows+IE+Porn

[pembo13]

= Owned

It's fitting I suppose...

[mojotooth]

Only figures... Since most of the money I was supposed to pay my taxes with, I used to buy porn anyway.

Re:It's fitting I suppose...

[grcumb]

"Only figures... Since most of the money I was supposed to pay my taxes with, I used to buy porn anyway."

That what you call cutting out the middle man. Only thing is, I can't remember if cutting out the middle man is considered Good or Bad in the pr0n world....

Re:It's fitting I suppose...

[Hobbes897]

most of the money I was supposed to pay my taxes with, I used to buy porn anyway.

Woah woah, you paid for porn? When did this start?

Whitelist sites they can and cannot use

[linzeal]

There is no reason anyone handling SS numbers should be given this sort of carte blanche access to their computers.

Re:Whitelist sites they can and cannot use

[WindBourne]

I like your idea. Part of the idea of not using windows in my house is so that I do not have deal with a stolen ID (once somebody has your ID, then you move to hell). I make sure that the sites that I give my credit card to, do not run windows (nearly 100% of all CCs yet about 1/3 of the https space). But I have no control of gov sites. or the business desktops. And it is all the idiots that run windows that expose my life. If they are going to run windows, then should limit that risk for their customers. Besides it will probably increase productivity.

Re:Whitelist sites they can and cannot use

[Mister+Whirly]

Unsafe habbits and stupid human errors are the cause for most identity thefts, not the particular OS the computer is running. And social engineering not using any computer at all is still one of the most effective tools for identity theft. Windows is not responsible for identity theft, and using Linux or OS X or (fill in OS here) will not give you absolute protection. Let me ask you this - would you rather use a credit card on a properly protected Windows box, or a misconfigured Linux box??

Re:Whitelist sites they can and cannot use

[Frank+T.+Lofaro+Jr.]

properly protected Windows box

What's that?

Re:Whitelist sites they can and cannot use

[Mister+Whirly]

Something Slashdotters commonly pretend doesn't exist... But hey, ignorance is bliss, right?

Re:Whitelist sites they can and cannot use

[WindBourne]

would you rather use a credit card on a properly protected Windows box, or a misconfigured Linux box??

First, there is no such thing. MS even came out during their trial and said that it was impossible for to totally lock down windows. So it is impossible to "properly protect" it. As such, I would hope that somebody with Linux on the net has done a good job. But I sure feel better if It is somewhat current.

Second, watch news.com for announced thefts. Whenever they occur, go to netcraft and find out what was run. Pay attention carefully. If you look over the info, you will find that all of the large hits run windows. Sadly, it use to be that you could get the stats for this, but in Feb. 2001, the FBI quit publishing this information. I will tell you that the last large none windows theft was in 1999 on a playboy.com system.

Finally, for the unsafe habits/stupid human errors, that would be such things as answering spam or going to a website which allows a virus to run on your home system. Of course, this affects only windows (at this time). A off-beat example is the current one where an idiot on windows allowed him self to be comprimised.

Now, as to the social engineering, that is not really about ID theft. That is about how to crack a system. It could lead to mass ID theft, but overall it does not. Basically, you are crossing problems.

MS windows (currently, all of them ) is the single largest issue with network security. It has nothing to do with numbers, but the fact that it is impossible to lockdown. Maybe with vista after a year, this will not be true, but not at the current time

Indicative of the norm

[Sentri]

Most people just dont give a damn about conmputer security.

This is the same old story over again, it shouldnt suprise you, why? Here's some links to get you started

mod parent funny

[slack-fu]

this just needs a midi rimshot for effect.

Sparks

[Joebert]

I can't wait to see what Larry Flint has to say about this.

Re:Sparks

[Joebert]

I'm sorry, but anyone who would mod a post about Larry Flint "Off Topic" in a thread about Porn & Government Scandal obviously knows nothing about porn or government scandal.

Re:Sparks

[Joebert]

The People VS Larry Flint
http://www.imdb.com/title/tt0117318/

Likely a reporting wonk

[PIPBoy3000]

My guess is they had the data locally in Excel spreadsheets, fiddling with things. Everyone's PC has Internet access these days - it's hard to function without it. Many people have secure information on their hard drives too.

The alternative is thin-clients, which haven't ever taken off, mostly because they tend to be harder to use.

Re:Likely a reporting wonk

[mcpkaaos]

My guess is they had the data locally in Excel spreadsheets, fiddling with things.

Dummy data. In all my years as a software engineer I have never worked with real or production data. There is never a reason for it, so just dummy something up and use that. Then situations like this are simply impossible.

Many people have secure information on their hard drives too.

Not in the Department of Revenue. At least, they shouldn't. That they obviously do should be a huge cause for concern and a process audit or three.

Re:Likely a reporting wonk

[jawtheshark]

Dummy data. In all my years as a software engineer I have never worked with real or production data.

How do you generate representative "Dummy Data"? Everywhere where I worked, we tested on real production data, with the personally identifiable data scrabled. So if I saw a name there saying "Joe Sixpack", I could be certain that the data was not of a guy named "Joe Sixpack", neither was his social security number. Those things were bogus, the rest was not.

