Slashdot Mirror

← Back to Stories (view on slashdot.org)

Trojan Compromises Oregon Taxpayers

Posted by ryuzaki0 on from the but-the-internet-is-for-porn dept.

Blair writes "An employee at the Oregon Department of Revenue downloaded a trojan file from a porn site, possibly compromising up to 2,200 taxpayers. An information technology security officer with the state said, 'the released data likely involved names, addresses or Social Security numbers, or possibly in some cases all three.' I guess some of our public workers are having too much fun after all."

27 of 250 comments (clear)

  1. Only 2000 people paying tax in Oregon? by jd · · Score: 4, Funny

    No wonder my taxes this year were so high. Hey, guys, I can't pay for Trimet on my own!

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  2. Re:Cliché by tomhudson · · Score: 4, Funny

    Hey, maybe I can get government funding for creating an approved porn list of sites that government employees can surf without getting a drive-by smack ...

    .. or at least a research grant from the Department of Homeland Security ... after all, if we don't have safe pr0n, the terr'rists have won!

  3. moron! by eobanb · · Score: 5, Insightful

    Forgive my crudeness, but...what an idiot!

    Actually there seem to be multiple failures in this. Running Windows, not employing some sort of web filtering software, lax rules on conduct...I don't know where to even begin.

    --

    Take off every sig. For great justice.

    1. Re:moron! by megaditto · · Score: 3, Interesting

      Actually there seem to be multiple failures in this. Running Windows, not employing some sort of web filtering software,[...] Actually, this is not surprizing at all. Remember all the red tape envolved!!!! To deploy 'web filtering software', a request has to be generated, afeasibility study needs to be performed, a 'validation' process has to be followed, SOPs have to be written, then the whole thing re-certified in its entirety (used to be, you would need to re-certify each component again after modifying one part). Of course the reason you they Windows is that NT 4 and 5 were 'certified' by the govt... if the site admin decided to bend the corners by installing linux on the desktop or router, he's be out of a job and possibly in jail! Frankly, they don't get paid enough for it.

      --
      Obama likes poor people so much, he wants to make more of them.
    2. Re:moron! by Anonymous Coward · · Score: 5, Informative

      We should list the failures. Otherwise we don't learn anything. Since events like this are occurring all over the place, there is obviously an issue with government security controls. I'll start:

      1. Allowing private data to be stored on a workstation that has access to the Internet.
      2. Failure to encrypt private data or a private key (presumably) when the computer is connected to the Internet.
      3. Allowing a user who has access to private data to access sites that do not have anything to do with official duties.
      4. Failure to log data packets sent on a secure computer (not every packet, but at least the bytes sent).

      All of these have the same root cause: the government and government employees did not consider the private data in their custody important enough to require rigorous controls and rigorous controls were not implemented. We could break down the problems into training issues, operational issues, etc., and politicians certainly will. But I would guess that the issue was due to a lack of political motivation to hold accountable every state IT group that has access to private data. Secure networks with access to classified or private information can be built, like the SIPRNET, but people didn't think the private data was important enough. It will change in Oregon (at least for the Dept. of Revenue) due to this incident, but elsewhere in the country people will carry on business as usual, until it affects them.

      Anyone want to guess how long it takes before Social Security numbers become worthless because of these data intrusions? We know the government isn't going to learn.

    3. Re:moron! by Anonymous Coward · · Score: 4, Informative

      I work for a school district in California and as part of my duties I am responsible for the content filter (squid children+dansguardian+squid parent peers) and I parse the content to sarg logs with a few custom reports. One of those reports is between the hours of 3-5pm and on

      I can tell you, the majority of web usage during the hours where students are not present (90%+ of bandwidth utilization yearly, nearly 100% during Late Nov/all Dec) is personal shopping. Sure, there is a good deal of sports and a spattering of news sites as well. But the people your tax dollars pay to be doing work, are spending your tax dollars and getting paid to do it.

      Individuals who get caught have their internet disabled and *might* be written up. Being written up in government means you might be able to have it used against you if you: a) sexually harass someone, or b) come to work drunk/stoned. As far as penalties in government work, umm... there aren't really any. I do have to pay state income tax (with no other income source than the state) of course there are lots of other inefficiencies, rampant graft, overly complex beurocratic heirarchies and completely complacent unions but such are the benefits of socialism.