Re:Likely a reporting wonk

[Don853]

Here's an alternative:

I work for a DoD contractor, and I have two computers in my cube. A sun machine connected to a classified intranet with no external access whatsoever, and a windoze machine connected to the outside world, with presumably the normal protection you'd expect from a large company. The windows machine may have proprietary information which we wouldn't want comprimised, but anything truly sensitive is on the classified net, which has no external access.

It's a little more expensive to give everyone two machines, but it works, besides, all the windows machine needs is Office, Acrobat and IE/Firefox, so an old P3 would be fine.

Re:Likely a reporting wonk

[pedalman]

The alternative is thin-clients, which haven't ever taken off, mostly because they tend to be harder to use.

The real reason why thin clients haven't taken off is because users get very territorial about their work PCs. They think that just because they can install what they want on them (Thank you, MS), that they own them. Thin clients cut them off at the knees.

We had one employee who thought her main purpose at work was to download and install every damned browser toolbar and toy she could find. Of course, her system wouldn't connect to the Web because one those "toys" had reset her to a proxy address. Clean it up, explain to her that her downloaded freebies caused the problem, and remind her that there was a written policy about using work computers for personal use. Then she has the gall to complain that it's "her" computer and she'll put what she wants on it.

Damned assmonkeys!!!!

Re:Likely a reporting wonk

[Mister+Whirly]

Users will only do the stupid thing that they are allowed to do by the administrators. Don't give them anything but lowly user access and let them try to install their stupid screensavers. I work at a university, and anytime Joe User wants to install anything they need to call me for assistance. Annoying sometimes? Sure, but less annoying than having to spend 2 hours wiping and re-installing because they did something utterly moronic... You can lock down Windows machines to a pretty tight set of rules, (contrary to popular belief on Slashdot) but most compaines just don't choose to do so.

Re:Likely a reporting wonk

[mcpkaaos]

You could write a script (or scripts) to output pseudo-randomized data in a clean, parseable format. Create a database using the same schema as your production database and populate it with the output from your script(s). Simple and boring, but it's easy and it works. Even if you want to generate a massive database it's simply a matter of running the script over and over again with incremental data. Or, just create very simple scripts to generate a basic dataset and do the rest with queries.

To me, the extra work is worth it. I'd rather eliminate the risk than minimize it.

Plus, I just happen to believe that controlled datasets make for better testing. It's really no more difficult to write a script that generates random, re-occuring errors than it is to write one that doesn't, so you can pretty much attack your code/database/whatever from any angle you can think of. And for those you can't think of, just loosen the parameters and generate more random tests. You are only limited by the thought and time you want to put into it. With real data, scrambled or not, you are simply stuck with whatever happens to be in the tables at the time you grabbed it. Also, real data would already have been normalized and, in my opinion, not well suited for testing.

Wow...

[zmilo]

I knew Oregon had a lot of wood, but this is rediculous!

Re:Wow...

[grammar+fascist]

I knew Oregon had a lot of wood, but this is rediculous!

Meaning, of course, that it's "diculous" a second time.

Um...

Excellent security.

[bubbl07]

I hope the NSA wiretap logs are being secured under similar conditions. It would be supremely ironic if the computers holding those records/logs were infiltrated. Even more so if those data fell into the hands of those that the act against whom the act was supposed to defend us.

Re:Excellent security.

[Btarlinian]

I definitely don't agree with the NSA wiretapping, but I'm pretty sure that the NSA's security is a little better. I hope that the people working there are a bit smarter too.

As long as their penchant for breaking into systems doesn't mean they want to get broken into, things shouldn't get that bad.

On the other hand

[Sentri]

FTA:

"Electronic files containing personal data of up to 2,200 Oregon taxpayers may have been compromised by an ex-employee's unauthorized use of a computer, the Oregon Department of Revenue said Tuesday."

Lets read that again

Electronic files containing personal data of up to 2,200 Oregon taxpayers may have been compromised by an ex-employee's unauthorized use of a computer, the Oregon Department of Revenue said Tuesday.

EX-EMPLOYEEE!
What the hell was an ex employee doing on site, surfing porn. Forget computational security, what about physical security.

In the words of Napoleon Dynamite "Freakin Idiot!"

Re:On the other hand

[MostAwesomeDude]

Well, if he wasn't fired before, he sure is now...

Re:On the other hand

[whitehatlurker]

There is a switch in the story from employee to "ex". The employee was fired subsequent to the leak, but was "working" at the time of the download.

Re:On the other hand

[SlashSquatch]

Freakin Idiot

...You're just jealous because I've been online all day talking to babes in chatrooms.

You don't need a trojan ...

[Nicolas1979]

I just saw on CNN that some stupid government people in arizona and virginia opened up a public record accessible online. Maricopa county http://recorder.maricopa.gov/recdocdata/GetRecData Select.asp And the one who complain Virginia Watchdog http://www.opcva.com/watchdog/

Filters ?

[morcego]

How come there were no filters in place ?
I mean, it is the taxpayers money that are paying for that computer, internet link and his time.

Yes, I know it is possible to circunvect those filter. But people who can circunvect filters are not likely to catch those trojans.

Re:Filters ?

[ZeroExistenZ]

You'd be surpriced how government offices are run...

Employees who hook the -unused- built-in 56K modem into the phoneline to bypass filters to be able to read personal emails and what not, infecting the network without an admin being able to do much other then glueing the sockets shut to physically make it impossible to use that modem.

Government employees aren't particulary the brightest or security-aware lot; I've heard quite shocking stories of consultants working for [Belgian] government instances.

Re:Filters ?

[mysidia]

The fact that the employee used a computer to compromise the data, the probable fact that it was done without his knowledge are irrelevent...

The ex-employee was trusted enough to have access to the system but compromised the data by directly using the computer system, doing things with that system which were specifically prohibited, and using it in a clearly unauthorized manner, a manner which put the integrity of the system and the data at extreme risk.

These are acts by the ex-employee who used the computer, which should be regarded as a criminal offense, this seems like unauthorized use of a computer network at the level of gross negligence.

It is as if he e-mailed the file to a random e-mail address, hoping it wouldn't be a hacker who received it.

The fact that you use a computer to do something, does not mean you are no longer responsible for what happens. If one runs software on a machine of an unapproved source and nature, the fact that you run the software written by someone else blindly does not mean you are not responsible for what happens as a result.

The best filtering software in the world could not have protected the state against a person being wreckless with the sensitive computer system. The fact that he/she used it for personal matters wasn't the problem: shopping online or looking at news is ordinarily low risk, and, it was whatever he/she downloaded and ran, from a porn site, which is HIGH-RISK.

Would Linux have helped?

[jpardey]

In my mind, the weakest link here was the employee. The employee had permissions to access both the data and the internet, probably both needed for the work involved. Unless somehow the user was restricted to only running certain executables, he (or she) could have just downloaded the linux version of DESKTOP_HOTNESS-VIRUS_SCANNED_SAFE. I don't like the idea of employees being constantly watched, but perhaps more education, or a low level account for internet use on break time, would have helped, but just installing linux wouldn't stop trojans.

Re:Would Linux have helped?

[zolaris]

I know you run the risk of being modded down for your subject line but this is a serious issue. Security is everyone's problem and the only way we are ever going to stop this is to a) apply good security practices, regardless of the environment, b) educate users. The second is NOT a lost cause entirely. Many times people simply don't know the risks. I come a cross a lot of users that say "Wow I never knew you could do THAT!" Some of them are listening, we just need to tell them.

Re:Would Linux have helped?

[webweave]

It might have, I'm sure the same vulnerability does not exist on Linux but why was that machine running a web browser in the first place? Why was it allowed to connect to the internet? Was this guy and his sysadmin manager fired? Was the VP of IT or CTO fired? Looks like if you run Windows you can avoid any responsibility. Microsoft sure has avoided any responsibility, have your read the EULA? There's a good example of how good they feel the software is. (slightly joking, all vendors have similar lines) --You can play the blame game with windows but you have to accept the responsibility to run Linux.

Any OS that can be reliably locked down and controlled would help if set up correctly.

Due to the undocumented nature of M$ products and their history of intentionally setting up situations that compromise security nobody should be using Windows for secure and sensitive data uses. Surfing porn fine but not my personal records.

How hard is it to build a system for secure uses? Not hard if you use an OS where secure uses were conceived of during its design. You have a choice from tiny systems like QNX to larger ones like Sun-Solaris or VMS as well as various BSD and LInux and even commercial Unix versions. There are plenty of companies that will build you a secure system and plenty of companies to review those systems. In fact most available OSes that run on modern hardware were designed for secure system use, the big exception is anything by Microsoft.

You don't need tcp/ip to network a computer.
You don't need a web browser on every computer.
You don't need to run systems where you can't control what software its running.

Why is this so hard? I worked in and ran shops that operated networks running up to ten different vendor OSes. I don't remember having any of the problems we have today with Windows, this is progress?

Another view, better tech quality

[whitehatlurker]

Here's a better version. The site did hassle me about where I lived for a bit, until I said I was a foreigner.

Quote from this one: "We maybe had a false sense of security," O'Meara said.

Whoa, maybe. Y'think?

The Trojan horse gathered the equivalent of 7,000 text pages of data.
  Somewhere a scammer is very, very busy.

If not under lock and key...

[jd]

...then at least kept in encrypted files as per FIPS-180. (Yes, that's a Federal standard, but damnit, States should abide by SOME standards. Well, given the VA fiasco, it would be nice if the Federal Government did as well...)

First off, you are right that direct access is Bad. Very Bad. In fact, internal systems should ideally be going through proxies and a firewall to prevent random applications (such as viruses) from setting up their own connections. For what is presumably a fairly low-bandwidth facility, they could probably even use layer 7 filtering and block unauthorized applications even if they did have all the correct passwords/tokens and port numbers.

Secondly, you are also correct that the data should not have been kept on a computer with such access. Normally, you'd have a private intranet that cannot access the outside world at all for sensitive data. There is no excuse for keeping data like that on a high-risk machine that may well be portscanned and attacked every few minutes anyway.