    4. Re:moron! by Anonymous Coward · · Score: 5, Informative

      Why do you assume there was no web filtering software?
      There was. Major player in the industry, updated every day.
      Virus software on the desktops set to update ever 2 hours.
      This was a zero day exploit from a non-obvious, not yet blocked web site.
      It reported back only via port 80.
      The trojan wasn't picked up by virus protection until after we reported it, which was after we discovered it.
      He might have been an idiot, but not a dumb one.
      As for rules on conduct, suprisingly, browsing porn is actually against the rules.
      You have to sign an Internet Use agreement before you can use the Internet.
      Windows? Well, we have no choice there.
      There were some things that the tech staff has asked for that we now are likely to change, but the tech stuff is much better than I've seen in the other agencies.

  4. Indicitive of a larger problem by mcpkaaos · · Score: 5, Insightful

    What was real data doing on a workstation with Internet access in the first place? One would think (hope?) that such data would be under heavy lock and key and only accessible by the software written to manage it or, when absolutely necessary, a trusted administrator with lotsa logging.

    It is absolutely amazing to me that this event was even possible.

    --
    It goes from God, to Jerry, to me.
    1. Re:Indicitive of a larger problem by megaditto · · Score: 3, Insightful

      a trusted administrator with lotsa logging

      A competent admin is working elsewhere, where s/he is paid accordingly. The IT leftovers, not able to get hired by the private sector, get to work for the Govt... Generalization, of course, but more true than not.

      Remember, in 2006, nearly 5 years after 9/11, most FBI employees still do not have a work email access, or the ability to do multiple word searches (e.g. cannot search for "bin laden", have to enter just "bin", then scroll down, because of the space character!). So what can you expect from a State govt of Oregon...

      --
      Obama likes poor people so much, he wants to make more of them.
    2. Re:Indicitive of a larger problem by KnowledgeFreak · · Score: 5, Informative

      Mod this guy up, he knows what he's talking about. I work with Data in the private sector and data like this cannot be on an unprotected machine.

      What he's saying is that the data should only be on an oracle or whatever database where only reporting applications can run pre-written reporting programs on it, Those program will then return reports to the idiot business people. Those reports will not return a soc. or other identifying info all at the same (and rarely that stuff at all).

      The reporting monkeys take *that* home. No one actaully gets to see the data. This is exactly what part of sarbanes oxley is forcing the private sector to do with customer credit card data and other sensitive info.

    3. Re:Indicitive of a larger problem by TheViewFromTheGround · · Score: 4, Insightful
      It is absolutely amazing to me that this event was even possible.

      Actually, it isn't that amazing at all. I'm wrapping up a sysadmin gig in the nonprofit world (and moving back to strictly commercial work) right now. Specifically, I'm in legal services, where the IT talent is very thin but some of the privacy and security needs are pretty serious. I can tell you, I know of three legal services organizations or programs in the US that practice anything resembling defense-in-depth. That's why a lot of recent attacks (like the rise of "spear-phishing") use social engineering to get in. Because once you're inside the walls, so to speak, far too many networks are open season that really shouldn't be.

      If you're throwing around passwords in the clear or unecrypted files or have network shares with sensitive information and broad access on the local network, the risk is there because there's always a door to the inside in our pervasive-Internet world. In many cases, that door is through human nature/sociological probability/whatever you want to call it.

      A sysadmin must absolutely assume that there will be a user that is going to pull this kind of stupid crap, and design their defenses around it. But, speaking from experience, go to a big ol' local nonprofit that has lots of sensitive client information and start grilling the sysadmins about defense-in-depth and see what they say. You think they're monitoring all local network segments for malicious traffic with Snort? Encrypting local traffic and keeping a tight lock on any shared resources? Have a containment strategy if they detect an intrusion? Have clear and enforceable policies with respect to data retention or user activity? You'll definitely find folks are running Symantec Enterprise and have a badass firewall, etc, and that's cool, but it just isn't enough.