Then, there's the problem with the fact that the data was presumably in plain-text. If it was encrypted to any reasonable standard, there wouldn't have been any fuss made. Furthermore, since the trojan was presumably not designed with Oregon taxes in mind, it would have necessarily been your normal harvester looking in normal files. My suspicion is that the most likely place for the data to have been harvested would have been in e-mail. Anything else would require a disk search and that would have been amazingly obvious, even to the most idiotic. If (and I emphasise the if) I am correct and the data was indeed in an e-mail, then why the hell were they e-mailing plain-text files containing this kind of data? Particularly as it's so easy to e-mail the wrong person, using modern e-mail clients that guess at addresses.

I would very much like to see a requirement that ALL sensitive and personal data that is even potentially exposed to the Internet be encrypted using strong algorithms and strong keys, and that unnecessary risks with other peoples personal data be strongly penalized. (By my way of thinking, since the flaws in the VA office had been known for many years and never addressed by the Federal government even though the GAO had been sending up the red flags, rockets and flying saucers, those whose data was taken should be entitled to compensation at least equal to the cost they will have to endure to salvage and protect what they can.)

There is no excuse for insecure practices. There are far too many solutions, including free ones, that are easy enough, fast enough and secure enough to excuse delinquency on the part of any agency or (in e-commerce data theft cases) any corporation that puts laziness as a higher priority than standards.

Re:If not under lock and key...

[mlk]

Anything else would require a disk search and that would have been amazingly obvious, even to the most idiotic

Care to swap idiots? I have a few that think installing programs that have a large popup declare that they are "Now Hiding Your Porn" are a good method of hiding porn.

Re:If not under lock and key...

[FireFury03]

internal systems should ideally be going through proxies and a firewall to prevent random applications (such as viruses) from setting up their own connections.

The "security" provided by proxies is for the most part only perceived security - it's not exactly rocket science for malware to pull the proxy settings from other software such as your web browser and just connect that way.

they could probably even use layer 7 filtering and block unauthorized applications even if they did have all the correct passwords/tokens and port numbers.

To a firewall device, an HTTP POST on port 80 looks much the same as any other HTTP POST, even if it happens to be caused by some malware posting confidential data. (Even worse, if it uses HTTPS then all you get to know is that there's some SSL traffic on port 443 - you can't tell what is in that traffic). The only way you get to know this traffic isn't from the web browser is by running a personal firewall on the workstation itself so it can see which process owns the socket. Malware has a habit of disabling stuff like personal firewalls.

Normally, you'd have a private intranet that cannot access the outside world at all for sensitive data.

That very much depends what the job involves. It's getting increasingly difficult to work without web access in many jobs. For example, my ex-employer went nuts on security and blocked web access to all but a few "authorised" sites. If you needed access to a site that wasn't on the whitelist you had to request for it to be added. It basically just made it too hard to get to the sites that we legitimately needed to get to for our jobs. Our jobs wouldn't allow us to have a nice neat list of sites we needed to access regularly, we basically needed to be able to google for solutions to problems and follow the links to random sites. Not long after this "security" policy was implemented over 50% of us quit our jobs - this wasn't the only factor in us leaving but it certainly didn't help and it greatly reduced productivity.

There is no excuse for keeping data like that on a high-risk machine that may well be portscanned and attacked every few minutes anyway.

I think you're making bad assumptions here - A machine isn't going to be portscanned and attacked every few minutes if it's sat behind a firewall. The problem was caused by the user *downloading* a trojan and executing it, not by a remote machine attacking the network. There's very little a firewall can do to guard against trojans.

If it was encrypted to any reasonable standard, there wouldn't have been any fuss made.

It has to be plain text in the database's user-interface. Maybe the trojan was doing keylogging while the employee was doing data entry.

I would very much like to see a requirement that ALL sensitive and personal data that is even potentially exposed to the Internet be encrypted using strong algorithms and strong keys, and that unnecessary risks with other peoples personal data be strongly penalized.

The keys have to be stored somewhere (unless you expect an employee to enter a 2048 bit key from memory :) - once the workstation (complete with it's keys) has been compromised then it's game over. This is very much the "problem" that DRM faces - the data has to be decrypted before it's usable, which means you have to trust the end-user's system to give up neither the key nor the cleartext to any untrusted software or hardware.

If course, there is absolutely no excuse to not fix security holes in a timely fasion once they are discovered.

Re:If not under lock and key...

[jd]

I'd be happy to swap idiots, but the swap device isn't working correctly.

Oregon = Oregon Trail

[Tickle+Cricket]

You get a Trojan!
You die of dysentary lol

Welcome to the present...

[Sparr0]

None of that information is secret. Your SSN, Address, and Name are all public information, the subject of numerous public records that anyone patient enough can pay $.10 per copy to get. Or just visit the appropriate county records website.

Re:Welcome to the present...

[Sparr0]

You've still got one of the best public libraries in the south.

obligatory condom comment

[loonicks]

Anyone else think of condoms when they saw "trojan" and "porn", or is my mind just in the gutter?

Re:obligatory condom comment

[pembo13]

Your mind is just in the gutter

Re:obligatory condom comment

[ajs318]

Is Trojan a brand of condom, then? In this country, the leading brand of condoms is Durex and the colloquial term for a condom is a "johnny".

So...

[getwhipped]

Is that a link to the trojan or the porn site?

7000 pages?

[afaik_ianal]

More than 1,300 people face identity theft after a state employee let in data-stealing spyware.

and

The Trojan horse gathered the equivalent of 7,000 text pages of data. But O'Meara said his staff spent weeks poring over the data and found no tax files or financial information. He said it was limited to Social Security numbers, names and addresses.

So that's ~5.3 "pages of text" per person they got only the SSN, name and address for. Either people in Oregon have really long names and addresses, or something else got sent with that data. I smell a cover up! :)

Re:7000 pages?

[whitehatlurker]

... or something else got sent with that data.

Well, there was a lot of porn on the machine ;-)

No Lawyer Necessary - Only Patience. Here's How

when information is leaked about your own private stuff, you should get a lawyer.

A lawyer is unnecessary and expensive. It's easy to handle ID theft once you understand that the situation cannot be corrected immediately, that you shouldn't go ballistic, and that time and patience (and a few simple procedures) is all that's required to correct the situation:

1. Write to the major credit bureaus and ask for a credit report from each. Explain that you're a victim of ID theft and they'll give you a free credit report.
   
2. Ask the credit bureau to place a 7-year freeze on your credit report (not the 3-month freeze). That ensures that anyone who extends credit must contact you directly (usually by phone) prior to extending credit. Make sure the credit bureau has your phone number correct!
   
3. If the ID theft resulted from something locally enforceable (stolen wallet, burglary), file an offense report with the local police and get a printed copy of the report.
   
4. find any fraudulent/old accounts on your credit report. For old accounts, write to the address on the credit report informing the creditor and ask that the account be closed. For fraudulent accounts, notify the creditor of same and include a copy of the police report (above). For any fraudulent account _applications_, also notify the creditor that the application was fraudulent.
   
5. In all cases, ask the creditor to notify the major credit bureaus of all updates/closure of accounts.
   
6. Keep paper copies of all letters - use a separate paper file folder for each account or account application. Seems tedious, but you'll be glad you did, believe me.
   

Above all, be patient, take your time (there's no rush, all changes are made at snail mail speed at best) and don't worry. Just go through the steps and everything can be corrected within about 180 days.

After that, make sure you check your credit record with the major credit bureaus at least once a year. They'll send this for free. Follow the above steps whenever you see a fraudulent account or application. The Bad Guys won't be able to touch you.

Re:No Lawyer Necessary - Only Patience. Here's How

[jank1887]

for those that don't know: www.annualcreditreport.com

yearly free credit report file from all three agencies (Equifax, Experian, TransUnion). Mandatory according to the FACT act for all US citizens. (Used to be just certain states were free.)

Most government employees...

[5plicer]

...DO NOT need internet access IMO. I see can see intranet access, but full on Internet?

Re:Most government employees...

[maxwell+demon]

Of course they could go without internet access. But just think about the cost if all the porn would have to be stored on government computers in the intranet!

Wow

[xCROSSFIREx]

are the colleges really THAT bad up there???

but in all seriousness...why in the wolrd would an (ex) employee go to WORK TO LOOK AT PORN???
i cant help but think of the mac commercials (where the mac doesn't get viruses) and the trojan comercials (stay protected)...its like they combined, but in the exact opposite way...
sometimes mankinds intellegence overwhelms me

Can Ya Blame Him?

[Nicodemus101]

If I worked in a tax office I think I would need at least a coupla pr0n sites to make my work/life interesting. Have you seen the people who work there? uhhh *shudder

They don't have to care as long as others pay

[quentin_quayle]

Is it just my perception or is this becoming routine now?

I used to be only concerned in a detached way. Then *today* I received a letter from the student loan people saying, in essence: "We lost a dataset including your information. Sorry! Better contact the credit bureaus, and watch your financial statements. Have a nice day!"

The only way we are going to have data security is if the parties that fail to secure data are held responsible for the consequences to others. Ideally, that would mean that if someone commits fraud using my stolen data, the organization that lost it has to pay me the actual cost of correcting credit reports, changing all my accounts, compensation for time spent, any lawyers needed, etc..

Instead the banks are allowed to exploit the situation by selling insurance against it. We can't even get disclosure laws everywhere.

Well excuse me for ranting. I guess my only point is, the only way the technical and user-education type of solutions will become relevant is if the costs are placed appropriately.

Re:They don't have to care as long as others pay

[Detritus]

We might be better off if there were statutory damages, say $1,000 per individual affected by the security lapse. That would put a value on the data, and encourage organizations to take measures to protect it.

Re:They don't have to care as long as others pay

[barzok]

say $1,000 per individual affected by the security lapse. That would put a value on the data

$1,000 is a pittance compared to the potential financial loss, damage to one's credit & identity, and expenses incurred cleaning up someone else's mess.

And those affected would never see that money anyway, it'd simply be revenue for the states and the lawyers.