      Shoot, this isn't local security, but nonetheless some major ASPs that handle donations for nonprofits provide the option of sending credit cards numbers in the clear. Sure, you're looking at a secure page, but some script is actually doing the real POST over straight http, and you never see it.

      Defense-in-depth is going to become more and more critical for everybody, especially small and medium sized businesses that have been marketed elaborate and powerful perimeter defenses and anti-virus companies have hawked products that day-by-day become increasingly irrelevant to the real security threats, which must rely on tightening local security measures and doing actual traffic analysis of the network itself, not just watching for compromises on the client, because those compromises are going to be harder and harder to detect as the compromises become more and more social in nature and frankly, only good for post-mortem analysis, after the catastrophe has already hit.

      A final thought: Elaine Scarry, a philosopher, is writing a book on the meaning of consent in a world where nuclear war is a possibility. I think one could ask some questions about the meaning of technological freedom in a world where a lot of greedy, malicious people are out to clobber any and all security weaknesses on computing machines that store and transmit incredibly sensitive information.

      --
      Online citizen journalism from the inner city: The View From The Ground
    4. Re:Indicitive of a larger problem by ObsessiveMathsFreak · · Score: 3, Informative

      I work with Data in the private sector and data like this cannot be on an unprotected machine.

      I don't know what companies you've been working for, but out there in the real world, people tend to run things by the seat of their pants. I've seen data, including credit card data, stored in a database on a windows 2000 server directly connected to the internet. I've had data worth millions of dollars emailed to me on the same machine I browsed Slashdot on during lunch. It was a windows 2000 machine too.

      That's just personal expierience. I've heard stories of critical data sitting in USB shared drives, secured by nothing but friction to their sockets. Private company files transferred to the upstairs office via a hotmail account. Databases being backed up to iPods. The list goes on.

      These stories didn't come from government or other public organisations. No. These are stories straight from private industry, that magical market force that will save us all. If you think people actually follow the rules out there in the real world, you'd do better to think again.

      --
      May the Maths Be with you!
  5. From the I've-never-had-a-2,200-some-before dept. by NMerriam · · Score: 5, Funny

    Though on the bright side, porn site customers finally have a way to get screwed over the internet!

    --
    Recursive: Adj. See Recursive.
  6. Windows+IE+Porn by pembo13 · · Score: 3, Funny

    = Owned

    --
    "Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
  7. It's fitting I suppose... by mojotooth · · Score: 3, Funny

    Only figures... Since most of the money I was supposed to pay my taxes with, I used to buy porn anyway.

    --
    -- Mojo Tooth : exploring our world as only an idiot can.
  8. Indicative of the norm by Sentri · · Score: 3, Informative

    Most people just dont give a damn about conmputer security.

    This is the same old story over again, it shouldnt suprise you, why? Here's some links to get you started

    --
    Can't we all just get along
  9. On the other hand by Sentri · · Score: 4, Insightful

    FTA:

    "Electronic files containing personal data of up to 2,200 Oregon taxpayers may have been compromised by an ex-employee's unauthorized use of a computer, the Oregon Department of Revenue said Tuesday."

    Lets read that again

    Electronic files containing personal data of up to 2,200 Oregon taxpayers may have been compromised by an ex-employee's unauthorized use of a computer, the Oregon Department of Revenue said Tuesday.

    EX-EMPLOYEEE!
    What the hell was an ex employee doing on site, surfing porn. Forget computational security, what about physical security.

    In the words of Napoleon Dynamite "Freakin Idiot!"

    --
    Can't we all just get along
    1. Re:On the other hand by whitehatlurker · · Score: 4, Informative

      There is a switch in the story from employee to "ex". The employee was fired subsequent to the leak, but was "working" at the time of the download.

      --
      .. paranoid crackpot leftover from the days of Amiga.
  10. Another view, better tech quality by whitehatlurker · · Score: 4, Informative
    Here's a better version. The site did hassle me about where I lived for a bit, until I said I was a foreigner.


    Quote from this one: "We maybe had a false sense of security," O'Meara said.


    Whoa, maybe. Y'think?


    The Trojan horse gathered the equivalent of 7,000 text pages of data.
      Somewhere a scammer is very, very busy.

    --
    .. paranoid crackpot leftover from the days of Amiga.
  11. Oregon = Oregon Trail by Tickle+Cricket · · Score: 4, Funny
    You get a Trojan!
    You die of dysentary lol
  12. Welcome to the present... by Sparr0 · · Score: 4, Informative

    None of that information is secret. Your SSN, Address, and Name are all public information, the subject of numerous public records that anyone patient enough can pay $.10 per copy to get. Or just visit the appropriate county records website.

  13. Re:Likely a reporting wonk by mcpkaaos · · Score: 3, Insightful
    My guess is they had the data locally in Excel spreadsheets, fiddling with things.


    Dummy data. In all my years as a software engineer I have never worked with real or production data. There is never a reason for it, so just dummy something up and use that. Then situations like this are simply impossible.

    Many people have secure information on their hard drives too.


    Not in the Department of Revenue. At least, they shouldn't. That they obviously do should be a huge cause for concern and a process audit or three.
    --
    It goes from God, to Jerry, to me.
  14. Re:Cliché by afaik_ianal · · Score: 4, Funny

    It's just lucky this happened in Oregon, rather than Virgina.

    Now where's my +5, huh?

  15. Re:Cliché by kfg · · Score: 4, Funny

    If people from Troy, Oregon are called Trojans, how come people from Tampa, Florida aren't called Tampons?

    KFG

  16. No Lawyer Necessary - Only Patience. Here's How by Anonymous Coward · · Score: 5, Informative
    when information is leaked about your own private stuff, you should get a lawyer.

    A lawyer is unnecessary and expensive. It's easy to handle ID theft once you understand that the situation cannot be corrected immediately, that you shouldn't go ballistic, and that time and patience (and a few simple procedures) is all that's required to correct the situation:
    1. Write to the major credit bureaus and ask for a credit report from each. Explain that you're a victim of ID theft and they'll give you a free credit report.
    2. Ask the credit bureau to place a 7-year freeze on your credit report (not the 3-month freeze). That ensures that anyone who extends credit must contact you directly (usually by phone) prior to extending credit. Make sure the credit bureau has your phone number correct!
    3. If the ID theft resulted from something locally enforceable (stolen wallet, burglary), file an offense report with the local police and get a printed copy of the report.
    4. find any fraudulent/old accounts on your credit report. For old accounts, write to the address on the credit report informing the creditor and ask that the account be closed. For fraudulent accounts, notify the creditor of same and include a copy of the police report (above). For any fraudulent account _applications_, also notify the creditor that the application was fraudulent.
    5. In all cases, ask the creditor to notify the major credit bureaus of all updates/closure of accounts.
    6. Keep paper copies of all letters - use a separate paper file folder for each account or account application. Seems tedious, but you'll be glad you did, believe me.

    Above all, be patient, take your time (there's no rush, all changes are made at snail mail speed at best) and don't worry. Just go through the steps and everything can be corrected within about 180 days.

    After that, make sure you check your credit record with the major credit bureaus at least once a year. They'll send this for free. Follow the above steps whenever you see a fraudulent account or application. The Bad Guys won't be able to touch you.

  17. They don't have to care as long as others pay by quentin_quayle · · Score: 4, Insightful

    Is it just my perception or is this becoming routine now?

    I used to be only concerned in a detached way. Then *today* I received a letter from the student loan people saying, in essence: "We lost a dataset including your information. Sorry! Better contact the credit bureaus, and watch your financial statements. Have a nice day!"

    The only way we are going to have data security is if the parties that fail to secure data are held responsible for the consequences to others. Ideally, that would mean that if someone commits fraud using my stolen data, the organization that lost it has to pay me the actual cost of correcting credit reports, changing all my accounts, compensation for time spent, any lawyers needed, etc..

    Instead the banks are allowed to exploit the situation by selling insurance against it. We can't even get disclosure laws everywhere.

    Well excuse me for ranting. I guess my only point is, the only way the technical and user-education type of solutions will become relevant is if the costs are placed appropriately.

  18. Re:Cliché by FrankDrebin · · Score: 3, Funny
    Here goes...
    • Somebody's gonna get a ribbing for that cock-up!
    • Obviously a problem with the firewall's LaTeX filter...
    --
    Anybody want a peanut?