Re:They don't have to care as long as others pay

[Detritus]

Possibly, but the point is that it would create a real financial penalty for security lapses, which would be an improvement over the current situation, where, other than some bad p.r., the costs are borne by others.

Re:They don't have to care as long as others pay

[winwar]

"Possibly, but the point is that it would create a real financial penalty for security lapses, which would be an improvement over the current situation..."

Maybe, trending towards probably not. There are fines for knowlingly hiring illegal aliens. Wonder how that has worked out... :)

The real problem is assigning some magical property (uniqueness, secrecy) to a number. It doesn't matter if that number is a SSN or some other number (or ID form). Because if it is widespread enough it will be used by everyone for ID. If it isn't, it will almost certainly be linked to it.

Easy access to credit is the one of the large drivers. Maybe large fines (as in bankrupting ones) to organizations that tie you to a debt on the basis of a number incorrectly. Or key your ID to a single ID (name, number, or whatever). Pigs will learn to land before that happens.

After all, do you really care if someone adds to your social security benefits?

Re:They don't have to care as long as others pay

[Mister+Whirly]

You think companies want the bad PR and financial loses?? Just slapping some fine on the breach isn't going to be enough deterrent to make everything secure overnight. It is more a question of education and pointing out the fact it is cheaper to be secure and not have an incident. Most companies want to do the right thing, but just aren't sure exactly how... Data security is not an "off the shelf" product - it is education, policy making, and following procedures.

Re:They don't have to care as long as others pay

[barzok]

A simple financial penalty isn't enough. Let's say MegaBank "loses" my personal data. They get slapped a $1K fine. I never see the money in my pocket. Life goes on for them. Meh, a little bad PR, a little hit to the bottom line this quarter. In a year, no one will remember.

But I'm calling every credit bureau asking that a fraud watch flag be put on my account. That'll cost me time and money. I call every financial institution I deal with, every bank, credit card, student loan services, cable company, mortgage company, insurance companies, my employer, investment account managers, etc. It consumes 2-3 days, minimum, of my time and likely more money. Then the trouble of getting new bank account numbers, credit card numbers, etc. issued and updating everyplace that I've got an auto-charge or auto-debit system set up with. This takes weeks, and maybe even more expense.

No way is a $1000 fine satisfactory. I want this to cost me nothing out of pocket, and my time in cleaning up their mess compensated for. I don't mind recording the time in a logbook as long as there is a timely, well-defined and mandatory process which will compensate me at the hands of MegaBank for their screw-up. I want MegaBank taking care of the fraud flag at the credit bureaus for me. I want MegaBank changing any account numbers for accounts I hold with them, and communicating that to the other institutions that affects (they know who I transact with using those accounts).

Re:They don't have to care as long as others pay

[Detritus]

I think the companies need a different approach to the use and storage of sensitive information. They need to reorder their priorities. Over the years, I've had jobs where I worked with classified and/or sensitive information. It's a different world. You don't assume that people will be intelligent and honest, or that computers and networks are secure. You don't put a database on a computer that can be accessed from public networks. Every part of the system, hardware, software, people, and procedures, is evaluated and certified. In the commercial world, all they seem to care about is cost and speed. Cheaper is better. Why build a private network when you can use the existing Internet. Why use a dedicated workstation when you can use generic PCs running COTS software. Why write your own software when you can kludge together something from commercial products or outsource it to somebody else. Why spend money on physical security, audit trails, security audits, background checks, etc.

Screwed?

[SonicSpike]

Ahh yes, cue the obligatory puns of "there are three players in this incident, the people screwing, the people doing the screwing, and We The People getting screwed"

A city of sin

[Masterwanker]

What can you expect my lovely home town is a town of sin. If you look at the google search stats all we search for is weed porn and bush hate sites. Truly this city is lost to the liberals. (In case you can't tell I am being sarcastic) Portland/oregon Owns.

The internet is for porn

[Alioth]

Well, at least the employee knows what the internet is for:
The internet is for porn! http://video.google.com/videoplay?docid=5430343841 227974645

You think that's bad? See what they do in the UK

[OlivierB]

Civil servants *flash* (i.e. full frontal nude exposure) their colleagues

An information technology security officer!!!??

[Zero__Kelvin]

Did the "Information Technology Security Officer" happen to say why they were running an OS and application configuration that would let this happen in the first place?

Noticeably missing from all of the articles I have seen is the name of the OS that was compromised. Is that because the news sites don't know there is more than one OS, because the reporters are incompetant, because Bill Gates will fire them if they mention it (think msnbc subsidiary), or because the reporters figure it is patently obvious that it was Windows since the compromise happened in the first place?

Re:An information technology security officer!!!??

[pe1chl]

It also does not mention that the "Information Technology Security Officer" or his employees clearly are incompetent.
Even with the nonmentioned prevalent OS it is a snap to configure an office workstation in such a way that ordinary employees are not able to download, install and execute programs (including trojans) from the web.

It starts by not giving the user an Adminstrator account.

Chain Reaction

[giafly]

Thanks for the very clear instructions (mod parent up!).

1. When a big company lets your personal data get stolen
2. The solution is to give your personal data to lots more big companies
3. Recurse.

Three questing before firing DOR squatters

[BadassJesus]

1) How (the fuck) is possible to have DOR private database on a computer that is connected to the internet ?
2) What (the fuck) is DOR employee doing on the internet porn site during working hours ?
3) Where (the fuck) is this whole world coming to!? (err, is he a prudent republican?)

Just Porn?

[cno3]

At least he wasn't playing solitaire.

Oh, wait...

Re:You think that's bad? See what they do in the U

[Frightening]

Mod parent up. These guys are serious BUT..

If they tell me to choose between a civil servant who jumps naked off filing cabinets and another who does windows+IE+[possible pwning site] I'd pick servant A every time.

The screwing in lavatories thing is very strange tho. Are they gay?

Not his fault...it's a management failure

[Joce640k]

What's really needed is an OS which allows him to do his job and nothing more. No screensaver downloads, no animated cursors, none of that crap.

Re:Not his fault...it's a management failure

[Mister+Whirly]

Windows can be locked down to do only those things, or even more restrictive. It just sounds like the administration wasn't doing this....

That'll teach ya...

[msouth]

...to pay taxes in Oregon!

Poor Guy

[Xichekolas]

As someone who has worked for State Government... I can empathize with the guy. He was just trying to get some happy pr0n in to deal with the soul-crushing-depressing-meaninglessness that is working in the public sector. I mean, without internet pr0n, I bet the number of state workers going beserk and killing everyone would skyrocket. I say 2000 SSNs is a small price to pay... after all, they aren't exactly making a killing on the salary.

government ideas on privacy

[mu51c10rd]

This is very prevalent in the federal government. The feds train you to give your social for every piece of paperwork you ever fill out. I was a federal employee and it amazed me that *everything* required a social. When these employees are so used to carelessly using their SS#'s, it is obvious why other people's data is treated the same. Social security numbers in the government are used everywhere and not nearly treated with the care that they should be.

Here's the real problem

[tweek]

The department updated the list of blocked sites every 24 hours, but like fast-multiplying germs, the Web sites overwhelmed its defenses.

When are people going to learn? The rule in security is denied unless explicitly allowed.

Simple math says there are an infinite number of sites to be blocked but only a handful of sites to be unblocked!

I have no sympathy for:
a) a company that allows the users to install software
b) a company that allows everything and only blocks after the fact

trojan compromises Oregon taxpayers

[rs232]

"the incident apparently occurred when an employee downloaded a contaminated file from a porn site"

What OS did this trojan run on?

From the department of redundancy department ....

[Zero__Kelvin]

From my initial post to which you replied:

Did the "Information Technology Security Officer" happen to say why they were running an OS and application configuration that would let this happen in the first place?

From your reply:

It also does not mention that the "Information Technology Security Officer" or his employees clearly are incompetent. Even with the nonmentioned prevalent OS it is a snap to configure an office workstation in such a way that ordinary employees are not able to download, install and execute programs (including trojans) from the web.

Perhaps you missed the sublety of the quotes around ITSO which implies "your" first point, and didn't read the remainder of my post, which states that the configuration was foobared?

Another option

[d_54321]

Hey, maybe we should switch to a form of taxation that doesn't require state and federal agencies to keep personal info on every American citizen

Re:Another option

[tomhudson]

It wouldn't end them keeping data on everyone ... here's what they have to say about how it would work:
http://www.fairtaxvolunteer.org/smart/sketch.html

To ensure no American pays tax on necessities, the FairTax plan provides a prepaid, monthly rebate (prebate) for every registered household to cover the consumption tax spent on necessities up to the federal poverty level.

So unless you're registered and providing ALL your financial info, current up to the last week (to properly adjust your "prebate level" in the case of job loss, etc), you'll be paying higher taxes.

Re:Another option

[d_54321]

I'm very perplexed by what you're saying- why would prebate level need to be adjusted in the case of a job loss?

And how do higher taxes result from not providing financial info?

Re:Another option

[mfrank]

They'd need to know your address and how many people are in your household. You know, what they collect every 10 years in the census. And I imagine that if you wouldn't want to tell them where to send the prebate check (which is the same for every citizen, no matter their income level), they'd be OK with that.

Re:Another option

[tomhudson]

if your significant other loses their job, you are now supporting them ... they're NOW a dependent ... so YOUR prebate has to go up. Same thing if you have a kid. Now, if one of your dependents gets a job, they get the prebate, and your prebate has to go down.

The point is that even issuing prebates requires a list of people to pay the prebates to, and that list is still open to being snatched.

Re:Another option

[tomhudson]

... so you have a kid a month after the census, and you're out $X per annum until the next census?

No, it can't work if its only tied into census data. Especially since there are people who refuse to fill in the census for political/privacy reasons.

Re:Another option

[d_54321]

I don't think you understand the way the prebate works. Your prebate does not have to go up with your S.O. loses their job because your S.O.'s tax liability does not change. This is what the prebate is based on - tax liability up to the poverty level.

It's not based on how many in your household have jobs, only how many are in your household. Yes this may require some agency to keep track of how many individuals there are in a household, but it would exclude keeping track of what the income is of these individuals, which frankly is none of any government's business.

And how will the goverment keep track of how many there are in a household? Sure maybe with SSN, but not necessarily. Could just as easily (maybe more easily) with some taxpayer ID (since Social Security is something you're supposed to get at retirement and the "IOU" number that associates you with it is a stupid identifier for paying taxes, just like it's a stupid identifier for all the other things that makes it so dangerous to have exposed).

Re:Another option

[tomhudson]

Let's recall your original statement:

Hey, maybe we should switch to a form of taxation [fairtax.org] that doesn't require state and federal agencies to keep personal info on every American citizen

As I pointed out, your assumption that state and federal agencies wouldn't need to keep personal info on people was refuted by fairtax.org's own documents. The details are irrelevant to the argument - the proposal of fairtax.org requires records on everyone, so that prebates can be issued, fraud detected, etc.

Evidence of reason to change?

[d_54321]

Could this be a sign that we should switch to a form of taxation that doesn't require state and federal agencies to keep personal info on every American citizen?

This list has nothing to do with the story

[addikt10]

The guy was surfing porn and aquired a keystroke logger. The only private data stored on the workstation where his keystrokes, which then got sent to the baddies when he opened his browser.

So a corrected list may look like:

1. Allowing data entry personnel to have access to the Internet.
2. Allowing data entry personnel to have enough access to their own machine to install a logger.
3. Failure to monitor all employees access to the Internet

How is logging all packets sent by a computer going to help? In this case, only by enumerating the personnel records compromised by the moron. Once the data is sent, what difference does it make if you have a log for it?

Why does every workstation need a web browser?????

[webweave]

Now that PCs are so cheap there is no excuse to not build a system intentionally for the job at hand.
If the job is to manage high value and sensitive date then why use a known flawed home OS?
Just read down the "features" of XP-professional, how many people consider all that multimedia junk applicable to business uses?

People should start to get fired for running Windows!

Local Chamber of Commerce?

[demo9orgon]

Everyone here has their "personal" information ponied out, bought and sold so many ways that even people who work in the business have no clue how much they're just cattle.
Everyone who has bought a home in many parts of the country has their information freely available to anyone on the Internet, often through their local Chamber of Commerce, the same people who enjoy sharing your information with water purifier companies, carpet cleaning companies, local window-installers and the local sham boiler-room fundraising people who like to make you feel guilty that you're not giving money to them, ahem, I mean to the police or the firemen.
It's kind of sad that some chap browsing for fun was walking down a dark alley and got ambushed while using a crepe-paper OS, but I think the message here is that government shouldn't use a computer operating system with so many fundamental weaknesses that you can't even browse the Internet without being victimized.
If people still want security why did they shitcan all the closed-loop VT102 minicomputer systems in favor of Uncle Bill's special sauce? (No solitare on a VT102 system?)
Just like we can't stop someone from blowing themselves up it's foolish to chastise people for being human. We can't fix humanity but we can do something about idiot IT policy and asshat billionaire software moguls who EULA themseleves out of any kind of responsiblity when their software is so weak?
Why do people buy the right to be exploited? Screw putting the dumbass "commandments" on display!
P.T. Barnum's truisms should be hung on courthouse walls and in classrooms!
Microsoft never takes any responsibility, there's no safety net. Everyone who uses it simply ignores the fact that the software license clearly states that there's no promises of fitness or usability. It's one thing to accept that policy for software in general when it's free and another to have to pay for the privledge of being criminalized and exploited by the vendor/developer and anyone smart enough to modify a vbscript.
It's also one thing for an individual to make this choice, and a cockup of an entirely different scope when government offices choose to exploit citizens with such poor decisions.
The dismissed fellow should have been followed by at least two other people, the person who made the purchase decision and the person in IT who supported it.

Re:I'm New Here

[dotgain]

Wow, I didn't think you were still around. You've outlived 'YOU ARE SO FIRED' and 'Lose, not loose', you should be proud, and I'm especially honoured to have conversed with you.

Who cares that he downloaded a trojan?

[Sloppy]

What I want to know is: why did he run the trojan? I can look at porn all day without executing any remote code.

The obvious answer is that he runs MS Windows, but that's also a very boring answer. What can go wrong even for people who use sane or modern OSes? Maybe a buffer-overflow in some codec library? Sure, it could happen. Web browsers should be sandboxed, so that it takes a lot of effort to download and execute something with the user's privs. You can't get rid of social engineering, but you can at least make it look stupider. e.g. "You did WHAT? You clicked on save, entered your personal passphrase, then adjusted the permissions on the file to make it executable, and then executed it, and then when the trojan asked you to, you entered the passphrase for the taxpayer database?!?"

Re:moron! Government trustworthy?

[3leggeddog]

When Congress was debating the Constitutional amendment to permit a federal income tax, the great Senator Borah assured the Senate that "the conscience of government" would guarantee that the federal income tax rate would never exceed 5%. This was the same Senator Borah who was a central figure in the Teapot Dome scandal.

Whatever else government may be it is not trustworthy.